[Python-ideas] PEP 504: Using the system RNG by default

Donald Stufft donald at stufft.io
Wed Sep 16 19:17:22 CEST 2015

On September 16, 2015 at 1:10:09 PM, Random832 (random832 at fastmail.com) wrote:
> On Wed, Sep 16, 2015, at 11:54, Nick Coghlan wrote:
> > * random._inst is a SystemRandom() instance by default
> He has a point on the performance issue. The difference between Random
> and SystemRandom on my machine is significantly more than an order of
> magnitude. (Calling libc's arc4random with ctypes was roughly in the
> middle, though I *suspect* a lot of that was due to ctypes overhead).
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/

I did the benchmark already: https://bpaste.net/show/79cc134a12b1

Using this code: https://github.com/dstufft/randtest

However, using anything except for urandom is warned against by most security experts I’ve talked to. Most of them are only OK with it, if it means we’re using a CSPRNG by default in the random.py module, but not if it’s not the default. Even then, one of them thought that using a userspace CSPRNG instead of urandom was a bad idea (The rest though it was better than the status quo). They all agreed that splitting the namespace was a good idea.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the Python-ideas mailing list