Greg Rose <[EMAIL PROTECTED]> writes:

>While priming the RC4 table, I accidentally filled the data buffer instead
>(D'oh!) with consecutive byte values 0x00, 0x01, ... 0xFF, 0x00, ...
>
>This very much passes the FIPS 140 tests for randomness, despite being nothing
>like it:
A generic order-0 entropy estimator (think Huffman coder) will pass this, because each symbol occurs with equal probability. The reason this is a problem is because any introductory information theory text will give the standard formula for entropy estimation (H = -sum(prob(x) * log(prob(x)))) and users will either stop reading there or the text won't go any further.

I've seen a (fielded) crypto RNG which uses this sort of estimator, which won't catch a whole pile of failure modes which the FIPS tests would get.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
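The failure mode Peter describes, as an added example that is not code from the thread: the order-0 estimator (Shannon H over single-byte frequencies) reports the maximum 8 bits/byte for the counter buffer Greg filled by mistake, while an order-1 estimator that conditions each byte on its predecessor reports 0. The SHA-256 keystream used as the "good" comparison is a constructed, reproducible stand-in for real random data.

```python
# Constructed example: order-0 (frequency-only) entropy versus order-1
# (conditional) entropy on the 0x00, 0x01, ... 0xFF, 0x00, ... buffer.
from collections import Counter
from hashlib import sha256
from math import log2


def order0_entropy(data: bytes) -> float:
    """H = -sum(p(x) * log2 p(x)) in bits per byte, over byte frequencies only.
    This is the textbook estimator from the reply: it sees how often each
    symbol occurs, never the order the symbols appear in."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def order1_entropy(data: bytes) -> float:
    """H(X[i] | X[i-1]) in bits per byte: how unpredictable each byte is
    once the previous byte is known. A counter has exactly one successor
    per symbol, so this collapses to 0 even though order-0 reads 8.0."""
    n = len(data) - 1
    prev = Counter(data[:-1])
    pairs = Counter(zip(data, data[1:]))
    return -sum(c / n * log2(c / prev[a]) for (a, _), c in pairs.items())


def counter_buffer(length: int) -> bytes:
    """The accidental 'RNG' from the thread: consecutive byte values, wrapping."""
    return bytes(i % 256 for i in range(length))


def keystream_buffer(length: int) -> bytes:
    """Deterministic stand-in for good random data (SHA-256 in counter mode),
    chosen only so the comparison below is reproducible offline."""
    out = bytearray()
    for i in range(-(-length // 32)):
        out += sha256(i.to_bytes(4, "big")).digest()
    return bytes(out[:length])


if __name__ == "__main__":
    for name, buf in (("counter", counter_buffer(1 << 18)),
                      ("keystream", keystream_buffer(1 << 18))):
        print(f"{name:9s} order-0 {order0_entropy(buf):.3f}  "
              f"order-1 {order1_entropy(buf):.3f} bits/byte")
```

The order-1 estimate is biased low on short samples because it spreads the input over 65536 byte pairs, so it needs far more data than the order-0 figure before the keystream reads close to 8; the counter reads 0 at any length.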