Node.js uuid.v4 vs crypto.randomUUID. Which implementation is more cryptographically secure?

Alexander D'Attore

3/9/23, 8:21 AM

For a long time I've used the uuid npm package for my v4 uuid needs. It seems in recent versions of node they have introduced a built-in crypto module with the method randomUUID.

Some benchmarks have been done to show crypto.randomUUID is much faster than uuid.v4 (roughly 3x +).

However I can't find any information about how the implementations differ (if at all) in terms of how they choose random numbers for their output UUID. Is one likely to be using a more secure RNG?

UUID Node Module

Node.js Docs for crypto.randomUUID

943

0 + 0

random-number-generator

JAAAY

3/9/23, 8:26 AM

They both implement the same RFC.

fgrieu

3/9/23, 9:09 AM

This is so implementation-specific, and with little crypto (there's no key, and indistinguishability from random is not the meat of the question) that it's seems off-topic. What about asking it on [security-SE](https://security.stackexchange.com/) or [SO](https://stackoverflow.com/) instead?

Alexander D'Attore

3/9/23, 10:05 AM

This is implementation specific for sure. The heart of my question is meant to be which implementation provides the best indistinguishability from random.

SAI Peregrinus

3/9/23, 2:48 PM

Even "random" UUIDs are distinguishable from random bytes, by design. But both should have essentially identical entropy for those parts of the UUID which are randomly chosen, when in random UUID mode (instead of time-based or one other modes specified in the RFC).

Maarten Bodewes

3/9/23, 9:31 PM

The 3x difference in speed unfortunately doesn't tell you anything. A less secure random number generator is generally *much* faster than 3x the speed. The difference is probably due to implementation differences or how the randoms are retrieved (e.g. byte-by-byte or word-to-word). [This post](https://www.nearform.com/blog/new-crypto-capabilities-in-node-js/) seems to go a bit deeper into the differences.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Node.js uuid.v4 vs crypto.randomUUID. Which implementation is more cryptographically secure?

TH: Node.js uuid.v4 กับ crypto.randomUUIDการใช้งานใดมีความปลอดภัยในการเข้ารหัสมากกว่ากัน

RO: Node.js uuid.v4 vs crypto.randomUUID.Care implementare este mai sigură criptografic?

RU: Node.js uuid.v4 против crypto.randomUUID.Какая реализация более криптографически безопасна?

VI: Node.js uuid.v4 so với crypto.randomUUID.Việc triển khai nào an toàn hơn về mặt mật mã?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.