by contravariant 1227 days ago
Something about using a PRNG with a large internal state just to generate an output in a large space of possibilities feels wrong to me. If you have enough entropy to fill a high entropy RNG, why not use all that entropy to generate the output in the first place?

Also, I'm curious how they generate the Latin squares; their claims require a uniform distribution of some kind, which is interesting.

2 comments

The issue is that you cannot directly pick one of the outputs using the entropy; you have to use some kind of probabilistic algorithm to traverse the state space and find a valid output. When the PRNG's cycle is smaller than the output space, the output distribution is obviously non-uniform. This might seem like an inconsequential observation with a CSPRNG, but depending on how exactly the state traversal works, such constructions can have real output spaces that are several orders of magnitude smaller than the cycle of the RNG used (to the extent that, when used with a (CS)PRNG with 128b state, the output bias is observable from a practical amount of outputs).

> If you have enough entropy to fill a high entropy RNG, why not use all that entropy to generate the output in the first place?

The problem is the entropy generation rate. A PRNG, even with a large space, typically runs at 10 Gbit/sec or better. PCG with 256/64bit could generate decent numbers at 50 Gbit/sec.

That's not entropy, that is data. You fundamentally can't increase entropy, hence why they wanted to use a PRNG with a big internal state, so they can put more entropy in.

So if your argument is that you want a big entropy PRNG to get more possible outputs, then the generation rate can't be the problem, because that's entirely dependent on you being able to generate a big enough seed.
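
The point made in the first reply (a generator whose cycle is smaller than the output space cannot reach every output), as an added example that is not part of the thread and was not posted by any participant. The toy LCG, its constants and the 6-element shuffle are assumptions constructed for illustration; it enumerates every seed and counts which permutations are ever produced.

```python
import math
from collections import Counter

def toy_prng(seed, bits):
    """Full-period LCG with `bits` bits of state (constructed for this demo)."""
    mask = (1 << bits) - 1
    state = seed & mask
    while True:
        state = (5 * state + 1) & mask
        yield state

def shuffle_from_seed(seed, bits, n):
    """Fisher-Yates shuffle of range(n) driven only by the toy PRNG."""
    rng = toy_prng(seed, bits)
    items = list(range(n))
    for i in range(n - 1, 0, -1):
        # Scale the state into [0, i]; this mapping adds its own small bias,
        # but the hard limit below comes from the number of seeds alone.
        j = (next(rng) * (i + 1)) >> bits
        items[i], items[j] = items[j], items[i]
    return tuple(items)

def reachable(bits, n):
    """Count how often each permutation appears over every possible seed."""
    return Counter(shuffle_from_seed(s, bits, n) for s in range(1 << bits))

def summary(bits, n):
    """Compare the seed space with the output space for an n-element shuffle."""
    hits = reachable(bits, n)
    total = math.factorial(n)
    return {
        "seeds": 1 << bits,             # distinct starting states
        "outputs": total,               # size of the output space (n!)
        "reached": len(hits),           # permutations some seed produces
        "never": total - len(hits),     # permutations no seed can produce
        "max_hits": max(hits.values()), # seeds colliding on one output
    }

if __name__ == "__main__":
    # 6! = 720 outputs; 8 bits of state gives at most 256 of them.
    for bits in (8, 12, 16):
        print(bits, summary(bits, 6))
```

With 8 bits of state at least 464 of the 720 permutations can never appear, and collisions between seeds can push the reached count well below 256, which is the "real output space smaller than the cycle" effect the reply describes.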