In many cryptographic systems, it is necessary to use arbitrarily chosen numbers. One such situation is the generation of cryptographic keys. Sources of truly random numbers are preferred, but such sources typically provide only a limited number of random bits at a time, or are expensive or cumbersome to use. An inexpensive and easy-to-use alternative is a pseudo-random number generator, which produces a sequence of arbitrary numbers from a single input called the seed. The numbers in the sequence appear random to standard statistical tests, and using the same seed produces the same sequence again.
The harder it is to predict the next or previous number in the sequence, the more secure the pseudo-random number generator is considered to be. The strongest kind of pseudo-random number generator is the cryptographically secure pseudo-random number generator. These draw entropy from a high-quality source, such as a hardware-based random-number generator, to produce sequences that are very hard to predict. However, this type of generator has a specific disadvantage: its output is not reproducible, as there is no way to input a fixed seed.
A pseudo-random number generator may be used to avoid having to store or transmit a cryptographic key, which typically is much longer than the seed used for pseudo-random number generators. If the same pseudo-random number generator is used with the same seed, the same sequence of arbitrary numbers is obtained.
An inherent disadvantage of this approach is that if the seed used to generate a key is exposed, the key and hence all messages encrypted using that key can be recovered. Thus, keeping the seed a secret is an important requirement. (Of course, once the key has been generated the seed may be erased, but that only shifts the problem to keeping the key a secret.)
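To make the two properties described above concrete (the key is reproducible from the seed, so the seed is exactly as sensitive as the key), here is an added example in Python; it is not part of the original text. The HMAC-SHA256 counter-mode generator, the `key-derivation` label and the sample seeds are assumptions of the example.

```python
import hashlib
import hmac
import os


class SeededGenerator:
    """Deterministic PRNG: HMAC-SHA256 in counter mode, keyed by the seed
    (example construction for this page, not a standardised DRBG)."""

    def __init__(self, seed: bytes, label: bytes = b"key-derivation"):
        self.seed = seed
        self.label = label
        self.counter = 0

    def next_block(self) -> bytes:
        """Return the next 32 pseudo-random bytes; a fixed function of the seed."""
        self.counter += 1
        msg = self.label + self.counter.to_bytes(4, "big")
        return hmac.new(self.seed, msg, hashlib.sha256).digest()

    def read(self, n: int) -> bytes:
        """Concatenate blocks until n bytes are available."""
        out = b""
        while len(out) < n:
            out += self.next_block()
        return out[:n]


def derive_key(seed: bytes, length: int = 32) -> bytes:
    """Derive a symmetric key of `length` bytes from a (usually shorter) seed.
    Same seed and same generator always give the same key, so the key need
    not be stored: it can be regenerated from the seed on demand."""
    return SeededGenerator(seed).read(length)


def seed_exposure_recovers_key(seed: bytes, key: bytes) -> bool:
    """Model the risk in the text: whoever holds the seed and the generator
    regenerates the key without ever having seen it."""
    return hmac.compare_digest(derive_key(seed, len(key)), key)


def effective_security_bits(seed: bytes, key: bytes) -> int:
    """The key is only as unpredictable as its seed: a 256-bit key derived
    from a 64-bit seed offers at most 64 bits of security."""
    return min(8 * len(seed), 8 * len(key))


def fresh_random_key(length: int = 32) -> bytes:
    """Contrast: a key drawn from the OS entropy source has no seed to expose,
    but then the key itself must be stored or transmitted."""
    return os.urandom(length)
```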
Therefore, there is a need for a method of generating arbitrary numbers with a pseudo-random number generator in which the seed does not have to be kept secret, yet the output of the generator cannot be reproduced given the seed and the pseudo-random number generator itself.