php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #81384 Secureness of GMP random functions undocumented
Submitted: 2021-08-26 09:12 UTC Modified: 2021-08-26 10:33 UTC
From: michelbach94 at gmail dot com Assigned:
Status: Verified Package: GNU MP related
PHP Version: 8.0.9 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
50 + 21 = ?
Subscribe to this entry?

 
 [2021-08-26 09:12 UTC] michelbach94 at gmail dot com
Description:
------------
Usually, the documentation of PHP functions that return randomness says whether the respective function is cryptographically secure. However, this is not the case with the GMP randomness functions gmp_random_bits() and gmp_random_range() (nor with the deprecated gmp_random()).

From a Google search, I found that these functions are not cryptographically secure sources of randomness (https://stackoverflow.com/a/56377850). This should be added to the documentation as PHP's GMP implementation being able to handle large numbers is very welcoming to the implementation of cryptographic primitives.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-26 10:33 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2021-08-26 10:33 UTC] cmb@php.net
gmp_random_bits(), gmp_random() and gmp_random_range() call
mpz_urandomb() and mpz_urandomm(), respectively, internally, and
these names suggest that urandom is used as source of randomness,
but this is not explicitly documented[1], so possibly that "u"
just refers to the uniform distribution.

So, yes, if in doubt don't use these numbers for cryptographic
purposes.

[1] <https://gmplib.org/manual/Integer-Random-Numbers>
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Nov 30 13:03:49 2021 UTC