## DEV Community

Jackson Goodman(he/him)

Posted on

# When Random Numbers Are Not Random

"And then we can have it spit out something random!"
I think every brainstorming session I've had has thrown that idea out. Both in the company of my code collaborators or the solitude of a personal project, the utility of random number is super handy. Random numbers are essential in forms of cryptography and eliminating as much bias as possible.

But how do we know a random number is random? Aren't machines programmed to do specific instructions, so isn't that mean that no number is random? If computers only follow instructions, can they really guess?
This video goes into the main ideas of how computers choose randomness.

Computers use a trick when they are told to select a random number. They grow randomness a "seed"- a number taken from an unpredictable source.

A common place to generate a seed from is using time or CPU clocks.

That seed then needs to grow- and computers grow the seed by running it through an algorithm.

Here's an example method called "middle squares", credited to John Von Neumann.

• A Seed Is Established

Example:

`seed = 173`

• Seed Is Multiplied By Itself

Calculation:

`seed*seed = result`

Example:

`173*173 = 29929`

• Output The Middle Of The Result Example:

`output = 992`

• Multiply The Result By The Result Repeated Calculation:

`result*result = newResult`

Example:

`29929*29929 = 895745041`

• Output The Middle Of The New Result Example:

`output = 992745`

• Repeat Each Calculation With Each New Result Example:

`output = 992745847...`

This is or a variation on these principles dictate how most random numbers are generated. But is this cryptographically sound?

Recently I was at a talk featuring The First Prototype's founder, Saamer Mansoor, who lead such an enthusiastic and interesting lecture on the subject of randomness and finding cryptographically secure RNG.

Trends in the forefront of the wider world focus in on data leaks, institutional skepticism, and ransomware.

Luckily there are thousands of Developers, Scientific Laboratories, Security Agencies, and NGOs working tirelessly to develop safe and sustainable means of encryption, together.

There are good things about unsecure RNG. A friend of mine once shared how a company under a ransomware attack were able to generate a key to unlock their hijacked data- the hackers had generated a random number to create the key, but because it was based off of a CPU clock, the company was able to recreate the seed and regain control of their data.

Most of this is not super important or pertinent to junior developers, but it's always good to cover what's going on in the world.

As junior developers, it's always good to go over your numbers.