
On Tue, Sep 22, 2015 at 2:10 AM, Steven D'Aprano <steve@pearwood.info> wrote:
> Are there use-cases for a strong random float between 0 and 1? If so, is it sufficient to say secrets.randbelow(sys.maxsize)/sys.maxsize, or should we offer secrets.random() and/or secrets.uniform(a, b)?

I would be leery of such a function, because it'd be hard to define it perfectly. Tell me, crypto wonks: If I have a function randfloat() that returns 0.0 <= x < 1.0, is it safe to use it like this:

    # Generate an integer 0 <= x < 12345, uniformly distributed
    uniform = int(randfloat() * 12345)
    # Ditto but on a logarithmic distribution
    log = math.exp(randfloat() * math.log(12345))
    # Double-logarithmic
    loglog = math.exp(math.exp(randfloat() * math.log(math.log(12345))))

If it's producing a random *real number* 0 <= x < 1, then these should be valid. But given the differences between floats and reals, I would be worried that this kind of usage would introduce an unexpected bias. Obviously the first example is much better spelled randbelow or randrange, but for more complicated examples, grabbing a random float would look like the best way to do it. Will it? Always?

Not being a crypto wonk myself, I can't know what's safe and what isn't. If Python is going to offer a new module with the (implicit or explicit) recommendation "use this for all your cryptographic entropy", it needs to be 100% reliable.

ChrisA
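
The uniform case from the message above, worked through as an added example (not code from the thread). It assumes randfloat() returns k / 2**bits for a uniformly drawn integer k, uses a 16-bit toy width so every possible output can be enumerated, and compares the result with rejection sampling; all function names are hypothetical.

```python
from collections import Counter


def scaled_float_counts(n, bits):
    """Enumerate every output of a hypothetical randfloat() that returns
    k / 2**bits for a uniform bits-bit integer k, and count how often
    int(randfloat() * n) lands on each integer."""
    scale = 2 ** bits
    return Counter(int((k / scale) * n) for k in range(scale))


def rejection_counts(n):
    """Same enumeration for rejection sampling: draw n.bit_length()
    bits and discard any draw that is >= n."""
    bits = n.bit_length()
    return Counter(k for k in range(2 ** bits) if k < n)


def summarize(counts, n):
    """Return (fewest hits, most hits, how many results get the most)."""
    hits = [counts[j] for j in range(n)]
    lo, hi = min(hits), max(hits)
    return lo, hi, hits.count(hi)


def favoured_results(n, bits):
    """Closed form in exact arithmetic: how many results receive one
    extra input when 2**bits is not a multiple of n. At 53 bits the
    float multiply also rounds, so this counts the bias from the
    pigeonhole effect alone."""
    return (2 ** bits) % n


if __name__ == "__main__":
    n = 12345  # the bound used in the message
    # Scaling: some results are hit 6 times, the rest 5 times.
    print("scaled float :", summarize(scaled_float_counts(n, 16), n))
    # Rejection sampling: every result is hit exactly once.
    print("rejection    :", summarize(rejection_counts(n), n))
    print("favoured at 53 bits:", favoured_results(n, 53), "of", n)
```

The bias shrinks as the width grows (a relative difference of about n / 2**bits between favoured and unfavoured results), but it only reaches zero when 2**bits is a multiple of n.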