The article is interesting, but it misses the most practical and unambiguously safe way to generate streams of random data: Use cryptography. To generate a stream of random data, use a hash function with arbitrary-length output (XOF) such as blake2x[^0] or shake256[^1]. Make sure your key contains at least 256 bits of entropy. Absolutely never use a key with less than 128 bits of entropy. Since it's impossible to know how much entropy there is in a key, you probably want to use something like the Fortuna RNG[^2]. Substitute the sha2/AES based construction for your XOF. Bruce Schneier designed Fortuna back when XOFs were harder to come by. If you want more performance, you can use blake2 to compress your input seed into 256 bits and generate the random stream using chacha20[^3]. All of this is usually handled by the Linux kernel[^4], so it's best to just use the getrandom(2)[^5] system call or just read from /dev/urandom[^6]. If you are writing a Rust program, you can use the rand[^7] crate, which uses a mixed approach, reading a seed from the operating system and expanding it in-process using chacha[^8]. This is a valid strategy. I am omitting some subtleties[^10] about mathematical definitions of randomness extractors as used by the author of the article. When you are using a cryptographic approach, you are dealing with a complexity-theory based security notion[^9], which does not precisely equate to creating a stream with a specific amount of entropy. Everywhere – except for a physics or a math paper dealing with information theory – I would call this a technicality. For most intents and purposes, cryptographic security notions are the most real-world robust conceptions of randomness available.
[^0]: https://www.blake2.net/
[^1]: https://csrc.nist.gov/pubs/fips/202/final (shake256 is part of the SHA-3 standard)
[^2]: https://www.schneier.com/academic/fortuna/
[^3]: https://protonvpn.com/blog/chacha20
[^4]: https://lwn.net/Articles/884875/
[^5]: https://man.archlinux.org/man/getrandom.2
[^6]: https://man.archlinux.org/man/urandom.4
[^7]: https://crates.io/crates/rand
[^8]: https://docs.rs/rand/0.8.5/rand/rngs/struct.StdRng.html
[^9]: https://en.wikipedia.org/wiki/Security_of_cryptographic_hash...
[^10]: In particular, PRFs are not guaranteed to output tokens with a certain amount of entropy – if I recall correctly – because they can map two inputs to the same output.

---

I am the main author of the Rosenpass[^11] post-quantum secure key exchange for WireGuard. My expertise comes from developing this protocol, as well as a couple of years of engagement with the real-world cryptography community and from my own scientific research on cryptography and secure implementations of cryptography.

[^11]: https://rosenpass.eu/
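The construction the comment above sketches (compress the input seed to 256 bits with blake2, then expand it with an XOF) in Python, using only the standard library's `hashlib` and `os`. This is an added example, not code from the commenter or from Rosenpass; the domain-separation labels, the chunk size and the counter-mode `XofStream` reader are my own choices, and the OS-seeded path simply reads 32 bytes from `os.urandom`, which is the getrandom/urandom route the comment recommends for real programs.

```python
import hashlib
import os

SEED_BYTES = 32          # 256-bit seed, the minimum the comment recommends
CHUNK_BYTES = 64         # bytes produced per XOF call in the streaming reader

# Domain-separation labels are an assumption of this example, not from the comment.
SEED_PERSONALIZATION = b"xof-seed-v1"   # BLAKE2b 'person' is limited to 16 bytes
STREAM_LABEL = b"xof-stream-v1"


def compress_seed(raw_entropy: bytes) -> bytes:
    """Compress arbitrary-length, possibly structured input into a 256-bit seed.

    The personalization string keeps a seed derived here from colliding with a
    plain BLAKE2b hash of the same bytes computed elsewhere in a program.
    """
    return hashlib.blake2b(raw_entropy, digest_size=SEED_BYTES,
                           person=SEED_PERSONALIZATION).digest()


def random_stream(seed: bytes, nbytes: int) -> bytes:
    """Expand a 256-bit seed into nbytes of output with SHAKE256.

    SHAKE256 is an XOF: the output length is a parameter, and a shorter output
    is a prefix of a longer one for the same input.
    """
    if len(seed) < SEED_BYTES:
        raise ValueError("seed must carry at least 256 bits")
    return hashlib.shake_256(STREAM_LABEL + seed).digest(nbytes)


class XofStream:
    """Incremental reader over a seed-expanded stream (counter-mode SHAKE256).

    Each chunk is SHAKE256(label || seed || counter), so the byte sequence does
    not depend on how the caller splits reads and no prefix is ever rehashed.
    This is a separate construction from random_stream(), not a prefix of it.
    """

    def __init__(self, seed: bytes) -> None:
        if len(seed) < SEED_BYTES:
            raise ValueError("seed must carry at least 256 bits")
        self._seed = seed
        self._counter = 0
        self._buf = b""

    def _next_chunk(self) -> bytes:
        material = STREAM_LABEL + self._seed + self._counter.to_bytes(8, "big")
        self._counter += 1
        return hashlib.shake_256(material).digest(CHUNK_BYTES)

    def read(self, n: int) -> bytes:
        while len(self._buf) < n:
            self._buf += self._next_chunk()
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


def os_seeded_stream(nbytes: int) -> bytes:
    """The route the comment actually recommends: seed from the OS, expand in-process."""
    return random_stream(os.urandom(SEED_BYTES), nbytes)


if __name__ == "__main__":
    # Constructed input standing in for a high-entropy but oddly shaped seed source.
    seed = compress_seed(b"constructed entropy sample " * 8)
    print(random_stream(seed, 16).hex())
    reader = XofStream(seed)
    print((reader.read(5) + reader.read(11)).hex())
    print(os_seeded_stream(16).hex())
```

The guard in `random_stream` only checks length, not entropy; as the comment says, nothing in-process can measure how much entropy a seed actually carries, which is why the OS-seeded path is the one to use unless you have a specific reason to expand a seed yourself.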
Surely if you can just use a strong RNG to generate the key for the cryptographic algorithm you could just use that for all your randomness and ignore the stream of input entirely? The whole point of the article is how to extract the entropy from an unknown/untrusted input stream.
It's like the author has presented a recipe for a chocolate cake and you've said "it's better if you already have a cake, then you can just take a slice of that". Well yes.
Or in the domain of the article, faced with von Neumann's algorithm for getting fair flips from a biased coin, your solution amounts to "Instead I just flip my own coin which I know is fair."