Testing the Fortuna random number generator?

Question

I have implemented the Fortuna random number generator as described in chapter 10 of "Practical Cryptography" (Ferguson and Schneier, Wiley, 2003), the result can be found at http://www.seehuhn.de/pages/fortuna .

My question: How can I test my implementation? Or more specifically:

• Are there any known-correct test vectors for the Fortuna generator available?
• Are there automated tests for the cryptographic properties of the output? (I know how to test the statistical properties of the output, but I don't know how to test the cryptographic properties.)
• Any other testing methodologies I should consider?

Answer 1

Perhaps obvious, but couldn't you download other implementations, design a test set of your own, and run it through multiple implementations to verify the same results?

There are these implementations:

• http://sourceforge.net/projects/fortunaprng/
• https://github.com/dlitz/pycrypto/tree/master/lib/Crypto/Random/Fortuna

If system entropy is an issue, you might be able to tweak all implementations to fudge the updates to be equal.

Answer 2

Testing properly implemented Fortuna is little different than testing any alleged cryptographically secure random number generator. The fundamental problem is a philosophical one, as well as a practical one. For simulation it may be sufficient to choose digits from pi, which is universally believed to be randomly distributed. But, as a cryptographic key or initialization vector or most anything else cryptographic, this would be a spectacularly bad choice. Any attacker who suspected you of using pi digits has broken your system -- everybody knows those digits or can compute them with little effort.

Random requires that no attacker can predict, and given that some attackers will have half a brain, this is much more difficult than random for some simulation model.

Fortuna has the virtue that a great many practical issues have been addressed to maximize the entropy in the pool from which numbers are drawn. And, furthermore, Fortuna can be so configured to make this approach closer than for the usual random generator.

Knuth (vol 2) concluded, and no one has been able to do any better really, that the best you can do with any random number generator is to apply lots of statistical tests looking for patterns (he suggests many) and abandon any that show any patterns. Thase that are left are about as good as one can do.

A reading of a good account of information theory (originally Shannon) will give you much to think about in regard to entropy and the provision therefor.

Answer 3

Robert Brown of Duke University has an excellent test suite called "Dieharder". Supposedly this is the most stringent battery of PRG tests available. I have never used it but it will be worth your while to check it out.