To reiterate the message about *not* using mt_rand() for anything security related, here's a new tool that has been just posted that recovers the seed value given a single mt_rand() output:
http://www.openwall.com/php_mt_seed/README
mt_rand
(PHP 4, PHP 5, PHP 7, PHP 8)
mt_rand — Generate a random value via the Mersenne Twister Random Number Generator
Description
mt_rand(): int
Many random number generators of older libcs have dubious or unknown characteristics and are slow. The mt_rand() function is a drop-in replacement for the older rand(). It uses a random number generator with known characteristics using the » Mersenne Twister, which will produce random numbers four times faster than what the average libc rand() provides.
If called without the optional min,
max arguments mt_rand()
returns a pseudo-random value between 0 and
mt_getrandmax(). If you want a random number
between 5 and 15 (inclusive), for example, use mt_rand(5,
15).
Caution
This function does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.
If cryptographically secure randomness is required, the Random\Randomizer may be used with the Random\Engine\Secure engine. For simple use cases, the random_int() and random_bytes() functions provide a convenient and secure API that is backed by the operating system’s CSPRNG.
Parameters
-
min -
Optional lowest value to be returned (default: 0)
-
max -
Optional highest value to be returned (default: mt_getrandmax())
Return Values
A random integer value between min (or 0)
and max (or mt_getrandmax(), inclusive),
or false if max is less than min.
Changelog
| Version | Description |
|---|---|
| 7.2.0 | mt_rand() has received a bug fix for a modulo bias bug. This means that sequences generated with a specific seed may differ from PHP 7.1 on 64-bit machines. |
| 7.1.0 | rand() has been made an alias of mt_rand(). |
| 7.1.0 |
mt_rand() has been updated to use the fixed, correct, version of
the Mersenne Twister algorithm. To fall back to the old behaviour, use mt_srand() with MT_RAND_PHP as the second parameter.
|
Examples
Example #1 mt_rand() example
<?php
echo mt_rand(), "\n";
echo mt_rand(), "\n";
echo mt_rand(5, 15), "\n";
?>The above example will output something similar to:
1604716014 1478613278 6
Notes
Warning
min max range must
be within the range mt_getrandmax(). i.e. (max -
min) <= mt_getrandmax()
Otherwise, mt_rand() may return poorer random numbers
than it should.
See Also
- mt_srand() - Seeds the Mersenne Twister Random Number Generator
- mt_getrandmax() - Show largest possible random value
- random_int() - Get a cryptographically secure, uniformly selected integer
- random_bytes() - Get cryptographically secure random bytes
add a note
User Contributed Notes 3 notes
Pawe Krawczyk ¶
11 years ago
greald at ghvernuft dot nl ¶
1 year ago
To see some systematic deviations from a universal distribution run:
<?php
$alfabet = str_split('ADHKLMNPSTUWX');
$countalfabet = count($alfabet)-1;
$code = array_fill_keys($alfabet, 0);
for ($L=0; $L<80*$countalfabet; $L++)
{
$lettr = floor(mt_rand ( 0, $countalfabet ));
$code[$alfabet[$lettr]]++;
}
foreach($code as $L => $Freq)
{
for($F=0; $F<$Freq; $F++)
{
echo $L;
}
echo "\n<br/>";
}
?>
Anonymous ¶
5 years ago
The seed is the PID + LCG (https://github.com/php/php-src/search?q=GENERATE_SEED&unscoped_q=GENERATE_SEED)
