[Python-ideas] Should our default random number generator be secure?

Tim Peters tim.peters at gmail.com
Tue Sep 15 17:46:04 CEST 2015

[M.-A. Lemburg <mal at egenix.com>]
> ...
> If you can come up with a crypto RNG that allows repeating the
> results, I think you'd have us all convinced, otherwise it
> doesn't really make sense to compare apples and oranges,
> and insisting that orange juice is better for you than
> apple juice ;-)

For example, run AES in CTR mode.  Remember that we did something
related on whatever mailing list it was ;-) discussing the PSF's
voting system, to break ties in a reproducible-by-anyone way using
some public info ("news") that couldn't be known until after the
election ended.

My understanding is that ChaCha20 (underlying currently-trendy
implementations of arc4random) is not only deterministic, it even
_could_ support an efficient jumpahead(n) operation.  The specific
OpenBSD implementation of arc4random goes beyond just using ChaCha20
by periodically scrambling the state with kernel-obtained "entropy"
too, and that makes it impossible to reproduce its sequence.  But it
would remain a crytpo-strength generator without that extra scrambling

Note that these _can_ be very simple to program.  The "Blum Blum Shub"
crypto generator from 30 years ago just iteratively squares a "big
integer" modulo a (carefully chosen) constant.  Not only
deterministic, given any integer `i` it's efficient to directly
compute the i'th output.  It's an expensive generator, though
(typically only 1 output bit is derived from each modular squaring

More information about the Python-ideas mailing list