## It all seems so random

How good are you at predicting the outcome of rolling a die? ‘Probably not very good, and even with a single cubical die, any outcome has a one-in-six chance. While it’s frustrating to predict the outcome of simple dice rolls, we know that we can see a number repeat if we roll the dice just a few more times. A cubical die is a random number generator. It’s a physical random number generator that will give us a number between one and six. Other simple random number generators in our everyday lives are drawing from a deck of cards and coin flipping (a really simple one for sure).

Still, with all these and other similar methods, we have two special situations. The first is that it’s not entirely unreasonable to guess the outcome beforehand. This is handy if you’re betting on the outcome, and the odds are higher the more possible outcomes there are (one in two for the coin toss, one in six for the die, one in fifty two for the cards). The second is that the outcomes repeat fairly regularly. Again, they repeat less frequently on average, as the number of outcomes increases.

So what if we want to generate random numbers that are next to impossible to guess and that never repeat? Why would we want to do something like that?

## Applications of Random Number Generators

There are lots of reasons why an unpredictable result is desirable. Maybe the most obvious is gaming. If you’re running a lottery, you want the numbers drawn to be unpredictable. Guessing the winning lottery number is just dumb luck. ‘Simply chance. ‘No way to predict it ahead of time.

Many applications of statistics, for analysis and computer simulation benefit from random number generators. Monte-Carlo simulation techniques are built upon random number generation.

Randomness can be subjective too. For example, let’s say we want to select music tracks randomly from a library. True randomness of a commonly sized library might mean that the same track gets played more than once in the set. In fact, it might get played twice in a row. That would not feel “random” for a shuffle play of a music library.

The random number generation applications we’re most interested in here are those that are common in the data center. In particular, we’re talking about the use of random number generation in cryptography.

### Data Center Applications

Random number generators are used in cryptography, and in particular for encryption keys and tokenization. For encryption key use, the more randomness the better, as that will translate into difficulty in compromising the keys.

For encryption key use, random number generators are used to create seed values (or starting values) from which the encryption algorithms will work.

Tokenization is an important function for pseudonymization, which is used to mask or obscure personally identifiable information (PII). Pseudonymization is required by certain compliance regulations protecting PII.

## Yeah but how random is it really

Many electronic random number generators are more aptly called *pseudo-random number generators*. This is because they have a finite number of values from which to draw. They typically draw these values from their surroundings, such as the system’s time clock or CPU cycles. If the starting values are predictable, then the numbers that they generate cannot be truly random.

There are two primary ways that random numbers are generated electronically. The first is based on some sort of physical process thought to be random itself. For example, some sort of electromagnetic or quantum phenomena such as thermal noise, background radiation or radioactive decay. The second way is based on some sort of computational algorithm. These algorithms depend upon some starting value called a “seed” or “key.” The random number generators that we’ll discuss work on either one or a hybrid combination of these approaches.

I found a very interesting visual presentation of this here. In the first image shown above, you see a pattern from a True Random Number Generator. It looks quite random. The second image is a random number sequence from a Pseudo-Random Number Generator. Notice the patterns? I think you’d agree this second set of data looks not quite as random.

## Types of Random Number Generators

Let’s break the discussion about random number generator types into two categories; Pseudo-Random Number Generators (PRNG) and True Random Number Generators (TRNG). As the name would suggest, PRNG’s are generally less random than are TRNG’s, but there’s more than meets the eye.

### Pseudo-Random Number Generators (PRNG)

PRNG’s generate random numbers using a mathematical algorithm or a list of numbers precalculated beforehand. The numbers generated look to be random, but are essentially predetermined according to the formula used to create them.

PRNG’s are said to be efficient because they can create the numbers very quickly and with minimal computing resources. They are also said to be deterministic because a given sequence of numbers can be reproduced at a later state if one knows the starting point of the sequence. A downside of PRNG’s is that they are also periodic. That is, the sequence of random numbers will eventually repeat itself. Fortunately, the period is so long that it can be ignored for most practical purposes, but it is a predictable behavior (not truly random).

PRNG algorithms require a “seed” or starting value to generate the random numbers. When used for encryption key generation, the seed value attracts risk because if one knows the algorithm and the seed, then one could produce the output used for creation of the keys.

It’s important to note that there are lots of PRNG algorithms to choose from. The strength a given algorithm can be quite high and there are lots of instances in which a PRNG is “random enough.” An interesting anomaly though is that for a given algorithm, the degree of randomness can be different if that algorithm is running on a different operating system, or a different programming language (because of the way that languages are executed on different operating systems). The effectiveness of a given PRNG algorithm needs to be carefully assessed in the context of the application and platform supporting it.

### True Random Number Generators (TRNG)

TRNG’s draw from the randomness of some accessible physical phenomena for generation of random numbers. Examples include radioactive decay, atmospheric noise, background (white) noise, and electrical or quantum phenomena. Different sources can be considered more random than others, but the point is that TRNG’s are taking a reading from some sort of physical source and bringing it into the data processing. There is no discernable pattern in true random number generation and they can be counted on to produce something that is truly random. Each and every time a reading is taken one will consistently come across a different output.

It’s easy to see that TRNG’s would not be as efficient as PRNG’s, but they are nondeterministic, meaning that one would not be able to reproduce a given sequence of numbers. They have no periodicity. Because they are aperiodic, TRNG’s are better suited for encryption key generation.

## Random Number Generators and the Data Center

Cryptography is an essential element in data protection for data in motion, data at rest, and also for data in use. New legislation, such as the European Union’s General Data Protection Regulation (GDPR) mandates privacy by design and encourages pseudonymization of all PII. Tokenization and data encryption are components of the path to compliance. Strong encryption requires strong random number generation capabilities.