Random Number Generators for Cryptographic Applications

  • Werner Schindler


A large number of cryptographic applications require random numbers, e.g., as session keys, signature parameters, ephemeral keys (DSA, ECDSA), challenges or in zero-knowledge protocols. For this reason, random number generators (RNGs) are part of many IT-security products. Inappropriate RNGs may totally weaken IT systems that are strong in principle, e.g., if an adversary is able to determine session keys.

It is intuitively clear that random numbers should remain unpredictable, even if an adversary knows a large number of other random numbers (predecessors or successors of the random numbers of interest) that have been generated with the same RNG, e.g., from openly transmitted challenges or session keys from messages that the adversary has received legitimately. Ideally, random numbers should be uniformly distributed on their range and independent. However, this characterizes an ideal RNG, which is a mathematical construction.

In Section 2.2 we formulate the general...


Keywords: Random Number; Internal State; Smart Card; Shannon Entropy; Block Cipher
These keywords were added by machine and not by the authors.



Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  1. Bundesamt für Sicherheit in der Informationstechnik, USA
