Skip to content

Replace JS snippet with WASI call for random byte generation #980

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Replace JS snippet with WASI call for random byte generation #980

wants to merge 1 commit into from

Conversation

@palas
Copy link
Contributor

@palas palas commented Oct 23, 2025

Changelog

- description: |
    Use WASI call to generate random bytes instead of JS snippet
  type:
  - compatible
  projects:
  - cardano-wasm

Context

We want to produce a WASM module that doesn't depend on JavaScript function calls to work, only in WASI, so that it can be used from other languages. This PR modifies the call used to generate random ByteStrings so that it doesn't depend on JavaScript but uses the random_get primitive from WASI. Which is described as producing high quality randomness, and is actually implemented in terms of crypto.getRandomValues in the shim we use.

How to trust this PR

It is tricky, because it is really sensitive code, and the code is quite simple, but it does rely on the WASI implementation underneath. I will do some testing and you can see the implementation in the shim we are currently using for JS here: https://github.com/bjorn3/browser_wasi_shim/blob/8dee2473332e540b3f3a9c59259dd027dc1e6853/src/wasi.ts#L886

Something worrying is It seems it uses Math.random() as fallback, which is not cryptographically secure. But until we can include WASI2, this seems the best primitive.

Checklist

  • Commit sequence broadly makes sense and commits have useful messages
  • New tests are added if needed and existing tests are updated. See Running tests for more details
  • Self-reviewed the diff

@palas palas self-assigned this Oct 23, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 23, 2025
View reviewed changes
@palas palas force-pushed the use-wasi-for-randomness branch 2 times, most recently from ce9c7cf to f83a020 Compare October 24, 2025 19:57
@palas palas force-pushed the use-wasi-for-randomness branch from f83a020 to 6c6658e Compare October 24, 2025 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dcoutts dcoutts Awaiting requested review from dcoutts dcoutts is a code owner

@Jimbo4350 Jimbo4350 Awaiting requested review from Jimbo4350 Jimbo4350 is a code owner

@erikd erikd Awaiting requested review from erikd erikd is a code owner

@newhoggy newhoggy Awaiting requested review from newhoggy newhoggy is a code owner

@carbolymer carbolymer Awaiting requested review from carbolymer carbolymer is a code owner

@kevinhammond kevinhammond Awaiting requested review from kevinhammond kevinhammond is a code owner

@CarlosLopezDeLara CarlosLopezDeLara Awaiting requested review from CarlosLopezDeLara CarlosLopezDeLara is a code owner

@disassembler disassembler Awaiting requested review from disassembler disassembler is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@palas palas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@palas