3

I'm trying to find an RNG to generate a stream of pseudorandom bits. I have found that Mersenne Twister (MT19937) is a widely used RNG that generates good 32-bit unsigned integers and that implementations have been done to generate apparently good double-precision floats (generating a 53-bit integer). But I don't seem to find any references to it being well-behaved on the bit side of things.

Marsaglia expressed some concerns about the randomness of Mersenne Twister that are making me doubt about using it.

Does anybody know if Mersenne Twister has a significant bias used to generate pseudorandom bits? If it is the case, does anyone know a good pseudorandom bit generator?

Luc
Wilhelm
  • Without an external source such as seeding or grabbing a number, this is probably fine. It's also pretty fast to calculate as well, a bonus. The companies I've worked at have always used it, so there's an endorsement for you as well. Whatcha up to that you are worried about how random it is? – Michael Dorgan Jan 04 '12 at 01:01
  • IIRC, it shouldn't be used for statistics/high-security-stuff, but is quick enough and pretty random for most uses. (Although, there are apparently [better PRNGs](http://en.wikipedia.org/wiki/Multiply-with-carry) which are faster, according to the Wikipedia article... IIRC.) Its initial values are closer to 0, but after a bunch of iterations, it's pretty random. – Mateen Ulhaq Jan 04 '12 at 01:12
  • @muntoo MWC has bias on the bits, so I can not use it. – Wilhelm Jan 04 '12 at 14:13
  • @MitchWheat What is a good RNG for Monte Carlo? – Wilhelm Jan 04 '12 at 14:14
  • A really good one is to use actual randomness from a physical source – Mitch Wheat Jan 05 '12 at 00:20
  • specifically, the source of random numbers should pass the DIEHARD statistical tests – Mitch Wheat Jan 05 '12 at 00:36
  • And I would like to revise my comment: Mersenne twister is no good for cryptographic purposes, but is suited for Monte Carlo. – Mitch Wheat Jan 05 '12 at 00:39
  • Ok. ___NO___ MT is a bad algorithm. The recommended approach is "roll your own." – bobobobo Apr 15 '13 at 02:17
  • There are better algorithms than MT for just about any purpose, but without knowing what purpose you have in mind, I can't recommend one. – Lee Daniel Crocker Sep 14 '13 at 23:16

2 Answers

4

All pseudorandom generators strive to generate a high degree of unpredictability per bit. There is currently no way to predict a bit from Mersenne Twister with a degree substantially better than random chance until you observe 624 values.

All questions in the form of "is X RNG good" must be replied with: "what are you doing with it?" Mersenne Twister has had GREAT success in simulations because of its excellent frequency distributions. In cryptographic situations, it is completely and utterly devoid of all value whatsoever. The internal state can be identified by looking at any 624 contiguous outputs. Blum Blum Shub has been very strong in cryptographic situations, but it runs unacceptably slow for use in simulations.

Kuba hasn't forgotten Monica
Cort Ammon
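The 624-output state recovery the answer above describes, as an added example that is not part of either answer: CPython's `random` module is MT19937, and `getrandbits(32)` returns one tempered 32-bit state word per call, so an observer who sees 624 consecutive words can undo the tempering (each tempering step is an invertible bit-mixing operation), load the recovered state into a fresh generator and predict every later output. The seed values are arbitrary constructed inputs, and the clone assumes the 624 observed words begin at a twist boundary (true for the first 624 outputs after seeding); handling an arbitrary offset would also require reimplementing the twist, which this example leaves out.

```python
import random

N = 624  # MT19937 keeps 624 words of 32-bit state; each word yields one output


def temper(y: int) -> int:
    """MT19937's output tempering: the only transform between state word and output."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Invert temper(); every step is a bijection on 32-bit words, undone in reverse order."""
    # y ^= y >> 18: the top 18 bits pass through unchanged, so one application inverts it.
    y ^= y >> 18
    # y ^= (y << 15) & 0xEFC60000: the mask has bits 15 and 16 clear, so bits 0..16 of the
    # output equal bits 0..16 of the input, and one application inverts it as well.
    y ^= (y << 15) & 0xEFC60000
    # y ^= (y << 7) & 0x9D2C5680: each pass recovers 7 more correct bits from the bottom up.
    x = y
    for _ in range(5):  # 5 * 7 >= 32 bits
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    # y ^= y >> 11: each pass recovers 11 more correct bits from the top down.
    x = y
    for _ in range(3):  # 3 * 11 >= 32 bits
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_mt19937(outputs: list[int]) -> random.Random:
    """Build a random.Random whose internal state equals that of the generator
    that produced `outputs` (exactly 624 consecutive getrandbits(32) values,
    taken from a twist boundary)."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(y) for y in outputs]
    clone = random.Random()
    # CPython's state tuple: (version 3, (624 state words..., index), gauss_next).
    # Index N means "state is fully consumed", so the next call twists exactly
    # like the victim generator, which has also just handed out its 624th word.
    clone.setstate((3, tuple(state) + (N,), None))
    return clone


def demo(seed: int = 0xC0FFEE) -> tuple[list[int], list[int]]:
    """Observe 624 outputs of a seeded 'victim', clone it, and compare the next 10
    predicted values with what the victim actually produces. Seed is arbitrary."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(10)]
    actual = [victim.getrandbits(32) for _ in range(10)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("prediction matches victim:", predicted == actual)
```

The bits the question asks about are simply the bits of these words, so a bit stream cut from MT19937 output inherits the same property: after 624 words (19968 bits) every later bit is determined. `secrets.randbits()` / `os.urandom()` draw from the OS CSPRNG, whose output is not a fixed invertible function of a recoverable state, which is the practical difference behind "not for cryptographic purposes".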
0

No.

Nobody should be choosing a Mersenne Twister to generate randomness unless it's built-in, and if you are using randomness extensively you should be replacing it anyway. The Mersenne Twister fails basic statistical randomness tests that far simpler, far faster algorithms do not, and is generally just a bit disappointing.

The insecure, non-cryptographic pseudo-random number generators I recommend nowadays are xoroshiro+ and the PCG family. xoroshiro+ is faster and purported to be slightly higher quality, but the PCG family comes with a more complete library and fills more roles.

However, modern cryptographic randomness can get more than fast enough. Rust's rand library uses ISAAC by default, and other choices exist. This should be your default choice in all but the most exceptional cases.

Veedrac