From Definition of CSPRNG, it has two characteristics

  1. It satisfies the next-bit test.
  2. It withstands 'state compromise extensions' - part or all of the state being compromised does not allow for reconstruction of the prior stream of random numbers.

I am looking for PRNGs which fail the 2nd characteristic. In fact they are PRNGs but not CSPRNGs.

crypt

2 Answers

Item (2) is not part of the definition of a standard CSPRNG. If you look at where this definition was taken from in Wikipedia, this item refers to a "forward secure CSPRNG". So, this is a definition of forward security and not the standard notion.

Also, the next-bit test is one way of defining it, but certainly not the only way.

In any case, it is easy to construct a CSPRNG that is not forward secure; simply always store the initial state.

Yehuda Lindell

The ChaCha cipher is definitely not forward secure: the only state modification is to increment a counter.

dhardy
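As an added illustration of both answers above (this is not code from either poster), a small Python sketch: a ChaCha-style generator whose whole state is (key, counter), so that a compromised snapshot lets one recompute every earlier output block, beside a ratcheting variant that replaces and discards its key after each output. SHA-256 over key||counter stands in for ChaCha's block function to keep it short; the class and function names are my own.

```python
import hashlib
from typing import List, Tuple

def block(key: bytes, counter: int) -> bytes:
    """Stand-in for a ChaCha-style block function: a keyed PRF of the counter.
    (SHA-256 over key||counter is used for brevity; it is not ChaCha itself.)"""
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()

class CounterPRNG:
    """ChaCha-style generator: state is (key, counter); only the counter advances,
    so the key (the initial state) is kept forever, as in Lindell's construction."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0
    def next_block(self) -> bytes:
        out = block(self.key, self.counter)
        self.counter += 1
        return out
    def state(self) -> Tuple[bytes, int]:
        return (self.key, self.counter)

class RatchetPRNG:
    """Forward-secure variant: the key is overwritten after every output and the
    old key discarded, so a snapshot of the state cannot be run backwards."""
    def __init__(self, key: bytes) -> None:
        self.key = key
    def next_block(self) -> bytes:
        out = block(self.key, 0)
        self.key = hashlib.sha256(b"ratchet" + self.key).digest()
        return out
    def state(self) -> bytes:
        return self.key

def rewind_counter_prng(key: bytes, counter: int) -> List[bytes]:
    """Given a compromised (key, counter), recompute every earlier output block."""
    return [block(key, i) for i in range(counter)]

def demo() -> Tuple[bool, bool]:
    seed = hashlib.sha256(b"constructed demo seed").digest()  # constructed, not secret
    c = CounterPRNG(seed)
    past = [c.next_block() for _ in range(4)]
    counter_prng_leaks_past = rewind_counter_prng(*c.state()) == past

    r = RatchetPRNG(seed)
    past_r = [r.next_block() for _ in range(4)]
    # With only the ratchet's current key, the holder can run it forward but the
    # keys that produced past_r are gone; none of those blocks can be recomputed.
    snapshot = RatchetPRNG(r.state())
    forward = [snapshot.next_block() for _ in range(8)]
    ratchet_leaks_past = any(b in forward for b in past_r)
    return counter_prng_leaks_past, ratchet_leaks_past
```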