# Is it possible to predict math.random?

So, I’m trying to script this code that can predict the math.random function used in lua and my best guess was using the os.time. I’ve searched a little bit on the internet and it said that the math.random function seed is always set to the current time on default. Is this true or the math.random function is truly unpredictable?

2 Likes

I don’t think it’s predictable, it doesn’t give the time now, it gives a random number between x and y

It says that math.random uses PRNG. With the same seed, it can produce the same sequence of numbers. Is this true?

A truly random number would be a number that completely lacks predictability or any patterns.

The best `random` functions in programming languages can do is output a `pseudo-random number`, and the seed is commonly based on things like time stamps, CPU temperature etc. So while the sequence of numbers is (more than enough) random for our use case in gaming industry (and not sensitive cases like cryptography), it’s still deterministic. True randomness has no patterns and takes values of factors that are unrealistic to predict. Like noise in a microphone, possibly temperature changes, and so on.

I think Roblox modifed math.random() a little bit so it doesn’t always use a fixed seed by default. Otherwise, yeah, if you know the algorithm for generating random numbers, and the seed, you could theoretically predict the outcome.

Maybe diving into the luau math library can help: luau/VM/src/lmathlib.cpp at master · Roblox/luau · GitHub.

1 Like

So, Is the math.random function outcome will always be the same accross all devices if it was to run or use the same seed?

Yes, same seed, same sequence.

Mind you, to get the same sequence on the server and on the client, you’ll have to set the seed manually on both machines.

An analogy are be Minecraft worlds. As long as we know the seed, we can generate the same world terrain over and over again.

Is the default seed from the math.random is the operating system time?

In vanilla lua, to my knowledge, the default seed is derived from the time stamp when the program starts running. I’ll check what the situation is in Roblox.

I also found this Stack Overflow thread: get current random seed from lua - Stack Overflow.

EDIT. @NoobcyHarlaw I think your best bet is to set the seed yourself and use it to predict/guess the sequence.

On the other hand, Roblox has their own object `Random` object which is more advanced way to achieve better pseudo-randomness. If no seed is specified, it takes one from the “internal entropy source”.

Otherwise, it’s not feasible to predict randomness without knowing the seed.

EDIT 2. It’s the very purpose of the seed value to remain hard to identify in order to ensure as seemingly random outcomes as possible.

Yes and No … There really isn’t true random on a computer. You will always be at some point in an algorithm yielding a number. A seed is a reference to base the “random” algorithm off. So, yes, you can break this down to a predictable point. But, the pool of the numbers is so large, that predictable point is pretty much untouchable. As designed to be. There is also ways to reset the random seed, randomly. This exponentially adds to the complexity of finding a moment of predictability. Most modern internal random routines today are beyond finding patterns as this has been a raging subject for years. Bringing the modern routines to that point of exponential complexity by default …

2 Likes

Is it possible to get “internal entropy source” from a script in roblox studio?

Thanks for explaining that to me! I get it now. Computer-generated random numbers aren’t truly random, but they’re based on algorithms and seeds. The numbers they generate are really hard to predict because there are so many possibilities. It’s like trying to guess which color M&M you’ll pick blindly from a huge jar—it’s pretty much impossible to know for sure! Your explanation helped me understand this better, and I appreciate your patience in breaking it down for me. Thanks again!

It’s more not knowing where in the algorithm it is, as the pool is so large. If it doesn’t start repeating numbers until “100k”, picks based off a seed … That’s going to be pretty hard for any code to pick out, considering the seed could just randomly change (internally it will vary your seed). Also, the fact “100k” is far from the pool we are talking about here. This is also a part of keeping random secure. As the amount of numbers gets too large to even compare. Kind of like hitting overflow on a calculator. Keep in mind, decades of programmers have been making random more of a “secure random” than a “true random”.

@2112Jay put it nicely. Realistically speaking, it’s extremely unlikely to be able to guess the value without knowing the seed. And we don’t know what seed the algorithm choses, especially with `Random.new()`.

`math.random()` in different programming languages is considered pseudo-random and deterministic, because there’s still an algorithm behind the seeming randomness.

So the two important characteristics are predictability and periodicity (after a certain amount of generated numbers, the sequence is going to repeat - talking about more than four billion numbers I think).

So while theoretically this is not sufficient enough for a field like cryptography, which requires something more unpredictable like temperatures and noises from the background, or even special external devices.

Nevertheless, that doesn’t mean `math.random()` is easy to guess at all. But with a known seed and access to the underlying algorithm, it’s possible.

What you’re looking at here is a war that has been going on from day one. This guy here is using a very weak limited random routine (as seen by the output). Back in 1975 this may have worked or with a limited pool. But trying to do this with strings or logarithms from .lua isn’t going to cut it. But this is showing you how it is all really just a pool of numbers created as a logarithm.

We could debate this forever … and they have been.

@ MeerkatSpirit That’s why I said: “Yes and No”

1 Like

So you’re telling me… freezing my computer is a form of RNG manipulation?

Lol, lua almost certainly uses time stamps, but I’m sure there are algorithms that rely on hardware temperature and events, because they are unpredictable to a degree.

Edit. @Bedu009 No pun intended haha.

Yeah, temperature can be a great entropy source. If I remember correctly, Intel uses it in some processors to generate random numbers (thermal noise). And then there are special hardware random number generators as another example.

Yes, they are unpredictable to a degree
Literally

No, the best you can do is overwrite it and set the seed. Then you can predict based on how many times the function is called what the random number will produced. You can do this using math.randomseed() or better Random.new(seed) which is localized into one variable and not global effecting all scripts.

Would be interesting to know if an Roblox engineer comes along and gives the info.

I also found these GDC talks to be pretty interesting if you want techniques to control this RNG:

Fun fact random prediction was used to hack into TF2 and generate free random crits:

1 Like

Trying to stop people from breaking random is an ongoing war. We most likely don’t even know everything they use. This has become an art form long ago. The defenders have more mojo than the attackers. They have the home field advantage. Trust me when I say, this is a major rabbit hole.