[Cryptech Tech] NIST and RNG
Bernd Paysan
bernd at net2o.de
Fri Jan 29 19:50:05 UTC 2016
On Friday, 29 January 2016 10:04:44, Russ Housley wrote:
> > https://fcw.com/articles/2016/01/28/crypto-nist-generator.aspx
>
> This is a significant improvement over the past, where NIST has a very short
> list of approved PRNG algorithms, and the only place a vendor could
> innovate was the way the selected algorithm got seeded.
Oh, there was another possible way to be innovative: How to backdoor the PRNG
without being noticed ;-). E.g. on the AES-based PRNG, you could swap entropy
input and counter input (counter=key, entropy=source), and still produce
something that would pass every random number test, but is fully predictable
from the outside...
So far, the new stuff looks promising. Access to noise source and entropy
directly is definitely a big improvement. In the entropy tests I miss those I
do first (because they quickly spot problems): histogram and FFT.
Given that SHA-3 is a NIST-based standard, and Keccak offers a combination of
conditioner and DRBG expander as a single building block, it's a bit strange
that it wasn't added to the recommendation. Just Dual_EC_DRBG was
dropped...
Does that mean the NSA does not like using Keccak in this mode?
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
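The key/counter swap described in the message above, as an added worked example that is not part of the original post and not Cryptech's or Bernd's code. It models a stripped-down AES-128 counter generator with no key update and no reseed (so it is an illustration of the swap, not NIST's CTR_DRBG), assumes a 128-bit entropy input, and uses a constructed 16-byte seed. Both wirings produce output whose bit histogram sits at 0.5; only the swapped one hands its entropy to anyone who sees a single output block and knows the counter.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Both generators below call the same AES-128 block function once per
// output block; only the roles of the two inputs differ:
//
//   proper:  out_i = AES_{entropy}(counter_i)   key secret, plaintext public
//   swapped: out_i = AES_{counter_i}(entropy)   key public, plaintext secret
//
// Simplified model (no key update, no reseed), written to illustrate the
// swap; it is not NIST's CTR_DRBG.
type ctrGen struct {
	entropy [16]byte // the one secret the generator holds (assumed 128 bits)
	counter uint64   // public, incremented once per output block
	swapped bool     // true selects the backdoored wiring
}

func newGen(entropy [16]byte, swapped bool) *ctrGen {
	return &ctrGen{entropy: entropy, swapped: swapped}
}

// counterBlock encodes the 64-bit counter as a 128-bit AES block (low half).
func counterBlock(n uint64) [16]byte {
	var b [16]byte
	binary.BigEndian.PutUint64(b[8:], n)
	return b
}

// aesBlock is one AES-128 block encryption; keys are always 16 bytes here,
// so NewCipher cannot fail in practice.
func aesBlock(key, in [16]byte) [16]byte {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	var out [16]byte
	c.Encrypt(out[:], in[:])
	return out
}

// Next returns the next 128-bit output block.
func (g *ctrGen) Next() [16]byte {
	ctr := counterBlock(g.counter)
	g.counter++
	if g.swapped {
		return aesBlock(ctr, g.entropy) // key = counter, plaintext = entropy
	}
	return aesBlock(g.entropy, ctr) // key = entropy, plaintext = counter
}

// recoverEntropy is the outside attacker against the swapped wiring: the key
// is just the (public) counter, so one observed output block decrypts
// straight back to the entropy input. Against the proper wiring the same
// call returns garbage, because there the counter is the plaintext, not the key.
func recoverEntropy(observed [16]byte, counter uint64) [16]byte {
	ctr := counterBlock(counter)
	c, err := aes.NewCipher(ctr[:])
	if err != nil {
		panic(err)
	}
	var e [16]byte
	c.Decrypt(e[:], observed[:])
	return e
}

// predictSwapped computes output block number `counter` of a swapped
// generator from recovered entropy: after one observed block, every later
// block is predictable.
func predictSwapped(entropy [16]byte, counter uint64) [16]byte {
	return aesBlock(counterBlock(counter), entropy)
}

// onesFraction is a crude bit histogram: the fraction of 1 bits over n
// output blocks. Both wirings land near 0.5, which is why statistical
// tests alone do not catch the swap.
func onesFraction(g *ctrGen, n int) float64 {
	ones := 0
	for i := 0; i < n; i++ {
		blk := g.Next()
		for _, b := range blk {
			ones += bits.OnesCount8(b)
		}
	}
	return float64(ones) / float64(n*128)
}

func main() {
	var entropy [16]byte
	copy(entropy[:], "constructed seed") // constructed stand-in for real entropy
	victim := newGen(entropy, true)
	seen := victim.Next()          // attacker observes block 0 ...
	got := recoverEntropy(seen, 0) // ... and now holds the "secret"
	fmt.Printf("recovered entropy == real: %v\n", got == entropy)
	fmt.Printf("next block predicted:      %v\n", predictSwapped(got, 1) == victim.Next())
	fmt.Printf("ones fraction, proper:     %.4f\n", onesFraction(newGen(entropy, false), 4096))
	fmt.Printf("ones fraction, swapped:    %.4f\n", onesFraction(newGen(entropy, true), 4096))
}
```

The histogram check is deliberately the weakest test in the family; NIST SP 800-22 style suites would pass the swapped generator just the same, since AES of a fixed plaintext under distinct keys is indistinguishable from random for an observer who does not try the obvious decryption. The defect is in the wiring, not in the output distribution, which is the point of the message: review what is keyed with what, not just the test results.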