Fortuna

A secure pseudorandom number generator

Designed by Niels Ferguson and Bruce Schneier

About Fortuna

What's a PRNG? It's a mechanism for generating random numbers on a computer. They're called pseudorandom, because you can't get truly random numbers from a completely non-random thing like a computer. In theory, true random numbers only come from truly random sources: atmospheric noise, radioactive decay, political press announcements. If a computer generates the number, another computer can reproduce the process.

A PRNG is the unsexy part of a cryptographic system. People don't think much about them, but they're used just about everywhere in cryptography. Random numbers are in session keys, initialization vectors, public-key generation, and many other places. If the random numbers are insecure, then the entire application is insecure. Algorithms and protocols can't cover for bad random numbers. When a couple of Berkeley students broke the security on Netscape Navigator, it was the PRNG they broke. (See attacks on PRNGs.)

Fortuna is a PRNG; it generates cryptographically secure pseudorandom numbers on a computer. It can also be used as a real random number generator, accepting random inputs from analog random sources. We wrote Fortuna because after analyzing existing PRNGs and breaking our share of them, we wanted to build something secure.

Fortuna is superior to the past ad hoc PRNGs that have been easily compromised. We are releasing Fortuna copyright-free, at no charge, in the public domain for general business use.

Note: Fortuna replaces the Yarrow PRNG.

Description

Description of Fortuna
This description comes from Chapter 9 of Cryptography Engineering, the updated version of Practical Cryptography. However, please cite the original publication, Practical Cryptography by Ferguson and Schneier.

Analysis

An analysis of Fortuna—and a proposed improvement—can be found in Y. Dodis, A. Shamir, N. Stephens-Davidowitz, D. Wichs, How to Eat Your Entropy and Have it Too —Optimal Recovery Strategies for Compromised RNGs Cryptology ePrint Archive, Report 2014/167, 2014.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc..