Cicero (cicero@redneck.efga.org)
19 Jul 1998 23:54:25 -0000

On Fri, 17 Jul 1998, Mike Rosing wrote:
>On 17 Jul 1998, Cicero wrote:
>
>> Statistical tests can demonstrate failure, but not success. Any good
>> PRNG will pass all such tests, with a seed of 0, and you know there is
>> no entropy there. If Murry has a test that will distinguish a RNG
>> from a PRNG I would be surprised.
>
>That shouldn't be too hard really. A real random bit generator has to
>fail when the frequency of data collection is too high, you can run a
>pseudo generator on faster machines and get good stats out. I'd also
>expect a RNG to fail stats tests more often, a PRNG should be pure white.

You are correct. I should have said "a RNG generating 100% usable
entropy" instead of "RNG". If the entropy is less than 100%, you need
to use it to seed a PRNG (with more bits than you are going to use) before
you can use the output as a session key.

I still don't think you've demonstrated that statistical tests can
show that the generator wasn't tampered with. For instance, if your
RNG is known, as is discussed below, I can determine the expected
statistics of the output, including the slight bias, and easily
fashion a PRNG whose output has exactly those statistics. You have to
open the hardware to determine I have tampered with your chip, and
that you are getting output from my PRNG; you can't tell from the
output.

I am assuming the chip is generating at some constant rate. I
don't understand your reference to frequency of data collection, but I
am not as knowledgeable in RNG hardware as you are. Can you help me
out with a clarification on that?

>> You are correct here. I can verify that my hash really is the SHA-1
>> in FIPS 180-1, and you can verify that your hardware design is one
>> which has been just as extensively analysed. Can you cite an example
>> of such a design?
>
>Vincent wrote a whole book on random bit generation in 1972. I got the
>book from the library and it sits at home. Check Ritter's web page for
>the reference. In fact he's got a lot of papers, and many of them cover
>the analysis of RNG's. I've started to read some of them, but it'll be a
>while before I get thru most of 'em. I'll have more examples after I do.

That would be great if you could post them.

...

>> I can run specific test vectors to gain some confidence that my PRNG
>> is the one that I think it is, but no tests that you can run will
>> distinguish a correct RNG from a PRNG, or distinguish one RNG from
>> another (unless one is broken), or give you confidence that your RNG
>> is the one that you thought it was. If I switch your chip with one
>> that produces 3DES OFB output, you can never find out without
>> inspecting the hardware. The output will not differ from what you
>> would expect.
>
>That's part of my experiment. It will be very interesting to see what
>the differences are. I suspect they are subtle, but visible. Real
>measurement is better than conjecture :-)

It certainly is.

I'd be glad to help in experiments. Let me know if you come up with
any PRNG tests whose results would be interesting. Given that we
agree that the output of "a PRNG should be pure white", though, it
sounds as if you don't anticipate PRNG tests.

>Patience, persistence, truth,
>Dr. mike

Cicero
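
Added example, not part of the original message or of either poster's code: it runs the four FIPS 140-1 statistical tests (monobit, poker, runs, long run) over 20,000 bits from a SHA-1 counter-mode generator seeded with all zeros, and over a stuck-at-zero stream, to illustrate the point that such tests can show failure but not the presence of entropy. The generator `sha1_counter_prng`, the constant `ZERO_SEED` and both sample streams are assumptions constructed for illustration.

```python
import hashlib

ZERO_SEED = bytes(20)  # constructed: 160 zero bits, i.e. no entropy at all

def sha1_counter_prng(seed: bytes, nbytes: int) -> bytes:
    """Hypothetical generator for this example: SHA-1(seed || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

# FIPS 140-1 runs-test intervals, keyed by run length (6 means "6 or more").
RUN_LIMITS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}

def fips140_1_tests(sample: bytes) -> dict:
    """Run the four FIPS 140-1 tests on a 20,000-bit sample; True means pass."""
    if len(sample) != 2500:
        raise ValueError("the tests are defined on exactly 20,000 bits")
    bits = [(byte >> i) & 1 for byte in sample for i in range(7, -1, -1)]
    # Poker test: chi-square statistic over the 5,000 four-bit nibbles.
    nibbles = [0] * 16
    for byte in sample:
        nibbles[byte >> 4] += 1
        nibbles[byte & 0x0F] += 1
    poker = 16 / 5000 * sum(n * n for n in nibbles) - 5000
    # Runs and long-run tests: count maximal runs of each bit value.
    runs = {(value, n): 0 for value in (0, 1) for n in RUN_LIMITS}
    longest = length = 0
    for i, bit in enumerate(bits):
        length += 1
        if i + 1 == len(bits) or bits[i + 1] != bit:
            runs[(bit, min(length, 6))] += 1
            longest = max(longest, length)
            length = 0
    return {
        "monobit": 9654 < sum(bits) < 10346,
        "poker": 1.03 < poker < 57.4,
        "runs": all(RUN_LIMITS[n][0] <= c <= RUN_LIMITS[n][1]
                    for (_, n), c in runs.items()),
        "long_run": longest < 34,
    }

if __name__ == "__main__":
    print("zero-seeded PRNG:", fips140_1_tests(sha1_counter_prng(ZERO_SEED, 2500)))
    print("stuck-at-zero   :", fips140_1_tests(bytes(2500)))
```

A pass on the zero-seeded stream says nothing about its unpredictability, since anyone who knows the seed can regenerate every bit; only the stuck-at-zero stream is caught.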
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:38 ADT