Hashrocket.com / blog

Large random background header

The Adventures of Generating Random Numbers in Erlang and Elixir

posted on and written by in

Image 100x100 dorian karter

While working in Elixir I needed to generate a random number and to my surprise could not find an easy way to do so without using Erlang (at first - see below). That lead me to learning a few interesting things about random seeds, how to create secure ones and how Erlang handles random.

Erlang comes out of the box with two modules in charge of generating pseudo-random values: random and rand.

The Erlang documentation for random warns that one should use "the improved" rand instead of random for generating random numbers. Another (less official) site mentioned that random is scheduled to be removed in Erlang/OTP 20.

I wondered what the difference between rand and random was so I fired the Erlang repl (erl) and typed:

1> random:uniform().
0.4435846174457203

Then I closed and re-opened erl and ran that same command again:

1> random:uniform().
0.4435846174457203

Surprisingly we get the same answer for random. That's not very random. Turns out random uses the same seed by default for every VM instance. That's not great, to say the least.

By contrast, the new and improved rand will use a different seed each time:

Eshell V8.0.2  (abort with ^G)
1> rand:uniform().
0.6015998630734499

After restarting erl:

Eshell V8.0.2  (abort with ^G)
1> rand:uniform().
0.05250536227383032

Much better.

So that's it right?? Not so fast... The documentation for rand states that the default seed is not cryptographically strong, and suggests that we use "one of the functions in crypto" to generate a cryptographically strong seed. There are however no examples whatsoever as to how one would do that and I had to dig deep to discover what follows.

What does it mean for a seed to be safe? (a bit of a tangent)

I found an excellent explanation online by Thomas Pornin that I think explains it better than I could:

When you generate a private key, you do so with a source of randomness. If that source of randomness can output N different streams of bits, then, at most, you may get N different private key. This is where we like to talk of entropy, which is a measure of how big that N is. When the source of randomness is said to offer "100 bits of entropy", then it means that (roughly) N = 2100.

The attacker will want to obtain your private key. If he knows that you use a weak source with a low N (say, only 40 bits of entropy), then he can, on his own machine, enumerate all possible outputs from the random source and work out the corresponding private key.

For instance, suppose that you used a PRNG seeded with the current time, expressed in microseconds. This is the time as known by your machine. The attacker assumes that your machine is reasonably well set with the current time, say within 10 seconds. So, from the point of view of the attacker, the seed for your PRNG is known within a 10 seconds range; since the PRNG use the time in microseconds, that leaves him with N = 10000000 possible seeds. The attacker then says to himself: "IF that guy used as seed value x, THEN his code produced private key value Kx; let's see if that matches his public key... nope. So he did not use x. Let's try again with x+1 (and so on)."

So a weak PRNG is deadly in such situations.

How to generate cryptographically strong seeds with the new rand library

If you are still stuck in an old version of Erlang you can seed random like this: erlang seed = crypto:bytes_to_integer(crypto:strong_rand_bytes(12)). random:seed(seed).

To generate a cryptographically strong seed for the rand library we can use the following code:

<<I1:32/unsigned-integer, I2:32/unsigned-integer, I3:32/unsigned-integer>> = crypto:strong_rand_bytes(12).
rand:seed(exsplus, {I1, I2, I3}).
% then we can use rand:uniform as usual and all of our generated numbers will be based of the secure random seed
rand:uniform(1000).

Remember that there is a performance penalty for generating cryptographically secure seeds so you would want to be strategic about seeding your random number generator.

In the meantime a quickrand library has appeared which enforces proper random number seeding: https://github.com/okeuday/quickrand

How to generate a secure random string

To generate a secure random string for an authentication token you can use the following:

base64:encode(crypto:strong_rand_bytes(N)).

Where N is the number of bytes to generate.

Here is an example of generating a 20 byte string by encoding strong_rand_bytes with base64:

1> base64:encode(crypto:strong_rand_bytes(20)).
<<"XKRL5NDnnuIWo0KD9Taz4A6JSZw=">>

Using rand in Elixir

Using rand in Elixir is as easy as calling it as an atom and replacing the : operator with a . operator:

:rand.uniform()

In Elixir there is no need to terminate the statement with a ..

To generate a cryptographically strong random number in Elixir by way of interop to Erlang:

<< i1 :: unsigned-integer-32, i2 :: unsigned-integer-32, i3 :: unsigned-integer-32>> = :crypto.strong_rand_bytes(12)
:rand.seed(:exsplus, {i1, i2, i3})
:rand.uniform(1000) # generate random number from 0 - 1000

This conversion from Erlang to Elixir was not as trivial to me. Particularly the binary pattern matching to 32-bit integers. Fortunately users Ben Wilson (benwilson512) and zackehh on the Elixir Slack channel were able to help.

Enum.random

After writing this blog post I discovered a more idiomatic way of generating random numbers in Elixir using the Enum.random function. The function is described as such

                             def random(enumerable)

Returns a random element of an enumerable.

Raises Enum.EmptyError if enumerable is empty.

This function uses Erlang's :rand module to calculate the random value. Check
its documentation for setting a different random algorithm or a different seed.

The implementation is based on the reservoir sampling
(https://en.wikipedia.org/wiki/Reservoir_sampling#Relation_to_Fisher-Yates_shuffle)
algorithm. It assumes that the sample being returned can fit into memory; the
input enumerable doesn't have to, as it is traversed just once.

Examples

┃ # Although not necessary, let's seed the random algorithm
┃ iex> :rand.seed(:exsplus, {1, 2, 3})
┃ iex> Enum.random([1, 2, 3])
┃ 2
┃ iex> Enum.random([1, 2, 3])
┃ 1

What is not mentioned in this documentation is that this method can also take ranges. So say we want to generate a random number from 1 to 1,000 we could call it like so:

Enum.random(1..1_000)

Like the documentation suggests, Enum.random uses Erlang's :rand module behind the scenes, but does not seed it securely by default. If you are going to use Enum.random for cryptographic purposes and need it to be secure you should still seed it as in my examples above.

I hope you found this blog post educational and that it shed some light on random seeding concepts in Erlang and Elixir.

Posted in Elixir and tagged with Elixir, erlang, random, seed