Linux-style kernel PRNGs and the FIPS140-2 test

Arnold G. Reinhold reinhold at world.std.com
Wed Jan 16 11:49:35 EST 2002


At 7:10 PM -0500 1/15/02, Adam Fields wrote:
>"Arnold G. Reinhold" says:
>> This result would seem to raise questions about SHA1 and MD5 as much
>> as about the quality of /dev/random and /dev/urandom.  Naively, it
>> should be difficult to create input to these hash functions that
>> cause their output to fail any statistical test.
>
>I would think that this would only be relevant if there was a
>correlation between inputs and outputs. Lack of entropic skew across
>the bits of the output shouldn't give any clues to the specific input,
>unless the outputs are clumping across the output
>space. Theoretically, the hash functions ought to be able to output
>every bit string in the output space, so you'd realistically expect a
>fair number of runs.
>
>You're right - it should be difficult to create inputs to the hash
>functions that cause their output to fail a distribution test, but
>doing so casts doubt on the randomness of the inputs, not the
>distribution space of the hash.
...

Quite the opposite. The only thing you should be able to determine
from the output of a good hash is whether two input strings are
identical.  You pretty much acknowledge that in your first paragraph.
You shouldn't be able to tell the difference between a random string
and the sequence n || n+1 || n+2 || ... . Even a mediocre hash should
make it impossible to distinguish between a good random input string
and a not-so-good one.  That is one of the criticisms of the Pentium
RNG: the whitening hardware prevents one from analyzing the
underlying randomness of the generator hardware.  Any statistical
irregularities in the output of a hash like SHA1 or MD5 are far more
likely to be an artifact of the hash algorithm rather than some
regularity in the input.

Arnold Reinhold
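
The claim above, that hashing even the sequence n || n+1 || n+2 || ... should yield output no statistical test can tell from random, can be checked directly. The following is an added example, not code from the original post or from any kernel: it implements the four FIPS 140-2 statistical tests (monobit, poker, runs, long run, each over a 20,000-bit sample, with the acceptance intervals as published in FIPS 140-2) and applies them to the raw counter sequence and to its SHA-1 image. The 8-byte big-endian encoding of the counter and the choice of SHA-1 (the post names SHA1 and MD5) are assumptions made here. The raw counter, being mostly zero bits, fails monobit and long-run outright; the hashed stream passes all four, which is exactly why passing these tests says nothing about the entropy of the input.

```python
"""FIPS 140-2 statistical tests applied to a counter sequence and its SHA-1 image.
Added example; not part of the original mailing-list post."""
import hashlib
import struct

N_BITS = 20_000            # FIPS 140-2 tests operate on a 20,000-bit sample
N_BYTES = N_BITS // 8

# Acceptance intervals from FIPS 140-2, section 4.9.1: monobit and poker
# bounds are exclusive, run-length bounds inclusive, and any run of 26 or
# more identical bits fails the long-run test.
MONOBIT_RANGE = (9725, 10275)
POKER_RANGE = (2.16, 46.17)
RUN_RANGES = [(2315, 2685), (1114, 1386), (527, 723),
              (240, 384), (103, 209), (103, 209)]   # run lengths 1..5, and 6+
LONG_RUN = 26


def counter_stream(n_bytes, start=0):
    """n || n+1 || n+2 || ... as 8-byte big-endian words (assumed encoding)."""
    out, n = bytearray(), start
    while len(out) < n_bytes:
        out += struct.pack(">Q", n)
        n += 1
    return bytes(out[:n_bytes])


def hashed_counter_stream(n_bytes, start=0, algo="sha1"):
    """H(n) || H(n+1) || ... : the same counter words, each run through a hash."""
    out, n = bytearray(), start
    while len(out) < n_bytes:
        out += hashlib.new(algo, struct.pack(">Q", n)).digest()
        n += 1
    return bytes(out[:n_bytes])


def to_bits(data, n_bits=N_BITS):
    """First n_bits of data as a list of 0/1 ints, most significant bit first."""
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) < n_bits:
        raise ValueError("need at least %d bits" % n_bits)
    return bits[:n_bits]


def monobit(bits):
    """Number of ones in the sample."""
    return sum(bits)


def poker(bits):
    """Chi-square style statistic over the 5,000 four-bit nibbles of the sample."""
    k = len(bits) // 4
    counts = [0] * 16
    for i in range(0, k * 4, 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    return (16.0 / k) * sum(c * c for c in counts) - k


def runs(bits):
    """Count maximal runs of 0s and of 1s by length (1..5, and 6 or more).
    Returns (zero_run_counts, one_run_counts, longest_run)."""
    counts = {0: [0] * 6, 1: [0] * 6}
    longest, i = 0, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        counts[bits[i]][min(length, 6) - 1] += 1
        i = j
    return counts[0], counts[1], longest


def fips140_2(data):
    """Run the four FIPS 140-2 tests on the first 20,000 bits of data."""
    bits = to_bits(data)
    zero_runs, one_runs, longest = runs(bits)
    x, p = monobit(bits), poker(bits)
    return {
        "monobit": MONOBIT_RANGE[0] < x < MONOBIT_RANGE[1],
        "poker": POKER_RANGE[0] < p < POKER_RANGE[1],
        "runs": all(lo <= c <= hi
                    for cs in (zero_runs, one_runs)
                    for c, (lo, hi) in zip(cs, RUN_RANGES)),
        "long_run": longest < LONG_RUN,
    }


def compare(n_bytes=N_BYTES):
    """Raw counter sequence versus its SHA-1 image under the same tests."""
    return {"raw_counter": fips140_2(counter_stream(n_bytes)),
            "sha1_of_counter": fips140_2(hashed_counter_stream(n_bytes))}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Run it as a script to see both result dictionaries. The practical reading is the one the post makes: a pass from this battery is a necessary condition for a /dev/random output stream, not evidence that the entropy pool behind it was ever unpredictable, since a hashed counter passes just as well.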



---------------------------------------------------------------------
The Cryptography Mailing List