1

I'm trying to create an exponential random number generator using JavaScript, which works using methods from a previous StackOverflow answer:

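function randomNumGen() {
    var u = Math.random();            // uniform sample in [0, 1)
    var mu = 0.3;                     // rate parameter of the exponential distribution
    return -Math.log(1.0 - u) / mu;   // inverse transform of the exponential CDF
}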

However, I later discovered from another StackOverflow answer that using Math.random() is not cryptographically secure. However, I'm not entirely sure if it is cryptographically secure in my case, as it uses the uniform randomness of u against an exponential distribution to make a sample, but I assume it isn't secure.

In the second site, it recommends other libraries; however, they use a different distribution, not exponential. I assume I cannot simply replace the Math.random() with their one (e.g. window.crypto.getRandomValues) as it's not uniform.

Any insights on what I can do?

plasmacel
user153882
  • What do you mean by "mathematically secure"? Cryptographical security involves both the state space being too large to brute force and the computational infeasibility of predicting future output based on past output. Neither of those considerations is terribly important in things like Monte Carlo simulations (which is the main place exponential random variables would be used). What sort of attack are you trying to secure against? – John Coleman May 18 '17 at 19:01
  • @JohnColeman My apologies, I thought they were synonymous. I'm trying to achieve cryptographical security. – user153882 May 18 '17 at 19:10
  • 1
    What are you trying to achieve as the end goal? The combination of exponential distribution and cryptographic security looks kind of weird. – kraskevich May 18 '17 at 19:13
  • @kraskevich I'm trying to implement my own implementation of a (stop and go) mixer which delays messages. The delays are a random number from an exponential distribution. – user153882 May 18 '17 at 19:19
  • 1
    Running a cryptographically secure RNG through an easily invertible function yields a secure RNG. Otherwise -- attackers of the original RNG would be able to exploit this. Break the transformed RNG then work backwards. – John Coleman May 18 '17 at 19:21
  • @John Coleman that makes sense, so in essence I can in fact replace Math.random() with those other ones. So the only requirement left is for it to be uniformly distributed. My question is then, how do I check if getRandomValues or other RNG are uniformly random? – user153882 May 18 '17 at 19:56
  • Look at the documentation to be sure, but I suspect that passing the diehard tests is a small part of vetting an RNG as being cryptographically secure, so sufficient uniformity should be almost automatic. Departures from uniformity would yield an exploitable bias. – John Coleman May 18 '17 at 19:58
  • 1
    The output of a CSPRNG is *by definition* computationally indistinguishable from true randomness, so the random numbers are guaranteed to be uniformly distributed. – r3mainer May 18 '17 at 21:59

1 Answer

2

No, the presented exponential distribution sampler is cryptographically not secure. JavaScript's Math.random() is cryptographically not secure and the inverse transform method you use for sampling the distribution doesn't change this fact.

While it's not clear to me why you really want to use a cryptographically secure source of randomness, you can, if you please.

However, you may be confused about the terminology. Do you really need a high amount of unpredictability for cryptographical purposes, or just a high amount of statistical randomness?

If you really need cryptographical security, then use a CSPRNG transformed to the floating-point interval [0, 1) instead of Math.random(); otherwise you should be fine with a simple high-quality PRNG.

plasmacel
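The approach described in the answer above, as an added example that is not code from the question or the answer: a CSPRNG (`crypto.getRandomValues`) is mapped to a uniform double in [0, 1) and then passed through the question's inverse-transform formula. The names `csprngWords`, `secureUniform` and `secureExponential` are hypothetical, and the injectable `words` parameter exists only so the mapping can be checked with fixed inputs.

```javascript
// Added example: CSPRNG-backed exponential sampler (browser or Node.js).
// All function names here are illustrative, not from the original page.
const cryptoObj = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Default source: n unsigned 32-bit words from the platform CSPRNG.
function csprngWords(n) {
  return cryptoObj.getRandomValues(new Uint32Array(n));
}

// Uniform double in [0, 1) built from 53 random bits (21 high + 32 low),
// which is exactly the precision of a double's mantissa. The largest
// possible value is 1 - 2^-53, so 1.0 is never returned.
function secureUniform(words = csprngWords) {
  const [hi, lo] = words(2);
  const hi21 = hi >>> 11;                               // keep the top 21 bits
  return (hi21 * 4294967296 + lo) / 9007199254740992;   // (hi21 * 2^32 + lo) / 2^53
}

// Inverse-transform sampling with the question's formula, -ln(1 - u) / mu.
// Math.log1p(-u) equals ln(1 - u) but keeps precision when u is tiny.
// Because u < 1, the argument of the logarithm is always > 0 and the
// result is finite and non-negative.
function secureExponential(mu, words = csprngWords) {
  if (!Number.isFinite(mu) || mu <= 0) {
    throw new RangeError('mu must be a positive, finite rate');
  }
  const sample = -Math.log1p(-secureUniform(words)) / mu;
  return sample === 0 ? 0 : sample;   // normalise -0 to 0
}

// Sample mean of n draws; for an exponential distribution it approaches 1 / mu.
function sampleMean(mu, n) {
  let total = 0;
  for (let i = 0; i < n; i++) total += secureExponential(mu);
  return total / n;
}
```

The distribution is the same as with `Math.random()`; only the source of `u` changes, which is the point made in the comments about an invertible transform preserving the generator's unpredictability.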