Randen - fast backtracking-resistant random generator with AES+Feistel+Reverie

TL;DR

The paper introduces 'Randen', a fast, backtracking-resistant pseudorandom generator based on AES, Feistel, and Reverie, offering strong security properties and outperforming existing generators in benchmarks, suitable for non-cryptographic applications.

Contribution

It presents a new open-source generator 'Randen' with enhanced security and performance, utilizing an improved Feistel structure and hardware acceleration, and provides new bounds on active s-boxes for its construction.

Findings

Randen outperforms Mersenne Twister, PCG, ChaCha8, ISAAC, and Philox in benchmarks.

Randen is computationally indistinguishable from true randomness and resistant to backtracking attacks.

The generator is suitable for protecting randomized algorithms like reservoir sampling.

Abstract

Algorithms that rely on a pseudorandom number generator often lose their performance guarantees when adversaries can predict the behavior of the generator. To protect non-cryptographic applications against such attacks, we propose 'strong' pseudorandom generators characterized by two properties: computationally indistinguishable from random and backtracking-resistant. Some existing cryptographically secure generators also meet these criteria, but they are too slow to be accepted for general-purpose use. We introduce a new open-sourced generator called 'Randen' and show that it is 'strong' in addition to outperforming Mersenne Twister, PCG, ChaCha8, ISAAC and Philox in real-world benchmarks. This is made possible by hardware acceleration. Randen is an instantiation of Reverie, a recently published robust sponge-like random generator, with a new permutation built from an improved generalized Feistel structure with 16 branches. We provide new bounds on active s-boxes for up to 24 rounds of this construction, made possible by a memory-efficient search algorithm. Replacing existing generators with Randen can protect randomized algorithms such as reservoir sampling from attack. The permutation may also be useful for wide-block ciphers and hashing functions.