In the past I have used the Chi-squared test to check the statistical randomness of my generator. Is this a good test to use? Are there other tests?
4 Answers
Checking statistical randomness is a semi-good test. What I mean by that is that if a given PRNG does not look good statistically, then it is utterly proven to be pure junk. On the other hand, good statistical randomness does not tell you much with regards to cryptographic security. Cryptographic security is about whether the PRNG output could be predicted by a sentient attacker who knows the ins and outs of your algorithm (but not its internal state). Statistical randomness is about whether the PRNG output could be predicted by a trained monkey.
"Diehard tests" used to be popular for testing non-cryptographic PRNG. During the AES competition (a dozen years ago), NIST ran them on all AES candidates, and found nothing, and the general opinion among cryptographers was that it was mostly a waste of time.
A Linear Feedback Shift Register has handsome results with Diehard -- and using it for cryptography is immediate failure.
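The LFSR point above, as an added example that is not part of the original answer: a constructed 32-bit LFSR whose byte histogram passes a chi-squared test, while the Berlekamp–Massey algorithm recovers its recurrence from 128 observed bits and reproduces the following output. The taps, seed and sample sizes are illustrative assumptions.

```python
# Constructed demo: taps, seed and sizes are assumptions chosen for illustration.
CHI2_CRIT = 330.5  # approx. upper 0.1% point of chi-squared with 255 degrees of freedom

def lfsr_bits(seed, n):
    """Fibonacci LFSR: emit the low bit, shift right, feed back the XOR of the taps."""
    state, out = seed & 0xFFFFFFFF, []
    for _ in range(n):
        out.append(state & 1)
        fb = (state ^ (state >> 10) ^ (state >> 30) ^ (state >> 31)) & 1
        state = (state >> 1) | (fb << 31)
    return out

def chi_squared_bytes(bits):
    """Pearson chi-squared statistic of the byte histogram."""
    counts = [0] * 256
    for i in range(0, len(bits) - 7, 8):
        counts[int("".join(map(str, bits[i:i + 8])), 2)] += 1
    expected = sum(counts) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def berlekamp_massey(s):
    """Shortest linear recurrence over GF(2) that generates s: returns (L, c[0..L])."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:  # current recurrence mispredicts bit i, so correct it
            t = c[:]
            for j in range(n - (i - m) + 1):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def predict(known, c, count):
    """Extend `known` by `count` bits using only the recovered recurrence."""
    s, L = list(known), len(c) - 1
    for _ in range(count):
        s.append(sum(c[j] & s[-j] for j in range(1, L + 1)) & 1)
    return s[len(known):]

def evaluate(seed=0xACE1ACE1, nbytes=16384, observed=128, ahead=4096):
    bits = lfsr_bits(seed, nbytes * 8)
    chi2 = chi_squared_bytes(bits)                # statistical view of the stream
    L, c = berlekamp_massey(bits[:observed])      # cryptanalytic view of the stream
    hit = predict(bits[:observed], c, ahead) == bits[observed:observed + ahead]
    return chi2, L, hit
```

`evaluate()` returns the chi-squared statistic, the recovered linear complexity and whether the 4096 bits after the observed window were reproduced exactly.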
What tests can I do to ensure my PRNG is working correctly?
That depends on what exactly you mean by “working correctly”.
You can do statistical tests to check for various statistical flaws your random number generator might be subject to, but you have to be aware of the fact that statistical testing cannot serve as a substitute for cryptanalysis… meaning: when it comes to cryptographic security, you’ll have to dive into cryptanalysis, like I described in another answer to a somewhat related question.
Are there other tests?
Of course… besides the Chi-squared test you already know and mentioned in your question, there are whole batteries of statistical tests available! All you have to do is to pick your favorite poison:
Dieharder
http://www.phy.duke.edu/~rgb/General/dieharder.php
Dieharder – my personal favorite – incorporates all of George Marsaglia's Diehard tests, as well as all the tests from the NIST STS (Statistical Test Suite developed by the National Institute for Standards and Technology), and some additional tests developed by rgb.
TestU01
http://simul.iro.umontreal.ca/testu01/tu01.html
Another battery of tests, comparable to Dieharder. It provides general implementations of the classical statistical tests for random number generators, as well as several others proposed in literature, and even some original ones. Some claim that – sooner or later – TestU01 will make every RNG fail at least one of its tests, no matter what RNG you throw at it. But failing a test does not immediately indicate a flaw in the individual RNG, as some tests will produce more exact results when adhering to the specific requirements of those tests (e.g. feeding them enough RNG output).
-
This is the official battery of statistical tests which NIST provides. The STS (Statistical Test Suite) is available as a download via the NIST website and details about it are described both on their website as well as in their related paper "NIST SP 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications" (PDF).
Diehard
http://www.stat.fsu.edu/pub/diehard/
This is what I would call the “old classic”. Diehard represents a battery of statistical tests, developed by George Marsaglia and first published in 1995 on a CD-ROM of random numbers. While Diehard itself may have come of age, the tests surely haven’t. Both Dieharder and TestU01 include Marsaglia’s tests.
There might be other solutions out there which may or may not be interesting to look at, but – to limit the scope to a usable level – I decided to only mention some of the (more prominent) statistical test suites.
Section 5.4 "Statistical tests" of Handbook of Applied Cryptography lists several such tests. However, note that if you're after a provably secure PRNG, such tests are far from being perfect.
For a provably secure PRNG, you need to formally prove the indistinguishability of its output from a truly-random sequence. See chapter 3 of Foundations of Cryptography for more info.
Tests of randomness with only data as input can give proof of non-randomness, but never a credible indication of randomness unless their result is coupled with an analysis of how the random data tested has been generated. Without such knowledge, such tests give a falsely reassuring PASS, or a FAIL.
Illustration: consider the PRNG that outputs 512-bit blocks computed as the HMAC-SHA-512 of the previous block under some key. That passes any randomness test for one not knowing the key, yet is trivially predictable from past output with that knowledge.
In cryptography, randomness tests with PASS result can only be useful when and if we have a model of the source tested. This is at the heart of the AIS 31 methodology of Common Criteria evaluation for True Random Number Generators; see there (under AIS 31; in German, but with links to many documents in English and a Reference implementation of the statistical tests).
This AIS 31 methodology is routinely used in things like Smart Cards, and referenced in certification reports like this and this. A model matching the device is made, and it is justified that, per that model, any likely defect that does not raise an alarm won't result in using a significantly predictable bitstream. Typically there is:
- a TRNG based on some analog phenomenon, e.g. sampling of a noise source, delivering a bitstream that can be sampled for testing purposes;
- hardware or/and software testing that source, at startup and/or runtime, in order to check that this source delivers entropy; including, at least, some test that raises an alarm if anything makes that source totally defective (that could be an attacker with a needle, a laser, evaporation of some liquefied gas...);
- a hardware or/and software conditioning of the output of that source, into another bitstream, that won't have discernible bias even if the source is only passable; that conditioned bitstream can be used e.g. as source of randomness for DPA countermeasures, or a key generator.
- possibly, an additional test that conditioning works as intended.
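The HMAC-SHA-512 illustration above, as an added example that is not part of the original answer: the chained generator is run under several constructed keys, its output is scored with the frequency and runs tests of NIST SP 800-22, and the key holder then computes the next block from one observed block. Key derivation, seed block and sample sizes are assumptions made for the demo.

```python
import hashlib, hmac, math

def hmac_chain(key, seed, nblocks):
    """The generator from the answer: each 512-bit block is HMAC-SHA-512(key, previous block)."""
    out, prev = [], seed
    for _ in range(nblocks):
        prev = hmac.new(key, prev, hashlib.sha512).digest()
        out.append(prev)
    return out

def monobit_p(data):
    """Frequency (monobit) test of NIST SP 800-22; p >= 0.01 counts as a pass."""
    n = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    return math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))

def runs_p(data):
    """Runs test of NIST SP 800-22 on the same bit string."""
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    n, pi = len(bits), sum(bits) / len(bits)
    if abs(pi - 0.5) >= 2 / math.sqrt(n):   # prerequisite frequency check failed
        return 0.0
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def pass_rate(nkeys=20, nblocks=128):
    """Fraction of constructed keys whose output passes both data-only tests."""
    passed = 0
    for k in range(nkeys):
        key = hashlib.sha256(b"constructed key %d" % k).digest()  # constructed demo keys
        stream = b"".join(hmac_chain(key, b"\x00" * 64, nblocks))
        passed += monobit_p(stream) >= 0.01 and runs_p(stream) >= 0.01
    return passed / nkeys

def key_holder_predicts(key, observed_block):
    """With the key, the block after any observed block is one HMAC call away."""
    return hmac.new(key, observed_block, hashlib.sha512).digest()
```

The tests see only the data, so their PASS says nothing about who can predict the stream; that depends on the model of the source, here on who holds the key.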