Random Numbers From Hard Problems: Lwe Based Toy Rng

Posted3 months agoActive2 months ago

s20n

21 points

2 comments

blog.s20n.devTechstory

calmpositive

Debate

10/100

CryptographyRandom Number GenerationLwe

Key topics

Cryptography

Random Number Generation

Lwe

The post explores using the Learning With Errors (LWE) problem to create a toy random number generator (RNG), sparking interest in cryptographic applications and discussions around its security and practicality.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

13d

Peak period

Day 14

Avg / period

Key moments

01Story posted
Oct 11, 2025 at 9:44 AM EDT
3 months ago
Step 01
02First comment
Oct 24, 2025 at 3:48 PM EDT
13d after posting
Step 02
03Peak activity
2 comments in Day 14
Hottest window of the conversation
Step 03
04Latest activity
Oct 24, 2025 at 8:29 PM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (2 comments)

Showing 2 comments

elchananHaas

2 months ago

TLDR - this RNG is completely and totally broken.

First, I don't think the error term is contributing much to the solution. It almost never affects the high bit. In addition, it isn't fed back into updating the secret vectors, so I think an analysis can pretend it doesn't exist.

The nonlinear step where each value is squared looks questionable to me. You will only produce quadratic residues (https://en.wikipedia.org/wiki/Quadratic_residue) when you square the numbers. This roughly halves the number of possibilities.

So what this really boils down to is this:

You have a matrix G and a vector s and a prime p. You repeatedly compute s' = Gs (Hadamard) Gs mod p. Each time you run this step you are projecting into a space with dimensionality (p/2)^N from a space p^N. My guess is that most operations will get trapped into short cycles.

Using you example values, after 10 iterations it gets to [9, 16, 13, 8]. This then repeats with a cycle length of 20. Given 4 values with p = 17 you could get up to 83520 values before repeating.

In some random tests, 6 values with p=97 enters a cycle at iteration 3802 even though there were 832,972,004,929 values.

6 values with p=271 enters a cycle at iteration 166,684 even though there were 396,109,944,105,121 values.

RainyDayTmrw

2 months ago

The nice thing about Blum-Blum-Shub or Blum-Micali is that they come with a proof of security. Even then, they tend to be impractical, due to performance and side channels.

This one is missing the most important part, the proof. Indeed, a sibling comment notes that empirical results look pretty flawed.

View full discussion on Hacker News

ID: 45549099Type: storyLast synced: 11/20/2025, 4:11:17 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN