What is the difference between TRNG and CSPRNG?

Clash Royale CLAN TAG#URR8PPP

up vote
3
down vote

favorite

I understand the output of a $TRNG$ is almost impossible to reproduce, such a flipping a coin $100$ times to produce a $100$-bit sequence. However, it is also my understanding that a $CSPRNG$ produces an unpredictable output.

1. If they are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?


2. Do we not use both $TRNG$ and $CSPRNG$ to produce sessions keys?


3. Can we (do we?) use $TRNG$ to produce $CSPRNG$?

random-number-generator randomness pseudo-random-permutation

share|improve this question

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
  – kelalaka
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
  – Maarten Bodewes
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  @MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
  – Red Book 1
  28 mins ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

favorite

I understand the output of a $TRNG$ is almost impossible to reproduce, such a flipping a coin $100$ times to produce a $100$-bit sequence. However, it is also my understanding that a $CSPRNG$ produces an unpredictable output.

1. If they are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?


2. Do we not use both $TRNG$ and $CSPRNG$ to produce sessions keys?


3. Can we (do we?) use $TRNG$ to produce $CSPRNG$?

random-number-generator randomness pseudo-random-permutation

share|improve this question

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
  – kelalaka
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
  – Maarten Bodewes
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  @MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
  – Red Book 1
  28 mins ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

favorite

up vote
3
down vote

favorite

I understand the output of a $TRNG$ is almost impossible to reproduce, such a flipping a coin $100$ times to produce a $100$-bit sequence. However, it is also my understanding that a $CSPRNG$ produces an unpredictable output.

1. If they are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?


2. Do we not use both $TRNG$ and $CSPRNG$ to produce sessions keys?


3. Can we (do we?) use $TRNG$ to produce $CSPRNG$?

random-number-generator randomness pseudo-random-permutation

share|improve this question

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

I understand the output of a $TRNG$ is almost impossible to reproduce, such a flipping a coin $100$ times to produce a $100$-bit sequence. However, it is also my understanding that a $CSPRNG$ produces an unpredictable output.

1. If they are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?


2. Do we not use both $TRNG$ and $CSPRNG$ to produce sessions keys?


3. Can we (do we?) use $TRNG$ to produce $CSPRNG$?

random-number-generator randomness pseudo-random-permutation

random-number-generator randomness pseudo-random-permutation

share|improve this question

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

share|improve this question

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

share|improve this question

share|improve this question

edited 30 mins ago

edited 30 mins ago

edited 30 mins ago

asked 8 hours ago

Red Book 1

458414

asked 8 hours ago

Red Book 1

458414

asked 8 hours ago

Red Book 1

458414

458414

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
  – kelalaka
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
  – Maarten Bodewes
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  @MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
  – Red Book 1
  28 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
  – kelalaka
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
  – Maarten Bodewes
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  @MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
  – Red Book 1
  28 mins ago
  

  
  
  
  

2

2

This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
– kelalaka
6 hours ago

This When is an RNG a CSPRNG, a CSRNG, or a TRNG? may help.
– kelalaka
6 hours ago

1

1

Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
– Maarten Bodewes
3 hours ago

Could you adjust your question or at least clarify the difference between CSRNG (in the title) and CSPRNG (over the rest of the question)? As fgrieu's answer has indicates, a CSRNG != CSPRNG.
– Maarten Bodewes
3 hours ago

1

1

@MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
– Red Book 1
28 mins ago

@MaartenBodewes My typo. I have edited the question to '... CSPRNG?'.
– Red Book 1
28 mins ago

add a comment | 

2 Answers
2

active

oldest

votes

up vote
6
down vote



accepted

A True Random Number Generator uses a physical phenomenon with no known determinism as origin of the values that it outputs. That phenomenon can be a dice throw, thermal noise, disintegration of a radioactive substance…

What detects this phenomenon can be followed by a conditioning stage to turn the output into an (at least, near) ideal sequence of random bits. The archetypal conditioning stage is Von Neumann's debiaser: it groups the values at the input (such as dice values, binary output of a comparator, count of clock cycles between events…) into pairs, and outputs 0, nothing, or 1, depending on if the first element in the pair is less, equal or more than the second. If the input was consisting of independent values, the output (if any) would be independent random values with 50% probability for 0 and for 1; that is, truly uniform independent random bits (hereafter: true random).

Unless otherwise stated, a TRNG can be imperfect to some degree: it is to be expected that a statistical test distinguishes its output from true random.

---

A (Cryptographically Secure) Pseudo Random Number Generator is a deterministic (hence the pseudo) computational method to turn a (typically short or low-throughput) secret input into a (typically arbitrarily long or/and high-throughput) sequence of bits that are computationally indistinguishable from true random for one not knowing the input, assumed not reused.

A Cryptographically Secure Random Number Generator (not Pseudo) is a random generator which output is computationally indistinguishable from true random, with cryptographic certainty. It can be deterministic, or not.

The archetypal deterministic CSRNG is built from CSPRNG and a random secret seed that is not reused. That is essentially the only way to build a CSRNG withotu a TRNG.

The archetypal non-deterministic CSRNG is built from CSPRNG, and a TRNG which output is used as input of the CSPRNG. The idea is that the cryptographic strength of the CSRNG comes mainly from the (CS)PRNG, and the unpredictability comes from the TRNG.

A TRNG can be a CSRNG. Any CSRNG must include a TRNG, or must have made use of one as the origin of some secret value at an initialization stage (otherwise, knowledge of the CSRNG structure would allow to predict its output).

---

It is notoriously difficult to make a good non-deterministic CSRNG even by applying the above principle and using a good CSPRNG. That's because in practice, TRNGs often fail, spontaneously or under adversarial influence (for example, an adversary can reduce thermal noise by putting the device in cold condition using evaporation of some liquefied gas, or remotely feed controlled events to a sensor of disintegration). If that goes undetected, the output of the TRNG can become highly predictable, and knowledge of the PRNG will allow to predict its output. Thus a practical CSRNG must test its TRNG, and somewhat prevent any output when it does not operate properly.

---

Summary of terminology:

• A TRNG is not deterministic. Unless otherwise stated, that's its only defining characteristic.


• A (CS)PRNG is deterministic, and its output is indistinguishable from true random if its input is random, secret, and not reused.


• A CSRNG at least appears not deterministic, and its output is computationally indistinguishable from true random. It can be deterministic, or not. In the former case, it's a CSPRNG with a random secret key that is not reused. In the later case, it includes (or perhaps is) a TRNG.

---

The question uses CSRNG in the title, and CSPRNG in the body, sometime where CSRNG is thought.

If they (TRNG and CSRNG) are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?

A TRNG must derive randomness from a physical source while it operates. A CSRNG needs not: it can be purely deterministic after initialization. Also, a TRNG could have its outputs perceptibly biased or/and correlated, a CSRNG must not.

Do we not use both TRNG and CSPRNG to produce sessions keys?

Often we use a CSPRNG initialized with a shared secret and some other element (like a nonce) to initialize session keys, so that the session keys needs not be transmitted secretly.

If we use the output of a CSRNG or TRNG as a session key, we need to encipher the value produced on one side to transfer it to the other side, which has no way to produce the same session key independently. Further, it we use a TRNG directly, we must use one that is close enough to a CSRNG that the key can't be guessed (that's an issue for short keys).

Another practice is to use a CSRNG or TRNG (often, one on each side) as input to an asymmetric key exchange protocol (like Diffie-Hellman) to produce a shared secret session key.

Can we (do we?) use TRNG to produce CSPRNG?

No. But we often use a TRNG and a CSPRNG to produce a CSRNG.

share|improve this answer

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
  – ilkkachu
  54 mins ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

A TRNG is a physical device that produces a non deterministic output, whilst a CSPRNG is a mathematical device that always produces an identical output given the same starting point (deterministic).

You have to be able to hold a TRNG in your hand.

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63555%2fwhat-is-the-difference-between-trng-and-csprng%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
6
down vote



accepted

A True Random Number Generator uses a physical phenomenon with no known determinism as origin of the values that it outputs. That phenomenon can be a dice throw, thermal noise, disintegration of a radioactive substance…

What detects this phenomenon can be followed by a conditioning stage to turn the output into an (at least, near) ideal sequence of random bits. The archetypal conditioning stage is Von Neumann's debiaser: it groups the values at the input (such as dice values, binary output of a comparator, count of clock cycles between events…) into pairs, and outputs 0, nothing, or 1, depending on if the first element in the pair is less, equal or more than the second. If the input was consisting of independent values, the output (if any) would be independent random values with 50% probability for 0 and for 1; that is, truly uniform independent random bits (hereafter: true random).

Unless otherwise stated, a TRNG can be imperfect to some degree: it is to be expected that a statistical test distinguishes its output from true random.

---

A (Cryptographically Secure) Pseudo Random Number Generator is a deterministic (hence the pseudo) computational method to turn a (typically short or low-throughput) secret input into a (typically arbitrarily long or/and high-throughput) sequence of bits that are computationally indistinguishable from true random for one not knowing the input, assumed not reused.

A Cryptographically Secure Random Number Generator (not Pseudo) is a random generator which output is computationally indistinguishable from true random, with cryptographic certainty. It can be deterministic, or not.

The archetypal deterministic CSRNG is built from CSPRNG and a random secret seed that is not reused. That is essentially the only way to build a CSRNG withotu a TRNG.

The archetypal non-deterministic CSRNG is built from CSPRNG, and a TRNG which output is used as input of the CSPRNG. The idea is that the cryptographic strength of the CSRNG comes mainly from the (CS)PRNG, and the unpredictability comes from the TRNG.

A TRNG can be a CSRNG. Any CSRNG must include a TRNG, or must have made use of one as the origin of some secret value at an initialization stage (otherwise, knowledge of the CSRNG structure would allow to predict its output).

---

It is notoriously difficult to make a good non-deterministic CSRNG even by applying the above principle and using a good CSPRNG. That's because in practice, TRNGs often fail, spontaneously or under adversarial influence (for example, an adversary can reduce thermal noise by putting the device in cold condition using evaporation of some liquefied gas, or remotely feed controlled events to a sensor of disintegration). If that goes undetected, the output of the TRNG can become highly predictable, and knowledge of the PRNG will allow to predict its output. Thus a practical CSRNG must test its TRNG, and somewhat prevent any output when it does not operate properly.

---

Summary of terminology:

• A TRNG is not deterministic. Unless otherwise stated, that's its only defining characteristic.


• A (CS)PRNG is deterministic, and its output is indistinguishable from true random if its input is random, secret, and not reused.


• A CSRNG at least appears not deterministic, and its output is computationally indistinguishable from true random. It can be deterministic, or not. In the former case, it's a CSPRNG with a random secret key that is not reused. In the later case, it includes (or perhaps is) a TRNG.

---

The question uses CSRNG in the title, and CSPRNG in the body, sometime where CSRNG is thought.

If they (TRNG and CSRNG) are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?

A TRNG must derive randomness from a physical source while it operates. A CSRNG needs not: it can be purely deterministic after initialization. Also, a TRNG could have its outputs perceptibly biased or/and correlated, a CSRNG must not.

Do we not use both TRNG and CSPRNG to produce sessions keys?

Often we use a CSPRNG initialized with a shared secret and some other element (like a nonce) to initialize session keys, so that the session keys needs not be transmitted secretly.

If we use the output of a CSRNG or TRNG as a session key, we need to encipher the value produced on one side to transfer it to the other side, which has no way to produce the same session key independently. Further, it we use a TRNG directly, we must use one that is close enough to a CSRNG that the key can't be guessed (that's an issue for short keys).

Another practice is to use a CSRNG or TRNG (often, one on each side) as input to an asymmetric key exchange protocol (like Diffie-Hellman) to produce a shared secret session key.

Can we (do we?) use TRNG to produce CSPRNG?

No. But we often use a TRNG and a CSPRNG to produce a CSRNG.

share|improve this answer

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
  – ilkkachu
  54 mins ago
  

  
  
  
  

add a comment | 

up vote
6
down vote



accepted

A True Random Number Generator uses a physical phenomenon with no known determinism as origin of the values that it outputs. That phenomenon can be a dice throw, thermal noise, disintegration of a radioactive substance…

What detects this phenomenon can be followed by a conditioning stage to turn the output into an (at least, near) ideal sequence of random bits. The archetypal conditioning stage is Von Neumann's debiaser: it groups the values at the input (such as dice values, binary output of a comparator, count of clock cycles between events…) into pairs, and outputs 0, nothing, or 1, depending on if the first element in the pair is less, equal or more than the second. If the input was consisting of independent values, the output (if any) would be independent random values with 50% probability for 0 and for 1; that is, truly uniform independent random bits (hereafter: true random).

Unless otherwise stated, a TRNG can be imperfect to some degree: it is to be expected that a statistical test distinguishes its output from true random.

---

A (Cryptographically Secure) Pseudo Random Number Generator is a deterministic (hence the pseudo) computational method to turn a (typically short or low-throughput) secret input into a (typically arbitrarily long or/and high-throughput) sequence of bits that are computationally indistinguishable from true random for one not knowing the input, assumed not reused.

