Random Number Generator
How to Fabricate Unpredictability in a Random Number Generator
Randomness is essential in computing: TCP/IP sequence numbers, TLS nonces, ASLR offsets, password salts and cryptosystem keys all require randomness to work as intended. But unpredictability is not easy to create; it takes work.
An effective random number generator is at the core of secure computing. Additionally, it serves as an effective tool for statistical sampling, computer simulation, and cryptography.
Origins
Random number generators (RNGs) are hardware devices or software algorithms which produce random sequences of numbers or symbols each time they are activated, similar to flipping coins or rolling dice. RNGs have numerous applications in cryptography, computer simulations, online gambling, video games and other fields.
Since ancient times, people have used randomness to create data for statistical and probabilistic experiments. Dice rolling, card shuffling and divination using yarrow stalks are among the many ancient techniques people have employed to generate random digits. Unfortunately, such methods are slow, and generating large quantities of random digits with them is challenging.
Statisticians started publishing tables of random sampling numbers during the 1930s; one such table published by Tippett in 1927 included 41,600 random digits.
Other methods of generating random digits include taking the decimal expansion of an irrational number or using the square root function on a calculator. Both produce numbers which appear random; however, they do not satisfy the second requirement of true randomness: values must occur without any discernible pattern over time.
Modern random number generators may rely on physical phenomena whose unpredictability stems from the laws of quantum mechanics. Such phenomena include radioactive decay, thermal noise, shot noise and avalanche noise in Zener diodes, as well as clock drift or the actual movements of hard disk read-write heads, as potential sources of randomness.
Functions
Random number generators underpin many aspects of modern life, from protecting credit card numbers in online transactions to selecting winners in lottery games and choosing songs on shuffle. They also play an essential role in security by supplying the keys used by ciphers and other cryptographic operations. The fundamental requirement for a good random number generator is that knowledge of past numbers should not allow anyone to predict what comes next in its sequence.
Random number generators (RNGs) are hardware devices or software programs which take non-deterministic input (such as atmospheric noise, voltage fluctuations from thermal movement in an electric circuit or radioactive decay of an isotope) and produce unpredictable outputs with a high degree of entropy, a measure of the uncertainty or disorder within a system.
Working with a random number generator in Python involves two functions of the random module: getstate() and setstate(). getstate() returns an object which captures the internal state of the generator, while setstate() restores the generator to that captured state. This allows the generator to reproduce the same sequence of numbers on demand, making it particularly suitable for Monte Carlo simulations.
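As an added example (not part of the original article), the following uses Python's standard random module to show the snapshot-and-restore behaviour described above, and contrasts it with the secrets module, which draws from the operating system's CSPRNG and has no restorable state. The helper names are illustrative.

```python
import random
import secrets


def replay_from_snapshot(count=5):
    """Draw `count` values, rewind with setstate(), and draw again."""
    rng = random.Random()            # private instance, seeded from the OS
    snapshot = rng.getstate()        # opaque tuple holding the full internal state
    first = [rng.getrandbits(32) for _ in range(count)]
    rng.setstate(snapshot)           # rewind to the captured point
    second = [rng.getrandbits(32) for _ in range(count)]
    return first, second


def monte_carlo_pi(seed, samples=20_000):
    """Reproducible Monte Carlo estimate of pi: same seed, same answer."""
    rng = random.Random(seed)
    inside = sum(1 for _ in range(samples)
                 if rng.random() ** 2 + rng.random() ** 2 <= 1.0)
    return 4.0 * inside / samples


def token_from_prng(rng):
    """Anti-pattern: a 128-bit 'secret' taken from the restorable generator."""
    return f"{rng.getrandbits(128):032x}"


def token_from_csprng():
    """Preferred: 128 bits from the operating system's CSPRNG via `secrets`."""
    return secrets.token_hex(16)


def snapshot_reproduces_token():
    """Anyone holding a state snapshot can regenerate the 'secret' token."""
    rng = random.Random()
    leaked_state = rng.getstate()
    issued = token_from_prng(rng)
    clone = random.Random()
    clone.setstate(leaked_state)     # second generator resumes from the same state
    return issued == token_from_prng(clone)


if __name__ == "__main__":
    a, b = replay_from_snapshot()
    print("replay identical:", a == b)
    print("pi estimate (seed 7):", monte_carlo_pi(7), monte_carlo_pi(7))
    print("PRNG token reproducible:", snapshot_reproduces_token())
    print("CSPRNG token:", token_from_csprng())
```

Reproducibility is exactly what a simulation wants and exactly what a key, nonce or session token must not have, so security-sensitive values belong to secrets or os.urandom rather than random.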
Limitations
Random number generators (RNGs) produce sequences of numbers or bits that appear random but exhibit patterns. This makes them suitable for Monte Carlo simulations and statistical sampling, but it also means they can be subverted by monitoring their output or exploiting their non-determinism. A subverted generator in turn distorts any Monte Carlo simulation or sampling that depends on it.
Ideal PRNGs have a long period and excellent statistical properties, while being fast enough to process data quickly. Furthermore, thread safety must be observed; otherwise the PRNG may jump out of its cycle early and cause distorted outcomes or other undesirable effects.
Step one in creating a PRNG is to select an unmodified source of randomness. There are various methods available for doing this, but hardware that has not been modified by humans would provide optimal results; examples may include hard drives that have not had special software installed or sound cards without any modifications.
Once the desired entropy has been acquired, a PRNG is used to generate random sequences of numbers until an apparent high degree of randomness appears in its output. Many PRNGs use linear congruential algorithms for this task; others like LXM and xoroshiro families employ additional permutation functions for enhanced statistical performance.
Security
Random Number Generators are integral parts of many security-sensitive applications, providing encryption keys, nonces, and initial values for cryptographic algorithms. As such, they must produce high-quality randomness to prevent attacks - but producing it requires considerable skill, with even one flaw potentially undermining security.
Traditional random number sources like dice, coin flips and roulette wheels may not provide sufficient randomness for cryptographic applications; however, they can be combined with software-based cryptographically secure pseudorandom number generators (CSPRNGs) to increase performance. This hybrid approach utilizes natural sources for randomness when possible while falling back on CSPRNGs when needed to satisfy read rates.
Even with such measures in place, random numbers generated using hardware-based TRNGs still pose security threats that could compromise a system's overall security, including files, source code, memory and network communications.
Some attacks rely on manipulating power traces during random number generation. For instance, the RDRAND circuit in Intel CPUs generates random bits by switching logical states quickly; this allows attackers to identify patterns both in the output and in the internal state of TRNGs.
Robust random number generators should pass stringent tests evaluating various statistical properties, including uniformity and independence. The B+HCCES TRNG architecture implemented on a Cyclone-V GT FPGA has successfully completed all evaluations for the NIST SP 800-90A/B/C and BSI AIS 31 random number testing suites.
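Added example, not from the original article or from the TRNG work it cites: a uniformity check and an independence check, here the frequency (monobit) and runs tests as defined in NIST SP 800-22, applied to constructed byte strings. Choosing these two tests is an assumption for illustration; the page does not say which individual tests were applied.

```python
import math
import os

ALPHA = 0.01  # significance level used by SP 800-22: p >= ALPHA counts as a pass


def bits_of(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p(bits):
    """Frequency test (uniformity): are ones and zeros roughly balanced?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(bits):
    """Runs test (independence): does the bit stream switch value too often or too rarely?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0                       # prerequisite frequency check failed
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(runs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(data):
    """Return pass/fail per test for one sample."""
    bits = bits_of(data)
    return {"monobit": monobit_p(bits) >= ALPHA, "runs": runs_p(bits) >= ALPHA}


# Constructed samples (1000 bits each), not measurements from any real device.
ALTERNATING = b"\x55" * 125   # 0101...: perfectly balanced, perfectly predictable
STUCK_HIGH = b"\xff" * 125    # a source stuck at logic one

if __name__ == "__main__":
    for label, sample in [("alternating", ALTERNATING),
                          ("stuck high", STUCK_HIGH),
                          ("os.urandom", os.urandom(125))]:
        print(f"{label:12s} {assess(sample)}")
```

The alternating pattern passes the uniformity test while being fully predictable and is only caught by the runs test, which is why a generator is judged against a whole suite and why passing statistical tests alone does not establish unpredictability.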