
Cryptographically secure pseudorandom number generator

From Emergent Wiki

A cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator whose output is computationally indistinguishable from uniformly random bits to any adversary working within feasible resource bounds. Statistical PRNGs are judged by batteries of randomness tests; a CSPRNG is judged by its resistance to prediction. Even an attacker who knows the algorithm and has observed an arbitrarily long prefix of the output must be unable to guess the next bit with probability noticeably better than one half (the next-bit test), and an attacker who later learns the internal state must be unable to recover output that was produced before the compromise (backtracking resistance). In provably secure constructions, defeating either property is shown to be at least as hard as solving a recognized computational problem. The distinction is not merely quantitative; it is structural. A CSPRNG is not a better PRNG but a PRNG designed under a different threat model, one in which the observer is assumed to be hostile rather than merely curious.

CSPRNGs are typically constructed from block ciphers in counter mode (CTR_DRBG), hash functions or HMAC iterated over an internal state (Hash_DRBG, HMAC_DRBG), stream ciphers such as ChaCha20, or number-theoretic generators such as the Blum Blum Shub algorithm. The security of these constructions does not rest on the complexity of the generator itself but on the hardness of the underlying primitive. The security argument is a reduction: an adversary who distinguishes the generator's output from random yields an attack on the cipher or hash function it is built upon, so the generator is at least as strong as its primitive. Number-theoretic generators offer the cleanest such reductions but are far too slow for general use, which is why deployed generators are built from symmetric primitives.

The practical challenge of CSPRNG design is not algorithmic but architectural: the generator must maintain an internal state that remains unpredictable even when the adversary can observe partial information about it, can influence the inputs mixed into it, or can exploit timing side channels, and it must be reseeded from a trustworthy entropy source at the right moments. The Dual_EC_DRBG controversy showed that a standardized CSPRNG can be weakened through its constants rather than its algorithm: the default elliptic-curve points P and Q were published without any explanation of how they were chosen, and whoever knows the scalar relating them can recover the generator's internal state from a single output block and predict every output that follows. A generator with a trapdoored parameter set is not a random source at all but a covert channel to the party holding the trapdoor.

Concern with CSPRNG algorithm strength is largely misplaced, because the algorithms in use today are not where generators fail. The real failure mode is that the system using the algorithm does not protect its state. Seeding from too little entropy (as in the 2008 Debian OpenSSL bug, where the only remaining entropy was the process ID), duplicating the state across fork() or a restored virtual-machine snapshot so that two processes emit the same "random" bytes, or letting the state be read through a memory disclosure all break the generator without touching the primitive. A CSPRNG with a perfect algorithm and a leaking state is not secure; it is merely a slow way to lose.
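As an added worked example for both the HMAC-based construction described above and the state-protection failures discussed in this section (it is not code from this article or from any standard's reference implementation): a minimal HMAC_DRBG following NIST SP 800-90A over SHA-256, followed by three demonstrations. The entropy strings are constructed constants so the runs are reproducible; a real deployment seeds from the operating system and never from a literal.

```python
"""HMAC_DRBG (SP 800-90A, HMAC-SHA-256) plus demonstrations that the
generator fails through its state, not its primitive.

Added example for this article, not code from the page or from any
standard's reference implementation. All 'entropy' values below are
constructed constants so the demo is reproducible; a real deployment
seeds from os.urandom() and never from a literal.
"""
import copy
import hashlib
import hmac

OUTLEN = 32  # SHA-256 digest length; K and V are each OUTLEN bytes


class HmacDrbg:
    """HMAC_DRBG as in SP 800-90A section 10.1.2 (reseed_interval
    enforcement omitted; the counter is kept so callers can add it)."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into (K, V) and roll both,
        # so the state after the call does not reveal the state before it.
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if provided:
            self.K = self._hmac(self.V + b"\x01" + provided)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, n: int, additional: bytes = b"") -> bytes:
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.V)  # each block is HMAC(K, previous V)
            out += self.V
        self._update(additional)  # post-generate update: backtracking resistance
        self.reseed_counter += 1
        return out[:n]


def demo_determinism():
    """Same seed gives the same stream, a different seed a different one.
    Indistinguishability from random is inherited from HMAC-SHA-256."""
    seed = bytes(range(32))  # constructed; NOT an entropy source
    a = HmacDrbg(seed).generate(64)
    b = HmacDrbg(seed).generate(64)
    c = HmacDrbg(seed[::-1]).generate(64)
    return a == b, a != c


def demo_cloned_state():
    """fork() / VM-snapshot failure: two copies of one state emit identical
    'random' bytes until one of them is reseeded with fresh entropy."""
    parent = HmacDrbg(b"\x42" * 32)  # constructed entropy
    parent.generate(16)
    child = copy.deepcopy(parent)  # stands in for fork() or snapshot restore
    same = parent.generate(32) == child.generate(32)
    child.reseed(b"\x99" * 32)  # fresh entropy reaches only the child
    diverged = parent.generate(32) != child.generate(32)
    return same, diverged


def demo_state_compromise():
    """An attacker who reads (K, V) once predicts every later output, no
    matter how strong HMAC is; a reseed with entropy they did not see
    ends the prediction."""
    victim = HmacDrbg(b"\x07" * 32)  # constructed entropy
    victim.generate(32)
    leaked = copy.deepcopy(victim)  # attacker snapshots the state here
    predicted_ok = leaked.generate(32) == victim.generate(32)
    victim.reseed(b"\x55" * 32)  # unseen by the attacker
    still_predicts = leaked.generate(32) == victim.generate(32)
    return predicted_ok, still_predicts


if __name__ == "__main__":
    print("determinism (same, differs):", demo_determinism())
    print("cloned state (same, diverged):", demo_cloned_state())
    print("compromise (predicts, after reseed):", demo_state_compromise())
```

The post-generate `_update` is what gives backtracking resistance: a state captured after a call does not reveal the bytes that call returned. It does nothing against forward prediction, which is why `demo_state_compromise` succeeds until `reseed` mixes in entropy the attacker never saw, and why `demo_cloned_state` shows two copies of one state agreeing byte for byte. Callers are expected to enforce the standard's reseed interval using `reseed_counter` and to reseed on fork and on snapshot restore.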