An Analysis of the NIST SP 800-90A Standard

Joanne Woodage and Dan Shumow

Abstract: We conduct a multi-faceted investigation of the security properties of the three deterministic random bit generator (DRBG) mechanisms recommended in the NIST SP 800-90A standard [4]. This standard received a considerable amount of negative attention due to the controversy and problems surrounding the now-retracted Dual_EC_DRBG, which was included in earlier revisions. Perhaps because of the attention paid to Dual_EC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper provides an analysis of the remaining DRBG algorithms in NIST SP 800-90A. We uncover a mix of positive and less-than-positive results, emphasizing and addressing the gap between theoretical models and the NIST DRBGs as specified and used. As an initial positive result, we verify claims in the standard by proving (with a few caveats) the forward security of all three DRBGs. However, digging deeper into the flexibility in implementation and usage choices permitted by the standard, we uncover some undesirable properties of these standardized DRBGs. Specifically, we argue that these DRBGs have the property that leaking certain parts of the state may lead to catastrophic failure of the algorithm. Furthermore, we show that flexibility in the specification allows implementers and users of these algorithms to make choices that considerably weaken the algorithms in these scenarios.

Category / Keywords: pseudorandom generators, standards

Date: received 13 Apr 2018, last revised 17 Apr 2018

Contact author: joanne woodage 2014 at rhul ac uk

Version: 20180418:192858

