What even is this. You had an explicitly *non-cryptographic RNG* but you’re upset it doesn’t display cryptographic properties!?
Conversation
Rust cryptography task force: wake up and get on top of this before your beloved language gets ruined by idiots who don’t even know what they want.
9
25
269
Q: I need a parachute. I’m curious if my new proposed design, which involves three Toyota seat belts and eight boxes of Kleenex will allow me to safely float to the ground.
2
11
178
We don’t need to handle severe crosswinds. We just need to feel safe jumping out of airplanes.
2
1
83
I’ve been downvoted on HN for making this point. I beg you, turn your back to that place if you ever want to do good engineering work.
7
13
253
There are, in fact, definitions of “good” that apply to non-cryptographic PRNGs. But non-invertability isn’t one of them. That’s a security property.
1
5
123
I want to live in a world where “random number generator” and “pseudorandom number generator” refer to secure things.
And there is this other class of things like “statistical sequence generator” that others can play with and make fast.
3
14
161
Ok I wrote down all my thoughts and will shut up now.
18
48
401
Replying to
I disagree that the number of people who need non-crypto RNGs is small, randomized algorithms are pretty common
2
2
Replying to
My claim is that what’s small is the set of people who need randomized algorithms and ALSO have tight performance requirements that make CSPRNGs inappropriate.
These people know who they are and can shop for fast insecure generators, rather than having them be default.
3
14
The consequence of noticeably slow cryptography is that people aren't going to use it at all. Real world CSPRNGs are way too slow and drive away many people who would be more than happy using a SIMD optimized ChaCha8 but not a typical portable ChaCha20 implementation.
If the default across programming languages / libraries was giving people a fast thread-local ChaCha8 CSPRNG then wanting a non-CS PRNG would be incredibly rare as you describe. Since the best case is that you get a software ChaCha20 implementation, people think they need non-CS.
1
Part of good language/library design is having empathy for the programmers that are going to use it.
Programmers commonly need lots of random data and there are lots of widely used randomized algorithms.
One area with a lot of need for this are video games particularly for AIs.
1
1
Show replies
Can we PLEASE have a “just use this” ChaCha8 implementation?