[Cryptography] Dieharder & symmetric cryptosystems

james hughes hughejp at me.com
Fri Jan 17 12:50:42 EST 2020



> On Jan 17, 2020, at 6:25 AM, Michel Arboi <michel.arboi at gmail.com> wrote:
> 
> On Thu, Jan 16, 2020 at 23:37, james hughes <hughejp at me.com> wrote:
>> OFB with a plaintext of 0s is a permutation, not a random permutation.
> 
> I'm not sure I understand the role of the plaintext, considering that
> it is just XOR-ed with the cipher stream. Did I miss something?

OFB does feed back. OFB mode also takes in the plaintext. If the plaintext is any constant, then the system will eventually cycle. 

> What do you mean by "not random"? That it will cycle eventually?

Yes

>> It will cycle, usually around 2^{n-1} where the n is the block size. The cycle could (improbably) be as short as 1 block.
>> So OFB is not usable as an RNG.
> 
> 2^127 is safe in practice for any PRNG (if I am lucky). We'd need an
> impractical amount of resources to detect the cycle.
> What is the probability of getting a short cycle?

Roughly, it is a 50/50 chance that it is shorter by at least 1 bit, 25/75 by 2 bits, down to 2^{-128} that it is only 1 cycle. Sure, if you use this PRNG once, it is “good enough”, but if you deploy this in a system that has billions of PRNGs running independently, the probability of at least one of them getting a short cycle is real.

>> CTR mode is better, (but still not random since values do not repeat)
>> Hash is better.
> 
> Is there a real difference between hashing a counter (concatenated to
> a nonce) and encrypting it as in CTR mode?

Yes, counter mode repeats at the block size 2^128 and never before. Again, if there are billions of people using your PRNG independently, the possibility that two are using the same seed (which you call a nonce) is real (which is similar to a repeated hash). The cycling with the hash function is also possible, but the block sizes are larger.

Bringing this back to your question… OCB showed as Weak random. I am suggesting the cycle you were in may have had some bias. Change the key and you will be in a different cycle. (You are in a cycle even if you never get all the way through.) This is why the Hash works and OCB does not.

Read the NIST recommendations <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf>. For instance, Hash, HMAC and CTR are recommended, OFB and CBC are not. It also suggests reseeding the CTR_PRNG and HASH_PRNG after 2^{48} reads. 

Maybe the best recommendation is to use the OS supplied recommendations for cryptographically secure random numbers. 
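Added example, not part of the thread above and not code from either poster: a toy model of the point being argued. A uniformly random permutation of a small block space stands in for E_K (an assumption; real ciphers have 128-bit blocks), so the entire OFB walk from an IV can be followed to its end. The cycle containing a fixed element of a random permutation has length uniform on 1..N, which is exactly the "50/50 shorter by one bit, 25/75 by two bits, 2^{-n} that it is a single block" distribution stated in the reply, and the Monte Carlo below measures it. CTR mode over the same permutation is shown to produce N distinct blocks before its first repeat.

```python
"""Toy model (added example): OFB keystream as a permutation walk that
cycles, the distribution of its period, and CTR mode for comparison.
Assumptions: a toy block size BLOCK_BITS and random.shuffle as a stand-in
for the block cipher E_K.  Nothing here uses a real cipher."""
import random
from typing import List, Tuple

BLOCK_BITS = 10            # toy block size; a real cipher would use 128
N = 1 << BLOCK_BITS        # size of the block space


def random_permutation(key: int) -> List[int]:
    """Stand-in for E_K: one fixed bijection of the block space per key."""
    rng = random.Random(key)
    perm = list(range(N))
    rng.shuffle(perm)      # Fisher-Yates: a uniformly random permutation
    return perm


def ofb_keystream(perm: List[int], iv: int, nblocks: int) -> List[int]:
    """OFB: s_0 = IV, s_{i+1} = E_K(s_i); keystream block i is s_{i+1}.
    The plaintext is only XORed onto these blocks afterwards, so a
    constant plaintext shifts every output by the same constant and
    leaves the walk (and its period) unchanged."""
    out, s = [], iv
    for _ in range(nblocks):
        s = perm[s]
        out.append(s)
    return out


def ofb_cycle_length(perm: List[int], iv: int) -> int:
    """Period of the OFB keystream started from iv.  E_K is a bijection,
    so the walk from iv must return to iv: the period is the length of
    the permutation cycle that contains iv."""
    s, length = perm[iv], 1
    while s != iv:
        s = perm[s]
        length += 1
    return length


def ctr_first_repeat(perm: List[int], nonce: int) -> int:
    """CTR: block i is E_K((nonce + i) mod N).  Returns the index of the
    first repeated output; for a permutation this is always N, the full
    block space, never earlier."""
    seen = set()
    for i in range(N + 1):
        x = perm[(nonce + i) % N]
        if x in seen:
            return i
        seen.add(x)
    raise AssertionError("unreachable: E_K is a bijection")


def short_cycle_fractions(trials: int, seed: int = 0) -> Tuple[float, float, float]:
    """Monte Carlo over random keys and IVs: fraction of OFB periods at
    most N/2 (expected ~0.5), at most N/4 (expected ~0.25), and the mean
    period (expected ~N/2), since the period is uniform on 1..N."""
    rng = random.Random(seed)
    half = quarter = 0
    total = 0
    for _ in range(trials):
        perm = random_permutation(rng.getrandbits(64))
        period = ofb_cycle_length(perm, rng.randrange(N))
        total += period
        half += period <= N // 2
        quarter += period <= N // 4
    return half / trials, quarter / trials, total / trials


if __name__ == "__main__":
    h, q, mean = short_cycle_fractions(1500, seed=7)
    print(f"N={N}: P(period<=N/2)={h:.3f} P(period<=N/4)={q:.3f} mean={mean:.1f}")
    perm = random_permutation(42)
    print("OFB period from IV 5:", ofb_cycle_length(perm, 5))
    print("CTR first repeat:", ctr_first_repeat(perm, 123))
```

Run it as a script to see the measured fractions land near 0.5 and 0.25 and the mean period near N/2, while CTR always reaches N. The same structure holds at 128 bits, where the short-period tail cannot be observed by testing a single keystream but becomes a real risk across many independent instances, which is the argument in the reply.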