How does a cryptographically secure random number generator work?

轮回少年 2020-11-29 18:43

I understand how standard random number generators work. But when working with cryptography, the random numbers really have to be random.

I know there are instrumen

5 answers
  •  情歌与酒
    2020-11-29 19:09

    First of all, the point of a cryptographically secure PRNG is not to generate entirely unpredictable sequences. As you noted, the absence of something that generates large volumes of (more or less) true randomness¹ makes that impossible.

    So you resort to something which is only hard to predict. “Hard” meaning here that it takes unfeasibly long by which time whatever it was necessary for would be obsolete anyway. There are a number of mathematical algorithms that play a part in this—you can get a glimpse if you take some well-known CSPRNGs and look at how they work.

    The most common variants to build such a PRNG are:

    • Using a stream cipher, which already outputs a (supposedly secure) pseudo-random bit stream.
    • Using a block cipher in counter mode

    Hash functions on a counter are also sometimes used. Wikipedia has more on this.

    General requirements are just that it's unfeasible to determine the original initialization vector from a generator's bit stream and that the next bit cannot be easily predicted.

    As for initialization, most CSPRNGs use various sources available on the system, ranging from truly random things like line noise, interrupts or other events in the system to other things like certain memory locations, &c. The initialization vector is preferably really random and not dependent on a mathematical algorithm. This initialization was broken for some time in Debian's implementation of OpenSSL which led to severe security problems.


    ¹ Which has its problems too and one has to be careful in eliminating bias as things such as thermal noise have different characteristics depending on the temperature—you almost always have bias and need to eliminate it. And that's not a trivial task in itself.
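
Added example, not part of the answer above and not taken from any library: a toy "hash function on a counter" generator, with a check of how seeding affects the requirement that the initial state cannot be determined from the output. The class and function names, the HMAC-SHA256 choice and the 2**15-value weak seed space are assumptions made for illustration; production code should use the operating system's CSPRNG directly.

```python
import hashlib
import hmac
import os


class HashCounterGenerator:
    """Toy generator: block i = HMAC-SHA256(seed, i). For study, not production."""

    def __init__(self, seed: bytes):
        if not seed:
            raise ValueError("seed must not be empty")
        self._key = seed
        self._counter = 0
        self._buffer = b""

    def read(self, n: int) -> bytes:
        # Hash successive counter values until n bytes are available.
        while len(self._buffer) < n:
            ctr = self._counter.to_bytes(16, "big")
            self._buffer += hmac.new(self._key, ctr, hashlib.sha256).digest()
            self._counter += 1
        out, self._buffer = self._buffer[:n], self._buffer[n:]
        return out


def seed_from_system() -> bytes:
    # 256 bits from the OS entropy pool (interrupt timings, device noise, ...).
    return os.urandom(32)


def small_seed_space():
    # Constructed weak seeding: only 2**15 possible seeds.
    return (i.to_bytes(2, "big") for i in range(2 ** 15))


def find_seed(observed: bytes, candidates):
    """Return the candidate seed that reproduces `observed`, else None."""
    for seed in candidates:
        guess = HashCounterGenerator(seed).read(len(observed))
        if hmac.compare_digest(guess, observed):
            return seed
    return None


if __name__ == "__main__":
    weak = HashCounterGenerator((12345).to_bytes(2, "big")).read(16)
    print("weak seed recovered:", find_seed(weak, small_seed_space()))
    strong = HashCounterGenerator(seed_from_system()).read(16)
    print("strong seed recovered:", find_seed(strong, small_seed_space()))
```

The output of the hash construction is the same in both cases; only the size of the seed space decides whether the state can be recovered by enumeration.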
