Skip to content

Instantly share code, notes, and snippets.

@sarciszewski

sarciszewski/README.md

Last active February 16, 2016 22:49
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save sarciszewski/f7bd4c0358a44321787b to your computer and use it in GitHub Desktop.
Save sarciszewski/f7bd4c0358a44321787b to your computer and use it in GitHub Desktop.
Download ZIP
PRNG Benchmarks
Raw
README.md

In response to some people claiming that using a CSPRNG is "going way overboard" and/or is "overkill", I've written this test to verify the performance impact of using a CSPRNG versus their insecure mt_rand() based hacks.

I think the results are conclusive (at least on my device): A 50% speed increase. In addition to less-predictable randomness.

If anyone would like to suggest a benchmark script (or conditions that lead to different results with mine), let me know and I will link to them here.

Raw
functions.php
<?php
function shitty_prng($bytes = 32)
{
$buf = '';
for ($i = 0; $i < $bytes; ++$i) {
$buf .= chr(mt_rand(0, 255));
}
}
function better_prng($bytes = 32)
{
if (function_exists('mcrypt_create_iv')) {
return mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
}
return openssl_random_pseudo_bytes(32);
}
function openssl_prng($bytes = 32)
{
return openssl_random_pseudo_bytes(32);
}
function mcrypt_prng($bytes = 32)
{
return mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
}
Raw
test.php
<?php
require "functions.php";
$buf = '';
$tests = [];
$start = microtime(true);
for ($i = 0; $i < 100000; ++$i) {
$buf = shitty_prng();
}
$tests['mtrand'] = ( microtime(true) - $start );
$start = microtime(true);
for ($i = 0; $i < 100000; ++$i) {
$buf = better_prng();
}
$tests['csprng'] = ( microtime(true) - $start );
$start = microtime(true);
for ($i = 0; $i < 100000; ++$i) {
$buf = openssl_prng();
}
$tests['openssl'] = ( microtime(true) - $start );
$start = microtime(true);
for ($i = 0; $i < 100000; ++$i) {
$buf = mcrypt_prng();
}
$tests['mcrypt'] = ( microtime(true) - $start );
var_dump($tests);
Raw
test_results
array(4) {
["mtrand"]=>
float(2.3792960643768)
["csprng"]=>
float(1.0584290027618)
["openssl"]=>
float(0.38547611236572)
["mcrypt"]=>
float(0.97102904319763)
}
array(4) {
["mtrand"]=>
float(2.4055750370026)
["csprng"]=>
float(1.0631558895111)
["openssl"]=>
float(0.30554485321045)
["mcrypt"]=>
float(1.106586933136)
}
array(4) {
["mtrand"]=>
float(2.3207230567932)
["csprng"]=>
float(1.0591180324554)
["openssl"]=>
float(0.29997992515564)
["mcrypt"]=>
float(1.0387818813324)
}
array(4) {
["mtrand"]=>
float(2.3104860782623)
["csprng"]=>
float(1.1197648048401)
["openssl"]=>
float(0.2982759475708)
["mcrypt"]=>
float(1.0270299911499)
}
@paragonie-scott
Copy link

https://3v4l.org/LYfu9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment