[Python-ideas] Should our default random number generator be secure?

Nathaniel Smith njs at pobox.com
Tue Sep 15 14:34:36 CEST 2015


On Sep 15, 2015 4:57 AM, "Sturla Molden" <sturla.molden at gmail.com> wrote:
>
> On 15/09/15 09:36, Nathaniel Smith wrote:
>
>> Obviously the thing the scientists worry about is a *strict* subset of
>> what the cryptographers are worried about. This is why it is silly to
>> worry that a crypto RNG will cause problems for a scientific
>> simulation. The cryptographers take the scientists' real goal -- the
>> correctness of arbitrary programs like e.g. a monte carlo simulation
>> -- *much* more seriously than the scientists themselves do.
>
>
> No. Cryptographers care about predictability, not the exact distribution.
Any distribution can be considered randomness with a given entropy, but not
any distribution is uniform. Only the uniform distribution is uniform. That
is where our needs fail to meet. Cryptographers damn any RNG that allow the
internal state to be reconstructed. Scientists damn any RNG that do not
produce the distribution of interest.

No, this is simply wrong. I promise! ("Oh, sorry, this is
contradictions...") For the output of a cryptographic RNG, any deviation
from the uniform distribution is considered a flaw. (And as you know, given
uniform variates you can construct any distribution of interest.) If I know
that you're using a coin that usually comes up heads to generate your
passwords, then this gives me a head start in guessing your passwords, and
that's considered unacceptable.

Or for further evidence, consider: "Scott Fluhrer and David McGrew also
showed such attacks which distinguished the keystream of the RC4 from a
random stream given a gigabyte of output." --
https://en.m.wikipedia.org/wiki/RC4#Biased_outputs_of_the_RC4

This result is listed on wikipedia because the existence of a program that
can detect a deviation from perfect uniformity given a gigabyte of samples
and an arbitrarily complicated test statistic is considered a publishable
security flaw (and RC4 is generally deprecated because of this and related
issues -- this is why openbsd's "arc4random" function no longer uses
(A)RC4).

-n
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150915/40a58bc7/attachment.html>


More information about the Python-ideas mailing list