[Python-ideas] Should our default random number generator be secure?
mal at egenix.com
Tue Sep 15 19:42:38 CEST 2015
On 15.09.2015 17:46, Tim Peters wrote:
> [M.-A. Lemburg <mal at egenix.com>]
>> If you can come up with a crypto RNG that allows repeating the
>> results, I think you'd have us all convinced, otherwise it
>> doesn't really make sense to compare apples and oranges,
>> and insisting that orange juice is better for you than
>> apple juice ;-)
> For example, run AES in CTR mode. Remember that we did something
> related on whatever mailing list it was ;-) discussing the PSF's
> voting system, to break ties in a reproducible-by-anyone way using
> some public info ("news") that couldn't be known until after the
> election ended.
Ah, now we're getting somewhere :-)
If we accept that non-guessable, but deterministic is a good
compromise, then adding a cipher behind MT sounds like a reasonable
way forward, even as default.
For full crypto strength, people would still have to rely on
solutions like /dev/urandom or the OpenSSL one (or reseed the
default RNG every now and then). All others get the benefit of
non-guessable, but keep the ability to seed the default RNG in
Is there some research on this (MT + cipher or hash) ?
> My understanding is that ChaCha20 (underlying currently-trendy
> implementations of arc4random) is not only deterministic, it even
> _could_ support an efficient jumpahead(n) operation. The specific
> OpenBSD implementation of arc4random goes beyond just using ChaCha20
> by periodically scrambling the state with kernel-obtained "entropy"
> too, and that makes it impossible to reproduce its sequence. But it
> would remain a crypto-strength generator without that extra scrambling
> Note that these _can_ be very simple to program. The "Blum Blum Shub"
> crypto generator from 30 years ago just iteratively squares a "big
> integer" modulo a (carefully chosen) constant. Not only
> deterministic, given any integer `i` it's efficient to directly
> compute the i'th output. It's an expensive generator, though
> (typically only 1 output bit is derived from each modular squaring
IMO, that's a different discussion and we should rely on existing
well tested full entropy mixers (urandom or OpenSSL) until the researchers
have come up with something like MT for chaotic PRNGs.
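The Blum Blum Shub generator mentioned above, as an added example that is not part of this thread or of CPython: it is deterministic and seedable like MT, and the i'th state can be computed directly from the seed (x_i = x_0^(2^i mod lambda(M)) mod M), so jumpahead costs one modular exponentiation rather than i squarings. The primes 11 and 23 and seed 3 are constructed toy values for illustration only.

```python
"""Blum Blum Shub: a deterministic, seedable generator with direct jumpahead."""
from math import gcd


class BlumBlumShub:
    def __init__(self, p, q, seed):
        # p and q must be distinct primes congruent to 3 (mod 4) ("Blum primes");
        # real use needs primes of ~1024 bits each, and only the low bit(s) of
        # each state are emitted. The toy primes used below are for illustration.
        if p % 4 != 3 or q % 4 != 3 or p == q:
            raise ValueError("p and q must be distinct primes congruent to 3 (mod 4)")
        self.M = p * q
        # Carmichael's lambda(M) = lcm(p-1, q-1): exponents of x_0 can be reduced mod it
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        if gcd(seed, self.M) != 1:
            raise ValueError("seed must be coprime to M")
        self.x0 = pow(seed, 2, self.M)   # x_0 = seed^2 mod M
        self.x = self.x0
        self.i = 0

    def next_state(self):
        """Advance one step: x_{i+1} = x_i^2 mod M."""
        self.x = pow(self.x, 2, self.M)
        self.i += 1
        return self.x

    def next_bit(self):
        """Emit the least significant bit of the next state."""
        return self.next_state() & 1

    def state_at(self, i):
        """Compute x_i directly from the seed without iterating: x_0^(2^i mod lambda) mod M."""
        return pow(self.x0, pow(2, i, self.lam), self.M)

    def jumpahead(self, n):
        """Skip n steps in O(log) modular exponentiations instead of n squarings."""
        self.i += n
        self.x = self.state_at(self.i)

    def getrandbits(self, k):
        """Assemble k output bits into an integer (reproducible for a given seed)."""
        out = 0
        for _ in range(k):
            out = (out << 1) | self.next_bit()
        return out


if __name__ == "__main__":
    gen = BlumBlumShub(11, 23, 3)              # constructed toy parameters
    print([gen.next_state() for _ in range(6)])  # sequential states
    print(BlumBlumShub(11, 23, 3).state_at(6))   # same x_6 via jumpahead formula
```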
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg