How to properly seed random number generator

Question

I am trying to generate a random string in Go and here is the code I have written so far:

package main  import (     "bytes"     "fmt"     "math/rand"     "time" )  func main() {     fmt.Println(randomString(10)) }  func randomString(l int) string {     var result bytes.Buffer     var temp string     for i := 0; i < l; {         if string(randInt(65, 90)) != temp {             temp = string(randInt(65, 90))             result.WriteString(temp)             i++         }     }     return result.String() }  func randInt(min int, max int) int {     rand.Seed(time.Now().UTC().UnixNano())     return min + rand.Intn(max-min) } 

My implementation is very slow. Seeding using time brings the same random number for a certain time, so the loop iterates again and again. How can I improve my code?

Answer 1

Each time you set the same seed, you get the same sequence. So of course if you're setting the seed to the time in a fast loop, you'll probably call it with the same seed many times.

In your case, as you're calling your randInt function until you have a different value, you're waiting for the time (as returned by Nano) to change.

As for all pseudo-random libraries, you have to set the seed only once, for example when initializing your program unless you specifically need to reproduce a given sequence (which is usually only done for debugging and unit testing).

After that you simply call Intn to get the next random integer.

Move the rand.Seed(time.Now().UTC().UnixNano()) line from the randInt function to the start of the main and everything will be faster. And lose the .UTC() call since:

UnixNano returns t as a Unix time, the number of nanoseconds elapsed since January 1, 1970 UTC.

Note also that I think you can simplify your string building:

package main  import (     "fmt"     "math/rand"     "time" )  func main() {     rand.Seed(time.Now().UnixNano())     fmt.Println(randomString(10)) }  func randomString(l int) string {     bytes := make([]byte, l)     for i := 0; i < l; i++ {         bytes[i] = byte(randInt(65, 90))     }     return string(bytes) }  func randInt(min int, max int) int {     return min + rand.Intn(max-min) } 

Answer 2

I don't understand why people are seeding with a time value. This has in my experience never been a good idea. For example, while the system clock is maybe represented in nanoseconds, the system's clock precision isn't nanoseconds.

This program should not be run on the Go playground but if you run it on your machine you get a rough estimate on what type of precision you can expect. I see increments of about 1000000 ns, so 1 ms increments. That's 20 bits of entropy that are not used. All the while the high bits are mostly constant!? Roughly ~24 bits of entropy over a day which is very brute forceable (which can create vulnerabilities).

The degree that this matters to you will vary but you can avoid pitfalls of clock based seed values by simply using the crypto/rand.Read as source for your seed. It will give you that non-deterministic quality that you are probably looking for in your random numbers (even if the actual implementation itself is limited to a set of distinct and deterministic random sequences).

import (     crypto_rand "crypto/rand"     "encoding/binary"     math_rand "math/rand" )  func init() {     var b [8]byte     _, err := crypto_rand.Read(b[:])     if err != nil {         panic("cannot seed math/rand package with cryptographically secure random number generator")     }     math_rand.Seed(int64(binary.LittleEndian.Uint64(b[:]))) } 

As a side note but in relation to your question. You can create your own rand.Source using this method to avoid the cost of having locks protecting the source. The rand package utility functions are convenient but they also use locks under the hood to prevent the source from being used concurrently. If you don't need that you can avoid it by creating your own Source and use that in a non-concurrent way. Regardless, you should NOT be reseeding your random number generator between iterations, it was never designed to be used that way.

---

Edit: I used to work in ITAM/SAM and the client we built (then) used a clock based seed. After a Windows update a lot of machines in the company fleet rebooted at roughly the same time. This caused an involtery DoS attack on upstream server infrastructure because the clients was using system up time to seed randomness and these machines ended up more or less randomly picking the same time slot to report in. They were meant to smear the load over a period of an hour or so but that did not happen. Seed responsbily!