On statistical distance based testing of pseudo random sequences and experiments with PHP and Debian OpenSSL

NIST SP800-22 (2010) proposed the state-of-the-art statistical testing techniques for testing the quality of (pseudo)random generators. However, it is easy to construct natural functions that the NIST SP800-22 test suite considers GOOD pseudorandom generators even though their output is easily distinguishable from the uniform distribution. This paper proposes solutions to address this challenge by using statistical distance based testing techniques. We carried out both NIST tests and LIL based tests on commonly deployed pseudorandom generators such as the standard C linear congruential generator, the Mersenne Twister pseudorandom generator, and the Debian Linux (CVE-2008-0166) pseudorandom generator with OpenSSL 0.9.8c-1. Based on experimental results, we illustrate the advantages of our LIL based testing over NIST testing. It is known that the Debian Linux (CVE-2008-0166) pseudorandom generator based on OpenSSL 0.9.8c-1 is flawed and that its output sequences are predictable. Our LIL tests on these sequences discovered the flaws in the Debian Linux implementation. However, the NIST SP800-22 test suite is not able to detect this flaw using the NIST recommended parameters. It is concluded that the NIST SP800-22 test suite is not sufficient and that distance based LIL test techniques should be included in statistical testing practice. It is also recommended that all pseudorandom generator implementations be comprehensively tested using state-of-the-art statistically robust testing tools.

Extensive testing shows that NIST's state-of-the-art testing techniques for pseudorandom generators are not sufficient.

Design and implementation of LIL based testing techniques.

Comprehensive documentation of OpenSSL pseudorandom generators and the entropy collection process.

Based on the comprehensive documentation, identification of potential attacks and flaws on OpenSSL pseudorandom generators.
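The distance based idea in the abstract, as an added example that is not code from the paper: compute the law-of-the-iterated-logarithm statistic S_lil = (2·ones − n) / sqrt(2 n ln ln n) for many sequences from one generator, then measure the total variation distance between the observed distribution of S_lil and the one expected for uniform bits. The sequence length, sequence count, bin edges and the constructed biased source are assumptions chosen for illustration, not the paper's parameters.

```python
import math
import random

def s_lil(ones, n):
    """LIL-normalised statistic of an n-bit sequence containing `ones` one-bits."""
    return (2 * ones - n) / math.sqrt(2 * n * math.log(math.log(n)))

def expected_bins(n, edges):
    """Bin probabilities for uniform bits: S_lil ~ N(0, 1/(2 ln ln n)) by the CLT."""
    sigma = 1 / math.sqrt(2 * math.log(math.log(n)))
    cdf = [0.0] + [0.5 * (1 + math.erf(e / (sigma * math.sqrt(2)))) for e in edges] + [1.0]
    return [b - a for a, b in zip(cdf, cdf[1:])]

def empirical_bins(values, edges):
    """Fraction of observed values in each bin (two open tails included)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[sum(v >= e for e in edges)] += 1
    return [c / len(values) for c in counts]

def total_variation(p, q):
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def lil_distance(ones_counts, n, edges):
    """Distance between a generator's S_lil distribution and the uniform target."""
    observed = empirical_bins([s_lil(k, n) for k in ones_counts], edges)
    return total_variation(observed, expected_bins(n, edges))

# Assumed illustration parameters (not taken from the paper).
N_BITS, N_SEQS = 4096, 400
EDGES = [i / 10 for i in range(-10, 11)]

def mt_source(seed):
    """Ones-counts of N_SEQS sequences from Python's Mersenne Twister."""
    rng = random.Random(seed)
    return [bin(rng.getrandbits(N_BITS)).count("1") for _ in range(N_SEQS)]

def biased_source(seed, p=0.55):
    """Constructed flawed generator: each bit is 1 with probability p."""
    rng = random.Random(seed)
    return [sum(rng.random() < p for _ in range(N_BITS)) for _ in range(N_SEQS)]

if __name__ == "__main__":
    print("MT19937:", round(lil_distance(mt_source(1), N_BITS, EDGES), 3))
    print("biased :", round(lil_distance(biased_source(1), N_BITS, EDGES), 3))
```

The point of the design is that the verdict comes from a distance over a whole population of sequences rather than from per-sequence pass/fail p-values.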
