No Time to Hash: On Superefficient Entropy Accumulation

Real-world random number generators (RNGs) cannot afford to use (slow) cryptographic hashing every time they refresh their state $R$ with a new entropic input $X$. Instead, they use "superefficient" simple entropy-accumulation procedures, such as $R \leftarrow \mathrm{rot}_{\alpha,n}(R) \oplus X$, where $\mathrm{rot}_{\alpha,n}$ rotates an $n$-bit state $R$ by some fixed number $\alpha$. For example, Microsoft's RNG uses $\alpha = 5$ for $n = 32$ and $\alpha = 19$ for $n = 64$. Where do these numbers come from? Are they good choices? Should rotation be replaced by a better permutation $\pi$ of the input bits? In this work we initiate a rigorous study of these pragmatic questions, by modeling the sequence of successive entropic inputs $X_1, X_2, \dots$ as independent (but otherwise adversarial) samples from some natural distribution family $\mathcal{D}$. Our contribution is as follows.

• We define 2-monotone distributions as a rich family $\mathcal{D}$ that includes relevant real-world distributions (Gaussian, exponential, etc.), but avoids trivial impossibility results.

• For any $\alpha$ with $\gcd(\alpha, n) = 1$, we show that rotation accumulates $\Omega(n)$ bits of entropy from $n$ independent samples $X_1, \dots, X_n$ from any (unknown) 2-monotone distribution with entropy $k > 1$.

• However, we also show some choices of $\alpha$ perform much better than others for a given $n$. E.g., we show $\alpha = 19$ is one of the best choices for $n = 64$; in contrast, $\alpha = 5$ is good, but generally worse than $\alpha = 7$, for $n = 32$.

• More generally, given a permutation $\pi$ and $k \geq 1$, we define a simple parameter, the covering number $C_{\pi,k}$, and show that it characterizes the number of steps before the rule $(R_1, \dots, R_n) \leftarrow (R_{\pi(1)}, \dots, R_{\pi(n)}) \oplus X$ accumulates nearly $n$ bits of entropy from independent, 2-monotone samples of min-entropy $k$ each.

• We build a simple permutation $\pi^*$, which achieves nearly optimal $C_{\pi^*,k} \approx n/k$ for all values of $k$ simultaneously, and experimentally validate that it compares favorably with all rotations $\mathrm{rot}_{\alpha,n}$.

∗ Partially supported by gifts from VMware Labs, Facebook and Google, and NSF grants 1815546, 2055578.
† Supported by Shanghai Eastern Young Scholar Program SMEC-0920000169.
‡ Some of this work was done at MIT, supported in part by NSF Grants CNS-1350619, CNS-1414119 and CNS-1718161, a Microsoft Faculty Fellowship and an MIT/IBM grant. Some of this work was done at the Simons Institute in Berkeley.
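The two accumulation rules from the abstract, as an added worked example in Python (not the paper's code). It implements $R \leftarrow \mathrm{rot}_{\alpha,n}(R) \oplus X$ with bit operations, the general rule $(R_1, \dots, R_n) \leftarrow (R_{\pi(1)}, \dots, R_{\pi(n)}) \oplus X$ on bit vectors, shows the two agree when $\pi$ is the rotation, and enforces the $\gcd(\alpha, n) = 1$ condition. It also computes a deliberately crude "bit-position coverage" count, an assumption introduced here that treats every sample as if its entropy sat in its $k$ low-order bit positions and counts samples until every state position has absorbed one of them. That count is not the paper's covering number $C_{\pi,k}$, which is defined over 2-monotone distributions; it is only meant to make the role of $\alpha$ and $\pi$ concrete.

```python
"""Rotate-and-XOR entropy accumulation in bitwise and permutation form.

Added example, not the paper's code.  coverage_steps() is a simplification
(assumption): each sample's entropy is treated as living in its k low-order
bit positions only.  It is NOT the paper's covering number C_{pi,k}.
"""
from math import gcd


def rot_xor_step(state: int, sample: int, alpha: int, n: int) -> int:
    """One step of R <- rot_{alpha,n}(R) xor X on an n-bit state (left rotation)."""
    mask = (1 << n) - 1
    rotated = ((state << alpha) | (state >> (n - alpha))) & mask
    return rotated ^ (sample & mask)


def accumulate(samples, alpha: int, n: int, state: int = 0) -> int:
    """Feed a sequence of entropic inputs through the rotate-and-XOR rule."""
    if gcd(alpha, n) != 1:
        # With gcd > 1 a single input bit only ever visits n/gcd state positions.
        raise ValueError(f"gcd({alpha}, {n}) != 1: rotation does not visit every bit")
    for x in samples:
        state = rot_xor_step(state, x, alpha, n)
    return state


def rotation_perm(alpha: int, n: int):
    """The permutation pi for which the general rule equals rot_{alpha,n}.

    0-indexed: new bit i takes old bit (i - alpha) mod n, so pi(i) = (i - alpha) mod n.
    """
    return [(i - alpha) % n for i in range(n)]


def perm_xor_step(bits, sample_bits, pi):
    """General rule (R_1..R_n) <- (R_pi(1)..R_pi(n)) xor X on bit lists (index 0 = LSB)."""
    return [bits[pi[i]] ^ sample_bits[i] for i in range(len(pi))]


def to_bits(value: int, n: int):
    return [(value >> i) & 1 for i in range(n)]


def from_bits(bits) -> int:
    return sum(b << i for i, b in enumerate(bits))


def coverage_steps(pi, k: int):
    """Simplified coverage count (assumption, see module docstring).

    Sample bit j is XORed into state position j and then follows pi^{-1} on every
    later step.  Returns the number of samples until positions 0..k-1 of all samples
    so far have reached every one of the n state positions, or None if they never do
    (after n steps every cycle of pi has wrapped, so the reachable set is final).
    """
    n = len(pi)
    inv = [0] * n
    for i, p in enumerate(pi):
        inv[p] = i
    positions = list(range(k))  # where the newest sample's low bits currently sit
    covered = set(positions)
    steps = 1
    while len(covered) < n:
        if steps >= n:
            return None
        positions = [inv[p] for p in positions]
        covered.update(positions)
        steps += 1
    return steps


if __name__ == "__main__":
    # Constructed inputs: compare the abstract's rotation constants under the crude metric.
    for n, alphas in ((32, (5, 7)), (64, (19,))):
        for alpha in alphas:
            row = [coverage_steps(rotation_perm(alpha, n), k) for k in (1, 2, 4, 8)]
            print(f"n={n} alpha={alpha:2d} samples to cover all bits (k=1,2,4,8): {row}")
    print("gcd(4, 32) != 1 ->", coverage_steps(rotation_perm(4, 32), 1))
```

The bitwise and permutation forms are interchangeable for rotations, which is what lets the abstract's second question (replace rotation by a better $\pi$) be asked in the same framework; for a non-rotation $\pi$ only `perm_xor_step` applies. The crude coverage count is not monotone in $\alpha$ across $k$ (for $n = 32$ it favors $\alpha = 5$ at $k = 2$ but $\alpha = 7$ at $k = 4$), which is exactly why a distribution-aware parameter such as $C_{\pi,k}$ is needed to rank rotations.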
