On Seedless PRNGs and Premature Next

Authors Sandro Coretti, Yevgeniy Dodis, Harish Karthikeyan, Noah Stephens-Davidowitz, Stefano Tessaro

Thumbnail PDF


  • Filesize: 0.86 MB
  • 20 pages

Document Identifiers

Author Details

Sandro Coretti
  • IOHK, Zürich, Switzerland
Yevgeniy Dodis
  • New York University, NY, USA
Harish Karthikeyan
  • New York University, NY, USA
Noah Stephens-Davidowitz
  • Cornell University, Ithaca, NY, USA
Stefano Tessaro
  • University of Washington, Seattle, WA, USA

Cite AsGet BibTex

Sandro Coretti, Yevgeniy Dodis, Harish Karthikeyan, Noah Stephens-Davidowitz, and Stefano Tessaro. On Seedless PRNGs and Premature Next. In 3rd Conference on Information-Theoretic Cryptography (ITC 2022). Leibniz International Proceedings in Informatics (LIPIcs), Volume 230, pp. 9:1-9:20, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)


Pseudorandom number generators with input (PRNGs) are cryptographic algorithms that generate pseudorandom bits from accumulated entropic inputs (e.g., keystrokes, interrupt timings, etc.). This paper studies in particular PRNGs that are secure against premature next attacks (Kelsey et al., FSE '98), a class of attacks leveraging the fact that a PRNG may produce an output (which could be seen by an adversary!) before enough entropy has been accumulated. Practical designs adopt either unsound entropy-estimation methods to prevent such attacks (as in Linux’s /dev/random) or sophisticated pool-based approaches as in Yarrow (MacOS/FreeBSD) and Fortuna (Windows). The only prior theoretical study of premature next attacks (Dodis et al., Algorithmica '17) considers either a seeded setting or assumes constant entropy rate, and thus falls short of providing and validating practical designs. Assuming the availability of random seed is particularly problematic, first because this requires us to somehow generate a random seed without using our PRNG, but also because we must ensure that the entropy inputs to the PRNG remain independent of the seed. Indeed, all practical designs are seedless. However, prior works on seedless PRNGs (Coretti et al., CRYPTO '19; Dodis et al., ITC '21, CRYPTO'21) do not consider premature next attacks. The main goal of this paper is to investigate the feasibility of theoretically sound seedless PRNGs that are secure against premature next attacks. To this end, we make the following contributions: 1) We prove that it is impossible to achieve seedless PRNGs that are secure against premature-next attacks, even in a rather weak model. Namely, the impossibility holds even when the entropic inputs to the PRNG are independent. In particular, our impossibility result holds in settings where seedless PRNGs are otherwise possible. 2) Given the above impossibility result, we investigate whether existing seedless pool-based approaches meant to overcome premature next attacks in practical designs provide meaningful guarantees in certain settings. Specifically, we show the following. 3) We introduce a natural condition on the entropic input and prove that it implies security of the round-robin entropy accumulation PRNG used by Windows 10, called Fortuna. Intuitively, our condition requires the input entropy "not to vary too wildly" within a given round-robin round. 4) We prove that the "root pool" approach (also used in Windows 10) is secure for general entropy inputs, provided that the system’s state is not compromised after system startup.

Subject Classification

ACM Subject Classification
  • Security and privacy → Mathematical foundations of cryptography
  • Security and privacy → Information-theoretic techniques
  • Theory of computation → Pseudorandomness and derandomization
  • seedless PRNGs
  • pseudorandom number generators
  • PRNG
  • Fortuna
  • premature next


