Random Number Generator Recommendations for Applications

Date post: 07-Dec-2021
This version of the document is dated 2021-11-14.

Peter Occil

Most apps that use randomly generated or pseudorandom numbers care about either unpredictability, high quality, or repeatability. This article gives recommendations on choosing the right kind of random number generator (RNG) or pseudorandom number generator (PRNG) for the application.

1 Introduction

Many applications rely on random number generators (RNGs) to produce a sequence of numbers that seemingly occur by chance; however, it's not enough for this sequence to merely "look random". But unfortunately, most popular programming languages today—

- specify few and weak requirements on their built-in RNGs (such as C's rand),
- specify a relatively weak general-purpose RNG (such as Java's java.math.Random),
- implement RNGs by default that leave something to be desired (such as Mersenne Twister),
- initialize RNGs with a timestamp by default (such as the .NET Framework implementation of System.Random), and/or
- use RNGs that are initialized with a fixed value by default (as is the case in MATLAB and C[^1]),

so that as a result, many applications use RNGs, especially built-in RNGs, that have little assurance of high quality or security. That is why this document discusses high-quality RNGs and suggests existing implementations of them.

This document covers:

- Cryptographic RNGs[^2], noncryptographic RNGs, and manually-seeded pseudorandom number generators, as well as recommendations on their use and properties.
- Nondeterministic sources, entropy, and seed generation.
- Existing implementations of RNGs.
- Guidance for implementations of RNGs designed for reuse by applications.
- Issues on shuffling with an RNG.

This document does not cover:

- Testing an RNG implementation for correctness[^3] or statistical quality. See my document on testing PRNGs.
- Generating numbers with unequal probabilities; I discuss this topic in another document.
- Generators of low-discrepancy sequences (quasirandom sequences), such as Sobol sequences. They are not RNGs since the numbers they produce depend on prior results.
- Applications for which the selection of RNGs is limited by regulatory requirements.

1.1 About This Document

This is an open-source document; for an updated version, see the source code or its rendering on GitHub. You can send comments on this document either on CodeProject or on the GitHub issues page.

2 Contents

- Introduction
  - About This Document
- Contents
- Definitions
- Summary
- Cryptographic RNGs
- Noncryptographic PRNGs
- Manually-Seeded PRNGs
  - When to Use a Manually-Seeded PRNG
  - Manually-Seeded PRNG Recommendations
  - Manually-Seeded PRNG Use Cases
  - Manually-Seeded PRNGs in Games
  - Single Random Value
  - Ensuring Reproducibility
- Nondeterministic Sources and Seed Generation
  - What Is a Nondeterministic Source?
  - What Is Entropy?
  - Seed Generation
  - Seed Generation for Noncryptographic PRNGs
    - Seeding Multiple Processes
- Existing RNG APIs in Programming Languages
- Hash Functions
  - Procedural Noise Functions
  - Pseudorandom Functions
- RNG Topics
  - Shuffling
  - Unique Random Identifiers
  - Verifiable Random Numbers
- Guidelines for New RNG APIs
  - Cryptographic RNGs: Requirements
  - High-Quality RNGs: Requirements
  - Designs for PRNGs
  - Implementing New RNG APIs
- Acknowledgments
- Notes
- License

3 Definitions

In this document:

- Random number generator (RNG) means software and/or hardware that seeks to generate integers in a bounded range such that each possible outcome is as likely as any other without influence by anything else[^4].
- Pseudorandom number generator (PRNG) means a random number generator that produces numbers by an algorithm that mathematically expands its input.
- Seed means arbitrary data serving as a PRNG's input.
- Information security means keeping information safe from attacks that could access, use, delay, or manipulate that information.[^5]

4 Summary

Does the application use random-behaving numbers for information security purposes (e.g., as passwords or other secrets)?

- Yes: Use a cryptographic RNG.
- No: Does the application require reproducible "random" numbers?
  - Yes: Use a manually-seeded high-quality PRNG. If a seed is known, use it. Otherwise, generate a fresh seed using a cryptographic RNG. Does the application run multiple independent processes that use pseudorandom numbers?
    - No: Seed one PRNG with the seed determined above.
    - Yes: Pass the seed determined above to each process as described in "Seed Generation for Noncryptographic PRNGs".
  - No: Is a cryptographic RNG too slow for the application?
    - Yes: Use a high-quality PRNG with a seed generated using a cryptographic RNG.
    - No: Use a cryptographic RNG.

5 Cryptographic RNGs

Cryptographic RNGs (also known as "cryptographically strong" or "cryptographically secure" RNGs) seek to generate numbers that not only "look random", but are cost-prohibitive to guess. An application should use a cryptographic RNG whenever the application—

- generates random-behaving numbers for information security purposes, or
- generates random-behaving numbers so infrequently that the RNG's speed is not a concern.

See "Cryptographic RNGs: Requirements" for requirements. See "Existing RNG APIs in Programming Languages" for existing APIs. For cryptographic RNGs, an application should use only one thread-safe instance of the RNG for the entire application to use.

Examples: A cryptographic RNG is recommended—

- when generating security parameters (including encryption keys, random passwords, nonces, session identifiers, "salts", and secret values),
- for the purposes of sending or receiving messages or other data securely between computers, or
- whenever predicting future random outcomes would give a player or user a significant and unfair advantage (such as in multiplayer networked games).

6 Noncryptographic PRNGs

Noncryptographic PRNGs vary widely in the quality of randomness of the numbers they generate. For this reason, a noncryptographic PRNG should not be used—

- for information security purposes (e.g., to generate random passwords, encryption keys, or other secrets),
- if cryptographic RNGs are fast enough for the application, or
- if the PRNG is not high quality (see "High-Quality RNGs: Requirements").

Noncryptographic PRNGs can be automatically seeded (a new seed is generated upon PRNG creation) or manually seeded (the PRNG uses a predetermined seed).

- See "When to Use a Manually-Seeded PRNG" to learn which kind of seeding to use.
- See "Seed Generation for Noncryptographic PRNGs" for advice on how to seed.
- See "Existing RNG APIs in Programming Languages" for existing APIs.
- For automatically-seeded PRNGs, an application should use only one instance of the generator and pass it around to parts of the application that need it.

7 Manually-Seeded PRNGs

A given pseudorandom number generator (PRNG) generates the same sequence of "random" numbers for the same "seed". Some applications care about reproducible "randomness" and thus could set a PRNG's seed manually for reproducible "random" numbers.

7.1 When to Use a Manually-Seeded PRNG

By seeding a PRNG manually for reproducible "randomness", an application will be tied to that PRNG or its implementation. For this reason, an application should not use a manually-seeded PRNG (rather than a cryptographic or automatically-seeded RNG) unless—

1. the application might need to generate the same "random" result multiple times,
2. the application either—
   - makes the seed (or a "code" or "password" based on the seed) accessible to the user, or
   - finds it impractical to store or distribute the "random" numbers or "random" content, rather than the seed, for later use (e.g., to store those numbers to "replay" later, to store that content in a "save file", or to distribute that content rather than a seed to networked users), and
3. any feature that uses such a PRNG to generate that "random" result is reproducible, in that it produces the same "random" result for the same seed for as long as the feature is still in use by the application.

7.2 Manually-Seeded PRNG Recommendations

If an application chooses to use a manually-seeded PRNG for reproducible "randomness", the application—

- should choose a high-quality PRNG,
- should choose a PRNG implementation with consistent behavior that will not change in the future,
- ought to document the chosen PRNG being used as well as all the parameters for that PRNG, and
- should not seed the PRNG with floating-point numbers or generate floating-point numbers with that PRNG.

For advice on generating seeds for the PRNG, see "Seed Generation for Noncryptographic PRNGs".

Example: An application could implement a manually-seeded PRNG using a third-party library that specifically says it implements a high-quality PRNG algorithm, and could initialize that PRNG using a bit sequence from a cryptographic RNG. The developers could also mention the use of the specific PRNG chosen on any code that uses it, to alert other developers that the PRNG needs to remain unchanged.

7.3 Manually-Seeded PRNG Use Cases

Use cases for manually-seeded PRNGs include the following:

- Simulations and machine learning. This includes physics simulations and artificial intelligence (AI) in games, as well as simulations to reproduce published research data.
- Monte Carlo estimations.
- Procedural noise generation.
- Games that generate "random" content that is impractical to store.
- Unit tests in which "randomness" ought not to influence whether they pass or fail. Here, a manually-seeded PRNG with a fixed seed is used in place of another kind of RNG for the purpose of the test, to help ensure consistent results across the computers under test.

7.4 Manually-Seeded PRNGs in Games

Many kinds of game software generate seemingly "random" game content that might need to be repeatedly regenerated, such as—

- procedurally generated maps for a role-playing game,
- shuffling a virtual deck of cards for a solitaire game, or
- a randomly chosen configuration of a game board or puzzle board.

In general, the bigger that "random" content is, the greater the justification to use a manually-seeded PRNG and a custom seed to generate that content. The following are special cases:

1. If the game needs reproducible "random" content only at the start of the game session (e.g., a "random" game board or a "random" order of virtual cards) and that content is small (say, no more than a hundred numbers): The game should not use a manually-seeded PRNG unless the seed is based on a "code" or "password" entered by the user. This is a good sign that the game ought to store the "random" content instead of a seed.
2. In a networked game where multiple computers (e.g., multiple players, or a client and server) have a shared view of the game state and numbers from an RNG or PRNG are used to update that game state: The game should not use a manually-seeded PRNG where predicting a random outcome could give a player a significant and unfair advantage (e.g., the random outcome is the result of a die roll, or the top card of the draw pile, for a board or card game). The game may use such a PRNG in other cases to ensure the game state is consistent among computers, including in physics simulations and AI.

Examples:

1. Suppose a game generates a map with random terrain (which uses an RNG to produce lots of numbers) and shows the player a "code" to generate that map (such as a barcode or a string of letters and digits). In this case, the game—
   - may change the algorithm it uses to generate random maps, but
   - should use, in connection with the new algorithm, "codes" that can't be confused with "codes" it used for previous algorithms, and
   - should continue to generate the same random map using an old "code" when the player enters it, even after the change to a new algorithm.
2. Suppose a game implements a chapter that involves navigating a randomly generated dungeon with randomly scattered monsters and items. If the layout of the dungeon, monsters, and items has to be the same for a given week and for all players, the game can seed a PRNG with a hash code generated from the current week, the current month, the current year, and, optionally, a constant sequence of bits.

7.5 Single Random Value

If an application requires only one random value, with a fixed number of bits, then the application can pass the seed to a hash function rather than a PRNG. Examples of this include the following:

- Generating a color pseudorandomly, by passing the seed to the MD5 hash function, which outputs a 128-bit hash code, and taking the first 24 bits of the hash code as the random color.
- Generating a pseudorandom number in a GLSL (OpenGL Shading Language) fragment shader by passing the fragment coordinates (which vary for each fragment, or "pixel") as well as a seed (which is the same for all fragments) to the Wang hash, which outputs a 32-bit integer.[^6]

7.6 Ensuring Reproducibility

To ensure that a manually-seeded PRNG delivers reproducible "random" numbers across computers, across runs, and across application versions, an application needs to take special care. Reproducibility is often not achievable if the application relies on features or behavior outside the application's control, including any of the following:

- Floating-point numbers are a major source of varying results. Different implementations of the same floating-point operation might have subtle differences even if they're given the same input.[^7] It is nontrivial to control for all of these differences, and they include:
  - Differences in accuracy, as with Java's Math vs. StrictMath, or the x87 FSIN instruction vs. a software implementation of sine.
  - Differences in rounding. Results can vary if the application can't control how floating-point numbers are rounded.[^8]
  - Differences in operation order. Unlike with integers or fixed-point numbers[^9], adding or multiplying floating-point numbers in a different order can change the result. This can happen, for example, with parallel reductions (such as parallel sums and dot products), which split a calculation across several parallel tasks and combine their results in the end. Results can vary, even across runs, if a program automatically chooses whether and how to use parallel reduction.
- Multithreading and dynamic task scheduling can cause pseudorandom numbers to be generated in a different order or by different threads from one run to the next, causing inconsistent results; this can happen even if each thread by itself produces the same pseudorandom numbers for the same input (Leierson et al., 2012)[^10]. Dealing with this issue requires either using a single thread, or assigning PRNGs to individual tasks rather than threads or the whole application.
- Nondeterministic sources (where the output can vary even if input and state are the same), such as the file system or the system clock.
- Undocumented, undefined, or implementation-dependent behavior or features, including a particular hash table traversal order or a particular size for C/C++'s int or long.

Thus, an application ought to use manually-seeded PRNGs only when necessary, to minimize the need for reproducible "randomness". Where reproducibility is required, the application ought to avoid floating-point numbers, nondeterministic features, and other behavior outside its control, and ought to stick to the same versions of algorithms it uses.

As for reproducible PRNGs, java.util.Random is one example of a PRNG with consistent behavior, but none of the following is such a PRNG:

- The C rand method, as well as C++'s distribution classes from <random>, such as std::uniform_int_distribution, use implementation-defined algorithms for pseudorandom number generation.
- .NET's System.Random has pseudorandom number generation behavior that could change in the future.

8 Nondeterministic Sources and Seed Generation

RNGs ultimately rely on so-called nondeterministic sources; without such sources, no computer can produce numbers at random.

8.1 What Is a Nondeterministic Source?

A nondeterministic source is a source that doesn't give the same output for the same input each time (for example, a clock that doesn't always give the same time). There are many kinds of them, but sources useful for generating numbers at random have hard-to-guess output (that is, they have high entropy; see the next section). They include—

- timings of interrupts and disk accesses,
- timings of keystrokes and/or other input device interactions,
- thermal noise,
- the output generated with A. Seznec's technique called hardware volatile entropy gathering and expansion (HAVEGE), provided a high-resolution counter is available, and
- differences between two high-resolution counter values taken in quick succession (such as in "Jitter RNG"; see (Müller)[^11]).

RFC 4086, "Randomness Requirements for Security", section 3, contains a survey of nondeterministic sources.

Note: Online services that make randomly generated numbers available to applications, as well as the noise registered by microphone and camera recordings (see RFC 4086 sec. 3.2.1, (Liebow-Feeser 2017a)[^12], and (Liebow-Feeser 2017b)[^13]), are additional nondeterministic sources. However, online services require Internet or other network access, and some of them require access credentials. Also, many mobile operating systems require applications to declare network, camera, and microphone access to users upon installation. For these reasons, these kinds of sources are not recommended if other approaches are adequate.

Example: A program could ask users to flip coins or roll dice and type in their results. If users do so, the results typed this way will have come from nondeterministic sources (here, coins or dice).

8.2 What Is Entropy?

Entropy is a value that describes how hard it is to guess a nondeterministic source's output, compared to an ideal process of generating independent uniform random bits. Entropy is generally the number of bits produced by that ideal process. (For example, a 64-bit output with 32 bits of entropy is as hard to guess as 32 independent uniform random bits.) NIST SP 800-90B recommends min-entropy as the entropy measure. Characterizing a nondeterministic source's entropy is nontrivial and beyond the scope of this document. See also RFC 4086 section 2.

8.3 Seed Generation

In general, there are two steps to generate an N-bit seed for a PRNG[^14]:

1. Gather enough data from independent nondeterministic sources to reach N bits of entropy or more.
2. Then, condense the data into an N-bit number, a process called randomness extraction.

See my Note on Randomness Extraction. It should be mentioned, though, that in information security applications, unkeyed hash functions should not be used by themselves in randomness extraction.

8.4 Seed Generation for Noncryptographic PRNGs

In general, to generate a seed allowed by a noncryptographic PRNG, an application ought to use a cryptographic RNG or a method described in the previous section.

It is not recommended to seed PRNGs with timestamps, since they can carry the risk of generating the same "random" number sequence accidentally.[^15]

8.4.1 Seeding Multiple Processes

Some applications require multiple processes (including threads, tasks, or subtasks) to use reproducible "random" numbers for the same purpose. An example is multiple instances of a simulation with random starting conditions. However, noncryptographic PRNGs tend to produce number sequences that are correlated to each other, which is undesirable for simulations in particular.

To reduce this correlation risk, the application can choose a high-quality PRNG that supports streams of uncorrelated sequences (nonoverlapping sequences that behave like sequences of numbers chosen uniformly and independently at random) and has an efficient way to assign a different stream to each process. For example, in some PRNGs, these streams can be formed—

- by initializing PRNGs with consecutive seeds (as in "counter-based" PRNGs (Salmon et al. 2011)[^16]), or
- by discarding a fixed but huge number of PRNG outputs in an efficient way ("jump-ahead").

Multiple processes can be seeded for pseudorandom number generation as follows.[^17]

1. Stream case. If the PRNG supports streams as described above: Generate a seed (or use a predetermined seed), then:
   1. Create a PRNG instance for each process.
   2. Hash the seed and a fixed identifier to generate a new seed allowed by the PRNG.
   3. For each process, advance the PRNG to the next stream (unless it's the first process), then give that process a copy of the PRNG's current internal state.
2. General case. For other PRNGs, or if each process uses a different PRNG design, the following is a way to seed multiple processes for pseudorandom number generation, but it carries the risk of generating seeds that lead to overlapping, correlated, or even identical number sequences, especially if the processes use the same PRNG.[^18] Generate a seed (or use a predetermined seed), then:
   1. Create a PRNG instance for each process. The instances need not all use the same PRNG design or the same parameters; for example, some can be SFC64 and others xoroshiro128**.
   2. For each process, hash the seed, a unique number for that process, and a fixed identifier to generate a new seed allowed by the process's PRNG, and initialize that PRNG with the new seed.
3. Leapfrogging (Bauke and Mertens 2007)[^19]. The following is an alternative way to initialize a PRNG for each process if the number of processes (N) is small. Generate a seed (or use a predetermined seed), then:
   1. Create one PRNG instance. Hash the seed and a fixed identifier to generate a new seed allowed by the PRNG.
   2. Give each process a copy of the PRNG's state. Then, for the second process, discard 1 output from its PRNG; for the third process, discard 2 outputs from its PRNG; and so on.
   3. Now, whenever a PRNG created this way produces an output, it then discards the next N minus 1 outputs before finishing.

Note: The steps above include hashing several things to generate a new seed. This has to be done with either a hash function of N or more bits (where N is the PRNG's maximum seed size), or a so-called "seed sequence generator" like C++'s std::seed_seq.[^20]

Examples:

1. Philox4×64-7 is a counter-based PRNG that supports one stream per seed. To seed two processes based on the seed "seed" and this PRNG, an application can—
   - take the SHA2-256 hash of "seed-mysimulation" as a new seed,
   - initialize the first process's PRNG with the new seed and a counter of 0, and
   - initialize the second process's PRNG with 1 plus the new seed and a counter of 0.
2. Some dynamic threading (task-parallel) platforms employ task schedulers where tasks or subtasks (sometimes called strands or fibers) are not assigned to a particular operating system process or thread. To ensure reproducible "randomness" in these platforms, PRNGs have to be assigned to tasks (rather than system processes or threads) and are not shared between tasks, and each task's PRNG can be initialized as given in the "general case" steps above (where the task's unique number is also known as a pedigree) (Leierson et al., 2012)[^10].
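The following is an added example (not code from this document or its author) that ties together the recommendations of section 7.2 (a documented high-quality PRNG, seeded either from a cryptographic RNG or from a user-entered "code" as in section 7.4, and producing integers only) and the "general case" of section 8.4.1 (hashing the master seed, the process's unique number and a fixed identifier with a 256-bit hash to obtain each process's seed). It carries a pure-Python xoshiro256**, whose 256-bit state matches SHA-256's output size as the note in 8.4.1 requires. The class and function names, the length-prefixed hashing layout in `derive_seed`, and the sample seed and identifier strings are this example's own choices, not the document's.

```python
import hashlib
import secrets

MASK64 = (1 << 64) - 1


def rotl64(x: int, k: int) -> int:
    """Rotate a 64-bit integer left by k bits."""
    return ((x << k) | (x >> (64 - k))) & MASK64


class Xoshiro256StarStar:
    """xoshiro256** (Blackman and Vigna), written in pure Python for this example.
    A documented algorithm with fixed parameters, so its output for a given seed
    stays reproducible for as long as the application keeps this class unchanged."""

    def __init__(self, seed32: bytes):
        if len(seed32) != 32 or not any(seed32):
            raise ValueError("seed must be 32 bytes and not all zero")
        self.s = [int.from_bytes(seed32[i:i + 8], "little") for i in range(0, 32, 8)]

    def next_u64(self) -> int:
        """Next 64-bit output, following the reference C implementation step by step."""
        s = self.s
        result = (rotl64((s[1] * 5) & MASK64, 7) * 9) & MASK64
        t = (s[1] << 17) & MASK64
        s[2] ^= s[0]
        s[3] ^= s[1]
        s[1] ^= s[2]
        s[0] ^= s[3]
        s[2] ^= t
        s[3] = rotl64(s[3], 45)
        return result

    def below(self, n: int) -> int:
        """Uniform integer in [0, n) by rejection sampling: integers only, no
        floating point, as section 7.2 advises for reproducible results."""
        if n <= 0:
            raise ValueError("n must be positive")
        limit = (1 << 64) - ((1 << 64) % n)  # largest multiple of n that fits in 64 bits
        while True:
            r = self.next_u64()
            if r < limit:
                return r % n


def derive_seed(master_seed: bytes, identifier: str, process_number: int = 0) -> bytes:
    """General case of 8.4.1: hash the master seed, a fixed identifier and the
    process's unique number into a 256-bit seed (SHA-256 output = the PRNG's
    maximum seed size).  Each field is length-prefixed (this example's choice)
    so that different (seed, identifier, number) triples never hash the same bytes."""
    h = hashlib.sha256()
    for field in (master_seed, identifier.encode("utf-8"), process_number.to_bytes(8, "big")):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def seed_from_user_code(code: str) -> bytes:
    """Section 7.4, example 1: a map "code" typed by the player becomes the master seed."""
    return code.strip().upper().encode("utf-8")


def fresh_master_seed() -> bytes:
    """Section 7.2: when no seed is known, take one from a cryptographic RNG."""
    return secrets.token_bytes(32)


def first_outputs(master_seed: bytes, identifier: str, process_number: int, count: int) -> list:
    """The first `count` outputs of the PRNG assigned to one process."""
    prng = Xoshiro256StarStar(derive_seed(master_seed, identifier, process_number))
    return [prng.next_u64() for _ in range(count)]


def die_rolls(master_seed: bytes, identifier: str, count: int) -> list:
    """Reproducible die rolls (1..6) drawn with integer-only rejection sampling."""
    prng = Xoshiro256StarStar(derive_seed(master_seed, identifier))
    return [prng.below(6) + 1 for _ in range(count)]


if __name__ == "__main__":
    seed = seed_from_user_code("ABCD-1234")  # constructed sample code
    for proc in range(3):
        print("process", proc, first_outputs(seed, "mysimulation", proc, 2))
    print(die_rolls(seed, "dice", 10))
```

Running the script twice prints the same values, since everything downstream of `derive_seed` is deterministic; changing the identifier string (the "version" of a feature) or the process number yields unrelated sequences, which is the point of hashing all three inputs together rather than seeding each process from the master seed alone.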

9 Existing RNG APIs in Programming Languages

As much as possible, applications should use existing libraries and techniques for cryptographic and high-quality RNGs. The following table lists application programming interfaces (APIs) for such RNGs for popular programming languages.

PRNGs mentioned in the "High-Quality" column need to be initialized with a seed (see "Seed Generation for Noncryptographic PRNGs"). The mention of a third-party library in this section does not imply that the library is the best one available for any particular purpose. The list is not comprehensive. See also Paragon's blog post on existing cryptographic RNGs.

Table columns: Language; Cryptographic; High-Quality.

Language: .NET (incl. C# and VB.NET) (H)
  Cryptographic: RandomNumberGenerator.Create() in System.Security.Cryptography namespace; airbreather/AirBreather.Common library (CryptographicRandomGenerator)
  High-Quality: XoshiroPRNG.Net package (XoRoShiRo128starstar, XoShiRo256plus, XoShiRo256starstar); Data.HashFunction.MurmurHash or Data.HashFunction.CityHash package (hash the string seed + "_" + counter)

Language: C/C++ (G)
  Cryptographic: (C)
  High-Quality: xoroshiro128plusplus.c; xoshiro256starstar.c

Language: Python (A)
  Cryptographic: secrets.SystemRandom (since Python 3.6); os.urandom()
  High-Quality: ihaque/xorshift library (default seed uses os.urandom()); numpy.random.Generator with Philox or SFC64 (since ver. 1.7); hashlib.md5(b"%d_%d" % (seed, counter)).digest(), hashlib.sha1(b"%d_%d" % (seed, counter)).digest()

Language: Java (A) (D)
  Cryptographic: (C); java.security.SecureRandom (F)
  High-Quality: it.unimi.dsi/dsiutils artifact (XoRoShiRo128PlusPlusRandom, XoRoShiRo128StarStarRandom, XoShiRo256StarStarRandom, XorShift1024StarPhiRandom); org.apache.commons/commons-rng-simple artifact (RandomSource of SFC_64, XO_RO_SHI_RO_128_PP, XO_RO_SHI_RO_128_SS, XO_SHI_RO_256_PP, or XO_SHI_RO_256_SS)

Language: JavaScript (B)
  Cryptographic: crypto.randomBytes(byteCount) (node.js only); random-number-csprng package (node.js only); crypto.getRandomValues() (Web)
  High-Quality: xoroshiro128starstar package; md5 package (md5(seed + "_" + counter, {asBytes: true})); murmurhash3js package (murmurhash3js.x86.hash32(seed + "_" + counter)); crypto.createHash("sha1") (node.js only)

Language: Ruby (A) (E)
  Cryptographic: (C); SecureRandom.rand() (0 or greater and less than 1) (E); SecureRandom.rand(N) (integer) (E) (for both, require 'securerandom'); sysrandom gem
  High-Quality: Digest::MD5.digest("#{seed}_#{counter}"), Digest::SHA1.digest("#{seed}_#{counter}") (for both, require 'digest')

Language: PHP (A)
  Cryptographic: random_int(), random_bytes() (both since PHP 7)
  High-Quality: md5($seed.'_'.$counter, true); sha1($seed.'_'.$counter, true)

Language: Go
  Cryptographic: crypto/rand package
  High-Quality: md5.Sum in crypto/md5 package or sha1.Sum in crypto/sha1 package (for both, hash the byte array seed + "_" + counter)

Language: Rust
  Cryptographic: (C)
  High-Quality: rand_xoshiro crate (Xoroshiro128PlusPlus, Xoshiro256PlusPlus, Xoshiro256StarStar, Xoshiro512StarStar)

Language: Perl
  Cryptographic: Crypt::URandom module
  High-Quality: Crypt::Digest::MD5 module (md5($seed.'_'.$counter)); Digest::SHA module (sha1($seed.'_'.$counter)); Digest::MurmurHash3 module (murmurhash3($seed.'_'.$counter))

Language: Other Languages
  Cryptographic: (C)
  High-Quality: Hash the string seed + "_" + counter with MurmurHash3, xxHash64, CityHash, MD5, or SHA-1

(A) The general RNGs of recent versions of Python and Ruby implement Mersenne Twister, which is not preferred for a high-quality RNG. PHP's mt_rand() implements or implemented a flawed version of Mersenne Twister.

(B) JavaScript's Math.random() (which ranges 0 or greater and less than 1) is implemented using xorshift128+ (or a variant) in the V8 engine, Firefox, and certain other modern browsers as of late 2017; Math.random() uses an "implementation-dependent algorithm or strategy", though (see ECMAScript sec. 20.2.2.27).

(C) A cryptographic RNG implementation can—

- read from the /dev/urandom device in Linux-based systems (using the open and read system calls where available)[^21],
- call the arc4random or arc4random_buf method on FreeBSD or macOS,
- call the getentropy method on OpenBSD, or
- call the BCryptGenRandom API in Windows 7 and later,

and only use other techniques if the existing ones are inadequate for the application. But unfortunately, resource-constrained devices ("embedded" devices) are much less likely to have a cryptographic RNG available compared to general-purpose computing devices such as desktop computers and smartphones (Wetzels 2017)[^22], although methods exist for implementing a cryptographic RNG on the Arduino (Peng 2017)[^23].

(D) Java's java.util.Random class uses a 48-bit seed, so is not considered a high-quality RNG. However, a subclass of java.util.Random might be implemented as a high-quality RNG.

(E) Ruby's SecureRandom.rand method presents a beautiful and simple API for generating numbers at random, in my opinion. Namely, rand() returns a number 0 or greater and less than 1, and rand(N) returns an integer 0 or greater and less than N.

(F) In Java 8 and later, use SecureRandom.getInstanceStrong(). In Java earlier than 8, call SecureRandom.getInstance("NativePRNGNonBlocking") or, if that fails, SecureRandom.getInstance("NativePRNG"). For Android, especially versions 4.3 and earlier, see (Klyubin 2013)[^24]. Using the SecureRandom implementation "SHA1PRNG" is not recommended, because of weaknesses in seeding and RNG quality in implementations as of 2013 (Michaelis et al., 2013)[^25].

(G) std::random_device was introduced in C++11, but its specification leaves considerably much to be desired. For example, std::random_device can fall back to a PRNG of unspecified quality without much warning. At best, std::random_device should not be used except to supplement other techniques for generating random-behaving numbers.

(H) The .NET Framework's System.Random class uses a seed of at most 32 bits, so is not considered a high-quality RNG. However, a subclass of System.Random might be implemented as a high-quality RNG.

10 Hash Functions

A hash function is a function that takes an arbitrary input of any size (such as an array of 8-bit bytes or a sequence of characters) and returns an output with a fixed number of bits. That output is also known as a hash code.

For pseudorandom number generation purposes:

- The individual bits of a hash code can serve as pseudorandom numbers, or the hash code can serve as the seed for a PRNG.
- Good hash functions include cryptographic hash functions (e.g., SHA2-256, BLAKE2) and other hash functions that tend to produce wildly dispersed hash codes for nearby inputs.
- Poor hash functions include linear PRNGs such as LCGs and the Xorshift family.

The use of hash functions for other purposes (such as data lookup and data integrity) is beyond the scope of this document. See my note on hash functions.

10.1 Procedural Noise Functions

Noise is a randomized variation in images, sound, and other data.[^26]

A noise function is similar to a hash function; it takes an n-dimensional point and, optionally, additional data, and outputs a pseudorandom number.[^27] Noise functions generate procedural noise such as cellular noise, value noise, and gradient noise (including Perlin noise). If the noise function takes additional data, that data—

- should include randomly generated or pseudorandom numbers, and
- should not vary from one run to the next while the noise function is used for a given purpose (e.g., to generate terrain for a given map).
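An added example (not code from this document or its author) covering both section 7.5 and section 10.1. `color_from_seed` takes the first 24 bits of an MD5 hash code as a color; `wang_hash` is Thomas Wang's 32-bit integer hash that the GLSL shader case refers to, and `fragment_value` folds the fragment coordinates and the shared seed into it (the chaining order is this example's own choice, not something the document specifies); `value_noise` then builds a 2-D value-noise function on that hash, taking a point plus a seed (the "additional data" of 10.1), hashing the four surrounding lattice points and blending them, so the same (point, seed) always yields the same value. Function names and the sample inputs are constructed for this example.

```python
import hashlib
import math

MASK32 = (1 << 32) - 1


def color_from_seed(seed: bytes) -> int:
    """Section 7.5: MD5 yields a 128-bit hash code; its first 24 bits form the color (0xRRGGBB)."""
    digest = hashlib.md5(seed).digest()
    return int.from_bytes(digest[:3], "big")


def wang_hash(x: int) -> int:
    """Thomas Wang's 32-bit integer hash.  Each step (xor-shift, multiply by an odd
    constant) is invertible modulo 2**32, so distinct inputs give distinct outputs."""
    x &= MASK32
    x = (x ^ 61) ^ (x >> 16)
    x = (x * 9) & MASK32
    x ^= x >> 4
    x = (x * 0x27D4EB2D) & MASK32
    x ^= x >> 15
    return x


def fragment_value(x: int, y: int, seed: int) -> int:
    """Section 7.5, GLSL case: one 32-bit pseudorandom integer per fragment from its
    coordinates and a seed shared by all fragments.  Chaining three hashes (seed,
    then x, then y) is this example's way of folding the inputs together."""
    return wang_hash(wang_hash(wang_hash(seed) ^ (x & MASK32)) ^ (y & MASK32))


def lattice_value(ix: int, iy: int, seed: int) -> float:
    """Value in [0, 1) fixed to the integer lattice point (ix, iy) for a given seed."""
    return fragment_value(ix, iy, seed) / 2 ** 32


def _smoothstep(t: float) -> float:
    """Smooth interpolation weight: 0 at t=0, 1 at t=1, zero slope at both ends."""
    return t * t * (3.0 - 2.0 * t)


def value_noise(x: float, y: float, seed: int) -> float:
    """Section 10.1: 2-D value noise.  Hash the four lattice corners around (x, y)
    and blend them bilinearly with a smooth weight; the output lies in [0, 1)."""
    ix, iy = math.floor(x), math.floor(y)
    sx, sy = _smoothstep(x - ix), _smoothstep(y - iy)
    v00 = lattice_value(ix, iy, seed)
    v10 = lattice_value(ix + 1, iy, seed)
    v01 = lattice_value(ix, iy + 1, seed)
    v11 = lattice_value(ix + 1, iy + 1, seed)
    top = v00 + (v10 - v00) * sx
    bottom = v01 + (v11 - v01) * sx
    return top + (bottom - top) * sy


def noise_row(y: float, width: int, seed: int, scale: float = 0.25) -> list:
    """One scanline of noise samples, e.g. a row of a height map (constructed usage)."""
    return [value_noise(i * scale, y, seed) for i in range(width)]


if __name__ == "__main__":
    print(hex(color_from_seed(b"example seed")))          # constructed sample seed
    print(fragment_value(10, 20, 12345))                  # constructed sample fragment
    print([round(v, 3) for v in noise_row(2.5, 8, 12345)])
```

The seed is the only state the noise function carries, which is why keeping it fixed for a given map (as 10.1 asks) makes the terrain reproducible without storing it; at integer coordinates the blend weights are zero and `value_noise` returns the corner hash unchanged.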

10.2 Pseudorandom Functions

A pseudorandom function is a kind of hash function that takes—

- a secret (such as a password or a long-term key), and
- additional data such as a salt (which is designed to mitigate precomputation attacks) or a nonce,

and outputs a pseudorandom number. (If the output is encryption keys, the function is also called a key derivation function; see NIST SP 800-108.) Some pseudorandom functions deliberately take time to compute their output; these are designed above all for cases in which the secret is a password or is otherwise easy to guess—examples of such functions include PBKDF2 (RFC 2898), scrypt (RFC 7914), and Ethash. Pseudorandom functions are also used in proofs of work such as the one described in RFC 8019 sec. 4.4.

11 RNG Topics

This section discusses several important points on the use and selection of RNGs, including things to consider when shuffling or generating "unique" random identifiers.

11.1 Shuffling

In a list with N different items, there are N factorial (that is, 1 * 2 * ... * N, or N!) ways to arrange the items in that list. These ways are called permutations[^28].

In practice, an application can shuffle a list by doing a Fisher–Yates shuffle, which is unfortunately easy to mess up—see (Atwood 2007)[^29]—and is implemented correctly in another document of mine.

However, if a PRNG admits fewer seeds (and thus can produce fewer number sequences) than the number of permutations, then there are some permutations that that PRNG can't choose when it shuffles that list. (This is not the same as generating all permutations of a list, which, for a list big enough, can't be done by any computer in a reasonable time.)

On the other hand, for a list big enough, it's generally more important to have shuffles act random than to choose from among all permutations.

An application that shuffles a list can do the shuffling—

1. using a cryptographic RNG, preferably one with a security strength of b bits or greater, or
2. if a noncryptographic RNG is otherwise appropriate, using a high-quality PRNG that—
   - has a b-bit or bigger state, and
   - is initialized with a seed derived from data with at least b bits of entropy, or "randomness".

For shuffling purposes, b can usually be calculated by taking n factorial minus 1 (where n is the list's size) and calculating its bit length. A Python example is b = (math.factorial(n) - 1).bit_length(). See also (van Staveren 2000, "Lack of randomness")[^30]. For shuffling purposes, an application may limit b to 256 or greater, in cases when variety of permutations is not important. For other sampling tasks, the following Python examples show how to calculate b (integer division, //, keeps the quotient an exact integer, which is what has a bit_length() method; the factorial ratios below always divide exactly):

- Choosing k out of n different items at random, in random order: b = ((math.factorial(n) // math.factorial(n - k)) - 1).bit_length().
- Choosing k out of n different items at random, without caring about order (RFC 3797, sec. 3.3): b = ((math.factorial(n) // (math.factorial(k) * math.factorial(n - k))) - 1).bit_length().
- Shuffling d identical lists of c items: b = ((math.factorial(d * c) // (math.factorial(d) ** c)) - 1).bit_length().
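An added example (not code from this document or its author) that turns the calculations of b just listed into functions, adds a check of whether a PRNG's state or seed size reaches the b bits a list of a given size needs, and shows a Fisher–Yates shuffle whose indices come from a cryptographic RNG by default (Python's secrets module, listed for Python in section 9). The function names and the sample list sizes are this example's own.

```python
import math
import secrets


def bits_for_shuffle(n: int) -> int:
    """b for shuffling n different items: bit length of n! - 1."""
    return (math.factorial(n) - 1).bit_length()


def bits_for_ordered_choice(n: int, k: int) -> int:
    """b for choosing k of n items in random order: bit length of n!/(n-k)! - 1."""
    return (math.factorial(n) // math.factorial(n - k) - 1).bit_length()


def bits_for_unordered_choice(n: int, k: int) -> int:
    """b for choosing k of n items regardless of order (RFC 3797 sec. 3.3):
    bit length of n!/(k!(n-k)!) - 1."""
    return (math.factorial(n) // (math.factorial(k) * math.factorial(n - k)) - 1).bit_length()


def bits_for_identical_lists(d: int, c: int) -> int:
    """b for shuffling d identical lists of c items: bit length of (d*c)!/(d!)^c - 1."""
    return (math.factorial(d * c) // math.factorial(d) ** c - 1).bit_length()


def can_reach_all_permutations(state_or_seed_bits: int, n: int) -> bool:
    """A PRNG with fewer than b bits of state or seed cannot choose every
    permutation of an n-item list, whatever its statistical quality."""
    return state_or_seed_bits >= bits_for_shuffle(n)


def fisher_yates(items, randbelow=secrets.randbelow) -> list:
    """Return a shuffled copy of items.  randbelow(m) must return a uniform integer
    in [0, m); the default is the cryptographic RNG behind Python's secrets module.
    The candidate index must range over [0, i] inclusive, hence randbelow(i + 1):
    drawing from [0, i) instead is the classic mistake that biases the shuffle."""
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


if __name__ == "__main__":
    for n in (3, 10, 52, 100):  # constructed sample list sizes
        print(n, "items need b =", bits_for_shuffle(n), "bits")
    print("32-bit seed suffices for 12 items:", can_reach_all_permutations(32, 12))
    print("32-bit seed suffices for 13 items:", can_reach_all_permutations(32, 13))
    print(fisher_yates(range(10)))
```

The `randbelow` parameter exists so that the same shuffle routine can be driven by a manually seeded high-quality PRNG (case 2 of the list above) when reproducibility matters; the function itself never touches floating point, so its result depends only on the integers the RNG returns.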

11.2 Unique Random Identifiers

Some applications require generating unique identifiers, especially to identify database records or other shared resources. Examples of unique values include auto-incremented numbers, sequentially assigned numbers, primary keys of a database table, and combinations of these. Applications have also generated unique values at random.

The following are some questions to consider when generating unique identifiers:

1. Can the application easily check identifiers for uniqueness within the desired scope and range (e.g., check whether a file or database record with that identifier already exists)[^31]?

2. Can the application tolerate the risk of generating the same identifier for different resources[^32]?

3. Do identifiers have to be hard to guess, be simply "random-looking", or be neither?

4. Do identifiers have to be typed in or otherwise relayed by end users[^33]?

5. Is the resource an identifier identifies available to anyone who knows that identifier (even without being logged in or authorized in some way)?[^34]

6. Do identifiers have to be memorable?

Some applications may also care about "unique random" values. Generally, however, values that are both unique and random are impossible. Thus, applications that want "unique random" values have to either settle for numbers that merely "look random"; or check for or tolerate possible duplicates; or pair randomly generated numbers with unique ones.

If the application can settle for "random-looking" unique integers:

- The application can produce a unique N-bit integer and pass that integer to a function that maps N-bit integers to N-bit integers in a reversible way (also called a mixing function with reversible operations; see "Hash functions" by B. Mulvey). This includes using the unique integer as the seed for a "full-period" linear PRNG, that is, a linear PRNG that goes through all N-bit integers exactly once before repeating[^35].
- The application can generate unique integers greater than 0 and less than K as follows:
  1. Set U to 0, and choose F, an N-bit function described earlier, where N is the number of bits needed to store the number K-minus-1.
  2. Calculate F(U) then add 1 to U. If the result of F is less than K, output that result; otherwise, repeat this step.
  3. Repeat the previous step as needed to generate additional unique integers.

An application that generates unique identifiers should do so as follows:

- If the application can answer yes to question 1 or 2 above:
  - And yes to question 5: Generate a 128-bit-long or longer random integer using a cryptographic RNG.
  - And no to question 5: Generate a 32-bit-long or longer random integer using a cryptographic RNG.
- Otherwise:
  - If identifiers don't have to be hard to guess: Use a unique integer (either one that's naturally unique, or a randomly generated number that was checked for uniqueness).
  - If they do have to be hard to guess: Use a unique integer which is followed by a random integer generated using a cryptographic RNG (the random integer's length depends on the answer to question 5, as above).

This section doesn't discuss how to format a unique value into a text string (such as a hexadecimal or alphanumeric string), because ultimately, doing so is the same as mapping unique values one-to-one with formatted strings (which will likewise be unique).
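The following is an added example, not code from the original document, covering two passages of this section: the "random-looking" unique integers procedure (a full-period linear map as the reversible N-bit function F, walked with the set-U-to-0 loop above) and the "unique integer followed by a cryptographic random integer" recommendation. The multiplier and increment are arbitrary odd constants I chose; any odd multiplier makes the map a bijection on N-bit integers, as [^35] notes for power-of-two-modulus linear congruential generators. Function names are my own.

```python
import secrets

# Added example (not from the original page). F below is an LCG step modulo
# 2^N, which visits every N-bit integer exactly once, so feeding it U = 0, 1,
# 2, ... and keeping only outputs below K yields each integer in [0, K)
# exactly once in a scrambled order, as section 11.2 describes.
# The constants are arbitrary odd values chosen for this example.

MULTIPLIER = 0x9E3779B97F4A7C15  # odd, hence invertible modulo a power of two
INCREMENT = 0x2545F4914F6CDD1D   # odd


def full_period_map(u: int, nbits: int) -> int:
    """F: a bijection from N-bit integers to N-bit integers (LCG step mod 2^N)."""
    mask = (1 << nbits) - 1
    return (MULTIPLIER * u + INCREMENT) & mask


def full_period_map_inverse(f: int, nbits: int) -> int:
    """Undo full_period_map; demonstrates that the map is reversible."""
    modulus = 1 << nbits
    inv = pow(MULTIPLIER % modulus, -1, modulus)  # exists because MULTIPLIER is odd
    return ((f - INCREMENT) * inv) % modulus


def unique_integers_below(k: int):
    """Yield each integer in [0, k) exactly once, in a random-looking order.

    N is the number of bits needed to store k-1, as the page prescribes.
    Outputs of F that are k or larger are skipped; the walk covers all 2^N
    inputs, so exactly k values are produced."""
    if k < 1:
        return
    nbits = max(1, (k - 1).bit_length())
    u = 0
    while u < (1 << nbits):
        f = full_period_map(u, nbits)
        u += 1
        if f < k:
            yield f


def hard_to_guess_identifier(unique_integer: int, public_resource: bool) -> int:
    """A unique integer followed by a random part from a cryptographic RNG.

    The random part is 128 bits when anyone who knows the identifier can reach
    the resource (question 5 answered yes) and 32 bits otherwise, the widths
    the page recommends; packing both into one integer is my own choice."""
    random_bits = 128 if public_resource else 32
    return (unique_integer << random_bits) | secrets.randbits(random_bits)
```

Because F is a bijection, the generator never repeats a value and never needs a lookup table of values already issued; the cost is that it must be resumed from the last U, so U itself is the state an application has to persist.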

11.3 Verifiable Random Numbers

Verifiable random numbers are randomly generated numbers (such as seeds for PRNGs) that are disclosed along with all the information necessary to verify their generation. Usually, such information includes randomly generated values and/or uncertain data to be determined and publicly disclosed in the future. Techniques to generate verifiable random numbers (as opposed to cryptographic RNGs alone) are used whenever one party alone can't be trusted to produce a number at random. Verifiable random numbers that are disclosed publicly should not be used as encryption keys or other secret parameters.

Examples:

1. Generating verifiable randomness has been described in RFC 3797, which describes the selection process for the Nominations Committee (NomCom) of the Internet Engineering Task Force.

2. Verifiable delay functions calculate an output as well as a proof that the output was correctly calculated; these functions deliberately take much more time to calculate the output (e.g., to generate a random-behaving number from public data) than to verify its correctness.[^36] In many cases, such a function deliberately takes much more time than the time allowed to contribute randomness to that function.[^37]

3. In a so-called commitment scheme, one computer generates data to be committed (e.g. a randomly generated number or a chess move), then reveals its hash code or digital signature (commitment), and only later reveals to all participants the committed data (along with other information needed, if any, to verify that the data wasn't changed in between). Examples of commitment schemes are hash-based commitments.[^37]

4. So-called mental card game (mental poker) schemes can be used in networked games where a deck of cards has to be shuffled and dealt to players, so that the identity of some cards is known to some but not all players.[^37]
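The hash-based commitment named in example 3, as an added worked example in Python that is not part of the original document: a committer publishes a SHA-256 digest first and the committed data later, and a verifier checks that the opening reproduces the digest. The message layout (a 32-byte random nonce, a length prefix, then the data) and the XOR combination of the opened numbers are my own choices; the page specifies no format.

```python
import hashlib
import secrets
from typing import NamedTuple

# Added example (not from the original page): a hash-based commitment
# played out between a committer and a verifier, as in example 3 above.


class Commitment(NamedTuple):
    digest: bytes   # published first: SHA-256(nonce || length || data)


class Opening(NamedTuple):
    nonce: bytes    # published later, together with the committed data
    data: bytes


def _digest(nonce: bytes, data: bytes) -> bytes:
    # The length prefix keeps the (nonce, data) split unambiguous.
    h = hashlib.sha256()
    h.update(nonce)
    h.update(len(data).to_bytes(8, "big"))
    h.update(data)
    return h.digest()


def commit(data: bytes):
    """Committer's first message: publish only the digest; keep the opening private.

    The random nonce hides low-entropy data (a chess move, a small number)
    from a verifier who could otherwise hash every candidate value."""
    nonce = secrets.token_bytes(32)
    return Commitment(_digest(nonce, data)), Opening(nonce, data)


def verify(commitment: Commitment, opening: Opening) -> bool:
    """Verifier: accept only if the opening reproduces the published digest."""
    expected = _digest(opening.nonce, opening.data)
    return secrets.compare_digest(expected, commitment.digest)


def joint_random_value(openings) -> int:
    """Combine every party's revealed number by XOR once all commitments are open.

    Because each party committed before seeing the others' values, no single
    party can steer the result (the property section 11.3 is after)."""
    result = 0
    for opening in openings:
        result ^= int.from_bytes(opening.data, "big")
    return result
```

The order of messages matters: every party's commitment must be received before any opening is disclosed, otherwise the last party to reveal can choose its value to fix the outcome, and a party that never opens its commitment has to be treated as having aborted the protocol rather than simply ignored.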

12 Guidelines for New RNG APIs

This section contains guidelines for those seeking to implement RNGs designed for wide reuse (such as in a programming language's standard library). As mentioned earlier, an application should use existing RNG implementations whenever possible.

This section contains suggested requirements on cryptographic and high-quality RNGs that a new programming language can choose to adopt.

12.1 Cryptographic RNGs: Requirements

A cryptographic RNG generates random bits that behave like independent uniform random bits, such that an outside party has no more than negligible advantage in correctly guessing prior or future unseen output bits of that RNG even after knowing how the RNG works and/or extremely many outputs of the RNG, or prior unseen output bits of that RNG after compromising its security, such as reading its internal state.[^38]

If a cryptographic RNG implementation uses a PRNG:

- Let S be the security strength of the RNG. S is at least 128 bits and should be at least 256 bits.
- Before the RNG generates a pseudorandom number, the RNG has to have been initialized to a state that ultimately derives from data that, as a whole, is at least as hard to guess as an ideal process of generating S many independent uniform random bits[^39].

A cryptographic RNG is not required to reseed itself.

Examples: The following are examples of cryptographic RNGs:

- Randomness extractors or cryptographic hash functions that take very hard-to-predict signals from two or more nondeterministic sources as input.
- A "fast-key-erasure" generator described by D.J. Bernstein in his blog (Bernstein 2017)[^40].
- The Hash_DRBG and HMAC_DRBG generators specified in NIST SP 800-90A. The SP 800-90 series goes into further detail on how RNGs appropriate for information security can be constructed, and inspired much of this section.
- An RNG made up of two or more independently initialized cryptographic RNGs of different designs.[^41]
- RFC 8937 describes an RNG that hashes another cryptographic RNG's output with a secret value derived from a long-term key.
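The HMAC_DRBG construction named in the third example, as an added worked example in Python that is not part of the original document: it follows the SP 800-90A Update, Instantiate, Reseed and Generate steps over SHA-256 as I know them, and enforces the requirement above that the initial state derive from at least S = 256 bits of hard-to-guess data. The class and method names are mine, and the sample entropy inputs in the usage are constructed constants, not real seed material.

```python
import hashlib
import hmac
import os

# Added example (not from the original page): HMAC_DRBG over SHA-256 as
# specified in NIST SP 800-90A, section 10.1.2, with the 256-bit entropy
# minimum from section 12.1 of the page enforced at instantiation.


def entropy_is_sufficient(entropy: bytes, strength_bits: int = 256) -> bool:
    """Length check only: the caller is responsible for the data being hard to guess."""
    return len(entropy) * 8 >= strength_bits


class HmacDrbg:
    OUTLEN = 32                 # SHA-256 output length in bytes
    SECURITY_STRENGTH = 256     # bits; "should be at least 256 bits"
    RESEED_INTERVAL = 1 << 48   # SP 800-90A maximum requests between reseeds

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if not entropy_is_sufficient(entropy, self.SECURITY_STRENGTH):
            raise ValueError("entropy input must carry at least 256 bits")
        self._k = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: fold provided_data into (K, V).
        self._k = self._hmac(self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._v)
        if provided_data:
            self._k = self._hmac(self._v + b"\x01" + provided_data)
            self._v = self._hmac(self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        """Optional: a cryptographic RNG is not required to reseed itself."""
        if not entropy_is_sufficient(entropy, self.SECURITY_STRENGTH):
            raise ValueError("entropy input must carry at least 256 bits")
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate: return nbytes of output, then refresh (K, V)."""
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self._v = self._hmac(self._v)
            out += self._v
        self._update(additional_input)   # backtracking resistance for this request
        self._reseed_counter += 1
        return out[:nbytes]


def system_seeded_drbg() -> HmacDrbg:
    """Instantiate from the OS entropy source, as an application would."""
    return HmacDrbg(os.urandom(32), nonce=os.urandom(16))
```

Two things to notice: instantiation with the same entropy, nonce and personalization string is deterministic (which is why those inputs must come from a nondeterministic source in production, never from constants as in the test vectors), and the final _update after each request means that an attacker who later reads (K, V) cannot recover output already handed out.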

12.2 High-Quality RNGs: Requirements

A PRNG is a high-quality RNG if—

- it generates bits that behave like independent uniform random bits (at least for nearly all practical purposes outside of information security),
- the number of different seeds the PRNG admits without shortening or compressing those seeds is 2^63 or more (that is, the PRNG can produce any of at least 2^63 different number sequences, which it can generally do only if the PRNG has at least 63 bits of state), and
- it either—
  - provides multiple sequences that are different for each seed, have at least 2^64 numbers each, do not overlap, and behave like independent sequences of numbers (at least for nearly all practical purposes outside of information security),
  - has a maximum "random" number cycle length equal to the number of different seeds the PRNG admits, or
  - has a minimum "random" number cycle length of 2^127 or greater.

Every cryptographic RNG is also a high-quality RNG.

Where a noncryptographic PRNG is appropriate, an application should use, if possible, a high-quality PRNG that admits any of 2^127 or more seeds. (This is a recommendation, since as stated above, high-quality PRNGs are required to admit only 2^63 or more seeds.)

Examples: Examples of high-quality PRNGs include xoshiro256**, xoroshiro128**, xoroshiro128++, Philox4×64-7, and SFC64. I give additional examples in a separate page.

12.3 Designs for PRNGs

The following are some ways a PRNG can be implemented:

- As a stateful object that stores an internal state and transforms it each time a "random" number is generated. This kind of PRNG is initialized by converting a seed to an internal state.
- As a (stateless) function that transforms an internal state and outputs "random" numbers and the transformed state. This design is often seen in Haskell and other functional programming languages.
- As a (stateless) "splittable PRNG", further described in my document on testing PRNGs.

12.4 Implementing New RNG APIs

A programming language API designed for reuse by applications could implement RNGs using the following guidelines:

1. The RNG API can include a method that fills one or more memory units (such as 8-bit bytes) completely with random bits. See example 1.

2. If the API implements an automatically-seeded RNG, it should not allow applications to initialize that same RNG with a seed for reproducible "randomness"[^42] (it may provide a separate PRNG to accept such a seed). See example 2.

3. If the API provides a PRNG that an application can seed for reproducible "randomness", it should document that PRNG and any methods the API provides that use that PRNG (such as shuffling and Gaussian number generation), and should not change that PRNG or those methods in a way that would change the "random" numbers they deliver for a given seed. See example 2.

4. A new programming language's standard library ought to include the following methods for generating numbers that behave like independent uniformly distributed numbers (see my document on randomization and sampling methods for details).

   - Four methods for integers: 0 to n including n, 0 to n excluding n, a to b including b, and a to b excluding b.
   - A method to sample real numbers from the open interval (a, b).

Examples:

1. A C language RNG method for filling memory could look like the following: int random(uint8_t bytes[], size_t size);, where bytes is a pointer to an array of 8-bit bytes, and size is the number of random 8-bit bytes to generate, and where 0 is returned if the method succeeds and nonzero otherwise.

2. A Java API that follows these guidelines can contain two classes: a RandomGen class that implements an unspecified but general-purpose RNG, and a RandomStable class that implements an SFC64 PRNG that is documented and will not change in the future. RandomStable includes a constructor that takes a seed for reproducible "randomness", while RandomGen does not. Both classes include methods described in point 4, but RandomStable specifies the exact algorithms to those methods and RandomGen does not. At any time in the future, RandomGen can change its implementation to use a different RNG while remaining backward compatible, while RandomStable has to use the same algorithms for all time to remain backward compatible, especially because it takes a seed for reproducible "randomness".
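The two-class design of example 2, as an added example in Python that is not code from the original document or from any library: RandomStable wraps an SFC64 core (the step function is as I recall it from PractRand; the seeding and warm-up procedure here is my own choice, so the numbers it produces are those of this example, not of any published SFC64 test vector) and accepts a seed; RandomGen takes no seed and draws from the platform's cryptographic RNG through the secrets module, so its implementation is free to change. Both share the four integer range methods and the open-interval real method of point 4, plus the fill-memory method of guideline 1; all method names are mine.

```python
import secrets

# Added example (not from the original page): a seedable, pinned PRNG class
# and an automatically seeded class sharing one set of range methods, the
# RandomStable / RandomGen split described in example 2 of section 12.4.

MASK64 = (1 << 64) - 1


def _rotl64(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


class _RangeMethods:
    """Unbiased range methods built on a 64-bit source (next_u64)."""

    def next_u64(self) -> int:
        raise NotImplementedError

    def next_below(self, n: int) -> int:
        """0 to n excluding n; rejection sampling removes modulo bias."""
        if n <= 0 or n > (1 << 64):
            raise ValueError("n must be in 1..2^64")
        limit = (1 << 64) - ((1 << 64) % n)  # largest multiple of n that fits
        while True:
            x = self.next_u64()
            if x < limit:
                return x % n

    def next_including(self, n: int) -> int:
        """0 to n including n."""
        return self.next_below(n + 1)

    def next_range_excluding(self, a: int, b: int) -> int:
        """a to b excluding b."""
        return a + self.next_below(b - a)

    def next_range_including(self, a: int, b: int) -> int:
        """a to b including b."""
        return a + self.next_below(b - a + 1)

    def next_open(self, a: float, b: float) -> float:
        """Real number in the open interval (a, b); retries if rounding hits an endpoint."""
        while True:
            u = ((self.next_u64() >> 11) + 1) / ((1 << 53) + 1)  # strictly inside (0, 1)
            r = a + (b - a) * u
            if a < r < b:
                return r

    def fill_bytes(self, size: int) -> bytes:
        """Fill `size` 8-bit bytes completely with random bits (guideline 1)."""
        out = bytearray()
        while len(out) < size:
            out += self.next_u64().to_bytes(8, "little")
        return bytes(out[:size])


class RandomStable(_RangeMethods):
    """Seedable, documented PRNG (SFC64 core); its output for a seed must never change."""

    def __init__(self, seed: int):
        self.a = self.b = self.c = seed & MASK64
        self.counter = 1
        for _ in range(12):  # warm-up rounds so that nearby seeds diverge
            self.next_u64()

    def next_u64(self) -> int:
        tmp = (self.a + self.b + self.counter) & MASK64
        self.counter = (self.counter + 1) & MASK64
        self.a = self.b ^ (self.b >> 11)
        self.b = (self.c + (self.c << 3)) & MASK64
        self.c = (_rotl64(self.c, 24) + tmp) & MASK64
        return tmp


class RandomGen(_RangeMethods):
    """Automatically seeded; no seed constructor, so the backing RNG may change later."""

    def next_u64(self) -> int:
        return secrets.randbits(64)
```

RandomStable's 256-bit state (three 64-bit words plus the counter) and 64-bit seed put it within the section 12.2 requirements, but because the seed is the only input, a program that needs unpredictable numbers must use RandomGen; the seedable class exists for reproducibility, not for secrecy.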

13 Acknowledgments

I acknowledge—

the commenters to the CodeProject version of this page (as well as a similar article of mine on CodeProject), including "Cryptonite" and member 3027120, Sebastiano Vigna, Severin Pappadeux, and Lee Daniel Crocker, who reviewed this document and gave comments.

14 Notes

[^1]: See also the question titled "Matlab rand and c++ rand()" on Stack Overflow.

[^2]: A distinction between cryptographic and noncryptographic RNGs seems natural, because many programming languages offer a general-purpose RNG (such as C's rand or Java's java.util.Random) and sometimes an RNG intended for information security purposes (such as Ruby's SecureRandom).

[^3]: For example, see F. Dörre and V. Klebanov, "Practical Detection of Entropy Loss in Pseudo-Random Number Generators", 2016.

[^4]: Items that produce numbers or signals that follow a non-uniform distribution are not considered RNGs in this document. (For example, Gaussian and similar noise generators are not considered RNGs.) Many of these items, however, typically serve as sources from which uniform random-behaving integers can be derived through randomness extraction techniques (see "Seed Generation"). Likewise, items that produce floating-point numbers are not considered RNGs here, even if they sample from a uniform distribution. An example is the dSFMT algorithm, which ultimately uses a generator of pseudorandom integers.

[^5]: See also the FIPS 200 definition ("The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability") and ISO/IEC 27000.

[^6]: However, some versions of GLSL (notably GLSL ES 1.0, as used by WebGL 1.0) might support integers with a restricted range (as low as -1024 to 1024) rather than 32-bit or bigger integers as are otherwise common, making it difficult to write hash functions for generating pseudorandom numbers. An application ought to choose hash functions that deliver acceptable "random" numbers regardless of the kinds of numbers supported.

An alternative for GLSL and other fragment or pixel shaders to support randomness is to have the shader sample a "noise texture" with random data in each pixel; for example, C. Peters, "Free blue noise textures", Moments in Graphics, Dec. 22, 2016, discusses how so-called "blue noise" can be sampled this way.

See also N. Reed, "Quick And Easy GPU Random Numbers In D3D11", Nathan Reed's coding blog, Jan. 12, 2013.

[^7]: For more information, see "Floating-Point Determinism" by Bruce Dawson, the white paper "Floating Point and IEEE 754 Compliance for NVIDIA GPUs", and an Intel webinar.

[^8]: For integers, this problem also occurs, but is generally limited to the question of rounding after an integer division or remainder, which different programming languages answer differently.

[^9]: Fixed-point numbers are integers that store multiples of 1/n (e.g. 1/10000, 1/256, or 1/65536). Their resolution doesn't vary depending on the number, unlike with floating-point numbers. "The Butterfly Effect - Deterministic Physics in The Incredible Machine and Contraption Maker" is one use case showing how fixed-point numbers aid reproducibility. I have written a sample Python implementation of fixed-point numbers.

[^10]: Leiserson, C.E., et al., "Deterministic Parallel Random-Number Generation for Dynamic Multithreading Platforms", 2012.

[^11]: Müller, S. "CPU Time Jitter Based Non-Physical True Random Number Generator".

[^12]: Liebow-Feeser, J., "Randomness 101: LavaRand in Production", blog.cloudflare.com, Nov. 6, 2017.

[^13]: Liebow-Feeser, J., "LavaRand in Production: The Nitty-Gritty Technical Details", blog.cloudflare.com, Nov. 6, 2017.

[^14]: Rather than generating a seed, these steps could be a way to simulate a source of numbers chosen independently and uniformly at random. However, this is generally slower than using PRNGs to simulate that source.

[^15]: For example, many questions on Stack Overflow highlight the pitfalls of creating a new instance of the .NET Framework's System.Random each time pseudorandom numbers are needed, rather than only once in the application. See also Johansen, R.S., "A Primer on Repeatable Random Numbers", Unity Blog, Jan. 7, 2015.

[^16]: Salmon, John K., Mark A. Moraes, Ron O. Dror, and David E. Shaw. "Parallel random numbers: as easy as 1, 2, 3." In Proceedings of 2011 International Conference for High Performance Computing, Networking, Storage and Analysis, pp. 1-12. 2011.

[^17]: P. L'Ecuyer, D. Munger, et al. "Random Numbers for Parallel Computers: Requirements and Methods, With Emphasis on GPUs", April 17, 2015, section 4, goes in greater detail on ways to initialize PRNGs for generating pseudorandom numbers in parallel, including how to ensure reproducible "randomness" this way if that is desired.

[^18]: For single-cycle PRNGs, the probability of overlap for N processes each generating L numbers with a PRNG whose cycle length is P is at most N * N * L / P (S. Vigna, "On the probability of overlap of random subsequences of pseudorandom number generators", Information Processing Letters 158 (2020)). Using two or more PRNG designs can reduce correlation risks due to a particular PRNG's design. For further discussion and an example of a PRNG combining two different PRNG designs, see Agner Fog, "Pseudo-Random Number Generators for Vector Processors and Multicore Processors", Journal of Modern Applied Statistical Methods 14(1), article 23 (2015).

[^19]: Bauke and Mertens, "Random numbers for large-scale distributed Monte Carlo simulations", 2007.

[^20]: Besides the seed, other things are hashed that together serve as a domain separation tag (see, e.g., the work-in-progress document "draft-irtf-cfrg-hash-to-curve"). Note the following:
- In general, hash functions carry the risk that two processes will end up with the same PRNG seed (a collision risk) or that a seed not allowed by the PRNG is produced (a "rejection risk"), but this risk decreases the more seeds the PRNG admits (see "Birthday problem").
- M. O'Neill (in "Developing a seed_seq Alternative", Apr. 30, 2015) developed hash functions (seed_seq_fe) that are designed to avoid collisions if possible, and otherwise to reduce collision bias. For example, seed_seq_fe128 hashes 128-bit seeds to 128-bit or longer unique values.
- An application can handle a rejected seed by hashing with a different value or by using a backup seed instead, depending on how tolerant the application is to bias.
- See also Matsumoto, M., et al., "Common defects in initialization of pseudorandom number generators", ACM Transactions on Modeling and Computer Simulation 17(4), Sep. 2007.

[^21]: Using the similar /dev/random is not recommended, since in some implementations it can block for seconds at a time, especially if not enough randomness is available. See also "Myths about /dev/urandom".

[^22]: Wetzels, J., "33C3: Analyzing Embedded Operating System Random Number Generators", samvartaka.github.io, Jan. 3, 2017.

[^23]: B. Peng, "Two Fast Methods of Generating True Random Numbers on the Arduino", GitHub Gist, December 2017.

[^24]: A. Klyubin, "Some SecureRandom Thoughts", Android Developers Blog, Aug. 14, 2013.

[^25]: Michaelis, K., Meyer, C., and Schwenk, J. "Randomly Failed! The State of Randomness in Current Java Implementations", 2013.

[^26]: There are many kinds of noise, such as procedural noise (including Perlin noise, cellular noise, and value noise), colored noise (including white noise and pink noise), periodic noise, and noise following a Gaussian or other probability distribution. See also two articles by Red Blob Games: "Noise Functions and Map Generation" and "Making maps from noise functions".

[^27]: Noise functions include functions that combine several outputs of a noise function, including by fractional Brownian motion. By definition, noise functions deliver the same output for the same input.

[^28]: More generally, a list has N! / (W_1! * W_2! * ... * W_K!) permutations (a multinomial coefficient), where N is the list's size, K is the number of different items in the list, and W_i is the number of times the item identified by i appears in the list. However, this number is never more than N! and suggests using less randomness, so an application need not use this more complicated formula and may assume that a list has N! permutations even if some of its items occur more than once.

[^29]: Atwood, Jeff. "The danger of naïveté", Dec. 7, 2007.

[^30]: van Staveren, Hans. "Big Deal: A new program for dealing bridge hands", Sep. 8, 2000.

[^31]: For applications distributed across multiple computers (e.g., servers), this check is made easier if each computer is assigned a unique value from a central database, because then the computer can use that unique value as part of unique identifiers it generates and ensure that the identifiers are unique across the application without further contacting other computers or the central database. An example is Twitter's Snowflake service.

[^32]: In theory, generating two or more random integers of the same size runs the risk of producing a duplicate number this way. However, this risk decreases as that size increases (see "Birthday problem"). For example, in theory, an application has a 50% chance for duplicate numbers after generating—
- about 2.7 billion billion random 122-bit integers (including those found in version-4 UUIDs, or universally unique identifiers),
- about 1.4 million billion billion random 160-bit integers, or
- about 93 billion billion billion random 192-bit integers.

[^33]: If an application expects end users to type in a unique identifier, it could find that very long unique identifiers are unsuitable for it (e.g. 128-bit numbers take up 32 base-16 characters). There are ways to deal with these and other long identifiers, including (1) separating memorable chunks of the identifier with a hyphen, space, or another character (e.g., "ABCDEF" becomes "ABC-DEF"); (2) generating the identifier from a sequence of memorable words (as in Electrum or in Bitcoin's BIP39); or (3) adding a so-called "checksum digit" at the end of the identifier to guard against typing mistakes. The application ought to consider trying (1) or (2) before deciding to use shorter identifiers than what this document recommends.

[^34]: Note that the insecure direct object references problem can occur if an application enables access to a sensitive resource via an easy-to-guess identifier, but without any access control checks.

[^35]: "Full-period" linear PRNGs include so-called linear congruential generators with a power-of-two modulus. For examples of those, see tables 3, 5, 7, and 8 of Steele and Vigna, "Computationally easy, spectrally good multipliers for congruential pseudorandom number generators", arXiv:2001.05304 [cs.DS].

[^36]: Verifiable delay functions are different from proofs of work, in which there can be multiple correct answers. These functions were first formally defined in Boneh, D., Bonneau, J., et al., "Verifiable Delay Functions", 2018, but such functions appeared earlier in Lenstra, A.K., Wesolowski, B., "A random zoo: sloth, unicorn, and trx", 2015.

[^37]: It is outside the scope of this page to explain how to build a protocol using verifiable delay functions, commitment schemes, or mental card game schemes, especially because such protocols are not yet standardized for general use and few implementations of them are used in production.

[^38]: Implementing a cryptographic RNG involves many security considerations, including these:
1. If an application runs code from untrusted sources in the same operating system process in which a cryptographic RNG's state is stored, it's possible for malicious code to read out that state via side-channel attacks. A cryptographic RNG should not be implemented in such a process. See (A) and see also (B).
2. A cryptographic RNG's state could be reused due to process forking or virtual machine snapshot resets. See (C) and (D), for example.
3. If a cryptographic RNG is not "constant-time" (the RNG is data-dependent), its timing differences could be exploited in a security attack.

(A) "Post-Spectre Threat Model Re-Think" in the Chromium source code repository (May 29, 2018).
(B) Bernstein, D.J. "Entropy Attacks!", Feb. 5, 2014.
(C) Everspaugh, A., Zhai, Y., et al. "Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG", 2014.
(D) Ristenpart, T., Yilek, S. "When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography", 2010.
For a detailed notion of a secure RNG, see Coretti, Dodis, et al., "Seedless Fruit is the Sweetest: Random Number Generation, Revisited", 2019.

[^39]: This data can come from nondeterministic sources, and also include process identifiers, timestamps, environment variables, pseudorandom numbers, virtual machine guest identifiers, and/or other data specific to the session or to the instance of the RNG. See also NIST SP 800-90A and the previous note.

[^40]: Bernstein, D.J. "Fast-key-erasure random number generators", Jun. 23, 2017.

[^41]: An example is the "shrinking generator" technique to combine two RNGs; see J.D. Cook, "Using one RNG to sample another", June 4, 2019, for more.

[^42]: Allowing applications to do so would hamper forward compatibility—the API would then be less free to change how the RNG is implemented in the future (e.g., to use a cryptographic or otherwise "better" RNG), or to make improvements or bug fixes in methods that use that RNG (such as shuffling and Gaussian number generation). (As a notable example, the V8 JavaScript engine recently changed its Math.random() implementation to use a variant of xorshift128+, which is backward compatible because nothing in JavaScript allows Math.random() to be seeded.) Nevertheless, APIs can still allow applications to provide additional input ("entropy") to the RNG in order to increase its randomness rather than to ensure repeatability.

15 License

Any copyright to this page is released to the Public Domain. In case this is not possible, this page is also licensed under Creative Commons Zero.

