Random number generation is a process by which, often by means of arandom number generator (RNG), a sequence ofnumbers orsymbols is generated that cannot be reasonably predicted better than byrandom chance. This means that the particular outcome sequence will contain some patterns detectable in hindsight but impossible to foresee. True random number generators can behardware random-number generators (HRNGs), wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-calledrandom number generations done bypseudorandom number generators (PRNGs), which generatepseudorandom numbers that are in fact predetermined—these numbers can be reproduced simply by knowing the initial state of the PRNG and the method it uses to generate numbers.[1] There is also a class ofnon-physical true random number generators (NPTRNG) that produce true random numbers without an access to a dedicated hardware source, by scavenging entropy that is present in the computer system.[2] See the details inTrue vs. pseudo-random numbers.
Variousapplications of randomness have led to the development of different methods for generatingrandom data. Some of these have existed since ancient times, including well-known examples like the rolling ofdice,coin flipping, theshuffling ofplaying cards, the use ofyarrow stalks (fordivination) in theI Ching, as well as countless other techniques. Because of the mechanical nature of these techniques, generating large quantities of sufficiently random numbers (important in statistics) required much work and time. Thus, results would sometimes be collected and distributed asrandom number tables.
Several computational methods for pseudorandom number generation exist. All fall short of the goal of true randomness, although they may meet, with varying success, some of thestatistical tests for randomness intended to measure how unpredictable their results are (that is, to what degree their patterns are discernible). This generally makes them unusable for applications such ascryptography. However, carefully designedcryptographically secure pseudorandom number generators (CSPRNGS) also exist, with special features specifically designed for use in cryptography.
Random number generators have applications ingambling,statistical sampling,computer simulation,cryptography,completely randomized design, and other areas where producing an unpredictable result is desirable. Generally, in applications having unpredictability as the paramount feature, such as in security applications,hardware generators are generally preferred over pseudorandom algorithms, where feasible.
Pseudorandom number generators are very useful in developingMonte Carlo-method simulations, asdebugging is facilitated by the ability to run the same sequence of random numbers again by starting from the samerandom seed. They are also used in cryptography – so long as theseed is secret. The sender and receiver can generate the same set of numbers automatically to use as keys.
The generation ofpseudorandom numbers is an important and common task in computer programming. While cryptography and certain numerical algorithms require a very high degree ofapparent randomness, many other operations only need a modest amount of unpredictability. Some simple examples might be presenting a user with a "random quote of the day", or determining which way a computer-controlled adversary might move in a computer game. Weaker forms ofrandomness are used inhash algorithms and in creatingamortizedsearching andsorting algorithms.
Some applications that appear at first sight to be suitable forrandomization are in fact not quite so simple. For instance, a system that "randomly" selects music tracks for a background music system must onlyappear random, and may even have ways to control the selection of music: a truly random system would have no restriction on the same item appearing two or three times in succession.
There are two principal methods used to generate random numbers. The first method measures some physical phenomenon that is expected to be random and then compensates for possible biases in the measurement process. Example sources include measuringatmospheric noise, thermal noise, and other external electromagnetic and quantum phenomena. For example, cosmic background radiation or radioactive decay as measured over short timescales represent sources of naturalentropy (as a measure of unpredictability or surprise of the number generation process).
The speed at which entropy can be obtained from natural sources is dependent on the underlying physical phenomena being measured. Thus, sources of naturally occurringtrue entropy are said to beblocking – they are rate-limited until enough entropy is harvested to meet the demand. On some Unix-like systems, including mostLinux distributions, the pseudo device file/dev/random will block until sufficient entropy is harvested from the environment.[3] Due to this blocking behavior, large bulk reads from/dev/random, such as filling ahard disk drive with random bits, can often be slow on systems that use this type of entropy source.
The second method uses computationalalgorithms that can produce long sequences of apparently random results, which are in fact completely determined by a shorter initial value, known as a seed value orkey. As a result, the entire seemingly random sequence can be reproduced if the seed value is known. This type of random number generator is often called apseudorandom number generator. This type of generator typically does not rely on sources of naturally occurring entropy, though it may be periodically seeded by natural sources. This generator type is non-blocking, so they are not rate-limited by an external event, making large bulk reads a possibility.
Standard cryptographic designs take a hybrid approach, using randomness harvested from natural sources to seed acryptographically secure pseudorandom number generators (CSPRNGs). Hardware random number generators generally produce only a limited number of random bits per second. In order to increase the available output data rate, they are often used to generate the "seed" for a faster PRNG. PRNG also helps with the noise source "anonymization" (whitening out the noise source identifying characteristics) andentropy extraction. With a proper PRNG algorithm selected (cryptographically secure pseudorandom number generator, CSPRNG), the combination can satisfy the requirements ofFederal Information Processing Standards andCommon Criteria standards.[4]
The earliest methods for generating random numbers, such as dice, coin flipping and roulette wheels, are still used today, mainly in games and gambling, as they tend to be too slow for most applications in statistics and cryptography.
