At 05:55 AM 2/7/2002 +1300, Peter Gutmann wrote:
>Greg Rose <[EMAIL PROTECTED]> writes:
>
> >While priming the RC4 table, I accidentally filled the data buffer instead
> >(D'oh!) with consecutive byte values 0x00, 0x01, ... 0xFF, 0x00, ...
> >
> >This very much passes the FIPS 140 tests for randomness, despite being nothing
> >like it:
>
>A generic order-0 entropy estimator (think Huffman coder) will pass this,
>because each symbol occurs with equal probability. The reason this is a
>problem is because any introductory information theory text will give the
>standard formula for entropy estimation (H = -sum(prob(x) * log(prob(x)))) and
>users will either stop reading there or the text won't go any further.

But it is interesting that, had the FIPS test worked on a multiple of 256 bytes, it would have caught it, because it uses a two-sided ChiSquare test. In other words, perfect frequency distribution (of nybbles) is also something it will reject... but it wasn't perfect because a sequence stopped early.

Greg.

Greg Rose                                INTERNET: [EMAIL PROTECTED]
Qualcomm Australia        VOICE: +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,              http://people.qualcomm.com/ggr/
Gladesville NSW 2111      232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
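Added example, not part of the original message: the order-0 entropy estimate and the FIPS poker (nybble chi-square) statistic computed over the counting sequence described in the thread. It assumes the tested sample is the first 2500 bytes (20,000 bits) starting at 0x00, uses the FIPS 140-1 poker interval, and applies that same interval to a hypothetical 2560-byte sample to show the two-sided rejection; all function names are made up for this example.

```python
import math
from collections import Counter

# Poker-test acceptance interval from FIPS 140-1 (20,000-bit sample).
# FIPS 140-2 narrowed it to (2.16, 46.17); the 2500-byte sample passes both.
POKER_LOW, POKER_HIGH = 1.03, 57.4

def counting_bytes(n):
    """Constructed sample: 0x00, 0x01, ... 0xFF, 0x00, ... cut off at n bytes."""
    return bytes(i & 0xFF for i in range(n))

def nybble_counts(data):
    """Frequency of each 4-bit value over both nybbles of every byte."""
    counts = [0] * 16
    for b in data:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    return counts

def poker_statistic(data):
    """X = (16/k) * sum(f_i^2) - k over k 4-bit segments (k = 5000 in FIPS)."""
    counts = nybble_counts(data)
    k = 2 * len(data)
    return 16.0 / k * sum(f * f for f in counts) - k

def poker_passes(data):
    # Two-sided: too uneven (high X) and too even (low X) both fail.
    return POKER_LOW < poker_statistic(data) < POKER_HIGH

def order0_entropy(data):
    """H = -sum(p(x) * log2(p(x))) in bits per byte; symbol order is ignored."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

if __name__ == "__main__":
    # 2500 bytes = one FIPS sample; 2560 = 10 full 0x00..0xFF cycles.
    for n in (2500, 2560):
        d = counting_bytes(n)
        print(n, round(poker_statistic(d), 3), poker_passes(d),
              round(order0_entropy(d), 4))
```

The 2500-byte sample ends partway through a cycle, so the nybble counts are slightly uneven and the statistic lands just inside the interval; with whole cycles every count is equal, the statistic is 0, and the lower bound rejects it.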
