[Python-ideas] Should our default random number generator be secure?
Sturla Molden
sturla.molden at gmail.com
Tue Sep 15 16:27:37 CEST 2015
On 15/09/15 14:34, Nathaniel Smith wrote:
> No, this is simply wrong. I promise! ("Oh, sorry, this is
> contradictions...") For the output of a cryptographic RNG, any deviation
> from the uniform distribution is considered a flaw. (And as you know,
> given uniform variates you can construct any distribution of interest.)
> If I know that you're using a coin that usually comes up heads to
> generate your passwords, then this gives me a head start in guessing
> your passwords, and that's considered unacceptable.
The uniform distribution has the highest entropy, yes, but it does not
mean that other distributions are unacceptable. The sequence just has to
be incredibly hard to predict. A non-uniform distribution will give an
adversary a head start, that is true, but if the adversary still cannot
complete the brute-force attack before the end of the universe there is
little help in knowing this.
In scientific computing we do not care about adversaries. We care about
the correctness of our numerical result. That means we should be fuzzy
about the distribution, not about the predictability or "randomness" of
a sequence, nor about adversaries looking to recover the internal state.
MT is proven to be uniform (equidistributed) up to 623 dimensions, but
it is incredibly easy to recover the internal state. The latter we do
not care about. In fact, we can often do even better with "quasi-random"
sequences, e.g. Sobol sequences, which are not constructed to produce
"uncorrelated" points, but constructed to produce correlated points that
are deliberately more uniform than uncorrelated points.
Sturla
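An added example (my own code, not part of the thread or of the Python standard library) to make the distinction in the post concrete: a quasi-random sequence such as van der Corput/Halton is built to fill space evenly, so 2^k consecutive base-2 points land in 2^k equal-width bins exactly once each, while 2^k independent Mersenne Twister draws inevitably leave some bins empty and double up others. The same code shows that for anything secret-dependent the `secrets` module, not `random`, is the right tool. The seed value, bin counts and point counts below are assumptions chosen for the demonstration.

```python
"""Uniform-for-science vs uniform-for-crypto: an illustrative comparison."""
import random
import secrets
from collections import Counter


def van_der_corput(n: int, base: int = 2) -> float:
    """n-th point of the van der Corput sequence in [0, 1): reverse the
    base-`base` digits of n across the radix point."""
    x, denom = 0.0, 1.0
    while n > 0:
        n, digit = divmod(n, base)
        denom *= base
        x += digit / denom
    return x


def halton(count: int, bases=(2, 3)):
    """`count` points of the 2-D Halton sequence, indices 1..count
    (one van der Corput sequence per coordinate, coprime bases)."""
    return [tuple(van_der_corput(i, b) for b in bases) for i in range(1, count + 1)]


def mt_points(count: int, seed: int = 12345):
    """`count` 2-D points from a seeded Mersenne Twister (seed is an
    arbitrary constructed value so the run is reproducible)."""
    rng = random.Random(seed)
    return [(rng.random(), rng.random()) for _ in range(count)]


def bin_counts(values, bins: int) -> Counter:
    """How many values fall into each of `bins` equal-width bins of [0, 1)."""
    return Counter(min(int(v * bins), bins - 1) for v in values)


def max_bin_occupancy(values, bins: int) -> int:
    """1 means every bin was hit exactly once (perfect stratification)."""
    return max(bin_counts(values, bins).values())


def estimate_pi(points) -> float:
    """Monte Carlo pi from points in the unit square (quarter-circle test)."""
    inside = sum(1 for x, y in points if x * x + y * y < 1.0)
    return 4.0 * inside / len(points)


if __name__ == "__main__":
    n = 64  # 2**6 points into 2**6 bins
    qmc_x = [van_der_corput(i) for i in range(1, n + 1)]
    mt_x = [x for x, _ in mt_points(n)]
    print("max bin occupancy, van der Corput:", max_bin_occupancy(qmc_x, n))
    print("max bin occupancy, Mersenne Twister:", max_bin_occupancy(mt_x, n))
    print("pi via Halton(4096):", estimate_pi(halton(4096)))
    print("pi via MT(4096):", estimate_pi(mt_points(4096)))
    # The scientist's "uniform" is about coverage; the cryptographer's
    # "uniform" is about unpredictability. For tokens, keys or passwords
    # use the OS CSPRNG via `secrets`, never `random`.
    print("session token:", secrets.token_hex(16))
```

The quasi-random points win on coverage precisely because they are correlated with each other; that same structure makes them trivially predictable, which is why they are fine for integration and useless for generating secrets.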