
I understand that PRNGs are random number generators that use a deterministic algorithm based on a seed.

I also understand that CSPRNGs are PRNGs that are cryptographically safe to use for generating random numbers.

And by cryptographically safe, I believe this means that even if an attacker knows the deterministic algorithm and the seed, they would not be able to predict the next random number. I understand this is due to CSPRNGs also making use of some internal state.

If there are any errors in the above, I would appreciate a clarification, because my questions depend on them being accurate.

So my main question is: when do you need a PRNG, and when must you use a CSPRNG?

My initial answer to that was that a CSPRNG should be used when generating keys, but when I searched for "what are prng used for", one of the pages I found was this, which states that:

In cryptography, PRNG’s are used to construct session keys and stream ciphers

Which leaves me a bit confused: why should PRNGs, which are not cryptographically strong, be what is used for keys? I would expect CSPRNGs to be used instead.

This makes me realise that perhaps I do not fully understand PRNGs and CSPRNGs yet and how they are used. Hence this question: in cryptography, when exactly are PRNGs used and when are CSPRNGs used?

Finlay Weber

2 Answers


First, some definitions:

  • A PRNG is a pseudo-random number generator. It can be a very poor one, or one with very strong mathematical properties. It does not matter for this definition.
  • A CSPRNG is a cryptographically secure PRNG. It is a PRNG, with some strong requirements.

In your link, the author is writing about CSPRNGs, but calling them PRNGs. The "cryptographically secure" element is implied by this requirement:

The generated bit strings should "look random" to an adversary.

Indeed, CSPRNGs are required when the output of the PRNG must be indistinguishable from perfectly uniform randomness (this implies that the output is unpredictable). This is required by some cryptographic algorithms.

Most CSPRNGs provided by operating systems will update their internal state from random input, so that even if the seed or the inner state leaks at some point, it will automatically correct itself to a secure state. But this is not a requirement for a CSPRNG. Some CSPRNGs provided by cryptographic libraries do not update their state automatically, while others do.

A CSPRNG can always be used instead of a PRNG when there is no need to be able to generate the same output twice. For example, when generating video game levels from a seed, or when fuzzing, it is important to be able to reproduce the output. In those cases, a PRNG should be used, or a CSPRNG which does not automatically update its inner state from sources other than its initial seed. A stream cipher could also be used, but a simple PRNG might be more than enough and more efficient, depending on the requirements.

To directly answer your questions: you must use a CSPRNG when it is specified by the cryptographic algorithm (which is often the case). And you must use a PRNG or a CSPRNG which does not automatically update its inner state when reproducing its output is needed. For the other cases, most of the time which kind of RNG you use does not matter.

Also, if you somehow need a reproducible output that is indistinguishable from perfectly uniform randomness, then you need a stream cipher, not a PRNG.

A. Hersean
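The reproducible case from this answer (fuzzing, level generation), as an added example that is not part of the answer above: a generator whose output depends on nothing but its seed, built here as HMAC-SHA256 run in counter mode. The construction is this example's own choice (a PRF in counter mode, not a standardised DRBG), and the seed, the item list and the function names are constructed for the demo. Unlike the OS CSPRNG, which mixes in fresh entropy and so can never replay a stream, the same seed always yields the same bytes; the flip side is that whoever learns the seed can regenerate everything ever produced from it.

```python
import hashlib
import hmac
import os


class SeededStream:
    """Seed-only generator: block i of the stream is HMAC-SHA256(seed, i).

    Example construction (a PRF in counter mode), not a standardised DRBG.
    Nothing but the seed and the counter feeds the output, so it never
    reseeds itself: the same seed replays the identical byte stream, and a
    leaked seed exposes every byte derived from it, past and future.
    """

    def __init__(self, seed: bytes):
        if len(seed) < 16:
            raise ValueError("seed must carry at least 128 bits of entropy")
        self._seed = bytes(seed)
        self._counter = 0
        self._buf = b""

    def _next_block(self) -> bytes:
        block = hmac.new(self._seed, self._counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        self._counter += 1
        return block

    def read(self, n: int) -> bytes:
        """Return the next n bytes of the stream."""
        while len(self._buf) < n:
            self._buf += self._next_block()
        out, self._buf = self._buf[:n], self._buf[n:]
        return out

    def randbelow(self, n: int) -> int:
        """Uniform integer in [0, n) via rejection sampling, so there is no
        modulo bias; at most half the draws are rejected."""
        if n <= 0:
            raise ValueError("n must be positive")
        k = n.bit_length()
        nbytes = (k + 7) // 8
        while True:
            v = int.from_bytes(self.read(nbytes), "big") >> (8 * nbytes - k)
            if v < n:
                return v


def reproducible_from_seed(seed: bytes, n: int = 64) -> bool:
    """Two independent instances with the same seed emit the same bytes."""
    return SeededStream(seed).read(n) == SeededStream(seed).read(n)


def shuffle_with_seed(seed: bytes, items: list) -> list:
    """Fisher-Yates shuffle driven by the seeded stream. A fuzzer or level
    generator can replay the exact permutation later by reusing the seed."""
    rng = SeededStream(seed)
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


if __name__ == "__main__":
    # Constructed demo seed; a real one would come from os.urandom(32) once,
    # then be recorded alongside the test case so the run can be replayed.
    seed = b"constructed-demo-seed-32-bytes!!"
    print(SeededStream(seed).read(16).hex())
    print(shuffle_with_seed(seed, list(range(10))))
    # The OS CSPRNG cannot be replayed: two reads never match.
    print(os.urandom(16) == os.urandom(16))
```

Record the seed with the test case, not the generated data: the data can be regenerated from it, but the seed cannot be recovered from the data.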

It's actually pretty simple.

P. Random number generators produce random-looking numbers (see below). Sometimes all that is expected is that the numbers are computationally indistinguishable from random-looking (PRNG). If you can predict the next number algorithmically, it doesn't matter. For example, Monte Carlo experiments. The Mersenne Twister is pretty good and probably the most used PRNG in the world (it's inside Python), yet completely predictable after observing ~624 outputs. Therefore useless for hiding secrets.

C. A CSPRNG is an upgraded PRNG in that you cannot predict the next number. It's called the next bit test, i.e. you cannot predict the next output bit no matter what observations you undertake (not knowing the hidden internal state). So:

$$ P(x_{i} = 1) = \frac{1}{2} + \epsilon $$

where the bias $\epsilon$ from even odds is (typically) $< 2^{-64}$. If you then make assumptions about the first part of a ciphertext, it won't help with the next part and you end up nowhere. Which is what we want to hide secrets. An example is Salsa20 as part of a stream cipher.

In cryptography, PRNG’s are used to construct session keys and stream ciphers

is just sloppy talk. I call all of them RNGs unless a narrower definition is required.


  1. Nuance: a PRNG can generate numbers with all sorts of wacky distributions useful for science and that stuff. In cryptography, we generate uniform distributions in order to mask our messages.

  2. Have a look at https://en.m.wikipedia.org/wiki/List_of_random_number_generators.

  3. Also note the existence of TRNGs, which are a blend of the above and hardware.

Paul Uszak
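The "predictable after ~624 outputs" claim about the Mersenne Twister, as an added example that is not part of the answer above: each 32-bit output of MT19937 is one state word passed through an invertible tempering step, so 624 consecutive outputs give back the entire 624-word state, from which every later output follows. The code below clones Python's `random.Random` (MT19937) from 624 observed `getrandbits(32)` values and predicts its next outputs; the tempering constants are those of the reference MT19937, and the victim seed and function names are constructed for the demo. It assumes the 624 observations start at a state-array boundary, which holds for a freshly seeded `random.Random` (its first call triggers a twist); observations taken mid-array would need the offset handled. `random.random()` consumes two 32-bit words per call, so the same idea applies there with a little more bookkeeping.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF


def temper(x: int) -> int:
    """The output transform MT19937 applies to a state word (reference constants)."""
    y = x & MASK32
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xorshift(y: int, shift: int) -> int:
    # Inverts y = x ^ (x >> shift). The top `shift` bits of x equal those of y;
    # each pass recovers the next `shift` bits below the ones already fixed.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xorshift(y: int, shift: int, mask: int) -> int:
    # Inverts y = x ^ ((x << shift) & mask), fixing `shift` bits per pass from the bottom.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Recover the raw state word from one tempered 32-bit output."""
    x = _undo_right_xorshift(y, 18)
    x = _undo_left_xorshift(x, 15, 0xEFC60000)
    x = _undo_left_xorshift(x, 7, 0x9D2C5680)
    x = _undo_right_xorshift(x, 11)
    return x


def clone_from_outputs(outputs: list) -> random.Random:
    """Build a random.Random whose state equals the generator that produced
    `outputs` (624 consecutive 32-bit values, aligned to a state-array boundary).
    Index 624 means the clone twists before its next output, as the victim will."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))  # (version, 624 words + index, gauss_next)
    return clone


def predict_next_outputs(victim: random.Random, n: int) -> list:
    """Observe 624 outputs of `victim`, then predict its following n outputs."""
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    return [clone.getrandbits(32) for _ in range(n)]


def attack_succeeds(seed: int, n: int = 16) -> bool:
    """True if the clone's predictions match what the victim actually emits next."""
    victim = random.Random(seed)
    predicted = predict_next_outputs(victim, n)
    actual = [victim.getrandbits(32) for _ in range(n)]
    return predicted == actual


if __name__ == "__main__":
    # Constructed victim with a seed the attacker never sees; the seed size is
    # irrelevant, since the attack recovers the state, not the seed.
    hidden_seed = secrets.randbits(128)
    print("MT19937 next outputs predicted:", attack_succeeds(hidden_seed, n=100))
    # secrets.randbits() draws from the OS CSPRNG: there is no getstate()/setstate()
    # and no output-derived state to recover, which is the whole point of a CSPRNG.
    print("secrets.randbits(32):", secrets.randbits(32))
```

The recovery needs no knowledge of the seed at all, which is why "the attacker does not know the seed" buys nothing for a non-cryptographic PRNG used for tokens, session IDs or keys.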