Testing Stream Ciphers by Finding the Longest ... - Springer Link

Testing Stream Ciphers by Finding the Longest Substring of a Given Density Serdar Bozta¸s1 , Simon J. Puglisi2 , and Andrew Turpin2 1

2

School of Mathematical & Geospatial Sciences School of Computer Science & Information Technology, RMIT University, Melbourne VIC, Australia [email protected], {simon.puglisi,andrew.turpin}@rmit.edu.au

Abstract. Given a string x[1..n] drawn from the alphabet {0, 1}, and a rational density parameter 0 ≤ θ ≤ 1, this paper considers algorithms for finding the longest substring of x with density θ. That is, if the length of the substring is m, the number of one-bits in the substring is exactly θ × m. It is surprisingly difficult to devise an algorithm that has worst case time less than the obvious brute-force algorithm’s O(n2 ). We present three new approaches to reducing the running time, and an algorithm that solves the problem in O(n log n) expected time. We then apply the new algorithm, as well as an empirical estimate of the lim-sup and the lim-inf of a centred statistic which is expected to obey a law of the iterated logarithm, to the randomness testing of (a) the output of the BSD function Random, and (b) the output of the stream cipher Dragon. The results for these outputs warrant further study.

1

Introduction

“A method of producing random numbers should not be chosen at random”−Donald Knuth, in [8]. The security of modern information systems depends on the quality of pseudorandom number generators and the “randomness” of numbers they produce. As such, algorithms that test these generators are of interest – they provide some level of assurance. Randomness testing has been investigated by various authors in the past: Knuth [8] has a good overview of such tests, L’Ecuyer [4] has also considered the same problem, from a different point of view. Other references in this area include The Handbook of Applied Cryptography [10] (see Chapter 5), Marsaglia’s work [9] including his DIEHARD battery of randomness tests, and the recent volume [12] by Neuenschwander. A suite of randomness tests are implemented by the US Government’s NIST [13], and another suite of randomness tests called CRYPT-XS are implemented by the Queensland University of Technology(QUT)’s Information Security Institute [15]. 

This work is supported by the Australian Research Council.

C. Boyd and J. Gonz´ alez Nieto (Eds.): ACISP 2009, LNCS 5594, pp. 122–133, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Testing Stream Ciphers by Finding the Longest Substring

123

In this paper we consider algorithms for an easy to state problem that is useful for randomness testing, but which is deceptively difficult to solve in worst case asymptotic time less than an obvious brute-force solution. We discuss the problem of randomness testing and its application to security further in Section 3 and focus on algorithmics below. Throughout we consider a string x[1..n] = x[1]x[2] . . . x[n] of n symbols drawn from a binary alphabet Σ = {0, 1}. We call x[i..j] = x[i]x[i + 1] . . . x[j], 1 ≤ i ≤ j ≤ n a substring of x. A substring x[i..j] is a suffix of x if j = n and a prefix of x if i = 1. The density of a string x is the ratio of the number of one-bits in the string to the length of the string. More formally given a string x and θ = c/d, c and d positive integers c ≤ d, we say a substring x[i..j] is θ-dense (or has density θ) if and only if j − i + 1 = kd and x[i..j] contains kc one-bits, for some positive integer k. Problem 1 (Longest θ-dense substring). Given a string x[1..n] on {0, 1} and θ = c/d, c and d positive integers, with c ≤ d and gcd(c, d) = 1, find the longest substring of x having density θ. In other words, find the largest k such that there is a substring of x of length kd that has kc one-bits. Note that, a string as defined in Problem 1, need not exist, and if it does, the problem is finding it efficiently. Throughout this paper, we use log to denote logarithms to the base 2. The remainder of this paper is as follows. Section 2 considers Problem 1 and gives a basic solution to which we add several heuristics. We show that one of the heuristics leads to a O(n log n) expected time solution to the problem. We discuss randomness testing and display experimental results using the new algorithm in in Section 3. Finally, in Section 4 we offer some reflections and future directions.

