If you are a developer who started your journey with the help of online tutorials, you would have probably used the Math.random() function in your coding projects. I used it for my dice roll application, which I created when I started learning React.

One of the main reasons for the use of the Math.random() function for random number generation is its ease of use. All you have to do is call the function and voila, you get a random number. It has no dependencies as well.

The Math.random() function can be used in several applications including animation and random background color selection. You can read more about its uses over here.

But have you ever wondered whether Math.random() is really random?

How random is Math.random()?

TLDR; Not random at all.

If you run the Math.random() function several times on your browser, you will notice that the values are different every time. But in fact, the Math.random() does not generate random numbers, rather it simulates the generation of random numbers with the help of algorithms — and does a pretty good job at it too. This type of random number generation is called pseudo-random number generation (PRNG).

If you run the Math.random() on a loop, you will eventually start seeing the pattern repeat itself. In modern-day browsers, this point is calculated to be 2¹²⁸ — 1. This totally depends on the PRNG algorithm being used.

How is Math.random() implemented?

As mentioned above, the point where the Math.random() pattern repeats itself depends on the PRNG algorithm being used. Now the question arises; what is the PRNG algorithm used by JavaScript?

None.

The PRNG algorithm being used in the Math.random() function is not known by JavaScript. Instead, it is up to the browser to decide and implement it. There were several well-known PRNG algorithms being used by browsers.

• Mersenne-Twister
• LCG
• MWC1616 (multiply with carry, combining two 16-bit parts)

But in 2015, the Chrome team found out several issues with their “then” PRNG algorithm, the MWC1616. They quickly changed their algorithm to xorshift128+ in their next update. And soon after, browser giants Firefox and Safari also followed. Now pretty much every modern-day browser uses the xorshift128+ algorithm to create randomness.

The quality of a PRNG algorithm is hard to test unlike other metrics such as memory usage, performance, and period length which can be easily calculated. To determine the quality of a PRNG algorithm, several statistical tests are done. The TestU01 is a standard PRNG test suite that implements several of these tests.

The xorshift128+ algorithm passed the TestU01 suite with flying colors. Furthermore, since it uses 128 bits of internal state, it has a period of 2¹²⁸ — 1. This means that the pattern will repeat itself after 2¹²⁸ — 1 cycles.

To know more about the xorshift128+ algorithm and chrome’s implementation read the below-given resources.

How to get truly random numbers?

All you perfectionists out there might start wondering now; how on earth do you get a perfect random number.

Well, the truth is that you can never get a real random number with an algorithmic approach. When math and formulae are used to create a random number, however random it might seem, the pattern will eventually repeat itself after the end of the period.

Do you really need a truly random number?

Most of the time, no.

If you are developing a simple dice game or a randomized animation for your webpage, you will not need a truly random number. A simulated random number obtained by the random() function is more than enough for your needs.

But there might be instances where you will need to use a truly random number for your implementation. These examples might include lottery winner selection and even cryptographic functions.

Since much of cryptography depends on a cryptographically secure random number generator for key and cryptographic nonce generation, if a random number generator can be made predictable, it can be used as a backdoor by an attacker to break the encryption.

Solutions

The MDN docs advise us NOT to use Math.random() function with anything related to cryptography and security. Rather, it is advised to use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

But if you still want to use truly random numbers, you can get them with the help of APIs. These true random numbers are generated with the help of physical methods. These numbers are based on a random atomic or subatomic physical phenomenon such as radioactive decay, thermal noise, etc.

Read more about them over here.

You can get true random values from the below APIs.

* ANU Quantum Random Number Generator API — quantum fluctuations of a vacuum

A React hook (shared on Bit) that fetches random numbers from the quantum random number generator.

* Random.org — atmospheric noise

* HotBits — radioactive decay

It should also be noted that a true random number generator is not needed most of the time. For these instances, the algorithmic approaches are far more sufficient. But in case, if you are working on one of the exceptional cases, you can use the above-given APIs to retrieve a truly random number. But you must also keep in mind the additional time taken for each of the requests to the API. This makes it difficult for these APIs to be used on a time-sensitive instance.

What do you think about the Math.random() function? Does it do a good job at simulating random numbers? Feel free to drop your comments below.

Thank you for reading and happy coding.

Learn More