[Python-ideas] Should our default random number generator be secure?

Sturla Molden sturla.molden at gmail.com
Tue Sep 15 16:27:37 CEST 2015

On 15/09/15 14:34, Nathaniel Smith wrote:

> No, this is simply wrong. I promise! ("Oh, sorry, this is
> contradictions...") For the output of a cryptographic RNG, any deviation
> from the uniform distribution is considered a flaw. (And as you know,
> given uniform variates you can construct any distribution of interest.)
> If I know that you're using a coin that usually comes up heads to
> generate your passwords, then this gives me a head start in guessing
> your passwords, and that's considered unacceptable.

The uniform distribution has the highest entropy, yes, but it does not 
mean that other distributions are unacceptable. The sequence just has to 
be incredibly hard to predict. A non-uniform distribution will give an 
adversary a head start, that is true, but if the adversary still cannot 
complete the brute-force attack before the end of the universe there is 
little help in knowing this.

In scientific computing we do not care about adversaries. We care about 
the correctness of our numerical result. That means we should be fuzzy 
about the distribution, not about the predictability or "randomness" of 
a sequence, nor about adversaries looking to recover the internal state. 
MT is proven to be uniform (equidistributed) up to 623 dimensions, but 
it is incredibly easy to recover the internal state. The latter we do 
not care about. In fact, we can often do even better with "quasi-random" 
sequences, e.g. Sobol sequences, which are not constructed to produce 
"uncorrelated" points, but constructed to produce correlated points that 
are delibarately more uniform than uncorrelated points.


More information about the Python-ideas mailing list