random_bytes can be unique ? collision percentage?

Question

I searched here, but I found nothing about my question. So, here I am posting this beginner-like question. Is random_bytes() can be unique ? is it collision proof? or at least percentage of collision ? that's all thank you.

Answer 1

According to the manual:

Generates an arbitrary length string of cryptographic random bytes that are suitable for cryptographic use

So you can assume uniqueness, of course depending on the length of generated string. If you need to generate ID, then look at UUIDv4 e.g., and follow its generation algorithm, then you should be mostly safe.

Answer 2

I made a totally unscientific test using this script:

<?php

// collisions.php -- check collisions of random_bytes()

set_time_limit(0);

if(count($argv) < 2) die("Usage: php collisions.php n\n       where n is the number of tries\n");

$tries = floatval($argv[1]);
if($tries < 1) die("Number of tries must be at least 1.\n");

$t = time();

$chkUnqiue = [];
for($i = 0; $i < $tries; $i++) {
   $r = bin2hex(random_bytes(16));
   if(isset($chkUnique[$r]))
      $chkUnique[$r]++;
   else
      $chkUnique[$r] = 0;
}

$t = time() - $t;

echo "Collisions by random_bytes() after " . number_format($tries) . " tries: " .
     array_sum($chkUnique) .
     "\nTook approx. $t sec.\n";

And tried it for up to 30 million runs:

php collisions.php 30000000

And the output was:

Collisions by random_bytes() after 30,000,000 tries: 0
Took approx. 53 sec.

Beyond 30 million, it started throwing out of memory errors. Running in CLI mode, I had the memory limit set to -1 (unlimited) so I had no room for larger tests on that server ... maybe someone can confirm no collisions on larger number of trials?