by rini17
35 days ago
> And before you go on objecting that a physical true RNG remains better than a could-theoretically-be-broken CSPRNG, understand that your random output often must have no detectable bias to be secure. That means a distribution so uniform you can’t detect a bias even after analysing 2^64 samples.

Why not, actually? I would think a simple and trivially auditable HW RNG with, say, only 0.9 bits of entropy per output bit (raw! no whitening) is preferable to a "perfect" but fragile algorithm. Anything that requires the randomness in practice has enough overhead so that the 90% good entropy is not a problem. Failures caused by wrong assumptions and complications are.