A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) can be used to create random numbers for nonces, one-time pads, key generation and salts in signature schemes such as ECDSA. A CSPRNG can also be used to increase the available entropy over more bits than the source can provide.

A CSPRNG is designed to prevent reverse engineering, and it must be able to resist cryptanalysis and pass statistical randomness tests to differentiate itself from a basic Pseudo-Random Number Generator. A secure block cipher can be converted into a CSPRNG by running it in counter mode. This is done by choosing a random key and encrypting a number (n), then n+1, n+2, and so on, creating an output block that is always unique.

PHP7 introduces two new CSPRNG functions. random_bytes() generates cryptographically secure pseudo-random bytes, and random_int() generates cryptographically secure pseudo-random integers.