From: Scott Fluhrer on 5 Apr 2010 11:33

"Mok-Kong Shen" <mok-kong.shen(a)t-online.de> wrote in message
news:hp85oj$jbl$03$1(a)news.t-online.com...
> Scott Fluhrer wrote:
>> "Mok-Kong Shen" wrote:
>>> I just looked at FIPS 140-2 which replaces FIPS-1 and saw that
>>> the statistical tests for randomness have been crossed out there.
>>> Is there no replacement? Why? (Sorry for this ignorant's question.)
>>
>> Well, I suspect it's because FIPS changed how they dealt with random
>> number generators between 140-1 and 140-2.
>
> Thanks for the information. Still I am of the personal opinion that
> a revision of a standard should spend a couple of words hinting at some
> major changes and the reasons thereof.

Actually, that wouldn't be a bad notion. There are a couple of FIPS
requirements that don't have any obvious justification; it'd be
interesting to see what they were thinking when they were mandating them.

> It may be interesting to note that the German BSI has a document:
>
> https://www.bsi.bund.de/cae/servlet/contentblob/478152/publicationFile/30275/ais20e_pdf.pdf
>
> (I just accessed it in order to know that it is still current) that
> contains statistical tests practically the same as those in FIPS 140-1
> (with some differences in the ranges) plus an autocorrelation test.

Yes, but even there, those aren't the main requirements. For K3 and K4,
you need to provide justification (mathematical proof, actually) that
your generator meets the security requirements. Given that K3 is the
least you want for any real cryptographic work, the statistical tests
are comparatively unimportant (yes, you have to do them, but most
generators that would realistically be considered candidates for K3 or
K4 would likely pass those tests anyway).

> It may also be noted that, apparently encouraged by FIPS 140-1, there
> have since been (till fairly recently, if I don't err) quite some
> scientific papers on design or applications of random number generators
> employing results of tests conforming to that standard, implicitly
> implying that everything must be o.k., if these "standard" tests were
> passed. (I have even seen one paper where one of the tests was left
> out, presumably failed.)

Hmmm, I haven't seen any of those papers. Now, if they're developing a
random number generator for, say, Monte Carlo simulations, it's quite
possible that this is an appropriate standard. If they're developing a
random number generator that they hope to be cryptographically secure,
well, their implicit assumption is less well founded.

-- 
poncho
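Added example (editor's code, not from either poster): the four FIPS 140-1 statistical tests the thread refers to (monobit, poker, runs, long run), written against the acceptance limits FIPS 140-1 published for a 20,000-bit sample. The seeded PRNG stream and the two structured bit streams are constructed inputs.

```python
import random

# FIPS 140-1 acceptance limits for one 20,000-bit sample (the tests the thread
# says FIPS 140-2 dropped and BSI AIS 20 kept with slightly different ranges).
N = 20000
MONOBIT = (9654, 10346)            # number of ones, exclusive bounds
POKER = (1.03, 57.4)               # chi-square-style nibble statistic, exclusive
RUNS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
        4: (223, 402), 5: (90, 223), 6: (90, 223)}   # inclusive; key 6 = "6 or more"
LONG_RUN = 34                      # any run of 34 or more bits fails the sample

def fips_140_1_tests(bits):
    """bits: iterable of 20,000 0/1 values. Returns {test: (statistic, passed)}."""
    b = [int(x) for x in bits]
    if len(b) != N:
        raise ValueError("FIPS 140-1 tests are defined on exactly 20,000 bits")
    ones = sum(b)                                        # monobit test
    freq = [0] * 16                                      # poker test: nibble counts
    for i in range(0, N, 4):
        freq[b[i] << 3 | b[i + 1] << 2 | b[i + 2] << 1 | b[i + 3]] += 1
    poker = 16 / 5000 * sum(f * f for f in freq) - 5000
    runs = {0: dict.fromkeys(RUNS, 0), 1: dict.fromkeys(RUNS, 0)}  # runs test
    longest, i = 0, 0
    while i < N:                                         # walk maximal runs
        j = i
        while j < N and b[j] == b[i]:
            j += 1
        runs[b[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    return {
        "monobit": (ones, MONOBIT[0] < ones < MONOBIT[1]),
        "poker": (poker, POKER[0] < poker < POKER[1]),
        "runs": (runs, all(lo <= runs[v][k] <= hi
                           for v in (0, 1) for k, (lo, hi) in RUNS.items())),
        "long_run": (longest, longest < LONG_RUN),
    }

def sample_passes(bits):
    return all(ok for _, ok in fips_140_1_tests(bits).values())

if __name__ == "__main__":
    # Constructed inputs: a seeded (non-cryptographic) PRNG stream plus two
    # structured streams that the tests are designed to reject.
    prng = random.Random(2010)
    for name, s in [("prng", [prng.getrandbits(1) for _ in range(N)]),
                    ("all_zero", [0] * N),
                    ("alternating", [i & 1 for i in range(N)])]:
        print(name, {k: v[1] for k, v in fips_140_1_tests(s).items()})
```

The structured streams fail as they should, while a plain Mersenne Twister stream would be expected to pass, which is Fluhrer's point: these tests catch gross defects but say nothing about unpredictability.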
From: Mok-Kong Shen on 5 Apr 2010 12:53
Scott Fluhrer wrote:
> "Mok-Kong Shen" wrote:
[snip]
>> It may also be noted that, apparently encouraged by FIPS 140-1, there
>> have since been (till fairly recently, if I don't err) quite some
>> scientific papers on design or applications of random number generators
>> employing results of tests conforming to that standard, implicitly
>> implying that everything must be o.k., if these "standard" tests were
>> passed. (I have even seen one paper where one of the tests was left
>> out, presumably failed.)
>
> Hmmm, I haven't seen any of those papers. Now, if they're developing a
> random number generator for, say, Monte Carlo simulations, it's quite
> possible that this is an appropriate standard. If they're developing a
> random number generator that they hope to be cryptographically secure, well,
> their implicit assumption is less well founded.

Unfortunately I didn't take note of the references (because, to be
honest, I somehow had a certain negative gut feeling instinctively). What
I can now remember is that these concern employing chaos theory to
generate randomness but do claim to be eligible for crypto use.

M. K. Shen