The purpose of a random number function is to get — you guessed it — a random number, something you cannot predict (or be very hard to predict with certainty). If the mt_rand() function is faster and less predictable (more “random”) than the old rand(), why not just switch the underlying implementation to the new method?
To put it another way, what kind of program that uses rand() would break in a later version of PHP if/because the underlying implementation changed?
Advertisement
Answer
Mainly because that’s the PHP way. Just like they added mysql_real_escape_string instead of replacing mysql_escape_string with it.
However, it might also be related to the disadvantages the mersenne-twister algorithm has (I have no clue if they are also present in the rand() algorithm though):
The algorithm in its native form is not suitable for cryptography (unlike Blum Blum Shub). Observing a sufficient number of iterates (624 in the case of MT19937, since this figure is the size of the state vector from which future iterates are produced) allows one to predict all future iterates. A pair of cryptographic stream ciphers based on output from Mersenne twister has been proposed by Makoto Matsumoto et al. The authors claim speeds 1.5 to 2 times faster than Advanced Encryption Standard in counter mode. wikipedia
Another issue is that it can take a long time to turn a non-random initial state (notably the presence of many zeros) into output that passes randomness tests. A small lagged Fibonacci generator or linear congruential generator gets started much more quickly and usually is used to seed the Mersenne Twister with random initial values. wikipedia