A Cryptographically Secure Random Number Generator (not Pseudo) is a random generator which output is computationally indistinguishable from true random, with cryptographic certainty. It can be deterministic, or not.

The archetypal deterministic CSRNG is built from CSPRNG and a random secret seed that is not reused. That is essentially the only way to build a CSRNG withotu a TRNG.

The archetypal non-deterministic CSRNG is built from CSPRNG, and a TRNG which output is used as input of the CSPRNG. The idea is that the cryptographic strength of the CSRNG comes mainly from the (CS)PRNG, and the unpredictability comes from the TRNG.

A TRNG can be a CSRNG. Any CSRNG must include a TRNG, or must have made use of one as the origin of some secret value at an initialization stage (otherwise, knowledge of the CSRNG structure would allow to predict its output).

---

It is notoriously difficult to make a good non-deterministic CSRNG even by applying the above principle and using a good CSPRNG. That's because in practice, TRNGs often fail, spontaneously or under adversarial influence (for example, an adversary can reduce thermal noise by putting the device in cold condition using evaporation of some liquefied gas, or remotely feed controlled events to a sensor of disintegration). If that goes undetected, the output of the TRNG can become highly predictable, and knowledge of the PRNG will allow to predict its output. Thus a practical CSRNG must test its TRNG, and somewhat prevent any output when it does not operate properly.

---

Summary of terminology:

• A TRNG is not deterministic. Unless otherwise stated, that's its only defining characteristic.


• A (CS)PRNG is deterministic, and its output is indistinguishable from true random if its input is random, secret, and not reused.


• A CSRNG at least appears not deterministic, and its output is computationally indistinguishable from true random. It can be deterministic, or not. In the former case, it's a CSPRNG with a random secret key that is not reused. In the later case, it includes (or perhaps is) a TRNG.

---

The question uses CSRNG in the title, and CSPRNG in the body, sometime where CSRNG is thought.

If they (TRNG and CSRNG) are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?

A TRNG must derive randomness from a physical source while it operates. A CSRNG needs not: it can be purely deterministic after initialization. Also, a TRNG could have its outputs perceptibly biased or/and correlated, a CSRNG must not.

Do we not use both TRNG and CSPRNG to produce sessions keys?

Often we use a CSPRNG initialized with a shared secret and some other element (like a nonce) to initialize session keys, so that the session keys needs not be transmitted secretly.

If we use the output of a CSRNG or TRNG as a session key, we need to encipher the value produced on one side to transfer it to the other side, which has no way to produce the same session key independently. Further, it we use a TRNG directly, we must use one that is close enough to a CSRNG that the key can't be guessed (that's an issue for short keys).

Another practice is to use a CSRNG or TRNG (often, one on each side) as input to an asymmetric key exchange protocol (like Diffie-Hellman) to produce a shared secret session key.

Can we (do we?) use TRNG to produce CSPRNG?

No. But we often use a TRNG and a CSPRNG to produce a CSRNG.

share|improve this answer

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
  – ilkkachu
  54 mins ago
  

  
  
  
  

add a comment | 

up vote
6
down vote



accepted

up vote
6
down vote



accepted

A True Random Number Generator uses a physical phenomenon with no known determinism as origin of the values that it outputs. That phenomenon can be a dice throw, thermal noise, disintegration of a radioactive substance…

What detects this phenomenon can be followed by a conditioning stage to turn the output into an (at least, near) ideal sequence of random bits. The archetypal conditioning stage is Von Neumann's debiaser: it groups the values at the input (such as dice values, binary output of a comparator, count of clock cycles between events…) into pairs, and outputs 0, nothing, or 1, depending on if the first element in the pair is less, equal or more than the second. If the input was consisting of independent values, the output (if any) would be independent random values with 50% probability for 0 and for 1; that is, truly uniform independent random bits (hereafter: true random).

Unless otherwise stated, a TRNG can be imperfect to some degree: it is to be expected that a statistical test distinguishes its output from true random.

---

A (Cryptographically Secure) Pseudo Random Number Generator is a deterministic (hence the pseudo) computational method to turn a (typically short or low-throughput) secret input into a (typically arbitrarily long or/and high-throughput) sequence of bits that are computationally indistinguishable from true random for one not knowing the input, assumed not reused.

A Cryptographically Secure Random Number Generator (not Pseudo) is a random generator which output is computationally indistinguishable from true random, with cryptographic certainty. It can be deterministic, or not.

The archetypal deterministic CSRNG is built from CSPRNG and a random secret seed that is not reused. That is essentially the only way to build a CSRNG withotu a TRNG.

The archetypal non-deterministic CSRNG is built from CSPRNG, and a TRNG which output is used as input of the CSPRNG. The idea is that the cryptographic strength of the CSRNG comes mainly from the (CS)PRNG, and the unpredictability comes from the TRNG.

A TRNG can be a CSRNG. Any CSRNG must include a TRNG, or must have made use of one as the origin of some secret value at an initialization stage (otherwise, knowledge of the CSRNG structure would allow to predict its output).

---

It is notoriously difficult to make a good non-deterministic CSRNG even by applying the above principle and using a good CSPRNG. That's because in practice, TRNGs often fail, spontaneously or under adversarial influence (for example, an adversary can reduce thermal noise by putting the device in cold condition using evaporation of some liquefied gas, or remotely feed controlled events to a sensor of disintegration). If that goes undetected, the output of the TRNG can become highly predictable, and knowledge of the PRNG will allow to predict its output. Thus a practical CSRNG must test its TRNG, and somewhat prevent any output when it does not operate properly.

---

Summary of terminology:

• A TRNG is not deterministic. Unless otherwise stated, that's its only defining characteristic.


• A (CS)PRNG is deterministic, and its output is indistinguishable from true random if its input is random, secret, and not reused.


• A CSRNG at least appears not deterministic, and its output is computationally indistinguishable from true random. It can be deterministic, or not. In the former case, it's a CSPRNG with a random secret key that is not reused. In the later case, it includes (or perhaps is) a TRNG.

---

The question uses CSRNG in the title, and CSPRNG in the body, sometime where CSRNG is thought.

If they (TRNG and CSRNG) are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?

A TRNG must derive randomness from a physical source while it operates. A CSRNG needs not: it can be purely deterministic after initialization. Also, a TRNG could have its outputs perceptibly biased or/and correlated, a CSRNG must not.

Do we not use both TRNG and CSPRNG to produce sessions keys?

Often we use a CSPRNG initialized with a shared secret and some other element (like a nonce) to initialize session keys, so that the session keys needs not be transmitted secretly.

If we use the output of a CSRNG or TRNG as a session key, we need to encipher the value produced on one side to transfer it to the other side, which has no way to produce the same session key independently. Further, it we use a TRNG directly, we must use one that is close enough to a CSRNG that the key can't be guessed (that's an issue for short keys).

Another practice is to use a CSRNG or TRNG (often, one on each side) as input to an asymmetric key exchange protocol (like Diffie-Hellman) to produce a shared secret session key.

Can we (do we?) use TRNG to produce CSPRNG?

No. But we often use a TRNG and a CSPRNG to produce a CSRNG.

share|improve this answer

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

A True Random Number Generator uses a physical phenomenon with no known determinism as origin of the values that it outputs. That phenomenon can be a dice throw, thermal noise, disintegration of a radioactive substance…

What detects this phenomenon can be followed by a conditioning stage to turn the output into an (at least, near) ideal sequence of random bits. The archetypal conditioning stage is Von Neumann's debiaser: it groups the values at the input (such as dice values, binary output of a comparator, count of clock cycles between events…) into pairs, and outputs 0, nothing, or 1, depending on if the first element in the pair is less, equal or more than the second. If the input was consisting of independent values, the output (if any) would be independent random values with 50% probability for 0 and for 1; that is, truly uniform independent random bits (hereafter: true random).

Unless otherwise stated, a TRNG can be imperfect to some degree: it is to be expected that a statistical test distinguishes its output from true random.

---

A (Cryptographically Secure) Pseudo Random Number Generator is a deterministic (hence the pseudo) computational method to turn a (typically short or low-throughput) secret input into a (typically arbitrarily long or/and high-throughput) sequence of bits that are computationally indistinguishable from true random for one not knowing the input, assumed not reused.

A Cryptographically Secure Random Number Generator (not Pseudo) is a random generator which output is computationally indistinguishable from true random, with cryptographic certainty. It can be deterministic, or not.

The archetypal deterministic CSRNG is built from CSPRNG and a random secret seed that is not reused. That is essentially the only way to build a CSRNG withotu a TRNG.

The archetypal non-deterministic CSRNG is built from CSPRNG, and a TRNG which output is used as input of the CSPRNG. The idea is that the cryptographic strength of the CSRNG comes mainly from the (CS)PRNG, and the unpredictability comes from the TRNG.

A TRNG can be a CSRNG. Any CSRNG must include a TRNG, or must have made use of one as the origin of some secret value at an initialization stage (otherwise, knowledge of the CSRNG structure would allow to predict its output).

---

It is notoriously difficult to make a good non-deterministic CSRNG even by applying the above principle and using a good CSPRNG. That's because in practice, TRNGs often fail, spontaneously or under adversarial influence (for example, an adversary can reduce thermal noise by putting the device in cold condition using evaporation of some liquefied gas, or remotely feed controlled events to a sensor of disintegration). If that goes undetected, the output of the TRNG can become highly predictable, and knowledge of the PRNG will allow to predict its output. Thus a practical CSRNG must test its TRNG, and somewhat prevent any output when it does not operate properly.

---

Summary of terminology:

• A TRNG is not deterministic. Unless otherwise stated, that's its only defining characteristic.


• A (CS)PRNG is deterministic, and its output is indistinguishable from true random if its input is random, secret, and not reused.


• A CSRNG at least appears not deterministic, and its output is computationally indistinguishable from true random. It can be deterministic, or not. In the former case, it's a CSPRNG with a random secret key that is not reused. In the later case, it includes (or perhaps is) a TRNG.

---

The question uses CSRNG in the title, and CSPRNG in the body, sometime where CSRNG is thought.

If they (TRNG and CSRNG) are both non-deterministic are they not the same? Are they not both producing unpredictable outputs?

A TRNG must derive randomness from a physical source while it operates. A CSRNG needs not: it can be purely deterministic after initialization. Also, a TRNG could have its outputs perceptibly biased or/and correlated, a CSRNG must not.

Do we not use both TRNG and CSPRNG to produce sessions keys?

Often we use a CSPRNG initialized with a shared secret and some other element (like a nonce) to initialize session keys, so that the session keys needs not be transmitted secretly.

If we use the output of a CSRNG or TRNG as a session key, we need to encipher the value produced on one side to transfer it to the other side, which has no way to produce the same session key independently. Further, it we use a TRNG directly, we must use one that is close enough to a CSRNG that the key can't be guessed (that's an issue for short keys).

Another practice is to use a CSRNG or TRNG (often, one on each side) as input to an asymmetric key exchange protocol (like Diffie-Hellman) to produce a shared secret session key.

Can we (do we?) use TRNG to produce CSPRNG?

No. But we often use a TRNG and a CSPRNG to produce a CSRNG.

share|improve this answer

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 6 hours ago

fgrieu

75k7153316

answered 6 hours ago

fgrieu

75k7153316

answered 6 hours ago

fgrieu

75k7153316

75k7153316

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
  – ilkkachu
  54 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
  – ilkkachu
  54 mins ago
  

  
  
  
  

Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
– ilkkachu
54 mins ago

Aren't there lots of PRNGs that completely insecure in the crypto sense? I'm not sure if grouping CSPRNGs and PRNGs together is a good idea even in summary.
– ilkkachu
54 mins ago

add a comment | 

up vote
2
down vote

A TRNG is a physical device that produces a non deterministic output, whilst a CSPRNG is a mathematical device that always produces an identical output given the same starting point (deterministic).

You have to be able to hold a TRNG in your hand.

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

add a comment | 

up vote
2
down vote

A TRNG is a physical device that produces a non deterministic output, whilst a CSPRNG is a mathematical device that always produces an identical output given the same starting point (deterministic).

You have to be able to hold a TRNG in your hand.

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

add a comment | 

up vote
2
down vote

up vote
2
down vote

A TRNG is a physical device that produces a non deterministic output, whilst a CSPRNG is a mathematical device that always produces an identical output given the same starting point (deterministic).

You have to be able to hold a TRNG in your hand.

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

A TRNG is a physical device that produces a non deterministic output, whilst a CSPRNG is a mathematical device that always produces an identical output given the same starting point (deterministic).

You have to be able to hold a TRNG in your hand.

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

share|improve this answer

share|improve this answer

answered 4 hours ago

Paul Uszak

6,61011433

answered 4 hours ago

Paul Uszak

6,61011433

answered 4 hours ago

Paul Uszak

6,61011433

6,61011433

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63555%2fwhat-is-the-difference-between-trng-and-csprng%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email