[Python-ideas] Should our default random number generator be secure?

M.-A. Lemburg mal at egenix.com
Tue Sep 15 19:42:38 CEST 2015 

On 15.09.2015 17:46, Tim Peters wrote:
> [M.-A. Lemburg <mal at egenix.com>]
>> ...
>> If you can come up with a crypto RNG that allows repeating the
>> results, I think you'd have us all convinced, otherwise it
>> doesn't really make sense to compare apples and oranges,
>> and insisting that orange juice is better for you than
>> apple juice ;-)
> 
> For example, run AES in CTR mode.  Remember that we did something
> related on whatever mailing list it was ;-) discussing the PSF's
> voting system, to break ties in a reproducible-by-anyone way using
> some public info ("news") that couldn't be known until after the
> election ended.

Ah, now we're getting somewhere :-)

If we accept that non-guessable, but deterministic is a good
compromise, then adding a cipher behind MT sounds like a reasonable
way forward, even as default.

For full crypto strength, people would still have to rely on
solutions like /dev/urandom or the OpenSSL one (or reseed the
default RNG every now and then). All others get the benefit of
non-guessable, but keep the ability to seed the default RNG in
Python.

Is there some research on this (MT + cipher or hash) ?

> My understanding is that ChaCha20 (underlying currently-trendy
> implementations of arc4random) is not only deterministic, it even
> _could_ support an efficient jumpahead(n) operation.  The specific
> OpenBSD implementation of arc4random goes beyond just using ChaCha20
> by periodically scrambling the state with kernel-obtained "entropy"
> too, and that makes it impossible to reproduce its sequence.  But it
> would remain a crytpo-strength generator without that extra scrambling
> step.
> 
> Note that these _can_ be very simple to program.  The "Blum Blum Shub"
> crypto generator from 30 years ago just iteratively squares a "big
> integer" modulo a (carefully chosen) constant.  Not only
> deterministic, given any integer `i` it's efficient to directly
> compute the i'th output.  It's an expensive generator, though
> (typically only 1 output bit is derived from each modular squaring
> operation).

IMO, that's a different discussion and we should rely on existing
well tested full entropy mixers (urandom or OpenSSL) until the researchers
have come with something like MT for chaotic PRNGs.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Sep 15 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________
2015-09-14: Released mxODBC Plone/Zope DA 2.2.3   http://egenix.com/go84
2015-09-18: PyCon UK 2015 ...                               3 days to go
2015-09-26: Python Meeting Duesseldorf Sprint 2015         11 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

More information about the Python-ideas mailing list