Reuse pool more times #4
Comments
Interesting suggestion. However, this would make sequential UUIDs quite predictable. Even though the spec says not to, I've seen people use UUIDs as security tokens in the wild.
The sampling starting point in a random pool of bytes should not have any effect on the outcome. If the output is becoming predictable, then there is a bug in the underlying crypto, and you should report it.
Can you explain this a little more? I thought the bytes in the buffer were used to construct the UUID directly, so I picture sequential generation in this case as consecutive, overlapping slices of the buffer.
Yes, except the underlying buffer itself is not sequential; it is random bytes. The chance of the Crypto generating an "abcd..." sequence in the buffer is highly improbable. If that were the case, the underlying crypto itself would be broken and should be reported.

By "random", what it means is that there is no correlation between the bytes in the pool. For that matter, we can reuse this buffer many times, for example by advancing the index one byte at a time instead of `n` bytes at a time.
In other words, the sampling index is just an offset into a buffer of random bytes. Assuming the buffer size is `uuid.BUFFER_SIZE` (e.g. 512) and each id takes `n` bytes (e.g. 16), you can write an ultimate uniqueness test case to test this theory.
This test will succeed for any moderately random implementation, because to generate unique ids of length `n` you only need every length-`n` window of the buffer to differ from every other window in at least one byte. For example, a buffer holding the bytes "aaaabcdef" is sure to generate unique strings of length 4 or more. In other words, you can simplify the above test to a check for duplicate windows in the pool. The bigger challenge here is not local uniqueness but global / universal uniqueness. That is purely dependent on the random bytes generated by the Crypto (one of the reasons why implementations try to take the MAC address etc. into consideration while generating these random bytes). If the generated buffer is guaranteed to be globally unique, then the sampling order, whether `bufIdx += n` or `bufIdx++`, makes no difference. (Sidenote: generating all the combinations or permutations of such byte sequences is a separate exercise.)
Hey, exquisite explanation, and thank you kindly for that. I did try your suggestion, and I believe everything you say about uniqueness is correct. However, I still believe it makes sequential UUIDs predictable. I know this isn't a requirement of the v4 spec, but I do find unpredictability to be an expectation of users. I generated sequential UUIDs using your suggestion, and they follow a predictable pattern: each id is roughly the previous one shifted by one byte.

Edit: I will add that your suggestion more than doubles the performance, and may be worth adding as a setting for folks who don't need unpredictability.
I see your point regarding the predictability. You are right: someone just needs to try 256 possibilities, so this certainly cannot be used for crypto. Your example illustrated the point clearly; thank you for pointing it out. I like your idea of a flag controlling the behavior for performance. In many cases, such as database records where uniqueness is all that matters, the trade-off would be worthwhile.
This is good work.

Currently, with `bufIdx += n`, the `uuid.BUFFER_SIZE` pool of random bytes gets exhausted after `uuid.BUFFER_SIZE / n` uses (e.g. 512 / 16), which is not much. In practice, this can be just `bufIdx++`, and the pool gets used `uuid.BUFFER_SIZE - n` times (e.g. 512 - 16). There is no effect on uniqueness, since unless all the `n + 1` bytes are equal in value, `bufIdx++` is as random as `bufIdx += n`. This improves the mileage.

Something like `buf.slice(bufIdx, bufIdx + n)`, modifying the condition to be `(++bufIdx + n) > uuid.BUFFER_SIZE`.
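For concreteness, the mileage difference with the numbers above works out as follows (back-of-the-envelope arithmetic, not library code):

```javascript
// Pool mileage under the two sampling strategies discussed in this issue.
const BUFFER_SIZE = 512;
const n = 16;

// bufIdx += n: each id consumes n fresh bytes.
const stridedIds = Math.floor(BUFFER_SIZE / n); // 512 / 16 = 32 ids per refill

// bufIdx++: the window slides one byte at a time.
const slidingIds = BUFFER_SIZE - n; // 512 - 16 = 496 ids per refill

console.log(`strided: ${stridedIds}, sliding: ${slidingIds}`);
```

So the sliding window stretches one `crypto.randomBytes` call roughly 15x further, which is where the performance gain mentioned above comes from.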