Message-ID: <9288.1396708446@critter.freebsd.dk>
Date: Sat, 05 Apr 2014 14:34:06 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: discussions@...sword-hashing.net, Daniel Franke <dfoxfranke@...il.com>
Subject: Mechanical tests (was: POMELO fails the dieharder tests)
In message <87ob0gnvxf.fsf@...fjaw.dfranke.us>, Daniel Franke writes:
>#=============================================================================#
># dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
>#=============================================================================#
> rng_name |rands/second| Seed |
>stdin_input_raw| 1.33e+06 |3893399644|
>#=============================================================================#
> test_name |ntup| tsamples |psamples| p-value |Assessment
>#=============================================================================#
> diehard_birthdays| 0| 100| 100|0.00000000| FAILED
> diehard_operm5| 0| 1000000| 100|0.00000000| FAILED
> diehard_rank_32x32| 0| 40000| 100|0.00000000| FAILED
I spent some time thinking about "mechanical tests" for the PHC,
as a way to be able to contribute a bit "orthogonally" to all the
card-carrying cryptographers in the panel.
I do not dispute that dieharder is onto something here, but it is
not a valid test for our purposes.
If I take the ultimate password scrambler and hexdump its output,
it is going to fail dieharder even more spectacularly than the above.
Yet, it is still the ultimate password scrambler.
Dieharder looks for bits which do not carry one full bit of entropy,
which is important if you are in the market for random-looking bits.
We are not, we are in the business of making sure that entropy is
not lost, and we do not care if an algorithm spits out 100 bits
with full entropy or 1000 bits each with only 1/10th bit of entropy.
So one of my ideas for "mechanical tests" was to use compressors
as entropy measurements, and run sanity-checking tests along the
general scheme of:
Generate_test_data > file1
candidate_algorithm < file1 > file2
gzip -9v file1 file2
Any algorithm where file2.gz can be smaller than file1.gz is toast.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
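The compressor-based scheme sketched above, written out as a runnable shell script. This is an added example, not code from the message or from the PHC; it assumes gzip, od and /dev/urandom are available, generates constructed hex test data in place of a real password corpus, and uses two stand-in "candidates" that are not PHC entries: `cat` (identity, loses nothing) and a deliberately lossy `tr` mapping that collapses six hex digits into one, which is exactly the kind of entropy loss the test is meant to flag.

```shell
#!/bin/sh
# Mechanical entropy-loss check: compare gzip -9 sizes of the candidate's
# input and output, following the scheme "gzip -9v file1 file2" from the
# message. A candidate whose output compresses smaller than its input has
# thrown entropy away.

# Constructed test data: N lines of 32 hex characters (16 random bytes each).
# A real run would feed the candidate password/salt inputs instead.
gen_test_data() {
    n=${1:-2000}
    head -c $((n * 16)) /dev/urandom | od -An -tx1 -v | tr -d ' \n' | fold -w 32
    echo
}

# Size in bytes of stdin after gzip -9.
gz_size() {
    gzip -9c | wc -c | tr -d ' '
}

# run_mechanical_test 'CANDIDATE_CMD' [N]
# Runs the candidate as a stdin->stdout filter over generated test data and
# returns 0 (pass) if file2.gz is at least as large as file1.gz, 1 otherwise.
run_mechanical_test() {
    cand=$1
    n=${2:-2000}
    tmp=$(mktemp -d) || return 2
    gen_test_data "$n" > "$tmp/file1"
    sh -c "$cand" < "$tmp/file1" > "$tmp/file2"
    s1=$(gz_size < "$tmp/file1")
    s2=$(gz_size < "$tmp/file2")
    rm -rf "$tmp"
    if [ "$s2" -ge "$s1" ]; then
        echo "PASS: file1.gz=$s1 file2.gz=$s2 ($cand)"
        return 0
    fi
    echo "FAIL: file1.gz=$s1 file2.gz=$s2 ($cand) - output compresses smaller"
    return 1
}

# Stand-in candidates (assumed, not PHC entries):
#   cat            - identity, keeps every bit of entropy
#   tr 'a-f' '0'   - maps six of sixteen hex symbols onto one, a lossy filter
run_mechanical_test cat || echo "unexpected: identity candidate failed"
run_mechanical_test "tr 'a-f' '0'" || echo "expected: lossy candidate is toast"
```

Because deflate works on bytes and repeated strings, the comparison only says something when the candidate's output is at least as long as its input; a fixed-width hash over long inputs will always produce a smaller file2.gz for reasons unrelated to entropy loss, so size the inputs accordingly (or hash fixed-width chunks) before reading anything into the result.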