What is the PRNG algorithm used in Rust's `rand` crate?

Question

I'm writing a web app that will do some financial model simulations. Just for fun and an opportunity to learn new things, I have decided to offload all the math and simulations to a WebAssembly and implement that wasm in Rust.

I am therefore looking at PRNGs for Rust. I found a Mersenne Twister crate and MT is obviously a well-established algorithm (even used by default in several languages), but this particular crate does not seem to be very popular. I also understand that Rust has a rand crate "built-in" (if that's even a thing) but I haven't found any info as to:

• What is the algorithm used in rand?
• How does that algorithm stack up to others (e.g. MT) in terms of randomness quality?

To be clear: I'm evaluating algorithms for statistical randomness (simulating stochastic processes), not cryptographic security.

Answer 1

The algorithm used as the default PRNG is ChaCha with 12 rounds. This is used in ThreadRng and StdRng, both of which are typically seeded from the system's CSPRNG.

ChaCha12, like with all cryptographically secure PRNGs, passes the next bit test. That is, given an arbitrary amount of output from the PRNG, the probability of correctly guessing the next bit is negligibly better than even. This is the best standard that any PRNG can offer, and it is substantially better than the Mersenne Twister, which does not pass this test.

ChaCha is typically very fast, and for most purposes ChaCha12 is a good option. If you need more robust cryptographic security, ChaCha20 (that is, ChaCha with 20 rounds) is the most conservative. The best known attacks on ChaCha are on seven rounds.

If you just need a fast, non-cryptographic PRNG, ChaCha8 is a good option. It is typically faster than almost all other PRNGs, including, in my testing, PCG and Xoshiro256++ (which is the current SmallRng), and is still considered cryptographically secure (and therefore passes the next bit test), but due to the low security margin, it would not be a responsible choice for cryptographic use. It is, however, a great choice for most other uses due to its speed and statistical properties.

Answer 2

I also understand that Rust has a rand crate "built-in" (if that's even a thing) but I haven't found any info as to:

• What is the algorithm used in rand?

The documentation requires jumping around but seems pretty clear?

random redirects to thread_rng, which directs to the ThreadRng structure, which documents that it uses the same PRNG as StdRng which says:

The current algorithm used is the ChaCha block cipher with 12 rounds. Please see this relevant rand issue for the discussion.

*How does that algorithm stack up to others (e.g. MT) in terms of randomness quality?

ChaCha is a cryptographically secure PRNG (it's what's used for every BSD's system RNG as well as Linux), whereas MT most definitely is not; and ChaCha is vastly superior to MT in terms of randomness quality.

That does have a cost though, CSPRNG tend to be slower than non-secure PRNGs (as they have different goals entirely). Though MT is not exactly fast as far as PRNG goes, so chacha12 may well be competitive.

rand also provides SmallRng, a non-cryptographic PRNG with rather good statistical properties which is extremely fast.