What's the difference between a random number and a pseudo-random number?

I’m not sure exactly what you’re asking, but to decrypt stuff (the nice way) you need to know the key (either a symmetric key or part of a public/private keypair.) Random number generators are used to make random keys.

Years ago, I can’t remember where, but I saw a blog-style post of a guy who used a web cam of the sky/clouds overhead for this sort of thing.

Lava lamps are used for that too: Lavarand - Wikipedia

Ok. I remember–broadly–those principles.

In some other thread sometime I’ll ask some dumb cryptography questions…:wink:

I just have to add this quote by John Von Neumann: “Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin.”

Computers can’t come up with truly random numbers. They have complicated formulas which produce numbers which are random enough for most uses, but it’s just a formula. If you know the formula and the number it started with, you could compute each and every number produced.

Let’s take a simple example. Let’s say the formula the computer uses to produce random numbers is this:

R = R * 2 [The next random number is the current random number times two]

(Yes, that’s a terrible equation for random numbers, but it will work for this example.)

The seed is like setting the first random number. So if you seed it with 10, you’ll get the random numbers 20, 40, 80 … If you seed it with 15, you’ll get 30, 60, 120 …

Those “random” numbers will work for some programs which just need sort of random numbers. But if you have a security need for random numbers, those numbers aren’t random enough. A crook may be able to guess the seed number and then they will know the random number sequence. They may be able to use that knowledge to break the security key.

A common way to set the seed is by using the current system time in milliseconds. This works fine for non-security uses. But if you need random numbers for a security implementation, it’s bad. If a crook can figure out what time your program started, he can figure out the seed used and he will have a much easier time breaking the security.
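To put a number on the time-seed problem described in the post above, here is an added example (not part of the original thread) that issues a 128-bit token from a PRNG seeded with a millisecond clock value, shows that the seed is found by checking a few thousand candidates, and contrasts it with a token from the operating system's CSPRNG. Python's `random` module stands in for the "simple formula" generator; the function names and the timestamps are constructed for illustration.

```python
import math
import random
import secrets

def weak_token(seed_ms: int) -> str:
    """128-bit token from a PRNG seeded with a clock value (the risky pattern)."""
    return "%032x" % random.Random(seed_ms).getrandbits(128)

def strong_token() -> str:
    """128-bit token from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(16)

def effective_bits(window_ms: int) -> float:
    """Real uncertainty of a time seed known to within +/- window_ms."""
    return math.log2(2 * window_ms + 1)

def recover_seed(token: str, estimate_ms: int, window_ms: int):
    """Check every millisecond within the window around an estimated start time."""
    for candidate in range(estimate_ms - window_ms, estimate_ms + window_ms + 1):
        if weak_token(candidate) == token:
            return candidate
    return None

# Constructed sample values: true start time and an estimate about 3.5 s off.
START_MS = 1_700_000_123_456
ESTIMATE_MS = 1_700_000_120_000

def demo():
    token = weak_token(START_MS)
    found = recover_seed(token, ESTIMATE_MS, 5_000)
    # With the seed known, every later output of the generator is known too.
    original, replay = random.Random(START_MS), random.Random(found)
    original.getrandbits(128), replay.getrandbits(128)   # skip the first token
    next_matches = original.getrandbits(128) == replay.getrandbits(128)
    return found, next_matches

if __name__ == "__main__":
    print("seed recovered / next token predicted:", demo())
    print("effective bits of the 128-bit weak token: %.1f" % effective_bits(5_000))
    print("CSPRNG token:", strong_token())
```

The token looks like 128 bits, but its strength is the size of the seed search space, about 13 bits for a ten-second window.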

Here is an example of the value of deterministic pseudo-random number generators. One way of testing ICs is Built-In Self Test (BIST), which works by using a linear feedback shift register implemented in hardware, which is basically polynomial division. These are designed to generate 2**n-1 random numbers, where n is the size of the LFSR (You can’t have the all 0 value) without repeating. These get applied to the circuit, the results compressed, and then checked against the expected value. The value is predicted by simulating the patterns as applied to the circuit, and so the values had better be repeatable. They start with a seed, and various methods to move to different parts of the number space use reseeding after some time. By careful selection of the seeds you can even force the sequence to have some properties you want.

There is even a big book of polynomials, or so I’ve heard.
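The LFSR behaviour described in the BIST post, as an added example that is not part of the original thread: a software Fibonacci LFSR showing the 2**n-1 period for a well-chosen polynomial, the shorter period for a poorly chosen one, the all-zero lock-up state, and the repeatability that reseeding relies on. The tap sets (4,3) and (8,6,5,4) are standard maximal-length choices; the function names are made up for this sketch. The same linearity that makes the sequence repeatable makes it predictable, so an LFSR on its own is a test-pattern source, not a key source.

```python
def lfsr_step(state: int, taps: tuple, n: int) -> int:
    """Advance an n-bit Fibonacci LFSR by one shift.

    taps are 1-indexed polynomial exponents, e.g. (4, 3) for x^4 + x^3 + 1.
    """
    feedback = 0
    for t in taps:
        feedback ^= (state >> (n - t)) & 1
    return (state >> 1) | (feedback << (n - 1))

def lfsr_sequence(seed: int, taps: tuple, n: int, count: int) -> list:
    """First `count` states starting from `seed` (the seed itself included)."""
    states, state = [], seed
    for _ in range(count):
        states.append(state)
        state = lfsr_step(state, taps, n)
    return states

def lfsr_period(seed: int, taps: tuple, n: int) -> int:
    """Number of shifts before the register returns to `seed`."""
    state, steps = lfsr_step(seed, taps, n), 1
    while state != seed:
        state = lfsr_step(state, taps, n)
        steps += 1
    return steps

if __name__ == "__main__":
    print("x^4+x^3+1 period:", lfsr_period(1, (4, 3), 4))        # maximal length
    print("x^4+x^2+1 period:", lfsr_period(1, (4, 2), 4))        # not maximal
    print("all-zero state stays at:", lfsr_step(0, (4, 3), 4))   # lock-up
    print("reseed at 9:", lfsr_sequence(9, (4, 3), 4, 5))        # same every run
```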

May as well bring up the best Amazon book review ever.

This is why I love Amazon reviews. I almost wasted my money on that thing.

[Hijack]

Which reminds me of a list I once saw of unlikely titles for math books. The only two I remember were:

  • One million random numbers, in numerical order
  • A short list of odd perfect numbers

P.S. I also once saw a list in Reader’s Digest of unlikely book titles. The one I liked was:

  • New hope for the dead

[/Hijack]

Dig it.

For all practical intents and purposes, there is no difference. It’s more of a philosophical thing that nerds like to talk about.

Since when are cryptography, computer animation, video games, and all the other examples posted in this thread not practical applications?

As I wrote above, the distinction is critical for almost all of experimental computational science. If the random number generators were all true random it would make the science much harder to do and significantly impact upon its practicality. There are a lot of subtleties involved that impact on practicality. So much so that the use of PRNG versus true stochastic has a clear technical divide built from the needs of the application. When you know enough about the nature of the problem the need for one versus the other is black and white, one will do, the other will not.

OK, OK, most practical intents and purposes.

No public key cryptography = no ecommerce. What’s impractical about that?

Hey! My grandma depends on PRN every time her cool swirly screen saver switches on! :wink:

There are numerous examples of security flaws caused by using a poorly seeded PRNG rather than a true source of entropy. Many don’t involve cryptography. This one springs to mind as a memorable example.

I’d expect any competent developer to understand the difference and know how to choose which one to use. It’s very much a practical thing, not academic or philosophical.

If you’re a programmer, it’s worth noting that most systems have a simple PRNG used for things like Freecell (to use an above example), and a much “more random” one to use for Cryptography.

In .NET, that’s System.Random for the former, and System.Security.Cryptography.RNGCryptoServiceProvider for the latter.

And the reason you have two different ones is that your entropy pool is a valuable resource, one that you don’t want to just waste on something trivial like a game.