In a old post, I was asserting that randomness doesn't exist un computer science, but today I would like to explain you why it doesn't exist, or at least doesn't really exist.
Because yes, we need to be cautious when talking about generating random numbers using computers.
We can list three different types of random in computer science :
- Absolute random (theoritical)
- Realistic random (extrinsic)
- Pseudo-random (intrinsic)
Now let's see the difference between those three concepts in a simple and understandable way.
1 - Absolute random
Let's start by defining the global randomness notion using one of its synonym : random means unpredictible.
Because nature is well made, we can find random all around us. The laws of our universe are described by a science field called "quantum physics".
Don't be scared, no need to be a physicist to understand the rest of this article.
One charactersitic of quantum physics is its unpredictability because it doesn't rely on precise known mesures, but on a set of probabilities.
To give you an example, without going deep into the details, it is physically impossible to predict exactly the desintegration speed of an atom (this is one of the many examples).
Here, impossible doesn't mean "impossible because of technical limitations", but really impossible according to physics laws.
Knowing that, we can say there are true examples of absolute random happening in nature.
In the case where a computer science system could precisely evaluate this desintegration at that moment t in an efficient way, we would be able to generate a perfectly random number.
A number absolutely unpredictible.
As a matter of fact, integrating such measuring tools inside lambda computers is unthinkable, therefor explaining why absolute randomness in classical computer science doesn't exists.
At the opposite side, a said "quantum" computer would be perfectly able to generate an absolute random number because is operation directly relies on this non-deterministic physics.
For our classical computer science, the one we use everyday, we need to rely on more realistic methods I'm going to introduce you below.
2 - Realistic random
The goal for a random number, specially in cryptography, is being unpredictible enough for an attacker not to be able to guess its value.
Fortunately, are computers are able to produce such numbers, except their system being based on logic they need help from outside the system in the form of unpredictible data.
By using external data (extrinsic), we are able to generate a random-enough number to be used under real conditions.
For example, such a function will you the current position of the mouse pointer, the cooling-system fan speed, or the CPU temperature to generate a random number.
Even if those values are not perfectly random (scientifically speaking), it would be extremely difficult to predict the exact values of these numbers.
This type of realistic random is therefor strong enough for criticial operations, crypto for example, but not absolute.
Nonetheless, it means that if an attacker had a direct access to the machine itself, he could (in theory) reproduce these random numbers by intercepting the data used for generation.
There even are experiences showing it is possible to decrypt an RSA key analysing the sound of the machine's fans : https://www.cs.tau.ac.il/~tromer/acoustic/
3 - Pseudo-random
Here we're talking about the most common type of random, which uses the internal (intrinsic) parameters of the computer and is mainly used for business logic like returning an array randomly sorted.
Most of the time these methods use mathematical functions and a time factor to generate a "quasi-random", good enough for a non-critical use, but far from being secure.
I hope this post was useful to you, see you soon on the blog !
About the author
Hi, I am Nicolas Brondin-Bernard, freelance web engineer since 2015 with a passion for sharing knownledge and experiences.
I'm also a coach for junior web developers, you can message me on firstname.lastname@example.org, on my website or follow me on social networks like Twitter to avoid missing the bests posts or my future projects!