2

Locating the Longest Substring with Given Density

An O(n2 ) worst case solution to Problem 1, finding the longest θ-dense substring, is relatively straightforward. Firstly we preprocess x so that we can answer rank queries on x in constant time. The answer to a rank query rankx (i) is the number of one-bits in x[1..i]. A simple data structure to support rank queries is an array of integers containing the a count of the number of one-bits in x up to that position in the array. Such an array can be calculated in a single pass over x, requiring θ(n) time, and the largest element in such an array would be n, requiring at least log n bits of storage, so total space for the auxiliary data structure would be O(n log n). A more sophisticated data structure supporting constant time rank queries can be built in O(n) time and requires n + o(n) bits of extra space [6,11,14]. Once the auxiliary data structure is constructed so rank queries can be answered in constant time, the number of bits in substring x[i..j] can be calculated as rankx (j) − rankx (i − 1), also in O(1) time. Then for each position in the string i ∈ [1..n − d + 1], compute the number of bits in each substring x[i..i+kd], k ∈ [1..(n−i+1)/d] keeping track of the longest substring containing

124

S. Bozta¸s, S.J. Puglisi, and A. Turpin BruteForce (x[1..n],θ = c/d) Set up a rank data structure that computes rankx (i) in O(1) time. Set max ← (0, 0). for i ← 1 to n − d + 1 do Set kc ← c. for j ← i + d − 1 to n in steps of d do if (rankx (j) − rankx (i − 1)) = kc and (j − i > max.j − max.i) then Set max ← (i, j). Set kc ← kc + c. if max = (0, 0) then output x[max.i..max.j] else no substring found.

Fig. 1. Algorithm BruteForce to find the longest substring of x[1..n] that is θ-dense

kc one-bits. For each position we ask at most O(n/d) rank queries, there are at most n positions, so overall the time spent is O(n2 /d) = O(n2 ). Figure 1 shows some pseudo code for this approach. Given that the rank data structure allows a constant time decision on whether a given substring of length kd contains the necessary number of one-bits, the difficulty with Problem 1 seems to be the number of substrings an algorithm must consider, so any reduction in running time must be gained through a reduction in the number of substrings. This observation is consistent with literature describing O(n) algorithms for finding θ-dense substrings with bounded lengths [7]. In the next two subsections we examine two approaches to reducing the number of substrings considered. 2.1

Exploiting θ-Primitives

It would seem intuitive that long θ-dense strings would contain substrings that were themselves θ-dense. If this were true, then an inductive style algorithm that constructs long θ-dense strings by combining smaller θ-dense substrings should reduce the running time of an algorithm to solve Problem 1. In this regard, we observe the following lemma. Lemma 1. A θ-dense string x of length kd containing exactly kc one-bits must have at least one substring of length d containing c one-bits. Proof. Call a substring of x of length d under or over if it contains less than or more than c one-bits respectively. We proceed with a proof by contradiction. Assume the Lemma is not true, then every substring of x of length d must be either under or over. If all length d substrings were under, then there would be less than kc one bits in x in total; similarly, if all of the length d substrings were over, then there would be more than kc one bits in x in total. Hence, there must be at least one under and one over substring in x as it is θ-dense. Moreover, there must be a point in the string where an over and under substring overlap by d − 1 characters, otherwise all substrings must be under, or all over. Without loss of generality say that position in x where the overlap between an under and an over substring occurs is i+1; that is, x[i..i+d] is under and x[i+1..d+1]

