rfc:improve_predictable_prng_random
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
rfc:improve_predictable_prng_random [2017/02/02 03:41] – yohgaki | rfc:improve_predictable_prng_random [2017/02/03 04:34] – Fix function signature yohgaki | ||
---|---|---|---|
Line 14: | Line 14: | ||
<code php> | <code php> | ||
// We need the same random numbers here | // We need the same random numbers here | ||
- | mt_srand(1234); | + | srand(1234); |
for ($i=0; $i < 10; $i++) { | for ($i=0; $i < 10; $i++) { | ||
// Use my PRNG state | // Use my PRNG state | ||
- | | + | |
} | } | ||
Line 29: | Line 29: | ||
</ | </ | ||
- | **This is not limited to specific request that calls mt_srand($some_value), | + | **Above code worked as it should. PHP 7.1 broke this code.** Similarly, shuffle()/ |
+ | |||
+ | <code php> | ||
+ | // We need the same random numbers here | ||
+ | mt_srand(1234); | ||
+ | for ($i=0; $i < 10; $i++) { | ||
+ | // Use my PRNG state | ||
+ | | ||
+ | } | ||
+ | |||
+ | // Somewhere later in code AND/OR even other requests | ||
+ | |||
+ | // We need to shuffle randomly | ||
+ | shuffle($my_random_array); | ||
+ | </ | ||
+ | |||
+ | **These behaviors are not limited to specific request that calls mt_srand($some_value)/ | ||
PHP should have system and user PRNG state to resolve this behavior. | PHP should have system and user PRNG state to resolve this behavior. | ||
Line 42: | Line 58: | ||
==== Rack of Reseeding ==== | ==== Rack of Reseeding ==== | ||
- | Reseeding is important for PRNG to mitigate guessed random value. Since MT rand is predictable PRNG, using the same PRNG state allows to guess random value. Current PHP only supports very weak initialization and keeps using the same PRNG state once it is initialized. This behavior makes trivial to guess MT rand generated random numbers. | + | Reseeding is important for PRNG to mitigate guessed random value. Since MT rand is predictable PRNG, using the same PRNG state allows to guess next random value easily. Current PHP only supports very weak initialization and keeps using the same PRNG state once it is initialized. This behavior makes trivial to guess MT rand generated random numbers. |
To resolve this issue, PHP should reseed MT rand when state is used certain number of times. | To resolve this issue, PHP should reseed MT rand when state is used certain number of times. | ||
Line 48: | Line 64: | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | ==== Return PRNG state object from mt_srand()/ | + | ==== Return PRNG random |
<code php> | <code php> | ||
- | | + | |
- | | + | |
</ | </ | ||
- | mt_srand()/ | + | mt_srand()/ |
Note: srand() is alias of mt_rand(). Python initializes MT rand state by string data like this proposal. | Note: srand() is alias of mt_rand(). Python initializes MT rand state by string data like this proposal. | ||
Line 70: | Line 86: | ||
<code php> | <code php> | ||
- | int mt_rand([RandomState | + | int mt_rand([RandomMT |
- | int mt_rand(int $min, int $max [, RandomState | + | int mt_rand(int $min, int $max [, RandomMT |
- | int rand([RandomState | + | int rand([Random |
- | int rand(int $min, int $max [, RandomState | + | int rand(int $min, int $max [, Random |
- | bool shuffle(array &$arr [, RandomSatate | + | bool shuffle(array &$arr [, Random |
</ | </ | ||
Line 81: | Line 97: | ||
==== Random object and function ==== | ==== Random object and function ==== | ||
- | Create RandomeInterface, | + | Create RandomeInterface, |
<code php> | <code php> |
rfc/improve_predictable_prng_random.txt · Last modified: 2018/03/01 23:13 by carusogabriel