Newsgroups: php.internals
From: zeriyoshi@gmail.com (Go Kudo)
To: Larry Garfield, PHP internals
Date: Fri, 3 Sep 2021 23:26:55 +0900
Subject: Re: [PHP-DEV] [RFC] Random Extension 3.0

> I'm still unclear how I'd write my own NumberGenerator right now. I mean,
> I can extend the class, but I don't have a sense for what I'd do with it
> for non-testing/trivial implementations. You say it's using an internal
> function to generate numbers, but in user space what would I do with that?
> And when/why would I?

For example, I will create an application that does a lottery. I need to estimate the load and test it. If I actually use random numbers to draw the lots, the test results will be different each time.

It is true that this example can be solved by devising a better implementation of the userland.
If this is the case, you may be wondering why we implement it this way.

Currently, there are several implementations of random number generators written in PHP.

https://github.com/savvot/random

Although not in this library, I use an in-house interface that is completely replaceable with random_int() for load testing in my production brother.

Also, JIT was implemented in PHP 8.0, which has the potential to make it possible to write in PHP what would otherwise have to be implemented in C due to execution speed issues. In fact, the random number generator written in PHP for my tests shows a significant performance improvement when JIT is enabled.

The ability to have a workable random number implementation in userland should be useful for future extensions.

> Is the intent that I should stop using random_int()?

No, it's not. random_int() is a safe and easy CSPRNG, and is recommended for future use. The advantage of using Random\NumberGenerator\Secure is that it can shuffle strings/arrays using the same random number source as random_int().

Something that is not included in this RFC but that I would like to deprecate in the future is the mt_srand (srand) function. These have internal state and are very harmful for extensions such as Swoole:

Also, shuffle() and str_shuffle() are very good functions, but I don't think they should use the random number source generated by mt_srand. The user may unintentionally use an unsecured random number.

I apologize for the difficulty in conveying this message. I've revised the wording.

> Changes random source to php_random_int() in shuffle(), str_shuffle(), and array_rand().

On Fri, Sep 3, 2021 at 23:04, Larry Garfield wrote:

> On Fri, Sep 3, 2021, at 8:55 AM, Go Kudo wrote:
> > Thank you.
> >
> > > Why is the number generator a parent class rather than an interface?
> >
> > This is an implementation limitation. I could not find a way to define my
> > own object handler in interface.
> > As Nikita pointed out in a previous suggestion, the NumberGenerator now
> > uses php_random_ng_algo_user to generate random numbers faster than before,
> > even if it is a userland implementation.
>
> I'm still unclear how I'd write my own NumberGenerator right now. I mean,
> I can extend the class, but I don't have a sense for what I'd do with it
> for non-testing/trivial implementations. You say it's using an internal
> function to generate numbers, but in user space what would I do with that?
> And when/why would I?
>
> > > You don't mention the CSPRNG functions at all.
> >
> > This is a mistake. I have corrected it. Thanks!
>
> I'm still not clear on the intent here. Is the intent that I should stop
> using random_int()? And if so, replace it with... what? Do I have to
> supply a specific non-default generator? That makes the usability worse,
> and more likely to be gotten wrong.
>
> Also, in future scope you have this sentence, which makes little sense:
>
> >> Replace random_bytes() with random_bytes() for random numbers used in shuffle(), str_shuffle(), and array_rand().
>
> --Larry Garfield
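
Added example (not part of the original message, and not the RFC's API): a sketch of the replaceable random source discussed in this thread, where production code shuffles from the CSPRNG behind random_int() and a load test injects a seeded generator with per-object state instead of mt_srand(). The names IntSource, SecureSource, SeededSource and shuffle_with() are hypothetical, and 64-bit PHP 7.4+ is assumed.

```php
<?php
// Hypothetical names; this is not the RFC's Random\NumberGenerator API. Assumes 64-bit PHP.
interface IntSource
{
    public function int(int $min, int $max): int; // uniform in [$min, $max]
}
final class SecureSource implements IntSource // production: CSPRNG behind random_int()
{
    public function int(int $min, int $max): int
    {
        return random_int($min, $max);
    }
}
final class SeededSource implements IntSource // tests only: xorshift32, reproducible, NOT secure
{
    private int $state;
    public function __construct(int $seed)
    {
        $this->state = ($seed & 0xFFFFFFFF) ?: 1; // xorshift state must be non-zero
    }
    public function int(int $min, int $max): int
    {
        $range = $max - $min + 1;
        $limit = 0x100000000 - (0x100000000 % $range); // rejection bound, avoids modulo bias
        do {
            $x = $this->state;
            $x ^= ($x << 13) & 0xFFFFFFFF;
            $x ^= $x >> 17;
            $x ^= ($x << 5) & 0xFFFFFFFF;
            $this->state = $x; // state lives in this object, not in a process-wide global
        } while ($x >= $limit);
        return $min + $x % $range;
    }
}
// Fisher-Yates shuffle that draws from the injected source instead of mt_srand() state.
function shuffle_with(IntSource $src, array $items): array
{
    $items = array_values($items);
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = $src->int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}
$tickets = range(1, 10); // constructed sample input
$a = shuffle_with(new SeededSource(42), $tickets);
$b = shuffle_with(new SeededSource(42), $tickets);
if ($a !== $b) { throw new RuntimeException('seeded draw is not reproducible'); }
print_r(shuffle_with(new SecureSource(), $tickets)); // production draw from the CSPRNG
```

Because the seeded generator is an explicit constructor argument, it cannot leak into a security-sensitive shuffle the way a stray mt_srand() call elsewhere in a long-running process can.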