International Association for Cryptologic Research (IACR)
Abstract
Real-world random number generators (RNGs) cannot afford to use (slow) cryptographic hashing every time they refresh their state $R$ with a new entropic input $X$. Instead, they use "superefficient" simple entropy-accumulation procedures, such as
$$R \leftarrow \mathrm{rot}_{\alpha,n}(R) \oplus X,$$
where $\mathrm{rot}_{\alpha,n}$ rotates an $n$-bit state $R$ by some fixed number $\alpha$. For example, Microsoft's RNG uses $\alpha=5$ for $n=32$ and $\alpha=19$ for $n=64$. Where do these numbers come from? Are they good choices?
Should rotation be replaced by a better permutation $\pi$ of the input bits?
In this work we initiate a rigorous study of these pragmatic questions, by modeling the sequence of successive entropic inputs $X_1, X_2, \ldots$ as independent (but otherwise adversarial) samples from some natural distribution family $\mathcal{D}$. Our contribution is as follows.
* We define 2-monotone distributions as a rich family $\mathcal{D}$ that includes relevant real-world distributions (Gaussian, exponential, etc.), but avoids trivial impossibility results.
* For any $\alpha$ with $\gcd(\alpha,n)=1$, we show that rotation accumulates $\Omega(n)$ bits of entropy from $n$ independent samples $X_1,\ldots,X_n$ from any (unknown) 2-monotone distribution with entropy $k>1$.
* However, we also show that some choices of $\alpha$ perform much better than others for a given $n$. E.g., we show $\alpha=19$ is one of the best choices for $n=64$; in contrast, $\alpha=5$ is good, but generally worse than $\alpha=7$, for $n=32$.
* More generally, given a permutation $\pi$ and $k \ge 1$, we define a simple parameter, the covering number $C_{\pi,k}$, and show that it characterizes the number of steps before the rule
$$(R_1,\ldots,R_n) \leftarrow (R_{\pi(1)},\ldots,R_{\pi(n)}) \oplus X$$
accumulates nearly $n$ bits of entropy from independent, 2-monotone samples of min-entropy $k$ each.
* We build a simple permutation $\pi^*$, which achieves nearly optimal $C_{\pi^*,k} \approx n/k$ for all values of $k$ simultaneously, and experimentally validate that it compares favorably with all rotations $\mathrm{rot}_{\alpha,n}$.
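As an added illustration (not code from the paper), the Python model below implements both accumulation rules from the abstract, the rotation rule and the general permutation rule, and shows concretely why the rotation result needs gcd(α,n)=1: under rotation a single input bit position only ever visits n/gcd(α,n) state positions, so a source whose entropy sits in one bit position can never fill the whole state. The single-bit source used by `reachable_states` is a constructed toy source for this check, not one of the paper's 2-monotone families.

```python
from itertools import product


def rot(r: int, alpha: int, n: int) -> int:
    """rot_{alpha,n}: rotate the n-bit state r left by alpha positions (0 < alpha < n)."""
    mask = (1 << n) - 1
    return ((r << alpha) | (r >> (n - alpha))) & mask


def accumulate_rot(samples, alpha: int, n: int, r: int = 0) -> int:
    """Rotation rule from the abstract: R <- rot_{alpha,n}(R) xor X, once per input X."""
    for x in samples:
        r = rot(r, alpha, n) ^ x
    return r


def accumulate_perm(samples, perm, r: int = 0) -> int:
    """General rule (R_1..R_n) <- (R_pi(1)..R_pi(n)) xor X.

    perm is a 0-indexed list: new bit i of the state is old bit perm[i].
    """
    n = len(perm)
    for x in samples:
        new_r = 0
        for i in range(n):
            if (r >> perm[i]) & 1:
                new_r |= 1 << i
        r = new_r ^ x
    return r


def rotation_as_perm(alpha: int, n: int):
    """The permutation that realises rot_{alpha,n} under accumulate_perm."""
    return [(i - alpha) % n for i in range(n)]


def orbit_size(alpha: int, n: int) -> int:
    """How many distinct state positions one input bit ever reaches under rotation.

    This equals n // gcd(alpha, n); it is n exactly when gcd(alpha, n) == 1.
    """
    seen, pos = set(), 0
    while pos not in seen:
        seen.add(pos)
        pos = (pos + alpha) % n
    return len(seen)


def reachable_states(alpha: int, n: int) -> int:
    """Constructed toy source: every X is 0 or 1 (entropy only in the LSB).

    Enumerates all 2^n sample sequences of length n and counts distinct final states.
    With gcd(alpha, n) == 1 all 2^n states occur; otherwise only 2^(n/gcd).
    """
    return len({accumulate_rot(bits, alpha, n) for bits in product((0, 1), repeat=n)})
```

For the parameters quoted in the abstract, `orbit_size(5, 32)`, `orbit_size(7, 32)` and `orbit_size(19, 64)` all return the full state size, whereas an even α for n=32 covers only half of it.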