On Sat, 21 Jan 2017 at 14:41 Niklas Keller <m...@kelunik.com> wrote:
> Anyway, the "issue" with mt_rand is not the seed being predictable but the
> internal state being recoverable from the output. But mt_rand is
> predictable by design, so why should we even seed it with a CSPRNG by
> default?

For the record, when I was making RNG changes for 7.1, I did look at the mt_rand seed mechanism, and decided it was _good enough_ for the purposes of mt_rand.
State recovery can actually be done with as few as 624 sequential outputs; you will never be able to get away from that. Even with a fully CSPRNG generated state, if an attacker gets 624 outputs after the state is twisted, the RNG is compromised.
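The 624-output state recovery described in the message above, as an added demonstration that is not part of the thread: Python's `random` module is MT19937 like mt_rand, so the same tempering inversion and state reload apply. The function names (`untemper`, `clone_from_outputs`, `demo`) are this example's own, and it assumes, as the message does, that the 624 outputs are observed right after a twist.

```python
# Added demonstration (not from the thread): recover MT19937 state from
# 624 consecutive 32-bit outputs observed right after a twist, then
# predict further outputs. Python's random module is MT19937 like mt_rand.
import random
import secrets

MASK32 = 0xFFFFFFFF

def undo_right_xor(y, shift):
    # Invert y ^= y >> shift: the top `shift` bits are untouched, and
    # each pass recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def undo_left_xor_mask(y, shift, mask):
    # Invert y ^= (y << shift) & mask, working upward from the low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32

def untemper(y):
    # Reverse the four MT19937 tempering steps to get the raw state word.
    y = undo_right_xor(y, 18)
    y = undo_left_xor_mask(y, 15, 0xEFC60000)
    y = undo_left_xor_mask(y, 7, 0x9D2C5680)
    return undo_right_xor(y, 11)

def clone_from_outputs(outputs):
    # Rebuild all 624 state words and load them with index 624, so the
    # clone's next call twists exactly as the observed generator's will.
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone

def demo(seed=None):
    # The seed is unknown and CSPRNG-quality by default; it does not help.
    victim = random.Random(secrets.randbits(128) if seed is None else seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(10)]
    actual = [victim.getrandbits(32) for _ in range(10)]
    return predicted == actual
```

If the observed run does not start at a twist boundary, the twist step itself has to be reimplemented to realign the recovered words; `setstate` alone only covers the aligned case shown here. The defensive conclusion is the one the message draws: anything that must stay unpredictable needs a CSPRNG (`random_bytes`/`random_int` in PHP, `secrets` in Python), not a better-seeded mt_rand.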