Pseudo-random number generation method and apparatus

By using a multi-round iterative pseudo-random number generation method and employing a symmetric encryption algorithm to process the seed and the numerical value, the shortcomings of performance and security in existing technologies are solved, achieving high performance and side-channel security.

CN119496609B · Active · Publication Date: 2026-06-30 · ZHEJIANG ANT SECRET TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ZHEJIANG ANT SECRET TECH CO LTD
Filing Date
2024-11-01
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing pseudo-random number generation methods cannot balance performance and security, especially in terms of side-channel security.

Method used

A multi-round iterative pseudo-random number generation method is adopted. The seed and numerical value are processed by a symmetric encryption algorithm to generate pseudo-random numbers. The seed is updated in each round of iteration, and the SM4 algorithm is used for encryption.

Benefits of technology

It achieves high-performance pseudo-random number generation while providing effective protection against side-channel leakage, thus improving security.

✦ Generated by Eureka AI based on patent content.


Abstract

This specification provides a pseudo-random number generation method and apparatus. The method includes: multiple iterations corresponding to the count value of a counter, wherein any t-th iteration includes: obtaining the seed output from the previous round as the current seed; processing the current seed and a first value using a symmetric encryption algorithm to obtain a random number for the current round, wherein the first value is determined based on the current count value of the counter and a preset first constant; processing the current seed and a second value using the symmetric encryption algorithm to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant. It features high performance and side-channel security.

Description

Technical Field

[0001] This specification relates to one or more embodiments in the field of computers, and more particularly to a method and apparatus for generating pseudo-random numbers.

Background Technology

[0002] Secure multi-party computation (MPC) is a cryptographic technique whose core idea is to allow participants to jointly compute a result without revealing their individual inputs, ensuring that each participant's input is protected.

[0003] In privacy-preserving computing scenarios such as MPC, encrypted computation relies on a series of security parameters. For example, a trusted third party can be used to generate the pseudo-random number stream required for the computation in a secure two-party multiplication operation. The security of products based on such algorithms depends on the security of this trusted third party, thus requiring effective security measures. Furthermore, in practical applications, it is desirable to minimize the impact of these measures on computational performance.

[0004] In existing technologies, commonly used methods for generating high-speed pseudo-random numbers cannot simultaneously achieve both performance and security. Some algorithms have comprehensive security designs but lower performance, while others have high performance but lack security considerations for pseudo-random numbers. For example, they do not consider the side-channel security of the pseudo-random number generator.

Summary of the Invention

[0005] This specification describes one or more embodiments of a pseudo-random number generation method and apparatus, which features high performance and side-channel security.

[0006] Firstly, a pseudo-random number generation method is provided, which includes multiple iterations corresponding to the count value of a counter, wherein any t-th iteration includes:

[0007] Obtain the seed output by the previous round as the current seed;

[0008] Using a symmetric encryption algorithm, the current seed and the first value are processed to obtain the random number for this round, wherein the first value is determined based on the current count value of the counter and a preset first constant;

[0009] Using the symmetric encryption algorithm, the current seed and the second value are processed to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant.

[0010] In one possible implementation, the t-th iteration is the first iteration, and the current seed is the initialized seed.

[0011] In one possible implementation, the step of using a symmetric encryption algorithm to process the current seed and the first value to obtain the random number for this round includes:

[0012] Using the current seed as the key and the first value as the plaintext to be encrypted, the plaintext is encrypted using a symmetric encryption algorithm to obtain the first ciphertext.

[0013] The random number for this round is determined based on the first ciphertext.

[0014] In one possible implementation, the first value is determined in the following manner:

[0015] The current count value, which has a first number of bits, and the first constant, which has a second number of bits, are concatenated to obtain the first value, which has the target number of bits.

[0016] Furthermore, each bit of the first constant, which has the second number of bits, is 1.

[0017] In one possible implementation, the step of using the symmetric encryption algorithm to process the current seed and the second value to obtain the seed for this round includes:

[0018] Using the current seed as the key and the second value as the plaintext to be encrypted, the plaintext is encrypted using a symmetric encryption algorithm to obtain the second ciphertext.

[0019] The seed for this round is determined based on the second ciphertext.

[0020] In one possible implementation, the second value is determined in the following manner:

[0021] The current count value, which has the first number of bits, and the second constant, which has the second number of bits, are concatenated to obtain the second value, which has the target number of bits.

[0022] Furthermore, each bit of the second constant, which has the second number of bits, is 0.

[0023] Furthermore, the first number of bits is 120, and the second number of bits is 8.

[0024] Secondly, a pseudo-random number generation device is provided, which is used to perform multiple rounds of iteration corresponding to the count value of a counter, wherein the device includes the following unit for performing any t-th round of iteration:

[0025] The acquisition unit is used to acquire the seed from the previous round's output as the current seed;

[0026] The first processing unit is used to process the current seed and the first value obtained by the acquisition unit using a symmetric encryption algorithm to obtain the random number for this round, wherein the first value is determined based on the current count value of the counter and a preset first constant.

[0027] The second processing unit is used to process the current seed and the second value obtained by the acquisition unit using the symmetric encryption algorithm to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant.

[0028] Thirdly, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of the first aspect.

[0029] Fourthly, a computing device is provided, including a memory and a processor, wherein the memory stores executable code, and the processor executes the executable code to implement the method of the first aspect.

[0030] Using the method and apparatus provided in the embodiments of this specification, in any t-th iteration, the seed output from the previous round is first obtained as the current seed; then, a symmetric encryption algorithm is used to process the current seed and a first value to obtain a random number for this round, wherein the first value is determined based on the current count value of the counter and a preset first constant; finally, the symmetric encryption algorithm is used to process the current seed and a second value to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant. As can be seen from the above, the embodiments of this specification, based on existing symmetric encryption algorithms, can generate the relevant pseudo-random number parameters required for privacy computing with high performance. Simultaneously, side-channel security is considered in the pseudo-random number generation scheme. Even if the underlying symmetric encryption algorithm does not employ side-channel leakage prevention, it can still provide effective protection against side-channel leakage, thereby avoiding the performance and resource losses caused by side-channel leakage prevention implementation, thus achieving both high performance and side-channel security.

Attached Figure Description

[0031] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0032] Figure 1 is a schematic diagram illustrating an implementation scenario of one embodiment disclosed in this specification;

[0033] Figure 2 is a flowchart of a pseudo-random number generation method according to one embodiment;

[0034] Figure 3 illustrates the calculation process for generating pseudo-random numbers according to one embodiment;

[0035] Figure 4 is a schematic block diagram of a pseudo-random number generation apparatus according to one embodiment.

Detailed Implementation

[0036] The solution provided in this specification will now be described with reference to the accompanying drawings.

[0037] Figure 1 is a schematic diagram illustrating an implementation scenario of one embodiment disclosed in this specification. This implementation scenario involves pseudo-random number generation. It is understood that pseudo-random numbers are not truly random. Random numbers play an important role in fields such as computer science and cryptography. In many applications, such as simulation, encryption, and games, high-quality random numbers need to be generated. However, since computers operate based on deterministic algorithms, they cannot truly generate completely random numbers. Therefore, computers use pseudo-random number generators (PRNGs) to simulate randomness and generate approximately random numerical sequences.

[0038] Referring to Figure 1, a pseudo-random number generator is an algorithm that takes an initial value called a seed as input and generates a sequence of numerical values through a series of mathematical operations. This sequence of numerical values can be called a pseudo-random number sequence, which includes multiple pseudo-random numbers. For example, word1 is the first pseudo-random number in the sequence, word2 is the second pseudo-random number, and so on, with wordn being the nth pseudo-random number in the sequence. This sequence exhibits statistically similar characteristics to true random numbers and has a relatively long period. The main goal of a PRNG is to generate numerical sequences that appear random while being able to reproduce the same sequence using the same seed value.

[0039] The seed is the starting point for generating a sequence; the same seed will generate the same sequence of random numbers. Common seeds include the current timestamp, process ID, hardware state, etc. Using a weak seed or the same seed may lead to predictability of the sequence.

[0040] Unlike pseudo-random number generators, true random number generators utilize the randomness of physical processes to generate random numbers. For example, they can measure atmospheric noise, radioactive decay, or noise in electronic devices. The unpredictability of these physical processes ensures that the generated values are truly random.

[0041] Common methods for generating high-speed pseudo-random numbers include DRBG based on AES / SM4, hash-based methods, and stream cipher-based methods. Among these, the DRBG algorithm offers comprehensive security design but has lower performance. Hash-based and stream cipher-based methods offer relatively higher performance but lack protocol-level security considerations for pseudo-random numbers. These pseudo-random number algorithms typically prioritize the security of the randomness of the pseudo-random numbers in their design, without considering the side-channel security of the pseudo-random number generator.

[0042] This specification provides an embodiment of a pseudo-random number generation scheme that offers high performance and side-channel security.

[0043] Figure 2 illustrates a pseudo-random number generation method according to one embodiment, which can be based on the implementation scenario shown in Figure 1. As shown in Figure 2, the pseudo-random number generation method in this embodiment includes multiple rounds of iteration corresponding to the counter's count value. Each t-th iteration includes the following steps: Step 21, obtaining the seed from the previous round's output as the current seed; Step 22, using a symmetric encryption algorithm to process the current seed and a first value to obtain the random number for this round, wherein the first value is determined based on the counter's current count value and a preset first constant; Step 23, using the symmetric encryption algorithm to process the current seed and a second value to obtain the seed for the next round's iteration, wherein the second value is determined based on the current count value and a preset second constant. The specific execution methods of each of the above steps are described below.

[0044] First, in step 21, the seed from the previous round's output is obtained as the current seed. It can be understood that in each iteration, not only are random numbers generated for the current round, but also the seed used in the next round's iteration is generated.

[0045] In the embodiments described in this specification, the seed length can be 128 bits, or 16 bytes.

[0046] For example, you can define two variables as follows to represent the current seed and the counter's count value, respectively.

[0047] “Variable: S ∈ {0,1}^128 // 128-bit (16-byte) internal state

[0048] cnt ∈ {0,1,…,2^120−1} // 120-bit (15-byte) counter”

[0049] As can be seen from the code above, S is the internal state, which represents the current seed, and cnt is the counter, which represents the counter's count value.

[0050] In one example, the t-th iteration is the first iteration, and the current seed is the initial seed.

[0051] For example, initialization can be performed using the following code.

[0052] "Algorithm Init(seed)

[0053] // Initialize the PRG with a 128-bit seed, similar to the C++ standard srand function.

[0054] S ← seed

[0055] cnt ← 0

[0056] "

[0057] As can be seen from the code above, the value of S after initialization is seed, the value of cnt after initialization is 0, and PRG represents a pseudo-random number generation algorithm.

[0058] Then, in step 22, a symmetric encryption algorithm is used to process the current seed and the first value to obtain the random number for this round. The first value is determined based on the current count value of the counter and a preset first constant. It can be understood that in each iteration, the counter's count value increases relative to the previous iteration, and a random number for this round is obtained in each iteration.

[0059] The embodiments in this specification can be implemented based on the symmetric encryption algorithm SM4. The pseudo-random number generation algorithm can be denoted as Algorithm LRPRG-SM4(seed), or simply PRG. It should be noted that SM4 can be replaced with other symmetric encryption algorithms to achieve similar results.

[0060] In one example, the process of using a symmetric encryption algorithm to process the current seed and the first value to obtain the random number for this round includes:

[0061] Using the current seed as the key and the first value as the plaintext to be encrypted, the plaintext is encrypted using a symmetric encryption algorithm to obtain the first ciphertext.

[0062] The random number for this round is determined based on the first ciphertext.

[0063] In this example, the first ciphertext can be used directly as the random number for this round, or the first ciphertext can be processed and then used as the random number for this round.

[0064] In one example, the first value is determined as follows:

[0065] The current count value, which has a first number of bits, and the first constant, which has a second number of bits, are concatenated to obtain the first value, which has the target number of bits.

[0066] Furthermore, each bit of the first constant, which has the second number of bits, is 1.

[0067] Furthermore, the first number of bits is 120, and the second number of bits is 8.

[0068] For example, the following code can be used to obtain the random number for this round.

[0069] “word ← SM4(S, cnt||[1]8) // Generate a 128-bit (16-byte) pseudo-random word using a single SM4 call”

[0070] As can be seen from the above code, S is the current seed, cnt is the current count value, [1]8 is the first constant, and word is the random number for this round.

[0071] Finally, in step 23, the symmetric encryption algorithm is used to process the current seed and the second value to obtain the seed for the next iteration. The second value is determined based on the current count value and a preset second constant. It is understood that in each iteration, the counter's count increases relative to the previous iteration, and a seed is obtained in each iteration.

[0072] In one example, the process of using the symmetric encryption algorithm to process the current seed and the second value to obtain the seed for this round includes:

[0073] Using the current seed as the key and the second value as the plaintext to be encrypted, the plaintext is encrypted using a symmetric encryption algorithm to obtain the second ciphertext.

[0074] The seed for this round is determined based on the second ciphertext.

[0075] In this example, the second ciphertext can be used directly as the seed for this round, or the second ciphertext can be processed and then used as the seed for this round.

[0076] In one example, the second value is determined as follows:

[0077] The current count value, which has the first number of bits, and the second constant, which has the second number of bits, are concatenated to obtain the second value, which has the target number of bits.

[0078] Furthermore, each bit of the second constant, which has the second number of bits, is 0.

[0079] Furthermore, the first number of bits is 120, and the second number of bits is 8.

[0080] For example, the seed for this round can be obtained using the following code.

[0081] “S ← SM4(S, cnt||[0]8) // Update state using SM4”

[0082] As can be seen from the above code, the input S of SM4 is the current seed, cnt is the current count value, [0]8 is the second constant, and the output S of SM4 is the seed of this round.

[0083] Figure 3 is a schematic diagram illustrating the computational process for pseudo-random number generation according to one embodiment. Referring to Figure 3, the calculation process includes four iterations, including the first iteration. Here, `seed` is the initial seed; the two SM4 operations in the first column correspond to the first iteration, the two in the second column to the second iteration, the two in the third column to the third iteration, and the two in the fourth column to the fourth iteration. The output of the SM4 operation in the first row of each column is the seed for the current iteration, used for the next iteration, and the output of the SM4 operation in the second row is the random number for the current iteration. For example, [0]120 represents the current count value 0 with a bit length of 120 bits, [0]8 is the second constant, [1]8 is the first constant, and word1 is the random number obtained in this round when the current count value is 0; [1]120 represents the current count value 1 with a bit length of 120 bits, [0]8 is the second constant, [1]8 is the first constant, and word2 is the random number obtained in this round when the current count value is 1; [2]120 represents the current count value 2 with a bit length of 120 bits, [0]8 is the second constant, [1]8 is the first constant, and word3 is the random number obtained in this round when the current count value is 2; [3]120 represents the current count value 3 with a bit length of 120 bits, [0]8 is the second constant, [1]8 is the first constant, and word4 is the random number obtained in this round when the current count value is 3.

[0084] For example, each iteration can be implemented using the following code.

[0085]

[0086] As can be seen from the code above, the SM4 algorithm is used twice in each iteration. Once is used to generate word, which is the random number of this round, also known as pseudo-random word, and the other is used to generate S, which is the seed of this round. After generating the random data and seed of this round, the counter value also needs to be updated.
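The round described above, written out in Go as an added example; it is not the patent's own listing. Assumptions: AES-128 from the Go standard library stands in for SM4 (the description allows another symmetric cipher with the same 128-bit key and block), the counter is encoded big-endian, both ciphertexts are used directly, and every name other than Init and NextWord is hypothetical. MaxBlocksPerKey instruments the cipher to show that no seed is ever used as a key for more than two block encryptions.

```go
package main

import (
	"crypto/aes"
	"errors"
	"fmt"
)

// firstConst: 8 bits, each bit 1 (output). secondConst: 8 bits, each bit 0 (seed update).
const firstConst, secondConst = 0xFF, 0x00

// Block is one 128-bit value: a seed/key, a plaintext or a ciphertext.
type Block = [16]byte

type BlockEnc func(key, plaintext Block) Block // one-block encryption under one key

var ErrExhausted = errors.New("lrprg: 120-bit counter exhausted, re-initialize with a fresh seed")

// aesEnc is the stand-in cipher for this example (assumption): AES-128 in place of SM4.
func aesEnc(key, pt Block) Block {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	var ct Block
	c.Encrypt(ct[:], pt[:])
	return ct
}

// LRPRG holds the internal state S and the counter cnt.
type LRPRG struct {
	s         Block
	cnt       [15]byte // 120-bit counter, big-endian (byte order is an assumption)
	enc       BlockEnc
	exhausted bool
}

// Init sets S <- seed and cnt <- 0.
func Init(seed Block, enc BlockEnc) *LRPRG {
	return &LRPRG{s: seed, enc: enc}
}

// input builds the 128-bit plaintext cnt || c.
func (g *LRPRG) input(c byte) Block {
	var in Block
	copy(in[:15], g.cnt[:])
	in[15] = c
	return in
}

// NextWord runs one round: two encryptions under the current seed, then cnt+1.
func (g *LRPRG) NextWord() (Block, error) {
	if g.exhausted {
		return Block{}, ErrExhausted
	}
	key := g.s
	word := g.enc(key, g.input(firstConst)) // word <- E(S, cnt || [1]8)
	g.s = g.enc(key, g.input(secondConst))  // S    <- E(S, cnt || [0]8)
	i := len(g.cnt) - 1
	for ; i >= 0; i-- { // cnt <- cnt + 1, propagating the carry
		g.cnt[i]++
		if g.cnt[i] != 0 {
			break
		}
	}
	g.exhausted = i < 0 // wrapped past 2^120 - 1: never reuse a counter value
	return word, nil
}

// MaxBlocksPerKey runs the generator through a counting wrapper and returns
// the largest number of blocks that any single key encrypted.
func MaxBlocksPerKey(seed Block, rounds int) int {
	uses := make(map[Block]int)
	counting := func(key, pt Block) Block {
		uses[key]++
		return aesEnc(key, pt)
	}
	g := Init(seed, counting)
	for r := 0; r < rounds; r++ {
		_, _ = g.NextWord()
	}
	most := 0
	for _, n := range uses {
		if n > most {
			most = n
		}
	}
	return most
}

func main() {
	seed := Block{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15} // constructed sample, not a secure seed
	g := Init(seed, aesEnc)
	for r := 1; r <= 4; r++ {
		w, _ := g.NextWord()
		fmt.Printf("word%d = %x\n", r, w)
	}
	fmt.Println("max blocks encrypted under one key:", MaxBlocksPerKey(seed, 1000))
}
```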

[0087] In the embodiments of this specification, regarding its security in a leak-free environment, assuming the attacker's computational complexity is T and the number of extracted pseudo-random words is D, then, based on existing conclusions, the probability of an attacker successfully cracking the pseudo-randomness of the extracted words is no higher than...

[0088]

[0089] This indicates that the generator can generate approximately 2^121 128-bit (16-byte) pseudo-random words and can withstand attacks with a computational load of no more than 2^121.

[0090] The following is a proof of the leakage resistance of the aforementioned algorithm LRPRG-SM4:

[0091] Based on existing conclusions, it can be proven that if the attacker's computational complexity is T and the number of extracted pseudo-random words is D, then the attacker's success rate in cracking the pseudo-randomness of the extracted words is no higher than [a certain percentage].

[0092]

[0093] The proof is as follows: First, replace SM4 with the ideal cipher E: {0,1}^n × {0,1}^n → {0,1}^n to obtain the idealized model LRPRG-E, where the block length and key length are replaced by the general parameter n.

[0094] Introducing stream ciphers based on ideal cryptography The algorithm for the completely random stream cipher IStream is described as follows:

[0095] “Algorithm (D)

[0096] For i = 1, …, D do

[0097] y_i ← E(k_{i-1}, [i-1]_{n-8} ∥ [1]8), k_i ← E(k_{i-1}, [i-1]_{n-8} ∥ [0]8)

[0098] Side channel leakage is generated as

[0099] EndFor

[0100] Return (y_1, …, y_D)”

[0101] The above algorithm describes stream ciphers. Side-channel leakage that occurs during the calculation process.

[0102] “Algorithm IStream(D):

[0103] B ←$ {0,1}^κ

[0104] S′_0 ← B || IV, S_1 ←$ {0,1}^b Side-channel leakage occurs as follows:

[0105] For i = 1, …, D do

[0106] y_i ←$ {0,1}^n, k_i ←$ {0,1}^n

[0107] Side channel leakage is generated as

[0108] EndFor

[0109] Return (y_1, …, y_D)”

[0110] The algorithm described above describes the side-channel leakage that occurs during the computation of the stream cipher IStream.

[0111] As can be seen from the algorithm above, a single call The output key stream (y1,…,y D The corresponding side-channel leakage is precisely the D pseudo-random outputs and observable side-channel leakage that can be obtained after performing D NextWord calls on LRPRG-E, while the output (y1,…,y) obtained by calling IStream(D) is... D ) is a truly random number. Therefore, The difference from IStream demonstrates the security of LRPRG-π. This can be proven by demonstrating that if an attacker queries the ideal cipher E a number of times, T, then the attacker's ability to target... The upper bound of the distinguishing advantage over IStream is

[0112]

[0113] Therefore, the probability of an attacker of equal complexity successfully attacking the idealized scheme LRPRG-E is also...

[0114]

[0115] When attacking the idealized scheme LRPRG-E, the number of queries T to the ideal cipher E actually reflects the attacker's offline computational complexity. Finally, the actual parameter of LRPRG-SM4 is n = 128. Substituting this into the equation, we obtain the claimed security boundary. The LRPRG-SM4's leakage-resistant security boundary is inferior to the corresponding leakage-free security boundary, but this security loss is unavoidable because side-channel leakage enhances the attacker's capabilities.

[0116] The method provided in the embodiments of this specification, in any t-th iteration, firstly, obtains the seed from the previous round as the current seed; then, uses a symmetric encryption algorithm to process the current seed and a first value to obtain the random number for this round, wherein the first value is determined based on the current count value of the counter and a preset first constant; finally, uses the symmetric encryption algorithm to process the current seed and a second value to obtain the seed for the next round, wherein the second value is determined based on the current count value and a preset second constant. As can be seen from the above, the embodiments of this specification, based on existing symmetric encryption algorithms, can generate the relevant pseudo-random number parameters required for privacy computing with high performance. Simultaneously, the pseudo-random number generation scheme considers side-channel security; even if the underlying symmetric encryption algorithm does not employ side-channel leakage prevention, it can still provide effective protection against side-channel leakage, thereby avoiding the performance and resource losses caused by side-channel leakage prevention implementation, thus achieving both high performance and side-channel security.

[0117] According to another embodiment, a pseudo-random number generation apparatus is also provided for performing the methods provided in the embodiments of this specification. Figure 4 shows a schematic block diagram of a pseudo-random number generation apparatus according to one embodiment. As shown in Figure 4, the device 400 is used to perform multiple iterations corresponding to the count value of a counter, and includes the following units for performing any t-th iteration:

[0118] Acquisition unit 41 is used to acquire the seed of the previous round as the current seed;

[0119] The first processing unit 42 is used to process the current seed and the first value obtained by the acquisition unit 41 using a symmetric encryption algorithm to obtain the random number of this round, wherein the first value is determined according to the current count value of the counter and a preset first constant.

[0120] The second processing unit 43 is used to process the current seed and the second value obtained by the acquisition unit 41 using the symmetric encryption algorithm to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant.

[0121] Optionally, as an example, the t-th iteration is the first iteration, and the current seed is the initialized seed.

[0122] Optionally, as an embodiment, the first processing unit 42 includes:

[0123] The first encryption subunit is used to use the current seed as the key, the first value as the plaintext to be encrypted, and to encrypt the plaintext using a symmetric encryption algorithm to obtain the first ciphertext.

[0124] The first determining subunit is used to determine the random number for this round based on the first ciphertext obtained from the first encryption subunit.

[0125] Optionally, as an embodiment, the first value is determined in the following manner:

[0126] The current count value, which has a first number of bits, and the first constant, which has a second number of bits, are concatenated to obtain the first value, which has the target number of bits.

[0127] Furthermore, each bit of the first constant, which has the second number of bits, is 1.

[0128] Optionally, as one embodiment, the second processing unit 43 includes:

[0129] The second encryption subunit is used to use the current seed as the key, the second value as the plaintext to be encrypted, and to encrypt the plaintext using a symmetric encryption algorithm to obtain the second ciphertext.

[0130] The second determining subunit is used to determine the seed for this round based on the second ciphertext obtained from the second encryption subunit.

[0131] Optionally, as an embodiment, the second value is determined in the following manner:

[0132] The current count value, which has the first number of bits, and the second constant, which has the second number of bits, are concatenated to obtain the second value, which has the target number of bits.

[0133] Furthermore, each bit of the second constant, which has the second number of bits, is 0.

[0134] Furthermore, the first number of bits is 120, and the second number of bits is 8.

[0135] In the apparatus provided in the embodiments of this specification, in any t-th iteration, the acquisition unit 41 first acquires the seed output from the previous round as the current seed; then, the first processing unit 42 uses a symmetric encryption algorithm to process the current seed and a first value to obtain the random number for this round, wherein the first value is determined based on the current count value of the counter and a preset first constant; finally, the second processing unit 43 uses the symmetric encryption algorithm to process the current seed and the second value to obtain the seed for the next round of iteration, wherein the second value is determined based on the current count value and a preset second constant. As can be seen from the above, the embodiments of this specification, based on existing symmetric encryption algorithms, can generate the relevant pseudo-random number parameters required for privacy computing with high performance. Simultaneously, side-channel security is considered in the pseudo-random number generation scheme. Even if the underlying symmetric encryption algorithm does not employ side-channel leakage prevention, it can still provide effective protection against side-channel leakage, thereby avoiding the performance and resource losses caused by the implementation of side-channel leakage prevention, thus possessing both high performance and side-channel security.

[0136] According to another embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed in a computer, causes the computer to perform the method described in conjunction with Figure 2.

[0137] According to another embodiment, a computing device is also provided, including a memory and a processor, wherein the memory stores executable code, and when the processor executes the executable code, it implements the method described in conjunction with Figure 2.

[0138] Those skilled in the art will recognize that, in one or more of the examples above, the functions described in this invention can be implemented using hardware, software, firmware, or any combination thereof. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

[0139] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method of pseudo-random number generation, the method comprising a plurality of rounds of iterations corresponding to a count value of a counter, wherein any t-th round of iteration includes: obtaining the seed output by the previous round as the current seed; using the current seed as the key and a first value as the plaintext to be encrypted, encrypting the plaintext using a symmetric encryption algorithm to obtain a first ciphertext, and determining the random number for this round based on the first ciphertext, wherein the first value is determined according to the current count value of the counter and a preset first constant; and using the current seed as the key and a second value as the plaintext to be encrypted, encrypting the plaintext using the symmetric encryption algorithm to obtain a second ciphertext, and determining, based on the second ciphertext, the seed output by this round for use in the next round of iteration, wherein the second value is determined according to the current count value and a preset second constant.

2. The method of claim 1, wherein the t-th iteration is the first iteration, and the current seed is the initialized seed.

3. The method of claim 1, wherein the first value is determined in the following way: the current count value of a first bit length and the first constant of a second bit length are concatenated to obtain the first value of a target bit length.

4. The method of claim 3, wherein each bit of the first constant of the second bit length is 1.

5. The method of claim 1, wherein the second value is determined in the following way: the current count value of a first bit length and the second constant of a second bit length are concatenated to obtain the second value of a target bit length.

6. The method of claim 5, wherein each bit of the second constant of the second bit length is 0.

7. The method of claim 3 or 5, wherein the first bit length is 120 bits, and the second bit length is 8 bits.

8. A pseudo-random number generation apparatus, the apparatus being configured to perform a plurality of rounds of iterations corresponding to a count value of a counter, wherein the apparatus includes the following units for performing any t-th round of iteration: an acquisition unit, used to acquire the seed output by the previous round as the current seed; a first processing unit, used to take the current seed as the key and a first value as the plaintext to be encrypted, encrypt the plaintext using a symmetric encryption algorithm to obtain a first ciphertext, and determine the random number for this round based on the first ciphertext, wherein the first value is determined according to the current count value of the counter and a preset first constant; and a second processing unit, used to take the current seed as the key and a second value as the plaintext to be encrypted, encrypt the plaintext using the symmetric encryption algorithm to obtain a second ciphertext, and determine, based on the second ciphertext, the seed output by this round for use in the next round of iteration, wherein the second value is determined according to the current count value and a preset second constant.

9. A computer-readable storage medium having a computer program stored thereon, which, when executed in a computer, causes the computer to perform the method of any one of claims 1-7.

10. A computing device comprising a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method of any one of claims 1-7.
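The iteration of claims 1 to 7 written out as code, as an added example that is not taken from the patent: every round encrypts two values under the current seed, one for the round's random number and one for the next seed. Assumptions: a 4-round Feistel permutation over HMAC-SHA256 (`standin_encrypt`, a hypothetical name) stands in for SM4 with the same 128-bit key and block sizes, the count value is big-endian and starts at 1, and each ciphertext is used directly as the random number or the next seed.

```python
import hashlib
import hmac

BLOCK = 16              # 128-bit key and block, the sizes SM4 uses
COUNT_BYTES = 15        # 120-bit count value (claim 7)
FIRST_CONST = b"\xff"   # 8 bits, all ones (claim 4)
SECOND_CONST = b"\x00"  # 8 bits, all zeros (claim 6)


def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for SM4 (assumption): 4-round Feistel permutation, HMAC-SHA256 round function."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def make_value(count: int, const: bytes) -> bytes:
    """Concatenate the 120-bit count value with an 8-bit constant (claims 3, 5, 7)."""
    if not 0 <= count < 1 << (8 * COUNT_BYTES):
        raise ValueError("count value does not fit in 120 bits")
    return count.to_bytes(COUNT_BYTES, "big") + const  # byte order is an assumption


def prng_round(seed: bytes, count: int, encrypt=standin_encrypt):
    """One iteration: returns (random number for this round, seed for the next round)."""
    if len(seed) != BLOCK:
        raise ValueError("seed must be 16 bytes")
    random_block = encrypt(seed, make_value(count, FIRST_CONST))
    next_seed = encrypt(seed, make_value(count, SECOND_CONST))
    return random_block, next_seed


def generate(init_seed: bytes, rounds: int, encrypt=standin_encrypt) -> list:
    """Run `rounds` iterations from the initialized seed; count starts at 1 (assumption)."""
    seed, out = init_seed, []
    for count in range(1, rounds + 1):
        block, seed = prng_round(seed, count, encrypt)
        out.append(block)
    return out
```

Because the seed is replaced in every round, each key value encrypts exactly two blocks, which can be confirmed by passing a recording wrapper as `encrypt`.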