Usenet.com

Sci Thread Archive from Usenet.com

Re: Good enough for crypto?




Terry Ritter wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> [...]
> >If a PRNG is so
> > good that it passes all (currently) available statistical
> > tests,
> 
> First of all, a PRNG which always passes statistical tests
> is bad, not good.

There is an accepted meaning of passing statistical tests,
I suppose. If a PRNG fails a certain test, it is certainly
not good (relative to the chosen criteria of that test).
It follows that a very good PRNG must pass all (currently)
available statistical tests. If there is one that does
so, then it is among the best that one can have, as far
as PRNGs are concerned.

> 
> A good PRNG will reproduce the ideal null distribution
> for each test.  That will necessarily produce the same
> level of failure as whatever significance has been chosen
> (often, 5 percent).

A statistical test never says anything absolute. It only 
allows one to (reasonably) decide at a chosen confidence 
level whether to reject a certain null hypothesis or
not to reject it.

> >then one (without knowledge of the generation
> > process) would hardly be able to know that there is in
> > fact very little entropy. (On the other hand, it seems
> > to me to be justified that such a superb pseudo-random
> > source could very well substitute a true random source
> > in practical applications.)
> 
> Even a superb pseudo-random source is still deterministic,
> thus potentially predictable.  While statistics may be
> happy with just a good value distribution, cryptography
> further demands effective unpredictability, which
> statistical tests do not measure.
> 
> It is instead necessary to understand the design of the
> generator, and somehow extrapolate an opinion that the
> internal state cannot be developed from the resulting
> sequence.  Alas, such opinions are often wrong.

But if you don't have or can't use good true randomness,
you have to resort to pseudo-randomness. It seems that
many consider AES in CTR mode to be good. But who knows
that it is 'really' secure (there being no really rigorous
and practical measure of crypto security for real-world 
ciphers)?

M. K. Shen
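Added example, not part of the thread: a short Python script that exercises both points argued above. It applies the NIST-style monobit (frequency) test at a 5 percent significance level to Python's Mersenne Twister and to a Park-Miller LCG (a = 16807, m = 2^31 - 1). Both are rejected at roughly the expected 5 percent rate, which is the "same level of failure as the significance" point: a generator that reproduces the null distribution does fail the test about one time in twenty. It then recovers the LCG's multiplier and increment from three consecutive outputs and predicts the fourth, which is exactly the predictability the test never measured. The seeds, trial counts and the choice of the Park-Miller parameters are assumptions made for this example; the recovery treats the modulus as public and the multiplier and increment as unknown.

```python
"""
Added example (not from the thread). Two things the posts argue about:
1. A generator that reproduces the ideal null distribution fails a test
   at about the chosen significance level (5 percent here), so a
   generator that never fails is itself suspicious.
2. Passing such tests says nothing about predictability: a linear
   congruential generator whose output bits look unbiased has its whole
   internal state recovered from three consecutive outputs.
Seeds, trial counts and the LCG parameters are constructed for the
example (Park-Miller "minimal standard": a = 16807, c = 0, m = 2^31-1).
"""
import math
import random

P = (1 << 31) - 1   # prime modulus 2^31 - 1 (Park-Miller)
A = 16807           # Park-Miller multiplier
C = 0               # Park-Miller has no increment; recovery does not assume this
BITS = 31           # output bits fed into the frequency test


def lcg_outputs(seed, count, a=A, c=C, p=P):
    """Return `count` successive LCG outputs following `seed`."""
    out, x = [], seed % p
    for _ in range(count):
        x = (a * x + c) % p
        out.append(x)
    return out


def monobit_rejects(bits, z_threshold=1.96):
    """NIST-style frequency (monobit) test.  True if H0 ('the bits are
    unbiased') is rejected at the 5 percent two-sided level."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return abs(s) / math.sqrt(n) > z_threshold


def int_to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def rejection_rate_python_random(trials=2000, n=1000, seed=1):
    """Fraction of monobit tests rejected on Python's Mersenne Twister."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        rejected += monobit_rejects(int_to_bits(rng.getrandbits(n), n))
    return rejected / trials


def rejection_rate_lcg(trials=2000, n=1000, seed=12345):
    """Same test applied to the LCG's concatenated output bits."""
    per_trial = -(-n // BITS)        # outputs needed to cover n bits
    rejected, state = 0, seed
    for _ in range(trials):
        outs = lcg_outputs(state, per_trial)
        state = outs[-1]
        bits = [b for v in outs for b in int_to_bits(v, BITS)][:n]
        rejected += monobit_rejects(bits)
    return rejected / trials


def recover_lcg(x1, x2, x3, p=P):
    """Attacker side: three consecutive outputs plus the public modulus
    give the multiplier and increment.
        x3 - x2 = a * (x2 - x1)  (mod p)  ->  a = (x3 - x2) * inv(x2 - x1)
        c = x2 - a * x1          (mod p)
    Works whenever x2 != x1, i.e. unless the generator sits on a fixed
    point (for c = 0 that is only the state 0)."""
    d = (x2 - x1) % p
    if d == 0:
        raise ValueError("fixed point: difference is not invertible")
    a = ((x3 - x2) * pow(d, -1, p)) % p
    c = (x2 - a * x1) % p
    return a, c


def predict_next(x1, x2, x3, p=P):
    """Predict x4 from x1..x3 without ever being told A or C."""
    a, c = recover_lcg(x1, x2, x3, p)
    return (a * x3 + c) % p


if __name__ == "__main__":
    print("MT  monobit rejection rate:", rejection_rate_python_random())
    print("LCG monobit rejection rate:", rejection_rate_lcg())
    xs = lcg_outputs(2024, 4)
    print("recovered (a, c):", recover_lcg(*xs[:3]))
    print("predicted x4 matches:", predict_next(*xs[:3]) == xs[3])
```

Both rejection rates print close to 0.05; an implementation that printed 0.0 would be the defective one. The monobit test is the weakest of the NIST suite, and the recovery step shows why passing it (or any battery of such tests) is beside the point for a keystream: the question is whether the state can be developed from the output, and for the LCG it can in three samples.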
