[whatwg] Cryptographically strong random numbers

Brendan Eich brendan at mozilla.org
Tue Feb 22 15:34:03 PST 2011


On Feb 22, 2011, at 2:49 PM, Erik Corry wrote:
> I can find Klein's complaints that the implementation of Math.random is insecure but not his complaints about the API.  Do you have a link?

In the paper linked from http://seclists.org/bugtraq/2010/Dec/13 section 3 ("3. The non-uniformity bug"), viz:

"Due to issues with rounding when converting the 54 bit quantity to a double precision number (as explained in http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf section 2.1, x2 may not accurately represent the state bits if the whole double precision number is ≥0.5."

but that link dangles, and I haven't had time to read more.

The general concern about the API arises because Adam's API returns a typed array result that could have lenght > 1, i.e., not a random result that fits in at most 32 (or even 53) bits.

/be


More information about the es-discuss mailing list