On 2017-01-27 12:58, Leigh wrote:
> On 27 January 2017 at 02:52, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> Since mt_rand is a predictable PRNG, there is always the possibility
>> that it is known to attackers.
>> What I would like to change is
>> - there are only 2^32 initial states
> This needs to be thought of as 2^32 possible _streams_ with a period
> of (2^19937)−1. Offset within the stream is as important as the stream
> variation itself.

This is not true. There is one stream of period (2^19937)−1, and
the initial state defines the current position in that stream.

> Statistical testing of MT shows it to be pretty good. The ability to
> recover the state from full outputs doesn't subtract from the quality
> of the randomness. It is absolutely not a cryptographic quality
> generator, but it is a high quality source of entropy.

Do not confuse entropy and randomness. Entropy is true randomness,
as can be seen in /dev/random. There is no deterministic algorithm
for generating more entropy, so MT or even a CSPRNG has exactly
as much entropy as the seed contains.

> Even with 2^32 possible initial states every
> password generated will still have a bit strength of 2^60

If the attacker knows the algorithm, the bit strength is only 2^32.
The remaining 2^28 comes from security through obscurity, which is
not a generally valid real security thing.

Anyway, a password should be better generated with CSPRNG, not MT,
so "hardening" MT is totally irrelevant.
--
Lauri Kenttä
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
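The point Lauri makes above, that a password drawn from a seeded Mersenne Twister has no more strength than the seed space however long the password is, can be checked directly. The script below is an added example written for this thread, not code from the PHP project or from any of the posters. It uses Python's MT19937 (`random.Random`) rather than PHP's `mt_rand`, whose seeding routine differs, and it shrinks the seed space from PHP's 32 bits to an assumed 16 bits so the check runs in a few seconds; the conclusion scales unchanged. `secrets` stands in for the CSPRNG the thread recommends instead.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
SEED_BITS = 16  # assumed toy seed space; mt_srand() in PHP takes a 32-bit seed


def mt_password(seed: int, length: int = 10) -> str:
    """Password built from a Mersenne Twister seeded with `seed`.

    Python's MT19937 is used here, not PHP's mt_rand (different seeding),
    but the property demonstrated is the same: the output is a pure
    function of the seed.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int) -> float:
    """Strength the password *appears* to have: log2(|alphabet| ** length).
    For 10 symbols over 62 characters this is about 59.5, i.e. the 2^60
    figure quoted in the thread."""
    return length * math.log2(len(ALPHABET))


def effective_bits(seed_bits: int = SEED_BITS) -> int:
    """Strength the password actually has against someone who knows the
    generator: no more than the seed space, regardless of length."""
    return seed_bits


def reproduce_from_seed_space(password: str, seed_bits: int = SEED_BITS):
    """Defender's check: count how many seeds must be tried before the
    generator reproduces `password`. Returns (seed, trials); seed is None
    if the password was not produced by any seed in the space (e.g. it
    came from a CSPRNG)."""
    space = 1 << seed_bits
    for candidate in range(space):
        if mt_password(candidate, len(password)) == password:
            return candidate, candidate + 1
    return None, space


def csprng_password(length: int = 10) -> str:
    """What the thread recommends instead: draw from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    pw = mt_password(12345)
    print(f"MT password {pw}: nominal {nominal_bits(10):.1f} bits, "
          f"effective {effective_bits()} bits")
    seed, trials = reproduce_from_seed_space(pw)
    print(f"reproduced from seed {seed} after {trials} trials")
    print("CSPRNG password:", csprng_password())
```

Running it shows a 10-character password that looks like a 60-bit secret being reproduced after at most 2^16 trials, while `reproduce_from_seed_space` walks the whole space without a hit for the `secrets`-generated one: the seed space, not the password length, is the figure that matters, which is why a larger `mt_srand()` seed would not turn MT into a password generator.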