Re: random() generates collisions too early

From: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
To: Honza Horak <hhorak(at)redhat(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: random() generates collisions too early
Date: 2013-10-23 10:59:13
Message-ID: 5267AC01.1030203@vmware.com
Lists: pgsql-bugs

On 22.10.2013 14:55, Honza Horak wrote:
> On 10/21/2013 04:19 PM, Heikki Linnakangas wrote:
>> On 18.10.2013 14:55, Honza Horak wrote:
>>> Also, I'd suggest to state explicitly in the doc, that random()
>>> shouldn't be taken as CSPRNG, since I can imagine people blindly
>>> believing that random() can be good enough for such use cases, just
>>> because they see how many possible values they get from double-precision
>>> type:
>>> http://www.postgresql.org/docs/9.3/static/functions-math.html
>>
>> Yeah, that seems like a good idea. A patch would be welcome.
>
> I don't think we need to tell some long stories here, so what about this
> one:
> "pseudo-random value in the range 0.0 < x < 1.0 (characteristic of
> randomness depends on the system implementation and is usually limited,
> thus not considered as a CSPRNG in any case)"

I had to look up what CSPRNG stands for, so we probably should spell it
out. Also not sure what it means for the characteristic of the
randomness to be limited. How about something like:

> random value in the range 0.0 <= x < 1.0 (the characteristics of the
> returned values depend on the system implementation. This function
> is not suitable for cryptographic applications; use pgcrypto
> instead.)

Or perhaps it would be even better to move random() and setseed to a
separate table. They are somewhat different from the rest of the
functions listed in the table of Mathematical Functions, and it would be
nice to list them together; currently the round() functions fall between
them in the alphabetically ordered table. What do you think of the attached?

- Heikki

Attachment: random-doc-1.patch (text/x-diff, 3.0 KB)
