Random Number Generators: How They Actually Work

Random numbers power more of the modern world than most people realize. Encryption that protects your bank transactions, simulations that predict weather patterns, games that shuffle decks of cards, and scientific experiments that need unbiased sampling all depend on random number generation. But computers are deterministic machines that follow instructions exactly. So how do they produce randomness?

True Random vs Pseudo-Random

There are two fundamentally different approaches to generating random numbers. True random number generators (TRNGs) harvest randomness from physical phenomena: thermal noise in electronic circuits, radioactive decay, atmospheric noise, or even the precise timing of keystrokes. These sources are genuinely unpredictable because they depend on quantum or chaotic physical processes.

Pseudo-random number generators (PRNGs) use mathematical algorithms to produce sequences that look random but are entirely deterministic. Given the same starting value (called a seed), a PRNG will produce the exact same sequence every time. The output passes statistical tests for randomness, meaning it has no detectable patterns, but it is not truly random in a philosophical sense.

How PRNGs Work

A PRNG starts with a seed value and applies a mathematical function to produce the next number in the sequence. That output then becomes the input for the next iteration. The key properties of a good PRNG are a long period (the sequence length before it repeats), uniform distribution (all values in the range are equally likely), and no discernible pattern in the output.

One of the most widely used PRNGs is the Mersenne Twister, which has a period of 2 to the power of 19937 minus 1. That number is so large that you could generate a new random number every nanosecond from the beginning of the universe until now and not exhaust the sequence. For most applications, this is more than sufficient.

The seed determines everything. If you seed a PRNG with the current time in milliseconds, the sequence will differ each time you run the program (because the time is different). But if someone knows the seed, they can reproduce the entire sequence. This is why PRNGs alone are not suitable for cryptographic applications.

Cryptographically Secure Random Numbers

Security-sensitive applications like encryption key generation, session tokens, and password salt values require cryptographically secure pseudo-random number generators (CSPRNGs). These combine a PRNG with entropy from true random sources to produce output that is computationally infeasible to predict, even if an attacker knows part of the sequence.

Operating systems maintain entropy pools that collect randomness from hardware events: mouse movements, disk seek times, network packet arrival times, and dedicated hardware random number generators. When a program requests cryptographically secure random data, the OS draws from this pool. On Linux, this is available through /dev/urandom. On Windows, it is the CryptGenRandom API.

Common Uses for Random Numbers

• Cryptography: generating encryption keys, initialization vectors, nonces, and salts that must be unpredictable
• Gaming: shuffling cards, rolling dice, generating procedural content, and determining loot drops
• Scientific simulation: Monte Carlo methods use random sampling to approximate complex mathematical problems
• Statistical sampling: selecting random subsets of a population for surveys and experiments
• Load balancing: randomly distributing requests across servers to prevent hotspots

The Limits of Randomness

Human intuition about randomness is notoriously poor. People expect random sequences to look "spread out" and are surprised when clusters appear. If you flip a fair coin 100 times, getting six heads in a row is not unusual at all, but it feels non-random to most people. This cognitive bias is why humans are bad at detecting whether a sequence is truly random and why we rely on statistical tests instead.

Another common misconception is that random means evenly distributed in small samples. Roll a fair six-sided die six times, and getting each number exactly once would actually be quite unlikely. Randomness guarantees even distribution only over very large sample sizes (the law of large numbers), not in any individual short sequence.

Whether you need a random number for a quick decision, a classroom exercise, or a programming project, understanding the mechanics behind the generation process helps you choose the right tool for the job. Simple PRNGs work fine for games and simulations, and a random number generator handles everyday needs instantly. Anything involving security demands cryptographic-grade randomness.