[Python-ideas] Should our default random number generator be secure?

Nathaniel Smith njs at pobox.com
Wed Sep 16 11:02:36 CEST 2015


On Wed, Sep 16, 2015 at 1:21 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>
>
> On 16.09.2015 02:43, Tim Peters wrote:
>> [Tim, on CryptMT]
>>> I did see one paper suggesting it was possible to distinguish the
>>> output of that from a truly random sequence given 2**50 consecutive
>>> outputs (but that's all - still no way to deduce the state).
>>
>> Sorry:  not 2**50 consecutive outputs (which are bytes), but 2**50
>> consecutive output bits, so only 2**47 outputs.
>
> Thanks for the "CryptMT" pointers. I'll do some research after PyCon UK
> on this.
>
> http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/CRYPTMT/index.html
>
> A quick glimpse at
>
> http://www.ecrypt.eu.org/stream/p3ciphers/cryptmt/cryptmt_p3.pdf
>
> suggests that this is a completely new stream cipher, though it
> uses the typical elements (key + non-linear filter + feedback loop).

NB that that paper also says that it's patented and requires a license
for commercial use.

> The approach is interesting, though: they propose an PRNG which
> can then get used as stream cipher by XOR'ing the PRNG output with
> the data stream. So the PRNG implies the cipher, not the other way
> around as many other approaches to CSPRNGs.
>
> That's probably also one of its perceived weaknesses: it's different
> than the common approach.

I think you just described the standard definition of a stream cipher?
"Stream cipher" is just the crypto term for a deterministic RNG, that
you XOR with data. (However it's a not a CSPRNG, because those require
seeding schedules and things like that -- check out e.g. Fortuna.)

-n

-- 
Nathaniel J. Smith -- http://vorpus.org


More information about the Python-ideas mailing list