[Python-ideas] Should our default random number generator be secure?
Stefan Krah
skrah at bytereef.org
Wed Sep 9 20:17:27 CEST 2015
<random832 at ...> writes:
> On Wed, Sep 9, 2015, at 14:00, Stefan Krah wrote:
> > My intuition is that if someone just uses a random() function
> > without checking if it's cryptographically secure then the
> > application will probably have other holes as well. I mean,
> > for example no one is going to use C's rand() function for crypto.
>
> Let's turn the question around - what's the _benefit_ of having a random
> number generator available that _isn't_ cryptographically secure? One
> possible argument is performance. If that's the issue - what are our
> performance targets? How can they be measured? Another argument is that
> some applications really do need deterministic seeding. Is there a
> reason not to require them to be explicit about it?
As you say, performance:
http://www.pcg-random.org/rng-performance.html
Random number generation is a very broad field. I'm not a specialist,
so I just entered "Mersenne Twister" into an academic search engine
and got many results, but none for arc4random.
It's an interesting question you ask. I'd have to do a lot of reading
first to get an overview.
Stefan Krah
More information about the Python-ideas
mailing list