Score:2

Node.js uuid.v4 vs crypto.randomUUID. Which implementation is more cryptographically secure?


For a long time I've used the uuid npm package for my v4 uuid needs. It seems in recent versions of node they have introduced a built-in crypto module with the method randomUUID.

Some benchmarks have been done to show crypto.randomUUID is much faster than uuid.v4 (roughly 3x +).

However I can't find any information about how the implementations differ (if at all) in terms of how they choose random numbers for their output UUID. Is one likely to be using a more secure RNG?

UUID Node Module

Node.js Docs for crypto.randomUUID

JAAAY:
They both implement the same RFC.
fgrieu:
This is so implementation-specific, and with little crypto (there's no key, and indistinguishability from random is not the meat of the question) that it seems off-topic. What about asking it on [security-SE](https://security.stackexchange.com/) or [SO](https://stackoverflow.com/) instead?
Alexander D'Attore:
This is implementation specific for sure. The heart of my question is meant to be which implementation provides the best indistinguishability from random.
SAI Peregrinus:
Even "random" UUIDs are distinguishable from random bytes, by design. But both should have essentially identical entropy for those parts of the UUID which are randomly chosen, when in random UUID mode (instead of time-based or one of the other modes specified in the RFC).
Maarten Bodewes:
The 3x difference in speed unfortunately doesn't tell you anything. A less secure random number generator is generally *much* faster than 3x the speed. The difference is probably due to implementation differences or how the randoms are retrieved (e.g. byte-by-byte or word-to-word). [This post](https://www.nearform.com/blog/new-crypto-capabilities-in-node-js/) seems to go a bit deeper into the differences.
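
The point made in the comments about fixed bits, as an added example that is not part of the original thread or of either library: a version-4 UUID built per RFC 4122 section 4.4 overwrites 6 of the 128 bits (version and variant), so only 122 bits come from the RNG, and the script confirms empirically that `crypto.randomUUID` output has exactly those 6 constant bit positions. It assumes Node.js 14.17 or later; `uuidV4FromBytes`, `uuidToBytes` and `constantBits` are hypothetical helper names, and the check shows the layout of a UUID, not the quality of the underlying RNG.

```javascript
// Added example: assumes Node.js >= 14.17 (crypto.randomUUID available).
const nodeCrypto = require('node:crypto');

// Build a version-4 UUID from 16 bytes per RFC 4122 section 4.4:
// the caller's bytes are the entropy; 6 bits are then overwritten.
function uuidV4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError('need exactly 16 bytes');
  const b = Buffer.from(bytes);      // copy, do not mutate the input
  b[6] = (b[6] & 0x0f) | 0x40;       // version nibble = 0100 (4)
  b[8] = (b[8] & 0x3f) | 0x80;       // variant bits   = 10
  const h = b.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Parse the canonical text form back into 16 bytes.
function uuidToBytes(uuid) {
  if (!/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i.test(uuid)) {
    throw new TypeError('not a canonical UUID string');
  }
  return Buffer.from(uuid.replace(/-/g, ''), 'hex');
}

// Over `samples` UUIDs from `gen`, return the bit positions
// (0..127, most significant bit first) whose value never changed.
function constantBits(gen, samples) {
  const seenOne = new Uint8Array(128);
  const seenZero = new Uint8Array(128);
  for (let i = 0; i < samples; i++) {
    const b = uuidToBytes(gen());
    for (let bit = 0; bit < 128; bit++) {
      const v = (b[bit >> 3] >> (7 - (bit & 7))) & 1;
      if (v) seenOne[bit] = 1; else seenZero[bit] = 1;
    }
  }
  const fixed = [];
  for (let bit = 0; bit < 128; bit++) {
    if (!(seenOne[bit] && seenZero[bit])) fixed.push(bit);
  }
  return fixed;
}

// Bits 48-51 are the version nibble, bits 64-65 the variant.
console.log('constant bits in crypto.randomUUID output:',
  constantBits(() => nodeCrypto.randomUUID(), 2000));
```

Running the same `constantBits` check against any other v4 generator shows whether it leaves all 122 remaining bit positions free to vary.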