RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions

From:	Bryan C. Geraghty	Date:	Sat, 31 Aug 2013 01:17:47 +0000
Subject:	RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

First, I want to ask: Does anyone else think we should draw a distinction between RNGs and CSPRNGs?

I ask this because the OpenSSL option here is the only CSPRNG; The others are trivially breakable
and should not be used for cryptographic applications. I could see an argument for wanting to use
them in non-security contexts but I'm wondering if the API should make it clear when that is
being done.

Secondly, a good place to look for defining a standard secure CSPRNG is FIPS 1402 Annex C
(csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf‎)

Bryan

-----Original Message-----
From: Marc Bennewitz [mailto:[email protected]] 
Sent: Friday, August 30, 2013 2:59 PM
To: [email protected]
Subject: Re: [PHP-DEV] More powerful (and backward compatible) API of random number generator
functions

Am 30.08.2013 04:30, schrieb Yasuo Ohgaki:
> On Thu, Aug 29, 2013 at 9:00 PM, Ángel González <[email protected]> wrote:
> 
>> Marc Bennewitz wrote:
>>
>>> Idea for an RFC for a more powerful (and backward compatible) API of 
>>> random number generator functions.
>>>
>>> The following psaudocode is self explained (hopfully)
>>>
>>> const RAND_ALGO_LIBC
>>> const RAND_ALGO_MERSENNE_TWISTER
>>> const RAND_ALGO_OPENSSL
>>> const RAND_ALGO_GMP
>>>
>> (...)
>>
>>> What do you think?
>>>
>>
>> Why do you want them?
> 
> 
> This proposal is good because we need the best random function 
> available in a system with easy to use API. I would like to see the 
> best algorithm in a system as default.
> 

Defining the "best" algorithm as the standard default would be great but what is the best
algorithm? Some are fast but less secure and other are more secure but slow.

Some times ago i read a feature request to implement the mersenne twister algorithm for
rand/shuffle/array_rand but this was closed because it would be a bc break. (can't find it
new).

Best Regards
Marc

--
PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php



   

Thread (12 messages)

• Marc BennewitzWed, 28 Aug 2013 20:59:34 +0000
  • Ángel GonzálezThu, 29 Aug 2013 12:00:37 +0000
    • Yasuo OhgakiFri, 30 Aug 2013 02:30:43 +0000
      • Marc BennewitzFri, 30 Aug 2013 19:58:43 +0000
        • LeighFri, 30 Aug 2013 23:27:29 +0000
          • Bryan C. GeraghtySat, 31 Aug 2013 01:31:27 +0000RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions
        • Bryan C. GeraghtySat, 31 Aug 2013 01:17:47 +0000RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions
          • Marc BennewitzSat, 31 Aug 2013 10:29:56 +0000Re: More powerful (and backward compatible) API of random number generator functions
          • Jakub ZelenkaSun, 01 Sep 2013 13:12:27 +0000Re: More powerful (and backward compatible) API of random number generator functions
            • Marc BennewitzSun, 01 Sep 2013 20:18:36 +0000
            • Pierre JoyeSun, 01 Sep 2013 22:01:18 +0000
    • Marc BennewitzFri, 30 Aug 2013 19:43:09 +0000