Sunday, October 20, 2019

Difference between Random, ThreadLocalRandom and SecureRandom

There were used to be days when Math.random() method was the only way to generate random numbers in Java, but with the evolution of Java API, as of JDK 7, we now have 3 classes to generate Random numbers i.e. java.util.RandomThreadLocalRandom, and SecureRandom. In this article, we will compare these three classes and learn some key differences between Random, ThreadLocalRandom, and SecureRandom in Java.

1. Java’s default Random class is expensive to initialize, but once initialized, it can be reused.
2. In multithreaded code, the ThreadLocalRandom class is preferred.
3. The SecureRandom class will show arbitrary, completely random performance. Performance tests on code using that class
must be carefully planned.



Random vs ThreadLocalRandom in Java

As the name suggests, the main difference between these two is how thread-safety is handled. The main operation is responsible for generating random number nextGaussian() of java.util.Random is synchronized. Since this method is used by all the methods which return random number, in multi-threading environment this method becomes a bottleneck.

In short, if two threads use the same random instance at the same time, one will have to wait for other to complete its operation. On the other hand, ThreadLocalRandom class uses a thread-local concept, where each thread has its own random number generator.

So in a contended environment, it's better to use ThreadLocalRandom. One more performance benefit of using this class is that it reuse an expensive-to-create object.


Difference between Random, ThreadLocalRandom, and SecureRandom in Java
As opposed to synchronization difference between ThreadLocalRandom and Random, SecureRandom is algorithmic different than Random and ThreadLocalRandom. Both Random and ThreadLocalRandom (later is sub-class of former) implements a typical pseudorandom algorithm. While these algorithms are quite sophisticated.

The difference between those classes and the SecureRandom class lies in the algorithm used. The Random class (and the ThreadLocalRandom class, via inheritance) implements a typical pseudorandom algorithm. While those algorithms are quite sophisticated, they are in the end deterministic. If the initial seed is known, it is easy to determine the exact series of numbers the engine will generate. That means hackers are able to look at series of numbers from a particular generator and (eventually) figure out what the next number will be. Although good pseudorandom number generators can emit a series of numbers that look really random (and that even fit probabilistic expectations of randomness), they are not truly random.

The SecureRandom class, on the other hand, uses a system interface to obtain random data. The way that data is generated is operating-system-specific, but in general, this

source provides data based on truly random events (such as when the mouse is moved).

This is known as entropy-based randomness and is much more secure for operations

that rely on random numbers.