Why random doesn’t really mean random

A friend of mine sent me a link to one of my favorite videos about how CloudFlare uses a wall of lava lamps to generate random events to seed their cryptographically secure random number generator, and asked why the random numbers generated by Python or C libraries aren’t random enough.

If we’re being blunt, no random number generating library that comes packaged with any language is truly a random number generator. In Computer Science they’re refereed to as “pseudo-random number generators” because they use a function to generate a “random” number using a series of inputs. Usually those inputs are from hardware on the computer, like the current system time or signal noise from hardware components. The downfall of these libraries is that they are deterministic functions, as are all computers. This means that if a computer using the same function is given the same input variables, it will produce the same random number. When we use a computer’s calculator, we want to be sure that the functions are working exactly as expected, we don’t want to wonder if the output is correct. Computer’s cannot generate random numbers because the whole point of using a computer is that it will execute code in a predictable way. They just aren’t designed to create random numbers.

For educational aspects and very very basic security, the pseudo-random generator libraries will work just fine, but for enterprise level security, or in CloudFlare’s case, 10% of all internet traffic you need something more robust, a true-random number generator.

True random number generators use external inputs to feed into the computer and produce random numbers. The source of data here is extremely important. You can use background or white noise from a microphone attached to your computer and it’ll generate seemingly random numbers, but if it picks up hum from your AC power or the cyclical rotation noise of your computer’s fan, you’ve made your generator significantly less random.

Some of the most popular random seeds are phenomena that occur naturally. HotBits is a really cool service who has a cloud connected radioactive detector. Random.org  uses a really cool atmospheric detector to generate seeds for your random number generator. These are extremely difficult to duplicate since reproducing the initial condition would require knowing the exact state of a radioactive isotope or the location and energies of all the atoms in a part of the atmosphere. The downside is that these kinds of true random seeds are much slower at producing random numbers than the bundled libraries that come with Python or C.

Regardless of the randomness source used to seed the generator, you just have to make sure there aren’t any patterns in the phenomena and the changes can be identified.

There are also philosophical arguments to be made, that the universe is deterministic and nothing can ever be truly random. I don’t have the qualifications or desire to lead that discussion so we’ll leave that alone.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.