[Cryptography] Dieharder & symmetric cryptosystems
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Tue Mar 15 03:26:07 EDT 2022
On 3/15/22 00:24, Ray Dillinger wrote:
> It's normal to see diehard(er) rate something WEAK occasionally; It
> happens usually in inverse proportion to the (log of) the number of
> elements in the tested sample.
To be more precise, assuming that the null hypothesis is "these random
numbers are OK" (the exact meaning of "OK" depends on the test), and
assuming that the null hypothesis is true, then the p-values will be
uniformly distributed. Assuming that the classification of a test as
WEAK, PASSED etc. is based on a p-value, a WEAK classification will then
happen regularly, as exemplified by the canonical xkcd on the matter:
https://xkcd.com/882/
People have correctly pointed out that what one should look out for is
when tests are consistently WEAK. However, it is also unlikely that a
good source of random numbers consistently PASSes. A good source of
random numbers ought to be WEAK occasionally, at any level. For example,
if your threshold for WEAK is "p < 0.01 or p > 0.99", it should be WEAK
once per 50 tests on average. If it is "p < 0.001 or p > 0.999", it
should still be WEAK once per 500 tests on average.
In my opinion, gauging random number generators (for cryptographic
purposes or otherwise) by how close they are to a source of "true random
bits" (whatever that is) is extremely tricky. For example, even if you
use your generator "only" to drive a statistical simulation, you might
still not be happy if the first fifty bits of it were zero, no matter
that the probability of that happening is nonzero. So you may not want
an actual true random number generator. IIRC, NIST has deprecated tests,
or something very much like it, and if that is so, I think it's a good
thing.
Fun
Stephan
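The argument above (a healthy source should be WEAK about once per 50 tests at "p < 0.01 or p > 0.99", once per 500 at the 0.001 threshold, and a source that is never WEAK is itself suspicious) can be checked numerically. The following is an added example, not code from the mail or from dieharder; it assumes the two-sided threshold rule described in the mail and models the count of WEAK results under the null hypothesis as a binomial with success probability 2 * alpha. The sample p-values are constructed, not real test output.

```python
import math

def classify(p, alpha=0.01):
    """Two-sided rule from the mail: WEAK if p < alpha or p > 1 - alpha."""
    return "WEAK" if (p < alpha or p > 1.0 - alpha) else "PASSED"

def expected_weak_rate(alpha=0.01):
    """Under the null hypothesis p ~ Uniform(0,1), so P(WEAK) = 2 * alpha
    (1/50 for alpha = 0.01, 1/500 for alpha = 0.001)."""
    return 2.0 * alpha

def binom_upper_tail(n, k, q):
    """P(X >= k) for X ~ Binomial(n, q), summed in log space so that a
    large n does not overflow the float conversion of math.comb()."""
    log_1mq = math.log1p(-q)
    total = 0.0
    for i in range(k, n + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * math.log(q) + (n - i) * log_1mq)
        total += math.exp(log_term)
    return min(total, 1.0)

def assess(pvalues, alpha=0.01, level=0.001):
    """Judge a batch of per-test p-values: flag a source that is WEAK far
    too often, but also one that has never been WEAK although the null
    model says it should have been by now (assumed binomial model)."""
    n = len(pvalues)
    weak = sum(1 for p in pvalues if classify(p, alpha) == "WEAK")
    q = expected_weak_rate(alpha)
    p_too_many = binom_upper_tail(n, weak, q)   # P(>= weak WEAKs) under H0
    p_never = (1.0 - q) ** n                    # P(zero WEAKs) under H0
    if p_too_many < level:
        verdict = "consistently-weak"
    elif weak == 0 and p_never < level:
        verdict = "never-weak"
    else:
        verdict = "ok"
    return {"n": n, "weak": weak, "expected_weak": q * n, "verdict": verdict}

# Constructed sample inputs (not dieharder output): an evenly spaced grid of
# p-values stands in for a healthy source; the other two stand in for a
# source that is WEAK far too often and one that is never WEAK at all.
HEALTHY = [(i + 0.5) / 5000 for i in range(5000)]
ALWAYS_WEAK = [0.005] * 200 + [0.5] * 300
NEVER_WEAK = [0.5] * 5000

if __name__ == "__main__":
    for name, pv in (("healthy", HEALTHY), ("always-weak", ALWAYS_WEAK),
                     ("never-weak", NEVER_WEAK)):
        print(name, assess(pv))
```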