Score:1

Can AES fail PractRand?

tf flag
Tom

Melissa O'Neill tested Xoroshiro128+ with 512 terabytes (2^49 bytes) of data. And finally it failed. Would AES fail PractRand with enough data?

When can we expect AES to fail? Maybe with $2^{64}$ of data?

the default. avatar
id flag
I don't know if PractRand can handle so much data, but I don't expect AES (assuming CTR mode) to fail around 2^64: the only statistical anomaly I know about is that there will be no duplicate outputs, but detecting this would require 2^64 memory (and more than 2^64 data, for confidence). There may be some statistical anomalies nobody knows about, but nobody knows about them, and it seems unlikely that a general-purpose test will detect them. I don't know how xoroshiro128+ lasted so long: its least significant output bit is an LFSR of period 128.
Maarten Bodewes avatar
in flag
@thedefault. has shown a bit of an issue with your question: AES is a block cipher and is therefore restricted to a 128 bit output for a 128 bit input. So specifying the mode of operation is really required: CFB-8 or AES-CBC may have rather different characteristics than AES-CTR. For AES-CTR we'd have to assume e.g. a 128-bit counter, I suppose. Generally we would expect AES to last a long time given the correct mode, but these tests may fail at different times given different seeds.
Tom avatar
tf flag
Tom
@thedefault. I was wrong. She tested Xoroshiro128+ with the entire low 32 bits discarded: https://www.pcg-random.org/posts/xoroshiro-fails-truncated.html
Tom avatar
tf flag
Tom
@MaartenBodewes I thought about feeding AES just numbers: 1,2,3,... and so on. I forgot to write about it.
Maarten Bodewes avatar
in flag
That would be the *key stream* of AES in counter mode, assuming that the key is not reused for separate streams.
Thorham avatar
jp flag
@the default - PractRand tests 64 bit values, and AES-CTR will certainly produce duplicate 64 bit values.
Score:0
cn flag

Of course $AES_{K_1} \oplus AES_{K_2}$ will pass as that's a pseudorandom function. One $AES$ isn't meant to be. But how can you prove that empirically?

PractRand is written by one guy (sorry Chris). It's not used in the mainstream literature. TRNGs are principally validated using dieharder or NIST STS. Randomness has been well studied but PractRand hasn't. Therefore you can't rely on some arbitrary code to disprove much researched mathematics.

And these suites aren't that clever anyway. RC4 passes all of them, and the Twister passes 95% of them, yet... And consider the huge flaws in diehard, but we still use it. Therefore Tom, the question is kinda moot.
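The two statistical claims in this thread (a single AES-CTR key stream never repeats a block, which is what a tester could in principle notice once it has stored about 2^64 outputs, while the XOR of two AES-CTR streams behaves like a random function; and a tester that only looks at 64-bit values sees duplicates regardless) can be checked at toy scale. The following is an added example, not code from the thread or from PractRand: it assumes a 16-bit block space so the birthday bound of 256 blocks is reachable, and it stands in for AES under a key with an idealized random permutation (`random_permutation`, `ctr_keystream`, `xor_ctr_keystream`, `truncate`, `looks_like_permutation` and `run_experiment` are names chosen here). Collisions are counted with a set, which is exactly the memory cost the comment above refers to.

```python
import random

# Toy parameters: a 16-bit "block cipher" stands in for AES's 128-bit one,
# so the birthday bound sqrt(2^16) = 256 blocks is reachable in a test.
BLOCK_BITS = 16
SPACE = 1 << BLOCK_BITS


def random_permutation(rng):
    """Idealized keyed block cipher: a uniformly random permutation of the
    block space (assumption: stands in for AES under one fixed key)."""
    table = list(range(SPACE))
    rng.shuffle(table)
    return table          # table[x] plays the role of E_K(x)


def ctr_keystream(perm, nblocks):
    """Counter-mode key stream: encrypt 0, 1, 2, ... under one key."""
    return [perm[ctr] for ctr in range(nblocks)]


def xor_ctr_keystream(perm1, perm2, nblocks):
    """E_K1(ctr) XOR E_K2(ctr): the sum of two independent permutations."""
    return [perm1[ctr] ^ perm2[ctr] for ctr in range(nblocks)]


def random_function_stream(rng, nblocks):
    """Reference: an ideal random function (fresh uniform block each call)."""
    return [rng.randrange(SPACE) for _ in range(nblocks)]


def truncate(blocks, keep_bits):
    """Keep only the top keep_bits of each block: what a tester that looks
    at half-blocks sees instead of the full permutation output."""
    return [b >> (BLOCK_BITS - keep_bits) for b in blocks]


def count_collisions(blocks):
    """Number of repeated values. The set holds one entry per output block,
    which is the memory cost of this kind of check."""
    return len(blocks) - len(set(blocks))


def expected_collisions(nblocks, space=SPACE):
    """Birthday estimate for an ideal random function: pairs / space."""
    return nblocks * (nblocks - 1) / (2 * space)


def looks_like_permutation(blocks):
    """Distinguisher: once a random function should have produced several
    collisions, a stream with none is flagged as a permutation. Below the
    birthday bound the check is meaningless, so it returns False there."""
    return expected_collisions(len(blocks)) >= 5 and count_collisions(blocks) == 0


def run_experiment(seed=1, nblocks=2048):
    rng = random.Random(seed)            # constructed, reproducible "keys"
    k1, k2 = random_permutation(rng), random_permutation(rng)
    ctr = ctr_keystream(k1, nblocks)
    return {
        "expected": expected_collisions(nblocks),
        "ctr": count_collisions(ctr),                            # always 0
        "ctr_xor": count_collisions(xor_ctr_keystream(k1, k2, nblocks)),
        "ideal": count_collisions(random_function_stream(rng, nblocks)),
        "truncated_ctr": count_collisions(truncate(ctr, BLOCK_BITS // 2)),
        "ctr_detected_as_prp": looks_like_permutation(ctr),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:>20}: {value}")
```

With 2048 blocks (eight times the toy birthday bound) the ideal function and the XOR of two streams both show roughly 32 collisions, the single CTR stream shows none and is flagged by `looks_like_permutation`, and the stream truncated to 8-bit values collides constantly. The same arithmetic with 128-bit blocks puts the bound at about 2^64 blocks, which is why data under one CTR key is limited in practice rather than relying on a tester to notice.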

the default. avatar
id flag
The second paragraph seems completely absurd to me. PractRand doesn't become any worse at detecting non-random input because it is not used in the mainstream literature. What does 'PractRand hasn't been studied' mean and how does "you can't use it to disprove much researched mathematics" follow from that? (and what stops me from using some arbitrary code to disprove much researched mathematics? AES probably won't fail any randomness test in a reasonable amount of time, but if it did, that would, obviously, mean that it is broken)
Tom avatar
tf flag
Tom
@Paul Uszak Quite many authors use PractRand to evaluate the randomness of their generators. I thought it is now one of the best, most modern testers. What's more, they wrote at http://pracrand.sourceforge.net that Dieharder is heavily outdated: "Pretty bad at the moment, but some parts show the potential to be very good with a little more work. The command line interface can be very convenient for scripting. I was unable to build it on win32. The default test set is particularly awful. Several tests have false-positive issues."
Tom avatar
tf flag
Tom
@Paul Uszak how do you know that xoring two AES should pass and one AES may not?
Paul Uszak avatar
cn flag
@Tom See https://crypto.stackexchange.com/q/75535/23115. It takes two (plus) of them to create a proper non-distinguishable PRF, but people don't generally do that.