7/23/2024

Is Complete Randomness Even Possible?




There are also many more mundane inputs for random number generators. It's possible to use the movement of a mouse cursor on a computer screen, the time delay between key presses on a keyboard, or the noise of traffic on a computer network, for instance. "We're pretty confident that that is secure," says Steven Murdoch, a professor of security engineering at University College London, referring to the latter. Murdoch is the creator of the Tor browser, which enables secure internet browsing via multiple layers of encryption.

Murdoch argues that we know enough to generate suitably random numbers but that there often isn't enough verification to ensure that a supposedly random output really is unpredictable. "The thing that I'd like to see more of is careful design and testing," he says.

But that's the really tricky part.

"You can't tell if something is random – you can only catch it out as non-random," explains Darren Hurley-Smith, an information security lecturer at Royal Holloway, University of London. Researchers have ways of identifying non-random number generators, such as statistical analyses that look for sequences where one number comes up more than it would if said sequence were truly random – too many threes, for instance. This isn't enough, though. What if your sequence is "123123123123123"? In that case, Hurley-Smith points out, you have lots of threes but they're no more frequently represented than one or two. However, there's a super obvious pattern to the sequence, an underlying structure, that gives it away as non-random.

For really big sets of numbers, statistical tests for randomness get very complicated and yet you can never prove that something is truly random, only that it is indistinguishable from random, based on your best analysis.

The consequences of getting randomness wrong, however, are serious.

When random number generators don't do their jobs properly, you can expect that malicious people might try to exploit them. In 2017, Wired reported on the case of a Russian hacker who allegedly got people to film the activity of slot machines at casinos. Based on the results of each play, he was able to predict the workings of the machines' internal random number generators and, therefore, determine when they would next pay out.

And about a decade ago, security researchers at the University of Cambridge, including Murdoch, famously realised that scammers were able to steal money from people by predicting the supposedly random numbers generated inside chip-and-pin cards. Such numbers are required to authenticate a transaction when you pay for something in a shop. But it turned out that it was possible to predict upcoming numbers and thus impersonate someone's debit card in order to spend their money without their authorisation. Such scams are still likely being perpetrated today, according to one of the researchers who discovered this flaw.

Even if you account for bad engineering, most of the random number generators mentioned above could still be a little more robust. The sources of randomness they depend on are, at best, just random to us. If we somehow knew every intricacy of the Universe, and could model it perfectly, we would likely be able to predict the detailed hubbub of atmospheric noise, or the pattern of raindrops falling on glass.

As such, some people argue that the best kind of random number generator is a quantum random number generator – that is, one that relies on quantum mechanical effects. These are, as far as we can tell, are as random as it gets. The weird behaviour, or entropy, of subatomic particles, including the timing of a single radioactive atom's decay, for example, are completely unpredictable. There's some discussion at to whether true randomness really exists anywhere but we can leave that to the theoretical physicists.

For practical purposes, things like the timing of photons – tiny particles of light – arriving at a detector is something that has been considered truly random and suitable as a basis for generating random numbers. Another approach involves counting photons emitted by a laser pulse, which in a special experimental setup will yield a randomly odd or even number of photons. By doing this again and again, you can generate a string of random bits and use that to churn out random numbers.

In principle, quantum random number generators are "intrinsically unpredictable", says Zhanet Zaharieva, co-founder of UK-based firm Quantum Dice, which is developing its own quantum-random-number-generating technology. And yet even some of these newer systems are susceptible to flaws that can bias their outputs. "What you end up having is a system that is a mixture of quantum entropy […] and classical noise," says Zaharieva.

Hurley-Smith notes, for instance, that some quantum random number generators rely on equipment that might make them less random over time. "If a photon hits the sensor, it will ever so slightly warm it up, possibly making it more or less sensitive to future strikes," he explains. In other words, you have a truly random phenomenon – but you'll end up skewing your detection of it one way or another, reducing the randomness of the output.

With the development of quantum technology, we can expect to see even more inventive and, hopefully, reliable random number generators in the future.

In the meantime, there's always random.org. Sometimes people write to Mads Haahr, complaining that they have spotted what looks like a predictable sequence of numbers in the site's output. That's really just because humans are very bad at recognising randomness, he says. We seem predisposed to see patterns in everything. Haahr enjoys taking the time to reply and explain these concepts in more detail.

He might not have set out to create a resource like random.org originally, but over time Haahr realised it was something he wanted to do. Perhaps, he suggests, it's because he is originally from Denmark – regularly ranked among the least corrupt countries in the world. Now, people use his website in order to convince their users, participants or audiences that they are tossing a fair coin. That whatever game or process they're running is an honest and just one – at least within the boundaries of randomness.

There would be, it must be noted, a rather large incentive for Haahr and his colleagues who collaborate on random.org to manipulate the output of the website if it allowed them to rig the result of a lottery draw, for example. They would never do that, Haahr insists, as it's against everything they stand for. But it's a fair question because, as he freely admits, it is possible.

When the chips are down, no matter how exquisite a random number generator is in principle, you still have to trust that the person running it hasn't lost their scruples.

“Always, I guess, some trust is necessary somewhere in the process,” says Haahr. “You have to believe that.”

- Author: Chris Baraniuk, BBC

0 comments:

Post a Comment

Grace A Comment!