Ahardware random number generator can be based on an essentially random atomic or subatomic physical phenomenon whose unpredictability can be traced to the laws ofquantum mechanics.[5][6] Sources ofentropy includeradioactive decay,thermal noise,shot noise, avalanche noise inZener diodes,clock drift, the timing of actual movements of ahard disk read-write head, andradio noise. However, physical phenomena and tools used to measure them generally feature asymmetries andsystematic biases that make their outcomes not uniformly random. Arandomness extractor, such as acryptographic hash function, can be used to approach a uniform distribution of bits from a non-uniformly random source, though at a lower bit rate.
The appearance of wideband photonic entropy sources, such asoptical chaos andamplified spontaneous emission noise, greatly aid the development of the physical random number generator. Among them, optical chaos[7][8] has a high potential to physically produce high-speed random numbers due to its high bandwidth and large amplitude. A prototype of a high-speed, real-time physical random bit generator based on a chaotic laser was built in 2013.[9]
Various imaginative ways of collecting this entropic information have been devised. One technique is to run a hash function against a frame of a video stream from an unpredictable source.Lavarand used this technique with images of a number oflava lamps.HotBits measured radioactive decay withGeiger–Muller tubes,[10] whileRandom.org uses variations in the amplitude of atmospheric noise recorded with a normal radio.
Another common entropy source is the behavior of human users of the system. While people are not considered good randomness generators upon request, they generate random behavior quite well in the context of playingmixed strategy games.[11] Some security-related computer software requires the user to make a lengthy series of mouse movements or keyboard inputs to create sufficient entropy needed to generate randomkeys or to initialize pseudorandom number generators.[12]
 | This sectionmay need to be rewritten to comply with Wikipedia'squality standards.You can help. Thetalk page may contain suggestions.(October 2025) |
Most computer-generated random numbers use PRNGs which are algorithms that can automatically create long runs of numbers with good random properties but eventually the sequence repeats (or the memory usage grows without bound). These random numbers are fine in many situations but are not as random as numbers generated from electromagnetic atmospheric noise used as a source of entropy.[citation needed] The series of values generated by such algorithms is generally determined by a fixed number called aseed. One of the most commonPRNG is thelinear congruential generator, which uses the recurrence
to generate numbers, wherea,b andm are large integers, and is the next inX as a series of pseudorandom numbers. The maximum number of numbers the formula can produce is themodulus,m. The recurrence relation can be extended to matrices to have much longer periods and better statistical properties.
To avoid certain non-random properties of a single linear congruential generator, several such random number generators with slightly different values of the multiplier coefficient,a, can be used in parallel, with amaster random number generator that selects from among the several different generators.
A simple pen-and-paper method for generating random numbers is the so-calledmiddle-square method suggested byJohn von Neumann. While simple to implement, its output is of poor quality. It has a very short period and severe weaknesses, such as the output sequence almost always converging to zero. A recent innovation is to combine the middle square with aWeyl sequence. This method produces high-quality output through a long period.[13]
Most computer programming languages include functions or library routines that provide random number generators. They are often designed to provide a random byte or word, or afloating point numberuniformly distributed between 0 and 1.
The quality i.e. randomness of such library functions varies widely from completely predictable output to cryptographically secure. The default random number generator in many languages, including Python, Ruby, R, IDL and PHP is based on theMersenne Twister algorithm and isnot sufficient for cryptography purposes, as is explicitly stated in the language documentation. Such library functions often have poor statistical properties, and some will repeat patterns after only tens of thousands of trials. They are often initialized using a computer'sreal-time clock as the seed, since such a clock is 64 bits and measures in nanoseconds, far beyond the person'sprecision. These functions may provide enough randomness for certain tasks (for example, video games) but are unsuitable where high-quality randomness is required, such as in cryptography applications or statistics.[14]
Much higher quality random number sources are available on most operating systems; for example,/dev/random on various BSD flavors, Linux, Mac OS X, IRIX, and Solaris, orCryptGenRandom for Microsoft Windows. Most programming languages, including those mentioned above, provide a means to access these higher-quality sources.
Random number generation may also be performed by humans, in the form of collecting various inputs fromend users and using them as a randomization source. However, most studies find that human subjects have some degree of non-randomness when attempting to produce a random sequence of e.g., digits or letters. They may alternate too much between choices when compared to a good random generator;[15] thus, this approach is not widely used. However, for the very reason that humans perform poorly in this task, human random number generation can be used as a tool to gain insights into brain functions otherwise not accessible.[16]
Even given a source of plausible random numbers (perhaps from a quantum mechanically based hardware generator), obtaining numbers which are completely unbiased takes care. In addition, behavior of these generators often changes with temperature, power supply voltage, the age of the device, or other outside interference.
