]> Cryptography - Pseudo-Random Number Generators

We want to be able to take a few "true random bits" (seed) and generate more "random looking bits", i.e. construct a function G:{0,1 } t{0,1 } T,Tt. The generated bit strings should "look random" to an adversary. In cryptography, PRNG's are used to construct session keys and stream ciphers.

True Randomness is generated from some source such as thermal noise. Abstractly, a random source defines a distribution on {0,1 } n.

Example: n-way independent bits b 1 ,...,b n and Pr[b i=1 ]=p, Pr[b i=0 ]=1 p.

Example: b 1 ,...,b n uniform on {0,1 } n

Extractors convert a random source with unknown distribution on {0,1 } n into a uniform distribution on {0,1 } m, mn, e.g. Von Neumann extractor for binomial distribution. We shall take an n-bit random source uniform on {0,1 } n for granted.


The traditional definition of pseudorandom number generators involves a bunch of statistical tests (see Knuth's "The Art of Computer Programming Vol. 2"), but this is insufficient for cryptographic purposes.

For example, a linear congruential generator: pick a prime p, pick a,b p, pick random seed s p, and iterate with sas+bmodp and output LSB(s) is considered a PRNG under the traditional definition, but is completely predictable, because given lgp bits one can recover the seed efficiently.

Instead, we require the pseudo-random number generator to fool any statistical test.

Definition (fixed security parameter version): A (t,ε)-PRNG is a function G:0,1 n0,1 m(mn) such that

  • G is efficiently computable by a deterministic algorithm.

  • G "ε-fools" all t-time statistical tests, that is, for all t-time algorithms A

Pr[A(G(S)) accepts S{0,1 } m]Pr[A(R)R{0,1 } m]<ε

We say that the uniform distribution on 0,1 m is (t,ε)-indistinguishable from distributions {G(S)S{0,1 } n}.

The Next-Bit Test

We derive an equivalent characterization of PRNG's to that of Yao that is easier to work with. For R{0,1 } m, denote the ith bit of R by R i and the first i bits of R by R 1 ,...,i.

We say G:{0,1 } n{0,1 } m (t,ε) passes the next bit test if for all 0 i<m no t-time algorithm can predict G(S) i+1 from G(S) 1 ,...,i, that is, for all t-time algorithms M and for all 0 i<m

Pr[M(G(S) 1 ,...,i)=G(S) i+1 ]S{0,1 } m]1 /2 <ε

Theorem: [Yao '82]

Suppose G:{0,1 } n{0,1 } m (t/m,ε) passes the next bit test. Then G is a (t,ε)-PRNG. ("The next bit test is universal.")

Proof: Suppose we have a (t,ε)-algorithm A for G. Then we shall build a (t,ε/m)-next bit predictor for G, by using a "hybrid argument":

Define the following collection of distributions 𝒫 0 ,...,𝒫 m as follows: the first i bits of a member of 𝒫 i are found by picking a random S{0,1 } n and setting them to G(S) 1 ,...,i. The last mi bits are generated at random from {0,1 } mi. Then

Pr[A(R)acceptsR𝒫 0 ]=Pr[A(R)acceptsR{0,1 } m]


Pr[A(R)acceptsR𝒫 m]=Pr[A(R)acceptsS{0,1 } n,RG(S)]


ε Pr[A(R)R𝒫 0 ]Pr[A(R)R𝒫 m] = i=0 m1 Pr[A(R)R𝒫 i]Pr[A(R)R𝒫 i+1 ] i=0 m1 Pr[A(R)R𝒫 i]Pr[A(R)R𝒫 i+1 ]

Thus there exists 0 i<m with

Pr[A(R)R𝒫 i]Pr[A(R)R𝒫 i+1 ]ε/m

We can use A to build a next bit predictor for R i+1 .

The "hybrid argument" is quite useful: in general, suppose experiment (game) E 0 is distinguishable from experiment E m. Then build experiments E 1 ,...,E m1 , and then it can be shown that there exists 0 i<m such that E i is distinguishable from E i+1 , which can be used to solve a challenge problem.

Hardcore bits can be used to construct PRNGs using a method due to Blum and Micali.