[Python-ideas] Should our default random number generator be secure?

Stefan Krah skrah at bytereef.org
Wed Sep 9 20:17:27 CEST 2015

 <random832 at ...> writes:
> On Wed, Sep 9, 2015, at 14:00, Stefan Krah wrote:
> > My intuition is that if someone just uses a random() function
> > without checking if it's cryptographically secure then the
> > application will probably have other holes as well.  I mean,
> > for example no one is going to use C's rand() function for crypto.
> Let's turn the question around - what's the _benefit_ of having a random
> number generator available that _isn't_ cryptographically secure? One
> possible argument is performance. If that's the issue - what are our
> performance targets? How can they be measured? Another argument is that
> some applications really do need deterministic seeding. Is there a
> reason not to require them to be explicit about it?

As you say, performance:


Random number generation is a very broad field. I'm not a specialist,
so I just entered "Mersenne Twister" into an academic search engine
and got many results, but none for arc4random.

It's an interesting question you ask. I'd have to do a lot of reading
first to get an overview.

Stefan Krah

More information about the Python-ideas mailing list