Re: [dsfjdssdfsd] software tools for testing entropy (was: Any plans for drafts or discussions on here?)

Michael Hammer <> Fri, 24 January 2014 00:41 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F2E5A1A0491 for <>; Thu, 23 Jan 2014 16:41:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mxHD36ytWfHX for <>; Thu, 23 Jan 2014 16:41:04 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 89B8B1A0224 for <>; Thu, 23 Jan 2014 16:41:04 -0800 (PST)
Received: from ([fe80::149d:c2e1:8065:2a47]) by ([::1]) with mapi id 14.03.0123.003; Thu, 23 Jan 2014 16:41:03 -0800
From: Michael Hammer <>
To: "" <>, "" <>
Thread-Topic: [dsfjdssdfsd] software tools for testing entropy (was: Any plans for drafts or discussions on here?)
Thread-Index: AQHPGJv+nJMhr9DohUaIoac1IFVu95qTCHrg
Date: Fri, 24 Jan 2014 00:41:00 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0180_01CF1859.E5493590"
MIME-Version: 1.0
Subject: Re: [dsfjdssdfsd] software tools for testing entropy (was: Any plans for drafts or discussions on here?)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Jan 2014 00:41:07 -0000

Thanks.  This is useful to me.

Michael Hammer
Principal Engineer
Mobile: +1 408-202-9291
500 Yosemite Drive Suite 120
Milpitas, CA 95035 USA

-----Original Message-----
From: dsfjdssdfsd [] On Behalf Of =JeffH
Sent: Thursday, January 23, 2014 4:32 PM
To: IETF Pseudorandom Number Generator PRNG discussion list
Subject: Re: [dsfjdssdfsd] software tools for testing entropy (was: Any
plans for drafts or discussions on here?)

 > are there good software tools for testing entropy, that could help  >
applications determine if the underlying system is giving them good  >

well, from..

[0] Akram, Raja Naeem, Konstantinos Markantonakis, and Keith Mayes.
"Pseudorandom Number Generation in Smart Cards: An Implementation,
Performance and Randomness Analysis." New Technologies, Mobility and
Security (NTMS), 2012 5th International Conference on. IEEE, 2012.

..there's the sections reproduced at [1] below which may (or may not) be

also, NIST has these resources..

NIST SP 800-22: A Statistical Test Suite for Random and Pseudorandom Number
Generators for Cryptographic Application.

Random Number Generators (RNG) Testing Requirements:

RNG Test Vectors

One could also ask the authors of [0] if they might share their impl.



E. Experimental Proof

To provide experimental proof, the NIST statistical test suite was applied.
Each algorithm was provided with a common seed file, and generated sequences
from it were saved in a binary file. This binary file was used as input to
the statistical test. Point to note here is that seed files given to all
algorithms were the same. The reason for doing so was to analyse differences
in the quality of output while using the same entropy source.

For statistical analysis, each algorithm was executed to generate 1,048,578
pseudorandom sequences of 128 bits.
Concatenating the outputs into a binary file that was then used for NIST SP
800-22 statistical analysis. The results of each algorithm are listed in
Appendix A. Taking into account the Common Criteria AIS 20 [18], our
implementation fulfils the requirements for the K4 DRNG. Below is the
discussion on how our implementation satisfies these requirements.

1) K1 DRNG: Its a simple requirement that states that if the generated
values is of set C =f c1, c2, c3, .., cm g then all members of the set
should be distinct regardless of the statistical properties.

2) K2 DRNG: Requires that the implementation should satisfy the statistical
properties such as monobit test, poker test and tests on runs. Our
implementations were subjected to the NIST SP 800-22 test suite.

3) K3 DRNG: This requires that the entropy of the PRNG is at least 80. All
SHA based algorithms has 440 bits seed and block cipher based algorithms has
128 bits seed. All of the seed values were chosen from an external high
entropy source that is carefully tested.

4) K4 DRNG: This level requires that the PRNG should be forward-secure. A
PRNG is forward-secure if after n iteration of the PRNG, a malicious user is
unable to guess the internal state of the generator. The implemented PRNG
feed back to the internal seed that is changing in each of the iterations.
Furthermore, block cipher based implementation of the PRNG use different key
in each of the iterations. Even retrieving a cryptographic key would not
help a malicious user to successfully know the entire state of the seed

In our implementations we tested SHA and block cipher based algorithms for
the PRNGs. In general block cipher based algorithms, only a single key is
used for the entire lifetime of the generator. However, we have tested that
a PRNG could be modified to use a new key on each execution of the
The internal key generation mechanism of the block cipher based PRNG
implementations are light weight and they do not hamper the overall
performance of the generator. Therefore, it could be argued that it provides
a more secure block cipher based PRNG then an PRNG that only uses a single
key for entire lifetime.

Table IV details the percentage of passing sequences pro duced by individual
algorithms. As it is evident from table III and IV, there is not a big
difference between the implemented algorithms both in terms of performance
and percentage of sequence passing the NIST statistical tests. Of particular
note, if we take the accumulated average of the passing sequences percentage
in the table IV an interesting result emerges. The
SHA-1 performs comparative better than other algorithms and AES based PRNG
has the least accumulated average of passing sequence as illustrated in
figure 4. This measure represents the randomness of the generated sequences
- not the security of the algorithm. If we also account for the performance,
SHA based algorithms perform better than the encryption based algorithms
(e.g. DES and AES).

Our research into the possibility of using a test suite like NIST SP 800-SP
to check pseudorandom number generators in smart cards has showed that it is
a workable concept. The tests listed in the NIST SP 800-22 are substantially
more then the one recommended for the smart card pseudorandom number
generators in AIS20 [18] and AIS31 [13]. This research has demonstrated that
even with limited resources and an entropy constrained environment like a
smart card, good quality pseudorandom sequences can be generated that can
satisfy all the requirements for a PRNG even the ones that are used for
general purpose computers.


dsfjdssdfsd mailing list