Testing Stream Ciphers by Finding the Longest Substring

125

is over. The substring x[i..i+d] can have at most c − 1 one-bits, as it is under, hence the substring x[i..i+d]x[i+d+1] = x[i..i+d+1] can have at most c one-bits. But if x[i..i+d+1] can have at most c one-bits, it is not possible for its suffix x[i+1..i+d+1] to have more than c bits hence x[i + 1..d + 1] cannot be over. Therefore x cannot consist of only substrings of length d that are a mix of under and over. Therefore x contains a substring of length d that contains c one-bits. 2 We call a θ-dense string of length d a θ-primitive string. It would be nice if the θ-primitive substrings of a string could be used as a base for constructing longer θ-dense substrings. That is, beginning with θprimitives of length d, expand them to θ-dense strings of length 2d, and so on. Unfortunately if x is of length kd and contains kc one-bits, there is no guarantee that it must contain a substring of length (k − 1)d containing (k − 1)c bits. For example, if x = 111000111 and d = 3, c = 2, then the entire string (k = 3) has density 2/3, but there is no substring of length 6 containing 4 one-bits (k = 2). So while any θ-dense string must contain a θ-primitive of length d containing c one-bits, there is no guarantee that it must contain a substring of length 2d containing 2c one-bits. This limits the power of Lemma 1 to reduce the number of substrings that must be considered by any algorithm designed to find the longest θ-dense substring of a string below O(n2 ). Interestingly, Lemma 1 can be used to solve the following (weaker) problem in O(n) time. Problem 2. Given a string x[1..n] on {0, 1} and θ = c/d, c and d relatively prime positive integers, c < d, determine if x has any substrings with density of one-bits equal to θ. Lemma 1 allows us to only check the substrings of length d — if none are present then there can be no longer ones. The substrings of length d can be checked for in O(n) time by sliding a window of size d over x. Although there is no ready inductive argument that might allow an algorithm to identify all θ-primitive regions, and then use them to construct longer substrings in sub-O(n2 ) time, in practice Lemma 1 may provide some useful heuristics that will reduce running time on random strings. Lemma 2. Let i1 and i2 be the positions of consecutive θ-primitive substrings in x. No θ-dense substring can begin after position i1 and end before position i2 + d − 1. Proof. From Lemma 1 we know that any θ-dense substring must contain a θprimitive substring. Any substring beginning after i1 and ending before i2 will not contain a θ-primitive substring, so cannot be θ-dense. 2 If θ-primitives are few and far between, as we might expect in random strings for large d, then this Lemma allows us to discard quite a few substrings from consideration. An algorithm similar to BruteForce, where i and j, the left and right boundaries of possible substrings respectively, move right along x can exploit this. The right boundary, j must be to the right of the closest primitive

126

S. Bozta¸s, S.J. Puglisi, and A. Turpin SkipMisMatch (x[1..n],θ = c/d) Set up a rank data structure that computes rankx (i) in O(1) time. for k ← n/d downto 1 do Set i ← 1, and j ← kd. while i ≤ n − kd + 1 do Set δ ← |kc − rankx (j) + rankx (i − 1)|. if δ = 0 then Set max ← (i, j) and terminate. Set i ← i + δ, and j ← j + δ. Output no suitable substring found.

Fig. 2. Algorithm SkipMisMatch to find the longest substring of x[1..n] that is θdense

to i, if such a primitive exists, allowing j to skip several positions from consideration. For each pair, however, all strings beginning at i and ending at a position greater than j must be checked, so the algorithm still requires O(n2 ) time. The worst case is realised when every position in the string is the end of a θ-primitive; for example, x = 110110110.. when θ = 2/3. 2.2

Exploiting Mismatches

A reversal of the loops in Figure 1 yields an alternate brute force algorithm that for every possible substring length, every position is checked; rather than one that checks every possible length for every position. This simple reversal of loops does not lower the asymptotic cost of Algorithm BruteForce, but it does allow an optimisation, as captured in the following Lemma. Lemma 3. If the number of one-bits, say m, in a substring of length kd beginning at position i, where 1 ≤ i ≤ n − kd + 1, x[i..i + kd − 1], is not equal to kc, then there can be no θ-dense substring of length kd beginning in positions x[i..i + |kc − m|]. Proof. By definition, a θ-dense substring of length kd must contain kc one-bits. If a substring of x of length kd contains only m < kc one-bits, then at least a further kc − m bits must be added to the substring to bring the count of onebits up to kc. That is, the end of the substring must be increased by kc − m positions. In order to remain of length kd, however, the left boundary of the substring must also be increased by kc − m positions, hence it cannot begin in positions x[i..i + (kc − m)]. Similarly, if m > kc, then m − kc zero-bits must be added to the end of x to reduce its density to θ. 2 This lemma allows us to exploit mismatches in windows of length kd in much the same way that pattern matching algorithms such as KMP or Boyer-Moore skip over mismatching areas of text [3]. Algorithm SkipMisMatch outlines the approach. Note that the order of loops is reversed from Algorithm BruteForce, and k decreases from the maximum possible until some θ-dense substring is found. Because

Testing Stream Ciphers by Finding the Longest Substring

127

the algorithm searches from longest to shortest substrings, it can terminate as soon as it has found a θ-dense substring, as there can be no longer such substrings. For each substring considered, if there is an abundance or deficit of one-bits (δ = 0), then i and j are stepped by the difference as per Lemma 3. The worst case running time of Algorithm SkipMisMatch is still O(n2 ), but the expected running time can be less, depending on the number and size of the skips arising from Lemma 3. Lemma 4. Algorithm SkipMisMatch requires O(n log n) expected time. Proof. Let us assume that the string x has been generated by a source that emits a one-bit with probability p. For some substring of length kd, the expected number of one-bits is p × kd, and the number of one-bits required for a θ-dense substring is θ × kd. The expected value of δ, therefore, is δˆk = |θkd− pkd|. So for each possible k value we expect to skip over δˆk positions for every position examined, so at most n/δˆk positions are examined. Given that examining each position requires O(1) time, The expected time is bounded by n/d

n/d+1  n − kd + 1  n ≤ 1/k = O(n log n), |θ − p|d δˆk

k=1

k=1

2

and the proof is complete. 2.3

Experimental Results on BSD Function Random

In order to confirm that the expected running time of Algorithm SkipMisMatch is sub-O(n2 ) we ran some simple timing experiments on strings generated using

50

1

30

0.501 0.503 0.509 0.513 0.519

2 1

20

Time (secs)

40

1 2 3 4 5

3 4 5

0

10

2

1 2 3 4 2 1 5 55 33 2 44 1 0

1 2 3 4 5

1 2 3 4 5 10

3 4 5

20

30

40

50

60

n (’000,000)

Fig. 3. Mean time taken for Algorithm SkipMisMatch on strings of varying length generated by the BSD function Random (x-axis) when p = 0.5. The values in the legend indicate the θ value used for each run.

S. Bozta¸s, S.J. Puglisi, and A. Turpin

20000 15000 10000 5000

Maximum length of sequence

25000

128

1

2

4

8

16

32

64

128

256

512

n (’000,000)

Fig. 4. Length of the longest θ-dense sequence, generated by Random, where θ = 0.519, p = 0.5. Boxes show 0.25 and 0.75 quantiles, the black line is the median, and whiskers and dots show extreme values. The solid curve is the bound given by the Strong Law of Large Numbers: log(n)/H(0.519, 0.5).

the BSD function random on a Sun Fire V210 Server with 16GB of RAM running Solaris 10, utilising one of the two 1.34 GHz UltraSPARCIII-i processors. Times reported are the CPU time as reported by the Solaris command line time program. Figure 3 shows the mean running time of Algorithm SkipMisMatch, where the mean is over 20 runs with a different random seed for the random function at each run, for various θ values. The standard deviations of each group of runs were very small, and so are not plotted as error bars. The digits labelling the curves represent data points, and the lines are drawn for clarity. In all cases, the time required increases sub-O(n2 ) as n increases. As |θ − p| increases (curves 1 down to 5) the running time of SkipMisMatch decreases accordingly, as the constant of proportionality in the O(n log n) expected running time bound includes 1/|θ − p|. To examine the effect of varying p, we fixed θ at 0.6, and ran 20 runs for various p values, again using new random seeds for each run. The data is consistent with an expected running time of O(|θ − p|−1 n log n). Figure 4 shows some of the lengths of the longest sequences we observed at the output of Random. The plot is consistent with the expectation that the length of the longest sequence is proportional to log(n)/H(θ, p), as discussed in detail in the next section.

Testing Stream Ciphers by Finding the Longest Substring

3

129

Application to Randomness Testing of Stream Ciphers

The eStream project www.ecrypt.eu.org/stream/ is a recently completed project described as a “multi-year effort running from 2004 to 2008 [which] has identified a portfolio of promising new stream ciphers”. An interesting and highly efficient cipher submitted to that project is Dragon [16] designed by researchers at QUT. Dragon has been subjected to extensive randomness testing with no weaknesses identified. While many randomness tests are currently known and used, it is still of interest to look for further tests, since in cryptography, a cipher is considered suspect as soon as its output fails a single well-designed test. Moreover, recent work has shown that the issue of statistical dependence between commonly used tests is quite complicated. In particular some tests output test results which have a much higher correlation than what would be expected if the tests were statistically independent. See Turan et. al. [17] for more details. 3.1

Testing Dragon Using the Erd¨ os-R´ enyi Strong Law of Large Numbers

25000 15000 5000 0

Maximum length of dense sequence

The relevance of Problem 1 to randomness testing comes from the fact that for a random sequence, the statistic computed by Problem 1 has an almost-sure limit as n → ∞. Let X1 , . . . , Xn be a given sequence of {0, 1}−valued random variables and define Ln (θ), the length of the “longest run of 1’s with density θ” by

0

1

2

3

4

5

6

7

8

9

10

log2(n/1,000,000)

Fig. 5. Length of the longest θ-dense sequence, generated by Dragon, where θ = 0.519, p = 0.5. Boxes show 0.25 and 0.75 quantiles, the black line is the median, and whiskers and dots show extreme values. The solid curve is the bound given by the SLLN: log(n)/H(0.519, 0.5).

130

S. Bozta¸s, S.J. Puglisi, and A. Turpin



1 Ln (θ) = max t : ∃i ∈ {0, . . . , n − t}, θ ≤ Xi+k t t

 .

k=1

Erd¨ os and R´enyi [5] have proved the following. Theorem 1. If X1 , . . . , Xn are i.i.d. with P r[Xi = 1] = p, for all θ ∈ (p, 1], we log(n) , almost surely, where the binary relative entropy is given have Ln (θ) → H(θ,p) by H(θ, p) = θ log(θ/p) + (1 − θ) log((1 − θ)/(1 − p)). We now give an intuitive and non-rigorous explanation of what the phrase converges almost surely (implicit in the Theorem above) means. The rigorous definition of this measure-theoretic terminology can be found in many statistics textbooks. If we say that a random quantity Tn converges in probability to a constant T , this means that, for the random sequence Tn , for all ε > 0, the quantity P r[|Tn − T | > ε] goes to zero as n → ∞. But this probability is averaged over all possible realizations of the random sequence (Tn )n≥1 so that there can be some realizations for which the convergence above does not hold, albeit for a vanishing fraction as of all possible realizations n → ∞. If we say that a random quantity Tn almost surely converges to a constant T , this means that, for the random sequence Tn , for all ε > 0, the quantity P r[|Tn − T | > ε] goes to zero as n → ∞ for essentially all possible realizations of the random sequence (equivalently except for a set of probability zero among all possible realizations). It is, however, possible that the rate of convergence of P r[|Tn − T | > ε] to zero depends on the realization. Note that limθ→p H(θ, p) = 0, and that’s why we take θ ∈ (p, 1]. It is relatively simple to obtain an upper bound on this growth rate by using large deviations, see [2], but much harder to get the lower bound and hence the exact growth rate. Using this almost sure growth rate to test the randomness of a given sequence would essentially proceed as follows (for simplicity, we assume the sequence is unbiased, i.e., p = 1/2) which should hold for the output of any good random bit generator. For i = 1, 2, . . . , s compute the length of the longest substring in X1 , . . . , Xni with density θ1 , . . . , θm . Use the theorem to visually observe whether the growth rate of the length of the longest substring is roughly: (i) Proportional to log(ni ), i = 1, . . . , s; and (ii) Inversely Proportional to H(θj , 1/2) for j = 1, . . . , m. As a preliminary experiment to exploit Theorem 1 for solving Problem 1, we could assume a value of p, and assume that string x is long enough for the strong law to be accurate, and only search the string for substrings of length log(n)/H(θ, p). We have done this for the function Random and displayed the results in Figure 4. We have also applied this approach as a preliminary test of the output of Dragon. In particular, for keystream output lengths of 225 + 1000k, with k =

