How random is crypto.randomBytes(20).toString('hex')
?
Easy as that, all I need to know.
Secure randomness underpins the foundations of the cryptography used in blockchains. An essential ingredient in generating a private key for a cryptocurrency wallet, cryptographic hash functions ensure that it's prohibitively difficult to guess what a particular wallet's private key is.
crypto.randomBytes(size[, callback]) Generates cryptographically strong pseudo-random data. The size argument is a number indicating the number of bytes to generate. This means that the random data is secure enough to use for encryption purposes.
In cryptography randomness is found everywhere, from the generation of keys to encryption systems, even the way in which cryptosystems are attacked. Without randomness, all crypto operations would be predictable and hence insecure.
To generate random numbers, we'll use a secret number that one side of the interaction has and the other does not. However, we'll make sure that the secret number is not on the blockchain. The advantage of XOR here is that it is determined equally by both sides, so neither can choose an advantageous “random” value.
How random is crypto.randomBytes()
? Usually, random enough for whatever purpose you need.
crypto.randomBytes()
generates cryptographically secure random data:
crypto.randomBytes(size[, callback])
Generates cryptographically strong pseudo-random data. The size argument is a number indicating the number of bytes to generate.
This means that the random data is secure enough to use for encryption purposes. In fact, the function is just a wrapper around OpenSSL's RAND_bytes()
function. This part of their documentation states:
RAND_bytes will fetch cryptographically strong random bytes. Cryptographically strong bytes are suitable for high integrity needs, such as long term key generation. If your generator is using a software algorithm, then the bytes will be pseudo-random (but still cryptographically strong).
Unless you have a hardware random number generator, the bytes will be pseudo-random—generated predictably from a seed value. The seed is generated from an OS-specific source (/dev/urandom
on Unix-like systems, CryptGenRandom
on Windows). As long as your seed is relatively random and not known to an attacker, the data produced will appear totally random.
If you like, you could perform the test described here:
Given any arbitrary sequence of binary digits it is possible to examine it using statistical techniques. There are various suites of statistical tests available such as STS (Statistical Test Suite) available from NIST's RANDOM NUMBER GENERATION page. This suite provides a number of different tests including:
- The Frequency (Monobit) Test: Checks whether the proportion of 0s and 1s in a given sequence are approximately as one would expect
- The Runs Test: Tests whether the number of runs of consecutive identical digits of varying lengths within a given sequence is as expected
- The Longest Run of Ones in a block: Confirms whether the longest single run of ones within a sequence is as would be expected
That would give you a very good indication on how random your generator is on your system. Rest assured, though, that it's likely to be virtually indistinguishable from a truly random source, so it should be sufficiently random for nearly any application.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With