SHA-based subclass for random module

Raymond Hettinger python at
Mon Mar 22 19:47:10 CET 2004

Holger Duerer <H.Duerer at> wrote in message news:<87oeqpaqih.fsf at>...
> >>>>> "Raymond" == Raymond Hettinger <python at> writes:
>     >> Since the size of plaintext is only 2^53, can't I just
>     >> calculate all 2^53 md5 values in advance, and invert the output
>     >> of MD5Random to get MT outputs, then attack MT just like any
>     >> LFSR?
>     Raymond> Change the plaintext line to read:
>     Raymond>         plaintxt = str(Random.getrandbits(self, 128))
>     Raymond> Now, 128 bits of input space gets digested to 128 bits
>     Raymond> and then only 53 of those bits are used in to compute the
>     Raymond> float.  That should preclude the formation of an
>     Raymond> inversion table.
> I don't know what getrandbits does exactly.  But if it uses the normal
> PRNG code, doesn't that mean that your plaintext still has only 32
> bits of entropy?  I.e. if you want to do an inversion lookup table,
> you would only have to calculate the 2^32 possible outcomes of this
> call and not all 2^128 theoretically possible ones?

genrandbits() pulls as many bits as requested out of the underlying
generator.  The Mersenne Twister carries 624 words of internal state
(about 20000 bits) so it is capable of supplying all the bits needed
for this application.

So, yes, the plaintext will span the 2^128 possibilities.


More information about the Python-list mailing list