Embed Size (px)
Citation preview
WW
W.G
AR
RO
NLO
TTER
Y.C
OM
S C I E N C E N E W S3 6 2 D E C E M B E R 4 , 2 0 0 4 V O L . 1 6 6
TAKE A CHANCEScientists put randomness to work
BY ERICA KLARREICH
Since the dawn of written history, people haveexploited the randomness of a roll of a die toinject their games with the thrill of the unpre-dictable. Today, randomness is finding myriadother uses, such as encrypting credit card num-
bers in Internet transactions, deciding how to allocatetreatments in drug trials, choosing precincts to call innational polls, running online gambling sites, and help- ing physicists simulate phenomena ranging from the weather totraffic patterns. These applications, however, require many morerandom numbers than can be obtained from rolling a die. A busycommercial Web site, for example, uses hundreds of thousandsof random numbers every minute to mask its users’ credit cardnumbers. And in the research world, computer simulations eatup millions of random numbers in a matter of seconds. To accom-modate these needs, researchers arecreating a precise science out of some-thing at which toddlers excel: makingchaos at breakneck speed.
Randomness is a slippery concept,easier to talk about than to define.Scientists instead tend to say what itisn’t. A random number is one thatcan’t be predicted.
Knowing some of the randomnumbers in a list doesn’t make it eas-ier to figure out the others. Over thepast few decades, computer scientistshave designed computer algorithmsthat produce a good approximationof true randomness. These algorithmschurn out long sequences of pseudo-random numbers, which are scatteredabout the number line in roughly thesame distribution as random num-bers are. These pseudorandom num-bers are unpredictable enough formany, but not all, purposes.
Now, physicists and computer sci-entists are figuring out ways to pulltrue randomness out of the physical world. One Web site, forinstance, generates random numbers from the noise of a radiotuned between stations. And a commercial device put on the mar-ket last March harnesses nature’s ultimate source of randomness:quantum physics, which Albert Einstein famously described asGod playing dice.
APPROXIMATELY RANDOM Although computers are expertat spewing out numbers, a computer program can’t by itself pro-duce random ones. Computers are engineered to behave deter-
ministically, obeying the will of their users. “If a computer doessomething unpredictable, then we call it broken,” says LandonNoll, a cryptographer at the computer security firm SystemEx-perts in Sudbury, Mass.
However, computer scientists have figured out how to producecomputer-generated sequences of numbers that are virtually indis-tinguishable from random numbers. To get a sense of how thesealgorithms operate, consider the following highly simplified ver-sion of a pseudorandom-number algorithm.
First, it’s necessary to choose a starting number between 0 and12, called the seed—say, the number 4. After that initial choice, thealgorithm produces each new pseudorandom number by multi-plying the preceding number by 17, dividing the result by 13, andtaking the remainder.
This particular algorithm is a far cry from randomness, since itquickly falls into a pattern. The first few numbers in the sequenceare 3, 12, 10, 1, and then 4, which brings us back to where westarted. After that, the sequence simply repeats itself indefinitely.
All pseudorandom-number gener-ators eventually fall into a repeatingpattern. However, an algorithm thatproduces an extremely long patternbefore repeating can be unpredictableenough to suit many purposes. Math-ematicians have constructed effectivepseudorandom-number generatorssimilar to the above algorithm byusing larger numbers than 17 and 13and more-complicated procedures forgenerating the next number in thesequence. One widely used pseudo-random number generator alongthese lines is the Mersenne Twister,designed in 1997, which produces asequence of 219,937–1 numbers beforerepeating.
Pseudorandom-number generatorsare key to computer simulations ofcomplicated physical systems. Forexample, to search for the characteris-tic shape into which a protein mole-cule will fold, researchers start withone possible shape and then make
small, random changes in it, checking the stability of each newshape. Whenever the shape has gotten more stable, they replacethe old one with the new. Then they repeat the same process, some-times thousands of times.
Similar processes are used to simulate a wide range of phenom-ena, including weather, traffic flow, stock market swings, and radi-ation therapy for cancer.
A large simulation can swallow up tens of billions of randomnumbers. As a result, researchers put a high premium on the effi-ciency of the pseudorandom-number generator they use. The
LUCKY NUMBERS — Chaotic systems such as lottery balls bouncing about make good sources ofunpredictability.
EK bob 12/1/04 2:37 PM Page 362
C.P
ICK
OV
ER
W W W. S C I E N C E N E W S. O R G D E C E M B E R 4 , 2 0 0 4 V O L . 1 6 6 3 6 3
Mersenne Twister, which is one of the fastest pseudorandom-num-ber generators around, is a popular choice.
