[Cryptography] Dieharder & symmetric cryptosystems
james hughes
hughejp at me.com
Thu Jan 16 17:37:05 EST 2020
OFB with a plaintext of 0s is a permutation, not a random permutation. It will cycle, usually around 2^{n-1} where the n is the block size. The cycle could (improbably) be as short as 1 block.
So OFB is not usable as an RNG.
CTR mode is better (but still not random, since values do not repeat).
Hash is better.
> On Jan 16, 2020, at 9:05 AM, Michel Arboi <michel.arboi at gmail.com> wrote:
>
> In May 2019, I noticed strange results of the Dieharder statistical test suite with Linux /dev/urandom
> Very often, dieharder reported inconclusive "WEAK" results on some tests, even when running "dieharder -a -g 501 -k 2 -Y 1", which looks suspicious (-Y 1 = "resolve ambiguity" mode)
> (WEAK is inconclusive, FAIL reports a real weakness. See the thread "Dieharder & /dev/urandom" on this ML, starting from 2019-05-14)
>
> A totally predictable PRNG which just hashes (SHA1) a counter with a constant string passes all Dieharder tests with flying colours. I expected a cryptographic PRNG to exhibit the same behaviour.
>
> Now, I noticed that AES_OFB produces the same suspicious results. Once again, I cannot explain this. As far as I know, AES_OFB should be totally unpredictable and immune from any statistical weaknesses. I do not get any FAIL, but I don't understand why Dieharder reports so many inconclusive results.
>
> $ dieharder -a -g 205 -k 2 -Y 1
> #=============================================================================#
> # dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
> #=============================================================================#
> rng_name |rands/second| Seed |
> AES_OFB| 2.45e+07 |3424392396|
> #=============================================================================#
> test_name |ntup| tsamples |psamples| p-value |Assessment
> #=============================================================================#
> diehard_birthdays| 0| 100| 100|0.55850015| PASSED
> [snip]
> diehard_2dsphere| 2| 8000| 100|0.31695338| PASSED
> diehard_3dsphere| 3| 4000| 100|0.72645403| PASSED
> diehard_squeeze| 0| 100000| 100|0.99526250| WEAK
> diehard_squeeze| 0| 100000| 200|0.75277078| PASSED
> [snip]
> rgb_lagged_sum| 2| 1000000| 100|0.97574458| PASSED
> rgb_lagged_sum| 3| 1000000| 100|0.99541232| WEAK
> rgb_lagged_sum| 3| 1000000| 200|0.87608184| PASSED
> [snip]
> dab_monobit2| 12| 65000000| 1|0.58649430| PASSED
> $
>
> I am looking for any kind of explanation. Is there a bug in Dieharder? Did I over-estimate the importance of WEAK results? Is OFB_AES known to be slightly biased?
>
> --
> Michel Arboi
> PGP key ID : 0x85A1C6A1 - 0x05054F8485A1C6A1
> Fingerprint: 1DC3 8857 B930 0B6B 9420 5D56 0505 4F84 85A1 C6A1
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
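A small model of the structural point in James's reply, added here and not part of either message: OFB iterates a permutation, so its keystream returns to its starting block after about 2^{n-1} steps, while CTR applies the permutation to distinct counters and so never repeats within 2^n blocks (a true random source would show birthday collisions). A seeded random permutation on a constructed 16-bit block stands in for the block cipher; it is not AES and not dieharder code.

```python
"""Toy model of OFB vs CTR keystream structure on a 16-bit block.
A seeded random permutation plays the role of E_K (constructed stand-in)."""
import random

BLOCK_BITS = 16            # toy block size n; AES has n = 128
N = 1 << BLOCK_BITS

def toy_block_cipher(key: int) -> list:
    """Keyed random permutation of [0, N): the stand-in for E_K."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table

def ofb_cycle_length(perm: list, iv: int) -> int:
    """OFB with all-zero plaintext emits E(iv), E(E(iv)), ...
    A permutation has no tails, so the walk from iv comes back to iv;
    the step count is the period of that keystream."""
    x, steps = perm[iv], 1
    while x != iv:
        x = perm[x]
        steps += 1
    return steps

def ctr_keystream(perm: list, nonce: int, blocks: int) -> list:
    """CTR emits E(nonce), E(nonce+1), ...: distinct inputs give distinct outputs."""
    return [perm[(nonce + i) % N] for i in range(blocks)]

def repeats(values: list) -> int:
    """Number of outputs that repeat an earlier one."""
    return len(values) - len(set(values))

def random_source_repeats(seed: int, draws: int) -> int:
    """Repeats in `draws` uniform samples: about draws^2 / (2N) expected."""
    rng = random.Random(seed)
    return repeats([rng.randrange(N) for _ in range(draws)])

def average_ofb_period(key: int, trials: int) -> float:
    """Mean OFB period over random IVs; for a random permutation the
    expectation is (N+1)/2, i.e. about 2^(n-1) as the reply states."""
    perm = toy_block_cipher(key)
    rng = random.Random(key ^ 0x5A5A)
    return sum(ofb_cycle_length(perm, rng.randrange(N)) for _ in range(trials)) / trials

if __name__ == "__main__":
    perm = toy_block_cipher(key=1234)
    print("mean OFB period over 50 IVs:", average_ofb_period(1234, 50), "expect ~", N // 2)
    print("CTR repeats in 1000 blocks:", repeats(ctr_keystream(perm, 7, 1000)))
    print("random-source repeats in 1000 draws:", random_source_repeats(99, 1000))
```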