<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">OFB with a plaintext of 0s is a permutation, not a random permutation. It will cycle, usually around 2^{n-1} where n is the block size. The cycle could (improbably) be as short as 1 block. <div class=""><br class=""></div><div class="">So OFB is not usable as an RNG. </div><div class=""><br class=""></div><div class="">CTR mode is better (but still not random, since values do not repeat).</div><div class=""><br class=""></div><div class="">Hash is better. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Jan 16, 2020, at 9:05 AM, Michel Arboi &lt;<a href="mailto:michel.arboi@gmail.com" class="">michel.arboi@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class="">In May 2019, I noticed strange results of the Dieharder statistical test suite with Linux /dev/urandom.<br class="">Very often, dieharder reported inconclusive "WEAK" results on some tests, even when running "<span class="il">dieharder</span> -a -g 501 -k 2 -Y 1", which looks suspicious (-Y 1 = "resolve ambiguity" mode)<br class="">(WEAK is inconclusive, FAIL reports a real weakness. See the thread "<span class="il">Dieharder</span> &amp; /dev/urandom" on this ML, starting from 2019-05-14)<br class=""><br class=""><div class="">A totally predictable PRNG which just hashes (SHA1) a counter with a constant string passes all Dieharder tests with flying colours. I expected a cryptographic PRNG to exhibit the same behaviour.<br class=""></div><div class=""><br class="">Now, I noticed that AES_OFB produces the same suspicious results. Once again, I cannot explain this. 
As far as I know, AES_OFB should be totally unpredictable and immune from any statistical weaknesses. I do not get any FAIL, but I don't understand why Dieharder reports so many inconclusive results.<br class=""><br class=""><span style="font-family:monospace" class="">$</span><span style="font-family:monospace" class=""><span style="font-family:monospace" class=""> </span> dieharder -a -g 205 -k 2 -Y 1<br class="">#=============================================================================#<br class=""># dieharder version 3.31.1 Copyright 2003 Robert G. Brown #<br class="">#=============================================================================#<br class=""> rng_name |rands/second| Seed |<br class=""> AES_OFB| 2.45e+07 |3424392396|<br class="">#=============================================================================#<br class=""> test_name |ntup| tsamples |psamples| p-value |Assessment<br class="">#=============================================================================#<br class=""> diehard_birthdays| 0| 100| 100|0.55850015| PASSED <br class="">[snip]<br class=""> diehard_2dsphere| 2| 8000| 100|0.31695338| PASSED <br class=""> diehard_3dsphere| 3| 4000| 100|0.72645403| PASSED <br class=""> diehard_squeeze| 0| 100000| 100|0.99526250| WEAK <br class=""> diehard_squeeze| 0| 100000| 200|0.75277078| PASSED </span></div><div class=""><span style="font-family:monospace" class="">[snip]<br class=""> rgb_lagged_sum| 2| 1000000| 100|0.97574458| PASSED <br class=""> rgb_lagged_sum| 3| 1000000| 100|0.99541232| WEAK <br class=""> rgb_lagged_sum| 3| 1000000| 200|0.87608184| PASSED <br class=""></span></div><div class=""><span style="font-family:monospace" class="">[snip]</span></div><div class=""><span style="font-family:monospace" class=""> rgb_lagged_sum| 2| 1000000| 100|0.97574458| PASSED <br class=""> rgb_lagged_sum| 3| 1000000| 100|0.99541232| WEAK <br class=""> rgb_lagged_sum| 3| 1000000| 200|0.87608184| PASSED </span></div><div class=""><span 
style="font-family:monospace" class="">[snip]</span></div> dab_monobit2| 12| 65000000| 1|0.58649430| PASSED <br class="">$ <br class=""><br class=""></div>I am looking for any kind of explanation. Is there a bug in Dieharder? Did I overestimate the importance of WEAK results? Is OFB_AES known to be slightly biased?<br class=""></div><div class=""><div class=""><br class="">-- <br class="">Michel Arboi<br class="">PGP key ID : 0x85A1C6A1 - 0x05054F8485A1C6A1<br class="">Fingerprint: 1DC3 8857 B930 0B6B 9420 5D56 0505 4F84 85A1 C6A1</div></div></div>
</div></blockquote></div><br class=""></div></body></html>
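The cycle-length and no-repeat points made in the reply at the top of this message, as an added example that is not part of the original e-mail thread. It assumes a toy 12-bit block so that cycles can be walked exhaustively, and it models a block cipher under one key as a seeded random permutation; all function names are hypothetical.

```python
import random

N_BITS = 12          # toy block size (assumption) so cycles can be walked; AES has n = 128
SIZE = 1 << N_BITS

def keyed_permutation(key):
    """Model of a block cipher under one key: a seeded random permutation of all blocks."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)   # modelling only, not a cryptographic construction
    return table

def ofb_cycle_length(perm, iv):
    """Keystream blocks OFB emits (zero plaintext) before its state returns to the IV."""
    state, blocks = perm[iv], 1
    while state != iv:
        state = perm[state]
        blocks += 1
    return blocks

def mean_ofb_cycle(n_keys=200, seed=1):
    """Average cycle length over n_keys independent (key, IV) pairs."""
    rng = random.Random(seed)
    total = 0
    for key in range(n_keys):
        total += ofb_cycle_length(keyed_permutation(key), rng.randrange(SIZE))
    return total / n_keys

def ctr_stream(perm, count, start=0):
    """CTR keystream: the permutation applied to successive counter values."""
    return [perm[(start + i) % SIZE] for i in range(count)]

def first_repeat(blocks):
    """Index of the first block that repeats an earlier one, or None if all differ."""
    seen = set()
    for i, block in enumerate(blocks):
        if block in seen:
            return i
        seen.add(block)
    return None

if __name__ == "__main__":
    print("mean OFB cycle:", mean_ofb_cycle(), "vs 2^(n-1) =", SIZE // 2)
    print("CTR first repeat in 2^n blocks:", first_repeat(ctr_stream(keyed_permutation(7), SIZE)))
    rng = random.Random(2)  # constructed uniform sample for comparison
    print("uniform first repeat:", first_repeat([rng.randrange(SIZE) for _ in range(SIZE)]))
```

In this model the OFB cycle length is spread widely around a mean near 2^(n-1), and an IV that is a fixed point of the permutation gives a cycle of 1 block. The CTR stream shows no repeated block across all 2^n counters, whereas uniformly random blocks repeat after roughly 2^(n/2) draws.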