Random number generation

There are two components to a PRNG: the algorithm and the seed. The algorithm must be a method of generating bytes that produces output indistinguishable from true random and will not repeat output for a very long time, usually repeating only after 2³² bytes of output. The seed is input to the algorithm. If the seed is changed, the output is also changed.

A PRNG is a machine: start it up, ask it to generate output, and it will produce bytes that look random. The next time it is started up, it will generate the same output. This process is predictable.

But if the machine is started and some other seed data is loaded, it will produce different output. If the machine is restarted and the same seed is loaded, it will produce the same output; hence, each time a PRNG is started, new seed data must be loaded. Furthermore, the seed must be unpredictable so that an attacker cannot simply start up a copy of the machine and supply the same seed to produce the same output.

The strength of a seed is measured in “number of bits of entropy”. When seeding a PRNG, ensure that at least 128 bits of entropy is used.

One may ask why a PRNG should be used to generate random output instead of a seed. It is because a seed is generally many bytes long with some non-random bits; that is, there could be 128 bits of entropy in a 256-byte buffer. The PRNG “compresses” the entropy in a seemingly non-random source into a byte array of the appropriate size, a set of bytes that passes tests of randomness. In addition, the PRNG can continue to generate new random bytes even after the entropy of the seed has been matched. For example, if 128 bits of entropy is collected over 300 bytes of seed and fed into a PRNG, it will then generate a 128-bit key, and then another 128-bit key, and a 128-bit salt, and so on.

A PRNG should always be able to accept more seed bytes. That is, adding new seed data to an existing PRNG will not make the algorithm start over; it will just add the new seed data into the internal state.