
Inverting the Xorshift128 random number generator

(littlemaninmyhead.wordpress.com)
108 points, by rurban | 1 comment

Aardwolf No.45127470
Xorshift128+ is not a cryptographic RNG though, so at least this isn't a cryptographic attack...

Should programming languages use cryptographic RNGs like a ChaCha20-based one in their standard libraries to stop accidental use of non-cryptographic RNGs for cryptographic purposes? But that comes at the cost of speed.

replies (6): 45127744, 45127837, 45127961, 45127992, 45131766, 45131852
kstrauser No.45127744
I think some naming conventions could go a long way. If you want to import `fast_unsafe_random`, you might think twice.
replies (2): 45127995, 45135027
thomasmg No.45127995
I agree; why would you slow things down for everybody if it's only a problem for cryptographic purposes? Xorshift128+ etc. are around 10 to 30 times faster than ChaCha20.

The challenge is things that don't _obviously_ need cryptographically secure generators. For example, do you need a secure generator for the seed of a hash table, or of a sorting algorithm (for those that do use a seed)? Some will argue that yes, this is important. Until a few years ago, hash tables used static hash algorithms without any randomization, but "hash flooding" changed that. I think that nowadays many hash table implementations still don't use secure generators.

Then there are secure and insecure hash functions. Secure hash functions like SHA-256 are (compared to non-secure functions) especially slow for short keys. There are "somewhat" secure hash function algorithms like SipHash that can be used for this purpose.

replies (4): 45128074, 45128629, 45128841, 45132983
kstrauser No.45128629
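The keyed hash thomasmg mentions, as an added example that is not part of this thread: SipHash-2-4 in Python with a per-process key drawn from the OS CSPRNG rather than from a xorshift-style generator, used to pick hash-table buckets so an outside party cannot predict the bucket layout. The names TABLE_KEY and bucket_index are assumed here; the known-answer check uses the key 00..0f and message 00..0e from the SipHash specification.

```python
import os
import struct

# Added example (not from the thread): SipHash-2-4 for seeded hash tables.
MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 of msg under a 16-byte key; returns a 64-bit integer."""
    k0, k1 = struct.unpack("<QQ", key)
    v0, v1 = k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D
    v2, v3 = k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573
    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):          # 2 compression rounds per 8-byte word
        m = struct.unpack_from("<Q", msg, i)[0]
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    last = (n & 0xFF) << 56              # final word: tail bytes plus length byte
    for j, b in enumerate(msg[full:]):
        last |= b << (8 * j)
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF                           # 4 finalization rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


# Per-process secret (assumed name) from the OS CSPRNG, never from a fast non-crypto RNG.
TABLE_KEY = os.urandom(16)


def bucket_index(item: bytes, nbuckets: int, key: bytes = TABLE_KEY) -> int:
    """Bucket for a hash table whose layout depends on a secret key (assumed helper)."""
    return siphash24(key, item) % nbuckets
```

The same key must be used for every lookup in one table, but a fresh key per process means a set of colliding inputs prepared against one process does not collide in the next.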
Good point about the hashing. Python does the right thing by making you select the one you want when writing your own code. If it had a default option, make that SHA-256 so that all users get the strong one by default. But yes, if you’re not actually doing crypto stuff, say if you only want to see if two locally generated files have the same content, there are lots of much faster alternatives.