[Python-ideas] Should our default random number generator be secure?

Nathaniel Smith njs at pobox.com
Thu Sep 10 05:56:56 CEST 2015

On Wed, Sep 9, 2015 at 8:35 PM, Tim Peters <tim.peters at gmail.com> wrote:
> There are some clean and easy approaches to this based on
> crypto-inspired schemes, but giving up crypto strength for speed.  If
> you haven't read it, this paper is delightful:
>     http://www.thesalmons.org/john/random123/papers/random123sc11.pdf

It really is! As AES acceleration instructions become more common
(they're now standard IIUC on x86, x86-64, and even recent ARM?), even
just using AES in CTR mode becomes pretty compelling -- it's fast,
deterministic, provably equidistributed, *and* cryptographically
secure enough for many purposes.

(Compared to a true state-of-the-art CPRNG the naive version fails due
to lack of incremental mixing, and the use of a reversible transition
function. But even these are mostly only important to protect against
attackers who have access to your memory -- which is not trivial as
heartbleed shows, but still, it's *waaay* ahead of something like MT
on basically every important axis.)


Nathaniel J. Smith -- http://vorpus.org

More information about the Python-ideas mailing list