Why can't I use a normal random function like rand() for cryptography?

Ordinary random number generators are built for statistical uniformity and speed, not unpredictability; their output can be predicted from a few samples. Cryptography needs generators whose future output is infeasible to predict even given past output, which requires a cryptographically secure RNG seeded with real entropy.

What is the difference between true randomness and pseudorandomness?

True randomness comes from a physical, unpredictable source and is limited in supply. Pseudorandomness is generated deterministically from a short true-random seed and can be produced in bulk; it only needs to be indistinguishable from true randomness to any efficient adversary, which suffices for cryptographic use.

Randomness and Pseudorandomness

Randomness is the lifeblood of cryptography — keys, nonces, and challenges must be unpredictable — and pseudorandomness lets a short truly-random seed be stretched into long sequences indistinguishable from random to any efficient adversary.

Definition

Pseudorandomness is the property of being computationally indistinguishable from true randomness; a pseudorandom generator deterministically expands a short random seed into a longer output that no efficient algorithm can distinguish from random.

Scope

This topic covers the role of randomness in cryptography: the requirements on entropy sources and true random number generators, the definitions and constructions of cryptographically secure pseudorandom generators and pseudorandom functions, and the catastrophic consequences of weak or reused randomness. It addresses how pseudorandom objects formalize symmetric primitives. It excludes the specific ciphers and the hardness assumptions, treated in sibling topics.

Core questions

Why does cryptography require unpredictable randomness, and what goes wrong without it?
What distinguishes a cryptographically secure generator from a statistical one?
How can a short truly-random seed be stretched into long pseudorandom output?
What are pseudorandom functions and permutations, and how do they model ciphers?
How is high-quality entropy gathered and conditioned in real systems?

Key concepts

entropy and true randomness
random number generators
pseudorandom generator (PRG)
pseudorandom function (PRF)
pseudorandom permutation (PRP)
computational indistinguishability
seed and key derivation
randomness reuse failures
entropy conditioning

Key theories

Pseudorandom generators: A pseudorandom generator expands a short seed into a longer string indistinguishable from uniform randomness to any efficient distinguisher; such generators exist if and only if one-way functions do, linking pseudorandomness to the foundations of cryptography.
Pseudorandom functions and permutations: A pseudorandom function family, constructible from any pseudorandom generator, is indistinguishable from a truly random function to an adversary querying it; this object underlies the security modeling of block ciphers and message authentication codes.

Mechanisms

A true random number generator harvests physical entropy (thermal noise, timing jitter), which is conditioned and used to seed a cryptographically secure pseudorandom generator that deterministically produces all the random-looking bits a system needs. Pseudorandom functions are built from generators (the GGM construction) and model keyed primitives; a block cipher is treated as a pseudorandom permutation. Security definitions require that no efficient adversary, given outputs, can predict further bits or distinguish them from random.

Clinical relevance

Randomness failures are a recurring source of catastrophic real-world breaks: the 2008 Debian OpenSSL bug crippled key generation, predictable ECDSA nonces leaked private keys (Sony PlayStation 3, some Bitcoin wallets), and weak embedded-device entropy produced guessable keys at scale. Robust randomness — proper entropy collection and vetted pseudorandom generators — is therefore essential to every cryptographic deployment.

Evidence & guidelines

NIST SP 800-90A/B/C specify approved deterministic random-bit generators, entropy-source validation, and construction guidance. Best practice uses the operating system's vetted cryptographic RNG (rather than rolling one's own), ensures sufficient entropy before generating keys, and never reuses nonces. Statistical test suites help detect gross flaws but cannot establish cryptographic strength.

History

The computational theory of pseudorandomness was founded by Blum and Micali and by Yao around 1982, defining unpredictability and indistinguishability. Goldreich, Goldwasser, and Micali showed how to construct pseudorandom functions from generators in 1986, and Hastad, Impagliazzo, Levin, and Luby later proved pseudorandom generators exist if one-way functions do. Repeated practical disasters from weak randomness have kept entropy and RNG quality a central engineering concern.

Key figures

Oded Goldreich
Shafi Goldwasser
Silvio Micali
Manuel Blum
Andrew Yao

Seminal works

goldreich1986
goldreich2001
katz2020

Frequently asked questions

Why can't I use a normal random function like rand() for cryptography?: Ordinary random number generators are built for statistical uniformity and speed, not unpredictability; their output can be predicted from a few samples. Cryptography needs generators whose future output is infeasible to predict even given past output, which requires a cryptographically secure RNG seeded with real entropy.
What is the difference between true randomness and pseudorandomness?: True randomness comes from a physical, unpredictable source and is limited in supply. Pseudorandomness is generated deterministically from a short true-random seed and can be produced in bulk; it only needs to be indistinguishable from true randomness to any efficient adversary, which suffices for cryptographic use.