In this blog post, we’ll explain the limitations of computer-generated random numbers, the nature of randomness, and the difference between TRNGs and PRNGs in simple terms.
“If there’s one thing computers are really bad at, it’s flipping a coin.” This is a quote from Steve Ward, a professor in the Department of Computer Science at MIT. He means that because today’s computers can only process data according to algorithms—which are sets of rules defined by humans—it is difficult for computers alone to achieve the level of randomness expected in a coin flip. While computers can process millions of data points through complex calculations and precise predictions, “randomness” remains a difficult challenge because, by its very nature, it requires the intervention of unpredictable elements. As a result, computers operate based on values directly inputted by humans. So, how can we overcome this limitation?
However, many programs closely related to our daily lives absolutely require random numbers. Examples include OTPs, which are frequently used for security, and gacha items, which are a major source of revenue for many game companies. OTPs enhance security by generating a new code with every login, while games provide users with unpredictable excitement by offering random rewards through gacha systems. As such, numbers with randomness have become an essential element in various fields. This raises a problem that needs to be solved. How can we make a computer generate “random” numbers that are “convenient for us to use”?
The most basic principle is to observe and record random factors and then utilize that data. Although modern science has advanced to the point where it can accurately predict countless phenomena, there are still many phenomena that humans cannot predict with certainty. By observing these phenomena, we can provide random numbers to a computer, as if “borrowing” random elements from nature. For example, the website random.org observes noise in the atmosphere and uses the results to derive random numbers, which it then provides to us. Devices and programs that generate random numbers in this way are collectively referred to as TRNGs (True Random Number Generators).
However, generating truly random numbers and using them are two different matters. While it is clear that numbers generated by a TRNG are truly random and cannot be predicted by anyone, there are two main challenges to using them directly. One is that the speed at which numbers are output cannot exceed the speed at which they are measured; therefore, depending on the TRNG, it may not be able to fulfill its role when a large number of numbers are needed in a short period of time. For example, if there is a TRNG that flips a coin 10 times per second and records 1 for heads and 0 for tails, this TRNG would be difficult to use when a 1,000-digit binary random number is needed within 10 seconds. Another challenge is that the numbers are so random that they are difficult to reproduce in a different space or at a different time. If the numbers are hard to reproduce, it becomes difficult to troubleshoot errors in programs that rely on them, and when applying TRNGs to security systems, it’s hard to share the “key,” leading to usability issues.
For this reason, many companies and organizations use PRNGs (Pseudo-Random Number Generators) alongside TRNGs when generating random numbers. A PRNG is an algorithm that, fundamentally, uses a single number obtained from elsewhere to generate the next number, then uses that number to generate the next one, and repeats this process. While a PRNG provides randomness, its algorithmic nature results in repetitive patterns. To compensate for this, a seed from a TRNG is set to enhance the randomness of the pseudo-random numbers.
Based on the information provided so far, it might seem that any algorithm could be used as a PRNG as long as it meets the basic conditions. However, there are two decisive reasons why not just any algorithm should be used as a PRNG. The first reason is that the output values of all algorithms eventually become cyclic. A PRNG follows the process of [input a number → process it using a defined method → output a number corresponding to the processed result → use the output number as input for another number → process it using a defined method → …]. However, due to the limitations of computer programs, there are restrictions on the range of numbers used in every input and output step. Because of this limitation, during the repetition of this process, there comes a point where the “new number generated from the output” matches a “value previously received as input.” From this point onward, numbers that have appeared before begin to reappear, and the output numbers cease to be random and instead become predictable. While this is a limitation of all algorithms, it is self-evident that algorithms that minimize this cyclic behavior have greater value as random number generators than those that do not.
The second reason is that if just any algorithm is used, there may be numbers within the output range that never appear even once. This makes the algorithm difficult to use. For example, imagine a game where 100 people are assigned numbers from 1 to 100 in order of height, and a computer program randomly selects a number between 1 and 100 to award 1 million won to the person corresponding to that number. If, due to the limitations of the PRNG algorithm used, the numbers 88 and 99 are never generated, this would be unfair. Such errors can lead to catastrophic consequences not only in this specific scenario but also in various fields that require sophisticated random numbers.
For this reason, algorithms commonly used as PRNGs are meticulously designed to embody the essence of modern mathematics and computer science. While they do exhibit a cycle, that cycle is so incredibly distant that it is effectively non-existent; every number within the output range appears, and furthermore, the frequency of each number’s appearance is uniform. Take the Mersenne Twister, a PRNG created in 1997 that is still widely used in various fields today. It has a period of ( (2^19937)-1), it has a period of (2^19937)-1. Although it does exhibit a cycle, theoretically, even if every computer on Earth were to use it until the end of the universe, one would never observe the cycle of numbers. Furthermore, it guarantees that all numbers will appear an equal number of times across 623 dimensions.
Through TRNGs and PRNGs, we are able to utilize random numbers on computers. Simply put, since a computer cannot physically flip a coin itself, we can have it process the results of coin flips occurring elsewhere. While technologies using random numbers are easily accessible everywhere, they are built upon the efforts of countless people who faced and solved this problem in the past. If you ever think of this article when using an OTP or purchasing a gacha item, I hope you’ll take a moment to express your gratitude to those people.
