The problem with Mersenne twister is that it doesn&#39;t split well.  The main reason for crypto prng in this package would not be to advertise to people that &quot;System.Random can be used for security-related apps&quot; <b>but to make splitting reasonably safe</b>.  It&#39;s not good enough to have a known-bad generator under splitting provided as the default.  And I think we need splitting, especially as more Haskell programs become parallel.  Would it address your concerns to not mention the crypto nature of the standard implementation in the System.Random documentation?<div>

<br></div><div>I think there&#39;s also a reasonable argument to lean towards <i>correctness</i> over performance in Haskell&#39;s defaults.  For example, unconstrained Num bindings default to Integer and likewise random numbers could be as strong as possible by default, and those looking for raw rands/sec throughput could make other informed choices.<br>

<div><div><div><div><div><br></div><div>I had thought that maybe we could bifurcate the &quot;stdgen&quot; concept into a fast and a strong version, which could be say Mersenne Twister and AES respectively.  But, again, the problem comes if the fast version is expected to be splittable as well.</div>

<div><br></div><div>With &quot;SplittableGen&quot; factored out from &quot;RandomGen&quot; I suppose it would be possible for the fast version to NOT offer splitting.  However, Mersenne Twister is best used with an imperative interface, you can see the tension in the pure version of the mersenne package on hackage:</div>

<div><br></div><div>  <a href="http://hackage.haskell.org/package/mersenne-random-pure64-0.2.0.3">http://hackage.haskell.org/package/mersenne-random-pure64-0.2.0.3</a></div><div><br></div><div>Please also see Burton Smith&#39;s comments below in response to my proposal to offer a MT + AES combination.  </div>

<div><br></div><div>Best,</div><div>  -Ryan</div><div><br></div><div>---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Burton Smith</b> <span dir="ltr">&lt;<a href="mailto:burtons@microsoft.com">burtons@microsoft.com</a>&gt;</span><br>

Date: Tue, Jun 28, 2011 at 1:28 PM<br>Subject: RE: AESNI-based splittable random number generation for Haskell<br>To: &quot;Newton, Ryan R&quot; &lt;<a href="mailto:ryan.r.newton@intel.com">ryan.r.newton@intel.com</a>&gt;<br>

<br>Mersenne Twister (MT)is a poor choice in my opinion.  First, the generator state is large (2496 bytes) and it must be copied on each call to next.  Split is worse; it will generate twice as many bytes per call as next will.<br>

<br>Second, I see no good way to guarantee independence of the two generators emanating from a split.  MT is hard to initialize anyway, and giant-stepping it to define the newly split generator (as we did back in the 80&#39;s paper) is not only hard for an LFSR like MT but, worse yet, it doesn&#39;t work for Haskell or other fine-grain concurrent languages because split and next will commute.  Other tree RNGs, e.g. SPRNG, have the same commutativity issue.  Block ciphers address this issue head-on by reducing the split independence problem to a crypto problem.<br>

<br>A better choice might be some block cipher other than AES.  Two possibilities are XTEA and RC4.  Both are in Wikipedia.  RC4 has 256 bytes of key &quot;state&quot;, still bigger than I would like.<br><br>Another scheme is to make the number of rounds an option.  With AESNI, this could scream.<br>

<div class="im"><br>Burton</div></div><div><br></div><div><br><div class="gmail_quote">On Wed, Aug 17, 2011 at 12:26 PM, Ertugrul Soeylemez <span dir="ltr">&lt;<a href="mailto:es@ertes.de">es@ertes.de</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">Ryan Newton &lt;<a href="mailto:rrnewton@gmail.com">rrnewton@gmail.com</a>&gt; wrote:<br></div></blockquote>

<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"></div>Using a cryptographically strong random number generator here is<br>
probably a very bad idea.  Two reasons:<br>
<br>
Firstly while being faster than the current implementation an AES-based<br>
implementation will still be considerably slower than the Mersenne<br>
Twister algorithm.  This may or may not be true, if hardware AES support<br>
is there, but don&#39;t just assume that everybody has AES instructions now.<br>
For example I don&#39;t have them.<br>
<br>
Secondly there is no standard requiring that the default random number<br>
generator is cryptographically safe.  Changing this particular<br>
implementation, which is the one most people use, to a CSPRNG will make<br>
people take for granted that System.Random is safe to use in<br>
security-related products, because it would be very convenient.  This<br>
will render strong security products trivially weak, when compiled with<br>
the wrong Haskell distribution, and you will find packages with<br>
statements like:  &quot;We assume that you use Ryan Newton&#39;s distribution of<br>
the random package.&quot;<br>
<br>
I would rather propose the Mersenne Twister as the default random number<br>
generator.  You could add AES as a secondary generator for people<br>
requiring cryptographic strength, but then do it properly, i.e. impure,<br>
because most people, when reading about a PRNG with &quot;AES&quot; anywhere in<br>
its name, will just assume that it&#39;s a CSPRNG.<br>
<div><div></div><div class="h5"><br>
<br>
Greets,<br>
Ertugrul<br>
<br>
<br>
--<br>
nightmare = unsafePerformIO (getWrongWife &gt;&gt;= sex)<br>
<a href="http://ertes.de/" target="_blank">http://ertes.de/</a><br>
<br>
<br>
<br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br></div></div></div></div></div></div>