Is generating and combining 3 Math.random () values more random than a 1 Math.random () value?

Question

Is generating and combining 3 Math.random () values more random than a 1 Math.random () value?

I need to create a unique identifier for several sentences in a longer story (when multiple users can simultaneously perform the same action on different machines).

I considered executing new Date().getTime() (and possibly a username union), but since the identifier was generated in the loop during iteration over the sentences, I found that duplicates were created (since generation could happen in the same millisecond) .

So, I am playing with:

 var random1 = Math.floor((Math.random() * 10000) + 1).toString(36); var random2 = Math.floor((Math.random() * 10000) + 1); var random3 = Math.floor((Math.random() * 10000) + 1); var id = random1 + random2 + random3; // generates things like: // 1h754278042 // 58o83798349 // 3ls28055962

It occurred to me (although, admittedly, as a person who did not reflect on unique / random / cryptological problems), is it possible that combining three random numbers is not random if there is one random number?

Is generating and combining 3 Math.random() values more random than a 1 Math.random() value?

This answer ( https://security.stackexchange.com/a/124003 ) states:

If a random generator does generate random data, then it will not matter.

But I'm not sure how this relates to using Math.random() .

Edit:

The script is the client side of the Internet, not for security, to ensure that each offer has a unique identifier in the database.

Edit:

I finished the implementation:

 function guid() { function s4() { return Math.floor((1 + Math.random()) * 0x10000) .toString(16) .substring(1); } return s4() + s4() + '-' + s4() + '-' + s4() + '-' + s4() + '-' + s4() + s4() + s4(); } var id = guid();

From: stack overflow

Also see the comment on this answer:

Actually, RFC allows you to create UUIDs created from random numbers. You just need to trick a couple of bits to determine this as an example. See Section 4.4. Algorithms for creating UUIDs from true Random or pseudo-random numbers: rfc-archive.org/getrfc.php?rfc=4122

+5

javascript random

user1063287 Jul 6 '16 at 15:45

source share

3 answers

The only thing you change by combining 3 evenly distributed random numbers is a larger range of possible values. The distribution is still uniform, so it is no more "random", but it significantly reduces the risk of collisions. Then the number of possible values will be 36 ^ 12, or 4.7383813e + 18.

You will get the same effect by combining 12 base numbers 36 (0-9, AZ).

+2

D Stanley Jul 6 '16 at 21:11

source share

Math.random () returns a Number value with a positive sign greater than or equal to 0, but less than 1, selected randomly or pseudo-randomly with approximately uniform distribution over this range using an implementation-dependent algorithm or strategy.

Here's the implementation of V8:

 uint32_t V8::Random() { // Random number generator using George Marsaglia MWC algorithm. static uint32_t hi = 0; static uint32_t lo = 0; // Initialize seed using the system random(). If one of the seeds // should ever become zero again, or if random() returns zero, we // avoid getting stuck with zero bits in hi or lo by reinitializing // them on demand. if (hi == 0) hi = random(); if (lo == 0) lo = random(); // Mix the bits. hi = 36969 * (hi & 0xFFFF) + (hi >> 16); lo = 18273 * (lo & 0xFFFF) + (lo >> 16); return (hi << 16) + (lo & 0xFFFF); }

Source: http://dl.packetstormsecurity.net/papers/general/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf

In other words, 3 random values of ane are no more “random” than 1.

+1

Sergei Podlipaev Jul 6 '16 at 16:04

source share

sh1 · Accepted Answer · 2016-07-07T05:52:45+0000

It's complicated.

Because you are using a random number generator, it is possible that the first line will be the same, while the second or third line is different. This means that you are creating more unique strings than you could get with just one call to Math.random() . More unique strings mean fewer collisions, which you were aiming for.

To confirm this, just upload a lot of these lines to a file, and then sort them and see if the second and third values change with the first value or if they can change independently (you will need to add delimiters to the output to see this).

This is an artifact that hides the state of PRNG; and after a few additions it will stop working. It should (without guarantees!) Be after so many iterations that you cannot easily test it, so do not try to do it empirically.

If you had a really primitive generator algorithm, you might find that whenever random1 was equal to X, then random2 always be equal to Y, and random3 always be equal to Z; therefore, if you had a collision in X, then implicitly Y and Z would also collide, and therefore they would not help.

But most PRNGs (as well as the structure of your code when you take only 10,000 different values from each call) have a state much larger than what they show in one call. This means that even if random1 is X, random2 and random3 are still completely unpredictable, and collisions become less likely due to their presence.

However, by the time you get to random100 , you should start to understand that you can guess that it will be based on the values of all other randomX , and it will no longer create a unique string.

Then the whole problem runs down the rabbit hole of seed quality and staff size. Basically, it is believable so that the random number generator is so weak that it can produce only four billion unique lines and probably much less in realistic situations. The random() function was not intended to solve the GUID problem, so there is a risk that it will not succeed effectively.

Is generating and combining 3 Math.random () values ​​more random than a 1 Math.random () value?

More articles:

Is generating and combining 3 Math.random () values more random than a 1 Math.random () value?