SHA-based subclass for random module

Raymond Hettinger python at rcn.com
Tue Mar 23 03:36:05 EST 2004


[Holger Duerer]
>     >> I don't know what getrandbits does exactly.  But if it uses the
>     >> normal PRNG code, doesn't that mean that your plaintext still
>     >> has only 32 bits of entropy?  I.e. if you want to do an
>     >> inversion lookup table, you would only have to calculate the
>     >> 2^32 possible outcomes of this call and not all 2^128
>     >> theoretically possible ones?
>
>     Raymond> genrandbits() pulls as many bits as requested out of the
>     Raymond> underlying generator.  The Mersenne Twister carries 624
>     Raymond> words of internal state (about 20000 bits) so it is
>     Raymond> capable of supplying all the bits needed for this
>     Raymond> application.
>
>     Raymond> So, yes, the plaintext will span the 2^128 possibilities.

[Holger Duerer]
> Well, I am aware that the state is larger.  But my understanding from
> a quick glance at the code was that you seed it with only an unsigned
> long (automatically done with time(NULL) for you if you don't provide
> a seed -- even worse as it reduces the search space dramatically).

The seed(x) method accepts longs and can have an arbitrary number of
bits.  If using this proposed generator cryptographically, the seed
should be viewed as a key and all the usual precautions should be
taken (secrecy, long length, and a pure random source).  So, whatever
you do, don't seed it with time!


Raymond
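The exchange above makes two points worth seeing in code: a generator seeded from time() has only a tiny seed space no matter how large its internal state, and a seed drawn from a real random source has to be treated as a key. The following is an added example, not code from the thread or from the proposed SHA-based subclass. It is written for Python 3 (the `secrets` module is 3.6+), uses only the standard library, and the victim timestamp, guess window and 200-bit "strong" seed are constructed values for the demonstration.

```python
import random
import secrets
from typing import Optional, Tuple

NBITS = 128  # the 128-bit plaintext size discussed in the thread


def seeded_output(seed: int, nbits: int = NBITS) -> int:
    """Seed the Mersenne Twister with an integer and pull nbits out with
    getrandbits().  The 624-word state is fully determined by the seed, so
    the output is a deterministic function of however many bits the seed has."""
    rng = random.Random(seed)
    return rng.getrandbits(nbits)


def recover_time_seed(observed: int, guess_center: int, window: int,
                      nbits: int = NBITS) -> Optional[Tuple[int, random.Random]]:
    """Attacker side against a time()-seeded generator: given one observed
    output and a rough idea of when it was produced, re-seed with every
    timestamp within +/-window seconds until one reproduces the output.
    On success, return the seed and a Random in the same state as the
    victim's, so every later output can be predicted as well."""
    for delta in range(-window, window + 1):
        candidate = guess_center + delta
        rng = random.Random(candidate)
        if rng.getrandbits(nbits) == observed:
            return candidate, rng
    return None


def fresh_key_seed(bits: int = 256) -> int:
    """The advice from the post applied: treat the seed as a key and draw it
    from the OS CSPRNG via the secrets module so it is long and unguessable."""
    return secrets.randbits(bits)


def demo() -> dict:
    # Constructed scenario: the victim seeds with a 2004-era Unix timestamp
    # and emits one 128-bit value; the attacker knows the time to within an hour.
    victim_seed = 1_080_000_000
    victim = random.Random(victim_seed)
    leaked = victim.getrandbits(NBITS)        # what the attacker observed
    victim_next = victim.getrandbits(NBITS)   # what the attacker wants to predict

    hit = recover_time_seed(leaked, guess_center=victim_seed + 37, window=3600)
    recovered_seed, cloned = hit if hit else (None, None)
    predicted_next = cloned.getrandbits(NBITS) if cloned else None

    # Same search against a generator keyed from a long secret seed: the
    # window search finds nothing, and no feasible search would.  A fixed
    # 200-bit constant stands in for fresh_key_seed() to keep this repeatable.
    strong_seed = 2**200 + 12345
    strong_leaked = seeded_output(strong_seed)
    strong_hit = recover_time_seed(strong_leaked, guess_center=victim_seed, window=3600)

    return {
        "recovered_seed": recovered_seed,
        "predicted_matches": predicted_next == victim_next,
        "strong_seed_recovered": strong_hit is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The search over a one-hour window takes a fraction of a second, and once the seed is known the attacker's clone predicts every later getrandbits() call, which is why the 2^128 figure in the quoted exchange is meaningless when the seed has 32 bits or fewer. Seeding with a 256-bit value from `secrets.randbits()` closes that hole, but the usual caveat still applies: the Mersenne Twister itself is not a cryptographic generator, and for anything that needs unpredictable output the standard library's `secrets` module or `random.SystemRandom` is the tool to reach for.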