Other pseudorandom-number generators are also widelyused, including some that have serious flaws, says David Wag-ner, a computer scientist at the University of California, Berke-ley. For example, many computers come equipped with a ran-dom-number generator that alternates between odd and evennumbers. A truly random sequence would never have such aregular structure.
A faulty random-number generator can wreck a scientific proj-ect. In one famous case in 1992, physicists realized that a com-puter simulation of atomic spins was giving completely wronganswers, even though the pseudorandom-number generator theywere using had passed a stringent set of statistical tests (SN:12/19&26/92, p. 422). Subtle correlations between the num-bers the algorithm produced were being amplified by the simu-lation’s calculations and skewing the results.
Fortunately, scientists are becoming more aware of the risks ofusing a pseudorandom numbergenerator, even though theymight not understand its work-ings, says Thomas Lumley, astatistician at the University ofWashington in Seattle. “I thinkmost people doing large simula-tions are educated now,” he says.
KEEPING A SECRET Whilethe Mersenne Twister does agood job of imitating random-ness, mathematicians proposethat certain other algorithms,while slower, are closer to truerandomness. They are calledcryptographically strong algo-rithms, and their output passes every statistical test that can be per-formed in a feasible amount of computer time to distinguish ran-dom numbers from numbers that fall into a pattern.
“If you used a cryptographically strong algorithm to shuffle decksof cards on an online gambling site, then even after I played hun-dreds of poker hands, I wouldn’t be able to predict anything at allabout the next hand,” says Wagner.
These random-number generators are the algorithms of choice forapplications such as encrypting credit card numbers in Internettransactions, for which unpredictability is of paramount importance.
“Even a hacker who is very smart and is willing to mount a brute-force attack shouldn’t be able to predict anything about what ran-dom numbers you’re generating,” Wagner says.
Cryptographically strong algorithms, however, share an Achilles’heel with the other pseudorandom number generators. They allrequire the user to input a starting seed number. If hackers findout the secret seed, they can generate the entire output sequenceinstantly by using the same algorithm.
That’s precisely what occurred in 1995, when Wagner, then agraduate student at Berkeley, and his fellow student Ian Goldbergcracked the random-number generator used by the Netscape webbrowser to secure online transactions. The pair figured out thatNetscape was constructing its seeds using easily predicted num-bers, such as the time of day. Luckily for Netscape, the two studentshad no criminal intent. They simply publicized the browser’s vul-nerability, which Netscape quickly corrected.
In recent years, Wagner says, “there have been several otherinstances of widely deployed systems that have been vulnerable toattack because insufficient attention was paid to generating high-quality randomness.”
To evade hackers, it’s best to choose the seed randomly. How-ever, this creates a chicken-and-egg problem. To generate the ran-dom seed using a computer, it’s necessary to run a pseudorandom-
number generator, which in turn must be started off using a ran-dom seed. At some point, there must be a first seed, which a hackercould discover.
HARNESSING CHAOS Researchers are now making an endrun around this vicious cycle by finding ways to import randomnumbers from the world outside the computer. These numberscan then be used either as the seeds for computer algorithms oras random numbers in their own right.
Some of the simpler versions extract randomness out of humanactions such as the motion of a computer mouse, say, or the timebetween keystrokes. Others, in a quest for super fast random-num-ber generation, are turning to more-exotic sources of randomness.
Most of these exploit chaotic physical systems, for which tinychanges in the starting conditions propagate into dramatic swingsin the large-scale behavior of the system. Chaotic systems—suchas lottery balls jumping about in a box—are not strictly speakingrandom, but they generally include elements that are effectively
impossible to predict.One of the first of these phys-
ical random-number generators,called Random.org, uses a radioto pull random numbers out ofthe atmospheric noise generatedby weather systems.
“When we built this in 1997,we bought the cheapest radio wecould find,” says Mads Haahr, ofTrinity College, Dublin, who runsRandom.org. “The guy in theshop thought we were crazybecause we made him take it outof the box and put in batteries sowe could listen to the noisebetween stations.”
Haahr’s Web site (www.random.org) can generate up to 3,000random numbers per second. Over the last 6 years, it has dishedout more than 61 billion random numbers for free to an eclecticarray of users. These include archaeologists choosing which quad-rants of a large area to survey; a choreographer selecting the order,timing, and placement of dance steps; online card-playing sitesshuffling their virtual decks; the U.S. Environmental ProtectionAgency determining which companies to include in a randomaudit of hazardous-material use; and a locksmith deciding howdeeply to cut the notches on keys.
Another early random-number generator extracted random-ness from a very retro source: lava lamps, whose illuminatedblobs move unpredictably. In the lavarand project, created byNoll and colleagues in 1996, digital cameras trained on six lavalamps fed images into a computer, which converted the picturesinto numbers (SN: 8/9/97, p. 92).
