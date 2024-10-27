Bit by Bit is a weekly column focusing on technical advances each and every week across multiple spaces. My name is Adam Conway, and I've been covering tech and following the cutting-edge for a decade. If there's something you're interested in and would like to see covered, you can reach out to me at adam@xda-developers.com.

When you think of randomness, you might picture the roll of a dice or the shuffle of a deck of cards—true, unpredictable outcomes that no one can foresee. However, as a developer, there have been a lot of times when I've needed to make use of randomness. It may come as a surprise that despite the power our computers have, they can't achieve true randomness. In fact, they rely on complex mathematical algorithms to simulate randomness, creating what’s known as pseudo-randomness.

Why can computers not be truly random?

It's all about deterministic machines

Computers, by design, are deterministic machines. Every operation they perform follows a set of specific instructions, leading to predictable and reproducible outcomes. This predictability, while essential for reliability and consistency, is also what makes true randomness difficult for computers to achieve. Essentially, randomness implies a lack of pattern or predictability, yet computers are structured around executing logical and precise algorithms that leave little room for unpredictability.

The algorithms that computers use for randomness are known as pseudo-random number generators. These are based on initial input values, or “seeds," and if you've ever played a game like Minecraft, you've heard of seeds. Given the same seed, a pseudo-random number generator will always produce the exact same sequence of numbers. For applications where predictability could be an issue, like in cryptography, even a small amount of predictability can be risky. They simulate randomness well enough for everyday applications, but true randomness is often necessary in fields requiring high security, where the stakes are far greater.

To approximate randomness, computers sometimes incorporate external “noisy” sources—like thermal fluctuations or electronic noise in circuits—that are influenced by the physical world and therefore are less predictable. This combines hardware-derived entropy with algorithms, basically using the real world as a seed. However, those sources of randomness can still not be random enough, and can sometimes require post-processing and other changes to make them as random as possible.

How randomness is calculated despite the limitations

From games to security, how is it done?

There are a few ways to do randomness when it comes to computers, and the most basic one is a linear congruential generator, or LCG. For example, Pokémon Stadium, Pokémon Stadium 2, the Generation III and Generation IV core series games, and Pokémon Colosseum use a 32-bit linear congruential generator. This formula makes it so that, over time, the sequence will repeat if the seed and constants are the same. This isn't good for security, but works completely fine for simple applications like games.

In Generation V, Pokemon also uses a Mersenne Twister, capable of generating longer sequences with better statistical randomness. It works by storing an array of numbers that are repeatedly shifted and combined to produce new values in the sequence. It still works for simpler contexts, but when it comes to security and cryptographic uses, we use a cryptographically secure pseudo-random number generator, which use significantly more complex algorithms to produce an output.

To introduce a stronger layer of unpredictability, these cryptographically secure generators often draw on real-world, unpredictable data, and this is what we call entropy. Entropy can come from sources like mouse movements, keyboard timings, or specialized hardware devices that capture electronic noise. This entropy is then combined with the algorithm's output to make it less predictable, achieving what’s known as a true random number generator. However, true randomness is challenging to capture, even with entropy-based methods, as they still require processing to ensure quality and consistency.

If you've ever generated an RSA key on your computer in a program like PuttyGen, it may have asked you to move your mouse around to generate it. This generates entropy that it can then use to produce the public and private key pair in a secure way.

All of this is to say that if you game regularly, chances are, the "random" events that you're facing aren't truly random, rather that they are simply just perceivably random. This poses a challenge to developers who need random outputs, and the solution is to create algorithms that make it seem that way. You could never tell the difference, but if you want to manipulate something "random," this is why it's possible!