Where do you get your random numbers?

dtwenty.org gets its random numbers from a Simtec EntropyKey, a hardware random number generator made in the UK. You can buy one from me, and if you're in the US, it's a whole lot cheaper than buying direct.

So what's all this noise about true randomness?

As with pretty much everything about number theory, the idea of a "random" number is a lot more complicated than it first appears.

Indeed, there is no such thing as a inherently random number, say, the number 4. It's not the number which is random, but the manner in which it was generated. Matthew Skaia would say that the number has "color", that it has significance assigned to it by humans, beyond what is in the number itself.[1]

There are many ways to generate random numbers, each of which have subtly different strengths, depending on just what you're going to do with them.

First of all are pseudorandom number generators, such as the Mersenne Twister. These are algorithms run on a computer that produce numbers which appear random, but are actually deterministic. This is an unavoidable side effect of running them on a computer, which goes to great, great lengths to make sure every time it adds 2 and 2 it gets 4.

Now. For almost all purposes this is perfectly sufficient. Unless your hobby is memorizing long series of numbers, you won't recognize the output of Mersenne on sight.

Unfortunately, any time a system makes the output of a random number generator predictable, they become vulnerable to a long series of interesting abuses and hacks.

So, for security applications, which might be subject to scrutiny by attackers, there are hardware random number generators, which harvest high quality random numbers from messy physical processes, rather than using the predictable algorithmic output of pseudorandom number generators. They are "truly random".

The EntropyKey uses quantum weirdness involving two transistors, while more exotic sources of randomness include radioactive isotopes, and even a camera pointed at a lavalamp.

Do I want a hardware random number generator?

Short answer: No.

Unless you're serving SSL/TLS encrypted traffic, or generating lots of cryptographic keys, in which case, yes, and buy one from me.

Long answer: There's a bit of an ethical conundrum here. Obviously, from a strict "maximizing utility" standpoint, I want you to buy as many random number generators from me as possible. Heck, from that standpoint I'd like to convince you to give me all your money, for nothing in return; but outside of a couple very specialized fields of commerce, that's not possible.

And so I'm compelled to say, that for rolling dice, you don't need a hardware random number generator. A perfectly ordinary desktop Linux machine will get plenty of high-quality entropy from mouse events, etc, to generate numbers that are more than random enough for human purposes. If you really want to, you can buy one of my HRNGs and then use Roll to produce very high quality dice rolls, but that would be spending money for unnoticeable gain.

That's for a Linux computer. Due to the way Windows implemented its random number generation system, you have to write random number-consuming software for it with the EntropyKey specifically in mind. To the best of my knowledge, this has never been done. So if you don't use a Unix-derived operating system, you can't even use the EntropyKey.

Simtec mentions FIPS-140-2 Level 3 compliance on their website?

Yeah, well, they shouldn't. The EntropyKey is not FIPS certified.

It aims for compliance, and, hypothetically, were it tested, it might possibly pass. But FIPS certification is really excitingly expensive, and neither dtwenty.org or Simtec Electronics has paid for it. Simtec is perhaps more cavalier with such language, being on the other side of an ocean from the very serious men in suits who care about such things, so it's up to me to say it: Do not use the EntropyKey for applications that require FIPS-140-2 certification.

What software does dtwenty.org run on?

I wrote a blog post about this, but here's the short version. Nginx on Debian Linux for the frontend, Bottle.py using the Flup FastCGI server (also on Debian) on the backend, and Jquery for the site itself. As you can see, I had to do very little actual programming, which is handy, since I am both incompetent and lazy.

1: ^This is actually a slight misapplication of the term. Matt originally coined it to describe the curious legal state of a certain class of very large numbers, viz, copyrighted material. You could take one three megabyte file, which happened of be an mp3 of $POPULAR_SONG, which was purchased from an authorized retailer and thus perfectly legal; and compare it to that same file downloaded from a file sharing site, which would be illegal and could send you to jail. Both files have exactly the same information, are bit-for-bit identical, but have different legal provenances, or more simply, are different colors.

Amusingly, and of particular relevance to us, you could hypothetically use a random number generator to produce that same number. This would be really stunningly unlikely, and possibly take millions of years; but the file generated by pure random luck would have yet another color still. You could probably sell it as your own personal invention, and depending on the judge, might even be able to defend a copyright claim on it. That is yet another fiendishly difficult legal problem, and it's probably to the relief of the legal profession that this stunt will never be accomplished in the real world.