Random number generator testing


Random number generation is typically a two-step process. First you create a source of uniformly distributed random numbers, then you transform these numbers into the form you need.

Testing random number generators is very different depending on whether you’re testing the original source of bits or testing the transformation of those bits.

Testing random number generators for use in cryptographic applications is different still. Statistical quality is necessary, but it’s not enough.

We discuss each of these testing scenarios below: uniform, non-uniform, and cryptographic. We offer testing services for each case.

Testing uniform RNGs

One of the earliest and still most widely known test suites for random number generators was George Marsaglia’s DIEHARD suite. This suite evolved into the DIEHARDER test suite now maintained by Robert G. Brown and colleagues. More recent test suites include Practically Random (PractRand) and TestU01 (BigCrush).

These tests, while statistically rigorous, are not easy to use and the results can be hard to interpret. We will run the tests for you and help you interpret the results.

Testing nonuniform RNGs

Not many people develop their own uniform random number generator. Far more people trust a third-party RNG as a source of uniform random values and then transform those values to meet their needs: randomly permuting lists, generating random points on a sphere, sampling from a gamma distribution, etc.

Starting with a high quality uniform random number generator does little good if the output is not transformed appropriately for the task at hand. We provide validation for not just a random number generator but also the statistical application of that generator.

Cryptographic random number generation

For cryptographic applications, statistical quality is necessary but not sufficient. A random number generator can have excellent statistical properties and yet be cryptographically weak.

For example, while the popular Mersenne Twister is suitable for statistical applications, it is not appropriate for use in cryptography because its future output can be predicted from past output by solving a system of linear recurrence equations.

The NIST Statistical Test Suite (STS) is recommended for testing CSPRNGs (cryptographically secure pseudorandom number generators), though it in no way guarantees that an RNG is secure. The Mersenne Twister, for example, passes STS without any issues. STS is not a very demanding test for statistical quality, much less cryptographic quality, but it is a test any CSPRNG should pass.
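
The gap between statistical and cryptographic quality, as an added example that is not part of the original page: it computes the STS frequency (monobit) p-value for 624 outputs of CPython's `random` module (MT19937), then rebuilds the generator's state from those same outputs by inverting the output tempering, a shortcut to the linear-system approach that works when full 32-bit outputs are visible. The function names, seed and skip count are constructed for illustration.

```python
import math
import random

def monobit_p(words, width=32):
    """NIST SP 800-22 frequency (monobit) p-value; STS passes at p >= 0.01."""
    n = len(words) * width
    ones = sum(bin(w).count("1") for w in words)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def _undo_right(y, shift):
    # Invert y ^= y >> shift; each pass fixes `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_left(y, shift, mask):
    # Invert y ^= (y << shift) & mask; each pass fixes `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF

def untemper(y):
    """Invert MT19937's four tempering steps, in reverse order."""
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)

def clone_from_outputs(outputs):
    """Rebuild a random.Random from 624 consecutive 32-bit outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))  # index 624 forces a twist on next draw
    return clone

def demo(seed=12345, skip=1000):
    """Return (monobit p-value of observed words, future outputs matched)."""
    source = random.Random(seed)  # constructed seed, any value works
    observed = [source.getrandbits(32) for _ in range(skip + 624)][skip:]
    clone = clone_from_outputs(observed)
    hits = sum(clone.getrandbits(32) == source.getrandbits(32)
               for _ in range(1000))
    return monobit_p(observed), hits

if __name__ == "__main__":
    print(demo())
```

In CPython, the `secrets` module draws from the operating system's CSPRNG and is the appropriate source for keys and tokens.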

Free consultation

Get started with a free consultation to discuss your testing project.


Trusted consultants to some of the world’s leading companies

Amazon, Facebook, Google, US Army Corps of Engineers, Amgen, Microsoft, Hitachi Data Systems