[whatwg] Cryptographically strong random numbers

Brendan Eich brendan at mozilla.com
Tue Feb 22 15:39:07 PST 2011

On Feb 22, 2011, at 3:26 PM, Bill Frantz wrote:

> On 2/22/11 at 1:36 PM, brendan at mozilla.com (Brendan Eich) wrote:
>> However, Math.random is a source of bugs as Amit Klein has shown, and these can't all be fixed by using a better non-CS PRNG underneath Math.random and still decimating to an IEEE double in [0, 1]. The use-cases Klein explored need both a CS-PRNG and more bits, IIRC. Security experts should correct amateur-me if I'm mistaken.
> I'll see if the security expert hat fits. :-)


> The random() function in many languages has a useful property which is incompatible with security. By setting its seed, you can get deterministic execution of a Monte Carlo algorithm. IANAJSE, but I didn't see a way to set the seed of Math.random(), so the ECMAScript/Javascript version lacks this useful property. But, having both a repeatable random function and a secure random function in a language is certainly reasonable.

Browsers have, based on Amit's work, added some automatic reseeding and (before that) switched from a singleton hidden state to state-per-window/iframe.

The "API issue" as Erik put it is this: do we need an array of bytes/shorts/ints, potentially a lot of random values; or would the fractional bits of a single IEEE 64-bit double precision result be "good enough".


More information about the es-discuss mailing list