What is random?
Random is defined by the Oxford dictionary as:
Done, chosen, etc. without somebody deciding in advance what is going to happen, or without any regular pattern.
Following this definition, the act of trying to think of a random number or generating one in an application should be easy, right? Well, let’s have a look and see if this is the case.
Human capabilities
When thinking of something random like an arbitrary number, one would imagine that one’s choice is truly random. This is, however, not the case. Wagenaar (1972) studied the field of randomness in humans, and compiled a report that summarizes fifteen previous studies regarding the subject. The report finds that functional factors, such as memory, attention and boredom, play a large role in the process of randomizing, as well as identifying randomness. All but one study found that participants are inherently bad at randomizing.
Brugger (1997) provides a good explanation on why randomness is difficult for humans to achieve:
Interdependence among consecutive choices is considered a consequence of an organism’s natural susceptibility to interference. Random generation is thus a complex action which demands complete suppression of any rule-governed behavior.
Using numbers an example to further this thought, one can have a look at Benford’s law. This is also known as the first-digit-law. The law states the following:
In many naturally occurring collections of numbers, the leading digit is likely to be small.
The number one is the leading digit 30% of the time in the observations. Whereas the number nine appears less than 5% of the time. This indicates a natural bias which will also spill over into the thought of randomness. The following graph shows the probability of a number appearing as the first digit in a sequence of numbers:
Due to this natural bias, one cannot meet the requirements of randomness, particularly the criterion of, “…without any regular pattern” as this bias forms an inherent pattern in any set of natural numbers. This law can also be applied in the following applications to detect anomalies: accounting fraud, criminal trials, election data and more.
Humans typically display non-randomness. This varies from person to person, and is greatly dependent on functional factors affecting the person in question. . Moreover there is no clear way to train a person to generate randomness as this would indirectly create a pattern that the person would then use to generate pseudo-randomness.
Computational capabilities
Almost all randomness in computation is based on a pseudorandom system. Instances of random number generators use pseudorandom number generators in the backend. They generate a sequence of numbers whose properties approximate the properties of sequences of random numbers. These random number generators all rely on a seed, which is a number used to initialize the random number generator.
This means that if you were to use the same seed across two random number generators, you would get the same set of numbers when generated. Seeds are usually generated with some state of the computer, such as the system clock. This is clearly defined in Microsoft’s documentation on the Random class which uses the system clock as its seed. And there is somewhat of a warning that comes with it that states:
As a result, different Random objects that are created in close succession … have identical default seed values and, therefore, produce identical sets of random numbers.
This has been updated with Microsoft’s latest framework .NET Core — now simply known as .NET. The framework stipulates that its seed is generated by another pseudorandom number generator that will avoid the conflict as described above. So it is relatively “more” random than the previous implementation.
When working with cryptography we often need to generate encryption keys using a pseudorandom number generator. If the seed of the number generator is compromised the attacker can re-generate the encryption key giving them access to all data encrypted with that key. Therefore high entropy is required to generate a seed value for the generation of the encryption key.
High entropy sources are becoming readily available. Systems can currently use sources such as keyboard timings and mouse movements. There is currently a project being spearheaded by NIST that is establishing itself as an Entropy as a Service (EaaS) provider. Vassilev A, Staples R. (2006)(NIST) provides some clarity on how they plan on and currently are generating this entropy. They state that ring oscillators and quantum devices should be used to generate constant and complete randomness. NIST has setup a beta version of this EaaS, known as Beacon. Beacon generates, “…full-entropy bit-strings and posts them in blocks of 512 bits every 60 seconds”. Furthermore, there is a REST API available to call to see how the system works: Pulse
Alternatively, Cloudflare has an interesting way to generate entropy for their cryptographic systems. They have a wall of 100 lava lamps in their HQ with a camera pointed towards the lava lamps. The camera takes images at a regular interval and sends the image back to the Cloudflare servers. They assign a numeric value to each pixel of the image which generates a string of completely random numbers. This is then used as the seed for the servers to generate secure keys. More information on this system can be found here.
Conclusion
When it comes to complete randomness, humans and our digital counterparts lack the ability to generate true randomness. However, we are making progress in the computational field by special methodologies, such as ring oscillators and quantum generators, to get as close to random as possible. We have eventually found ways to generate randomness where there is none, such as the Cloudflare lava lamp wall.
Opinions expressed are solely my own and do not express the views or opinions of my employer.
References
- Brugger, P. (1997). Variables that influence the generation of random sequences: An update. Perceptual and Motor Skills, 84(2), 627–661.
- Wagenaar, W. A. (1972). Generation of random sequences by human subjects: A critical survey of literature. Psychological Bulletin, 77(1), 65–72.
- Vassilev A, Staples R. Entropy-as-a-Service: Unlocking the Full Potential of Cryptography. Computer (Long Beach Calif). 2016;49(9):98-102. doi:10.1109/MC.2016.275
