Pseudorandom number generator

From open-encyclopedia.com - the free encyclopedia.

A pseudorandom number generator (PRNG) is an algorithm which generates a sequence of numbers, the elements of which are approximately independent of each other.

The outputs of pseudorandom number generators are not truly random—they only approximate some of the properties of random numbers. John von Neumann emphasized this with the remark "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.¹" While truly random numbers can be generated using hardware random number generators, pseudorandom numbers are a critical part of modern computing, from cryptography to the Monte Carlo method for simulating physical systems. Careful mathematical analysis is required to ensure that the generated numbers are sufficiently "random;" as Robert R. Coveyou of Oak Ridge National Laboratory once remarked, "The generation of random numbers is too important to be left to chance.²"

Most such algorithms attempt to produce samples that are uniformly distributed. Common classes of algorithms are linear congruential generators, lagged Fibonacci generators, linear feedback shift registers and generalised feedback shift registers. Recent instances of algorithms include Blum Blum Shub, Fortuna, and the Mersenne Twister.

Contents

1 Inherent nonrandomness

2 Mersenne Twister

3 Cryptographically secure pseudorandom number generators

Inherent nonrandomness

Because any PRNG run on a deterministic computer (contrast quantum computer) is a deterministic algorithm, its output will inevitably have one property that a true random sequence would not exhibit: guaranteed periodicity. It is certain that if the generator uses only a fixed amount of memory then, given a sufficient number of iterations, the generator will revisit the same internal state twice, after which it will repeat forever. A generator that isn't periodic can be designed, but its memory requirements would grow as it ran. In addition, a PRNG can be started from an arbitrary starting point, or seed state, and will always produce an identical sequence from that point on. The practical significance of this periodicity is limited. The length of the maximum period doubles with each bit of added memory. It is easy to build PRNGs with periods so long that no computer could complete one cycle in the expected lifetime of the universe. It is an open question, and one central to cryptography, whether there is any way to distinguish the output of a well designed PRNG from perfect random noise without knowing its seed. Most cryptography relies on the assumption that it is infeasible to distinguish a suitable PRNG from noise; the simplest example is a stream cipher, which (often) works by taking the exclusive or of the secret message with the output of a PRNG. The design of such PRNGs is extremeley difficult, and most programs use much simpler PRNGs.

In practice, many common PRNGs exhibit artifacts which can cause them to fail statistically significant tests. These include, but are certainly not limited to:

Shorter than expected periods for some seed states (not full period)
Poor dimensional distribution
Successive values are not independent
Some bits may be 'more random' than others
Lack of uniformity

Defects exhibited by a flawed PRNG may range from unnoticeable to ridiculous. The RANDU random number algorithm used for decades on mainframe computers was flawed, and much research work of that time is less reliable than it should have been as a result. Sometimes, but not always, modeling problems are noticed and lead to improvements in PRNGs.

Mersenne Twister

The recent invention of the Mersenne Twister algorithm, by Makoto Matsumoto and Takuji Nishimura in 1997, avoids most of these problems. It has a colossal period of 2¹⁹⁹³⁷-1 iterations, is proven to be equidistributed in 623 dimensions (for 32-bit values), and runs faster than all but the least statistically desirable generators. It is now increasingly becoming the "random number generator of choice" for statistical simulations and generative modeling.

However, it is possible to efficiently analyze the output of the Mersenne Twister and recognize the numbers as being non-random (as with the Berlekamp-Massey algorithm or an extension from it, such as the Reed-Sloane algorithm).

Cryptographically secure pseudorandom number generators

Main article: Cryptographically secure pseudo-random number generator

A PRNG suitable for cryptographic applications is called a cryptographically secure PRNG (CSPRNG). Its output should not only pass all statistical tests for randomness but satisfy some additional cryptographic requirements.

Some classes of CSPRNGs include the following:

Stream ciphers, including block ciphers running in counter or output feedback mode.
Special designs with a security proof. For example Blum Blum Shub has a strong conditional security proof, though it is slow.
PRNGs that have been designed specifically to be cryptographically secure. One example is ISAAC, which is fast and whose security recommendations feature, among others, a very large expected cycle time.

Notes

¹ "Various techniques used in connection with random digits", Applied Mathematics Series, no. 12, 36-38 (1951).

² Peterson. Ivars. The Jungles of Randomness: A Mathematical Safari. Wiley, NY, 1998. (pp. 178) ISBN 0-471-16449-6

References

Donald E. Knuth, The Art of Computer Programming, Volume 2: Seminumerical Algorithms, 3rd edition (Addison-Wesley, Boston, 1998).
J. Viega, Practical Random Number Generation in Software, in Proc. 19th Annual Computer Security Applications Conference, Dec. 2003.

External links

The GNU Scientific Library. A free (GPL) C library that includes a number of PRNG algorithms.

fi:Näennäissatunnaislukugeneraattori zh:随机函数 ru:Генератор псевдослучайных чисел