[Python-ideas] Should our default random number generator be secure?

Nathaniel Smith njs at pobox.com
Thu Sep 10 06:59:08 CEST 2015


On Wed, Sep 9, 2015 at 4:23 PM, Greg Ewing <greg.ewing at canterbury.ac.nz> wrote:
> Steven D'Aprano wrote:
>>
>> one desirable property of PRNGs is that you can repeat a sequence of
>> values if you re-seed with a known value. Does arc4random keep that
>> property?
>
> Another property that's important for some applications is
> to be able to efficiently "jump ahead" some number of steps
> in the sequence, to produce multiple independent streams of
> numbers. It would be good to know if that is possible with
> arc4random.

The answer to both of these questions is no. For modern cryptographic
PRNGs, full determinism is considered a flaw, and determinism is a
necessary precondition to supporting jumpahead.

The reason is that even if an attacker learns your secret RNG state at
time t, then you want this to have a limited impact -- they'll
obviously be able to predict your RNG output for a while, but you
don't want them to be able to predict it from now until the end of
time. So determinism is considered bad, and high-quality CPRNGs
automatically reseed themselves with new entropy according to some
carefully designed schedule. And OpenBSD's "arc4random" generator is a
high-quality CPRNG in this sense.

-- 
Nathaniel J. Smith -- http://vorpus.org
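An added example (not part of this thread, and not arc4random's or CPython's code) that makes the two properties under discussion concrete. It contrasts Python's seedable `random.Random` with `random.SystemRandom`, and then uses a hypothetical hash-based generator, `ToyReseedingPRNG` (a teaching construction I made up for this example, not a real CPRNG design), to show why periodic reseeding limits what a leaked state reveals and why the same reseeding makes jump-ahead impossible across a reseed boundary. The seed bytes and the zero-filled "entropy" used for the attacker's clone are constructed values.

```python
import hashlib
import os
import random
from typing import Callable, List, Optional


def reproducible_stream(seed: int, n: int) -> List[int]:
    """Python's default generator (Mersenne Twister) is fully deterministic:
    re-seeding with the same value replays the same sequence."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def system_stream(n: int) -> List[int]:
    """random.SystemRandom reads os.urandom(); its seed() is documented as a
    no-op, so two instances seeded with the same value still diverge."""
    rng = random.SystemRandom()
    rng.seed(12345)  # ignored by SystemRandom
    return [rng.getrandbits(32) for _ in range(n)]


class ToyReseedingPRNG:
    """Hypothetical teaching generator, NOT a real CPRNG design.

    Output i = SHA-256(state || i).  After every `reseed_every` outputs the
    state is replaced by SHA-256(state || fresh entropy).  reseed_every=0
    disables reseeding, which makes the generator fully deterministic.
    """

    def __init__(self, seed: bytes, reseed_every: int,
                 entropy_source: Callable[[int], bytes] = os.urandom) -> None:
        self.state = hashlib.sha256(seed).digest()
        self.counter = 0
        self.reseed_every = reseed_every
        self.entropy_source = entropy_source

    def next_bytes(self) -> bytes:
        out = hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        # Reseed eagerly once a boundary is reached, so `state` always matches
        # the block that `counter` lives in.
        if self.reseed_every and self.counter % self.reseed_every == 0:
            self.state = hashlib.sha256(self.state + self.entropy_source(32)).digest()
        return out

    def jump_ahead(self, k: int) -> None:
        """Skip k outputs.  Only possible while no reseed boundary is crossed:
        past a reseed the state depends on entropy nobody can compute ahead."""
        if self.reseed_every:
            next_boundary = (self.counter // self.reseed_every + 1) * self.reseed_every
            if self.counter + k >= next_boundary:
                raise ValueError("cannot jump across a reseed boundary")
        self.counter += k


def attacker_prediction_window(reseed_every: int, total: int) -> int:
    """Model the scenario in the post: the attacker learns the full internal
    state mid-stream and runs a copy forward.  The copy cannot know the OS
    entropy the victim mixes in later (modelled here by a zero-filled source),
    so count how many of the next `total` outputs it predicts correctly."""
    victim = ToyReseedingPRNG(b"constructed seed", reseed_every)
    for _ in range(3):          # the leak happens after three outputs
        victim.next_bytes()
    clone = ToyReseedingPRNG(b"", reseed_every, entropy_source=lambda n: b"\x00" * n)
    clone.state, clone.counter = victim.state, victim.counter   # the leaked state
    correct = 0
    for _ in range(total):
        if clone.next_bytes() != victim.next_bytes():
            break
        correct += 1
    return correct


def jump_ahead_demo(reseed_every: int, k: int) -> Optional[bytes]:
    """Return output number k obtained via jump_ahead, or None if the
    generator refuses because a reseed boundary would be crossed."""
    gen = ToyReseedingPRNG(b"constructed seed", reseed_every)
    try:
        gen.jump_ahead(k)
    except ValueError:
        return None
    return gen.next_bytes()


if __name__ == "__main__":
    print("seeded replay identical:", reproducible_stream(42, 5) == reproducible_stream(42, 5))
    print("SystemRandom replay identical:", system_stream(5) == system_stream(5))
    print("leaked state predicts", attacker_prediction_window(8, 32), "outputs with reseeding")
    print("leaked state predicts", attacker_prediction_window(0, 32), "outputs without reseeding")
    print("jump ahead across reseed:", jump_ahead_demo(8, 1000))
```

With reseeding every 8 outputs the leaked state is good for the 5 outputs left in the current block and nothing after; with reseeding disabled the same leak predicts the whole stream, which is the trade the post describes between determinism (and the jump-ahead it enables) and limiting the damage of a state compromise.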

