[19511] in cryptography@c2.net mail archive
Re: RNG quality verification
daemon@ATHENA.MIT.EDU (James A. Donald)
Tue Jan 3 18:37:45 2006
X-Original-To: cryptography@metzdowd.com
Date: Tue, 03 Jan 2006 15:28:23 -0800
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <8246493.1136318893229.JavaMail.root@elwamui-ovcar.atl.sa.earthlink.net>
--
John Kelsey wrote:
> To assess a cryptographic PRNG, you need to know two things:
>
> a. If it had a starting point or seed which was impossible to
> guess, would you be able to find any problems with its outputs?
>
> b. Does it get a starting point or seed which is impossible to
> guess?
>
> Assessing (a) is about cryptanalysis; statistics can help there, but
> mostly, you're looking at the output from some cryptographic
> function like SHA1 or AES or 3DES. Assessing (b) is about data
> analysis--you're going to look at the sources for seed material, and
> try to determine what makes them ultimately unpredictable, and to
> model them somehow. You can't assess how much entropy some variable
> has without some kind of probability model for it.
All observables are necessarily theory laden. Entropy and randomness
are more theory laden than most, so theory laden as to be impossible
to observe directly. One must study what goes in, not what goes out.
For any test, ask yourself this: If the source of "random" numbers
was the current time, hashed with SHA and a sixteen bit fixed code,
would your test show any problem?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
KU60aORMS6eP2TWG+XjML/Cp7egySzT8UZW/n9Zo
40TzrkMfMK52cZ0Rdu5DMlo9ngx84PkNXCHQrnXQ+
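The thought experiment in the message above, worked through as an added example (this code is not part of the original message or of the list archive): a toy generator whose only secret is a fixed 16-bit code hashed together with the current time, two output-only statistical tests that it passes, and the input-side check an auditor would do instead, namely bounding the seed entropy from a model of the inputs and confirming that the seed space is small enough to enumerate. The function names, thresholds and the sample time value are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# Constructed toy generator, modelled on the question in the message: the
# current time (public) and a fixed 16-bit code (the only secret), hashed
# with SHA-256 in counter mode. Not any real library's RNG.
def weak_rng_stream(seconds_since_epoch: int, code16: int, nbytes: int) -> bytes:
    """Return nbytes of output derived from SHA-256(time || code16 || counter)."""
    if not 0 <= code16 < (1 << 16):
        raise ValueError("code16 must be a 16-bit value")
    seed = struct.pack(">QH", seconds_since_epoch, code16)
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])

# --- Output-only tests: these look at "what goes out" ---------------------

def monobit_pass(data: bytes, z_threshold: float = 3.89) -> bool:
    """Frequency (monobit) test: is the number of 1 bits close to n/2?

    The z-score is (ones - zeros) / sqrt(n); the threshold corresponds to a
    p-value of roughly 1e-4, i.e. a deliberately lenient acceptance region.
    """
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n
    return abs(s) / math.sqrt(n) < z_threshold

def chi_square_bytes_pass(data: bytes, threshold: float = 340.0) -> bool:
    """Chi-square test over byte values (255 degrees of freedom).

    A statistic below ~340 corresponds to p > ~0.0003; a genuinely uniform
    stream passes this almost always, and so does the weak generator above.
    """
    counts = Counter(data)
    expected = len(data) / 256
    stat = sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))
    return stat < threshold

# --- Input-side assessment: these look at "what goes in" ------------------

def seed_entropy_bits(time_window_seconds: int) -> float:
    """Upper bound on seed entropy from a probability model of the inputs.

    The 16-bit code contributes at most 16 bits; the time contributes at most
    log2 of the number of seconds an observer cannot rule out. If the time is
    known exactly (window of 1 second), the whole seed has 16 bits.
    """
    if time_window_seconds < 1:
        raise ValueError("window must be at least one second")
    return 16 + math.log2(time_window_seconds)

def recover_code16(seconds_since_epoch: int, output_prefix: bytes):
    """Auditor's check: with the time known, is the seed space enumerable?

    Tries every 16-bit code and returns the one that reproduces the observed
    output prefix, or None. Finishing in well under a second demonstrates
    that the generator's output is determined by a trivially searchable seed,
    regardless of what the statistical tests above report.
    """
    n = len(output_prefix)
    for code in range(1 << 16):
        if weak_rng_stream(seconds_since_epoch, code, n) == output_prefix:
            return code
    return None

if __name__ == "__main__":
    # Constructed sample inputs: an arbitrary time value and an arbitrary code.
    t, code = 1_136_332_103, 0xBEEF
    stream = weak_rng_stream(t, code, 4096)
    print("monobit test passes:   ", monobit_pass(stream))
    print("chi-square test passes:", chi_square_bytes_pass(stream))
    print("seed entropy, time known to 1 s:   %.1f bits" % seed_entropy_bits(1))
    print("seed entropy, time known to 1 hour: %.1f bits" % seed_entropy_bits(3600))
    print("code recovered from 32 output bytes:", hex(recover_code16(t, stream[:32])))
```

Both output tests accept the stream, which is exactly what the message predicts: the bytes are SHA-256 output and look uniform by construction. The two input-side functions are the ones that answer Kelsey's question (b): the entropy bound comes from a model of the inputs, not from the output, and the enumeration confirms the bound is tight.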
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com