Extract all PNRG methods to a shard under crystal-lang org, leaving only PCG32 in the stdlib #4634
Comments
|
Also, create a shard with the extracted methods here: https://github.com/crystal-lang/crystal-random |
|
It seems I can't create a PR to shard as it's empty. |
|
PCG32 has not proven itself by being used in the standard library of any serious programming language, or otherwise. Making it the default was bad, removing alternatives is madness. |
|
If it doesn't prove itself, it can certainly be replaced before 1.0. But there is surely no value in having more than one generator in the stdlib. |
That gets us nowhere. Without being deeply involved in the field, the only way to compare PRNGs is by the level of trust. There is no rigorous way to prove randomness. |
Yes, and I wonder why. Xorshift varions are used in several languares though (as I mentioned in #4493) - would you prefer it? Is it discussion of Xorshift vs PCG or MT19937+ISAAC vs PCG?
There is a TestU01. Both PCG and Xorshift passes it. |
|
I don't care so much about merits of PRNGs and I am not directing the communication that way. All I'm saying is the standard library should have a trusted PRNG, not only one that performs fast or whatever. |
|
@oprypin so is a PRNG that is used by Erlang, JavaScript V8, Nim and Rust (Rust is using ISAAC by default though) trusted enough? Would it better if we switch to it instead of PCG? Another idea is to let ISAAC stay (as @ysbaddaden proposed IIRC) - it is cryptographically secure, time-proven and requires zero efforts as it is already here. |
|
I'm not knowledgeable enough on the topic of randomness, so I asked @jedisct1 (libsodium author):
Everything I read says the same: PCG32 and xorshift* are both good. They pass the TestU01 statistical test suite, and they're fast. They aren't cryptographically secure AFAIK, so documentation should state that, and redirect to |
|
True entropy is really the provenance of the OS - has access to boot time entropy pools, mixes inputs, and has direct hwrng access if available. Software-only solutions in userspace are inherently at a disadvantage against attackers, so I'd lean towards a performant prng in stdlib, with instructions for users on getting heavy lifting done by the OS if possible, or using a proven slower one from a separate lib. |
|
I think distributing a proven and trusted secure PRNG along the faster default and the system source is a good idea. We'd have a fast yet good default, a secure but system-specific solution, and a secure solution using the same PRNG, whatever the underlying system. Maybe we could introduce ChaCha12 (or ChaCha20 if we're conservative) instead of ISAAC. The implementation is simpler, it's well trusted and used in many places. ChaCha20 performed poorly in non release mode (which may or may not a concern) but I suppose ChaCha12 would do better? |
|
this stackexchange answer seems to agree that ChaCha12 is a fine choice. PCG32 seems to be fast and "challenging" to predict compared to MT19937, but still not fully secure. Therefore PCG32 appears to be a very good all-rounder, a good default. ChaCha12 seems to be a good choice for cryptographically secure random. In addition to providing |
|
ChaCha12 should take 60% time of ChaCha20 +- overhead. I've updated my benchmark at https://github.com/konovod/prngs with it, and added to table results in non-release mode. Speaking about performance, I have only basic experience in optimization, didn't tried to check generated assembly code (and don't know SSE anyway). Also, both PCG32 and ChaCha20 (and also XorShift) use About ISAAC - i don't know about attacks on it, there is even unclaimed bounty on it's page for discovering a seed from sequence, but it is based on RC4 that is known to be vulnerable. So ChaCha is a safer bet. |
I didn't said it always fails. But it fails in unpredictable situations, so it should be always checked. Looks like, combining shift+or into rotl is late in optimisations chain, and previous optimisations sometimes break this conversion. |
Same way SHA2 is based on MD5. But SHA2 is still not broken. There is improved version ISAAC+ from Jean-Phillipe Aumasson "On the pseudo-random generator ISAAC"(https://131002.net/data/papers/Aum06b.pdf) |
|
Does LLVM provide intrinsics for |
|
AFAIK no. |
|
There is no LLVM sources have only macros like this: #define rot( x, k ) (((x)<<(k)) | ((x)>>(32-(k))))Usually it is optimized by LLVM into |
This require very little changes to ISAAC - replace shifts to rotation, one addition to xor, add xor in one place. I did it in my prngs shard. Makes thing slower by 5-10%. The only thing that stops me from making PR - i haven't found any implementations of it. So no specs or test vectors - i can only generate some values and call it spec, hoping that i implemented it right. |
|
Interesting, but no test vectors nor usages is a show stopper, yes. |
|
Just created an empty shared at this repo: https://github.com/crystal-lang/crystal-random. PRs to move stuff from the stdlib welcome! |
|
This issue can be closed. In stdlib there's only |
PR #4536 introduced the best PNRG method Crystal has had to date. As we want to remove anything that isn't essential from the standard library, we will only keep PCG32 and create a new official shard to provide the rest of the PNRG methods.
PRs to remove the methods from the stdlib are welcome!
The text was updated successfully, but these errors were encountered: