Re: Analysis of /dev/random


David Honig (honig@sprynet.com)
Fri, 09 Apr 1999 11:11:18 -0700


At 10:26 AM 4/9/99 -0400, Ge' Weijers wrote:
>I wrote a simple utility a few months back that generates 'random'
>output. It's basically the TEA block cipher encrypting a counter.

>... but it's not
>useful as a cryptographic random generator ... the output is
>perfectly compressible given the right statistical model :-)

[ie the key]

>It's easy to fool MUST.
>
>Ge'

I agree with everything except the last. MUST is a function.
My use of it as a measure of entropy is valid.

Now, any *extrapolation* that /dev/random is *crypto-secure* depends
on several other things (such as its reliance on noncomputational
(ie, physical) processes, proper hashing, etc.)

I know of no perfect tests for 'randomness' other than
compression-like techniques (e.g., MUST) and structure-finding
techniques (e.g., Diehard). (The latter are similar to running
a monte carlo sim driven by the RNG)

So, if you have a technique that can distinguish between a good
PRNG and a TRNG, *without the key*, I'd like to understand it.

(Because doing so for a given block cipher-based PRNG is equivalent to
analytically breaking the cipher, if the PRNG reveals all the bits of the
block cipher, no?)

......

When I was playing with ways of distilling audio hiss into
quality randomness, I needed a gold standard.
I used Blowfish and IDEA in counter modes
to generate very large "known good" samples. I converted the RAND million
to binary as a 'golden' reference also.

In this game, I was cooking
raw bits (which passed neither Diehard nor MUST) into stuff
that passed both tests ---and was therefore *indistinguishable*
(using these tests) from a known-good PRNG.

During this, I realized that the cipher *designer* plays the *opposite*
game ---the designer tries to get his cipher, given a regular
input (counter mode) or no input (except key and IV, in feedback mode),
to produce these high-quality, uniformly distributed bits.

Which is why, again, if you can tell a block-cipher-based PRNG from a TRNG
without either the key or taking them apart, let us know.

----------
David Honig

        Inside every wafer is a circuit, yearning to be free.
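The following is an added example (my code, not anything posted by Honig, Weijers or the list) that makes the thread's argument concrete: it implements Maurer's Universal Statistical Test (MUST) and runs it, with no knowledge of the key, over four constructed sources: the "TEA block cipher encrypting a counter" generator Ge' describes, the same generator crippled to a single TEA round, os.urandom standing in for a physical source, and a constructed "raw hiss" stream whose bytes are 6-bit ADC samples with the top two bits always zero. The demo key, the parameter sizes (L=6, Q=640, K=64000) and the expected-value/variance constants are taken from the usual MUST/NIST SP 800-22 sizing and are assumptions of this example, not anything stated in the thread.

```python
# Added example: MUST as a key-free test over a keyed PRNG, a weak PRNG, the OS
# entropy pool and a biased "raw" source. Not code from the original thread.
import math
import os
import random

MASK32 = 0xFFFFFFFF
TEA_DELTA = 0x9E3779B9

# Assumed demo key; any fixed key would do, the point is that the test never sees it.
DEMO_KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)

# MUST parameters: block length L, Q initialisation blocks, K test blocks (NIST SP 800-22 sizing).
BLOCK_LEN = 6
INIT_BLOCKS = 10 * 2 ** BLOCK_LEN
TEST_BLOCKS = 1000 * 2 ** BLOCK_LEN
NEEDED_BYTES = math.ceil((INIT_BLOCKS + TEST_BLOCKS) * BLOCK_LEN / 8)

# Expected value and variance of the statistic on truly random input (Maurer 1992 / NIST SP 800-22).
MUST_REFERENCE = {6: (5.2177052, 2.954), 7: (6.1962507, 3.125), 8: (7.1836656, 3.238)}


def tea_encrypt_block(v0, v1, key, rounds=32):
    """Plain TEA (Wheeler/Needham): encrypt one 64-bit block given as two 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) + k0) ^ (v1 + s)) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) + k2) ^ (v0 + s)) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_ctr_stream(key, nbytes, rounds=32):
    """The 'TEA encrypting a counter' generator: output TEA_k(0), TEA_k(1), ... as bytes."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        a, b = tea_encrypt_block(counter & MASK32, (counter >> 32) & MASK32, key, rounds)
        out += a.to_bytes(4, "big") + b.to_bytes(4, "big")
        counter += 1
    return bytes(out[:nbytes])


def trng_bytes(nbytes):
    """Stand-in for a physical source: the OS entropy pool (unkeyed, as far as the test knows)."""
    return os.urandom(nbytes)


def raw_hiss_bytes(nbytes, seed=1):
    """Constructed 'raw' source: 6-bit ADC samples stored one per byte, so the top two bits of
    every byte are always zero and the stream carries at most 6 bits of entropy per 8."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(6) for _ in range(nbytes))


def maurer_universal_test(data, L=BLOCK_LEN, Q=INIT_BLOCKS, K=TEST_BLOCKS):
    """Return (fn, p_value). fn is the mean log2 distance back to the previous occurrence of
    each L-bit block; on full-entropy input it sits near MUST_REFERENCE[L][0]."""
    expected, variance = MUST_REFERENCE[L]
    if len(data) * 8 < (Q + K) * L:
        raise ValueError("need at least %d bytes" % math.ceil((Q + K) * L / 8))
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    blocks = []
    for i in range(Q + K):
        v = 0
        for j in range(L):
            v = (v << 1) | bits[i * L + j]
        blocks.append(v)
    last_seen = [0] * (1 << L)
    for i in range(1, Q + 1):               # initialisation: record where each block was last seen
        last_seen[blocks[i - 1]] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):       # test: score log2 of the gap since the last occurrence
        b = blocks[i - 1]
        total += math.log2(i - last_seen[b])
        last_seen[b] = i
    fn = total / K
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(variance / K)
    p_value = math.erfc(abs(fn - expected) / (math.sqrt(2) * sigma))
    return fn, p_value


def compare_sources():
    """Run MUST over each source without any knowledge of DEMO_KEY; returns {name: (fn, p_value)}."""
    sources = {
        "TEA-CTR, 32 rounds": tea_ctr_stream(DEMO_KEY, NEEDED_BYTES),
        "TEA-CTR, 1 round": tea_ctr_stream(DEMO_KEY, NEEDED_BYTES, rounds=1),
        "os.urandom": trng_bytes(NEEDED_BYTES),
        "raw 6-bit hiss": raw_hiss_bytes(NEEDED_BYTES),
    }
    return {name: maurer_universal_test(data) for name, data in sources.items()}


if __name__ == "__main__":
    for name, (fn, p) in compare_sources().items():
        print("%-20s fn=%.4f  p=%.4g  %s" % (name, fn, p, "pass" if p >= 0.01 else "FAIL"))
```

Full-round TEA in counter mode and os.urandom both come out near the reference value with an unremarkable p-value, so this test alone cannot tell the keyed generator from the pool; the raw 6-bit stream and the one-round TEA stream (whose first output word is just the counter plus a key-dependent constant) fail by a huge margin. That is the sense in which MUST is "a function": it measures how compressible the sample looks, and passing it is necessary but never sufficient evidence that a generator is cryptographically secure.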

  


The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:21