mercredi 10 novembre 2021

Count test on uniformity of occurrence in uuid (hex)

Here reported is a test result I did in search of "cryptographically strong" PRNG. The purpose of count test is to see if the UUID algorithm favors/dislikes certain letters or numbers by counting the occurrence of each letter/number in a UUID (8.3.2. hex) generated. There are total of 10,000 UUIDs generated and counted. Here is the code for the test:

import { v4 as uuidv4 } from 'uuid';
let round = 10000, temp1, objuuid={};
for (let i=0;i<round;i++) {
            console.log("ith round : ", i);
            temp1 = uuidv4(); //uuid generated
            //uuid
            for (let j=0;j<temp1.length;j++) {
                let a1 = temp1.charAt(j);
                if (a1 !== "-") {. //don't count "-"
                    let hit = false;
                    Object.keys(objuuid).map(k => {
                        if (k == a1) {
                            hit = true;
                            //break;
                        }
                    });
                    if (hit) {
                        objuuid[a1] = objuuid[a1] + 1;
                    } else {
                        objuuid[a1] = 1;
                    }
    
                }
            }
        };

Here is output of objuuid in 3 run:

1st one:

0: 18934
1: 18723
2: 18789
3: 18712
4: 28840
5: 18491
6: 18628
7: 18732
8: 21498
9: 21241
a: 21238
b: 21223
c: 19003
d: 18820
e: 18492
f: 18636

2nd one:

0: 18768
1: 18837
2: 18572
3: 18945
4: 28557
5: 18908
6: 18922
7: 18734
8: 21265
9: 21044
a: 21274
b: 21344
c: 18681
d: 18604
e: 18775
f: 18770

3rd one:

0: 18676
1: 18743
2: 18712
3: 18741
4: 28722
5: 18947
6: 18747
7: 18736
8: 21316
9: 21253
a: 21111
b: 21413
c: 18795
d: 18704
e: 18737
f: 18647

From the result above (did more than 3 runs), It seems that "4, 8 ,9 , a, b" are more favored than others. According to this ietf article, this is by design. I am not an expert on PRNG and security. Will this "favor" negatively impact the security of the uuid generated (make it a bit easier to be guessed out)? How PRNG needs to be unbiased towards the pick to be called "cryptographically strong"?




Aucun commentaire:

Enregistrer un commentaire