0

I heard today that the random function from C is not a good way to generate a random number. Someone told me that it is possible to anticipate the generated value.

I ask because I heard a few interesting things:

  1. I heard that the number is generated based on the CPU's clock
  2. If the first one is true, then is it possible to anticipate the random value?
  3. How does the rand function work and why is it not good?
  4. Do random functions from other programming languages nested from C/C++ have the same issues?

Basically, if you have the input parameters you will obtain the same result. I also heard something that the rand function from C does not return a random value, but a pseudo-random value. What does this mean?

Mathias Müller
  • 22,203
  • 13
  • 58
  • 75
tzortzik
  • 4,993
  • 9
  • 57
  • 88
  • 5
    `rand` is not based on the CPU's clock. – Oliver Charlesworth Feb 02 '14 at 14:04
  • 1
    Also, did you do any research before you posted this? e.g. read https://en.wikipedia.org/wiki/Pseudorandom? – Oliver Charlesworth Feb 02 '14 at 14:05
  • 1
    In C++ (C++11 precisely) you can use `std::random_device`, which relies on the OS entropy pool to produce strong (i.e. "not that predictable") random numbers. But, unless you have a physical source of entropy (i.e. "randomness") attached to your PC, the "random" numbers you get are always the result of a calculation that can be reproduced, thus the "pseudorandom" name. This calculation could be extremely hard or even physically unfeasible to reproduce, but it is not "random" in the true sense of the word. – Stefano Sanfilippo Feb 02 '14 at 14:07
  • Unfortunate that this answer is closed as a duplicate of a 2010 question given OP's "functions from other programming languages ...have the same issues " question. C++11 has advanced this issue and has no representation in the "duplicate" post. – chux - Reinstate Monica Feb 02 '14 at 19:00

1 Answers1

0

Random is not based on the cpu clock, but the seed used can be based on the current time for example.

How it works

As anything that happens in a computer, the result of a calculation is deterministic and cannot be really random. Basically, the random function remembers the latest returned value, and calculates the new one starting from the old one, for example:

X(i) = (a*X(i-1) + b)mod(n)   where a, b and n are constants

so a (pseudo)random function actually returns a predictable sequence of numbers based on the first value. In C you can specify the first value (seed) with srand():

srand(time(NULL));

For example in this way you initialize the seed to the current number of seconds. But if you know the starting value, again the sequence is predictable.

Problems

This is not good for numerous reasons, mainly related to security: for example, if you have a web session identified by a random number given from the server to the user at login, and an attacker is able to predict it, this can be used to impersonate the real user.

Usually is the same with the other programming languages. The only way to get better random numbers, is to rely also on inputs given by the user, such as mouse movements, key press and so on. This gives more unpredictability to the generated value, and this is how OS number generators such as /dev/random work.

fede1024
  • 3,099
  • 18
  • 23