Indeed it should satisfy those properties. Say if you Shamir share something, the adversary might get t shares in order. If it can guess the next bit with non-negligible advantage, this will completely break our claim that the adversary has no information on the secret.

Luckily it should not be hard to replace. I think we knew about this earlier but just forgot, actually.

By the way, I am not sure we use any random numbers that should NOT secure in this way.

Citat af Thomas P Jakobsen <>:

VIFF itself as well as most protocols implemented in VIFF uses the
viff.util package for random number generation. This package in turn
uses the random package in the Python standard library. This means
that random numbers are generated using a Mersenne twister.

As far as I can see, this is a problem, since Mersenne twister PRNGs
are generally not suited for cryptographic usage. E.g. it is not known
to pass the "next-bit test" and withstand the "state compromise
extensions", see

One solution would be to use the os.urandom() function instead. This
has specifically been designed to produce cryptographically secure
random numbers.

(We should probably keep the old random generator, too. It is probably
faster and not all random numbers used in VIFF and VIFF programs need
to be cryptographically secure.)

Let me know what you think about this.

Kind regards,
viff-devel mailing list (

viff-devel mailing list (

Reply via email to