Random number generation
What Is Random Number Generation?
Random number generation is the process of producing values that lack predictable patterns and satisfy statistical criteria for randomness. In computing and communications, the process divides into two fundamentally different approaches: true random number generators (TRNGs), which derive unpredictability from physical entropy sources, and pseudorandom number generators (PRNGs), which use deterministic algorithms seeded with an initial value to produce long sequences that pass statistical tests for randomness. The distinction matters most in security applications, where predictable outputs can be exploited by an adversary, but also in scientific simulation, where the quality of the random sequence directly affects the validity of the results.
Random number generation draws on probability theory, information theory, and computational complexity. The sequences produced are closely related to the study of random sequences, which concerns the formal mathematical properties that define what it means for a sequence to be "random" in a theoretical sense.
True Random Number Generators
A TRNG samples a physical source of entropy whose output cannot be predicted even with full knowledge of the system's prior state. Common entropy sources include thermal noise in resistors, shot noise in semiconductor junctions, radioactive decay timing, and photon arrival times in optical systems. Operating system entropy pools, such as /dev/random on Linux systems, accumulate entropy from hardware interrupts, keyboard timing, and disk I/O and deliver it to applications on demand. The throughput of a TRNG is limited by the rate at which the physical source produces entropy, which makes pure TRNGs impractical for applications requiring large volumes of random data rapidly. In practice, TRNGs are used to generate seed values that initialize PRNGs, combining physical unpredictability with computational speed.
Pseudorandom Number Generators
A PRNG is a deterministic algorithm that, given an initial seed value, produces a sequence of numbers that appears random by statistical measures but is fully determined by the seed. The linear congruential generator, one of the earliest and simplest algorithms, updates the state as x_(n+1) = (a * x_n + c) mod m with specific constants a, c, and m. More sophisticated designs such as the Mersenne Twister (1998) produce sequences with a period of 2^19937 - 1 that pass a wide battery of statistical tests, making it suitable for scientific simulation. For cryptographic applications, a much stronger guarantee is required: the next output must be computationally indistinguishable from a truly random value even to an adversary who has observed all previous outputs. Cryptographically secure PRNGs (CSPRNGs), such as those specified in the NIST SP 800-90A standard, are based on hash functions, block ciphers, or elliptic curve computations that make backward inference computationally infeasible.
Cryptographic Requirements and Testing
Cryptographic applications impose requirements beyond simple statistical uniformity. A CSPRNG must pass the next-bit test: no polynomial-time algorithm should predict the next bit with probability significantly better than one-half, given all previous bits. NIST evaluates generators against this standard through the NIST SP 800-22 statistical test suite, which applies 15 distinct tests including frequency, runs, and discrete Fourier transform tests. Failures in any test indicate structure in the output that may be exploitable. Hardware security modules and cryptographic chips incorporate TRNG-seeded CSPRNGs that continuously reseed from ongoing hardware entropy, a design that limits the damage from any single seed compromise. An independent analysis of cryptographically secured pseudorandom generators tested against NIST methods confirms that standard constructions meet the required thresholds under normal operating conditions.
Applications
Random number generation is fundamental across a broad range of computing and engineering disciplines, including:
- Cryptographic key generation, nonce production, and initialization vector selection in secure communications protocols
- Monte Carlo simulation in physics, finance, and engineering design
- Procedural content generation in video game environments and synthetic training data
- Statistical sampling in survey methodology and clinical trial randomization
- Lottery and gaming systems where auditability of randomness is a regulatory requirement