Testing Stream Ciphers by Finding the Longest Substring

131

−6

−4

−2

0

2

Wn Tn

−5000

−3000

−1000

0

1000

3000

5000

n − 225

Fig. 6. The values of the quantities Tn defined in (1) (solid circles) and and Wn defined in (2) for the output of Dragon, where the output length ranges from 225 − 5000 to 225 + 5000 bits at equal intervals of 1000 bits

−5, −4, . . . , +4, +5, we have generated 100 random keys from /dev/random for each nk and used the 100 output keystreams thus generated as input to our algorithm computing the length of the longest substring with density θ = 0.519 assuming p = 1/2. The results look as expected and are plotted in Figure 5. These results are, of course, very preliminary, and extensive testing will follow. Note that we have used a logarithmic plot of the x−axis in Figure 5, hence the straight line of the solid curve, when compared to the curved line of the solid curve in Figure 4. When an x−axis value of Figure 5 is converted to the corresponding x−axis value in Figure 4, the statistical behaviour (in terms of median and dispersion) of Ln (θ) is essentially the same for Dragon and for the BSD function Random. 3.2

Testing Dragon Using the Law of the Iterated Logarithm

A related statistical strong law, described in [1], has also been used to test Dragon, and is described below. Let X1 , X2 , . . . be an i.i.d. sequence of binary random variables with p = P [Xi = 1] = 1 − P [Xi = 0] for all i ≥ 1, and let Sn:t be defined as the maximum number of ones occuring in a window of length t starting within the first n tosses: Sn:t = max (Xi + Xi+1 + · · · + Xi+t−1 ). 1≤i≤n

Assume that a ∈ (p, 1) and use a Law of the Iterated Logarithm from [1] to 

plot the variability of the output of Dragon. Fix θ ∈ (p, 1). With t = t(n) = 

log(n)/H(θ, p) , and the “odds ratio” r = r(θ, p) =

132

S. Bozta¸s, S.J. Puglisi, and A. Turpin 

= p(1 − θ)/(θ(1 − p)), as n → ∞ define centering constants b(n, t) = b(n, t; θ, p) by   2πθ(1 − θ) θ log n 1 1 b(n, t) = − log1/r log(n) − log1/r + log1/r (θ − p). H(θ, p) 2 2 H(θ, p)  Sn:t − b(n, t) = 1 = 1. P lim sup log1/r log n n 

We then have:

(1)

This means that for  > 0 arbitrarily small and for n large enough if we plot the time series Tn = (Sn:t − b(n, t))/ log1/r log n, Tn will approach arbitrarily closely to 1 from below but never reach it, infinitely often. Similarly

 (2) P lim inf Sn:t − b(n, t) + log1/r log log n = −1 = 1. n

which means that the time series Wn = Sn:t − b(n, t) + log1/r log log n will approach -1 arbitrarily closely from above but never reach it, infinitely often. Interestingly, when we apply this test to Dragon, as seen in Figure 6, Tn (shown as circles) exceeds +1 somewhat but is usually under it, which is reasonable. However, Wn (shown as diamonds) varies around a mean of roughly -5, which may be an indicator of a problem with Dragon. Clearly, this preliminary observation deserves further study.

