by huntaub 3873 days ago
I know that this has a disclaimer that it isn't to be used in production. But, just know that hash functions are not there to provide randomness. There is no guarantee that a hash will be statistically indistinguishable from random noise.

There is no guarantee that any PRNG will be indistinguishable from random noise but a properly designed hash function will be as close as any.
Sorry - guarantee was probably too strong. I meant it in the mathematical sense (no more than a negligible chance of distinguishing from random noise) [1].

[1] https://en.wikipedia.org/wiki/Cryptographically_secure_pseud...

There are a bunch of CSPRNGs built out of hash functions. Are they all doing it wrong?
Of course, I'm sure that it is possible to construct one out of a hash function. I am also pretty confident that they do more than just serve the raw bytes of the hash.
I think you're technically correct that there's no guarantee, in that it's not part of the definition of a hash. A magical function which somehow returned an incrementing counter value for each unique chunk of data you fed to it, globally, would fit the definition of a cryptographic hash.

Real-world cryptographic hash functions, however, just try to approximate a random oracle. They attempt to achieve pre-image resistance and collision resistance by making their output look random. Certainly that's the case with SHA-224, which is what this code uses.

Some real-world CSPRNGs do just use hash functions directly. Linux's /dev/random implementation, for example, just returns a SHA-1 hash of its entropy pool contents. Yarrow (used in Mac OS X, iOS, and FreeBSD) does a final pass on its output using a block cipher, but requires that the hash function used in its earlier stages produce random-looking output. Fortuna is similar.

Of course, this code is insecure and should not be used in production, regardless of the internal details, simply because all of the inputs are known to a third party, i.e. Twitter.
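As an added illustration of the point above that hash-based CSPRNGs do more than serve raw digest bytes (this is not code from the thread or from the project under discussion), here is a minimal Hash_DRBG in the style of NIST SP 800-90A built on SHA-224: output blocks come from hashing an incrementing counter derived from the internal state V, and V is then updated with H(0x03||V), a constant C and the reseed counter. The entropy bytes are constructed stand-ins; reseeding, additional_input and the standard's length limits are omitted.

```python
import hashlib

OUTLEN = 28           # SHA-224 digest size in bytes
SEEDLEN = 55          # 440 bits: the SP 800-90A seedlen for SHA-224
MOD = 1 << (SEEDLEN * 8)


def hash_df(data: bytes, nbytes: int) -> bytes:
    """Hash_df derivation: Hash(counter || bits_to_return || input), counter = 1, 2, ..."""
    out = b""
    counter = 1
    while len(out) < nbytes:
        prefix = bytes([counter]) + (nbytes * 8).to_bytes(4, "big")
        out += hashlib.sha224(prefix + data).digest()
        counter += 1
    return out[:nbytes]


class HashDRBG:
    """Simplified Hash_DRBG: instantiate + generate only (no reseed/additional_input)."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Instantiate: V = Hash_df(entropy || nonce || pers), C = Hash_df(0x00 || V)
        self.v = hash_df(entropy + nonce + personalization, SEEDLEN)
        self.c = hash_df(b"\x00" + self.v, SEEDLEN)
        self.reseed_counter = 1

    def generate(self, nbytes: int) -> bytes:
        # Hashgen: output = Hash(V) || Hash(V+1) || Hash(V+2) ... (mod 2^seedlen)
        data = int.from_bytes(self.v, "big")
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha224(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % MOD
        # State update: V = (V + Hash(0x03 || V) + C + reseed_counter) mod 2^seedlen
        h = hashlib.sha224(b"\x03" + self.v).digest()
        v_int = (int.from_bytes(self.v, "big") + int.from_bytes(h, "big")
                 + int.from_bytes(self.c, "big") + self.reseed_counter) % MOD
        self.v = v_int.to_bytes(SEEDLEN, "big")
        self.reseed_counter += 1
        return out[:nbytes]


if __name__ == "__main__":
    # Constructed entropy: a real instantiation must use OS/hardware entropy, not fixed bytes.
    drbg = HashDRBG(b"constructed-entropy-not-for-real-use", b"nonce-1")
    print(drbg.generate(32).hex())
    print(drbg.generate(32).hex())  # differs: V was updated after the first call
```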