Random numbers, revealed

captainsafia profile image Safia Abdalla Updated on ・3 min read

Random numbers play a quintessential role in computer science. From cryptography to gaming to machine learning, randomness is useful in the functionality of a lot of software. Even though they are pretty ubiquitous, there is a lot of nuance to random numbers that most developers don't encounter in their typical interactions with them.

What and Why Random Numbers?

There are two requirements for random numbers. First, random numbers have to be uniformly distributed across some given interval set. Essentially, this means that given a particular range of numbers, say 1 to 100, any random number is equally as likely to be chosen as any other. Random numbers must also be independent. Given a process that returns a random number, correlated numbers should not be returned each time the process is used.

These requirements make sense. They ensure that random numbers are unique and uniform. However, there is a bit of a catch when it comes to random numbers generated by computer algorithms. Random numbers generated by computers don't often meet the criteria of mathematical random numbers.

Types of Random Numbers

There are different kinds of random numbers to distinguish when discussing random numbers in programming. They are...

Psuedo-random values

Psueodrandom values are not truly random. Generally, any random number that is generated by a computer is going to be a psuedorandom number. Despite the heisenbugs you might have run into, computers are deterministic devices. A program, given the same input, will always produce the same output.

To introduce randomness into their implementations, most random number generators will generate a number based on an initial seed. The same seed will produce the same set of random numbers. As a result, to generate random numbers the seed must be changed each time. Commonly, the seed will be the current date and time represented as a number.

Cryptographically secure random values

Cryptographically secure random values are, as the name suggest, random values that can be used for encryption, key generation, and other cryptographic use cases. Generally, a pseudorandom number generated will also generated cryptographically secure random values if it is impossible to distinguish the random numbers generated from the algorithm and truly random values. This brings us to....

Truly random values

Truly random values are values that adhere to the criteria for random numbers that we defined earlier. Generally, true random values are generated by relaying on some state that is not stored in the machine. random.org, a popular website for generating truly random values, generates random numbers based on atmospheric noise.

How Are Random Numbers Generated

I've already alluded to how psuedorandom generators are generated from a seed value and how truly random numbers are often generated from some random natural phenomena, like atmospheric noise. What does an actual psuedorandom number generator in a programming language look like?

I tend to lean to my most frequently used language nowadays, JavaScript, for deep dives on implementation. As it turns out, the official JavaScript standard doesn't provide any guidance on how JavaScript interpreters should implement pseudorandom number generation.

To find our answer, we'll have to dive into the V8 codebase. V8 is the JavaScript engine used in the Chrome browser and the Node runtime, so knowing how its internal Math.random implementation works is handy. As it turns out, the V8 engineering team has published a blog post on this topic, so I'll leave the thorough explanation of this to the experts.


Editor guide
patarapolw profile image
Pacharapol Withayasakpunt

What about how "secure" random numbers work?

About the V8 link, the magic numbers, 18030, 30903, 23, 17, 26 seems magical... Why not some kind of special prime number?

jonrandy profile image
Jon Randy

It is totally impossible to generate a truly random number

lbotinelly profile image
Leo Botinelly

Axiomatically correct, but you can have implementations that fulfill the requirements for all practical purposes. I'd say that's the implicit category the author is referring to.