Newsgroups: php.internals
Xref: news.php.net php.internals:94198
Date: Wed, 22 Jun 2016 09:19:01 -0400
To: php-internals, Fleshgrinder
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: fsb@thefsb.org (Tom Worster)

On 6/21/16, 1:43 PM, "Fleshgrinder" wrote:

>Yes, let's ask the users! But we don't do that, we just discuss it here.
>How could we create such a poll that reaches many people? Maybe Reddit?

Perhaps you misunderstand what I intended by leaving the choice to users. If we add a new RNG and keep the existing ones then each user can make an independent choice.

>That being said, I repeat myself now, nikic also proposed to deprecate
>rand() and having pcg_rand() as a modern replacement for mt_rand()

I admire O'Neill's work and her paper and I find the generators and related theory very interesting. I'm not sure they are sufficiently well scrutinized and tested. Afaik, the status of this work is: there's an unpublished paper, a web site, some implementations and a conversation on reddit.

Among other things, O'Neill makes claims about suitability for crypto. If PHP chooses PCG as its new RNG, that constitutes a strong endorsement and I wonder who among us can confirm the work.

I think there's also an argument against using an RNG that makes specific unpredictability claims since this confuses the distinction between it and random_bytes(). People may think that once seeded it's a fast alternative.

Tom