This blog post explains the limitations of computer-generated random numbers, the nature of true randomness, and the difference between TRNGs and PRNGs in simple terms.
“If there’s one thing computers are bad at, it’s flipping a coin.” This is a quote from Steve Ward, a professor in the Department of Computer Science at MIT. He means that today’s computers can only process conditions input by humans according to algorithms—methods defined by humans—making it difficult for a computer alone to exhibit the level of randomness one would expect from a coin flip. Computers can process millions of data points through complex calculations and precise predictions, but ‘randomness’ remains a difficult challenge because its very nature requires unpredictable elements. Consequently, computer processing relies on values directly input by humans. So, how can we overcome this limitation?
Yet, random numbers are essential for many programs closely tied to our daily lives. Examples include OTPs, frequently used for security, and gacha items, a major revenue source for many game companies. OTPs enhance security by generating a new number for each login, while games provide unpredictable excitement to users by offering random rewards through gacha systems. Thus, numbers possessing randomness have become essential elements across diverse fields. This raises a problem that must be solved: How do we make a computer output ‘random’ numbers that are ‘convenient for us to use’?
The most fundamental principle is to observe and record random factors, then utilize that data. While modern science has advanced to the point where it can accurately predict countless phenomena, there are still many events humans cannot precisely forecast. By observing these phenomena, we essentially ‘borrow’ random elements occurring in nature to generate random numbers for the computer. For example, the website random.org observes atmospheric noise and uses the results to derive random numbers, which it provides to us. Devices or programs that generate random numbers in this manner are collectively called TRNGs (True Random Number Generators).
However, generating perfect random numbers and using them are two different matters. While numbers generated by a TRNG are undoubtedly perfect random numbers that no one can predict, there are two major drawbacks to using them directly. One is that the output speed cannot exceed the measurement speed, meaning that depending on the TRNG, it may fail to perform adequately when a large number of numbers are needed in a short time. For example, consider a TRNG that flips a coin 10 times per second, recording 1 for heads and 0 for tails. This TRNG would be impractical if 1000-digit binary random numbers were needed within 10 seconds. Another issue is that the numbers are too random to be easily reproduced in a different space or at a different time. Difficulty in reproduction leads to problems with usability, such as making it hard to diagnose errors in programs related to the numbers or making it difficult to share ‘keys’ when applying TRNG for security.
For this reason, many companies and organizations use both TRNG and PRNG (Pseudo Random Number Generator) when generating random numbers. A PRNG is an algorithm that fundamentally uses a single number obtained from elsewhere to generate the next number, then uses that number to generate the next number, and repeats this process to create another number. While a PRNG provides randomness, its algorithmic nature inherently creates repetitive patterns. To compensate for this, the seed is set using a TRNG value to enhance the pseudo-randomness of the PRNG.
Based solely on this information, one might think any algorithm could serve as a PRNG if it meets basic conditions. However, there are two decisive reasons why not just any algorithm should be used as a PRNG. The first reason is that the output values of all algorithms eventually become cyclical. A PRNG follows the process: [input a number → process it using a defined method → output the number corresponding to the processed result → use the output number to input another number → process it using the defined method → …]. Due to the limitations of computer programs, the range of numbers used in every input and output step is constrained. Because of this limitation, during repeated iterations, the ‘number generated using the output result’ can become identical to a ‘value previously received as input’. From this point onward, previously generated numbers start reappearing, and the output numbers become predictable rather than truly random. This is a limitation inherent to all algorithms, but it is self-evident that an algorithm that minimizes this cyclical phenomenon has greater value as a random number generator than one that does not.
The second reason is that using just any algorithm might result in numbers never appearing within the output range. This creates practical difficulties. For example, imagine a game where 100 people are assigned numbers from 1 to 100 in order of height, and a computer program randomly selects a number between 1 and 100. The person corresponding to that number wins 1 million won. If the PRNG algorithm used in this game fails to generate the numbers 88 and 99, this would be unfair. Beyond such specific cases, errors like this in fields requiring sophisticated random numbers can lead to catastrophic consequences.
Therefore, algorithms commonly used as PRNGs are meticulously designed, embodying the essence of modern mathematics and computer science. They exhibit a cycle, but this cycle is so distant that it might as well not exist. Every number within the output range appears, and furthermore, the frequency of occurrence for every number is uniform. The Mersenne Twister, a PRNG created in 1997 and still widely used across various fields today, has a cycle of ( (2^19937)-1), meaning it does have a cycle. However, theoretically, even if every computer on Earth used it until the universe ended, the cycle would never be observed. It guarantees the same distribution across 623 dimensions, ensuring every number appears an equal number of times.
Through TRNGs and PRNGs, we gain access to random numbers on computers. Simply put, since computers cannot physically flip a coin themselves, we observe coin flips happening elsewhere and instruct the computer to process them. While technologies using random numbers are ubiquitous, their foundation rests on the efforts of countless individuals who faced and solved this problem in the past. If you ever think of this article when using an OTP or buying a gacha item, I hope you’ll take a moment to appreciate those people.
