What is the correct way to seed CSPRNG functions?

Question

When using CSPRNG (crypto secure pseudo random number generation) functions seeding is an important step. So what is the best way to seed a random number function?

Answer 1

As anywhere in engineering, there's no "unique" best way; there's always going to be tradeoffs between:

• entropy of the source of randomness,
• rate of the entropy (i.e. how many bits/second can you get?),
• suitability of the source distribution,
• computational resource and energy usage,
• lack of side-channel attacks on the entropy generation,

and finally, and really not unimportant,

• cost.

For example, if you had a truly random source of entropy that you could ask arbitrarily often per second, you'd need to do little CSPRNG – you'd basically have a CSRNG, nothing pseudo about that! All that the generation would do would be a bit of distribution shaping to get uniformly distributed bits, which is what most crypto algorithms need.

Now, since you don't have that, in general, you'd want a source that is

• uncorrelated, actually even
• unpredictable,
• unmanipulatable, and
• doesn't have any side effects, neither whether it's currently working, nor about the random data it's producing.

As such, high-quality sources used where it actually matters are often of a quantum nature: spontaneous emissions of photons in excited matter, often.

However, as anything, "the best possible" will set you back a couple thousand dollars, not fit in your rack server, laptop or smartphone, and actually be resistant to ... no attack anyone would ever try to do, realistically.

So, as always: Model your threads. Then define the number of truly random bits per second you'll need. See whether built-in methods (CPUs these days have truly random number generation – is that enough for you, assuming that you can isolate that CPU well enough to make any kind of side channel attack impossible?), together with state-of-the-art entropy pools. For all things I can imagine, Linux' /dev/urandom, using the ChaCha20 algorithm on such hardware sources, is cryptographically secure!