6

I came across this question on Stack Overflow: How to randomly select an item from a list in Python, and they mentioned that it is not suitable for cryptographic/security purposes.

So, I found this page in the official documentation: random - Generate pseudorandom numbers

It mentions that they use a Mersenne twister to generate random numbers.

Isn't Mersenne twister supposed to be a pretty decent random generator (at least that's what I was told in class)? So why can you not use it for security purposes?

Hiten
  • You shouldn't handle security yourself (especially on a programming language you can introspect to find the seed :o) – Benoît P Feb 13 '19 at 14:33
  • 1
    But isn't the seed for the random generator randomly generated using the OS library (if it exists) or the system clock? Even if that was not the case, how would using the security library (that they suggest), get over that? – Hiten Feb 13 '19 at 14:35
  • 2
    The intent of the `random` module is to provide usable random numbers for general purposes. But if you start using those random numbers for encryption then there may be someone prepared to invest effort in cracking your encryption, which is something that `random` is not designed to withstand. In that case, use the `secrets` module instead. See PEP 506 for the reasons why you should do this. – BoarGules Feb 13 '19 at 14:40
  • 1
    That's not my point, you could get the seed (introspection), and once you have it, you can predict all future numbers. Which is pretty bad in terms of security. – Benoît P Feb 13 '19 at 14:40
  • Using a "pretty decent random generator" for security purposes is really not on. Very easily hackable by determined attackers. Good security is very, very hard, so I agree with @BenoîtPilatte, don't try to handle it yourself. – joanis Feb 13 '19 at 14:40
  • Alright, that makes sense! Thanks a lot for your comments! Just as a side note, I wasn't trying to write my own security, I was just confused... – Hiten Feb 13 '19 at 14:43

1 Answer

5

Mersenne twister does a decent job of mimicking statistical properties (*) of randomness, but it is a deterministic algorithm. If two copies are set to the same state, they will produce identical results in synchronization. That means that for crypto/security applications your security is shot if an attacker can determine your initial state. I've read that for MT this can be done by knowledgeable people after six hundred and some sequential observations.

Bottom line - use it for Monte Carlo sampling or stochastic models, but not for crypto.

(*) - Actually, Pierre L'Ecuyer, who is considered one of the foremost researchers on pseudo-random number generation, is not a fan of MT even for Monte Carlo usage. He has shown that while the full cycle is uniformly distributed, zeros in the internal state tend to be persistent and the generator can get "stuck" for sizeable sub-periods in non-uniform subsequences. He collaborated with the creator of Mersenne Twister to fix these issues in the WELL generator.

pjs
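The "six hundred and some observations" in the answer is 624: that is the size of the MT19937 state array behind CPython's `random` module, and each 32-bit output is just one state word passed through an invertible "tempering" function. The following is an added worked example (not code from the question, the answer, or CPython) that inverts the tempering, rebuilds the state from 624 leaked `getrandbits(32)` values, and then predicts the victim's subsequent `random.choice` picks exactly. It assumes Python 3 and that the 624 observed outputs are consecutive and start right after a twist, which is the case when a freshly seeded generator is observed from its first output; the `demo`, `clone_mt`, `untemper` and `secure_pick` names are mine. The `secrets` contrast at the end shows why the `secrets` module (PEP 506) does not have this problem: `SystemRandom` has no state to replay.

```python
import random
import secrets

N = 624  # MT19937 state words; also the number of 32-bit outputs an attacker needs
MENU = ["apple", "banana", "cherry", "date", "elderberry", "fig", "grape"]  # constructed sample


def untemper(y):
    """Invert MT19937's output tempering to recover the raw state word.

    Tempering in CPython's genrand_uint32:
        y ^= y >> 11
        y ^= (y << 7)  & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
    Every step is a bijection on 32-bit words, so we undo them in reverse order.
    """
    y &= 0xFFFFFFFF
    # Undo y ^= y >> 18: the shift is >= 16, so applying it again inverts it.
    y ^= y >> 18
    # Undo y ^= (y << 15) & 0xEFC60000: the bits kept by the mask are fed only by
    # bits this step leaves untouched, so a single application inverts it.
    y ^= (y << 15) & 0xEFC60000
    # Undo y ^= (y << 7) & 0x9D2C5680: each pass repairs 7 more low bits.
    x = y
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    # Undo y ^= y >> 11: each pass repairs 11 more high bits.
    x = y
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_mt(observed):
    """Return a random.Random whose future outputs match the observed generator.

    `observed` must be 624 consecutive getrandbits(32) outputs taken right after
    a twist (assumption of this demo: a freshly seeded generator observed from
    its first output satisfies it).
    """
    if len(observed) != N:
        raise ValueError(f"need exactly {N} outputs, got {len(observed)}")
    state = tuple(untemper(y) for y in observed)
    clone = random.Random()
    # setstate takes (version, 624 state words + position, gauss_next). Position N
    # means "state consumed, twist before the next output", which is exactly where
    # the victim is after emitting these 624 words.
    clone.setstate((3, state + (N,), None))
    return clone


def demo(seed=None, draws=10):
    """Leak 624 words from a victim generator, clone it, predict its next picks."""
    victim = random.Random(seed)  # the seed is never shown to the attacker
    leaked = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_mt(leaked)
    # random.choice is built on getrandbits, so the clone predicts it too.
    predicted = [clone.choice(MENU) for _ in range(draws)]
    actual = [victim.choice(MENU) for _ in range(draws)]
    return predicted, actual


def untemper_matches_state(seed=1):
    """Sanity check: untemper(first output) equals state word 0 of the generator."""
    r = random.Random(seed)
    first_output = r.getrandbits(32)
    return untemper(first_output) == r.getstate()[1][0]


def secure_pick(items):
    """The fix for the original question: pick with the OS CSPRNG, not with MT."""
    return secrets.choice(items)


def system_rng_is_stateless():
    """secrets/SystemRandom read the OS entropy source; there is no state to clone."""
    try:
        random.SystemRandom().getstate()
    except NotImplementedError:
        return True
    return False


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
    print("secrets.choice:", secure_pick(MENU), "| stateless:", system_rng_is_stateless())
```

Note that the attacker in `demo` never learns the seed; the 624 outputs alone are enough, which is why the comment above about "the seed being randomly generated from the OS" does not help: a good seed only hides the starting point, not the deterministic state that every output leaks a word of. In practice the leaked values need not be raw 32-bit words either; anything that exposes enough bits of each output (tokens, identifiers, shuffle orders) can be fed into the same reconstruction with more work.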