Christopher Gurnee added the comment: > If you have to care about security, you shouldn't use the random module > at all. random.SystemRandom() merely uses a CPRNG as entropy source. But > It also manipulates numbers in ways that may or may not be safe.
I must respectfully disagree with this. The current docs say: > Use os.urandom() or SystemRandom if you require a cryptographically > secure pseudo-random number generator. That's a pretty strong statement, and IMO it would lead most to believe that SystemRandom along with *all* of its member functions is safe to use for cryptographic purposes[1] (assuming of course that os.urandom() is also a safe CSPRNG). As a compromise, perhaps SystemRandom could provide its own randrange() with the #9025 fix, while keeping random.randrange() unmodified to preserve the implied same-sequence rule. [1] I don't mean to imply that this bias bug necessarily is a cryptographic safety issue--it seems unlikely to me that it is one, however not being a cryptographer myself, I'd rather not draw any conclusions either way, and instead I'd prefer to err on the side of safety. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue23974> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
