Understanding Online Sources of Randomness

Information current as of: Monday, April 7, 2025

When seeking entropy or randomness online, the "best" source depends critically on your specific needs, particularly regarding quality, speed, verifiability, and security implications. Here's a breakdown of the different types of sources available:

1. True Random Number Generators (TRNGs)

These generators derive randomness from inherently unpredictable physical phenomena. They offer the highest statistical quality ("true" randomness) but may have limitations in speed or accessibility compared to algorithmic methods.

Examples:

random.org: A very popular service generating randomness primarily from atmospheric noise. Offers free tiers (with rate limits) and paid options via a simple HTTP API. Provides various formats (numbers, sequences, bitmaps).
ANU Quantum Random Numbers: From the Australian National University, based on quantum vacuum fluctuations. Often provides data blocks and APIs, subject to availability.
HotBits: Generates randomness from the timing of radioactive decay events.

Best for: Statistical sampling, simulations, games, lotteries (where public verifiability isn't paramount), scientific research, or any application specifically requiring randomness directly derived from physical processes where potential biases in algorithms are unacceptable. Generally **not** recommended for generating cryptographic secrets.

2. Cryptographically Secure Pseudo-Random Number Generators (CSPRNGs)

These use deterministic algorithms, but are carefully designed to produce output that is computationally indistinguishable from true random numbers and unpredictable for cryptographic purposes. They are typically seeded with entropy from the operating system (which often includes hardware events or TRNG sources).

The Best Source: Your Local Operating System

For almost all programming tasks requiring high-quality or secure randomness, the best practice is **not** to fetch it online, but to use the CSPRNG built into your local operating system or runtime environment.

Why Local is Better:
- Speed: Orders of magnitude faster than network requests.
- Availability: Works offline, always accessible.
- Security: Avoids transmitting potentially sensitive random data. Relies on heavily vetted OS implementations (like /dev/urandom) that manage entropy pooling.
- Simplicity: Easily accessed via standard libraries.
Common Access Methods:
- Linux/macOS: Reading from /dev/urandom.
- Windows: Using APIs like CryptGenRandom or BCryptGenRandom.
- Python: os.urandom() or the high-level secrets module (recommended for security).
- JavaScript (Browser/Node.js): crypto.getRandomValues() or crypto.randomBytes().
- Java: java.security.SecureRandom.

Best for: Generating cryptographic keys, nonces, salts, initialization vectors (IVs), session IDs, passwords, security tokens, and general-purpose high-quality randomness in software development. **This is the standard for security-sensitive applications.**

Security Warning: Never use online TRNGs (like random.org) or non-cryptographic PRNGs (like Python's default random module) to generate cryptographic keys, passwords, or other secret values. Always use a dedicated CSPRNG, preferably the one provided by your operating system or language's secure library (like Python's secrets module).

3. Public Randomness Beacons

These services generate randomness (typically using TRNGs/CSPRNGs internally) and publish it at regular intervals in a way that is publicly verifiable and resistant to manipulation or prediction. Their main purpose is trust and auditability in public processes.

Examples:

NIST Randomness Beacon: From the US National Institute of Standards and Technology. Publishes timestamped, chained random values every 60 seconds with cryptographic proofs.
drand (League of Entropy): A distributed network run by multiple independent partners. Uses threshold cryptography to produce publicly verifiable, decentralized randomness at regular intervals (e.g., every 30 seconds). Designed to be highly resistant to bias from any single participant.

Best for: Public lotteries, random selection for audits or panels, cryptographic parameter generation ceremonies, trusted timestamping, blockchain applications, or any multi-party process requiring a shared, unbiased, and auditable source of randomness.

Summary Comparison

Category	Randomness Quality	Typical Speed	Public Verifiability	Primary Use Case	Recommendation / Key Examples
Online TRNGs	True (Physical Source)	Slow (Network Latency, Rate Limits)	No (Trust Provider)	Statistics, Simulations, Non-Crypto "True" Randomness	`random.org`, ANU QRNG
Local CSPRNGs	Cryptographically Secure (Algorithmic)	Very Fast (Local CPU/OS)	No	Cryptography, General Secure Programming	Use OS/Language Built-ins (`secrets`, `os.urandom`, `crypto.getRandomValues`)
Public Beacons	Cryptographically Secure (Derived)	Interval-Based (e.g., 30-60s)	Yes (Designed for Auditability)	Public Lotteries, Audits, Trusted Setups	NIST Beacon, drand