To reiterate the message about *not* using mt_rand() for anything security related, here's a new tool that has been just posted that recovers the seed value given a single mt_rand() output:
http://www.openwall.com/php_mt_seed/README
(PHP 4, PHP 5, PHP 7, PHP 8)
mt_rand — Generate a random value via the Mersenne Twister Random Number Generator
Many random number generators of older libcs have dubious or unknown characteristics and are slow. The mt_rand() function is a drop-in replacement for the older rand(). It uses a random number generator with known characteristics using the » Mersenne Twister, which will produce random numbers four times faster than what the average libc rand() provides.
If called without the optional min
,
max
arguments mt_rand()
returns a pseudo-random value between 0 and
mt_getrandmax(). If you want a random number
between 5 and 15 (inclusive), for example, use mt_rand(5,
15)
.
This function does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.
If cryptographically secure randomness is required, the Random\Randomizer may be used with the Random\Engine\Secure engine. For simple use cases, the random_int() and random_bytes() functions provide a convenient and secure API that is backed by the operating system’s CSPRNG.
min
Optional lowest value to be returned (default: 0)
max
Optional highest value to be returned (default: mt_getrandmax())
A random integer value between min
(or 0)
and max
(or mt_getrandmax(), inclusive),
or false
if max
is less than min
.
Version | Description |
---|---|
7.2.0 | mt_rand() has received a bug fix for a modulo bias bug. This means that sequences generated with a specific seed may differ from PHP 7.1 on 64-bit machines. |
7.1.0 | rand() has been made an alias of mt_rand(). |
7.1.0 |
mt_rand() has been updated to use the fixed, correct, version of
the Mersenne Twister algorithm. To fall back to the old behaviour, use mt_srand() with MT_RAND_PHP as the second parameter.
|
Example #1 mt_rand() example
<?php
echo mt_rand(), "\n";
echo mt_rand(), "\n";
echo mt_rand(5, 15), "\n";
?>
The above example will output something similar to:
1604716014 1478613278 6
min
max
range must
be within the range mt_getrandmax(). i.e. (max
-
min
) <= mt_getrandmax()
Otherwise, mt_rand() may return poorer random numbers
than it should.
To reiterate the message about *not* using mt_rand() for anything security related, here's a new tool that has been just posted that recovers the seed value given a single mt_rand() output:
http://www.openwall.com/php_mt_seed/README
To see some systematic deviations from a universal distribution run:
<?php
$alfabet = str_split('ADHKLMNPSTUWX');
$countalfabet = count($alfabet)-1;
$code = array_fill_keys($alfabet, 0);
for ($L=0; $L<80*$countalfabet; $L++)
{
$lettr = floor(mt_rand ( 0, $countalfabet ));
$code[$alfabet[$lettr]]++;
}
foreach($code as $L => $Freq)
{
for($F=0; $F<$Freq; $F++)
{
echo $L;
}
echo "\n<br/>";
}
?>
The seed is the PID + LCG (https://github.com/php/php-src/search?q=GENERATE_SEED&unscoped_q=GENERATE_SEED)