Is Java's java.util.Random reliable? [duplicate]

Question

This question already has answers here:

How good is java.util.Random? (6 answers)

Closed 8 years ago.

I cannot help but notice...after I have started developing my math game (and gave it to beta-testers after constantly tweaking it, and I am still not done!) that my use of java.util.Random and its method nextInt() casted to double may not be the reliable saviour class I was looking for. Is it for generating random numbers for applications like mine? //The point of this app is to make an arithmetic game that is challenging for ALL PEOPLE and lets you solve problems with both integer and floating-point arguments. The highest number my program generates is a 6-digit number, and that is because of some different logic I have used for the Human Calculator (highest level) difficulty, namely for the division problems. I was thinking about using Mersenne twister algorithm, but I think the algorithm used by java.util.Random is something like this: http://docs.oracle.com/javase/7/docs/api/java/util/Random.html#next%28int%29 .

Also, I would like to know if it would be recommended that I use something like new java.util.Random(System.currentTimeMillis())

Answer 1

Random's no-arg constructor is already based on the current time (through its cpu nanoTime and not the UTC date) so just creating it will get you a different seed every time. the seeded Random(long) version is (in my experience) mostly used when you want predictable output (some procedural generation routines for computer games, for example, allow the player to specify a random seed)

if youre very worried about how random your random numbers are, you might want to look at SecureRandom, which is recommended over plain Random for encryption and such. there's a nice explanation of how to use it here and a VERY good explanation of the difference between the two here

Answer 2

The other answers have this pretty covered, particularly mfrankli's answer regarding the difference between statistically random and cryptographically random. In your situation, you really only need the latter, so java.util.Random is good enough.

All that being said, one easy mistake to make (which has bitten me at least once), is creating many Random instances within a short period of time. For example calling new Random() every time you need a random number. You should initialize Random once and re-use it as much as possible. Since Random is seeded off the system time (even at a the nano scale), the output of a series of Random instances created at very close to the same time will not be uniformly distributed.

Answer 3

Short answer: yes, java.util.Random should be fine for your application; and simply using the constructor new java.util.Random(), with no argument, should also be fine.

Longer answer: java.util.Random is not cryptographically secure - there's a technical definition here, but essentially it isn't 'random enough' for security people to feel safe using it; an attacker could potentially guess the random numbers produced. However, it satisfies two other important properties:

1. Resembles the random distribution i.e., each value is equally likely to be generated.
2. Non-deterministic i.e., you'll get a different sequence of values each time.

In other words: you should be good to go.