Newsgroups: php.internals
Date: Wed, 16 Dec 2020 23:46:11 +0900
To: internals@lists.php.net
Subject: Improving PRNG implementation.
From: zeriyoshi@gmail.com (zeriyoshi)

Nice to meet you, internals.

PHP 8.0 has been released. With the inclusion of JIT, PHP is about to be extended beyond the web. So I'd like to make a few suggestions.

First, PHP has the historical Mersenne Twister PRNG. However, this implementation keeps its state in a global and cannot be handled as an object like other languages (e.g. Java). So, I created a PHP Extension and proposed it to PECL.

https://marc.info/?l=pecl-dev&m=160795415604102&w=2
https://github.com/zeriyoshi/php-ext-orng

But then I looked at the mailing list archives and noticed that a similar proposal had been made before.

https://externals.io/message/98021#98130

I feel that this suggestion is needed now to expand PHP beyond the web.

The second suggestion is to stop using the Combined LCG as the default seed value for each function. PHP's Combined LCG only uses PID (or ZTS Thread ID) and time as entropy.

https://github.com/php/php-src/blob/master/ext/standard/lcg.c#L72

With the development of container technology, this problem seems to be getting more serious. So I think we should use the random numbers provided by the OS (getrandom on Linux) if available.

I would like to hear your opinions.

Regards
Go Kudo
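
Added example, not part of the original message and not code from php-src: a C sketch of the second suggestion, contrasting a seed derived only from time and PID with one drawn from the OS via getrandom(). `weak_seed`, `os_random_bytes` and `os_seed` are hypothetical names, the mixing in `weak_seed` is a simplified stand-in rather than the logic in lcg.c, and the timestamp and PID values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/random.h>
#endif

/* Hypothetical, simplified seed built only from wall-clock time and PID.
 * It illustrates the entropy sources named in the post; it is not lcg.c. */
static uint32_t weak_seed(int64_t sec, int64_t usec, int64_t pid)
{
    return (uint32_t)sec ^ ((uint32_t)usec << 11) ^ (uint32_t)pid;
}

/* Fill buf from the OS CSPRNG: getrandom() on Linux, /dev/urandom as fallback.
 * Returns 0 on success, -1 if no OS source could supply len bytes. */
static int os_random_bytes(void *buf, size_t len)
{
    unsigned char *p = buf;
#ifdef __linux__
    while (len > 0) {
        ssize_t n = getrandom(p, len, 0);
        if (n < 0 && errno == EINTR) continue;  /* interrupted: retry */
        if (n < 0) break;                       /* e.g. ENOSYS: use fallback */
        p += n;
        len -= (size_t)n;
    }
    if (len == 0) return 0;
#endif
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(p, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

static int os_seed(uint64_t *out) { return os_random_bytes(out, sizeof *out); }

int main(void)
{
    /* Constructed sample: two containers, entrypoint PID 1, same microsecond. */
    uint32_t a = weak_seed(1608129982, 926000, 1);
    uint32_t b = weak_seed(1608129982, 926000, 1);
    uint64_t c, d;
    if (os_seed(&c) != 0 || os_seed(&d) != 0) return 1;
    printf("time+pid seeds: %08x %08x (identical: %d)\n", a, b, a == b);
    printf("OS seeds:       %016llx %016llx\n", (unsigned long long)c, (unsigned long long)d);
    return 0;
}
```

Replicas that start from the same image at the same moment share both inputs of the time-and-PID seed, while each call to the OS source returns independent bytes.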