Pseudorandom vs True Random: How to Tell Them Apart

Random numbers come in two flavors: pseudorandom numbers built by calculation, and true random numbers derived from physical phenomena. Both look nicely scattered, but in real engineering work, missing the distinction leads to mistakes such as:

• needing a reproducible simulation, but the result changes every run
• generating password tokens with a random source that is easy to predict
• treating “passes a statistical test” as proof of true randomness

1. The short answer

Pseudorandom numbers are sequences computed from internal state and an algorithm.
True random numbers are sequences derived from physical phenomena such as thermal noise or electrical jitter.

In practice, however, the safe random numbers used in real systems are not raw physical output. They are the output of a CSPRNG (cryptographically secure pseudorandom number generator) seeded from a physical entropy source.

So it helps to keep three categories straight:

1. Ordinary PRNG (pseudorandom number generator)
2. CSPRNG / DRBG (cryptographic PRNG)
3. NRBG / TRNG (true random number generator backed by a physical entropy source)

2. Terminology

3. What actually differs (four axes)

3.1 Source

• Pseudorandom: an algorithm and internal state
• True random: a physical entropy source

3.2 Reproducibility

• Pseudorandom: same seed, same result (great for testing)
• True random: different result even under the same conditions

3.3 Predictability

• Ordinary PRNG: leaking the seed makes the stream easy to read ahead
• CSPRNG: hard to predict as long as internal state stays protected
• True random: hard to predict when the physical source is healthy, but a faulty sensor changes that

3.4 Speed

• Pseudorandom: fast and steady
• True random: slower, since it requires entropy collection and monitoring

4. How to actually tell them apart

You cannot decide from output alone

Looking at a finite slice of output never proves a sequence is true random. You can always write a program that reproduces the same slice on demand.

Look at the generator design first

• What algorithm is it (a plain PRNG or a DRBG)?
• Where does the seed come from (a constant, or the OS entropy source)?
• Does it reseed?
• Does the entropy source have health checks?
• Which API is being called?

Statistical tests are for spotting defects

Test suites like NIST SP 800-22 are useful for catching obvious bias. Passing them, however, does not prove you have a true random source.

5. Choosing by use case

6. Safe random APIs by language

• Windows: BCryptGenRandom
• .NET: System.Security.Cryptography.RandomNumberGenerator
• Linux: getrandom()
• Python: the secrets module (the random module is not recommended)
• Java: SecureRandom

7. Common misconceptions

1. “If it passes statistical tests, it must be true random.” No. CSPRNGs pass them just fine.
2. “True random is always safe.” No. A bad sensor or a flawed design can drop the quality.
3. “All pseudorandom is dangerous.” No. CSPRNGs are the core of safe random number generation.
4. “Math.random() is fine for tokens.” No. Looking scattered and being hard to predict are not the same property.

8. A decision flow when you are unsure

1. Do you need to reproduce the same result? Yes: ordinary PRNG. No: continue.
2. Would prediction by an attacker be a problem? Yes: the OS-standard secure API. No: pick on speed.
3. Do you need accountability or audit on the random source? Yes: consider a physical RNG.
4. Tempted to roll your own? Reach for the standard API first.

9. Wrap-up

• Pseudorandom is built by calculation; reproducibility is its strength
• True random is built from physical phenomena; entropy is its strength
• Real safe random in production is physical entropy + a CSPRNG
• Judge the generator design, not the appearance of the output
• For security purposes, use the OS or language standard secure API

References

1. NIST SP 800-90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
2. NIST SP 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation
3. NIST SP 800-90C: Recommendation for Random Bit Generator (RBG) Constructions
4. NIST SP 800-22 Rev. 1a: A Statistical Test Suite for Random and Pseudorandom Number Generators
5. RFC 4086: Randomness Requirements for Security
6. Microsoft Learn: BCryptGenRandom function
7. Linux man page: getrandom(2)
8. Microsoft Learn: RandomNumberGenerator Class
9. Python documentation: secrets - Generate secure random numbers for managing secrets
10. Oracle Java Documentation: SecureRandom
11. IPA: Chapter 3.3 Hard-to-break Cryptography and Use of Pseudorandom Numbers (Japanese)