rfc:improve_predictable_prng_random

Differences

This shows you the differences between two versions of the page.

rfc:improve_predictable_prng_random [2017/02/02 03:41] yohgaki
rfc:improve_predictable_prng_random [2017/02/03 04:34] – Fix function signature yohgaki
Line 14: Line 14:
 <code php> <code php>
 // We need the same random numbers here // We need the same random numbers here
-mt_srand(1234); +srand(1234); 
 for ($i=0; $i < 10; $i++) { for ($i=0; $i < 10; $i++) {
    // Use my PRNG state    // Use my PRNG state
-   $my_rand[] = mt_rand(); +   $my_rand[] = rand(); 
 } }
  
Line 29: Line 29:
 </code> </code>
  
-**This is not limited to specific request that calls mt_srand($some_value), but applies to consecutive requests.**+**Above code worked as it should. PHP 7.1 broke this code.** Similarly, shuffle()/etc are broken by PHP 7.1. 
 + 
 +<code php> 
 +// We need the same random numbers here 
 +mt_srand(1234);  
 +for ($i=0; $i < 10; $i++) { 
 +   // Use my PRNG state 
 +   $my_rand[] = mt_rand();  
 +
 + 
 +// Somewhere later in code AND/OR even other requests 
 + 
 +// We need to shuffle randomly 
 +shuffle($my_random_array); // This is NOT RANDOM at all 
 +</code> 
 + 
 +**These behaviors are not limited to specific request that calls mt_srand($some_value)/srand($some_value), but applies to consecutive requests.**
  
 PHP should have system and user PRNG state to resolve this behavior. PHP should have system and user PRNG state to resolve this behavior.
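Review bot: The added example does not demonstrate what its comment claims: it calls shuffle($my_random_array), a variable that is never defined (the loop fills $my_rand), and the for loop opened in the added lines has no visible closing brace before the closing code tag. The bold sentence "PHP 7.1 broke this code" should also say what changed in 7.1 and which output differs, and the claim that the seeded state affects "consecutive requests" should name the conditions under which PRNG state survives a request, because the proposal for separate system and user state depends on it.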
Line 42: Line 58:
 ==== Rack of Reseeding ==== ==== Rack of Reseeding ====
  
-Reseeding is important for PRNG to mitigate guessed random value. Since MT rand is predictable PRNG, using the same PRNG state allows to guess random value. Current PHP only supports very weak initialization and keeps using the same PRNG state once it is initialized. This behavior makes trivial to guess  MT rand generated random numbers.+Reseeding is important for PRNG to mitigate guessed random value. Since MT rand is predictable PRNG, using the same PRNG state allows to guess next random value easily. Current PHP only supports very weak initialization and keeps using the same PRNG state once it is initialized. This behavior makes trivial to guess  MT rand generated random numbers.
  
 To resolve this issue, PHP should reseed MT rand when state is used certain number of times. To resolve this issue, PHP should reseed MT rand when state is used certain number of times.
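Review bot: The reworded sentence now says the next value can be guessed "easily", but neither it nor the line that follows gives a number. State how many outputs an observer needs before the state is known, and derive the reseed interval ("certain number of times") from that figure. "Very weak initialization" likewise needs a statement of what the current seed is built from. The section heading "Rack of Reseeding" looks like a typo for "Lack of Reseeding".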
Line 48: Line 64:
 ===== Proposal ===== ===== Proposal =====
  
-==== Return PRNG state object from mt_srand()/srand() ====+==== Return PRNG random object (RandomMT) from mt_srand()/srand() ====
  
 <code php> <code php>
-  Random mt_srand([int|string $seed]); +  RandomMT mt_srand([int|string $seed]); 
-  Random srand([int|string $seed]);+  RandomMT srand([int|string $seed]);
 </code> </code>
  
-mt_srand()/srand() returns Randome object, that implements RandomInterface, is used with PRNG functions. Unless PRNG state object is specified, functions that use MT rand uses internal system PRNG state. When $seed is string, all bits are used for PRNG state initialization upto MT rand state buffer max. Internal PRNG state uses php_random_bytes() and randomize state.+mt_srand()/srand() returns RandomeMT object, that implements RandomInterface, is used with PRNG functions. Unless PRNG state object is specified, functions that use MT rand uses internal system PRNG state. When $seed is string, all bits are used for PRNG state initialization upto MT rand state buffer max. Internal PRNG state uses php_random_bytes() and randomize state.
  
 Note: srand() is alias of mt_rand(). Python initializes MT rand state by string data like this proposal. Note: srand() is alias of mt_rand(). Python initializes MT rand state by string data like this proposal.
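Review bot: The renamed return type is spelt "RandomMT" in the heading and in both signatures but "RandomeMT" in the new paragraph line; use one spelling. The context note below reads "srand() is alias of mt_rand()", which presumably should be mt_srand(). Since the signature makes $seed optional, the paragraph should also say what state the returned object holds when no seed is given.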
Line 70: Line 86:
  
 <code php> <code php>
-  int mt_rand([RandomState $seed_object]) +  int mt_rand([RandomMT $seed_object]) 
-  int mt_rand(int $min, int $max [, RandomState $seed_object]) +  int mt_rand(int $min, int $max [, RandomMT $seed_object]) 
-  int rand([RandomState $seed_object]) +  int rand([Random $seed_object]) 
-  int rand(int $min, int $max [, RandomState $seed_object]) +  int rand(int $min, int $max [, Random $seed_object]) 
-  bool shuffle(array &$arr [, RandomSatate $seed_object]);+  bool shuffle(array &$arr [, Random $seed_object]);
 </code> </code>
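Review bot: mt_rand() now takes RandomMT while rand() and shuffle() take Random, yet the earlier signature has srand() returning RandomMT, so the object srand() returns can only be passed to rand() if RandomMT is a subtype of Random. State that relationship, or type these parameters as RandomInterface. The parameter is still named $seed_object although it now carries a generator object rather than a seed.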
  
Line 81: Line 97:
 ==== Random object and function ==== ==== Random object and function ====
  
-Create RandomeInterface, then implement RPNG specific Random objects.+Create RandomeInterface, then implement RNG specific Random objects.
  
 <code php> <code php>
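Review bot: The changed line replaces "RPNG" with "RNG", where the rest of the page says "PRNG", and it keeps "RandomeInterface", which the earlier paragraph spells "RandomInterface"; align both with the names used elsewhere in the RFC.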
rfc/improve_predictable_prng_random.txt · Last modified: 2018/03/01 23:13 by carusogabriel