Rand VS MT_Rand

[Ben Fury]

I just wanted to throw out there that no number is truly random. There are tons of articles out there that explain this in detail. Basically, MT_Rand is NOT 4 times faster and does NOT generate better random numbers than Rand does. In fact, both are about equal and equally vulnerable. Both can be guessed by hackers. There is no solid evidence anywhere indicating that MT_Rand is faster and better than Rand, besides maybe a few claims found online. There are simple scripts that you can write that show the randomness of both functions.


--------------------------------------------------------------------------------

Script one (To show how random they really are):

<?php
header("Content-type: image/png");
$img = imagecreatetruecolor(256, 256)
or die("Error while creating the graphic.");
$white = imagecolorallocate($img, 255, 255, 255);

for ($x=0; $x<256; $x++)
{
for ($y=0; $y<256; $y++)
{
if (mt_rand(0,1) === 1)
{
imagesetpixel($img, $x, $y, $white);
}
}
}
imagepng($img);
imagedestroy($img);
?>

------------------------------------------------------

Script 2 (To show how fast they output):

<?php
$start = microtime(true);
for ($i=0; $i<1000000; $i++)
{
$random = mt_rand(0,1);
}
$end = microtime(true);

$runtimeMtRand= $end - $start;

$start = microtime(true);
for ($i=0; $i<1000000; $i++)
{
$random = rand(0,1);
}
$end = microtime(true);

$runtimeRand = $end - $start;

echo "Runtime mt_rand(): ".$runtimeMtRand." seconds!";
echo "Runtime rand(): ".$runtimeRand." seconds!";
?>

--------------------------------------------------------------------------------------------------

Both of these scripts are found here: http://en.code-bude.net/2013/01/06/php-r...is-faster/

------------------------------------------------------------------------------

Maybe I am wrong and you found better backing evidence than me, but I believe that your effort in better randomization is not finished simply by find/replacing all Rands with MT_Rands.

[Sevion]

mt_rand uses http://en.wikipedia.org/wiki/Mersenne_twister

rand uses http://en.wikipedia.org/wiki/Linear_cong..._generator

Rand is actually faster than mt_rand by such a small amount that its not even something to make a change for. (Now if you look at the two functions line for line mt_rand is faster as it goes through its code faster, however theres more of it so in the end it ends up ever so slightly slower)

Rand can easily be manipulated by python allowing hackers the ability to manipulate the outcome of the PRNG within a range allowing them to increase the odds of getting the desired number from the PRNG. mt_rand is still susceptible to this but not as bad.

If the goal is great randomness such as crypto randomizing then openssl_random_pseudo_bytes() would be the route to go. But this function is heavy and can be slow at times.

In many tests I've read and I've performed rand() isnt very random. While mt_rand while not 100% random either performs better in randomization.

http://web.archive.org/web/2014080100272...s-mt_rand/

And one thing you will also notice in alot of "test" articles that provide similar results when comparing the two functions is people dont bother to check what their system is using for its PRNG. rand() could actually be using the mersenne twister provided the server is using it as the default.