4

For the different JavaScript implementations of Math.random:

Putting aside memory and length issues, will the following eventually have an eternally repeating sequence of numbers (e.g. It only depends on an internal seed, and when that seed wraps back to its starting point the numbers will repeat)?

sequence = Math.random();
while(true){
    sequence += ', ' + Math.random();
}

Will each client have the same repeating sequence (e.g. Clients don't incorporate client-specific data into the random number generation process)?


I ask because if the possible sequence of numbers is a limited subset, things like generating UUIDs with Math.random will have a much greater chance of collision.

Community
  • 1
  • 1
Briguy37
  • 8,342
  • 3
  • 33
  • 53
  • I don't think each client can have the SAME repeating SEQUENCE, assuming sequence meaning a series of numbers. You might eventually get a repeating number but sequence repeating seems unlikely to impossible – Huangism Nov 26 '14 at 15:28
  • Well, there is the possibility of two clients having the exact same seed(their timestamp being exactly the same), but the chances are slim...for sure. I wonder what the seed generators are for Spidermonkey and V8... – Benjamin Trent Nov 26 '14 at 15:36
  • Yes, it is *guaranteed* to repeat, and to repeat the same sequence given the same seed. DO NOT use Math.random() for generating UUIDs--you need a cryptographic RNG for that. – Lee Daniel Crocker Nov 26 '14 at 18:09

5 Answers5

5

From reading MDN:

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

I would assume, that collisions are eventually possible.

Thomas Junk
  • 5,588
  • 2
  • 30
  • 43
2

This mdn doc for Math.random() says that you can not rely on this to be truly secure.

But you could still try the alternative suggested window.crypto.getRandomValues() but at the time I write this, it is still experimental.

The implementation selects the initial seed to the random number generation algorithm; it cannot be chosen or reset by the user.

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

axelduch
  • 10,769
  • 2
  • 31
  • 50
2

It, mostly, depends on the seed generator of the underlying system. If two clients have the same exact seed, then the sequence will end up being the same...generally. There may be slight differences between the different implementations but the default falls back on the implementation in Java: Dig this SO question for additional info.

Generally the seed is a "bit better", aka slightly "more random" than just a timestamp.

Specifically:

V8 on Windows will use two different s_rand calls and bit arithmetic to get the seed for the generator. If /dev/urandom exists, it will use it instead. urandom is farely good as it does not simply use a unix timestamp but environmental noise. If both options are not available, V8 will just use different time stamps and mathematically combine them. However, the sequence of random numbers is not directly pulled from Java, and will probably not have the exact same sequence as a FireFox client as getting the next random number uses a different mathematical formula.

Firefox does something very similarly and it looks like they lifted the definition from Java. As for the seed, again, its generation is very similar to that of V8, using s_rand on windows /dev/urandom when it is available, and falling back on timestamps when neither are available.

All in all, the generation is "pseudo-random" and if the calculation of the next random number is the same(Chrome and Firefox differ slightly on this) and the two sequences are started with the same exact seed, then of course, the two clients will have the exact same sequence of numbers. Statistically, the chances of this happening are insignificant, but conceivably, it indeed can happen.

Dig the following sources for some more in depth statistical, mathematical goodness.

Sources:

  1. Firefox implementation of math_random
  2. V8's implementation
  3. Breaking the Java random number generator
  4. Predicting the Seed in JS
Community
  • 1
  • 1
Benjamin Trent
  • 7,378
  • 3
  • 31
  • 41
0

All random number generators need a seed; otherwise they are just a list of numbers that seem kind of random but will repeat eventually. Javascripts Math.Random() does not accept a seed as an argument and instead relies on a built-in seed generator. Even though it is a psuedo-random number generator, because no one has control over where the seed actually starts, Math.random() shouldn't have any kind of predictable pattern.

Check http://bocoup.com/weblog/random-numbers/ for a bit more on this.

IamzombieGrrArgh
  • 172
  • 2
  • 9
-1

No, while nothing in computing is truly random, the algorithms that are used to create these "random" numbers are make it seem random so you will never get a repeating pattern. Most (I'm not sure about Math.random) randomising functions will get the current timestamp and use that as part of it's process and this is one of the main reasons you will not get repeating data in this case.

DrRoach
  • 1,320
  • 9
  • 16
  • I would assume that if the pseudo-random generator is constructed with the same seed, then the random numbers generated would be exactly the same. The underlying function does not change between each client and the only difference would be the seed, right? So, having the same seed would produce the same sequence. I suppose ultimately the seed generation is the key to this question. – Benjamin Trent Nov 26 '14 at 15:37
  • Yes it depends entirely on how the seed is generated, some functions may use header parameters along with the time to make it more random for example but, like with any math equation, if you enter the same input you get the same output. – DrRoach Nov 26 '14 at 15:45