0

I wonder how the PHP rand() function works. I mean, how does this function randomise numbers without any rule or any other randomization function?

For example, I have an array like this:

```php
$numbers = array(0,1,2,3,4,5,6,7,8,9);
```

So how can I randomise these numbers without rand(), array_rand(), etc.?

The basic question is:

How do randomization functions work?

pheaselegen
  • Possible duplicate of [What is the best algorithm to shuffle cards?](https://stackoverflow.com/questions/40057647/what-is-the-best-algorithm-to-shuffle-cards) – iainn May 10 '18 at 15:52
  • You should read the Wikipedia's article: [Pseudorandom number generator](https://en.wikipedia.org/wiki/Pseudorandom_number_generator) – klenium May 10 '18 at 15:53
  • As said in a manual: "`rand` — Generate a random value via the Mersenne Twister Random Number Generator" – u_mulder May 10 '18 at 15:54
  • Your two questions contradict each other... Who says that the PHP implementation of the `rand()` function does not use the underlying OS feature, so another function? And what does that have to do with the question how to generate random numbers _without_ using that function? – arkascha May 10 '18 at 15:54
  • If you're gonna RYO you may as well do it properly and make it truly random by using a natural source of entropy; solar radiation maybe, or white noise on a dead radio frequency (which I think random.org uses)... or even a lava lamp has been done. :) – CD001 May 10 '18 at 16:00
  • https://github.com/php/php-src/blob/master/ext/standard/mt_rand.c – AbraCadaver May 10 '18 at 16:02
  • @CD001 And why should white noise be guaranteed to be a good or even valid random source? And a lava lamp likewise? – arkascha May 10 '18 at 16:03
  • @arkascha - neither are deterministic, or at least the physics of the blobs in a lava lamp are complex enough that the exact pattern cannot be predicted... yes, there are better sources of entropy, but it should be sufficiently random for seed generation in any practical sense. – CD001 May 11 '18 at 08:02
  • @CD001 Sure, that is the typical explanation one would expect, but... Wouldn't it be trivial to change for example that white noise if you know the frequency? What a great attack vector ;-) (read: don't trust all the stuff you assume...) – arkascha May 11 '18 at 08:29
  • @arkascha - hmmm, so if the frequency itself isn't random, yes, you've got a point. That in itself would be a weak source of entropy (being a fixed value it couldn't be any less chaotic) then if you were to broadcast a known signal on *that* frequency... would be a novel attack vector but it would be effective... – CD001 May 11 '18 at 08:35

2 Answers

5

PHP rand(), like all pseudo-random number generators, does not generate truly random data, but instead uses some mathematical function to create seemingly random data.

The methods may vary but the basic principle is this:

We take an initial value as a 'seed', s. (This may be the current time, a user-inputted "random" value, or even true random entropy harvested from some entropy source.)

We then take s and apply a function, f, to it, producing a new value s' (s-prime). (This function is often a modulo function or hashing function.)

We can then repeat this process ad infinitum, putting s' into f producing s'', etc.

This sequence of results from f is our "random" numbers.

But, hopefully you realized, f remained the same and will always produce the same output given the same input.

So if we give it the same starting seed s, we will always get the same sequence of s',s'',s'''...

This is why we call them "pseudo" random. If you don't know the starting seed and don't observe the sequence for too long, it seems random. But if we know the function f used and the starting seed s we can predict every value rand() would produce.

Kallmanation
  • This article adds some interesting information http://cod.ifies.com/2008/05/php-rand01-on-windows-openssl-rand-on.html – Emeeus May 10 '18 at 16:09
  • How is the `f` function defined? And what affects it? – Reza S Nov 12 '19 at 21:54
  • @RezaS, there are many possible implementations. Essentially, an algorithm is selected for `f` based on mathematical proofs/experimentation so that we know our function provides a "random" enough result based on the input. (of course it is not actually random, the same input will result in the same output) The Mersenne Twister is one very popular implementation: https://en.wikipedia.org/wiki/Mersenne_Twister – Kallmanation Nov 13 '19 at 13:45
  • @Kallmanation thank you, I dug into the source code for PHP and found out the possible implementations: https://github.com/php/php-src/blob/PHP-7.0.33/ext/standard/rand.c – Reza S Nov 15 '19 at 20:51
0

Generally, it depends on the time, based on the number of milliseconds or even nanoseconds, and we can multiply the seed number by some fixed value to get a specific return, in most cases between 0 and 1. For example, considering that $\text{number}_i$ is a seed of seconds:

$$\text{number}_{i+1} = (a \cdot \text{number}_i + c) \bmod m$$

Le-Mr-Ruyk
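
The seed-and-function idea from the first answer and the linear congruential recurrence from the second, combined into a shuffle of the question's array. This is an added example, not part of either answer and not PHP's own `rand()` code. It assumes 64-bit PHP and a non-negative seed; the constants `A`, `C`, `M` and the function names are illustrative choices.

```php
<?php
// Illustrative LCG constants (the widely published "Numerical Recipes"
// values), an assumption of this example, not what PHP's rand() uses.
const A = 1664525;
const C = 1013904223;
const M = 4294967296; // 2^32; A * state stays below 2^63 on 64-bit PHP

// f: one step of the sequence, s -> s' = (a * s + c) mod m
function lcg_next(int $s): int
{
    return (A * $s + C) % M;
}

// Fisher-Yates shuffle driven only by the LCG (no rand(), shuffle(), array_rand()).
function lcg_shuffle(array $items, int $seed): array
{
    $s = $seed % M;
    for ($i = count($items) - 1; $i > 0; $i--) {
        $s = lcg_next($s);
        // Take high bits: the low bits of a power-of-two-modulus LCG repeat quickly.
        $j = ($s >> 16) % ($i + 1);
        $tmp = $items[$i];
        $items[$i] = $items[$j];
        $items[$j] = $tmp;
    }
    return $items;
}

$numbers = array(0, 1, 2, 3, 4, 5, 6, 7, 8, 9);

// The same seed gives the same "random" order on every run.
$first  = lcg_shuffle($numbers, 12345);
$second = lcg_shuffle($numbers, 12345);
echo implode(',', $first), PHP_EOL;
var_dump($first === $second);

// A different seed starts the sequence somewhere else.
echo implode(',', lcg_shuffle($numbers, 12346)), PHP_EOL;

// Predictability: this generator's output is its entire state, so anyone who
// sees one value and knows f can compute the next one without the seed.
$state = time();                        // time-based seed, as in the answers
$gen = function () use (&$state): int { // stateful generator kept "server side"
    return $state = lcg_next($state);
};
$gen();
$observed  = $gen();                    // a value that became visible to someone else
$predicted = lcg_next($observed);       // computed from the observed value alone
var_dump($predicted === $gen());        // compared with what the generator emits next
```

For anything security-relevant (tokens, passwords, session IDs), PHP's `random_int()` draws from the operating system's CSPRNG instead of a seeded formula like this one.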