Doc Bug #81384 Secureness of GMP random functions undocumented
Submitted: 2021-08-26 09:12 UTC Modified: 2021-08-26 10:33 UTC
From: michelbach94 at gmail dot com Assigned:
Status: Verified Package: GNU MP related
PHP Version: 8.0.9 OS: any
Private report: No CVE-ID: None
 [2021-08-26 09:12 UTC] michelbach94 at gmail dot com
Description:
------------
Usually, the documentation of PHP functions that return randomness says whether the respective function is cryptographically secure. However, this is not the case with the GMP randomness functions gmp_random_bits() and gmp_random_range() (nor with the deprecated gmp_random()).

From a Google search, I found that these functions are not cryptographically secure sources of randomness (https://stackoverflow.com/a/56377850). This should be added to the documentation as PHP's GMP implementation being able to handle large numbers is very welcoming to the implementation of cryptographic primitives.


 [2021-08-26 10:33 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2021-08-26 10:33 UTC] cmb@php.net
gmp_random_bits(), gmp_random() and gmp_random_range() call
mpz_urandomb() and mpz_urandomm(), respectively, internally, and
these names suggest that urandom is used as source of randomness,
but this is not explicitly documented[1], so possibly that "u"
just refers to the uniform distribution.

So, yes, if in doubt don't use these numbers for cryptographic
purposes.

[1] <https://gmplib.org/manual/Integer-Random-Numbers>
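
An added example, not part of the bug report or of PHP's own code: one way to sidestep the question raised above is to take the bytes from random_bytes(), which PHP documents as cryptographically secure, and only use GMP for the big-integer arithmetic. The helper names secure_gmp_random_bits() and secure_gmp_random_range() are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not part of ext/gmp): uniform GMP integers
// built from random_bytes() instead of gmp_random_bits()/gmp_random_range().

/** Uniform integer in [0, 2^$bits - 1]. */
function secure_gmp_random_bits(int $bits): GMP
{
    if ($bits < 1) {
        throw new ValueError('bits must be >= 1');
    }
    $bytes = intdiv($bits + 7, 8);
    $raw = random_bytes($bytes);
    // Clear the surplus high bits of the most significant byte so the
    // result never exceeds $bits bits.
    $surplus = $bytes * 8 - $bits;
    $raw[0] = chr(ord($raw[0]) & (0xFF >> $surplus));
    return gmp_import($raw, 1, GMP_MSW_FIRST | GMP_BIG_ENDIAN);
}

/** Uniform integer in [$min, $max], inclusive. */
function secure_gmp_random_range(GMP|int|string $min, GMP|int|string $max): GMP
{
    $span = gmp_sub($max, $min);
    if (gmp_cmp($span, 0) < 0) {
        throw new ValueError('min must not be greater than max');
    }
    if (gmp_cmp($span, 0) === 0) {
        return gmp_add($min, 0);
    }
    // Rejection sampling: draw exactly as many bits as $span needs and
    // retry when the draw exceeds $span. Reducing a larger draw with
    // gmp_mod() instead would bias the result towards small values.
    $bits = strlen(gmp_strval($span, 2));
    do {
        $r = secure_gmp_random_bits($bits);
    } while (gmp_cmp($r, $span) > 0);
    return gmp_add($min, $r);
}

// Constructed usage: a 256-bit value, and a value in [1, p - 1]
// for the sample modulus p = 2^255 - 19.
$p = gmp_sub(gmp_pow(2, 255), 19);
echo gmp_strval(secure_gmp_random_bits(256), 16), PHP_EOL;
echo gmp_strval(secure_gmp_random_range(1, gmp_sub($p, 1)), 16), PHP_EOL;
```

Each loop iteration accepts with probability above one half, so the expected number of random_bytes() calls per value is below two.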
 
Last updated: Sun Oct 24 12:03:45 2021 UTC