The Illusion of Randomness: Pseudo-Random vs. True Random Numbers

Introduction

Random numbers power everything from cryptography to gaming, but what if I told you that most of the "random" numbers we use aren’t random? In reality, most random number generators (RNGs) are deterministic, meaning that if you know the algorithm and its starting state, you can predict the output. This is why the distinction between pseudo-random numbers and true random numbers matters so much, especially in security-critical applications.

Pseudo-Random Numbers: The Predictable Chaos

A pseudo-random number generator (PRNG) is an algorithm that generates a sequence of numbers that appear random but are determined by an initial seed value. Because these generators follow a fixed set of rules, given the same seed, they will always produce the same sequence of numbers. This is useful in applications like simulations and gaming but poses a serious security problem.

While PRNGs are fast and efficient, they have one fatal flaw: predictability. If an attacker can determine the seed or reverse-engineer the algorithm, they can generate the same "random" numbers. This is where true random number generators (TRNGs) come in.
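The predictability described above, shown for a token built from a time-seeded PRNG next to one drawn from the operating system's CSPRNG. This is an added example, not code from the original article; the function names, the timestamp and the one-hour search window are constructed for illustration.

```python
import random
import secrets
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed: int, length: int = 16) -> str:
    """Token from Python's Mersenne Twister PRNG: same seed, same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def find_seed(token: str, start: int, end: int) -> Optional[int]:
    """Replay each candidate seed in [start, end); return the one that matches."""
    for candidate in range(start, end):
        if weak_token(candidate, len(token)) == token:
            return candidate
    return None


def strong_token(length: int = 16) -> str:
    """Token from the OS CSPRNG via secrets; there is no seed to replay."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo() -> Tuple[str, Optional[int]]:
    # Constructed scenario: the token was seeded with a Unix timestamp that an
    # observer knows only to within one hour (3600 candidate seeds).
    issued_at = 1_700_000_000
    issued = weak_token(issued_at)
    recovered = find_seed(issued, issued_at - 1800, issued_at + 1800)
    return issued, recovered


if __name__ == "__main__":
    token, seed = demo()
    print("weak token:", token, "| seed recovered:", seed)
    print("strong token:", strong_token())
```

Any token, password or key generator that seeds `random` with the clock, a process ID or another small value has the same weakness; the fix is to draw from `secrets` or `os.urandom` instead.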

True Random Numbers: Harnessing Nature’s Unpredictability

A true random number generator (TRNG) relies on physical processes to generate randomness. Instead of using algorithms, TRNGs measure unpredictable natural phenomena such as:

  • Thermal noise in electronic circuits.

  • Radioactive decay.

  • Keystrokes and mouse movements on a computer.

  • Atmospheric noise.

Linux and Randomness

Since computers are inherently deterministic, Linux gathers entropy (randomness) from unpredictable external sources like keystroke timing, mouse movements, disk I/O timings, network packet arrival times, and hardware RNGs. These unpredictable events feed the kernel entropy pool, which the system uses to generate secure random numbers.

On Linux systems, randomness is vital for cryptographic operations, such as SSH keys and encryption. Linux provides two special files for generating random numbers:

  • /dev/random – Utilizes environmental noise (keystrokes, mouse movements, disk activity) to produce high-quality randomness but can block when there isn’t enough entropy.

  • /dev/urandom – A non-blocking RNG that reuses entropy pool data when it runs low, making it faster but potentially less secure.

For security-sensitive operations like generating cryptographic keys, /dev/random is preferred, while /dev/urandom is preferred when speed is more important.
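Drawing key material from the kernel entropy pool described above, as an added example that is not part of the original article. It assumes Linux 3.17 or later, where the getrandom() system call (exposed in Python as `os.getrandom`) reads from the kernel's random source without opening either device file; the function names are illustrative.

```python
import os
from pathlib import Path
from typing import Optional

ENTROPY_AVAIL = Path("/proc/sys/kernel/random/entropy_avail")


def pool_estimate_bits() -> Optional[int]:
    """Kernel's own estimate of entropy in the pool, or None if unavailable."""
    try:
        return int(ENTROPY_AVAIL.read_text().strip())
    except (OSError, ValueError):
        return None


def pool_is_seeded() -> Optional[bool]:
    """True if the pool is initialised, False if a read would block right now,
    None if getrandom() is not usable on this platform."""
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)   # never waits; errors instead
        return True
    except BlockingIOError:                 # pool not yet initialised
        return False
    except OSError:                         # e.g. syscall filtered out
        return None


def generate_key(nbytes: int = 32) -> bytes:
    """Key material from the kernel. getrandom() waits only until the pool has
    been initialised; os.urandom() is the portable fallback."""
    if pool_is_seeded() is None:
        return os.urandom(nbytes)
    buf = b""
    while len(buf) < nbytes:                # a call may return fewer bytes
        buf += os.getrandom(nbytes - len(buf))
    return buf


if __name__ == "__main__":
    print("entropy estimate (bits):", pool_estimate_bits())
    print("pool seeded:", pool_is_seeded())
    print("256-bit key:", generate_key().hex())
```

Checking `pool_is_seeded()` early in boot, for example before a first-boot script generates SSH host keys, shows whether key generation would have to wait for entropy.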

📝 Before introducing the LavaLamp system, the folks at Cloudflare relied on Linux’s true random number generator.

The Lava Lamps of Cloudflare: A Unique Source of Randomness

One of the most fascinating examples of TRNG in action is Cloudflare’s Lava Lamp Wall. Cloudflare, a company that provides internet security and performance services, uses a wall of lava lamps as a randomness source for cryptographic keys.

How does this work? A camera records the swirling, unpredictable patterns in the lava lamps, converts them into digital data, and feeds them into an entropy pool to generate truly random numbers. Because the physics of lava lamp motion is highly chaotic and practically impossible to predict, this method ensures strong randomness.

You can read more about Lava lamps in this article: The Magic Behind Cloudflare’s Encryption Lava lamp

Why Random Numbers Matter

True randomness is crucial in ensuring security, fairness, and accuracy across various fields. In cryptography, it protects sensitive data by making encryption keys and session tokens unpredictable, so attackers can’t guess or recreate them.

Scientific simulations, from climate models to disease spread predictions, use randomness to capture the chaotic nature of real-world systems. Even decentralized networks, like blockchains, depend on randomness to fairly select leaders and distribute tasks, ensuring no participant can game the system. Whether it’s safeguarding data, ensuring fairness, or simulating reality, true randomness adds the essential unpredictability that makes systems secure, fair, and realistic.

Conclusion

While PRNGs are useful for everyday tasks, they aren’t truly random. Security-critical applications require TRNGs, which rely on unpredictable physical processes like lava lamps, hardware noise, or keystrokes to generate randomness. As the need for secure cryptographic systems grows, so does the importance of true randomness in our digital world.

Next time you generate a "random" password, ask yourself: is it random 🤔 ?




Written by

Anurag Swaroop Yadav