MODIFIED NON-OVERLAPPING TEMPLATE MATCHING TEST AND PROPOSAL ON SETTING TEMPLATE


J. Jpn. Soc. Comp. Statist., 27(2014), DOI: /jjscs

Yuichi Takeda, Mituaki Huzii, Norio Watanabe and Toshinari Kamakura

Center for Basic Education and Integrated Learning, Kanagawa Institute of Technology, 1030, Shimo-ogino, Atsugi, Kanagawa , Japan y-takeda@ctr.kanagawa-it.ac.jp
Faculty of Science and Engineering, Chuo University, , Kasuga, Bunkyo, Tokyo , Japan

Key words: Testing randomness; Non-overlapping template matching test; Cryptographic applications; Kolmogorov-Smirnov test

ABSTRACT

Rukhin et al. (2010) proposed the non-overlapping template matching test as one of the methods for statistical testing of randomness in cryptographic applications. This test is very interesting, but its statistical properties and a method for setting the template have not been shown. Our new contribution in this paper is to propose a modified version of this test, including the setting of the template, and to show by simulation studies how this modified test works effectively.

1. Introduction

The need for random and pseudorandom numbers arises in many cryptographic applications, for example, stream ciphers, encryption keys, seed keys and so on (see Shannon (1949), Rivest et al. (1978)). Rukhin et al. (2010) proposed 16 randomness tests for a binary sequence to use in the cryptographic field: Frequency (Monobit) Test, Frequency Test within a Block, Runs Test, Test for the Longest Run of Ones in a Block, Binary Matrix Rank Test, Discrete Fourier Transform (Spectral) Test, Non-overlapping Template Matching Test, Overlapping Template Matching Test, Maurer's Universal Statistical Test, Lempel-Ziv Compression Test, Linear Complexity Test, Serial Test, Approximate Entropy Test, Cumulative Sums (Cusum) Test, Random Excursions Test and Random Excursions Variant Test. These tests attract a lot of attention and are widely used in the cryptographic field (see Szczepanskia et al. (2004), Patidar and Sud (2009)). Among them, some tests are unfamiliar in statistical fields and we consider that deep discussions about these tests from a statistical point of view would be necessary. In this paper, we take up the non-overlapping template matching test and discuss this test from a statistical point of view.

The non-overlapping template matching test would be effective for finding a binary pattern (template) which appears many times. This is important in cryptography. The purpose of this test is to detect a template that is included and has too many occurrences in the sequence. Our sequence is binary and consists of 0 and 1. A template is a pattern consisting of 0 and 1 with a certain length (e.g. $m$ bits). We take a binary sequence of length $n$, which we are going to test. The non-overlapping template matching test proceeds as follows. In the first place, we take the first $m$ bits of the sequence. If these first $m$ bits are the same as the template, we say we have an occurrence and count the occurrence to be one. Then we carry out the same procedure for the sequence starting from the $(m + 1)$-th bit. If the first $m$ bits are not the same as the template, we carry out the same procedure for the sequence starting from the 2nd bit. For example, the template is 101 and the binary sequence is The first 3 bits are 010, and this pattern is not the same as the template. Then the next 3 bits from the 2nd bit through the 4th bit of the sequence are 101, and this pattern is the same as the template. So we say the count of occurrences is 1. Then, skipping the 3rd and 4th bits in the sequence, we start at the 5th bit. So we examine the 5th through 7th bits of the sequence and repeat the same procedure. For this sequence, we say the number of occurrences of the template 101 is two in total.

In general, this test depends on the setting of the template. However, in Rukhin et al. (2010), no method for setting the template is proposed. So, in this paper, we modify this test, propose a method for operating this test, including how we set the template, and show by simulation studies how the method we propose works effectively.

In Rukhin et al. (2010), the authors use a $\chi^2$ statistic for comparing the empirical distribution of the number of occurrences of the template with the theoretical probability distribution under the null hypothesis. However, this is a test about the mean. In cryptographic applications, we consider that we have to pay for frequent occurrences of the template and, this means, it would be better to use a one-sided test and pay our attention to the frequency distribution of the number of occurrences of the template. So we try to test the deviation of the frequency distribution from the probability distribution under the null hypothesis. For obtaining the probability distribution of the number of occurrences of a given template under the null hypothesis, we use the results shown in Guibas and Odlyzko (1981).

In Section 2, we propose a test which is a modification of the non-overlapping template matching test in Rukhin et al. (2010) and propose a method for setting the template; in Section 3, we show by simulation studies how our methods work effectively.
Throughout this paper we use the following setup, notions and notations. We denote a binary sequence as $\{Z_j\}$, which is a sequence of random variables taking values 0 and 1. $Z_j$ denotes a random number or, sometimes, an addition of a word component and a random number. We here discuss the situation in which a word is expressed in $m$ bits and we do not know the value of $m$ when we receive a binary sequence. This is because this case happens frequently in the cryptographic field and, when we know the value of $m$, we can use other more powerful methods (e.g., examining the uniformity of appearance of each $m$-dimensional vector) for finding the template.

Let us denote the template as $B$, e.g. B = when m = 7, and the length of the entire bit string under test as $n$. We assume $B$ is expressed as $B = b_1 b_2 \cdots b_m$, where $b_i = 0$ or $1$. We say $B$ is periodic with period $i$ if we can find an integer $i$ $(1 \le i \le m-1)$ such that

$$b_1 b_2 \cdots b_i b_{i+1} \cdots b_m = b_1 b_2 \cdots b_i b_1 b_2 \cdots. \qquad (1)$$

If $B$ is not periodic, we say $B$ is non-periodic.

Let $\{\xi_i\}$ be a binary sequence constructed by 0 and 1, which is a message. We send the coded binary sequence $\{X_i\}$, where $X_i = \xi_i + Z_i$. Here we adopt the rule: $0+0 = 1+1 = 0$ and $0+1 = 1+0 = 1$. And, if $a, b, x \in \{0, 1\}$, we define $x = b - a$ when $a + x = b$. The null hypothesis concerning $\{Z_i\}$ should be that $\{X_i\}$ cannot be decoded. However, it is very difficult to express "$\{X_i\}$ cannot be decoded" mathematically. Let $\{Z_i\}$ be a sequence of mutually independent random variables where $Z_i$ takes the values 0 and 1 with probability 1/2, respectively. Then we have, for any positive integer $m$ and any $x_l$ which is 0 or 1, for $1 \le l \le m$,

$$\begin{aligned}
P(X_l = x_l;\ 1 \le l \le m) &= \sum_{a_1=0}^{1}\sum_{a_2=0}^{1}\cdots\sum_{a_m=0}^{1} P(Z_l = a_l,\ \xi_l = x_l - a_l;\ 1 \le l \le m) \\
&= \sum_{a_1=0}^{1}\sum_{a_2=0}^{1}\cdots\sum_{a_m=0}^{1} \Big(\prod_{l=1}^{m} P(Z_l = a_l)\Big) P(\xi_l = x_l - a_l;\ 1 \le l \le m) \\
&= \Big(\frac{1}{2}\Big)^{m} \sum_{a_1=0}^{1}\sum_{a_2=0}^{1}\cdots\sum_{a_m=0}^{1} P(\xi_l = x_l - a_l;\ 1 \le l \le m) \\
&= \Big(\frac{1}{2}\Big)^{m}.
\end{aligned}$$

This means that it is difficult to get information about the message $\{\xi_i\}$ from $\{X_i\}$ statistically (see Shannon (1949)). So here, we take the hypothesis "$\{Z_j\}$ is a sequence of mutually independent random variables and $Z_j$ takes 0 and 1 with probability 1/2, respectively" (simply, Simplified Null Hypothesis, abbreviated to SNH) as the null hypothesis in the following.

Let $P(n; k)$ and $P_{per}(n; k)$ denote the probabilities that $B$ occurs $k$ times within an $n$-bit string with non-overlapping when $B$ is non-periodic and periodic, respectively, under the SNH.

(1) Case when $B$ is non-periodic. Let $t(n)$ denote the number of strings of length $n$ which do not contain the template $B$. It is obtained by using Theorem 1 in Guibas and Odlyzko (1981) such that

$$t(n) = 2^n, \quad \text{for } 0 \le n \le m-1,$$
$$t(n+1) = 2t(n) - t(n+1-m), \quad \text{for } n \ge m-1.$$

Then we have

$$P(n; 0) = \frac{t(n)}{2^n}.$$

Using $\{P(l; 0), 1 \le l \le n\}$, we obtain $P(n; k)$, $k \ge 1$, by dividing the whole set of the strings in which $B$ occurs $k$ times within the $n$-bit string into $(n - km + 1)$ disjoint sets of strings, where, in the $j$-th set, the first $(j-1)$ bits do not include $B$, $B$ starts at the $j$-th bit and, from the $(j+m)$-th bit through the $n$-th bit, $B$ is included $(k-1)$ times with non-overlapping. Then we have

$$P(n; k) = \frac{1}{2^m} \sum_{j=1}^{n-km+1} P(j-1; 0)\, P(n-j-m+1; k-1)$$

for $k \ge 1$, with $P(0; 0) = 1$.

(2) Case when $B$ is periodic. Let $ip_1, ip_2, \ldots, ip_L$ $(ip_1 < ip_2 < \cdots < ip_L)$ be the periods of $B$. We assume that those are mutually different and $ip_{l_1}$ is not an integral multiple of $ip_{l_2}$ for any $l_1$ and $l_2$ such that $l_1 \ne l_2$ and $1 \le l_1, l_2 \le L$. The number of strings of length $n$ which do not contain the template $B$ is given as

$$t(n) = 2^n, \quad \text{for } 0 \le n \le m-1,$$
$$t(n+1) = 2t(n) - \sum_{\tau=1}^{[(m-1)/ip_1]} \big( t(n+1-\tau\, ip_1) - 2t(n-\tau\, ip_1) \big) - \sum_{l=2}^{L} \big( t(n+1-ip_l) - 2t(n-ip_l) \big) - t(n+1-m), \quad \text{for } n \ge m-1,$$

by using Theorem 1 in Guibas and Odlyzko (1981). And we have

$$P_{per}(n; 0) = \frac{t(n)}{2^n}.$$

Also we can obtain the number $t_B(j)$ of strings of length $j$ which have only a single appearance of $B$, at the end of the $j$-bit string, by using Theorem 1 in Guibas and Odlyzko (1981). $t_B(j)$ is given as

$$t_B(j) = 0, \quad \text{for } 0 \le j \le m-1, \qquad t_B(m) = 1,$$
$$t_B(j) = 2t_B(j-1) - \sum_{\tau=1}^{[(m-1)/ip_1]} \big( t_B(j-\tau\, ip_1) - 2t_B(j-\tau\, ip_1-1) \big) - \sum_{l=2}^{L} \big( t_B(j-ip_l) - 2t_B(j-ip_l-1) \big) - t_B(j-m), \quad \text{for } j \ge m+1.$$

Now we put

$$P_B(j; 1) = \frac{t_B(j)}{2^j}.$$

Then we have

$$P_{per}(n; 0) = \frac{t(n)}{2^n},$$
$$P_{per}(n; 1) = \sum_{j=m}^{n} P_B(j; 1)\, P_{per}(n-j; 0),$$
$$P_{per}(n; k) = \sum_{j=m}^{n-(k-1)m} P_B(j; 1)\, P_{per}(n-j; k-1), \quad \text{for } 2 \le k \le [n/m],$$
$$P_{per}(n; k) = 0, \quad \text{for } k > [n/m].$$

And the probability distribution function is

$$F_0(k) = \begin{cases} \sum_{u=0}^{k} P(n; u) & \text{when } B \text{ is non-periodic}, \\ \sum_{u=0}^{k} P_{per}(n; u) & \text{when } B \text{ is periodic}, \end{cases}$$

under SNH.

2. Modification of non-overlapping template matching test

In the non-overlapping template matching test, we consider the null hypothesis to be the SNH. It is very difficult to show the alternative hypothesis. In Rukhin et al. (2010), the authors explain that the purpose of this test is to detect generators that produce too many occurrences of a given non-periodic (aperiodic) pattern. Here we take the alternative hypothesis to be "a template of certain length appears too many times". We give a mathematical expression of this alternative hypothesis later. In this paper, we treat not only non-periodic templates but also periodic templates.

The most difficult problem in this test is how to set the template. Rukhin et al. (2010) does not mention this problem much. If we have a pre-specified template $B$ of length $m$, we have to use this template, examine the number of occurrences of the template within an $n$-bit string, and repeat this examination $N$ times. In this case, we know the length of the template. Then we can use another, simpler test for finding extraordinarily many occurrences of the template. Suppose we have a binary string of length $nN$. Then we divide the binary string into $[nN/m]$ segments of length $m$. We assume $B$ appears $\tau_B$ times among the $[nN/m]$ segments. Then we construct the test statistic

$$t_N = \frac{\tau_B - [nN/m]\, 2^{-m}}{\sqrt{[nN/m]\, 2^{-m} \left(1 - 2^{-m}\right)}}.$$

When $N$ tends to $\infty$, we can see that the distribution of $t_N$ tends to the standard Normal distribution $N(0, 1)$ under the SNH. Let $\alpha$ be the level of significance. We consider the case when $N$ is sufficiently large. We obtain a sample value $d$ of the statistic $t_N$ and its p-value $P(t_N \ge d)$. If p-value $\le \alpha$, we reject the SNH.
We consider that our main target of the non-overlapping template matching test is to deal with the case when both the template and its length $m$ are unknown. In the following, we mainly discuss this case. In this case, we have to choose the length $m$ and the template. We formulate our task in the following way.

Experiment A. Let $B$ be a template and $n$ be the length of the entire bit string under test. We examine the number of times that $B$ occurs in this string with non-overlapping. We repeat this operation independently $N$ times and obtain the frequency distribution of the numbers of occurrences in the $n$-bit string.

When we do not know the length $m$ and the template $B$, we have to try the test for all possible $m$'s and $B$'s. However, usually this is too much and too complicated. Here, we propose another method, in which we try to shorten the necessary steps for examining all possible $m$'s and $B$'s. We take a small positive integer $m$, e.g. $m = 3$, and try the test for each of all $2^m$ binary patterns of length $m$. For example, when $m = 3$, we try the test for all possible $2^3$ (= 8) binary patterns, i.e., $B$ = 000, 001, 010, 011, 100, 101, 110, 111. Taking the $2^m$ binary patterns one by one as the template $B$, we carry out the non-overlapping template matching test for the binary sequence under test of length $n$. We summarize our proposed test in the following way.

Short-bit non-overlapping test (Short-Bit-NO-Test). Let $\alpha$ be the level of significance. We set a short length m, which is supposed to be m < m. By considering each of the $2^m$ binary patterns to be the template $B$, we carry out Experiment A, evaluate the value of the Kolmogorov-Smirnov test statistic (one-sided) and obtain the p-value. If we have p-value $< \alpha$, we reject the SNH for the pattern. We carry out this procedure for these patterns.

Let $k$ be the number of occurrences of $B$ with non-overlapping in the binary sequence of length $n$, where $0 \le k \le [n/m]$. Among the $N$ repetitions, we assume $k$ appears $\tau_k$ times. Now we discuss the following two cases.

Case (C-1). We have to find the existence of a template of certain length which has extraordinarily many occurrences in the string, but we do not need to specify the template.

In this case, we have to test the null hypothesis SNH against the alternative hypothesis "the number of times that a template of certain length occurs in the string is greater than the one which is expected under the null hypothesis". More precisely, let $F_0(k)$ be the probability distribution function of the number $k$, which is a nonnegative integer, of times that a template of certain length occurs under the null hypothesis, and $F_A(k)$ be the one of the string we are going to test. Then our alternative hypothesis is that $F_A(k) \le F_0(k)$ and $<$ holds for at least one $k$. The template with which we should carry out Experiment A and Short-Bit-NO-Test is each of the set of $2^m$ binary patterns of length $m$.
If the SNH is rejected for at least one pattern (template), we reject the SNH for the string. Our test procedure is as follows. For each pattern $B$ of the set, we put

$$F_N(k) = \sum_{u=0}^{k} \frac{\tau_u}{N}$$

and

$$F_0(k) = \sum_{u=0}^{k} P(n; u) \quad \text{or} \quad F_0(k) = \sum_{u=0}^{k} P_{per}(n; u),$$

where $P(n; u)$ or $P_{per}(n; u)$ is the probability that $B$ occurs $u$ times within the $n$-bit string with non-overlapping when $B$ is non-periodic or periodic, respectively. By using $F_N(k)$ and $F_0(k)$, we apply the Kolmogorov-Smirnov test (one-sided) for testing the null hypothesis SNH. This means the following. We are concerned with cryptographic applications and interested in extraordinarily many occurrences of a word. So we use a one-sided test. We construct the test statistic (see Conover (1972))

$$D_N = \max\Big( \max_{k} \big( F_0(k) - F_N(k) \big),\ 0 \Big).$$

Let $d > 0$ be a sample value of $D_N$ and put $K = [n/m]$. Then if the p-value, i.e., $P(D_N \ge d)$, is less than the level of significance $\alpha$, we reject the SNH. For $j$, $1 \le j \le N$, we put $c_j = 1 - j/N - d$ when we have $k$, $0 \le k \le K$, such that $j/N + d = F_0(k)$, and $c_j = 1 - F_0(k)$ when we have $k$ such that $F_0(k-1) < j/N + d < F_0(k)$. And we construct the sequence $\{b_k, k \ge 0\}$ by

$$b_k = 1 - \sum_{j=0}^{k-1} \binom{k}{j} c_j^{\,k-j}\, b_j, \quad \text{for } k \ge 1, \qquad (2)$$

with $b_0 = 1$. Then, by using the result in Conover (1972), we have the following.

Theorem 2.1 (Conover). It holds

$$P(D_N \ge d) = \sum_{j=0}^{[N(1-d)]} \binom{N}{j} c_j^{\,N-j}\, b_j.$$

In cryptographic applications, $n$ and $N$ are supposed to be large and, e.g., $n$ is usually assumed to be of the order $10^3$ to $10^7$ (see Rukhin et al. (2010), page 2-2). For applying Theorem 2.1, we have certain difficulty in computation when $N$ is large, especially in simulation studies. Also we may use the asymptotic distribution shown in Theorem in Wood and Altavela (1978) or an approximation by a normal distribution for the statistic $D_N$ when $N$ is sufficiently large. But we need a simpler form for evaluating the p-value, because we have to evaluate the p-value many times for carrying out the methods we propose, especially in simulation studies with large $n$ and $N$. For example, when we use an approximation by a normal distribution, we need the values $\{P(n; u)\}$ or $\{P_{per}(n; u)\}$ under the null hypothesis, which can be obtained recursively with $u$ and $n$ but are difficult to obtain in practical use and lack a clear outlook. So we use the following theorem.

Theorem 2.2. It holds, for $d > 0$,

$$\lim_{N \to \infty} P\big(\sqrt{N} D_N \ge d\big) \le \exp(-2d^2).$$

This result can be obtained in the way shown in Gibbons and Chakraborti (2011), Section 4.4. For any pattern $B$, we obtain the sample value $d$ of the statistic $\sqrt{N} D_N$ for the sample and evaluate its p-value $P(\sqrt{N} D_N \ge d)$. Here we sometimes use the notation $P(\sqrt{N} D_N \ge d; B)$ for $P(\sqrt{N} D_N \ge d)$ to clarify that $\sqrt{N} D_N$ is evaluated under the template $B$. In the following, we consider the case when $N$ is sufficiently large. And, by taking account of Theorem 2.2, we use $\exp(-2d^2)$ instead of the p-value $P(\sqrt{N} D_N \ge d; B)$.
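The Case (C-1) procedure above, as an added Python example that is not code from the paper: it counts non-overlapping occurrences, builds $P(n; k)$ exactly from the non-periodic recursion of Section 1, and evaluates $D_N$ together with the bound $\exp(-2 N D_N^2)$, which is $\exp(-2d^2)$ for the sample value $d$ of $\sqrt{N} D_N$. The function names, the small block sizes and the sample data are assumptions made for the illustration, and periodic patterns are skipped because $P_{per}(n; k)$ is not implemented here.

```python
from fractions import Fraction
from itertools import product
import math
import random


def count_nonoverlapping(bits, template):
    """Scan left to right: after a match skip m bits, otherwise advance one bit."""
    m, i, hits = len(template), 0, 0
    while i + m <= len(bits):
        if bits[i:i + m] == template:
            hits, i = hits + 1, i + m
        else:
            i += 1
    return hits


def is_periodic(template):
    """True if the template has a period i, 1 <= i <= m-1, in the sense of (1)."""
    m = len(template)
    return any(template[i:] == template[:m - i] for i in range(1, m))


def null_pmf(template, n):
    """Exact P(n; k), k = 0..[n/m], for a non-periodic template under the SNH."""
    if is_periodic(template):
        raise ValueError("only the non-periodic recursion is implemented here")
    m = len(template)
    # t[l] = number of l-bit strings that do not contain the template.
    t = [2 ** l for l in range(min(m, n + 1))]
    for l in range(m, n + 1):
        t.append(2 * t[l - 1] - t[l - m])
    # rows[k][l] = P(l; k); row 0 is P(l; 0) = t(l) / 2^l.
    rows = [[Fraction(t[l], 2 ** l) for l in range(n + 1)]]
    for k in range(1, n // m + 1):
        prev, row = rows[k - 1], []
        for l in range(n + 1):
            # First occurrence starts at bit j; the remaining bits hold k-1 more.
            s = sum((rows[0][j - 1] * prev[l - j - m + 1]
                     for j in range(1, l - k * m + 2)), Fraction(0))
            row.append(s / 2 ** m)
        rows.append(row)
    return [rows[k][n] for k in range(n // m + 1)]


def ks_one_sided(counts, pmf):
    """Return D_N = max(max_k(F_0(k) - F_N(k)), 0) and the bound exp(-2 N D_N^2)."""
    N = len(counts)
    f0 = fn = d = Fraction(0)
    for k, p in enumerate(pmf):
        f0 += p                              # F_0(k) under the SNH
        fn += Fraction(counts.count(k), N)   # empirical F_N(k)
        d = max(d, f0 - fn)
    return d, math.exp(-2 * N * float(d) ** 2)


def short_bit_no_test(blocks, m_short, alpha=0.05):
    """Experiment A for each non-periodic m_short-bit pattern; rejected -> bound."""
    n = len(blocks[0])
    rejected = {}
    for pattern in ("".join(p) for p in product("01", repeat=m_short)):
        if is_periodic(pattern):
            continue  # the periodic case needs P_per(n; k), not covered here
        counts = [count_nonoverlapping(b, pattern) for b in blocks]
        d, bound = ks_one_sided(counts, null_pmf(pattern, n))
        if bound < alpha:
            rejected[pattern] = bound
    return rejected


if __name__ == "__main__":
    # Constructed data: N = 200 random 60-bit blocks in which each 4-bit
    # segment is replaced by the template 0001 with probability 0.15.
    rng = random.Random(2014)
    blocks = []
    for _ in range(200):
        segs = ["0001" if rng.random() < 0.15 else
                "".join(rng.choice("01") for _ in range(4)) for _ in range(15)]
        blocks.append("".join(segs))
    for pattern, bound in sorted(short_bit_no_test(blocks, 3).items()):
        print(pattern, f"{bound:.3g}")
```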
Although the result in Theorem 2.2 is an inequality, using $\exp(-2d^2)$ is safer. The function $\exp(-2d^2)$ is a monotone decreasing function of $d$, $d > 0$. Therefore we pay our attention to the value of $d$ for a pattern $B$ when we discuss comparisons among the values $\exp(-2d^2)$.

Case (C-2). We need to specify the template which appears extraordinarily many times.

Now we prepare some notions. Let two patterns be $B_1$ and $B_2$, whose lengths in bits are $m_1$ and $m_2$, respectively. We say a pattern $B$, whose length is $m$, is constructed by combining $B_1$ and $B_2$ if (a) $\max(m_1, m_2) + 1 \le m \le m_1 + m_2$ and (b) the first $m_1$ bits of $B$ are the same as $B_1$ and the last $m_2$ bits are the same as $B_2$, or the first $m_2$ bits of $B$ are the same as $B_2$ and the last $m_1$ bits are the same as $B_1$. We express the set of all patterns which are constructed by combining $B_1$ and $B_2$ by $B_1 B_2$. And let $B_1 = \{B_1^{(t)};\ 1 \le t \le T_1\}$ and $B_2 = \{B_2^{(u)};\ 1 \le u \le T_2\}$ be two sets of patterns, where $T_1$ and $T_2$ are positive integers. Then we mean

$$B_1 B_2 = \{B_1^{(t)} B_2^{(u)};\ 1 \le t \le T_1,\ 1 \le u \le T_2\}.$$

Now our procedure (Specifying Template Procedure; simply, Specify-Temp-Proc), which we propose for specifying the template, is as follows. Let $\alpha$ be the level of significance. We consider the case when $N$ is sufficiently large and use $\exp(-2(d^{(t)})^2)$ instead of the p-value $P(\sqrt{N} D_N \ge d^{(t)}; B^{(t)})$ as in Case (C-1).

First step. We carry out the Short-Bit-NO-Test. If we do not have any $m$-bit pattern $B$ with which the SNH is rejected, we accept the null hypothesis SNH. If we have $m$-bit patterns with which the SNH is rejected, we proceed to the second step. Let $B_1 = \{B_1^{(t)};\ 1 \le t \le T_1\}$ be the set of patterns for which the SNH is rejected in the first step. For any $B_1^{(t)}$, we obtain the sample value $d_1^{(t)}$ of $\sqrt{N} D_N$. Then we have $d_1^{(t)} > \sqrt{-\log \alpha / 2}$.

In general, our procedure is as follows.

$\kappa$-th step ($\kappa \ge 2$). Let $B_{(\kappa-1)} = \{B_{(\kappa-1)}^{(t)};\ 1 \le t \le T_{\kappa-1}\}$, where $T_{\kappa-1}$ is a positive integer, be the set of patterns with which the SNH is rejected in the $(\kappa-1)$-th step. We obtain the sample value $d_{(\kappa-1)}^{(t)}$ of $\sqrt{N} D_N$ for each pattern $B_{(\kappa-1)}^{(t)}$. And, for the $\kappa$-th step, we carry out the Short-Bit-NO-Test for patterns, whose length $m$ satisfies $2^{\kappa-2} m + 1 \le m \le 2^{\kappa-1} m$, belonging to the set $B_{(\kappa-1)} B_{(\kappa-1)}$. By this test, if we do not have any pattern with which the SNH is rejected, we conclude that the template which we are trying to specify is included in the subset of $B_{(\kappa-1)}$ which consists of the patterns whose $d_{(\kappa-1)}^{(t)}$'s attain $\max_{1 \le t \le T_{\kappa-1}} d_{(\kappa-1)}^{(t)}$. If we have patterns with which the SNH is rejected, we carry out the following. Let $B_\kappa = \{B_\kappa^{(t)};\ 1 \le t \le T_\kappa\}$ be the set of patterns with which the SNH is rejected in the $\kappa$-th step. We obtain the sample value $d_\kappa^{(t)}$ of $\sqrt{N} D_N$ for each pattern $B_\kappa^{(t)}$.
If

$$\max_{1 \le t \le T_{\kappa-1}} d_{(\kappa-1)}^{(t)} > \max_{1 \le t \le T_\kappa} d_\kappa^{(t)}$$

holds, we conclude that the template which we are seeking is included in the subset of $B_{(\kappa-1)}$ which is the set of patterns whose $d_{(\kappa-1)}^{(t)}$'s attain $\max_{1 \le t \le T_{\kappa-1}} d_{(\kappa-1)}^{(t)}$. Otherwise we proceed to the $(\kappa+1)$-th step. We continue this process until the $\kappa_0$-th step, where $\kappa_0$ is the pre-assigned value. If we still have the set of patterns $B_{\kappa_0}$ for which the SNH is rejected, and have to proceed to the $(\kappa_0+1)$-th step, we conclude that the template which we are seeking is included in the subset of $B_{\kappa_0}$ which is the set of patterns whose $d_{\kappa_0}^{(t)}$'s take $\max_{1 \le t \le T_{\kappa_0}} d_{\kappa_0}^{(t)}$, where $T_{\kappa_0}$ is a positive integer.

For example, let $m = 3$, $T_1 = 3$ and the patterns $B_1^{(1)} = 001$, $B_1^{(2)} = 010$, $B_1^{(3)} = 101$ be rejected at the first step. The length m of the pattern in the second step is m The patterns for testing the SNH in the second step are

, , 0010, , 01001, , 00101, , , 01010, , 0101, , 1010, ,

The reason why we use a p-value is as follows. Let B = be the template, which we should specify, and 00101, , be the patterns, with which the SNH is rejected in the second step. If the SNH is accepted for each of the patterns {00101, , } {00101, , } in the 3rd step, we can conclude that the set {00101, , } includes the pattern we are seeking and this result is successful. However, sometimes the pattern , which includes B from the first to the 6th bits, will be rejected with high possibility in the 3rd step. This means, with high possibility, that we finally obtain some patterns whose successive 6 bits are B and cannot obtain the exact template. However, in this case, we suppose that the empirical distribution of occurrences of the pattern will be closer to $F_0(k)$ than one of the pattern Therefore we introduced the use of the p-value for specifying the exact template.

There are not many references which discuss the non-overlapping template matching test from a statistical point of view. So it is very difficult to make comparisons with other methods from a statistical point of view. For example, Ryabko et al. (2004) and Ryabko and Monarev (2005) propose some tests for finding words. However, their purposes are different from ours and their alternative hypothesis is that the sequence is generated by a stationary and ergodic source. So it is very difficult to compare our method with their methods from the viewpoint of hypothesis testing. The non-overlapping template matching test proposed in Rukhin et al. (2010) includes a very interesting idea, but it seems to be vague from a statistical point of view, e.g., lacking a proposal for choosing the template. The purpose of this paper is to propose a statistical method which overcomes these points and has a kind of effectiveness from a statistical point of view.
For example, each statistical method used in our proposed method might be replaced by another one which is more efficient from a statistical point of view. Such an issue is our future task.

3. Simulation studies

As it is very difficult to show the good properties of our proposal given in Section 2 generally and mathematically, we show the goodness of our proposal by simulation studies. And also, as is stated in Section 2, it is very hard to compare our method with other methods from a statistical point of view. So we here only show by simulation studies how our method works effectively.

We generate original binary sequences (simply, original sequences), each of which is supposed to satisfy the SNH and has length $nN$ in bits. We modify each of these sequences and construct modified binary sequences to use in our simulation studies in the following way. Let B be a template and m be its length in bits. We divide every original sequence of length $nN$ by m and obtain [nN/ m] segments. Among these segments, we choose randomly $\Gamma$ segments and replace each of these $\Gamma$ segments by B. Thus we have a modified binary sequence (simply, modified sequence) of length $nN$.

In our simulation studies, by using these modified sequences and assuming we have no information on m and B, we examine how we can reject the null hypothesis SNH in Case (C-1) and specify B in Case (C-2) in Section 2, by using Short-Bit-NO-Test and Specify-Temp-Proc, respectively. We take $N$ to be sufficiently large and use $\exp(-2(d^{(t)})^2)$ instead of the p-value $P(\sqrt{N} D_N \ge d^{(t)}; B^{(t)})$.

(1) Simulation studies for Case (C-1).

In our simulation studies, we set $m = 3$, $n = 10^3$, $N = 10^3$, $\alpha = 0.05$ and B is one of all $2^3$ binary patterns in the Short-Bit-NO-Test. We carried out our study for several cases of ( m, B, Γ.ratio), where Γ.ratio = Γ/[nN/ m]. For each case, we repeated our simulation study $10^4$ times. The results are shown in Table 1, in which power means the ratio of rejection, i.e., power = times of rejection

Table 1: Power for Case (C-1) (columns: m, B, power, Γ.ratio)

For the original sequences, we have power = , which corresponds to P( B C(0.05, B)/SNH ), where C(α, B) is the critical region such that P( C(α, B)/SNH ) = α for a template B. From Table 1, we can see that, when Γ.ratio is low, power is not high; however, when Γ.ratio ≥ 0.01, we have power ≥ 0.9. Therefore, we can say the method we proposed is effective for Γ.ratio ≥ 0.01 as far as our simulation studies are concerned.

$n = 10^3$ may be much too large for the sample size for examining the effectiveness of a statistical method, but in cryptographic applications, situations with huge sample sizes are usually discussed. In fact, Rukhin et al. (2010) mentions, on page 2-2, that the size is of the order $10^3$ to $10^7$. So, taking account of applications in the cryptographic field, we set $n = 10^3$ in our simulation studies.

(2) Simulation studies for Case (C-2).

m, n, N, α, B and the number of times of repeating the simulation study are the same as in Case (C-1). We set $\kappa_0 = 9$. For each simulation study, we say that we have success when we can finally find the set of patterns which includes B. And success.ratio means success.ratio = times of success

The results are shown in Table 2. In this table, 1, 2 and 3 mean that success.ratio is 1.00 when Γ.ratio = 0.02, success.ratios are 0.30, 0.58 and 0.76 when Γ.ratio = 0.11, 0.13 and 0.15, respectively, and success.ratio = 1.00 when Γ.ratio = 0.02, respectively. We can see that success.ratio depends on B. As far as our simulation studies are concerned, in many cases, we have success.ratio ≥ 0.9 when Γ.ratio However, when B = , success.ratio still remains 0.19 for Γ.ratio = Anyway, as far as our simulation studies are concerned, the Short-Bit-NO-Test and Specify-Temp-Proc, which we proposed, show satisfactory results for many cases.

Table 2: Success.Ratio for Case (C-2) (columns: m, B, success.ratio, Γ.ratio)

The C(α, B)'s, where B belongs to the set of all $2^m$ patterns of length m, are generally not mutually disjoint with respect to B. Although this fact may affect the success.ratio and the width of the set S(B) of patterns we finally obtained, it is very difficult to show this effect generally. So we showed the goodness of our proposal by simulation studies in Table 2. For example, for the case of B = 0001, Γ.ratio = 0.09 and success.ratio = 0.90 in Table 2, S(B) includes the pattern 0001 (true template) 8,962 times in our simulation studies. The number of elements of S(B) is 1 (only the true template) 8,377 times and is 2 (the patterns are 0001 and 1000) 585 times. In this case the number of elements of S(B) is not large. Also we have to show why the success.ratio is going up slowly as Γ.ratio increases for the string, in which B = is embedded, in Table 2. We would like to leave the above problems for our future tasks.

Acknowledgments

The authors thank Professor Andrew L. Rukhin of the National Institute of Standards and Technology, United States Department of Commerce, for helpful discussions and pointing out an important reference.
They also thank the referees and the editor for helpful comments and suggestions, which were very useful for improving the paper. This work was supported by The Research on Security and Reliability in Electronic Society, Chuo University 21st Century COE Program.

REFERENCES

Conover, W.J. (1972). A Kolmogorov goodness-of-fit test for discontinuous distributions. Journal of the American Statistical Association, 67,

Darling, D.A. (1957). The Kolmogorov-Smirnov, Cramer-von Mises tests. The Annals of Mathematical Statistics, 28,

Gibbons, J. D. and Chakraborti, S. (2011). Nonparametric statistical inference. Fifth edition. Statistics: Textbooks and Monographs. Chapman and Hall/CRC.

Guibas, L. J. and Odlyzko, A. M. (1981). String overlaps, pattern matching, and nontransitive games. Journal of Combinatorial Theory, Series A, 30,

Patidar, V. and Sud, K.K. (2009). A novel pseudo random bit generator based on chaotic standard map and its testing. Electronic Journal of Theoretical Physics, 6,

Pettitt, A.N. and Stephens, M.A. (1977). The Kolmogorov-Smirnov goodness-of-fit statistic with discrete and grouped data. Technometrics, 19,

Rivest, R.L., Shamir, A. and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21,

Ryabko, B.Ya., Stognienko, V.S. and Shokin, Yu.I. (2004). A new test for randomness and its application to some cryptographic problems. Journal of Statistical Planning and Inference, 123,

Ryabko, B.Ya. and Monarev, V.A. (2005). Using information theory approach to randomness testing. Journal of Statistical Planning and Inference, 133,

Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J. and Vo, S. (2010). A statistical test suite for random and pseudorandom number generators for cryptographic applications. NIST Special Publication Revision 1a, The National Institute of Standards and Technology, U.S.A.

Schmid, P. (1958). On the Kolmogorov and Smirnov limit theorems for discontinuous distribution functions. Annals of Mathematical Statistics, 29,

Shannon, C.E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28,

Szczepanskia, J., Wajnryba, E., Amigob, J.M., Sanchez-Vivesc, M. and M. Slaterd. (2004). Biometric random number generators. Computers & Security, 23,

Wood, C.L. and Altavela, M.M. (1978). Large-sample results for Kolmogorov-Smirnov statistics for discrete distributions. Biometrika, 65,

(Received: November 28, 2013, Accepted: August 30, 2014)


More information

NEW ALTERNATE RING-COUPLED MAP FOR MULTI-RANDOM NUMBER GENERATION

NEW ALTERNATE RING-COUPLED MAP FOR MULTI-RANDOM NUMBER GENERATION Accepted for publication in: Journal of Nonlinear Systems and Applications, April 2013 NEW ALTERNATE RING-COUPLED MAP FOR MULTI-RANDOM NUMBER GENERATION Andrea Espinel, Ina Taralova and René Lozi Abstract.

More information

Cube Test Analysis of the Statistical Behavior of CubeHash and Skein

Cube Test Analysis of the Statistical Behavior of CubeHash and Skein Cube Test Analysis of the Statistical Behavior of CubeHash and Skein Alan Kaminsky May, 0 Abstract This work analyzes the statistical properties of the SHA- candidate cryptographic hash algorithms CubeHash

More information

A new simple technique for improving the random properties of chaos-based cryptosystems

A new simple technique for improving the random properties of chaos-based cryptosystems AIP ADVANCES 8, 035004 (2018) A new simple technique for improving the random properties of chaos-based cryptosystems M. Garcia-Bosque, a A. Pérez-Resa, a C. Sánchez-Azqueta, a and S. Celma a Group of

More information

Application of Homogeneity Tests: Problems and Solution

Application of Homogeneity Tests: Problems and Solution Application of Homogeneity Tests: Problems and Solution Boris Yu. Lemeshko (B), Irina V. Veretelnikova, Stanislav B. Lemeshko, and Alena Yu. Novikova Novosibirsk State Technical University, Novosibirsk,

More information

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith Abstract Generating random numbers are mainly used to create secret keys or random

More information

COMPOSITIONS OF LINEAR FUNCTIONS AND APPLICATIONS TO HASHING

COMPOSITIONS OF LINEAR FUNCTIONS AND APPLICATIONS TO HASHING COMPOSITIONS OF LINEAR FUNCTIONS AND APPLICATIONS TO HASHING VLADIMIR SHPILRAIN AND BIANCA SOSNOVSKI ABSTRACT. Cayley hash functions are based on a simple idea of using a pair of (semi)group elements,

More information

ON SMALL SAMPLE PROPERTIES OF PERMUTATION TESTS: INDEPENDENCE BETWEEN TWO SAMPLES

ON SMALL SAMPLE PROPERTIES OF PERMUTATION TESTS: INDEPENDENCE BETWEEN TWO SAMPLES ON SMALL SAMPLE PROPERTIES OF PERMUTATION TESTS: INDEPENDENCE BETWEEN TWO SAMPLES Hisashi Tanizaki Graduate School of Economics, Kobe University, Kobe 657-8501, Japan e-mail: tanizaki@kobe-u.ac.jp Abstract:

More information

Correction of Overlapping Template Matching Test Included in NIST Randomness Test Suite

Correction of Overlapping Template Matching Test Included in NIST Randomness Test Suite 1788 PAPER Special Section on Information Theory and It Application Correction of Overlapping Template Matching Tet Included in NIST Randomne Tet Suite Kenji HAMANO a), Member and Tohinobu KANEKO b), Fellow

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Investigation of goodness-of-fit test statistic distributions by random censored samples

Investigation of goodness-of-fit test statistic distributions by random censored samples d samples Investigation of goodness-of-fit test statistic distributions by random censored samples Novosibirsk State Technical University November 22, 2010 d samples Outline 1 Nonparametric goodness-of-fit

More information

DNA Secret Writing With Laplace Transform

DNA Secret Writing With Laplace Transform International Journal of Computer Applications (975 8887) Volume 5 No.5, July 22 DNA Secret Writing With Laplace Transform Sukalyan Som Department of Computer Science Barrackpore Rastraguru Surendranath

More information

On the Design of LIL Tests for (Pseudo) Random Generators and Some Experimental Results

On the Design of LIL Tests for (Pseudo) Random Generators and Some Experimental Results On the Design of LIL Tests for (Pseudo) Random Generators and Some Experimental Results Yongge Wang Dept. SIS, UNC Charlotte Charlotte, NC 83, USA Email: yongge.wang@uncc.edu Abstract Random numbers have

More information

B. Encryption using quasigroup

B. Encryption using quasigroup Sequence Randomization Using Quasigroups and Number Theoretic s Vaignana Spoorthy Ella Department of Computer Science Oklahoma State University Stillwater, Oklahoma, USA spoorthyella@okstateedu Abstract

More information

A Pseudo Random Bit Generator Based on Chaotic Logistic Map and its Statistical Testing

A Pseudo Random Bit Generator Based on Chaotic Logistic Map and its Statistical Testing Informatica 33 (29) 441 452 441 A Pseudo Random Bit Generator Based on Chaotic Logistic Map and its Statistical Testing Vinod Patidar and K. K. Sud Department of Basic Sciences, School of Engineering,

More information

THE RSA ENCRYPTION SCHEME

THE RSA ENCRYPTION SCHEME THE RSA ENCRYPTION SCHEME Contents 1. The RSA Encryption Scheme 2 1.1. Advantages over traditional coding methods 3 1.2. Proof of the decoding procedure 4 1.3. Security of the RSA Scheme 4 1.4. Finding

More information

Exact goodness-of-fit tests for censored data

Exact goodness-of-fit tests for censored data Exact goodness-of-fit tests for censored data Aurea Grané Statistics Department. Universidad Carlos III de Madrid. Abstract The statistic introduced in Fortiana and Grané (23, Journal of the Royal Statistical

More information

Testing Goodness-of-Fit for Exponential Distribution Based on Cumulative Residual Entropy

Testing Goodness-of-Fit for Exponential Distribution Based on Cumulative Residual Entropy This article was downloaded by: [Ferdowsi University] On: 16 April 212, At: 4:53 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 172954 Registered office: Mortimer

More information

A Comparison of Methods for Redundancy Reduction in Recurrence Time Coding

A Comparison of Methods for Redundancy Reduction in Recurrence Time Coding 1 1 A Comparison of Methods for Redundancy Reduction in Recurrence Time Coding Hidetoshi Yokoo, Member, IEEE Abstract Recurrence time of a symbol in a string is defined as the number of symbols that have

More information

A NEW RANDOM NUMBER GENERATOR USING FIBONACCI SERIES

A NEW RANDOM NUMBER GENERATOR USING FIBONACCI SERIES International J. of Math. Sci. & Engg. Appls. (IJMSEA) ISSN 0973-9424, Vol. 11 No. I (April, 2017), pp. 185-193 A NEW RANDOM NUMBER GENERATOR USING FIBONACCI SERIES KOTTA NAGALAKSHMI RACHANA 1 AND SOUBHIK

More information

THE CUBIC PUBLIC-KEY TRANSFORMATION*

THE CUBIC PUBLIC-KEY TRANSFORMATION* CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes

More information

Research Article A Novel True Random Number Generator Based on Mouse Movement and a One-Dimensional Chaotic Map

Research Article A Novel True Random Number Generator Based on Mouse Movement and a One-Dimensional Chaotic Map Hindawi Publishing Corporation Mathematical Problems in Engineering Volume 22, Article ID 9382, 9 pages doi:.55/22/9382 Research Article A Novel True Random Number Generator Based on Mouse Movement and

More information

CPSC 531: Random Numbers. Jonathan Hudson Department of Computer Science University of Calgary

CPSC 531: Random Numbers. Jonathan Hudson Department of Computer Science University of Calgary CPSC 531: Random Numbers Jonathan Hudson Department of Computer Science University of Calgary http://www.ucalgary.ca/~hudsonj/531f17 Introduction In simulations, we generate random values for variables

More information

A comparison study of the nonparametric tests based on the empirical distributions

A comparison study of the nonparametric tests based on the empirical distributions 통계연구 (2015), 제 20 권제 3 호, 1-12 A comparison study of the nonparametric tests based on the empirical distributions Hyo-Il Park 1) Abstract In this study, we propose a nonparametric test based on the empirical

More information

Minimal basis for connected Markov chain over 3 3 K contingency tables with fixed two-dimensional marginals. Satoshi AOKI and Akimichi TAKEMURA

Minimal basis for connected Markov chain over 3 3 K contingency tables with fixed two-dimensional marginals. Satoshi AOKI and Akimichi TAKEMURA Minimal basis for connected Markov chain over 3 3 K contingency tables with fixed two-dimensional marginals Satoshi AOKI and Akimichi TAKEMURA Graduate School of Information Science and Technology University

More information

USING POLY-DRAGON CRYPTOSYSTEM IN A PSEUDORANDOM NUMBER GENERATOR MSTg. 1. Introduction

USING POLY-DRAGON CRYPTOSYSTEM IN A PSEUDORANDOM NUMBER GENERATOR MSTg. 1. Introduction t m Mathematical Publications DOI: 10.2478/tmmp-2014-0030 Tatra Mt. Math. Publ. 61 (2014), 105 116 USING POLY-DRAGON CRYPTOSYSTEM IN A PSEUDORANDOM NUMBER GENERATOR MSTg Viliam Hromada Milan Vojvoda ABSTRACT.

More information

CHAPTER-1 INTRODUCTION

CHAPTER-1 INTRODUCTION CHAPTER-1 1.1 Need for Security INTRODUCTION The present era of data explosion involves the necessity of high efficiency in terms of data capacity and data security [1]. As the data collection and processing

More information

1 Ex. 1 Verify that the function H(p 1,..., p n ) = k p k log 2 p k satisfies all 8 axioms on H.

1 Ex. 1 Verify that the function H(p 1,..., p n ) = k p k log 2 p k satisfies all 8 axioms on H. Problem sheet Ex. Verify that the function H(p,..., p n ) = k p k log p k satisfies all 8 axioms on H. Ex. (Not to be handed in). looking at the notes). List as many of the 8 axioms as you can, (without

More information

MARKOV CHAINS A finite state Markov chain is a sequence of discrete cv s from a finite alphabet where is a pmf on and for

MARKOV CHAINS A finite state Markov chain is a sequence of discrete cv s from a finite alphabet where is a pmf on and for MARKOV CHAINS A finite state Markov chain is a sequence S 0,S 1,... of discrete cv s from a finite alphabet S where q 0 (s) is a pmf on S 0 and for n 1, Q(s s ) = Pr(S n =s S n 1 =s ) = Pr(S n =s S n 1

More information

Exact goodness-of-fit tests for censored data

Exact goodness-of-fit tests for censored data Ann Inst Stat Math ) 64:87 3 DOI.7/s463--356-y Exact goodness-of-fit tests for censored data Aurea Grané Received: February / Revised: 5 November / Published online: 7 April The Institute of Statistical

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

arxiv: v1 [cs.cr] 18 Jul 2009

arxiv: v1 [cs.cr] 18 Jul 2009 Breaking a Chaotic Cryptographic Scheme Based on Composition Maps Chengqing Li 1, David Arroyo 2, and Kwok-Tung Lo 1 1 Department of Electronic and Information Engineering, The Hong Kong Polytechnic University,

More information

Analysis of FIPS Test and Chaos-Based Pseudorandom Number Generator

Analysis of FIPS Test and Chaos-Based Pseudorandom Number Generator Chaotic Modeling and Simulation (CMSIM) : 73 80, 013 Analysis of FIPS 140- Test and Chaos-Based Pseudorandom Number Generator Lequan Min, Tianyu Chen, and Hongyan Zang Mathematics and Physics School, University

More information

Testing the Reliability of Statistical Tests for Pseudorandom Number Generators

Testing the Reliability of Statistical Tests for Pseudorandom Number Generators Testing the Reliability of Statistical Tests for Pseudorandom Number Generators Hiroshi Haramoto (Ehime Univ.) joint work with Makoto Matsumoto (Hiroshima Univ.) July, 3rd, 2018 This work is supported

More information

Pattern correlation matrices and their properties

Pattern correlation matrices and their properties Linear Algebra and its Applications 327 (2001) 105 114 www.elsevier.com/locate/laa Pattern correlation matrices and their properties Andrew L. Rukhin Department of Mathematics and Statistics, University

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

On Universal Types. Gadiel Seroussi Hewlett-Packard Laboratories Palo Alto, California, USA. University of Minnesota, September 14, 2004

On Universal Types. Gadiel Seroussi Hewlett-Packard Laboratories Palo Alto, California, USA. University of Minnesota, September 14, 2004 On Universal Types Gadiel Seroussi Hewlett-Packard Laboratories Palo Alto, California, USA University of Minnesota, September 14, 2004 Types for Parametric Probability Distributions A = finite alphabet,

More information

Random Number Generation. CS1538: Introduction to simulations

Random Number Generation. CS1538: Introduction to simulations Random Number Generation CS1538: Introduction to simulations Random Numbers Stochastic simulations require random data True random data cannot come from an algorithm We must obtain it from some process

More information

Information Theory and Coding Techniques: Chapter 1.1. What is Information Theory? Why you should take this course?

Information Theory and Coding Techniques: Chapter 1.1. What is Information Theory? Why you should take this course? Information Theory and Coding Techniques: Chapter 1.1 What is Information Theory? Why you should take this course? 1 What is Information Theory? Information Theory answers two fundamental questions in

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

On Lempel-Ziv Complexity of Sequences

On Lempel-Ziv Complexity of Sequences On Lempel-Ziv Complexity of Sequences Ali Doğanaksoy 1,2,4 and Faruk Göloğlu 2,3 1 Department of Mathematics, Middle East Technical University Ankara, Turkey aldoks@metu.edu.tr 2 Institute of Applied Mathematics,

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Pseudorandom number generators based on random covers for finite groups

Pseudorandom number generators based on random covers for finite groups Pseudorandom number generators based on random covers for finite groups Pascal Marquardt Pavol Svaba Tran van Trung Institut für Experimentelle Mathematik Universität Duisburg-Essen Ellernstrasse 29 45326

More information

CUSUM(t) D data. Supplementary Figure 1: Examples of changes in linear trend and CUSUM. (a) The existence of

CUSUM(t) D data. Supplementary Figure 1: Examples of changes in linear trend and CUSUM. (a) The existence of Supplementary Figures a b a(t) a(t) c t d t d(t) d(t) t t e f CUSUM(t) D data t CUSUM(t) D data t Supplementary Figure 1: Examples of changes in linear trend and CUSUM. (a) The existence of an abrupt jump

More information

A fast modular multiplication algorithm for calculating the product AB modulo N

A fast modular multiplication algorithm for calculating the product AB modulo N Information Processing Letters 72 (1999) 77 81 A fast modular multiplication algorithm for calculating the product AB modulo N Chien-Yuan Chen a,, Chin-Chen Chang b,1 a Department of Information Engineering,

More information

Fourier Series Approximation for the Generalized Baumgartner Statistic

Fourier Series Approximation for the Generalized Baumgartner Statistic Communications of the Korean Statistical Society 2012, Vol. 19, No. 3, 451 457 DOI: http://dx.doi.org/10.5351/ckss.2012.19.3.451 Fourier Series Approximation for the Generalized Baumgartner Statistic Hyung-ae

More information

Weak key analysis for chaotic cipher based on randomness properties

Weak key analysis for chaotic cipher based on randomness properties . RESEARCH PAPER. SCIENCE CHINA Information Sciences May 01 Vol. 55 No. 5: 116 1171 doi: 10.1007/s1143-011-4401-x Weak key analysis for chaotic cipher based on randomness properties YIN RuMing, WANG Jian,

More information

Modified Kolmogorov-Smirnov Test of Goodness of Fit. Catalonia-BarcelonaTECH, Spain

Modified Kolmogorov-Smirnov Test of Goodness of Fit. Catalonia-BarcelonaTECH, Spain 152/304 CoDaWork 2017 Abbadia San Salvatore (IT) Modified Kolmogorov-Smirnov Test of Goodness of Fit G.S. Monti 1, G. Mateu-Figueras 2, M. I. Ortego 3, V. Pawlowsky-Glahn 2 and J. J. Egozcue 3 1 Department

More information

Math 412: Number Theory Lecture 13 Applications of

Math 412: Number Theory Lecture 13 Applications of Math 412: Number Theory Lecture 13 Applications of Gexin Yu gyu@wm.edu College of William and Mary Partition of integers A partition λ of the positive integer n is a non increasing sequence of positive

More information

Chaitin Ω Numbers and Halting Problems

Chaitin Ω Numbers and Halting Problems Chaitin Ω Numbers and Halting Problems Kohtaro Tadaki Research and Development Initiative, Chuo University CREST, JST 1 13 27 Kasuga, Bunkyo-ku, Tokyo 112-8551, Japan E-mail: tadaki@kc.chuo-u.ac.jp Abstract.

More information

PERFECTLY secure key agreement has been studied recently

PERFECTLY secure key agreement has been studied recently IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract

More information

CS4800: Algorithms & Data Jonathan Ullman

CS4800: Algorithms & Data Jonathan Ullman CS4800: Algorithms & Data Jonathan Ullman Lecture 22: Greedy Algorithms: Huffman Codes Data Compression and Entropy Apr 5, 2018 Data Compression How do we store strings of text compactly? A (binary) code

More information

Evolutionary generation and degeneration of randomness to assess the indepedence of the Ent test battery

Evolutionary generation and degeneration of randomness to assess the indepedence of the Ent test battery Evolutionary generation and degeneration of randomness to assess the indepedence of the Ent test battery Julio Hernandez-Castro, David F. Barrero Abstract Randomness tests are a key tool to assess the

More information

Cryptography. pieces from work by Gordon Royle

Cryptography. pieces from work by Gordon Royle Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We

More information

Karaliopoulou Margarita 1. Introduction

Karaliopoulou Margarita 1. Introduction ESAIM: Probability and Statistics URL: http://www.emath.fr/ps/ Will be set by the publisher ON THE NUMBER OF WORD OCCURRENCES IN A SEMI-MARKOV SEQUENCE OF LETTERS Karaliopoulou Margarita 1 Abstract. Let

More information

18.310A Final exam practice questions

18.310A Final exam practice questions 18.310A Final exam practice questions This is a collection of practice questions, gathered randomly from previous exams and quizzes. They may not be representative of what will be on the final. In particular,

More information

Uniform Random Binary Floating Point Number Generation

Uniform Random Binary Floating Point Number Generation Uniform Random Binary Floating Point Number Generation Prof. Dr. Thomas Morgenstern, Phone: ++49.3943-659-337, Fax: ++49.3943-659-399, tmorgenstern@hs-harz.de, Hochschule Harz, Friedrichstr. 57-59, 38855

More information

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred

More information

Weak key-iv Pairs in the A5/1 Stream Cipher

Weak key-iv Pairs in the A5/1 Stream Cipher Weak -IV Pairs in the A5/1 Stream Cipher Ali Alhamdan Harry Bartlett Ed Dawson Leonie Simpson Kenneth Koon-Ho Wong Institute for Future Environments Science and Engineering Faculty Queensland University

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Kolmogorov-Loveland Randomness and Stochasticity

Kolmogorov-Loveland Randomness and Stochasticity Kolmogorov-Loveland Randomness and Stochasticity Wolfgang Merkle 1 Joseph Miller 2 André Nies 3 Jan Reimann 1 Frank Stephan 4 1 Institut für Informatik, Universität Heidelberg 2 Department of Mathematics,

More information

Lecture 1: September 25, A quick reminder about random variables and convexity

Lecture 1: September 25, A quick reminder about random variables and convexity Information and Coding Theory Autumn 207 Lecturer: Madhur Tulsiani Lecture : September 25, 207 Administrivia This course will cover some basic concepts in information and coding theory, and their applications

More information

On bounded redundancy of universal codes

On bounded redundancy of universal codes On bounded redundancy of universal codes Łukasz Dębowski Institute of omputer Science, Polish Academy of Sciences ul. Jana Kazimierza 5, 01-248 Warszawa, Poland Abstract onsider stationary ergodic measures

More information

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING

More information

A new class of scalable parallel pseudorandom number generators based on Pohlig-Hellman exponentiation ciphers

A new class of scalable parallel pseudorandom number generators based on Pohlig-Hellman exponentiation ciphers University of Colorado Boulder From the SelectedWorks of Paul Beale 2014 A new class of scalable parallel pseudorandom number generators based on Pohlig-Hellman exponentiation ciphers Paul Beale, University

More information

An Algebraic Framework for Cipher Embeddings

An Algebraic Framework for Cipher Embeddings An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom

More information

An introduction to basic information theory. Hampus Wessman

An introduction to basic information theory. Hampus Wessman An introduction to basic information theory Hampus Wessman Abstract We give a short and simple introduction to basic information theory, by stripping away all the non-essentials. Theoretical bounds on

More information

Sources of randomness

Sources of randomness Random Number Generator Chapter 7 In simulations, we generate random values for variables with a specified distribution Ex., model service times using the exponential distribution Generation of random

More information

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming Bala Krishnamoorthy William Webb Nathan Moyer Washington State University ISMP 2006 August 2, 2006 Public Key

More information

Image and Multidimensional Signal Processing

Image and Multidimensional Signal Processing Image and Multidimensional Signal Processing Professor William Hoff Dept of Electrical Engineering &Computer Science http://inside.mines.edu/~whoff/ Image Compression 2 Image Compression Goal: Reduce amount

More information

Smart Hill Climbing Finds Better Boolean Functions

Smart Hill Climbing Finds Better Boolean Functions Smart Hill Climbing Finds Better Boolean Functions William Millan, Andrew Clark and Ed Dawson Information Security Research Centre Queensland University of Technology GPO Box 2434, Brisbane, Queensland,

More information

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number Topic Contents Factoring Methods Unit 3 The smallest divisor of an integer The GCD of two numbers Generating prime numbers Computing prime factors of an integer Generating pseudo random numbers Raising

More information

A novel parallel hash function based on 3D chaotic map

A novel parallel hash function based on 3D chaotic map Akhavan et al. EURASIP Journal on Advances in Signal Processing 2013, 2013:126 RESEARCH A novel parallel hash function based on 3D chaotic map Amir Akhavan 1*, Azman Samsudin 1 and Afshin Akhshani 2 Open

More information

Multiprime Blum-Blum-Shub pseudorandom number generator

Multiprime Blum-Blum-Shub pseudorandom number generator Calhoun: The NPS Institutional Archive DSpace Repository Theses and Dissertations 1. Thesis and Dissertation Collection, all items 2016-09 Multiprime Blum-Blum-Shub pseudorandom number generator Shrestha,

More information

RSA ENCRYPTION USING THREE MERSENNE PRIMES

RSA ENCRYPTION USING THREE MERSENNE PRIMES Int. J. Chem. Sci.: 14(4), 2016, 2273-2278 ISSN 0972-768X www.sadgurupublications.com RSA ENCRYPTION USING THREE MERSENNE PRIMES Ch. J. L. PADMAJA a*, V. S. BHAGAVAN a and B. SRINIVAS b a Department of

More information

A Fast Chaos-Based Pseudo-Random Bit Generator Using Binary64 Floating-Point Arithmetic
