Linux-style kernel PRNGs and the FIPS140-2 test
Arnold G. Reinhold
reinhold at world.std.com
Wed Jan 16 11:49:35 EST 2002
At 7:10 PM -0500 1/15/02, Adam Fields wrote:
>"Arnold G. Reinhold" says:
>> This result would seem to raise questions about SHA1 and MD5 as much
>> as about the quality of /dev/random and /dev/urandom. Naively, it
>> should be difficult to create input to these hash functions that
>> cause their output to fail any statistical test.
>
>I would think that this would only be relevant if there was a
>correlation between inputs and outputs. Lack of entropic skew across
>the bits of the output shouldn't give any clues to the specific input,
>unless the outputs are clumping across the output
>space. Theoretically, the hash functions ought to be able to output
>every bit string in the output space, so you'd realistically expect a
>fair number of runs.
>
>You're right - it should be difficult to create inputs to the hash
>functions that cause their output to fail a distribution test, but
>doing so casts doubt on the randomness of the inputs, not the
>distribution space of the hash.
...
Quite the opposite. The only thing you should be able to determine
from the output of a good hash is whether two input strings are
identical. You pretty much acknowledge that in your first paragraph.
You shouldn't be able to tell the difference between a random string
and the sequence n || n+1 || n+2 || ... . Even a mediocre hash should
make it impossible to distinguish between a good random input string
and a not-so-good one. That is one of the criticisms of the Pentium
RNG: the whitening hardware prevents one from analyzing the
underlying randomness of the generator hardware. Any statistical
irregularities in the output of a hash like SHA1 or MD5 are far more
likely to be an artifact of the hash algorithm rather than some
regularity in the input.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
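The claim above, that hashing a structured sequence such as n || n+1 || n+2 || ... should give output no statistical test can tell from random, can be checked directly with the FIPS 140-2 power-up tests the subject line refers to. The following is an added example, not part of Reinhold's post or of the list thread: it implements the four FIPS 140-2 tests (monobit, poker, runs, long run) on a 20,000-bit sample and runs them on a raw 32-bit counter stream and on SHA-1 of that same counter, block by block. The 32-bit big-endian counter layout, the per-block hashing, and the 32-bit start value are this example's own choices; the pass intervals are the ones printed in the 2001 FIPS 140-2 text (later change notices revised them), so treat the exact constants as an assumption to check against the edition you care about.

```python
"""Added example, not from the original post: FIPS 140-2 statistical tests on
20,000 bits, applied to a raw counter and to SHA-1 of the same counter.
Thresholds are the 2001 FIPS 140-2 values (assumption: later change notices
revised them); counter layout and block hashing are this example's choices."""
import hashlib
import struct

SAMPLE_BITS = 20_000  # FIPS 140-2 tests operate on a single 20,000-bit block


def to_bits(data: bytes) -> list:
    """Expand bytes into a list of 0/1 ints, most significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def fips140_2(bits: list) -> dict:
    """Run the four FIPS 140-2 tests; return {test_name: passed}."""
    assert len(bits) == SAMPLE_BITS
    results = {}

    # Monobit: number of ones must satisfy 9725 < X < 10275.
    ones = sum(bits)
    results["monobit"] = 9725 < ones < 10275

    # Poker: 5000 4-bit nibbles; X = (16/5000) * sum f(i)^2 - 5000,
    # pass if 2.16 < X < 46.17 (a chi-square statistic with 15 degrees of freedom).
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        nibble = bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]
        counts[nibble] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    results["poker"] = 2.16 < x < 46.17

    # Runs: count maximal runs of 0s and of 1s separately by length,
    # pooling lengths of 6 or more; each count must lie in its interval.
    run_counts = {0: [0] * 7, 1: [0] * 7}  # indices 1..6 are used
    longest = 0
    run_bit, run_len = bits[0], 0
    for b in bits:
        if b == run_bit:
            run_len += 1
        else:
            run_counts[run_bit][min(run_len, 6)] += 1
            longest = max(longest, run_len)
            run_bit, run_len = b, 1
    run_counts[run_bit][min(run_len, 6)] += 1
    longest = max(longest, run_len)
    intervals = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                 4: (240, 384), 5: (103, 209), 6: (103, 209)}
    results["runs"] = all(lo <= run_counts[v][length] <= hi
                          for v in (0, 1)
                          for length, (lo, hi) in intervals.items())

    # Long run: fail if any run of identical bits reaches length 26.
    results["long_run"] = longest < 26
    return results


def counter_stream(start: int, nbits: int) -> bytes:
    """Raw sequence n || n+1 || n+2 || ... as 32-bit big-endian words
    (layout is this example's assumption)."""
    return b"".join(struct.pack(">I", start + i) for i in range(nbits // 32))


def hashed_counter_stream(start: int, nbits: int) -> bytes:
    """SHA-1(n) || SHA-1(n+1) || ...: the hash of a structured, low-entropy input."""
    return b"".join(hashlib.sha1(struct.pack(">I", start + i)).digest()
                    for i in range(nbits // 160))


def compare(start: int = 0) -> dict:
    """Run the tests on both streams and return the per-test verdicts."""
    raw = fips140_2(to_bits(counter_stream(start, SAMPLE_BITS)))
    hashed = fips140_2(to_bits(hashed_counter_stream(start, SAMPLE_BITS)))
    return {"raw_counter": raw, "sha1_of_counter": hashed}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, {k: ("pass" if v else "FAIL") for k, v in verdicts.items()})
```

The raw counter fails immediately (the leading zero bits of small counter values wreck both the monobit count and the long-run test), while the hashed counter passes all four tests even though its input carries almost no entropy. That is exactly the point being made: a pass on these tests says the hash is doing its job, not that the material fed into it was random, and a failure on the hashed output would point at the hash rather than at the input.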