A cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) with properties that make it suitable for use in cryptography.

In addition to the normal requirements for a PRNG, namely that its output should pass all statistical tests for randomness, a CSPRNG must have two extra properties:

  • it should be difficult to predict the output of the CSPRNG, wholly or partially, from examining previous outputs, and in particular
  • it should be difficult to extract all or part of the internal state of the CSPRNG from examining its output

Most PRNGs are not suitable for use as CSPRNGs, as whilst they appear random to statistical tests, they are not designed to resist determined mathematical reverse-engineering.

CSPRNGs are designed explicitly to resist reverse enginnering. There are a number of examples of CSPRNGs. Blum Blum Shub has the strongest security proofs, though it is slow. Most stream ciphers work by generating a pseudorandom stream of bits that are XORed with the message; this stream can be used as a good CSPRNG (thought not always: see RC4 cipher). A secure block cipher can also be converted into a CSPRNG by running it in counter mode. This is done by choosing an arbitrary key and encrypting a zero, then encrypting a 1, then encrypting a 2, etc. The counter can also be started at an arbitrary number other than zero. Obviously, the period will be 2n for an n-bit block cipher. A cryptographically secure hash of a counter might also act as a good CSPRNG in some cases. If the counter is a bignum, then the CSPRNG could have an infinite period. Finally, there are PRNGs that have been designed to be cryptographically secure. One example is ISAAC (based on a variant of the RC4 cipher) which is fast and has an expected cycle length of 28295 and for which no successful attack in a reasonable time has yet been found.