[PATCH 0/2] SP800-90A DRBG

Stephan Mueller smueller at chronox.de
Wed Feb 17 18:30:36 CET 2016


On Wednesday, 17 February 2016, 17:20:17, Werner Koch wrote:

Hi Werner,

>Hi Stephan,
>
>On Tue, 16 Feb 2016 22:03, smueller at chronox.de said:
>> as the SP800-90A DRBG is considered for inclusion into 1.7, I ported the
>> existing DRBG patch set in [1] to the current git tree of libgcrypt.
>
>Thanks for that update.  Actually integration of your code was on my
>short list.
>
>You added a new API gcry_randomize_drbg along with a new structure and a
>lot of new constants which seem to be only there to expose internal
>stuff.  Why can't we just use a replacement for the current X9.31
>generator?  There should be just an RNG and not a way to configure it.

The question is what kind of support you want to have with the DRBG. The 
implementation in the patch includes all bells and whistles defined in 
SP800-90A. The following listing enumerates options which may be removed from 
the current implementation:

- implementation of either Hash, HMAC or CTR DRBG with only one cipher

- remove prediction resistance

- remove support for additional information

- remove support for personalization string

- remove reseed support

All these items are options at the disposal of the caller.

The mentioned function gcry_randomize_drbg is a convenience wrapper around 
gcry_randomize, as that function has no natural API for supplying an additional 
information string.

I am happy to distill out the unwanted pieces. But I am not sure what I shall 
remove.

Note, the default DRBG is the HMAC DRBG with SHA-256 core without prediction 
resistance. I favor the HMAC DRBGs as they are the leanest ones.

Ciao
Stephan
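To make the options listed above concrete, here is an added example (not code from the patch set or from libgcrypt): a minimal SP800-90A HMAC_DRBG with a SHA-256 core in Python, showing where the personalization string, additional input, reseed and prediction resistance enter the algorithm. The names HmacDrbg and drbg_output are my own, not libgcrypt API.

```python
import hmac, hashlib, os

def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class HmacDrbg:
    """SP800-90A HMAC_DRBG with a SHA-256 core (outlen = 32 bytes)."""
    RESEED_INTERVAL = 1 << 48  # max generate requests before a forced reseed

    def __init__(self, entropy, nonce=b"", personalization=b"",
                 prediction_resistance=False, entropy_source=os.urandom):
        self.pr = prediction_resistance        # reseed before every request
        self.entropy_source = entropy_source   # used for PR / interval reseeds
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self._update(entropy + nonce + personalization)  # Instantiate
        self.reseed_counter = 1

    def _update(self, provided_data):
        # HMAC_DRBG_Update: mix provided_data (may be empty) into K and V
        self.K = _hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = _hmac(self.K, self.V)
        if provided_data:
            self.K = _hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = _hmac(self.K, self.V)

    def reseed(self, entropy, additional_input=b""):
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        if self.pr or self.reseed_counter > self.RESEED_INTERVAL:
            self.reseed(self.entropy_source(32), additional_input)
            additional_input = b""  # already consumed by the reseed
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = _hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)  # backtracking resistance step
        self.reseed_counter += 1
        return out[:nbytes]

def drbg_output(entropy, nonce=b"", pers=b"", nbytes=32, addin=b"",
                reseed_entropy=None, pr=False, src=os.urandom):
    # Hypothetical helper: instantiate, optionally reseed, generate once.
    d = HmacDrbg(entropy, nonce, pers, prediction_resistance=pr, entropy_source=src)
    if reseed_entropy is not None:
        d.reseed(reseed_entropy)
    return d.generate(nbytes, addin)
```

Dropping an option from the API (e.g. additional input or the personalization string) simply fixes the corresponding argument to the empty string; the core Update/Generate logic stays the same.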



More information about the Gcrypt-devel mailing list