# Random Number Generator Recommendations for Applications

This version of the document is dated 2021-11-14.

Peter Occil

Most apps that use randomly generated or pseudorandom numbers care about either unpredictability, high quality, or repeatability. This article gives recommendations on choosing the right kind of random number generator (RNG) or pseudorandom number generator (PRNG) for the application.
## 1 Introduction

Many applications rely on random number generators (RNGs) to produce a sequence of numbers that seemingly occur by chance; however, it's not enough for this sequence to merely "look random". But unfortunately, most popular programming languages today—

- specify few and weak requirements on their built-in RNGs (such as C's `rand`),
- specify a relatively weak general-purpose RNG (such as Java's `java.util.Random`),
- implement RNGs by default that leave something to be desired (such as Mersenne Twister),
- initialize RNGs with a timestamp by default (such as the .NET Framework implementation of `System.Random`), and/or
- use RNGs that are initialized with a fixed value by default (as is the case in MATLAB and C[^1]),

so that as a result, many applications use RNGs, especially built-in RNGs, that have little assurance of high quality or security. That is why this document discusses high-quality RNGs and suggests existing implementations of them.

This document covers:

- Cryptographic RNGs[^2], noncryptographic RNGs, and manually-seeded pseudorandom number generators, as well as recommendations on their use and properties.
- Nondeterministic sources, entropy, and seed generation.
- Existing implementations of RNGs.
- Guidance for implementations of RNGs designed for reuse by applications.
- Issues on shuffling with an RNG.

This document does not cover:

- Testing an RNG implementation for correctness[^3] or statistical quality. See my document on testing PRNGs.
- Generating numbers with unequal probabilities; I discuss this topic in another document.
- Generators of low-discrepancy sequences (quasirandom sequences), such as Sobol sequences. They are not RNGs since the numbers they produce depend on prior results.
- Applications for which the selection of RNGs is limited by regulatory requirements.

### 1.1 About This Document

This is an open-source document; for an updated version, see the source code or its rendering on GitHub. You can send comments on this document either on CodeProject or on the GitHub issues page.
## 2 Contents

- Introduction
  - About This Document
- Contents
- Definitions
- Summary
- Cryptographic RNGs
- Noncryptographic PRNGs
- Manually-Seeded PRNGs
  - When to Use a Manually-Seeded PRNG
  - Manually-Seeded PRNG Recommendations
  - Manually-Seeded PRNG Use Cases
  - Manually-Seeded PRNGs in Games
  - Single Random Value
  - Ensuring Reproducibility
- Nondeterministic Sources and Seed Generation
  - What Is a Nondeterministic Source?
  - What Is Entropy?
  - Seed Generation
  - Seed Generation for Noncryptographic PRNGs
    - Seeding Multiple Processes
- Existing RNG APIs in Programming Languages
- Hash Functions
  - Procedural Noise Functions
  - Pseudorandom Functions
- RNG Topics
  - Shuffling
  - Unique Random Identifiers
  - Verifiable Random Numbers
- Guidelines for New RNG APIs
  - Cryptographic RNGs: Requirements
  - High-Quality RNGs: Requirements
  - Designs for PRNGs
  - Implementing New RNG APIs
- Acknowledgments
- Notes
- License
## 3 Definitions

In this document:

- Random number generator (RNG) means software and/or hardware that seeks to generate integers in a bounded range such that each possible outcome is as likely as any other without influence by anything else[^4].
- Pseudorandom number generator (PRNG) means a random number generator that produces numbers by an algorithm that mathematically expands its input.
- Seed means arbitrary data serving as a PRNG's input.
- Information security means keeping information safe from attacks that could access, use, delay, or manipulate that information.[^5]
## 4 Summary

- Does the application use random-behaving numbers for information security purposes (e.g., as passwords or other secrets)?
  - Yes: Use a cryptographic RNG.
  - No: Does the application require reproducible "random" numbers?
    - Yes: Use a manually-seeded high-quality PRNG. If a seed is known, use it. Otherwise, generate a fresh seed using a cryptographic RNG.
      - Does the application run multiple independent processes that use pseudorandom numbers?
        - No: Seed one PRNG with the seed determined above.
        - Yes: Pass the seed determined above to each process as described in "Seed Generation for Noncryptographic PRNGs".
    - No: Is a cryptographic RNG too slow for the application?
      - Yes: Use a high-quality PRNG with a seed generated using a cryptographic RNG.
      - No: Use a cryptographic RNG.
## 5 Cryptographic RNGs

Cryptographic RNGs (also known as "cryptographically strong" or "cryptographically secure" RNGs) seek to generate numbers that not only "look random", but are cost-prohibitive to guess. An application should use a cryptographic RNG whenever the application—

- generates random-behaving numbers for information security purposes, or
- generates random-behaving numbers so infrequently that the RNG's speed is not a concern.

See "Cryptographic RNGs: Requirements" for requirements. See "Existing RNG APIs in Programming Languages" for existing APIs. For cryptographic RNGs, an application should use only one thread-safe instance of the RNG for the entire application to use.

Examples: A cryptographic RNG is recommended—

- when generating security parameters (including encryption keys, random passwords, nonces, session identifiers, "salts", and secret values),
- for the purposes of sending or receiving messages or other data securely between computers, or
- whenever predicting future random outcomes would give a player or user a significant and unfair advantage (such as in multiplayer networked games).
## 6 Noncryptographic PRNGs

Noncryptographic PRNGs vary widely in the quality of randomness of the numbers they generate. For this reason, a noncryptographic PRNG should not be used—

- for information security purposes (e.g., to generate random passwords, encryption keys, or other secrets),
- if cryptographic RNGs are fast enough for the application, or
- if the PRNG is not high quality (see "High-Quality RNGs: Requirements").

Noncryptographic PRNGs can be automatically seeded (a new seed is generated upon PRNG creation) or manually seeded (the PRNG uses a predetermined seed).

See "When to Use a Manually-Seeded PRNG" to learn which kind of seeding to use. See "Seed Generation for Noncryptographic PRNGs" for advice on how to seed. See "Existing RNG APIs in Programming Languages" for existing APIs. For automatically-seeded PRNGs, an application should use only one instance of the generator and pass it around to parts of the application that need it.
## 7 Manually-Seeded PRNGs

A given pseudorandom number generator (PRNG) generates the same sequence of "random" numbers for the same "seed". Some applications care about reproducible "randomness" and thus could set a PRNG's seed manually for reproducible "random" numbers.

### 7.1 When to Use a Manually-Seeded PRNG

By seeding a PRNG manually for reproducible "randomness", an application will be tied to that PRNG or its implementation. For this reason, an application should not use a manually-seeded PRNG (rather than a cryptographic or automatically-seeded RNG) unless—

1. the application might need to generate the same "random" result multiple times,
2. the application either—
   - makes the seed (or a "code" or "password" based on the seed) accessible to the user, or
   - finds it impractical to store or distribute the "random" numbers or "random" content, rather than the seed, for later use (e.g., to store those numbers to "replay" later, to store that content in a "save file", or to distribute that content rather than a seed to networked users), and
3. any feature that uses such a PRNG to generate that "random" result is reproducible, in that it produces the same "random" result for the same seed for as long as the feature is still in use by the application.
### 7.2 Manually-Seeded PRNG Recommendations

If an application chooses to use a manually-seeded PRNG for reproducible "randomness", the application—

- should choose a high-quality PRNG,
- should choose a PRNG implementation with consistent behavior that will not change in the future,
- ought to document the chosen PRNG being used as well as all the parameters for that PRNG, and
- should not seed the PRNG with floating-point numbers or generate floating-point numbers with that PRNG.

For advice on generating seeds for the PRNG, see "Seed Generation for Noncryptographic PRNGs".

Example: An application could implement a manually-seeded PRNG using a third-party library that specifically says it implements a high-quality PRNG algorithm, and could initialize that PRNG using a bit sequence from a cryptographic RNG. The developers could also mention the use of the specific PRNG chosen on any code that uses it, to alert other developers that the PRNG needs to remain unchanged.
### 7.3 Manually-Seeded PRNG Use Cases

Use cases for manually-seeded PRNGs include the following:

- Simulations and machine learning. This includes physics simulations and artificial intelligence (AI) in games, as well as simulations to reproduce published research data.
- Monte Carlo estimations.
- Procedural noise generation.
- Games that generate "random" content that is impractical to store.
- Unit tests in which "randomness" ought not to influence whether they pass or fail. Here, a manually-seeded PRNG with a fixed seed is used in place of another kind of RNG for the purpose of the test, to help ensure consistent results across the computers under test.
### 7.4 Manually-Seeded PRNGs in Games

Many kinds of game software generate seemingly "random" game content that might need to be repeatedly regenerated, such as—

- procedurally generated maps for a role-playing game,
- shuffling a virtual deck of cards for a solitaire game, or
- a randomly chosen configuration of a game board or puzzle board.

In general, the bigger that "random" content is, the greater the justification to use a manually-seeded PRNG and a custom seed to generate that content. The following are special cases:

1. If the game needs reproducible "random" content only at the start of the game session (e.g., a "random" game board or a "random" order of virtual cards) and that content is small (say, no more than a hundred numbers): The game should not use a manually-seeded PRNG unless the seed is based on a "code" or "password" entered by the user. This is a good sign that the game ought to store the "random" content instead of a seed.
2. In a networked game where multiple computers (e.g., multiple players, or a client and server) have a shared view of the game state and numbers from an RNG or PRNG are used to update that game state: The game should not use a manually-seeded PRNG where predicting a random outcome could give a player a significant and unfair advantage (e.g., the random outcome is the result of a die roll, or the top card of the draw pile, for a board or card game). The game may use such a PRNG in other cases to ensure the game state is consistent among computers, including in physics simulations and AI.

Examples:

1. Suppose a game generates a map with random terrain (which uses an RNG to produce lots of numbers) and shows the player a "code" to generate that map (such as a barcode or a string of letters and digits). In this case, the game—
   - may change the algorithm it uses to generate random maps, but
   - should use, in connection with the new algorithm, "codes" that can't be confused with "codes" it used for previous algorithms, and
   - should continue to generate the same random map using an old "code" when the player enters it, even after the change to a new algorithm.
2. Suppose a game implements a chapter that involves navigating a randomly generated dungeon with randomly scattered monsters and items. If the layout of the dungeon, monsters, and items has to be the same for a given week and for all players, the game can seed a PRNG with a hash code generated from the current week, the current month, the current year, and, optionally, a constant sequence of bits.
### 7.5 Single Random Value

If an application requires only one random value, with a fixed number of bits, then the application can pass the seed to a hash function rather than a PRNG. Examples of this include the following:

- Generating a color pseudorandomly, by passing the seed to the MD5 hash function, which outputs a 128-bit hash code, and taking the first 24 bits of the hash code as the random color.
- Generating a pseudorandom number in a GLSL (OpenGL Shading Language) fragment shader by passing the fragment coordinates (which vary for each fragment, or "pixel") as well as a seed (which is the same for all fragments) to the Wang hash, which outputs a 32-bit integer.[^6]
### 7.6 Ensuring Reproducibility

To ensure that a manually-seeded PRNG delivers reproducible "random" numbers across computers, across runs, and across application versions, an application needs to take special care. Reproducibility is often not achievable if the application relies on features or behavior outside the application's control, including any of the following:

- Floating-point numbers are a major source of varying results. Different implementations of the same floating-point operation might have subtle differences even if they're given the same input.[^7] It is nontrivial to control for all of these differences, and they include:
  - Differences in accuracy, as with Java's Math vs. StrictMath, or the x87 FSIN instruction vs. a software implementation of sine.
  - Differences in rounding. Results can vary if the application can't control how floating-point numbers are rounded.[^8]
  - Differences in operation order. Unlike with integers or fixed-point numbers[^9], adding or multiplying floating-point numbers in a different order can change the result. This can happen, for example, with parallel reductions (such as parallel sums and dot products), which split a calculation across several parallel tasks and combine their results in the end. Results can vary, even across runs, if a program automatically chooses whether and how to use parallel reduction.
- Multithreading and dynamic task scheduling can cause pseudorandom numbers to be generated in a different order or by different threads from one run to the next, causing inconsistent results; this can happen even if each thread by itself produces the same pseudorandom numbers for the same input (Leiserson et al., 2012)[^10]. Dealing with this issue requires either using a single thread, or assigning PRNGs to individual tasks rather than threads or the whole application.
- Nondeterministic sources (where the output can vary even if input and state are the same), such as the file system or the system clock.
- Undocumented, undefined, or implementation-dependent behavior or features, including a particular hash table traversal order or a particular size for C/C++'s int or long.

Thus, an application ought to use manually-seeded PRNGs only when necessary, to minimize the need for reproducible "randomness". Where reproducibility is required, the application ought to avoid floating-point numbers, nondeterministic features, and other behavior outside its control, and ought to stick to the same versions of algorithms it uses.

As for reproducible PRNGs, java.util.Random is one example of a PRNG with consistent behavior, but none of the following is such a PRNG:

- The C rand method, as well as C++'s distribution classes from <random>, such as std::uniform_int_distribution, use implementation-defined algorithms for pseudorandom number generation.
- .NET's System.Random has pseudorandom number generation behavior that could change in the future.
## 8 Nondeterministic Sources and Seed Generation

RNGs ultimately rely on so-called nondeterministic sources; without such sources, no computer can produce numbers at random.

### 8.1 What Is a Nondeterministic Source?

A nondeterministic source is a source that doesn't give the same output for the same input each time (for example, a clock that doesn't always give the same time). There are many kinds of them, but sources useful for generating numbers at random have hard-to-guess output (that is, they have high entropy; see the next section). They include—

- timings of interrupts and disk accesses,
- timings of keystrokes and/or other input device interactions,
- thermal noise,
- the output generated with A. Seznec's technique called hardware volatile entropy gathering and expansion (HAVEGE), provided a high-resolution counter is available, and
- differences between two high-resolution counter values taken in quick succession (such as in "Jitter RNG"; see (Müller)[^11]).

RFC 4086, "Randomness Requirements for Security", section 3, contains a survey of nondeterministic sources.

Note: Online services that make randomly generated numbers available to applications, as well as the noise registered by microphone and camera recordings (see RFC 4086 sec. 3.2.1, (Liebow-Feeser 2017a)[^12], and (Liebow-Feeser 2017b)[^13]), are additional nondeterministic sources. However, online services require Internet or other network access, and some of them require access credentials. Also, many mobile operating systems require applications to declare network, camera, and microphone access to users upon installation. For these reasons, these kinds of sources are not recommended if other approaches are adequate.

Example: A program could ask users to flip coins or roll dice and type in their results. If users do so, the results typed this way will have come from nondeterministic sources (here, coins or dice).
### 8.2 What Is Entropy?

Entropy is a value that describes how hard it is to guess a nondeterministic source's output, compared to an ideal process of generating independent uniform random bits. Entropy is generally the number of bits produced by that ideal process. (For example, a 64-bit output with 32 bits of entropy is as hard to guess as 32 independent uniform random bits.) NIST SP 800-90B recommends min-entropy as the entropy measure. Characterizing a nondeterministic source's entropy is nontrivial and beyond the scope of this document. See also RFC 4086 section 2.
### 8.3 Seed Generation

In general, there are two steps to generate an N-bit seed for a PRNG[^14]:

1. Gather enough data from independent nondeterministic sources to reach N bits of entropy or more.
2. Then, condense the data into an N-bit number, a process called randomness extraction.

See my Note on Randomness Extraction. It should be mentioned, though, that in information security applications, unkeyed hash functions should not be used by themselves in randomness extraction.
### 8.4 Seed Generation for Noncryptographic PRNGs

In general, to generate a seed allowed by a noncryptographic PRNG, an application ought to use a cryptographic RNG or a method described in the previous section.

It is not recommended to seed PRNGs with timestamps, since they can carry the risk of generating the same "random" number sequence accidentally.[^15]
#### 8.4.1 Seeding Multiple Processes

Some applications require multiple processes (including threads, tasks, or subtasks) to use reproducible "random" numbers for the same purpose. An example is multiple instances of a simulation with random starting conditions. However, noncryptographic PRNGs tend to produce number sequences that are correlated to each other, which is undesirable for simulations in particular.

To reduce this correlation risk, the application can choose a high-quality PRNG that supports streams of uncorrelated sequences (nonoverlapping sequences that behave like sequences of numbers chosen uniformly and independently at random) and has an efficient way to assign a different stream to each process. For example, in some PRNGs, these streams can be formed—

- by initializing PRNGs with consecutive seeds (as in "counter-based" PRNGs (Salmon et al. 2011)[^16]), or
- by discarding a fixed but huge number of PRNG outputs in an efficient way ("jump-ahead").

Multiple processes can be seeded for pseudorandom number generation as follows.[^17]

1. Stream case. If the PRNG supports streams as described above: Generate a seed (or use a predetermined seed), then:
   1. Create a PRNG instance for each process.
   2. Hash the seed and a fixed identifier to generate a new seed allowed by the PRNG.
   3. For each process, advance the PRNG to the next stream (unless it's the first process), then give that process a copy of the PRNG's current internal state.
2. General case. For other PRNGs, or if each process uses a different PRNG design, the following is a way to seed multiple processes for pseudorandom number generation, but it carries the risk of generating seeds that lead to overlapping, correlated, or even identical number sequences, especially if the processes use the same PRNG.[^18] Generate a seed (or use a predetermined seed), then:
   1. Create a PRNG instance for each process. The instances need not all use the same PRNG design or the same parameters; for example, some can be SFC64 and others `xoroshiro128**`.
   2. For each process, hash the seed, a unique number for that process, and a fixed identifier to generate a new seed allowed by the process's PRNG, and initialize that PRNG with the new seed.
3. Leapfrogging (Bauke and Mertens 2007)[^19]. The following is an alternative way to initialize a PRNG for each process if the number of processes (N) is small. Generate a seed (or use a predetermined seed), then:
   1. Create one PRNG instance. Hash the seed and a fixed identifier to generate a new seed allowed by the PRNG.
   2. Give each process a copy of the PRNG's state. Then, for the second process, discard 1 output from its PRNG; for the third process, discard 2 outputs from its PRNG; and so on.
   3. Now, whenever a PRNG created this way produces an output, it then discards the next N minus 1 outputs before finishing.

Note: The steps above include hashing several things to generate a new seed. This has to be done with either a hash function of N or more bits (where N is the PRNG's maximum seed size), or a so-called "seed sequence generator" like C++'s std::seed_seq.[^20]

Examples:

1. Philox4×64-7 is a counter-based PRNG that supports one stream per seed. To seed two processes based on the seed "seed" and this PRNG, an application can—
   - take the SHA2-256 hash of "seed-mysimulation" as a new seed,
   - initialize the first process's PRNG with the new seed and a counter of 0, and
   - initialize the second process's PRNG with 1 plus the new seed and a counter of 0.
2. Some dynamic threading (task-parallel) platforms employ task schedulers where tasks or subtasks (sometimes called strands or fibers) are not assigned to a particular operating system process or thread. To ensure reproducible "randomness" in these platforms, PRNGs have to be assigned to tasks (rather than system processes or threads) and are not shared between tasks, and each task's PRNG can be initialized as given in the "general case" steps above (where the task's unique number is also known as a pedigree) (Leiserson et al., 2012)[^10].
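The following is an added example (my own code, not part of the original article) of the "general case" seed derivation and of leapfrogging as described above. It hashes the seed, a fixed identifier and a per-process number with SHA2-256 and trims the digest to the seed size the PRNG accepts; `random.Random` stands in for a high-quality PRNG only to make the example self-contained, and all function and class names are my own choices.

```python
import functools
import hashlib
import random


def derive_seed(seed: str, identifier: str, seed_bits: int, process_id=None) -> int:
    """Hash the seed, a fixed identifier and (general case only) a unique
    per-process number with SHA2-256, keeping the top seed_bits bits, i.e.
    the size the target PRNG accepts.  SHA2-256 yields 256 bits; a PRNG
    needing a larger seed would need a longer hash or a seed sequence generator."""
    if not 0 < seed_bits <= 256:
        raise ValueError("seed_bits must be between 1 and 256 for SHA2-256")
    parts = [seed, identifier]
    if process_id is not None:
        parts.append(str(process_id))
    digest = hashlib.sha256("_".join(parts).encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - seed_bits)


def general_case_seeds(seed: str, identifier: str, num_processes: int, seed_bits: int) -> list:
    """General case: one independently derived seed per process."""
    return [derive_seed(seed, identifier, seed_bits, i) for i in range(num_processes)]


class LeapfrogPRNG:
    """Leapfrogging for a small number of processes N.  Every process starts
    from a copy of the same PRNG state; process i first discards i outputs and
    after every output discards N-1 more, so process i receives outputs
    i, i+N, i+2N, ... of the shared stream and no output is used twice."""

    def __init__(self, source, process_index: int, num_processes: int):
        # `source` is any zero-argument callable returning the PRNG's next output.
        if not 0 <= process_index < num_processes:
            raise ValueError("process index out of range")
        self._source = source
        self._skip = num_processes - 1
        for _ in range(process_index):
            self._source()

    def next(self) -> int:
        value = self._source()
        for _ in range(self._skip):
            self._source()
        return value


def reference_stream(seed: str, identifier: str, count: int) -> list:
    """The undivided output stream of the shared PRNG, for comparison."""
    rng = random.Random(derive_seed(seed, identifier, 64))
    return [rng.getrandbits(32) for _ in range(count)]


def leapfrog_streams(seed: str, identifier: str, num_processes: int, count: int) -> list:
    """Give each process its own leapfrogged view of the shared stream and
    return the first `count` outputs seen by each process."""
    shared_seed = derive_seed(seed, identifier, 64)
    streams = []
    for i in range(num_processes):
        rng = random.Random(shared_seed)  # a fresh copy of the same starting state
        gen = LeapfrogPRNG(functools.partial(rng.getrandbits, 32), i, num_processes)
        streams.append([gen.next() for _ in range(count)])
    return streams
```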
## 9 Existing RNG APIs in Programming Languages

As much as possible, applications should use existing libraries and techniques for cryptographic and high-quality RNGs. The following table lists application programming interfaces (APIs) for such RNGs for popular programming languages.

PRNGs mentioned in the "High-Quality" column need to be initialized with a seed (see "Seed Generation for Noncryptographic PRNGs"). The mention of a third-party library in this section does not imply that the library is the best one available for any particular purpose. The list is not comprehensive. See also Paragon's blog post on existing cryptographic RNGs.

| Language | Cryptographic | High-Quality |
| --- | --- | --- |
| .NET (incl. C# and VB.NET) (H) | `RandomNumberGenerator.Create()` in `System.Security.Cryptography` namespace; airbreather/AirBreather.Common library (`CryptographicRandomGenerator`) | XoshiroPRNG.Net package (`XoRoShiRo128starstar`, `XoShiRo256plus`, `XoShiRo256starstar`); Data.HashFunction.MurmurHash or Data.HashFunction.CityHash package (hash the string `seed + "_" + counter`) |
| C/C++ (G) | (C) | `xoroshiro128plusplus.c`; `xoshiro256starstar.c` |
| Python (A) | `secrets.SystemRandom` (since Python 3.6); `os.urandom()` | ihaque/xorshift library (default seed uses `os.urandom()`); `numpy.random.Generator` with Philox or SFC64 (since ver. 1.7); `hashlib.md5(b"%d_%d" % (seed, counter)).digest()`, `hashlib.sha1(b"%d_%d" % (seed, counter)).digest()` |
| Java (A) (D) | (C); `java.security.SecureRandom` (F) | it.unimi.dsi/dsiutils artifact (`XoRoShiRo128PlusPlusRandom`, `XoRoShiRo128StarStarRandom`, `XoShiRo256StarStarRandom`, `XorShift1024StarPhiRandom`); org.apache.commons/commons-rng-simple artifact (`RandomSource` of `SFC_64`, `XO_RO_SHI_RO_128_PP`, `XO_RO_SHI_RO_128_SS`, `XO_SHI_RO_256_PP`, or `XO_SHI_RO_256_SS`) |
| JavaScript (B) | `crypto.randomBytes(byteCount)` (node.js only); random-number-csprng package (node.js only); `crypto.getRandomValues()` (Web) | xoroshiro128starstar package; md5 package (`md5(seed + "_" + counter, {asBytes: true})`); murmurhash3js package (`murmurhash3js.x86.hash32(seed + "_" + counter)`); `crypto.createHash("sha1")` (node.js only) |
| Ruby (A) (E) | (C); `SecureRandom.rand()` (0 or greater and less than 1) (E); `SecureRandom.rand(N)` (integer) (E) (for both, `require 'securerandom'`); sysrandom gem | `Digest::MD5.digest("#{seed}_#{counter}")`, `Digest::SHA1.digest("#{seed}_#{counter}")` (for both, `require 'digest'`) |
| PHP (A) | `random_int()`, `random_bytes()` (both since PHP 7) | `md5($seed.'_'.$counter, true)`; `sha1($seed.'_'.$counter, true)` |
| Go | crypto/rand package | `md5.Sum` in crypto/md5 package or `sha1.Sum` in crypto/sha1 package (for both, hash the byte array `seed + "_" + counter`) |
| Rust | (C) | rand_xoshiro crate (`Xoroshiro128PlusPlus`, `Xoshiro256PlusPlus`, `Xoshiro256StarStar`, `Xoshiro512StarStar`) |
| Perl | Crypt::URandom module | Crypt::Digest::MD5 module (`md5($seed.'_'.$counter)`); Digest::SHA module (`sha1($seed.'_'.$counter)`); Digest::MurmurHash3 module (`murmurhash3($seed.'_'.$counter)`) |
| Other Languages | (C) | Hash the string `seed + "_" + counter` with MurmurHash3, xxHash64, CityHash, MD5, or SHA-1 |

(A) The general RNGs of recent versions of Python and Ruby implement Mersenne Twister, which is not preferred for a high-quality RNG. PHP's mt_rand() implements or implemented a flawed version of Mersenne Twister.

(B) JavaScript's Math.random() (which ranges 0 or greater and less than 1) is implemented using xorshift128+ (or a variant) in the V8 engine, Firefox, and certain other modern browsers as of late 2017; Math.random() uses an "implementation-dependent algorithm or strategy", though (see ECMAScript sec. 20.2.2.27).

(C) A cryptographic RNG implementation can—

- read from the /dev/urandom device in Linux-based systems (using the open and read system calls where available)[^21],
- call the arc4random or arc4random_buf method on FreeBSD or macOS,
- call the getentropy method on OpenBSD, or
- call the BCryptGenRandom API in Windows 7 and later,

and only use other techniques if the existing ones are inadequate for the application. But unfortunately, resource-constrained devices ("embedded" devices) are much less likely to have a cryptographic RNG available compared to general-purpose computing devices such as desktop computers and smartphones (Wetzels 2017)[^22], although methods exist for implementing a cryptographic RNG on the Arduino (Peng 2017)[^23].

(D) Java's java.util.Random class uses a 48-bit seed, so is not considered a high-quality RNG. However, a subclass of java.util.Random might be implemented as a high-quality RNG.

(E) Ruby's SecureRandom.rand method presents a beautiful and simple API for generating numbers at random, in my opinion. Namely, rand() returns a number 0 or greater and less than 1, and rand(N) returns an integer 0 or greater and less than N.

(F) In Java 8 and later, use SecureRandom.getInstanceStrong(). In Java earlier than 8, call SecureRandom.getInstance("NativePRNGNonBlocking") or, if that fails, SecureRandom.getInstance("NativePRNG"). For Android, especially versions 4.3 and earlier, see (Klyubin 2013)[^24]. Using the SecureRandom implementation "SHA1PRNG" is not recommended, because of weaknesses in seeding and RNG quality in implementations as of 2013 (Michaelis et al., 2013)[^25].

(G) std::random_device was introduced in C++11, but its specification leaves much to be desired. For example, std::random_device can fall back to a PRNG of unspecified quality without much warning. At best, std::random_device should not be used except to supplement other techniques for generating random-behaving numbers.

(H) The .NET Framework's System.Random class uses a seed of at most 32 bits, so is not considered a high-quality RNG. However, a subclass of System.Random might be implemented as a high-quality RNG.
## 10 Hash Functions

A hash function is a function that takes an arbitrary input of any size (such as an array of 8-bit bytes or a sequence of characters) and returns an output with a fixed number of bits. That output is also known as a hash code.

For pseudorandom number generation purposes:

- The individual bits of a hash code can serve as pseudorandom numbers, or the hash code can serve as the seed for a PRNG.
- Good hash functions include cryptographic hash functions (e.g., SHA2-256, BLAKE2) and other hash functions that tend to produce wildly dispersed hash codes for nearby inputs.
- Poor hash functions include linear PRNGs such as LCGs and the Xorshift family.

The use of hash functions for other purposes (such as data lookup and data integrity) is beyond the scope of this document. See my note on hash functions.
### 10.1 Procedural Noise Functions

Noise is a randomized variation in images, sound, and other data.[^26]

A noise function is similar to a hash function; it takes an n-dimensional point and, optionally, additional data, and outputs a pseudorandom number.[^27] Noise functions generate procedural noise such as cellular noise, value noise, and gradient noise (including Perlin noise). If the noise function takes additional data, that data—

- should include randomly generated or pseudorandom numbers, and
- should not vary from one run to the next while the noise function is used for a given purpose (e.g., to generate terrain for a given map).
### 10.2 Pseudorandom Functions

A pseudorandom function is a kind of hash function that takes—

- a secret (such as a password or a long-term key), and
- additional data such as a salt (which is designed to mitigate precomputation attacks) or a nonce,

and outputs a pseudorandom number. (If the output is encryption keys, the function is also called a key derivation function; see NIST SP 800-108.) Some pseudorandom functions deliberately take time to compute their output; these are designed above all for cases in which the secret is a password or is otherwise easy to guess—examples of such functions include PBKDF2 (RFC 2898), scrypt (RFC 7914), and Ethash. Pseudorandom functions are also used in proofs of work such as the one described in RFC 8019 sec. 4.4.
## 11 RNG Topics

This section discusses several important points on the use and selection of RNGs, including things to consider when shuffling or generating "unique" random identifiers.

### 11.1 Shuffling

In a list with N different items, there are N factorial (that is, 1 * 2 * ... * N, or N!) ways to arrange the items in that list. These ways are called permutations[^28].

In practice, an application can shuffle a list by doing a Fisher–Yates shuffle, which is unfortunately easy to mess up—see (Atwood 2007)[^29]—and is implemented correctly in another document of mine.

However, if a PRNG admits fewer seeds (and thus can produce fewer number sequences) than the number of permutations, then there are some permutations that that PRNG can't choose when it shuffles that list. (This is not the same as generating all permutations of a list, which, for a list big enough, can't be done by any computer in a reasonable time.)

On the other hand, for a list big enough, it's generally more important to have shuffles act random than to choose from among all permutations.

An application that shuffles a list can do the shuffling—

1. using a cryptographic RNG, preferably one with a security strength of b bits or greater, or
2. if a noncryptographic RNG is otherwise appropriate, using a high-quality PRNG that—
   - has a b-bit or bigger state, and
   - is initialized with a seed derived from data with at least b bits of entropy, or "randomness".

For shuffling purposes, b can usually be calculated by taking n factorial minus 1 (where n is the list's size) and calculating its bit length. A Python example is `b = (math.factorial(n) - 1).bit_length()`. See also (van Staveren 2000, "Lack of randomness")[^30]. For shuffling purposes, an application may limit b to 256 or greater, in cases when variety of permutations is not important. For other sampling tasks, the following Python examples show how to calculate b (the divisions use integer division, `//`, because `/` would produce a floating-point number, which loses precision for large factorials and has no `bit_length` method):

- Choosing k out of n different items at random, in random order: `b = (math.factorial(n) // math.factorial(n - k) - 1).bit_length()`.
- Choosing k out of n different items at random, without caring about order (RFC 3797, sec. 3.3): `b = (math.factorial(n) // (math.factorial(k) * math.factorial(n - k)) - 1).bit_length()`.
- Shuffling d identical lists of c items: `b = (math.factorial(d * c) // (math.factorial(d) ** c) - 1).bit_length()`.
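As an added example (my own code, not from the original article), the following puts the b calculations above into functions, generalizes the shuffling case into a check of the largest list a PRNG with a given seed size can fully shuffle, and shows a Fisher–Yates shuffle driven by the operating system's cryptographic RNG through Python's `secrets` module. Function names are my own.

```python
import math
import secrets


def bits_for_shuffle(n: int) -> int:
    """b for shuffling a list of n different items: bit length of n! - 1."""
    return (math.factorial(n) - 1).bit_length()


def bits_for_ordered_sample(n: int, k: int) -> int:
    """b for choosing k of n different items in random order: n! / (n-k)!."""
    return (math.factorial(n) // math.factorial(n - k) - 1).bit_length()


def bits_for_unordered_sample(n: int, k: int) -> int:
    """b for choosing k of n items without regard to order: n! / (k! (n-k)!),
    which math.comb computes exactly."""
    return (math.comb(n, k) - 1).bit_length()


def bits_for_identical_lists(d: int, c: int) -> int:
    """b for shuffling d identical lists of c items: (d*c)! / (d!)^c."""
    return (math.factorial(d * c) // math.factorial(d) ** c - 1).bit_length()


def max_fully_shufflable(seed_bits: int) -> int:
    """Largest list size whose permutations are all reachable by a PRNG that
    admits at most 2**seed_bits seeds: the largest n with
    bits_for_shuffle(n) <= seed_bits.  (Generalizes the b rule above.)"""
    n = 1
    while bits_for_shuffle(n + 1) <= seed_bits:
        n += 1
    return n


def fisher_yates_shuffle(items: list) -> list:
    """Return a shuffled copy of `items` using the Fisher–Yates algorithm.
    Each index comes from secrets.randbelow, i.e. the OS cryptographic RNG,
    so no seed-size limit on the number of permutations applies."""
    result = list(items)
    for i in range(len(result) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # uniform over 0..i inclusive
        result[i], result[j] = result[j], result[i]
    return result
```

For instance, a PRNG with a 32-bit seed can reach every permutation only for lists of 12 items or fewer, and a 64-bit seed for 20 items or fewer; a 52-card deck needs b = 226.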
### 11.2 Unique Random Identifiers

Some applications require generating unique identifiers, especially to identify database records or other shared resources. Examples of unique values include auto-incremented numbers, sequentially assigned numbers, primary keys of a database table, and combinations of these. Applications have also generated unique values at random.

The following are some questions to consider when generating unique identifiers:

1. Can the application easily check identifiers for uniqueness within the desired scope and range (e.g., check whether a file or database record with that identifier already exists)[^31]?
2. Can the application tolerate the risk of generating the same identifier for different resources[^32]?
3. Do identifiers have to be hard to guess, be simply "random-looking", or be neither?
4. Do identifiers have to be typed in or otherwise relayed by end users[^33]?
5. Is the resource an identifier identifies available to anyone who knows that identifier (even without being logged in or authorized in some way)?[^34]
6. Do identifiers have to be memorable?

Some applications may also care about "unique random" values. Generally, however, values that are both unique and random are impossible. Thus, applications that want "unique random" values have to either settle for numbers that merely "look random"; or check for or tolerate possible duplicates; or pair randomly generated numbers with unique ones.

If the application can settle for "random-looking" unique integers:

- The application can produce a unique N-bit integer and pass that integer to a function that maps N-bit integers to N-bit integers in a reversible way (also called a mixing function with reversible operations; see "Hash functions" by B. Mulvey). This includes using the unique integer as the seed for a "full-period" linear PRNG, that is, a linear PRNG that goes through all N-bit integers exactly once before repeating[^35].
- The application can generate unique integers greater than 0 and less than K as follows:
  1. Set U to 0, and choose F, an N-bit function described earlier, where N is the number of bits needed to store the number K-minus-1.
  2. Calculate F(U) then add 1 to U. If the result of F is less than K, output that result; otherwise, repeat this step.
  3. Repeat the previous step as needed to generate additional unique integers.
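The following is an added example (my own code, not from the original article) of the three steps above: a counter U fed through a reversible N-bit mixing function F, keeping only results below K. The mixing function is my own choice of an odd-multiplier/xorshift bijection (any reversible N-bit function would serve), the names are mine, and because U walks through every N-bit value and F is a bijection, the scheme yields each integer from 0 up to K-1 exactly once.

```python
import itertools


def reversible_mix(x: int, nbits: int) -> int:
    """A bijection on nbits-bit integers: multiplication by an odd constant
    modulo 2**nbits is invertible, and so is x ^ (x >> s) for any s >= 1."""
    mask = (1 << nbits) - 1
    x = (x * 0x9E3779B1) & mask           # odd multiplier: a permutation mod 2**nbits
    x ^= x >> max(1, nbits // 2)          # xorshift, invertible
    x = (x * 0x85EBCA6B) & mask           # another odd multiplier
    return x ^ (x >> max(1, nbits // 3))  # second xorshift, still invertible


def unique_random_looking(k: int):
    """Yield every integer below k exactly once, in a mixed-up order.
    N is the number of bits needed to store k - 1; the counter U runs over
    all N-bit values and F(U) is emitted only when it is below k."""
    if k < 1:
        raise ValueError("k must be at least 1")
    nbits = max(1, (k - 1).bit_length())
    for u in range(1 << nbits):            # step 2/3: advance U, retry on overflow
        value = reversible_mix(u, nbits)
        if value < k:
            yield value


def first_unique(k: int, count: int) -> list:
    """The first `count` identifiers produced for range [0, k)."""
    return list(itertools.islice(unique_random_looking(k), count))


def is_bijection(nbits: int) -> bool:
    """Exhaustively confirm that reversible_mix permutes all nbits-bit
    integers (practical for small nbits only)."""
    return len({reversible_mix(x, nbits) for x in range(1 << nbits)}) == 1 << nbits
```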
An application that generates unique identifiers should do so as follows:

- If the application can answer yes to question 1 or 2 above:
  - And yes to question 5: Generate a 128-bit-long or longer random integer using a cryptographic RNG.
  - And no to question 5: Generate a 32-bit-long or longer random integer using a cryptographic RNG.
- Otherwise:
  - If identifiers don't have to be hard to guess: Use a unique integer (either one that's naturally unique, or a randomly generated number that was checked for uniqueness).
  - If they do have to be hard to guess: Use a unique integer which is followed by a random integer generated using a cryptographic RNG (the random integer's length depends on the answer to question 5, as above).

This section doesn't discuss how to format a unique value into a text string (such as a hexadecimal or alphanumeric string), because ultimately, doing so is the same as mapping unique values one-to-one with formatted strings (which will likewise be unique).
### 11.3 Verifiable Random Numbers

Verifiable random numbers are randomly generated numbers (such as seeds for PRNGs) that are disclosed along with all the information necessary to verify their generation. Usually, such information includes randomly generated values and/or uncertain data to be determined and publicly disclosed in the future. Techniques to generate verifiable random numbers (as opposed to cryptographic RNGs alone) are used whenever one party alone can't be trusted to produce a number at random. Verifiable random numbers that are disclosed publicly should not be used as encryption keys or other secret parameters.

Examples:

1. Generating verifiable randomness has been described in RFC 3797, which describes the selection process for the Nominations Committee (NomCom) of the Internet Engineering Task Force.
2. Verifiable delay functions calculate an output as well as a proof that the output was correctly calculated; these functions deliberately take much more time to calculate the output (e.g., to generate a random-behaving number from public data) than to verify its correctness.[^36] In many cases, such a function deliberately takes much more time than the time allowed to contribute randomness to that function.[^37]
3. In a so-called commitment scheme, one computer generates data to be committed (e.g. a randomly generated number or a chess move), then reveals its hash code or digital signature (commitment), and only later reveals to all participants the committed data (along with other information needed, if any, to verify that the data wasn't changed in between). Examples of commitment schemes are hash-based commitments.[^37]
4. So-called mental card game (mental poker) schemes can be used in networked games where a deck of cards has to be shuffled and dealt to players, so that the identity of some cards is known to some but not all players.[^37]
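A hash-based commitment scheme (example 3 above) used by several parties to produce one verifiable random number, as an added example that is not part of the original document: the hash function, the message layout, the 256-bit blinding nonce and the function names are choices made for this illustration, not a standardized protocol.

```python
"""Commit-reveal with SHA-256: each party publishes a commitment, later
reveals its contribution, and the result is a hash of all contributions."""
import hashlib
import secrets

NONCE_LEN = 32       # 256-bit blinding value, chosen for this example
CONTRIB_LEN = 32     # each party contributes 32 bytes from a cryptographic RNG


def _encode(party, nonce, contribution):
    # Length-prefix the party name (up to 255 bytes) so that fields cannot be
    # shifted into each other when the hash input is rebuilt at verification.
    name = party.encode()
    if len(name) > 255:
        raise ValueError("party name too long")
    return bytes([len(name)]) + name + nonce + contribution


def commit(party, contribution):
    """Phase 1: publish H(party || nonce || contribution); keep nonce secret.

    The nonce stops others from brute-forcing a short contribution from the
    published hash, and the party name binds the commitment to its author."""
    nonce = secrets.token_bytes(NONCE_LEN)
    digest = hashlib.sha256(_encode(party, nonce, contribution)).digest()
    return digest, nonce


def verify_opening(party, commitment, nonce, contribution):
    """Phase 2 check: the revealed data must hash to the commitment."""
    expected = hashlib.sha256(_encode(party, nonce, contribution)).digest()
    return secrets.compare_digest(expected, commitment)


def combine(contributions):
    """Final value: hash of all contributions in canonical (sorted) order.
    Nothing here depends on the nonces, so every verifier gets the same value."""
    h = hashlib.sha256()
    for party in sorted(contributions):
        h.update(_encode(party, b"", contributions[party]))
    return h.digest()


def run_protocol(contributions):
    """Simulate all parties committing, then revealing; returns the result.
    Every opening is verified before anything is combined, so a party that
    changes its contribution after seeing the others is rejected."""
    commitments, nonces = {}, {}
    for party, contribution in contributions.items():
        commitments[party], nonces[party] = commit(party, contribution)
    for party, contribution in contributions.items():
        if not verify_opening(party, commitments[party], nonces[party], contribution):
            raise ValueError(f"{party} changed its contribution after committing")
    return combine(contributions)
```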
## 12 Guidelines for New RNG APIs

This section contains guidelines for those seeking to implement RNGs designed for wide reuse (such as in a programming language's standard library). As mentioned earlier, an application should use existing RNG implementations whenever possible.

This section contains suggested requirements on cryptographic and high-quality RNGs that a new programming language can choose to adopt.

### 12.1 Cryptographic RNGs: Requirements

A cryptographic RNG generates random bits that behave like independent uniform random bits, such that an outside party has no more than negligible advantage in correctly guessing prior or future unseen output bits of that RNG even after knowing how the RNG works and/or extremely many outputs of the RNG, or prior unseen output bits of that RNG after compromising its security, such as reading its internal state.[^38]

If a cryptographic RNG implementation uses a PRNG:

- Let S be the security strength of the RNG. S is at least 128 bits and should be at least 256 bits.
- Before the RNG generates a pseudorandom number, the RNG has to have been initialized to a state that ultimately derives from data that, as a whole, is at least as hard to guess as an ideal process of generating S many independent uniform random bits[^39].

A cryptographic RNG is not required to reseed itself.

Examples: The following are examples of cryptographic RNGs:

- Randomness extractors or cryptographic hash functions that take very hard-to-predict signals from two or more nondeterministic sources as input.
- A "fast-key-erasure" generator described by D.J. Bernstein in his blog (Bernstein 2017)[^40].
- The Hash_DRBG and HMAC_DRBG generators specified in NIST SP 800-90A. The SP 800-90 series goes into further detail on how RNGs appropriate for information security can be constructed, and inspired much of this section.
- An RNG made up of two or more independently initialized cryptographic RNGs of different designs.[^41]
- RFC 8937 describes an RNG that hashes another cryptographic RNG's output with a secret value derived from a long-term key.
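The structure of a fast-key-erasure generator, as an added example that is neither the original document's code nor Bernstein's own: HMAC-SHA256 stands in for the stream cipher of his design, the 256-bit key and the 256-byte refill size are choices made here, and `state_snapshot` exists only to show what an attacker who reads the state learns.

```python
"""Fast-key-erasure structure: expand the key into a batch of output, then
immediately overwrite the key with the first bytes of that batch."""
import hashlib
import hmac
import secrets

KEY_LEN = 32            # 256-bit key, so security strength S = 256 (12.1)
BLOCKS_PER_REFILL = 8   # constructed: 8 PRF blocks of 32 bytes per refill


class FastKeyErasureRNG:
    def __init__(self, seed=None):
        # The seed must be at least as hard to guess as 256 independent
        # random bits; by default it is taken from the OS cryptographic RNG.
        if seed is None:
            seed = secrets.token_bytes(KEY_LEN)
        if len(seed) != KEY_LEN:
            raise ValueError("seed must be exactly KEY_LEN bytes")
        self._key = bytearray(seed)
        self._buf = bytearray()

    def _refill(self):
        # Expand the current key into a batch of PRF output blocks...
        out = b"".join(
            hmac.new(bytes(self._key), i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(BLOCKS_PER_REFILL))
        # ...and at once replace the key with the first KEY_LEN bytes.  The
        # old key no longer exists, so reading the state afterwards gives no
        # way to recompute bytes already handed out (the "prior unseen
        # output bits" case of section 12.1).  The rest becomes output.
        self._key[:] = out[:KEY_LEN]
        self._buf = bytearray(out[KEY_LEN:])

    def random_bytes(self, n):
        result = bytearray()
        while len(result) < n:
            if not self._buf:
                self._refill()
            take = min(n - len(result), len(self._buf))
            result += self._buf[:take]
            del self._buf[:take]    # output bytes are erased once handed out
        return bytes(result)

    def state_snapshot(self):
        """Simulates an attacker reading the key.  Unread buffer bytes are
        state too; a real implementation also erases them when done."""
        return bytes(self._key)
```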
### 12.2 High-Quality RNGs: Requirements

A PRNG is a high-quality RNG if—

- it generates bits that behave like independent uniform random bits (at least for nearly all practical purposes outside of information security),
- the number of different seeds the PRNG admits without shortening or compressing those seeds is 2<sup>63</sup> or more (that is, the PRNG can produce any of at least 2<sup>63</sup> different number sequences, which it can generally do only if the PRNG has at least 63 bits of state), and
- it either—
  - provides multiple sequences that are different for each seed, have at least 2<sup>64</sup> numbers each, do not overlap, and behave like independent sequences of numbers (at least for nearly all practical purposes outside of information security),
  - has a maximum "random" number cycle length equal to the number of different seeds the PRNG admits, or
  - has a minimum "random" number cycle length of 2<sup>127</sup> or greater.

Every cryptographic RNG is also a high-quality RNG.

Where a noncryptographic PRNG is appropriate, an application should use, if possible, a high-quality PRNG that admits any of 2<sup>127</sup> or more seeds. (This is a recommendation, since as stated above, high-quality PRNGs are required to admit only 2<sup>63</sup> or more seeds.)

Examples: Examples of high-quality PRNGs include xoshiro256**, xoroshiro128**, xoroshiro128++, Philox4×64-7, and SFC64. I give additional examples in a separate page.
### 12.3 Designs for PRNGs

The following are some ways a PRNG can be implemented:

- As a stateful object that stores an internal state and transforms it each time a "random" number is generated. This kind of PRNG is initialized by converting a seed to an internal state.
- As a (stateless) function that transforms an internal state and outputs "random" numbers and the transformed state. This design is often seen in Haskell and other functional programming languages.
- As a (stateless) "splittable PRNG", further described in my document on testing PRNGs.

### 12.4 Implementing New RNG APIs

A programming language API designed for reuse by applications could implement RNGs using the following guidelines:

1. The RNG API can include a method that fills one or more memory units (such as 8-bit bytes) completely with random bits. See example 1.
2. If the API implements an automatically-seeded RNG, it should not allow applications to initialize that same RNG with a seed for reproducible "randomness"[^42] (it may provide a separate PRNG to accept such a seed). See example 2.
3. If the API provides a PRNG that an application can seed for reproducible "randomness", it should document that PRNG and any methods the API provides that use that PRNG (such as shuffling and Gaussian number generation), and should not change that PRNG or those methods in a way that would change the "random" numbers they deliver for a given seed. See example 2.
4. A new programming language's standard library ought to include the following methods for generating numbers that behave like independent uniformly distributed numbers (see my document on randomization and sampling methods for details).
   - Four methods for integers: 0 to n including n, 0 to n excluding n, a to b including b, and a to b excluding b.
   - A method to sample real numbers from the open interval (a, b).

Examples:

1. A C language RNG method for filling memory could look like the following: `int random(uint8_t[] bytes, size_t size);`, where bytes is a pointer to an array of 8-bit bytes, and size is the number of random 8-bit bytes to generate, and where 0 is returned if the method succeeds and nonzero otherwise.
2. A Java API that follows these guidelines can contain two classes: a RandomGen class that implements an unspecified but general-purpose RNG, and a RandomStable class that implements an SFC64 PRNG that is documented and will not change in the future. RandomStable includes a constructor that takes a seed for reproducible "randomness", while RandomGen does not. Both classes include methods described in point 4, but RandomStable specifies the exact algorithms to those methods and RandomGen does not. At any time in the future, RandomGen can change its implementation to use a different RNG while remaining backward compatible, while RandomStable has to use the same algorithms for all time to remain backward compatible, especially because it takes a seed for reproducible "randomness".
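The methods of point 4 built on the byte-filling primitive of point 1, as an added example that is not code from the original document: the class and method names are hypothetical, and the pluggable byte source lets either an automatically seeded RNG (the RandomGen role) or a documented seedable PRNG (the RandomStable role) supply the bits; `secrets.token_bytes` is the default here.

```python
"""Unbiased integer and open-interval sampling on top of fill(size) -> bytes."""
import secrets


class UniformSampler:
    def __init__(self, fill=secrets.token_bytes):
        self._fill = fill     # fill(size) returns `size` random bytes

    def _random_bits(self, nbits):
        """Uniform integer in [0, 2**nbits), taken from whole bytes."""
        nbytes = (nbits + 7) // 8
        value = int.from_bytes(self._fill(nbytes), "big")
        return value >> (nbytes * 8 - nbits)     # drop the surplus low bits

    def int_below(self, n):
        """Uniform integer in [0, n).  Rejection sampling avoids the modulo
        bias of `value % n`; since 2**nbits < 2n, at least half of the
        candidates are accepted on each try."""
        if n <= 0:
            raise ValueError("n must be positive")
        nbits = (n - 1).bit_length()
        while True:
            r = self._random_bits(nbits)
            if r < n:
                return r

    # The four integer methods of point 4, all expressed through int_below.
    def int_0_to_n_incl(self, n):
        return self.int_below(n + 1)

    def int_0_to_n_excl(self, n):
        return self.int_below(n)

    def int_a_to_b_incl(self, a, b):
        return a + self.int_below(b - a + 1)

    def int_a_to_b_excl(self, a, b):
        return a + self.int_below(b - a)

    def real_open(self, a, b, bits=53):
        """Real number in the open interval (a, b).  The integer k is drawn
        from 1 .. 2**bits - 1 so that neither endpoint can be produced, and
        the result is re-checked because floating-point rounding of the
        final sum could still land on an endpoint for extreme a and b."""
        if not a < b:
            raise ValueError("need a < b")
        m = 1 << bits
        while True:
            k = 1 + self.int_below(m - 1)
            x = a + (b - a) * (k / m)
            if a < x < b:
                return x
```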
## 13 Acknowledgments

I acknowledge—

the commenters to the CodeProject version of this page (as well as a similar article of mine on CodeProject), including "Cryptonite" and member 3027120, Sebastiano Vigna, Severin Pappadeux, and Lee Daniel Crocker, who reviewed this document and gave comments.

## 14 Notes
[^1]: See also the question titled "Matlab rand and c++ rand()" on Stack Overflow.

[^2]: A distinction between cryptographic and noncryptographic RNGs seems natural, because many programming languages offer a general-purpose RNG (such as C's rand or Java's java.util.Random) and sometimes an RNG intended for information security purposes (such as Ruby's SecureRandom).

[^3]: For example, see F. Dörre and V. Klebanov, "Practical Detection of Entropy Loss in Pseudo-Random Number Generators", 2016.

[^4]: Items that produce numbers or signals that follow a non-uniform distribution are not considered RNGs in this document. (For example, Gaussian and similar noise generators are not considered RNGs.) Many of these items, however, typically serve as sources from which uniform random-behaving integers can be derived through randomness extraction techniques (see "Seed Generation"). Likewise, items that produce floating-point numbers are not considered RNGs here, even if they sample from a uniform distribution. An example is the dSFMT algorithm, which ultimately uses a generator of pseudorandom integers.

[^5]: See also the FIPS 200 definition ("The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability") and ISO/IEC 27000.

[^6]: However, some versions of GLSL (notably GLSL ES 1.0, as used by WebGL 1.0) might support integers with a restricted range (as low as -1024 to 1024) rather than 32-bit or bigger integers as are otherwise common, making it difficult to write hash functions for generating pseudorandom numbers. An application ought to choose hash functions that deliver acceptable "random" numbers regardless of the kinds of numbers supported.

    An alternative for GLSL and other fragment or pixel shaders to support randomness is to have the shader sample a "noise texture" with random data in each pixel; for example, C. Peters, "Free blue noise textures", Moments in Graphics, Dec. 22, 2016, discusses how so-called "blue noise" can be sampled this way.

    See also N. Reed, "Quick And Easy GPU Random Numbers In D3D11", Nathan Reed's coding blog, Jan. 12, 2013.

[^7]: For more information, see "Floating-Point Determinism" by Bruce Dawson, the white paper "Floating Point and IEEE 754 Compliance for NVIDIA GPUs", and an Intel webinar.

[^8]: For integers, this problem also occurs, but is generally limited to the question of rounding after an integer division or remainder, which different programming languages answer differently.

[^9]: Fixed-point numbers are integers that store multiples of 1/n (e.g. 1/10000, 1/256, or 1/65536). Their resolution doesn't vary depending on the number, unlike with floating-point numbers. "The Butterfly Effect - Deterministic Physics in The Incredible Machine and Contraption Maker" is one use case showing how fixed-point numbers aid reproducibility. I have written a sample Python implementation of fixed-point numbers.
[^10]: Leiserson, C.E., et al., "Deterministic Parallel Random-Number Generation for Dynamic Multithreading Platforms", 2012.

[^11]: Müller, S. "CPU Time Jitter Based Non-Physical True Random Number Generator".

[^12]: Liebow-Feeser, J., "Randomness 101: LavaRand in Production", blog.cloudflare.com, Nov. 6, 2017.

[^13]: Liebow-Feeser, J., "LavaRand in Production: The Nitty-Gritty Technical Details", blog.cloudflare.com, Nov. 6, 2017.

[^14]: Rather than generating a seed, these steps could be a way to simulate a source of numbers chosen independently and uniformly at random. However, this is generally slower than using PRNGs to simulate that source.

[^15]: For example, many questions on Stack Overflow highlight the pitfalls of creating a new instance of the .NET Framework's System.Random each time pseudorandom numbers are needed, rather than only once in the application. See also Johansen, R.S., "A Primer on Repeatable Random Numbers", Unity Blog, Jan. 7, 2015.

[^16]: Salmon, John K., Mark A. Moraes, Ron O. Dror, and David E. Shaw. "Parallel random numbers: as easy as 1, 2, 3." In Proceedings of 2011 International Conference for High Performance Computing, Networking, Storage and Analysis, pp. 1-12. 2011.

[^17]: P. L'Ecuyer, D. Munger, et al. "Random Numbers for Parallel Computers: Requirements and Methods, With Emphasis on GPUs", April 17, 2015, section 4, goes in greater detail on ways to initialize PRNGs for generating pseudorandom numbers in parallel, including how to ensure reproducible "randomness" this way if that is desired.

[^18]: For single-cycle PRNGs, the probability of overlap for N processes each generating L numbers with a PRNG whose cycle length is P is at most N*N*L/P (S. Vigna, "On the probability of overlap of random subsequences of pseudorandom number generators", Information Processing Letters 158 (2020)). Using two or more PRNG designs can reduce correlation risks due to a particular PRNG's design. For further discussion and an example of a PRNG combining two different PRNG designs, see Agner Fog, "Pseudo-Random Number Generators for Vector Processors and Multicore Processors", Journal of Modern Applied Statistical Methods 14(1), article 23 (2015).

[^19]: Bauke and Mertens, "Random numbers for large-scale distributed Monte Carlo simulations", 2007.

[^20]: Besides the seed, other things are hashed that together serve as a domain separation tag (see, e.g., the work-in-progress document "draft-irtf-cfrg-hash-to-curve"). Note the following:

    - In general, hash functions carry the risk that two processes will end up with the same PRNG seed (a collision risk) or that a seed not allowed by the PRNG is produced (a "rejection risk"), but this risk decreases the more seeds the PRNG admits (see "Birthday problem").
    - M. O'Neill (in "Developing a seed_seq Alternative", Apr. 30, 2015) developed hash functions (seed_seq_fe) that are designed to avoid collisions if possible, and otherwise to reduce collision bias. For example, seed_seq_fe128 hashes 128-bit seeds to 128-bit or longer unique values.
    - An application can handle a rejected seed by hashing with a different value or by using a backup seed instead, depending on how tolerant the application is to bias.
    - See also Matsumoto, M., et al., "Common defects in initialization of pseudorandom number generators", ACM Transactions on Modeling and Computer Simulation 17(4), Sep. 2007.
[^21]: Using the similar /dev/random is not recommended, since in some implementations it can block for seconds at a time, especially if not enough randomness is available. See also "Myths about /dev/urandom".

[^22]: Wetzels, J., "33C3: Analyzing Embedded Operating System Random Number Generators", samvartaka.github.io, Jan. 3, 2017.

[^23]: B. Peng, "Two Fast Methods of Generating True Random Numbers on the Arduino", GitHub Gist, December 2017.

[^24]: A. Klyubin, "Some SecureRandom Thoughts", Android Developers Blog, Aug. 14, 2013.

[^25]: Michaelis, K., Meyer, C., and Schwenk, J. "Randomly Failed! The State of Randomness in Current Java Implementations", 2013.

[^26]: There are many kinds of noise, such as procedural noise (including Perlin noise, cellular noise, and value noise), colored noise (including white noise and pink noise), periodic noise, and noise following a Gaussian or other probability distribution. See also two articles by Red Blob Games: "Noise Functions and Map Generation" and "Making maps from noise functions".

[^27]: Noise functions include functions that combine several outputs of a noise function, including by fractional Brownian motion. By definition, noise functions deliver the same output for the same input.

[^28]: More generally, a list has N!/(W_1! * W_2! * ... * W_K!) permutations (a multinomial coefficient), where N is the list's size, K is the number of different items in the list, and W_i is the number of times the item identified by i appears in the list. However, this number is never more than N! and suggests using less randomness, so an application need not use this more complicated formula and may assume that a list has N! permutations even if some of its items occur more than once.

[^29]: Atwood, Jeff. "The danger of naïveté", Dec. 7, 2007.

[^30]: van Staveren, Hans. "Big Deal: A new program for dealing bridge hands", Sep. 8, 2000.

[^31]: For applications distributed across multiple computers (e.g., servers), this check is made easier if each computer is assigned a unique value from a central database, because then the computer can use that unique value as part of unique identifiers it generates and ensure that the identifiers are unique across the application without further contacting other computers or the central database. An example is Twitter's Snowflake service.

[^32]: In theory, generating two or more random integers of the same size runs the risk of producing a duplicate number this way. However, this risk decreases as that size increases (see "Birthday problem"). For example, in theory, an application has a 50% chance for duplicate numbers after generating—

    - about 2.7 billion billion random 122-bit integers (including those found in version-4 UUIDs, or universally unique identifiers),
    - about 1.4 million billion billion random 160-bit integers, or
    - about 93 billion billion billion random 192-bit integers.

[^33]: If an application expects end users to type in a unique identifier, it could find that very long unique identifiers are unsuitable for it (e.g. 128-bit numbers take up 32 base-16 characters). There are ways to deal with these and other long identifiers, including (1) separating memorable chunks of the identifier with a hyphen, space, or another character (e.g., "ABCDEF" becomes "ABC-DEF"); (2) generating the identifier from a sequence of memorable words (as in Electrum or in Bitcoin's BIP39); or (3) adding a so-called "checksum digit" at the end of the identifier to guard against typing mistakes. The application ought to consider trying (1) or (2) before deciding to use shorter identifiers than what this document recommends.

[^34]: Note that the insecure direct object references problem can occur if an application enables access to a sensitive resource via an easy-to-guess identifier, but without any access control checks.
[^35]: "Full-period" linear PRNGs include so-called linear congruential generators with a power-of-two modulus. For examples of those, see tables 3, 5, 7, and 8 of Steele and Vigna, "Computationally easy, spectrally good multipliers for congruential pseudorandom number generators", arXiv:2001.05304 [cs.DS].

[^36]: Verifiable delay functions are different from proofs of work, in which there can be multiple correct answers. These functions were first formally defined in Boneh, D., Bonneau, J., et al., "Verifiable Delay Functions", 2018, but such functions appeared earlier in Lenstra, A.K., Wesolowski, B., "A random zoo: sloth, unicorn, and trx", 2015.

[^37]: It is outside the scope of this page to explain how to build a protocol using verifiable delay functions, commitment schemes, or mental card game schemes, especially because such protocols are not yet standardized for general use and few implementations of them are used in production.

[^38]: Implementing a cryptographic RNG involves many security considerations, including these:

    1. If an application runs code from untrusted sources in the same operating system process in which a cryptographic RNG's state is stored, it's possible for malicious code to read out that state via side-channel attacks. A cryptographic RNG should not be implemented in such a process. See (A) and see also (B).
    2. A cryptographic RNG's state could be reused due to process forking or virtual machine snapshot resets. See (C) and (D), for example.
    3. If a cryptographic RNG is not "constant-time" (the RNG is data-dependent), its timing differences could be exploited in a security attack.

    (A) "Post-Spectre Threat Model Re-Think" in the Chromium source code repository (May 29, 2018).<br/>(B) Bernstein, D.J. "Entropy Attacks!", Feb. 5, 2014.<br/>(C) Everspaugh, A., Zhai, Y., et al. "Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG", 2014.<br/>(D) Ristenpart, T., Yilek, S. "When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography", 2010.<br/>For a detailed notion of a secure RNG, see Coretti, Dodis, et al., "Seedless Fruit is the Sweetest: Random Number Generation, Revisited", 2019.

[^39]: This data can come from nondeterministic sources, and also include process identifiers, timestamps, environment variables, pseudorandom numbers, virtual machine guest identifiers, and/or other data specific to the session or to the instance of the RNG. See also NIST SP 800-90A and the previous note.

[^40]: Bernstein, D.J. "Fast-key-erasure random number generators", Jun. 23, 2017.

[^41]: An example is the "shrinking generator" technique to combine two RNGs; see J.D. Cook, "Using one RNG to sample another", June 4, 2019, for more.

[^42]: Allowing applications to do so would hamper forward compatibility—the API would then be less free to change how the RNG is implemented in the future (e.g., to use a cryptographic or otherwise "better" RNG), or to make improvements or bug fixes in methods that use that RNG (such as shuffling and Gaussian number generation). (As a notable example, the V8 JavaScript engine recently changed its Math.random() implementation to use a variant of xorshift128+, which is backward compatible because nothing in JavaScript allows Math.random() to be seeded.) Nevertheless, APIs can still allow applications to provide additional input ("entropy") to the RNG in order to increase its randomness rather than to ensure repeatability.

## 15 License

Any copyright to this page is released to the Public Domain. In case this is not possible, this page is also licensed under Creative Commons Zero.