←back to thread

Inverting the Xorshift128 random number generator

(littlemaninmyhead.wordpress.com)
108 points rurban | 3 comments | 31 Aug 25 18:49 UTC | HN request time: 0s | source
Show context
delduca ◴[04 Sep 25 13:41 UTC] No.45127193[source]
I have recently replaced Lua's random for this implemetation

https://nullonerror.org/2025/08/02/replacing-lua-s-math-rand...

replies(2): >>45128081 #>>45135705 #
bazzargh ◴[04 Sep 25 15:02 UTC] No.45128081[source]
A word of caution. A few years ago we had a production impact event where customers were getting identical cookies (and so started seeing each others sessions). When I took a look at the code, what I found was that they were doing something very like your code - using a time() based seed and an PRNG.

Whenever we deployed new nginx configs, those servers would roll out and restart, getting _similar_ time() results in the seed. But the individual nginx workers? Their seeds were nearly identical. Not every call to the PRNG was meant for UUIDs, but enough were that disaster was inevitable.

The solution is to use a library that leverages libuuid (via ffi or otherwise). A "native lua" implementation is always going to miss the entropy sources available in your server and generate clashes if it's seeded with time(). (eg https://github.com/Kong/lua-uuid, https://github.com/bungle/lua-resty-uuid)

replies(4): >>45128343 #>>45128442 #>>45130303 #>>45130355 #
1. tptacek ◴[04 Sep 25 15:25 UTC] No.45128343[source]
Why would you ever use an insecure RNG to generate a cookie?
replies(1): >>45128760 #
2. bazzargh ◴[04 Sep 25 16:01 UTC] No.45128760[source]
In the code I saw, at least twice in its history people had introduced a "pure lua" solution for speed, and were clearly unaware of the shotgun they'd just pointed at their feet. (as in, somebody saw the issue and fixed it, and then someone else _fixed it back_ before I came along).

But in case _I'm_ messing up here, I'll bow to your expertise: libuuid uses /dev/random, which uses a CSPRNG (ChaCha20) with entropy ingested via Blake2 from whatever sources the system can get, right?

We did actually do a bunch of before/after testing showing the collision rates (zero after), and I believe the cookie in question has been replaced with a third party identity system in the intervening years - but if we did it wrong, I'd like to know.

replies(1): >>45129378 #
3. akerl_ ◴[04 Sep 25 16:55 UTC] No.45129378[source]
I think the question isn’t “why switch it to libuuid”, it’s “why is anybody ever setting it to a time-based non-CS PRNG”.