4

Conclusions and Discussion

In this paper we have presented a new algorithm for finding the longest substring of a given density in a string, and shown that it runs in O(n log n) expected time. Moreover, we have given two alternate approaches to solving the problem: exploiting the idea of θ-primitives as introduced in Lemma 1; and exploiting the bound given by the Strong Law of Large Numbers. While our implementations of these ideas did not decrease running times below those of Algorithm SkipMisMatch for parameterisations that would be typical in randomness testing, both seem promising avenues of exploration. In particular, one ready optimisation for an algorithm that solves the problem could be to check for the existence of any θ-primitive during the construction of the data structure used for rank queries. If no such primitive exists, then no further work is required. This is particularly useful when |θ − p| is large, but is not so useful if the data structure is computed once for a string, but used for many different θ values. For the output of a stream cipher, the assumption p = 1/2 is eminently reasonable, and is tested by the basic frequency test which is O(n) in complexity. Once the cipher passes that test, one can apply the tests developed here. We have presented preliminary results on the output of Dragon which deserves further study.

Testing Stream Ciphers by Finding the Longest Substring

133

Acknowledgements The authors acknowledge the constructive comments by the anonymous referees whose suggestions have improved the presentation of the results in this paper.

References 1. Arratia, R., Gordon, L., Waterman, M.S.: The Erd¨ os-R´enyi Law in Distribution, for Coin Tossing and Pattern Matching. Annals of Statistics 18(2), 539–570 (1990) 2. Arratia, R., Waterman, M.S.: The Erd¨ os-R´enyi Strong Law for Pattern Matching with a Given Proportion of Mismatches. Annals of Probability 17(3), 1152–1169 (1989) 3. Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Comm. of the ACM 20(10), 762–772 (1977) 4. L’Ecuyer, P.: Testing Random Number Generators. In: Proceedings of the 1992 Winter Simulation Conference, pp. 305–313 (1992) 5. Erd¨ os, P., R´enyi, A.: On a New Law of Large Numbers. J. Analyse Math. 22, 103–111 (1970) 6. Gonz´ alez, R., Grabowski, S., M¨ akinen, V., Navarro, G.: Practical implementation of rank and select queries. In: Nikoletseas, S.E. (ed.) WEA 2005. LNCS, vol. 3503, pp. 27–38. Springer, Heidelberg (2005) 7. Greenberg, R.I.: Fast and Space-Efficient Location of Heavy or Dense Segments in Run-Length Encoded Sequences. In: Warnow, T.J., Zhu, B. (eds.) COCOON 2003. LNCS, vol. 2697, pp. 528–536. Springer, Heidelberg (2003) 8. Knuth, D.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1981) 9. Marsaglia, G.: A Current View of Random Number Generators. Computer Science and Statistics: The Interface, pp. 3–10. Elsevier Science, Amsterdam (1985) 10. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996) 11. Munro, J.I.: Tables. In: Chandru, V., Vinay, V. (eds.) FSTTCS 1996. LNCS, vol. 1180, pp. 37–42. Springer, Heidelberg (1996) 12. Neuenschwander, D.: Probabilistic and Statistical Methods in Cryptology: An Introduction by Selected Topics. In: Andr´e, E., Dybkjær, L., Minker, W., Heisterkamp, P. (eds.) ADS 2004. LNCS, vol. 3068. Springer, Heidelberg (2004) 13. National Institute of Standards and Technology, Random Number Generation and Testing, Publication SP-800-22 (visited February 4, 2009), http://csrc.nist.gov/rng/ 14. Okanohara, D., Sadakane, K.: Practical entropy-compressed rank/select dictionary. In: Proceedings of the Ninth Workshop on Algorithm Engineering and Experiments (ALENEX 2007) (visited February 6, 2009), http://www.siam.org/proceedings/alenex/2007/ 15. Queensland University of Technology, Information Security Institute, CRYPT-XS, http://www.isi.qut.edu.au/resources/cryptx/ (visited February 6, 2009) 16. Queensland University of Technology, Information Security Institute, Dragon Stream Cipher, http://www.isi.qut.edu.au/resources/dragon/ (visited February 6, 2009) 17. Turan, M.S., Doganaksoy, A., Bozta¸s, S.: On Independence and Sensitivity of Statistical Randomness Tests. In: Golomb, S.W., Parker, M.G., Pott, A., Winterhof, A. (eds.) SETA 2008. LNCS, vol. 5203, pp. 18–29. Springer, Heidelberg (2008)