undefined | Better HN

0 pointsmabbo2y ago0 comments

Even at a billion requests per second, 128 bit UUIDs shouldn't collide for something like a billion years.

And that's if you're going completely random and not taking care to try to reduce collisions.

0 comments

Are you sure about that math?

A billion seconds at a billion requests per second is already 2^60 items. You'd only need a few billion seconds to have a 50:50 collision chance with 128 random bits, and even less with a real UUID that only has 122 random bits.

You'd hit 1% odds of collision after less than a decade.

If you actually want to go for a billion years, you need to expand that UUID by 50%.

mabboOP2y ago

You know I think I converted powers of two and powers of ten interchangeably in my calculations. You're very likely correct.

danielmarkbruce2y ago

This seems off. A few billion seconds to have a 50:50 chance? Why wouldn't it be a billion seconds at a billion per second (2^60 total requests) would give a 1 in 2^68 chance (or 1 in 2^62 if its really only 122 bits)?

Dylan168072y ago

Birthday paradox. The number of opportunities to collide is the number of items squared. (Divided by two and a smidge)

1 more reply

penteract2y ago

Because we're talking about collisions, as opposed to comparing 2^64 independent pairs. With 2^128 possible values, if you've picked 2^63 distinct ones, the chance that a randomly selected value collides with one of those is 1 in 2^65. If none of your second batch of 2^63 collide with each other, that gives a 2^63/2^65 = 1/4 chance of one of them colliding with the first batch. Considering the possibility of collisions within each batch of 2^63 brings it closer to 1 in 2.

jandrewrogers2y ago

There have been many cases of UUIDv4 collisions because an RNG wasn’t as random as expected, due to broken RNG or developer error. It is one of those cases where practice is not as reliable as theory, and it is banned in some places as a consequence.

It depends on how paranoid you need to be.

MichaelZuo2y ago

NIST standards on RNG are not as random as expected?

Or do you mean certain folks intentionally chose substandard implementations for some reason?

jandrewrogers2y ago

A significant number of implementers roll their own UUIDv4. It seems so easy so why not? Most UUIDs are used in contexts where the devs are not that sophisticated so it isn’t that surprising that naive mistakes happen. If you are using it for distributed UUID generation, it just takes one person making a mistake to create havoc.

UUIDv4 is banned in many high security environments primarily because it is easy for people to screw up in practice and it is difficult to detect when those mistakes are made. 128-bits doesn’t leave much room for mistakes using probabilistic uniqueness.

polynomial2y ago

Facts.

lazide2y ago

Shouldn’t != never happens. All sorts of weird implementation issues can cause problems.

j / k navigate · click thread line to collapse

0 comments

Dylan168072y ago

Are you sure about that math?

You'd hit 1% odds of collision after less than a decade.

If you actually want to go for a billion years, you need to expand that UUID by 50%.

mabboOP2y ago

You know I think I converted powers of two and powers of ten interchangeably in my calculations. You're very likely correct.

danielmarkbruce2y ago

Dylan168072y ago

Birthday paradox. The number of opportunities to collide is the number of items squared. (Divided by two and a smidge)

1 more reply

penteract2y ago

jandrewrogers2y ago

It depends on how paranoid you need to be.

MichaelZuo2y ago

NIST standards on RNG are not as random as expected?

Or do you mean certain folks intentionally chose substandard implementations for some reason?

jandrewrogers2y ago

polynomial2y ago

Facts.

lazide2y ago

Shouldn’t != never happens. All sorts of weird implementation issues can cause problems.

j / k navigate · click thread line to collapse