Will Math.random repeat?

Question

For the different JavaScript implementations of Math.random :

Putting aside memory and length issues, will the following eventually have an eternally repeating sequence of numbers (eg It only depends on an internal seed, and when that seed wraps back to its starting point the numbers will repeat)?

sequence = Math.random();
while(true){
    sequence += ', ' + Math.random();
}

Will each client have the same repeating sequence (eg Clients don't incorporate client-specific data into the random number generation process)?

I ask because if the possible sequence of numbers is a limited subset, things like generating UUIDs with Math.random will have a much greater chance of collision.

Answer 1

From reading MDN :

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

I would assume, that collisions are eventually possible.

Answer 2

This mdn doc for Math.random() says that you can not rely on this to be truly secure.

But you could still try the alternative suggested window.crypto.getRandomValues() but at the time I write this, it is still experimental.

The implementation selects the initial seed to the random number generation algorithm; it cannot be chosen or reset by the user.

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

Answer 3

It, mostly, depends on the seed generator of the underlying system. If two clients have the same exact seed, then the sequence will end up being the same...generally. There may be slight differences between the different implementations but the default falls back on the implementation in Java: Dig this SO question for additional info .

Generally the seed is a "bit better", aka slightly "more random" than just a timestamp.

Specifically:

V8 on Windows will use two different s_rand calls and bit arithmetic to get the seed for the generator. If /dev/urandom exists, it will use it instead. urandom is farely good as it does not simply use a unix timestamp but environmental noise. If both options are not available, V8 will just use different time stamps and mathematically combine them. However, the sequence of random numbers is not directly pulled from Java, and will probably not have the exact same sequence as a FireFox client as getting the next random number uses a different mathematical formula.

Firefox does something very similarly and it looks like they lifted the definition from Java. As for the seed, again, its generation is very similar to that of V8, using s_rand on windows /dev/urandom when it is available, and falling back on timestamps when neither are available.

All in all, the generation is "pseudo-random" and if the calculation of the next random number is the same(Chrome and Firefox differ slightly on this) and the two sequences are started with the same exact seed, then of course, the two clients will have the exact same sequence of numbers. Statistically, the chances of this happening are insignificant, but conceivably, it indeed can happen.

Dig the following sources for some more in depth statistical, mathematical goodness.

Sources:

1. Firefox implementation of math_random
2. V8's implementation
3. Breaking the Java random number generator
4. Predicting the Seed in JS

Answer 4

All random number generators need a seed; otherwise they are just a list of numbers that seem kind of random but will repeat eventually. Javascripts Math.Random() does not accept a seed as an argument and instead relies on a built-in seed generator. Even though it is a psuedo-random number generator, because no one has control over where the seed actually starts, Math.random() shouldn't have any kind of predictable pattern.

Check http://bocoup.com/weblog/random-numbers/ for a bit more on this.

Answer 5

No, while nothing in computing is truly random, the algorithms that are used to create these "random" numbers are make it seem random so you will never get a repeating pattern. Most (I'm not sure about Math.random) randomising functions will get the current timestamp and use that as part of it's process and this is one of the main reasons you will not get repeating data in this case.