It is not good to use the wrong kind of PRG; it should be fixed as soon as possible. But do we know that os.urandom will be OK on any platform, or is this OS-dependent at the end of the day?
On 06/07/2010, at 15.22, Thomas P Jakobsen wrote:
> VIFF itself as well as most protocols implemented in VIFF uses the
> viff.util package for random number generation. This package in turn
> uses the random package in the Python standard library. This means
> that random numbers are generated using a Mersenne twister.
> As far as I can see, this is a problem, since Mersenne twister PRNGs
> are generally not suited for cryptographic usage. E.g. it is not known
> to pass the "next-bit test" and withstand the "state compromise
> extensions", see
> One solution would be to use the os.urandom() function instead. This
> has specifically been designed to produce cryptographically secure
> random numbers.
> (We should probably keep the old random generator, too. It is probably
> faster and not all random numbers used in VIFF and VIFF programs need
> to be cryptographically secure.)
> Let me know what you think about this.
> Kind regards,
> viff-devel mailing list (http://viff.dk/)
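The two points raised in this thread, that random numbers feeding a protocol must come from an OS-backed CSPRNG rather than the Mersenne twister in Python's random module, while a fast seedable generator can stay for non-secret uses, can be illustrated with a small helper module. The code below is an added example for this discussion and is not VIFF code or code from any thread participant. It assumes Python 3, uses os.urandom as the secure source as the thread suggests, and the function names (secure_randbelow, random_polynomial, os_randomness_available) and the injectable byte source parameter are choices made for this example. Sampling integers below a modulus uses rejection sampling so that reducing a random byte string modulo p does not skew the distribution. On the portability question: os.urandom reads from an OS-specific source (/dev/urandom on Unix-like systems, the Windows system CSPRNG on Windows) and raises NotImplementedError when no source is found, which is what the availability check reports.

```python
import os
import random


def os_randomness_available():
    """Report whether os.urandom has a usable OS entropy source on this platform.

    os.urandom raises NotImplementedError when the interpreter cannot find
    one, so this is the check to run before relying on it in a protocol.
    """
    try:
        os.urandom(1)
        return True
    except NotImplementedError:
        return False


def secure_randbelow(n, source=os.urandom):
    """Uniform integer in [0, n) drawn from a cryptographic byte source.

    source(k) must return k random bytes; the default is os.urandom.
    Rejection sampling avoids modulo bias: a candidate is only reduced
    modulo n when it lies below the largest multiple of n that fits in
    the sampled byte width.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    nbytes = (n.bit_length() + 7) // 8          # enough bytes to cover n - 1
    span = 1 << (8 * nbytes)                     # number of distinct byte strings
    limit = span - (span % n)                    # largest multiple of n <= span
    while True:
        candidate = int.from_bytes(source(nbytes), "big")
        if candidate < limit:
            return candidate % n


def random_polynomial(secret, degree, p, source=os.urandom):
    """Coefficients [secret, a_1, ..., a_degree] of a random polynomial over GF(p).

    This is the kind of randomness a secret-sharing protocol consumes:
    every non-constant coefficient must be unpredictable, so they come
    from the secure source, never from random.random().
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    return [secret] + [secure_randbelow(p, source) for _ in range(degree)]


def fast_rng(seed):
    """Seedable Mersenne twister for non-secret uses only (test vectors, shuffling benchmarks).

    Its output is predictable from its state, so nothing returned by this
    generator may be used as a key, nonce, share, or mask.
    """
    return random.Random(seed)


def make_byte_source(values):
    """Deterministic byte source built from a constructed list of byte values.

    Used here only to exercise the rejection path of secure_randbelow;
    a real caller leaves the source parameter at its os.urandom default.
    """
    it = iter(values)

    def source(k):
        return bytes(next(it) for _ in range(k))

    return source


if __name__ == "__main__":
    print("OS randomness available:", os_randomness_available())
    print("random element of GF(97):", secure_randbelow(97))
    print("degree-2 sharing polynomial for secret 5:", random_polynomial(5, 2, 97))
    # Constructed source: 250 is >= 250 (the limit for n = 10) and is rejected, 7 is accepted.
    print("rejection demo:", secure_randbelow(10, make_byte_source([250, 7])))
```

The injectable source parameter exists so the sampling logic can be checked with known bytes; in VIFF-style code the call sites would simply use the default and the check in os_randomness_available would run once at startup.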