Randomness Tests in Hostile Environments

An acceptable way to assess the quality of an RNG(PRNG) is to apply a standard battery of statistical randomness tests to a sampled output. Such tests compare some observed properties of the sample to properties of a uniform distribution, with the hope to detect deviations from the expected behavior. Consider a (P) RNG that outputs M-bit values which, due to a failure or an attack, are coerced to a subset of {0, 1}(M) of only 2(n) elements, for some n < M. Such outputs are predictable with a probability of at least 2(-n) > 2(-M), but the standard randomness tests do not necessarily detect this behavior. We show here deterministic M-bit sequences (M = 128) that belong to a subset of size 2 n, but pass the DIEHARD Battery of Tests of Randomness [1] and the NIST Statistical Test Suite [2], even with a relatively small value of n = 29. To address the difficulty, we propose a detection method that is feasible even for large values of n (e.g., n = 64). As a practical example, we apply our method to rule out the existence of the speculative stealthy hardware Trojan that is discussed in [3].