How Randomness Works in Computers

/* by Ayush Makwana - February 13, 2026 */

Flip a coin. Roll a die. Shuffle a deck. Now ask a CPU to do the same thing. That’s where things get interesting.

A computer is a deterministic machine. Same inputs, same state, same output. Always. So when we ask it for a “random” number, we’re really asking it to fake unpredictability. Let’s dig into how that actually works.

PRNGs (Pseudorandom Number Generators)

The short answer: for most everyday purposes, we don’t generate randomness at all. We simulate it using something called a PRNG.

A PRNG is just a mathematical function:

- Start with a number called a seed
- Apply a transformation
- Output a new number
- Repeat

If you reuse the same seed, you get the exact same sequence. Every time.

John von Neumann, one of the godfathers of modern computing, proposed one of the first PRNGs back in 1946. His idea was almost comically simple: take a number, square it, pull out the middle digits, and use that as your next number. Repeat forever.

It kind of worked. The sequences were short and sometimes collapsed into repeating loops. Von Neumann himself joked: “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.”

Over the decades, the tricks got much better. The generators used in today’s programming languages produce sequences so long they won’t repeat before the heat death of the universe. But they all share the same fundamental flaw: if you know the internal state, you can predict every future number.

So Where Does Real Randomness Come From?

If math is deterministic, the only source left is physics. A True Random Number Generator (TRNG) doesn’t use formulas. It looks for the small, unpredictable, chaotic events happening all around (and inside) your machine, and turns that chaos into numbers.

Your Computer Is Already Harvesting Chaos

Operating systems maintain something called an entropy pool.
Think of it as a bucket that collects tiny unpredictable events and mixes them together. Typical entropy sources include:

1. Keyboard and mouse timing
   Not what you type but when you type. The microsecond gaps between keystrokes vary due to muscle motion, attention shifts, even heartbeat timing.
2. Disk timing
   Seek times vary slightly due to air turbulence, vibration, temperature. Each access has jitter.
3. Network jitter
   Packet arrival times depend on routing, congestion, interference, and competing traffic.
4. Electronic thermal noise
   Every resistor and transistor produces noise from electron motion. At microscopic scales, this is unavoidable.

The Chip Inside Your Chip

Here’s something most developers don’t know: modern Intel and AMD processors have a dedicated randomness circuit built right into the silicon. On Intel, you can execute RDRAND. This instruction samples an on-chip physical noise source, conditions the signal, and returns a hardware-generated random value.

Lava Lamps and Radioactive Decay: TRNGs Get Creative

The quest for physical randomness has led to some wonderfully creative solutions.

Cloudflare’s Lava Lamps

[Image: Cloudflare lava lamp wall for data encryption. Source: obrienmedia.co.uk]

At Cloudflare’s San Francisco office, a wall of lava lamps is continuously filmed. The chaotic motion of heated wax is sensitive to air currents, affected by temperature, influenced by vibration, and impossible to model precisely. Frames from the camera feed are hashed into entropy used for securing traffic.

Radioactive Decay

Some systems measure decay events from tiny radioactive sources. Each decay event occurs unpredictably and has no classical cause. The timing between decay events becomes entropy.

The Hybrid Model That Actually Runs the Internet

Physics is slow. Software is fast. So real systems combine both.
- Gather physical entropy (TRNG)
- Seed a Cryptographically Secure PRNG (CSPRNG)
- Generate fast output from the CSPRNG
- Periodically reseed with fresh entropy

The CSPRNG is still deterministic internally, but it has one crucial property: even if an attacker sees thousands of outputs, they cannot reconstruct the internal state or predict future values.

When It Goes Wrong

Getting randomness wrong has caused spectacular failures.

The Debian OpenSSL bug (2008): A well-meaning developer accidentally removed a line of code that fed real entropy into OpenSSL’s random number generator. For two years, every encryption key generated on Debian Linux came from a pool of just 32,768 possible seeds. All of them could be guessed in minutes. SSH keys, HTTPS certificates — all silently compromised across millions of machines.

Sony’s PlayStation 3 hack (2010): Sony’s code-signing system was supposed to use a random number during each signing operation. Instead, it used the same “random” number every single time. Hackers recovered Sony’s private signing key, and the PS3’s entire security model collapsed overnight.

Is Anything Truly Random?

Here’s the question that makes physicists argue at dinner parties. Is thermal noise truly random? Or just chaotic and hard to predict?

Classical physics says: deterministic, but sensitive. Quantum mechanics says: fundamentally random.

Experiments over decades support the quantum view, but from a systems perspective, that debate doesn’t change much. If an attacker cannot model or measure your entropy source, it’s unpredictable enough, and unpredictability is what security requires.

The Takeaway

The next time you call Math.random(), remember what’s happening underneath. We built deterministic machines. And then we taught them to listen to the chaos of the universe.

That’s how randomness works in computers. It’s not a trick. It’s a bridge between the world of perfect logic and the world of beautiful, irreducible noise.
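Added example (not part of the original article): von Neumann's middle-square method from the PRNG section, with a loop detector that shows how quickly a 4-digit state collapses into a cycle and how one observed output reveals every later one. The function names are illustrative.

```python
from itertools import islice


def middle_square(seed: int, digits: int = 4):
    """Yield successive middle-square values; each output is the whole state."""
    state = seed
    while True:
        squared = str(state * state).zfill(2 * digits)  # pad to 2*digits characters
        start = digits // 2
        state = int(squared[start:start + digits])      # keep the middle digits
        yield state


def tail_and_cycle(seed: int, digits: int = 4):
    """Return (steps before the loop begins, length of the loop) for a seed."""
    first_seen = {seed: 0}
    for step, value in enumerate(middle_square(seed, digits), start=1):
        if value in first_seen:
            return first_seen[value], step - first_seen[value]
        first_seen[value] = step


def predict_next(observed: int, count: int, digits: int = 4):
    """Replay the generator from a single observed output."""
    return list(islice(middle_square(observed, digits), count))


if __name__ == "__main__":
    print("same seed, same sequence:", list(islice(middle_square(1234), 3)))
    print("predicted from one output:", predict_next(5227, 2))
    for seed in (540, 2500, 1234):
        tail, cycle = tail_and_cycle(seed)
        print(f"seed {seed:4d}: loops after {tail} steps, loop length {cycle}")
```

Because the state space holds only 10,000 values, every seed must enter a loop within 10,000 steps; seed 540 is already inside a loop of length four.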
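Added example (not from the original article): the four steps of the hybrid model as a small generator whose update and generate steps are modelled on HMAC_DRBG from NIST SP 800-90A, simplified. The class name, the 1,024-call reseed interval, and the use of `os.urandom` as the physical entropy feed are assumptions for illustration.

```python
import hashlib
import hmac
import os


class HybridGenerator:
    RESEED_INTERVAL = 1024  # assumed value: generate() calls between reseeds

    def __init__(self, entropy_source=os.urandom):
        self._entropy = entropy_source  # step 1: where physical entropy comes from
        self._key = b"\x00" * 32
        self._value = b"\x01" * 32
        self.reseeds = 0
        self.reseed()                   # step 2: seed the deterministic core

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        """Mix `data` into the state; also run after every output so the
        state that produced earlier bytes is overwritten."""
        self._key = self._mac(self._value + b"\x00" + data)
        self._value = self._mac(self._value)
        if data:
            self._key = self._mac(self._value + b"\x01" + data)
            self._value = self._mac(self._value)

    def reseed(self) -> None:
        self._update(self._entropy(32))  # step 4: fold in fresh entropy
        self._since_reseed = 0
        self.reseeds += 1

    def generate(self, n: int) -> bytes:
        if self._since_reseed >= self.RESEED_INTERVAL:
            self.reseed()
        out = b""
        while len(out) < n:              # step 3: fast deterministic output
            self._value = self._mac(self._value)
            out += self._value
        self._update()
        self._since_reseed += 1
        return out[:n]


if __name__ == "__main__":
    print(HybridGenerator().generate(16).hex())
```

Application code should call `secrets` or `os.urandom`, which already sit on top of the operating system's own seeded generator; the class only makes the structure visible.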
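Added example (not from the original article): a defender's audit for the failure described in the Debian paragraph. When key generation depends only on one of 32,768 seeds, every possible key can be enumerated and fingerprinted ahead of time, and deployed keys can be checked against that set. `toy_keygen` is a constructed stand-in rather than OpenSSL's generator, and the host labels are sample data.

```python
import hashlib
import random
import secrets

SEED_SPACE = 32_768  # number of possible seeds stated in the article


def toy_keygen(seed: int) -> bytes:
    """Constructed stand-in: a 128-bit 'key' whose only input is `seed`."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def build_weak_fingerprints() -> dict:
    """Map fingerprint -> seed for every key the weak generator can emit."""
    return {fingerprint(toy_keygen(seed)): seed for seed in range(SEED_SPACE)}


def audit(deployed: dict, weak: dict) -> dict:
    """Return {label: seed} for each deployed key found in the weak set."""
    findings = {}
    for label, key in deployed.items():
        seed = weak.get(fingerprint(key))
        if seed is not None:
            findings[label] = seed
    return findings


if __name__ == "__main__":
    weak = build_weak_fingerprints()
    deployed = {                                # constructed sample inventory
        "web01": toy_keygen(4242),              # made by the broken generator
        "web02": secrets.token_bytes(16),       # made from OS entropy
    }
    print(f"{len(weak)} weak fingerprints enumerated")
    print("keys to rotate:", audit(deployed, weak))
```

The enumeration finishes in well under a minute on a laptop, which is why keys from such a generator have to be treated as public and rotated.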