[Cryptography] Dieharder & symmetric cryptosystems

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Tue Mar 15 03:26:07 EDT 2022



On 3/15/22 00:24, Ray Dillinger wrote:
> It's normal to see diehard(er) rate something WEAK occasionally; it
> happens usually in inverse proportion to the (log of) the number of
> elements in the tested sample.

To be more precise, assuming that the null hypothesis is "these random 
numbers are OK" (the exact meaning of "OK" depends on the test), and 
assuming that the null hypothesis is true, then the p-values will be 
uniformly distributed. Assuming that the classification of a test as
WEAK, PASSED, etc. is based on a p-value, a WEAK classification will then
happen regularly, as exemplified by the canonical xkcd on the matter: 
https://xkcd.com/882/

People have correctly pointed out that what one should look out for is 
when tests are consistently WEAK. However, it is also unlikely that a 
good source of random numbers consistently PASSes. A good source of 
random numbers ought to be WEAK occasionally, at any level. For example, 
if your threshold for WEAK is "p < 0.01 or p > 0.99", it should be WEAK 
once per 50 tests on average. If it is "p < 0.001 or p > 0.999", it 
should still be WEAK once per 500 tests on average.

In my opinion, gauging random number generators (for cryptographic 
purposes or otherwise) by how close they are to a source of "true random 
bits" (whatever that is) is extremely tricky.  For example, even if you 
use your generator "only" to drive a statistical simulation, you might 
still not be happy if the first fifty bits of it were zero, no matter 
that the probability of that happening is nonzero. So you may not want 
an actual true random number generator. IIRC, NIST has deprecated tests, 
or something very much like it, and if that is so, I think it's a good 
thing.

Fun

Stephan
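As an added illustration of the point Stephan makes above about p-values and expected WEAK rates (this is not code from the thread or from dieharder), the script below uses the NIST SP 800-22 frequency (monobit) test as its p-value source and a dieharder-style two-sided verdict, with the threshold `alpha` standing in for the "p < 0.01 or p > 0.99" and "p < 0.001 or p > 0.999" cases in the message. A seeded Mersenne Twister plays the "good" generator; `BiasedSource` is a constructed bad one whose bits are 1 with probability 0.5 + bias. The names `monobit_p_value`, `classify`, `run_trials`, `good_source` and `BiasedSource` are this example's own.

```python
"""Expected rate of WEAK verdicts from a correct RNG versus a biased one.
Added example, not part of the mailing-list thread or of dieharder itself."""
import math
import random


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test from NIST SP 800-22: p = erfc(|S| / sqrt(2n)),
    where S = (#ones - #zeros) over the n bits of `data`.
    Under the null hypothesis (balanced, independent bits) p is uniform on (0, 1)."""
    n = len(data) * 8
    ones = bin(int.from_bytes(data, "big")).count("1")
    s = 2 * ones - n
    return math.erfc(abs(s) / math.sqrt(2 * n))


def classify(p: float, alpha: float) -> str:
    """Two-sided verdict in the style of dieharder's labels (alpha is assumed here,
    not dieharder's actual default): WEAK when p lies within alpha of either edge,
    so a perfect source is expected to be WEAK with probability 2 * alpha."""
    return "WEAK" if p < alpha or p > 1.0 - alpha else "PASSED"


def run_trials(source, trials: int, nbytes: int, alpha: float):
    """Run `trials` monobit tests on `nbytes`-byte samples drawn from `source`
    (anything with a getrandbits method). Returns (weak_fraction, histogram),
    where the histogram counts p-values in 10 equal-width bins over [0, 1]."""
    weak = 0
    hist = [0] * 10
    for _ in range(trials):
        sample = source.getrandbits(nbytes * 8).to_bytes(nbytes, "big")
        p = monobit_p_value(sample)
        if classify(p, alpha) == "WEAK":
            weak += 1
        hist[min(int(p * 10), 9)] += 1   # p == 1.0 (S == 0) lands in the top bin
    return weak / trials, hist


def good_source(seed: int) -> random.Random:
    """Mersenne Twister, seeded for reproducibility; more than good enough to
    pass a monobit test, which is all this demonstration needs."""
    return random.Random(seed)


class BiasedSource:
    """Constructed bad generator (not a real device): each bit is 1 with
    probability 0.5 + bias. Shows what *consistently* WEAK looks like."""

    def __init__(self, bias: float, seed: int):
        self.threshold = 0.5 + bias
        self.rng = random.Random(seed)

    def getrandbits(self, k: int) -> int:
        v = 0
        for _ in range(k):
            v = (v << 1) | (self.rng.random() < self.threshold)
        return v


def expected_weak_rate(alpha: float) -> float:
    """What a correct source should score: one WEAK per 1/(2*alpha) tests."""
    return 2.0 * alpha


if __name__ == "__main__":
    good = good_source(12345)
    for alpha in (0.01, 0.001):
        rate, hist = run_trials(good, trials=2000, nbytes=1000, alpha=alpha)
        print(f"alpha={alpha}: WEAK in {rate:.4f} of runs "
              f"(expected about {expected_weak_rate(alpha)}), p-value bins {hist}")
    bad = BiasedSource(bias=0.03, seed=7)
    rate, hist = run_trials(bad, trials=200, nbytes=1000, alpha=0.01)
    print(f"biased source: WEAK in {rate:.2f} of runs, p-value bins {hist}")
```

With 8000-bit samples the good generator's p-value histogram comes out roughly flat and its WEAK fraction sits near 2 * alpha (a little under, because S only takes even values, so the p = 1.0 edge is slightly underpopulated); the biased source is WEAK on nearly every run with its p-values piled into the lowest bin, which is the pattern to worry about. Note that the 0.001 threshold needs far more than 2000 runs before its expected one-in-500 rate is distinguishable from zero WEAKs, which is the same "consistently WEAK, not occasionally WEAK" point made above.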


More information about the cryptography mailing list