[Python-ideas] Should our default random number generator be secure?

Steven D'Aprano steve at pearwood.info
Thu Sep 10 04:11:08 CEST 2015

On Wed, Sep 09, 2015 at 08:55:06PM -0500, Tim Peters wrote:
> [Alexander Walters <tritium-list at sdamon.com>]
> > In a word - No.
> >
> > There is zero reason for people doing crypto to use the random module,
> > therefor we should not change the random module to be cryptographically
> > secure.
> >
> > Don't break things and slow my code down by default for dubious reasons,
> > please.
> Would your answer change if a crypto generator were _faster_ than MT?
> MT isn't speedy by modern standards, and is cache-hostile (about 2500
> bytes of mutable state).
> Not claiming a crypto hash _would_ be faster.  But it is possible.

If the crypto PRNG were comparable in speed to what we have now (not 
significantly slower), or faster, *and* gave reproducible results with 
the same seed, *and* had no known/detectable statistical biases), and we 
could promise that those properties would continue to hold even when the 
state of the art changed and we got a new default crypto PRNG, then I'd 
still be -0.5 on the change due to the "false sense of security" factor.

As I've already mentioned in another comment, I'm with Paul Moore -- I 
think anyone foolish/ignorant/lazy/malicious enough to use the default 
PRNG for crypto is surely making more than one mistake, and fixing that 
one thing for them will just give people a false sense of security.


More information about the Python-ideas mailing list