Skip to content

A random-number generator passes a standard statistical test suite, so what is the safest conclusion before trusting it for cryptography?

Show answer & explanation

Answer: Only a first screening

Only a first screeningPassing statistical tests is useful evidence, but it is only a first screening. NIST SP 800-22 explicitly warns that tests cannot certify a generator's cryptographic suitability or replace cryptanalysis. A clean test report is encouraging, yet the source model, entropy, implementation, and threat model still matter.

Proof of future bitsFuture bits are not proven merely because past output looked statistically normal. A flawed physical device can contain predictable noise, and a deterministic generator can pass many tests until its state is exposed. Certification needs a reason that an adversary could not have known the bits in advance, not just a clean histogram.

No need for seed secrecySeed secrecy still matters for pseudorandom generators. SP 800-22 frames the goal as next-output unpredictability despite previous outputs when the seed is unknown. If the seed becomes known, the argument changes completely; passing a battery of tests does not make seed exposure harmless.

🚀 Play today's quiz — new questions daily

More Physics in Daily Life questions