dangerous to be sure, but it's also a technically valid seed,
are you sure we should disallow a valid seed?
On Thu, 4 Aug 2022 at 20:33, Tim Düsterhus <t...@bastelstu.be> wrote:
> Hi
>
> On 8/4/22 10:09, Anton Smirnov wrote:
> > xoshiro** has a known edge case: all-zero seed
>
> Indeed, good catch. I had that in mind, but forgot about it.
>
> > <?php
> >
> > $engine = new \Random\Engine\Xoshiro256StarStar(str_repeat("\0", 32));
> >
> > while (true) {
> > echo hex2bin($engine->generate()), PHP_EOL; // 0000000000000000
> > }
> >
> > It should be documented and/or handled
> >
> > It's only for a string seed, int seed is not affected
> >
>
> I've created a PR here:
>
> https://github.com/php/php-src/pull/9250
>
> I've opted to throw a ValueError in that case, as that's the only safe
> option that does not introduce a bias.
>
> The 32xNUL seed basically should only happen for manually written
> testing input and not happen otherwise. An actual random seed will
> result in 32 NUL bytes with just a 2**-256 chance and when relying on
> the implicit CSPRNG seeding (`null` as seed parameter) my PR will just
> retry to catch even that edge case.
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>
