random.SystemRandom() is used to generate the indices for shares and the polynomial coefficients. There are a few serious problems that could undermine its security in a real-world scenario:

Virtual environments and containers: on systems like virtual machines or containers, the entropy pool might be weaker. This means that the randomness produced by SystemRandom() can be predictable, or worse, it could repeat in a way that's easier for an attacker to exploit.

Limited entropy: even if we're using SystemRandom(), the quality of randomness heavily depends on the available entropy. If the system doesn't have enough entropy (like on a freshly booted machine or a heavily constrained environment), the randomness could become weak. This means the values generated for the share indices and polynomial coefficients could be predictable or repeatable, which would allow an attacker to reconstruct the secret more easily with fewer shares than necessary.

What's the risk?

Predictable randomness: if the randomness is predictable or repeated, an attacker can figure out the polynomial or even the secret itself, just by analyzing a few shares.

Weakened security: even if we have more shares than needed, the randomness fails to provide the expected level of security, as the key entropy could be easily guessed or reproduced.

Entropy check: before generating any randomness, ensure that the system has enough entropy. We could add a quick check to verify that the entropy pool is sufficiently populated before generating random values. If it's not, maybe we need to delay or even use another source of entropy.

My advice is to avoid anything that has to do with /dev/urandom in cryptography.
Referenced code: random.SystemRandom() in pybtc/pybtc/functions/shamir.py, line 106 at commit 3d8a496.
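The entropy gate the post asks for, alongside Shamir share generation and recovery over a prime field, written as an added example rather than pybtc's own shamir.py: the randomness source is injected so a repeating or otherwise weak source can be swapped in and is made to fail loudly. The 2^521-1 field, the 128-bit threshold and the fallback when the kernel counter is not exposed are this example's assumptions.

```python
import secrets

# Prime field for the polynomial; 2^521 - 1 (a Mersenne prime) comfortably holds 256-bit secrets.
P = 2**521 - 1
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux kernel entropy estimate, in bits


def entropy_available(path=ENTROPY_AVAIL):
    """Kernel entropy estimate in bits, or None where the counter is not exposed (non-Linux)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n, min_entropy_bits=128, rng=secrets.randbelow):
    """Split `secret` into n shares, any k of which recover it. rng(m) must return a uniform int in [0, m)."""
    if not (1 < k <= n) or not (0 <= secret < P):
        raise ValueError("need 1 < k <= n and 0 <= secret < P")
    avail = entropy_available()
    if avail is not None and avail < min_entropy_bits:
        raise RuntimeError(f"entropy pool reports only {avail} bits; refusing to generate shares")
    # a_0 is the secret; a_1..a_{k-1} are uniformly random, so k-1 shares reveal nothing about a_0.
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    xs = set()
    for _ in range(8 * n):  # bounded retries: a stuck rng (one that repeats values) fails here
        xs.add(rng(P - 1) + 1)  # indices must be distinct and nonzero (x=0 would expose the secret)
        if len(xs) == n:
            return [(x, _eval_poly(coeffs, x)) for x in sorted(xs)]
    raise RuntimeError("rng failed to produce distinct share indices; source looks non-random")


def recover_secret(shares):
    """Lagrange interpolation at x=0 over the given (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total
```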