Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95979 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 26171 invoked from network); 13 Sep 2016 09:50:00 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Sep 2016 09:50:00 -0000 Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.41 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.41 mail-wm0-f41.google.com Received: from [74.125.82.41] ([74.125.82.41:37104] helo=mail-wm0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 48/1B-60695-7CBC7D75 for ; Tue, 13 Sep 2016 05:49:59 -0400 Received: by mail-wm0-f41.google.com with SMTP id c131so102618698wmh.0 for ; Tue, 13 Sep 2016 02:49:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:from:to:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=Cq6GEmzq1CesMN2uSNGCLsSS7rth45fE0+2tnpq2Z3E=; b=Pvx1qehj0q2W9ylEdGWeUyz4Vv9wZxlSrG+9oqgAazfSneeW/IdEJmkbQ+gSuW4oF4 UxQeWIvLUjXqeq+WWE/Qkvg+HBd6EIPQljFDIX+Y33s/5vmXHf0n3t407rrLgqC/Bt46 Jeh2zKBXwo5WADT2vJZVyQCVa0V+f90pgqALDvHxNXN2RZeD4Htpz9P+ixagfvzCuUvy VrUmwytgCo2ngZ8qJ5rdvwIljHMDxD1pzYJ0g6VOu0Mrbvo7ZlvorZXsTxD8sUR0PKvB uEn3672bnDtTOOk42MSFwVcd8ZcuU84gmV8llo2G7u0alEeI3eNkk/evGx2Ubso9g+RE 2EZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:references:from:to:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=Cq6GEmzq1CesMN2uSNGCLsSS7rth45fE0+2tnpq2Z3E=; b=FP37BI5KgStWCpZaSroRxCi7flVXGZkBXi/Y4T9V0edCaHiZcil9H4pKEsSlsyzDQC wUs/G0FAlCxPUDSRgr/Zo8VU/WrEZkLXXJo86vWqaa2tKCyQErTTTADQue3FinrBnBrj XqFCuH6/ABX6+CgJYIXO9HjtSjoQu+13IgxKzBqHk19gXRWp1qsjn547+GI4QwNGIoYe RU/ACAPxQomLNYqUDJJcQ4hNVu7xbCEJW/ZcMMY2NvcXxdOtHZkmLxLRd9MxEuRoUBhz UCZrwfVe7Y4JUggv0LuWwM14io+nhOEQUpJw2VMoScDa1CB4/Jb58kLxK0DWWpUXLCN3 RhlA== X-Gm-Message-State: AE9vXwNJMqfLtWd59IPmpPup9m3ZmkHFt8rBlvgMpDL3DkoFaVooYZrjvADDQZYcM8ujrw== X-Received: by 10.194.192.195 with SMTP id hi3mr19151927wjc.108.1473760196022; Tue, 13 Sep 2016 02:49:56 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id t5sm21957398wjm.12.2016.09.13.02.49.54 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Sep 2016 02:49:55 -0700 (PDT) References: <878tuxenl4.fsf@lil.giraffy.jp> <87twdlcs2j.fsf@lil.giraffy.jp> <6370f3c9-0904-bac9-0f9e-e563e9af9843@gmail.com> To: "internals@lists.php.net" Message-ID: <206179c0-326f-70b4-a14d-afa0859bbc66@gmail.com> Date: Tue, 13 Sep 2016 10:47:36 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Improve uniqid() uniqueness From: rowan.collins@gmail.com (Rowan Collins) On 13/09/2016 02:07, Yasuo Ohgaki wrote: > I pasted simple benchmark to the PR. > New code uses about 2x cpu time on my Fedora 24. CSPRNG uses more complex > code than php_combined_lcg(), so this is expected. To me, this is at least as important as changing the length and character range of the output. > If I encode php_random_bytes() to the same length of digits, it does > not increase entropy space. It remains about a million (a little less > than 10 bits). It's too small for current baseline. Not enough entropy for what? Can you give some concrete scenarios where you see this being a problem? To me, uniqid() is useful because it is a quick way of getting a short string that's likely to be fairly unique. If that is its purpose, then making it slower, and its output longer, are not helping anybody. If it's purpose is to be truly random, and have controllable entropy, etc, then we might as well deprecate it in favour of random_bytes(). Regards, Rowan Collins [IMSoP]