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Boaz Barak and Shai Halevi. A model and architecture for pseudo-random generation with applications to /dev/random. In Vijayalakshmi Atluri, Catherine Meadows, and Ari Juels, editors, ACM CCS 2005, pages 203-212, Alexandria, Virginia, USA, November 7-11 2005. ACM Press. URL: https://doi.org/10.1145/1102120.1102148.
  2. Elaine Barker and John Kelsey. Recommendation for random number generation using deterministic random bit generators. NIST Special Publication 800-90A, 2012. Google Scholar
  3. Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput., 17(2):230-261, 1988. URL: https://doi.org/10.1137/0217015.
  4. Sandro Coretti, Yevgeniy Dodis, Harish Karthikeyan, and Stefano Tessaro. Seedless Fruit is the sweetest: Random number generation, revisited. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part I, volume 11692 of LNCS, pages 205-234, Santa Barbara, CA, USA, August 18-22 2019. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-030-26948-7_8.
  5. Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. No time to hash: On super-efficient entropy accumulation. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021, Part IV, volume 12828 of LNCS, pages 548-576, Virtual Event, August 16-20 2021. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-030-84259-8_19.
  6. Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. Online linear extractors for independent sources. In Stefano Tessaro, editor, 2nd Conference on Information-Theoretic Cryptography, ITC 2021, July 23-26, 2021, Virtual Conference, volume 199 of LIPIcs, pages 14:1-14:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2021. URL: https://doi.org/10.4230/LIPIcs.ITC.2021.14.
  7. Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Security analysis of pseudo-random number generators with input: /dev/random is not robust. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 2013, pages 647-658, Berlin, Germany, November 4-8 2013. ACM Press. URL: https://doi.org/10.1145/2508859.2516653.
  8. Yevgeniy Dodis, Adi Shamir, Noah Stephens-Davidowitz, and Daniel Wichs. How to eat your entropy and have it too: Optimal recovery strategies for compromised rngs. Algorithmica, 79(4):1196-1232, 2017. URL: https://doi.org/10.1007/s00453-016-0239-3.
  9. Niels Ferguson. The windows 10 random number generation infrastructure, October 2019. URL: https://aka.ms/win10rng.
  10. Niels Ferguson and Bruce Schneier. Practical cryptography. Wiley, 2003. Google Scholar
  11. Peter Gazi and Stefano Tessaro. Provably robust sponge-based PRNGs and KDFs. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part I, volume 9665 of LNCS, pages 87-116, Vienna, Austria, May 8-12 2016. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-662-49890-3_4.
  12. Viet Tung Hoang and Yaobin Shen. Security analysis of NIST CTR-DRBG. In Daniele Micciancio and Thomas Ristenpart, editors, CRYPTO 2020, Part I, volume 12170 of LNCS, pages 218-247, Santa Barbara, CA, USA, August 17-21 2020. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-030-56784-2_8.
  13. Shlomo Hoory, Nathan Linial, and Avi Wigderson. Expander graphs and their applications. BULL. AMER. MATH. SOC., 43(4):439-561, 2006. Google Scholar
  14. Daniel Hutchinson. A robust and sponge-like PRNG with improved efficiency. In Roberto Avanzi and Howard M. Heys, editors, SAC 2016, volume 10532 of LNCS, pages 381-398, St. John’s, NL, Canada, August 10-12 2016. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-319-69453-5_21.
  15. John Kelsey, Bruce Schneier, and Niels Ferguson. Yarrow-160: Notes on the design and analysis of the yarrow cryptographic pseudorandom number generator. In In Sixth Annual Workshop on Selected Areas in Cryptography, pages 13-33. Springer, 1999. Google Scholar
  16. John Kelsey, Bruce Schneier, David Wagner, and Chris Hall. Cryptanalytic attacks on pseudorandom number generators. In Serge Vaudenay, editor, FSE'98, volume 1372 of LNCS, pages 168-188, Paris, France, March 23-25 1998. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/3-540-69710-1_12.
  17. Noam Nisan and David Zuckerman. Randomness is linear in space. J. Comput. Syst. Sci., 52(1):43-52, 1996. URL: https://doi.org/10.1006/jcss.1996.0004.
  18. Amit Sahai and Salil Vadhan. A complete problem for statistical zero knowledge. Journal of the ACM, 50(2):196-249, 2003. Extended abstract in FOCS quoteright97. Google Scholar
  19. Thomas Shrimpton and R. Seth Terashima. A provable-security analysis of Intel’s secure key RNG. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages 77-100, Sofia, Bulgaria, April 26-30 2015. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-662-46800-5_4.
  20. Wikipedia contributors. /dev/random - Wikipedia, the free encyclopedia, 2021. [Online; accessed 9-January-2022]. URL: https://en.wikipedia.org/w/index.php?title=/dev/random&oldid=1056079736.
  21. Joanne Woodage and Dan Shumow. An analysis of NIST SP 800-90A. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part II, volume 11477 of LNCS, pages 151-180, Darmstadt, Germany, May 19-23 2019. Springer, Heidelberg, Germany. URL: https://doi.org/10.1007/978-3-030-17656-3_6.