Cryptographic Randomness Explained: Why Fairness Matters in Online Draws

The Illusion of Randomness

When you ask a computer to generate a "random" number, what actually happens behind the scenes? The answer might surprise you—and it has significant implications for anyone running giveaways, raffles, or any selection where fairness matters.

Most programming languages provide a simple random number function (like JavaScript's Math.random()). These functions are fast and convenient, but they have a dirty secret: they're not actually random. They're pseudo-random.

Pseudo-Random vs. Cryptographically Secure Random

Pseudo-Random (PRNG)

• Uses mathematical formulas
• Starts from a "seed" value
• Same seed = same sequence
• Patterns can be predicted
• Fast but not secure

Cryptographically Secure (CSPRNG)

• Uses physical entropy sources
• Hardware-based randomness
• Unpredictable by design
• Cannot be reverse-engineered
• Used in security applications

How Pseudo-Random Numbers Work

Pseudo-random number generators (PRNGs) use mathematical algorithms to produce sequences of numbers that appear random. They start with an initial value called a "seed" and apply a formula to generate each subsequent number.

The problem? If you know the algorithm and the seed, you can predict every "random" number that will be generated. In many systems, the seed is based on the current time, making it potentially guessable.

How Cryptographically Secure Random Numbers Work

Cryptographically secure pseudo-random number generators (CSPRNGs) take a fundamentally different approach. They gather "entropy"—genuine randomness—from physical sources like:

• Electrical noise in hardware components
• Timing variations in user input (mouse movements, keystrokes)
• Disk seek times and network packet timing
• Dedicated hardware random number generators

This physical entropy is then processed through cryptographic algorithms designed to be computationally infeasible to predict or reverse-engineer.

Why This Matters for Giveaways and Selections

You might think, "Who cares if someone could theoretically predict my giveaway winner?" Here's why it matters:

Trust and Perception

Even if no one actually exploits weak randomness, the possibility of exploitation undermines trust. This is why many users ask "is Wheel of Names fair?" or worry about rigged giveaways. When you can say your selection uses cryptographically secure randomness—the same standard used for banking and security—you're making a stronger statement about fairness.

Legal and Compliance Considerations

In some jurisdictions and for certain types of promotions, there are legal requirements around how winners must be selected. Using provably fair, cryptographically secure methods provides documentation that your selection process meets the highest standards.

Protection Against Manipulation

While rare, there have been documented cases of people exploiting weak random number generators. In 2010, a security researcher demonstrated how to predict the "random" numbers generated by PHP's rand() function, which was used by many websites for everything from password resets to contest winners.

The Web Crypto API: Browser-Based Security

Modern web browsers provide access to cryptographically secure randomness through the Web Crypto API. This API, available via crypto.getRandomValues(), taps into the operating system's secure random number generator.

How AllWheel Uses the Web Crypto API

AllWheel's random selection tools—including our wheel spinner, name picker, and number generator—are built on the Web Crypto API. When you spin a wheel or pick a name, here's what happens:

1Your browser requests random bytes from the operating system's CSPRNG
2The OS gathers entropy from hardware sources and cryptographic mixing
3These secure random bytes are returned to the browser
4AllWheel converts these bytes into a selection from your list
5The entire process happens locally—no data is sent to any server

Technical Note: Avoiding Modulo Bias

When converting random bytes to a number within a range, naive implementations can introduce "modulo bias"—a subtle unfairness where some numbers are slightly more likely than others. AllWheel uses rejection sampling to eliminate this bias, ensuring every option has exactly equal probability.

How to Verify Randomness Quality

If you're evaluating random selection tools, here are questions to ask:

Does it use the Web Crypto API or equivalent?

Look for mentions of crypto.getRandomValues() or similar secure APIs.

Is the selection performed client-side?

Client-side selection means no server can manipulate results.

Does it handle modulo bias?

Quality implementations use rejection sampling or similar techniques.

Is the code open for inspection?

Transparency allows verification of claims about randomness quality.

Common Misconceptions About Randomness

"Random means unpredictable patterns"

True randomness can produce patterns that look non-random. Getting the same number twice in a row, or seeing apparent clusters, doesn't indicate a problem—it's actually expected in truly random sequences. Our brains are wired to see patterns even where none exist.

"More complex algorithms are more random"

Complexity doesn't equal randomness. A simple algorithm using genuine entropy (like the Web Crypto API) is far more random than a complex algorithm using a predictable seed. The source of randomness matters more than the algorithm's complexity.

"Online tools can't be trusted"

This depends entirely on the tool's implementation. Tools that perform selection client-side using the Web Crypto API are actually more trustworthy than many alternatives because the selection happens on your device, not on a server that could be manipulated. Learn more about what makes a wheel spinner fair.

Conclusion: Randomness You Can Trust

When fairness matters—whether you're running a giveaway, selecting students in a classroom, or making any decision that affects others—the quality of your randomness matters too.

Cryptographically secure random number generation isn't just for banks and security applications. It's the standard that anyone who cares about fairness should demand from their selection tools.

By understanding the difference between pseudo-random and cryptographically secure randomness, you can make informed choices about the tools you use—and confidently tell your audience that your selections are provably fair.

Frequently Asked Questions

Is Math.random() good enough for my giveaway?

For casual use, it's acceptable, but not ideal. Math.random() is pseudo-random and theoretically predictable. For giveaways where trust matters, use tools with cryptographically secure randomness (Web Crypto API).

Can someone hack a random number generator?

Cryptographically secure generators (CSPRNG) are designed to be computationally infeasible to predict or manipulate. The Web Crypto API uses the same security standards as online banking. Learn more about whether wheel spinners can be rigged.

Why does client-side selection matter?

When selection happens in your browser (client-side), no server can manipulate results. You can verify this by checking your browser's network tab—no data is sent when you click "generate."

What is modulo bias and should I worry about it?

Modulo bias is a subtle unfairness that can occur when converting random bytes to a number range. Quality tools use rejection sampling to eliminate this. If a tool doesn't mention handling modulo bias, it may have slight unfairness.