On 27 January 2017 at 14:30, Lauri Kenttä <lauri.ken...@gmail.com> wrote:
>> This needs to be thought of as 2^32 possible _streams_ with a period
>> of (2^19937)−1. Offset within the stream is as important as the stream
>> variation itself.
>
> This is not true. There is one stream of period (2^19937)−1, and
> the initial state defines the current position in that stream.

I'm not sure about this: the LCG constant used in the initial
generator seems completely unrelated to the rest of the algorithm, so
I don't see how this offsets the stream position.

If it is truly the case, I stand corrected.

>> Even with 2^32 possible initial states every
>> password generated will still have a bit strength of 2^60
>
> If the attacker knows the algorithm, the bit strength is only 2^32.
> The remaining 2^28 comes from security through obscurity, which is
> not a generally valid real security thing.

Fair point.

> Anyway, a password should be better generated with CSPRNG, not MT,
> so "hardening" MT is totally irrelevant.

Obviously.

I still maintain that pulling 2.5k from the CSPRNG to power MT is
overkill though. I agree we shouldn't waste time "hardening" it just
because some people misuse it. We can make the initial seeding less
deterministic but I don't think we should do more than that.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
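An added illustration of the seed-space point made in this thread (example code written for this page, not from the thread or from PHP itself): Python's random.Random is also MT19937, so it stands in for mt_rand()/mt_srand(). It assumes a constructed 64-symbol alphabet and 10-character passwords, which is the 2^60 nominal strength the thread quotes against the 2^32 seed space.

```python
import math
import random
import secrets

# Constructed 64-symbol alphabet: 6 bits per character (assumption for the illustration).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
SEED_BITS = 32  # a 32-bit seed means at most 2^32 distinct initial states


def mt_password(seed: int, length: int = 10) -> str:
    """Password drawn from MT19937 after seeding with a 32-bit integer.

    random.Random is MT19937 too (Python seeds it via init_by_array, so the
    exact stream differs from PHP's mt_srand(), but the argument is identical):
    the whole password is a pure function of the seed.
    """
    if not 0 <= seed < 2 ** SEED_BITS:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 10) -> str:
    """Same shape of password, but every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int) -> float:
    """Entropy the password looks like it has: log2(alphabet size) per character."""
    return length * math.log2(len(ALPHABET))


def effective_bits(length: int, seed_bits: int = SEED_BITS) -> float:
    """Entropy someone who knows the generator actually has to search:
    capped by the number of distinct seeds, however long the password is."""
    return min(nominal_bits(length), seed_bits)


if __name__ == "__main__":
    pw = mt_password(123456789)
    print(pw, mt_password(123456789) == pw)    # identical: the seed alone decides it
    print(nominal_bits(10), effective_bits(10))  # 60.0 bits on paper, 32 in practice
    print(csprng_password())                     # not reproducible from any 32-bit value
```

The "hardening" the thread rejects would change which 2^32 passwords exist, not how many; only a CSPRNG-backed generator removes the cap.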