Generated random numbers are sometimes subjected to statistical tests before use to ensure that the underlying source is still working, and then post-processed to improve their statistical properties. An example would be the TRNG9803[17] hardware random number generator, which uses an entropy measurement as a hardware test, and then post-processes the random sequence with a shift register stream cipher. It is generally hard to use statistical tests to validate the generated random numbers. Wang and Nicol[18] proposed a distance-based statistical testing technique that is used to identify the weaknesses of several random generators. Li and Wang[19] proposed a method of testing random numbers based on laser chaotic entropy sources using Brownian motion properties.
Statistical tests are also used to give confidence that the post-processed final output from a random number generator is truly unbiased, with numerousrandomness test suites being developed.
Most random number generators natively work with integers or individual bits, so an extra step is required to arrive at thecanonical uniform distribution between 0 and 1. The implementation is not as trivial as dividing the integer by its maximum possible value. Specifically:[20][21]
The mainstream algorithm, used byOpenJDK,Rust, andNumPy, is described in a proposal forC++'s STL. It does not use the extra precision and suffers from bias only in the last bit due to round-to-even.[22] Other numeric concerns are warranted when shifting thiscanonical uniform distribution to a different range.[23] A proposed method for theSwift programming language claims to use the full precision everywhere.[24]
Uniformly distributed integers are commonly used in algorithms such as theFisher–Yates shuffle. Again, a naive implementation may induce a modulo bias into the result, so more involved algorithms must be used. A method that nearly never performs division was described in 2018 by Daniel Lemire,[25] with the current state-of-the-art being the arithmetic encoding-inspired 2021 "optimal algorithm" by Stephen Canon ofApple Inc.[26]
Most 0 to 1 RNGs include 0 but exclude 1, while others include or exclude both.
Given a source of uniform random numbers, there are a couple of methods to create a new random source that corresponds to aprobability density function. One method called theinversion method, involves integrating up to an area greater than or equal to the random number (which should be generated between 0 and 1 for proper distributions). A second method called theacceptance-rejection method, involves choosing an x and y value and testing whether the function of x is greater than the y value. If it is, the x value is accepted. Otherwise, the x value is rejected and the algorithm tries again.[27][28]
As an example for rejection sampling, to generate a pair ofstatistically independentstandard normally distributed random numbers (x,y), one may first generate thepolar coordinates (r,θ), wherer2~χ22 andθ~UNIFORM(0,2π) (seeBox–Muller transform).
The outputs of multiple independent RNGs can be combined (for example, using a bit-wiseXOR operation) to provide a combined RNG at least as good as the best RNG used. This is referred to assoftware whitening.
Computational and hardware random number generators are sometimes combined to reflect the benefits of both kinds. Computational random number generators can typically generate pseudorandom numbers much faster than physical generators, while physical generators can generate true randomness.
Some computations making use of a random number generator can be summarized as the computation of a total or average value, such as the computation of integrals by theMonte Carlo method. For such problems, it may be possible to find a more accurate solution by the use of so-calledlow-discrepancy sequences, also calledquasirandom numbers. Such sequences have a definite pattern that fills in gaps evenly, qualitatively speaking; a truly random sequence may, and usually does, leave larger gaps.
The following sites make available random number samples:
Since much cryptography depends on a cryptographically secure random number generator for key andcryptographic nonce generation, if a random number generator can be made predictable, it can be used asbackdoor by an attacker to break the encryption.
The NSA is reported to have inserted a backdoor into theNIST certifiedcryptographically secure pseudorandom number generatorDual EC DRBG. If for example an SSL connection is created using this random number generator, then according toMatthew Green it would allow NSA to determine the state of the random number generator, and thereby eventually be able to read all data sent over the SSL connection.[29] Even though it was apparent that Dual_EC_DRBG was a very poor and possibly backdoored pseudorandom number generator long before the NSA backdoor was confirmed in 2013, it had seen significant usage in practice until 2013, for example by the prominent security companyRSA Security.[30] There have subsequently been accusations that RSA Security knowingly inserted a NSA backdoor into its products, possibly as part of theBullrun program. RSA has denied knowingly inserting a backdoor into its products.[31]
It has also been theorized that hardware RNGs could be secretly modified to have less entropy than stated, which would make encryption using the hardware RNG susceptible to attack. One such method that has been published works by modifying the dopant mask of the chip, which would be undetectable to optical reverse-engineering.[32] For example, for random number generation in Linux, it is seen as unacceptable to use Intel'sRDRAND hardware RNG without mixing in the RDRAND output with other sources of entropy to counteract any backdoors in the hardware RNG, especially after the revelation of the NSA Bullrun program.[33][34]
In 2010,a U.S. lottery draw was rigged by the information security director of theMulti-State Lottery Association (MUSL), who surreptitiously installed backdoormalware on the MUSL's secure RNG computer during routine maintenance.[35] During the hacks the man won a total amount of $16,500,000 over multiple years.
random(4) – Linux Programmer'sManual – Special Files from Manned.org{{cite conference}}: CS1 maint: bot: original URL status unknown (link)| International | |
|---|---|
| National | |
| Other | |
