The urandom is os-specific:

"This function returns random bytes from an OS-specific randomness
source. The returned data should be unpredictable enough for
cryptographic applications, though its exact quality depends on the OS
implementation. On a UNIX-like system this will query /dev/urandom,
and on Windows it will use CryptGenRandom."

I don't know whether this will be good enough. If not, I guess we'll
have to use some external package (openssl?)  or implement our own
algorithm.

Regards,
Thomas



On Tue, Jul 6, 2010 at 15:40, Ivan Bjerre Damgård <i...@cs.au.dk> wrote:
> It is not good to use the wrong kind of PRG, it should
> be fixed as soon as possible. But do we know that
> os.urandom will be OK on any platform, or is this
> OS -dependent at the end of the day?
>
> - Ivan
>
> On 06/07/2010, at 15.22, Thomas P Jakobsen wrote:
>
>> VIFF itself as well as most protocols implemented in VIFF uses the
>> viff.util package for random number generation. This package in turn
>> uses the random package in the Python standard library. This means
>> that random numbers are generated using a Mersenne twister.
>>
>> As far as I can see, this is a problem, since Mersenne twister PRNGs
>> are generally not suited for cryptographic usage. E.g. it is not known
>> to pass the "next-bit test" and withstand the "state compromise
>> extensions", see
>> http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator.
>>
>> One solution would be to use the os.urandom() function instead. This
>> has specifically been designed to produce cryptographically secure
>> random numbers.
>>
>> (We should probably keep the old random generator, too. It is probably
>> faster and not all random numbers used in VIFF and VIFF programs need
>> to be cryptographically secure.)
>>
>>
>> Let me know what you think about this.
>>
>> Kind regards,
>> Thomas
>> _______________________________________________
>> viff-devel mailing list (http://viff.dk/)
>> viff-devel@viff.dk
>> http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk
>
>
_______________________________________________
viff-devel mailing list (http://viff.dk/)
viff-devel@viff.dk
http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk

Reply via email to