2

I don't know if this question even makes sense, but:

Is there be any benefit or impact to some sort of hierarchical (e.g. a PRNG drives the decision for which PRN to pull from a set of PRNGs) or state-based model (e.g. a PRNG determines the next PRNG to pull from, which in turn determines the next, etc.) or combination thereof. Or might this somehow lead to a less-random output.

If there is some benefit to the aforementioned, then what about the difference between using multiple PRNGs with same implementation using different seeds, versus using multiple different PRNG implementations.

Scott
  • 23
  • 2
  • 4
    No need to do any kind of complex decision-making logic. Simply XORing PRNG outputs will do; at worst, the result has the same entropy as the most entropic of the inputs. For instance, if one of the inputs is truly random, and the other is completely attacker-controlled, the XOR of the two is still completely random and unpredictable to an attacker. – Stephen Touset Jun 26 '14 at 03:50
  • 1
    @Stephen Touset: that's true in an information-theoretic sense, and only with the critical assumption that the PRNGs are seeded from independent sources. However it is possible to devise (bad) PRNGs that individually have output in any particular run indistinguishable from random, but which XOR has horrible properties, even when both are seeded with true random. A trivial example is two identical CSPRNGs modified to entirely ignore their seed input; but it is possible to extend this to make the generators pass many, perhaps any fixed test. – fgrieu Jun 26 '14 at 05:55
  • I must confess I took the assumption about being seeded from individual sources for granted; thanks for pointing it out! Actually, an even better example would be two identical PRNGs seeded from the same TRNG — they would produce the same bit sequence, and thus their XOR would be all zeroes. – Stephen Touset Jun 26 '14 at 06:01
  • 1
    @Stephen Touset: Yes, and in my comment above I'm also making that assumption of seed independence past the first sentence. The rest is to stress that such assumption is NOT enough to ensure that the XOR of the PRNGs behaves at least as well as the worst of the originals in a particular practical test intended to assert a PRNG's quality. – fgrieu Jun 26 '14 at 06:14

1 Answers1

5

There are many ways to combine random number generators:

  1. XOR the outputs. Very simple and fast. If they are independent and at least one is strong, the output is strong as well. However, if those assumptions are not true, this can be very broken.

  2. Hash the outputs. With a strong hash you combine the entropy of both. Good if the RNGs have some entropy, but their output is not uniform. Can be significantly slower, if your RNGs are fast.

  3. Seed one using the other. Mostly used for seeding a CSPRNG with a true RNG. If the former is weak or the latter doesn't have enough entropy, the whole is weak as well.

  4. Entropy pool, with multiple inputs combined into a large state, which is iterated to produce the next state and hashed to produce output. Can include pseudo-random inputs, but a normal PRNG is not a good input.

In practice, if you have a CSPRNG, seeding with a random number (3.) is the only one you should be concerned with. If you have poor, non-cryptographic PRNGs, no games you play with the outputs will get you anything better than (or usually even as good as) simply moving to a CSPRNG.

An entropy pool is usually already available in the OS (/dev/urandom or CryptGenRandom), so there are few situations where you should go there yourself. Number 2. is often used in TRNGs for whitening, but that too is not something you should usually need to be doing in software. Maybe, if paranoid about the design, you could be seeding two completely different CSPRNGs with true entropy, then XORing the outputs, but then you are trusting on them to really be independent.

otus
  • 32,132
  • 5
  • 70
  • 165