## Abstract

Real-world random number generators (RNGs) cannot afford to use (slow) cryptographic hashing every time they refresh their state R with a new entropic input X. Instead, they use “superefficient” simple entropy-accumulation procedures, such as R←rotα,n(R)⊕X, where rot_{α} _{,} _{n} rotates an n-bit state R by some fixed number α. For example, Microsoft’s RNG uses α= 5 for n= 32 and α= 19 for n= 64. Where do these numbers come from? Are they good choices? Should rotation be replaced by a better permutation π of the input bits? In this work we initiate a rigorous study of these pragmatic questions, by modeling the sequence of successive entropic inputs X_{1}, X_{2}, … as independent (but otherwise adversarial) samples from some natural distribution family D. Our contribution is as follows. We define 2-monotone distributions as a rich family D that includes relevant real-world distributions (Gaussian, exponential, etc.), but avoids trivial impossibility results.For any α with gcd (α, n) = 1, we show that rotation accumulates Ω(n) bits of entropy from n independent samples X_{1}, …, X_{n} from any (unknown) 2-monotone distribution with entropy k> 1.However, we also show some choices of α perform much better than others for a given n. E.g., we show α= 19 is one of the best choices for n= 64 ; in contrast, α= 5 is good, but generally worse than α= 7, for n= 32.More generally, given a permutation π and k≥ 1, we define a simple parameter, the covering number C_{π} _{,} _{k}, and show that it characterizes the number of steps before the rule (Formula presented.) accumulates nearly n bits of entropy from independent, 2-monotone samples of min-entropy k each.We build a simple permutation π^{∗}, which achieves nearly optimal Cπ∗,k≈n/k for all values of k simultaneously, and experimentally validate that it compares favorably with all rotations rot_{α} _{,} _{n}.

Original language | English (US) |
---|---|

Title of host publication | Advances in Cryptology – CRYPTO 2021 - 41st Annual International Cryptology Conference, CRYPTO 2021, Proceedings |

Editors | Tal Malkin, Chris Peikert |

Publisher | Springer Science and Business Media Deutschland GmbH |

Pages | 548-576 |

Number of pages | 29 |

ISBN (Print) | 9783030842581 |

DOIs | |

State | Published - 2021 |

Event | 41st Annual International Cryptology Conference, CRYPTO 2021 - Virtual, Online Duration: Aug 16 2021 → Aug 20 2021 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 12828 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### Conference

Conference | 41st Annual International Cryptology Conference, CRYPTO 2021 |
---|---|

City | Virtual, Online |

Period | 8/16/21 → 8/20/21 |

## Keywords

- Entropy accumulation
- RNGs
- Randomness extractors

## ASJC Scopus subject areas

- Theoretical Computer Science
- General Computer Science