The lavarand apparatus is impractical, Noll readily acknowl-edges. It was intended, he says, mainly as a whimsical proof thatit’s possible to generate high-quality random numbers from aphysical source.
While analyzing lavarand’s workings, the researchers found totheir surprise that most of the noise and unpredictability was com-ing not from the lava lamps but from the digital cameras. Theteam’s latest version of lava lamp randomness, called LavaRnd,ironically does away with the lava lamps. It’s simply a webcamrunning with its lens cap on. LavaRnd produces 200,000 randomnumbers per second, more than enough for many cryptographyand simulation applications.
One of the tricks in designing physical random-number genera-tors such as Random.org or LavaRnd is to erase any bias in the num-bers. In a truly random stream of numbers, each combination ofdigits should appear as often as any other combination. However,in numbers generated from the physical world, this is rarely the case.
VISUALIZING RANDOMNESS — Evenly distributed points inspace, depicting numbers, came from a good pseudorandom-numbergenerator (left), but the tendril patterns (right) are far from random.
EK bob 12/1/04 2:38 PM Page 363
S C I E N C E N E W S3 6 4 D E C E M B E R 4 , 2 0 0 4 V O L . 1 6 6
Even a coin toss, the seeming epitome of ran-domness, is subtly biased. Earlier this year,mathematicians proved that a tossed coin isslightly more likely to land on the face itstarted out on than on the opposite face (SN:2/28/04, p. 131).
Over the decades, computer scientistshave worked out computer algorithms totackle this problem. In 1951, mathematicianJohn von Neumann came up with a simplealgorithm that works on sequences of bits.
To balance a sequence between 0s and 1s, von Neumann’s algo-rithm groups the bits into pairs, then discards any pair in which thetwo bits are the same. If the two bits are different, the algorithmreplaces the pair with the first bit—so, for instance, 01 would beshortened to 0. The result is a new sequence that preserves all theunpredictability of the original sequence but in which 0s and 1sappear with roughly the same frequency.
Von Neumann’s procedure throws away about 75 percent of theoriginal sequence. Computer scientists have more recently comeup with less-profligate algorithms, such as one that Noll and hiscolleagues designed for LavaRnd, called the Digital Blender.
“The Blender takes the original structure and chops it up andsqueezes it down into a random mash of data,” Noll says.
QUANTUM RANDOMNESS Although chaotic systems aregood sources of unpredictability, they are deterministic, at least inprinciple. Given a precise knowledge of the physical parametersof a given weather system, for instance, it should be possible to fig-ure out exactly what the system is going to do.
By contrast, quantum physics—the science of subatomic par-ticles—is intrinsically random. According to its laws, it’s impos-sible to know for sure what a quantum system will do. Researchersare now building random number generators that exploit thisunpredictability.
One such system called HotBits, created by John Walker of Four-milab in Switzerland, generates random numbers by timingradioactive decays of Krypton-85 atoms detected by a Geigercounter. These decays happen at random intervals, quantummechanics dictates. HotBits produces a modest 30 random num-bers per second, not enough for the most number-hungry appli-cations. However, another Swiss team has just produced a quan-tum random-number generator that produces 4 million randombits per second. Unlike Random.org, LavaRnd, and HotBits, thisrandom-number generator is a commercial venture.
The new device, a matchbox-size module that can be mountedon a computer’s circuit board, is produced by id Quantique inGeneva. It operates by beaming photons of light at a semitrans-parent mirror. According to quantum theory, each photon has a50 percent chance of passing through the mirror and the samechance of being reflected, making the device a quantum idealiza-tion of a coin toss. The device’s creators predict that its simplic-ity will appeal to potential users. Any machine has the potentialto break, and if a physical random-number generator is compli-cated, it can be hard to tell whether it is in good working order.
“You can never definitively test that random-numbers are reallyrandom,” says Gregoire Ribordy, id Quantique’s CEO. “But thisgenerator is so simple that it’s easy to test whether it is workingproperly just by testing the components.”
Some physicists argue that quantum systems are more purelyrandom than chaotic systems are. Yet in the final analysis, quan-tum physics and chaos are probably equally good sources of ran-domness for all practical purposes, Haahr says.
To actually predict the behavior of a chaotic system like theweather, for example, “you would probably need knowledge of theposition and velocity of every single molecule in the planet’s weathersystems, which is of course infeasible,” he observes. “It’s hard enoughto predict the weather for the next couple of days.”
Unlikechaos,quantumphysics isintrinsicallyrandom
EK bob 12/1/04 2:38 PM Page 364
