by overshard 1408 days ago
And this is when comments in code are important! Any random numbers without a source are immediately suspect to me, especially in something that needs to be secure. It will save your coworkers and peers time trying to figure out why it's there.
7 comments

That’s true, but this thing is not code any more.

It’s an incantation that’s propagated for 50+ years because it’s minimal and effective. Over time, it’s been fully distilled to those properties.

Since comments aren’t essential to being minimal and effective, they don’t survive the distillation.

Think of it like a clever gist that got pasted and shared a hundred times. Even if the original source had explained every step in great detail, with inline comments and deep explanatory discourses and citations to prior art and etc, they’d eventually get trimmed away as fat as people repeatedly prune it down to some “important” bits pasted into their own copies and then later share those trimmed copies, ad infinitum.

This is that, but 50 years out.

Since it's an LCG, it does not matter how it was derived as long as the randomness properties are known. Such as cycle length, identical initial state set and dispersion properties. Perhaps also performance.

These should be documented.

It's a rather weak PRNG of short cycle, so the suspicion is that it's made for particular dispersion properties, such as for a hash table of particular data and size or other bucketing algorithm.

>These should be documented.

They're trivial to look up, and any modern source would likely outlive the game of telephone of trying to keep such a comment intact correctly.

It is interesting -- 5/9 of the books listed there are clearly numerics textbooks, so it isn't surprising they talked about a non-cryptographic PRNG. Curious about the other 4. But maybe this shows up as a "here's why you should be careful what type of RNG you are using" type example.

When you find this algorithm with or without any comments from where the numbers come from in a point that should be secure, you should be more than suspicious. In any way, this is not a secure PRNG.

For PRNGs like this, constants are often chosen by guess and check. This algorithm (an LCG) has a bit more theory, so these might not have been chosen that way, but the author of the code probably didn't have any insight either.

“No magic numbers.”

That’s clever!

Security through obscurity?

Maybe not.