There are several strata of pseudo-random number generators (PRNG). For 99% of the requirements performed in Perl, the built-in rand() works just fine. It is even smart enough to use an internally defined seeding strategy if no seeding was already performed, usually out-doing anyone's naive code that tries to mix $$ ^ time().
What you are recommending is a high-cost solution to fulfill the last 1% of PRNG users. Crypto-hard PRNG, as you say, needs to incorporate feedback from other available entropy sources. These perturb the normal chains so that even knowing the past history of generated numbers won't help in predicting the next number.
However, I have to point out two weaknesses here.
- Not much entropy
You only propose one source of entropy available to the Perl interpreter. There may be more, but it's pretty clear that the interpreter is not in a great position to sample from a wide variety of sources. It may watch artifacts of high-resolution time, artifacts of memory allocation, artifacts of the current codebase, and maybe artifacts of data throughput. Generally, a Perl application is only heavily affecting one of these sources at a time, in predictable patterns that are internal to one single process, so the overall entropic input is an unuseful trickle.
- Not hardened against access
The Perl interpreter is a user-land process, and as such, has no security against anything else within its own process space. If an attacker wanted to affect or tap your process's CPRNG, eval "use Untrusted_XS_Module;" and it's done. On some operating systems, other processes could even crack your process without tainted data attacks. CPRNGs must be kept within hardened black boxes, and as such, the operating system's kernel is really the only place that comes close on today's mortal computers.
I won't even discuss runtime costs, because perhaps there are some magic ways of gaining entropy for free.
I agree with your sentiment: a standard for accessing CPRNG resources is desirable, but not appropriate within the Perl interpreter.
--
[ e d @ h a l l e y . c c ]
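As an added example (not part of the reply above or of Perl's core), here is how a Perl program would draw its randomness from the kernel CSPRNG the reply points to, rather than from rand() seeded with $$ ^ time(). It assumes a Unix-like system that exposes /dev/urandom.

```perl
#!/usr/bin/perl
# Added example: take random bytes from the kernel's CSPRNG (/dev/urandom)
# instead of seeding Perl's rand() from process-local trickles of entropy.
# Assumes a Unix-like system; /dev/urandom is a kernel-side generator that
# other user-land processes cannot tap or steer the way they could an
# in-process one.
use strict;
use warnings;

# Read exactly $n bytes, dying rather than silently returning a short read.
sub kernel_random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $buf = '';
    while (length $buf < $n) {
        my $got = sysread $fh, $buf, $n - length $buf, length $buf;
        die "sysread /dev/urandom: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close $fh;
    return $buf;
}

# Uniform integer in [0, $max) by rejection sampling, so no residue is
# favoured the way a plain "$x % $max" would favour the small ones.
sub kernel_random_int {
    my ($max) = @_;
    die "max must be in 1..2^32-1" unless $max > 0 && $max <= 0xFFFFFFFF;
    my $limit = int(0xFFFFFFFF / $max) * $max;   # multiple of $max <= 2^32-1
    while (1) {
        my $x = unpack 'L', kernel_random_bytes(4);  # 32-bit unsigned, native order
        return $x % $max if $x < $limit;              # otherwise redraw
    }
}

# Session token: 32 bytes (256 bits) of kernel entropy rendered as hex.
sub session_token { return unpack 'H*', kernel_random_bytes(32) }

# The naive seed the reply warns about is shown only for contrast: its seed
# space is roughly (pid range x plausible seconds), tiny next to 256 bits.
# srand($$ ^ time());

printf "token:    %s\n", session_token();
printf "die roll: %d\n", kernel_random_int(6) + 1;
```

rand() remains the right tool for the non-cryptographic 99%; reach for the kernel source only where predictability is a security problem.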