0

Using srand(time(NULL)) seems overly deterministic. For example, when I run std::cout << rand() % 9000 I get 4275. When I run it again, I get 4311. It's too based on time.

Coffee Maker
  • 1,543
  • 1
  • 16
  • 29
  • That was just by chance they were that close to each other. It happens when your number is random. – Martin Konecny Jun 02 '14 at 17:22
  • Also, since you asked for C++, you might want to consider using [the new random number library](http://en.cppreference.com/w/cpp/numeric/random). – Csq Jun 02 '14 at 17:22
  • While your example is not sufficient evidence for a problem, I wouldn't use `rand`. If you use a PRNG that doesn't suck, it'll output completely different sequences even if the input is very similar. Even with perfect seeds, `rand` has horrible flaws, including the insufficient seed and state size. – CodesInChaos Jun 02 '14 at 17:23
  • @Csq it's amazing how many answers to that question don't attempt to answer the actual question. I think this one is specific enough to be considered different. – Mark Ransom Jun 02 '14 at 17:24
  • 1
    You think that is deterministic? I challenge you to guess the next number. – abelenky Jun 02 '14 at 17:24
  • @MarkRansom " it's amazing how many answers to that question don't attempt to answer the actual question" - yes. Even though I like the `srand((time.tv_sec * 1000) + (time.tv_usec / 1000))` in the accepted answer. – Csq Jun 02 '14 at 17:26
  • 1
    @MartinKonecny, it's not chance, I've run into the same problem myself with Microsoft's implementation of `rand`. The formula used shows a definite correlation between the seed and the first value produced. – Mark Ransom Jun 02 '14 at 17:30
  • 1
    For generating the high-entropy seed value itself, the proper thing to use is the [`std::random_device`](http://en.cppreference.com/w/cpp/numeric/random/random_device) class, as part of the new `` library. For older compilers (pre-C++11), you can use [TR1 random library](http://www.johndcook.com/cpp_TR1_random.html), or [Boost.Random](http://www.boost.org/doc/libs/1_55_0/doc/html/boost_random.html), which are nearly the same. Otherwise, you can also read from [`/dev/random` or `/dev/urandom`](http://en.wikipedia.org/?title=/dev/random) or the non-Unix equivalent (?). – Mikael Persson Jun 02 '14 at 17:41

3 Answers3

1

If you use C++ I'd recommend using <random> from the standard library. It is much more reliable than rand()

vsoftco
  • 55,410
  • 12
  • 139
  • 252
  • +1 And if you're using an older compiler, `` was added as part of TR1, so it's also available under `` as `std::tr1::mt19937` etc. – Praetorian Jun 02 '14 at 17:31
1

The problem with your approach is that you are just taking two samples, and assuming it is representative of the overall population (ie: statistical fallacy based on insignificant sample size). The rand() function returns values that effectively form a uniform distribution on [0, RAND_MAX]. The example you provided isn't a very good one.

Second, calling srand(time(NULL)) is a decent approach in general on most modern machines. The only time where it poses a significant security risk is when running on a single-core embedded chip that doesn't have a battery backup for the system clock. I've worked with some Motorola boards that do this, and about 90% of the time, when our program loaded up, we ended up getting the same random seed value. I believe some Bingo machines in the 80's were vulnerable to this since they were designed to be left running 24/7, but the operators were shutting them down every night.

Finally, rand() is half-decent at best. If you want a random number generator that has better properties (ie: "close" seed values not providing a similar pattern, a wider range of output values, minimal bias), consider going with an external RNG algorithm.

References

  1. Recommended way to initialize srand?, Accessed 2014-06-02, <https://stackoverflow.com/questions/322938/recommended-way-to-initialize-srand>
  2. What difference between rand() and random() functions?, Accessed 2014-06-02, <https://stackoverflow.com/questions/18726102/what-difference-between-rand-and-random-functions>
  3. What alternatives are there to the C library's rand() and srand()?, Accessed 2014-06-02, <http://benpfaff.org/writings/clc/random.html>
Community
  • 1
  • 1
Cloud
  • 18,753
  • 15
  • 79
  • 153
0

If for some reason you're stuck using rand(), try draining a couple of values from it after calling srand. The correlation is greatest on the first call to rand and decreases from that point on.

  srand(time(NULL));
  rand();
  rand();

You can also seed it using a value from /dev/random or /dev/urandom (or a Windows equivalent.

Community
  • 1
  • 1
Mark Ransom
  • 299,747
  • 42
  • 398
  • 622