[whatwg] Cryptographically strong random numbers

Erik Corry erik.corry at gmail.com
Tue Feb 22 14:49:47 PST 2011


I can find Klein's complaints that the implementation of Math.random is
insecure but not his complaints about the API.  Do you have a link?

It seems pretty simple to generate a random number from 1 to 2 by fixing the
exponent and mixing in 52 bits of random mantissa. Subtract 1 to get an
evenly distributed value from 0-1. Multiply and Math.floor or >>> to get
your 8, 16, or 32 bits of randomness.

On Feb 22, 2011 11:04 PM, "Brendan Eich" <brendan at mozilla.org> wrote:
> On Feb 22, 2011, at 2:00 PM, Jorge wrote:
>
>> On 22/02/2011, at 22:36, Brendan Eich wrote:
>>> (...)
>>>
>>> However, Math.random is a source of bugs as Amit Klein has shown, and
>>> these can't all be fixed by using a better non-CS PRNG underneath
>>> Math.random and still decimating to an IEEE double in [0, 1]. The use-cases
>>> Klein explored need both a CS-PRNG and more bits, IIRC. Security experts
>>> should correct amateur-me if I'm mistaken.
>>
>> .replace( /1]/gm, '1)' ) ?
>
> Right.
>
> Reading more of Amit Klein's papers, the rounding to IEEE double also
> seems problematic. Again, I'm not the crypto-droid you are looking for.
>
> /be
>
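
The construction described in the message above (fix the exponent, fill the 52 mantissa bits, subtract 1, multiply and floor), as an added example that is not code from the thread. It assumes `crypto.getRandomValues` (Web Crypto) as the random source; the function names and the `fillBytes` parameter are hypothetical.

```javascript
// Added example, not code from the thread. fillBytes is a hypothetical
// parameter: any function that fills a Uint8Array with random bytes.
function defaultFill(bytes) {
  // Web Crypto CSPRNG (browsers, recent Node.js); an assumption of this example.
  return globalThis.crypto.getRandomValues(bytes);
}

// Build a double in [1, 2): sign 0, biased exponent 0x3FF, 52 random mantissa bits.
function randomOneToTwo(fillBytes = defaultFill) {
  const bytes = new Uint8Array(8);
  fillBytes(bytes);
  const view = new DataView(bytes.buffer);
  // High word: keep the low 20 random bits (top of the mantissa), force the exponent.
  const hi = (view.getUint32(0) & 0x000fffff) | 0x3ff00000;
  view.setUint32(0, hi >>> 0);
  // Low word (bytes 4..7) stays fully random: the other 32 mantissa bits.
  return view.getFloat64(0); // big-endian read matches the big-endian writes
}

// Subtract 1 for an evenly spaced value in [0, 1) with 2^-52 granularity.
function randomUnit(fillBytes = defaultFill) {
  return randomOneToTwo(fillBytes) - 1;
}

// Multiply and floor to get `bits` (1..32) random bits as an unsigned integer.
function randomBits(bits, fillBytes = defaultFill) {
  if (!Number.isInteger(bits) || bits < 1 || bits > 32) {
    throw new RangeError("bits must be an integer from 1 to 32");
  }
  return Math.floor(randomUnit(fillBytes) * 2 ** bits);
}

// Constructed byte sources so the edge cases are reproducible.
const allZero = (b) => b.fill(0x00);
const allOnes = (b) => b.fill(0xff);
const topMantissaBit = (b) => { b.fill(0x00); b[0] = 0xff; b[1] = 0xf8; return b; };
```

The constructed sources pin down the range: an all-zero mantissa gives exactly 1, an all-ones mantissa gives 2 - 2^-52, and whatever the source puts in the sign and exponent bits is overwritten.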

