
I'm thinking about the evaluation of a cipher, or a separate cipher round, as a PRNG. In general, we can encrypt consecutive natural numbers and check them with some randomness test. But PRNGs don't work like this. They use their output as a new input.

Shouldn't ciphers have long periods in such a test? Do they have long periods? If not, they should not be considered good PRNGs, correct? And is it possible that a cryptographically secure PRNG will have a short period for some inputs?

Patriot
Tom

1 Answer


They use their output like a new input.

That's not correct; generally CS-PRNGs keep a state and use separate bits (or possibly the state run through a PRF) as output.

Shouldn't ciphers have long periods in such a test?

Yes, and the same goes for CS-PRNGs. Yes, if you can trigger a CS-PRNG to repeat a long enough pattern then something is wrong. There are many other reasons why a PRNG is broken, of course. It may be biased, or an attacker may be able to get the state back, for instance. Beware that a cipher is not necessarily a CS-PRNG.

And is it possible that a cryptographically secure PRNG will have a short period for some inputs?

When correctly seeded they should have unpredictable output. If you can seed according to the specifications and it is still computationally feasible to get into a cycle, then no, it would not be cryptographically secure.

Generally you should not get repeated output as long as the seed is unique. Secure hash functions are often used to accomplish this.

Maarten Bodewes
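The contrast between the two designs discussed above (the question's "use the output as the next input" and the answer's "keep a counter as state and never feed the output back") can be measured directly on a toy domain. The following is an added example, not code from the question, the answer, or any real library: it builds a constructed 16-bit block permutation from a 4-round Feistel network over truncated SHA-256 (a stand-in for a real block cipher, not a secure one), then measures the period of three generators built on it. The key, the seed and the domain size are constructed values chosen so a full period fits in a few seconds.

```python
"""Added example (not from the original question or answer): period behaviour of
three generator constructions on a constructed 16-bit domain.

  * counter mode: state is a counter, output is E_k(counter); output never reused
  * feedback through a permutation: x -> E_k(x), the question's "output as input"
  * feedback through a non-bijective PRF: x -> PRF_k(x)
"""
import hashlib
from typing import Callable, Dict, List, Tuple

BITS = 16             # toy block size (constructed); a full period fits in seconds
N = 1 << BITS         # domain size 2^16
MASK = N - 1


def prf(key: bytes, x: int, nbits: int) -> int:
    """Toy PRF: SHA-256(key || x) truncated to nbits. In general NOT a permutation,
    so distinct inputs may collide."""
    digest = hashlib.sha256(key + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << nbits) - 1)


def toy_block_encrypt(key: bytes, x: int, rounds: int = 4) -> int:
    """Toy 16-bit block permutation: 4-round Feistel network over two 8-bit halves.
    Every Feistel network is a bijection, so distinct inputs give distinct outputs.
    The round keys (key || round index) are a constructed key schedule."""
    half = BITS // 2
    hmask = (1 << half) - 1
    left, right = x >> half, x & hmask
    for i in range(rounds):
        left, right = right, left ^ prf(key + bytes([i]), right, half)
    return (left << half) | right


def counter_mode_outputs(key: bytes, count: int) -> List[int]:
    """Counter-mode generator: the state is a counter incremented each step.
    The output E_k(counter) is never fed back, so the state cannot fall into a
    short cycle; through a permutation, outputs repeat only when the counter wraps."""
    return [toy_block_encrypt(key, ctr & MASK) for ctr in range(count)]


def feedback_cycle(step: Callable[[int], int], seed: int) -> Tuple[int, int]:
    """Iterate x -> step(x) from `seed` until some value repeats.
    Returns (tail_length, cycle_length); the generator's period is cycle_length."""
    seen: Dict[int, int] = {}
    x, i = seed, 0
    while x not in seen:
        seen[x] = i
        x = step(x)
        i += 1
    first = seen[x]
    return first, i - first


def compare(key: bytes, seed: int) -> Dict[str, object]:
    """Summarise the period behaviour of the three constructions for one key/seed."""
    distinct = len(set(counter_mode_outputs(key, N)))
    perm_tail, perm_cycle = feedback_cycle(lambda x: toy_block_encrypt(key, x), seed)
    prf_tail, prf_cycle = feedback_cycle(lambda x: prf(key, x, BITS), seed)
    return {
        # full period: all 2^16 counter values map to 2^16 distinct outputs
        "counter_mode_distinct_outputs": distinct,
        # a permutation iterated from a point has no tail, but the cycle length
        # depends on which cycle of the permutation the seed happens to lie on
        "feedback_permutation": (perm_tail, perm_cycle),
        # a non-bijective map falls into a rho shape after roughly sqrt(N) steps,
        # far below the 2^16 the counter design achieves
        "feedback_prf": (prf_tail, prf_cycle),
    }


if __name__ == "__main__":
    KEY = b"constructed-demo-key"   # constructed sample key for the demo only
    print(compare(KEY, seed=0x1234))
```

Run it as a script to print the three measurements for the constructed key and seed. The counter-mode count is always exactly 2^16 because the underlying map is a bijection, whereas the feedback-through-PRF period is on the order of the square root of the domain size, which is the "short period for some inputs" failure the question asks about; a counter-based state avoids it by construction, while the feedback design's period depends on the seed.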