The urandom is os-specific: "This function returns random bytes from an OS-specific randomness source. The returned data should be unpredictable enough for cryptographic applications, though its exact quality depends on the OS implementation. On a UNIX-like system this will query /dev/urandom, and on Windows it will use CryptGenRandom."
I don't know whether this will be good enough. If not, I guess we'll have to use some external package (openssl?) or implement our own algorithm.

Regards,
Thomas

On Tue, Jul 6, 2010 at 15:40, Ivan Bjerre Damgård <i...@cs.au.dk> wrote:
> It is not good to use the wrong kind of PRG, it should
> be fixed as soon as possible. But do we know that
> os.urandom will be OK on any platform, or is this
> OS-dependent at the end of the day?
>
> - Ivan
>
> On 06/07/2010, at 15.22, Thomas P Jakobsen wrote:
>
>> VIFF itself as well as most protocols implemented in VIFF use the
>> viff.util package for random number generation. This package in turn
>> uses the random package in the Python standard library. This means
>> that random numbers are generated using a Mersenne twister.
>>
>> As far as I can see, this is a problem, since Mersenne twister PRNGs
>> are generally not suited for cryptographic usage. E.g. it is not known
>> to pass the "next-bit test" and withstand the "state compromise
>> extensions", see
>> http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator.
>>
>> One solution would be to use the os.urandom() function instead. This
>> has specifically been designed to produce cryptographically secure
>> random numbers.
>>
>> (We should probably keep the old random generator, too. It is probably
>> faster and not all random numbers used in VIFF and VIFF programs need
>> to be cryptographically secure.)
>>
>>
>> Let me know what you think about this.
>>
>> Kind regards,
>> Thomas
>> _______________________________________________
>> viff-devel mailing list (http://viff.dk/)
>> firstname.lastname@example.org
>> http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk
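The concern discussed in this thread, as an added example that is not part of the original messages or of VIFF's code: a check showing that the standard library's Mersenne Twister fails the next-bit property once 624 consecutive 32-bit outputs are known, while the os.urandom-backed `random.SystemRandom`, which exposes the same interface, does not. The helper names and the seed value are constructed for illustration.

```python
import random

def _undo_right(y, shift):
    # Invert "y ^= y >> shift" on a 32-bit word by fixed-point iteration.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_left(y, shift, mask):
    # Invert "y ^= (y << shift) & mask" on a 32-bit word.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF

def untemper(y):
    # Reverse MT19937's output tempering, last step first.
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)

def clone_from_outputs(outputs):
    # Build a random.Random whose internal state equals the 624 words
    # implied by the observed outputs (index 624 = "block consumed").
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone

def predicted_matches(gen, n=100):
    # Observe 624 outputs of gen, then count how many of its next n
    # outputs the reconstructed generator predicts exactly.
    observed = [gen.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    return sum(clone.getrandbits(32) == gen.getrandbits(32) for _ in range(n))

if __name__ == "__main__":
    # Constructed seed; any seed gives the same result for the twister.
    print("Mersenne Twister:", predicted_matches(random.Random(2010)), "/ 100")
    print("SystemRandom:    ", predicted_matches(random.SystemRandom()), "/ 100")
```

Because `random.SystemRandom` is a subclass of `random.Random`, code that takes a generator object can be handed either one, which fits the suggestion in the thread to keep the fast generator for values that need not be secret.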