pitdicker
commented
6 years ago My thoughts about requiring CryptoRng for from_rng have now changed three times.
My first thought was no, because it is an unneccesary heavy requirement in some cases. From https://github.com/dhardy/rand/issues/18#issuecomment-345293603:
For RNG's that are itself CryptoRng it should. For simple PRNG's something that is statistically strong is already good enough.
On second thought yes, because I don't see all that many situations where you would choose to seed from a simple RNG.
It prevents some legal uses of seeding from a weaker RNG, like splitting streams. But then it is still possible call
from_seeddirectly, and an indication you are doing something to think twice about. For cryptographic RNG's it prevents a small chance of misuse.
Now I am not sure anymore.
We have a couple of CryptoRng-quality sources: OsRng, with JitterRng as fallback in NewSeeded. And I suppose soon thread_rng. Then seeding from a good source can be ergonomic and/or fast. So requiring CryptoRng should hinder almost no-one. But if the natural candidates for initializing an RNG already are CryptoRng, is there much use in enforcing it?
But do we really expect misuse? I do not really consider the Xorshift seeding Xorshift problem here, that should not be interesting anymore when we have better small RNG's. Do we expect someone to seed something like ChaCha with PCG? Sounds like a solution looking for a problem...
I can't call requiring CryptoRng a good or a bad thing now. I see little benefit now, but also little negative consequences.
dhardy
This is a concept implementation with issues; see the FIXMEs.
I'm not convinced that we should do this since it's more restrictive than required to achieve the desired effects (prevent accidental clone of
XorShiftRngand prevent seeding a strong PRNG from a weak PRNG).The sham implementation for
ThreadRngshows how easy it is to mis-useCryptoRng; I wonder if we should just rename itStrongRngorNonTrivialRngand let ISAAC implement it.