[Cryptography] Dieharder & symmetric cryptosystems

james hughes hughejp at me.com
Thu Jan 16 17:37:05 EST 2020


OFB with a plaintext of 0s is a permutation, not a random permutation. It will cycle, usually around 2^{n-1} where the n is the block size. The cycle could (improbably) be as short as 1 block. 

So OFB is not usable as an RNG. 

CTR mode is better, (but still not random since values do not repeat)

Hash is better. 



> On Jan 16, 2020, at 9:05 AM, Michel Arboi <michel.arboi at gmail.com> wrote:
> 
> In May 2019, I noticed strange results of the Dieharder statistical test suite with Linux /dev/urandom 
> Very often, dieharder reported inconclusive "WEAK" results on some tests, even when running "dieharder -a -g 501 -k 2 -Y 1", which looks suspicious (-Y 1 = "resolve ambiguity" mode)
> (WEAK is inconclusive, FAIL reports a real weakness.See the thread "Dieharder & /dev/urandom" on this ML, starting from 2019-05-14)
> 
> A totally predictable PRNG which just hashes (SHA1) a counter with a constant string passes all Dieharder tests with flying colours. I expected a cryptographic PRNG to exhibit the same behaviour.
> 
> Now, I noticed that AES_OFB produces the same suspicious results. Once again, I cannot explain this. As far as I know, AES_OFB should be totally unpredictable and immune from any statistical weaknesses. I do not get any FAIL, but I don't understand why Dieharder reports so many inconclusive results.
> 
> $  dieharder -a -g 205 -k 2 -Y 1
> #=============================================================================#
> #            dieharder version 3.31.1 Copyright 2003 Robert G. Brown          #
> #=============================================================================#
>    rng_name    |rands/second|   Seed   |
>         AES_OFB|  2.45e+07  |3424392396|
> #=============================================================================#
>         test_name   |ntup| tsamples |psamples|  p-value |Assessment
> #=============================================================================#
>    diehard_birthdays|   0|       100|     100|0.55850015|  PASSED  
> [snip]
>     diehard_2dsphere|   2|      8000|     100|0.31695338|  PASSED  
>     diehard_3dsphere|   3|      4000|     100|0.72645403|  PASSED  
>      diehard_squeeze|   0|    100000|     100|0.99526250|   WEAK   
>      diehard_squeeze|   0|    100000|     200|0.75277078|  PASSED  
> [snip]
>       rgb_lagged_sum|   2|   1000000|     100|0.97574458|  PASSED  
>       rgb_lagged_sum|   3|   1000000|     100|0.99541232|   WEAK   
>       rgb_lagged_sum|   3|   1000000|     200|0.87608184|  PASSED  
> [snip]
>       rgb_lagged_sum|   2|   1000000|     100|0.97574458|  PASSED  
>       rgb_lagged_sum|   3|   1000000|     100|0.99541232|   WEAK   
>       rgb_lagged_sum|   3|   1000000|     200|0.87608184|  PASSED  
> [snip]
>         dab_monobit2|  12|  65000000|       1|0.58649430|  PASSED  
> $  
> 
> I am looking for any kind of explanation.Is there a bug in Dieharder? Did I over-estimated the importance of WEAK results? Is OFB_AES known to be slightly biased?
> 
> -- 
> Michel Arboi
> PGP key ID : 0x85A1C6A1 - 0x05054F8485A1C6A1
> Fingerprint: 1DC3 8857 B930 0B6B 9420  5D56 0505 4F84 85A1 C6A1
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200116/f12f206d/attachment.htm>


More information about the cryptography mailing list