TRNG Perl script query

Question

I think that I seem to have successfully created and tested a very simple script which when run on a Windows VPS, serves as a building block for a True Random Number Generator. I am therefore wondering to myself, if it is this easy then what is the point of Pseudo Random Number Generators?

Here is the script.

#! /usr/bin/perl
use Time::HiRes qw(gettimeofday);

($seconds, $microseconds[0]) = gettimeofday;

for ($count = 1; $count <= 1000000; $count++)
  {
  }

($seconds, $microseconds[1]) = gettimeofday;

$difference = $microseconds[1] - $microseconds[0];

print "Content-type:text/html\n\n";
print "$difference";

Typical outputs:
46980
-953586
47168
67242
59319

As you can see from the above outputs, this script seems to work very well.

Would this script work as well on a dedicated server with a very fast CPU? Are timings on VPS servers particularly volatile? Would this script work as well on all Windows systems?

If I am creating an application which is critically dependent on a good quality TRNG, can anyone see any reason why it might be a mistake to depend on this script for the purpose?

Answer 1

It's not exactly clear what you mean by a "True Random Number Generator" but your code is surely not one. It is pretty clearly dependent on how long it takes for your system to run through a million iterations of a for loop, while a truly random number wouldn't have any such dependencies.

As you can see from the above outputs, this script seems to work very well.

This sentence as it stands doesn't make much sense. You have only shown 5 outputs of your generator which can presumably provide around 2 million possible outputs. There are a battery of standard tests that have been worked out to determine if RNG's work well - mainly because the testing of such RNGs is subtle and difficult - an eye test is just not sufficient. See here for example.

Here are a couple of stackoverflow questions that also give some insight, but the main takeaway is that random number testing is probably much harder than you think and "True" random number generators are not possible in software alone:

How to test randomness (case in point - Shuffling)

How to unit test a pseudo random number generator?

So, in summary, to answer your question:

If I am creating an application which is critically dependent on a good quality TRNG, can anyone see any reason why it might be a mistake to depend on this script for the purpose?

The main reason is that you have not shown it to be truly random. My guess is that if you were to run some tests on this code, you would find that certain ranges of values would show up much more frequently than others. This is enough to be considered not random, and enough to reject it.