Archived NIST Technical Series Publication
The attached publication has been archived (withdrawn), and is provided solely for historical purposes.
It may have been superseded by another publication (indicated below).
Archived Publication
Series/Number: Special Publication 800-90A
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Publication Date(s): January 2012
Withdrawal Date: June 2015
Withdrawal Note:
NIST Released Special Publication (SP) 800-90A Revision 1,
Recommendation for Random Number Generation Using Deterministic
Random Bit Generators
June 25, 2015
NIST announces the completion of Revision 1 of NIST Special Publication
(SP) 800-90A, Recommendation for Random Number Generation Using
Deterministic Random Bit Generators. This Recommendation specifies
mechanisms for the generation of random bits using deterministic
methods. In this revision, the specification of the Dual_EC_DRBG has been
removed. The remaining DRBGs (i.e., Hash_DRBG, HMAC_DRBG and
CTR_DRBG) are recommended for use. Other changes included in this
revision are listed in an appendix.
Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: Special Publication 800-90A Revision 1
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Author(s): Elaine Barker, John Kelsey
Publication Date(s): June 2015
URL/DOI:
Direct Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
DOI: http://dx.doi.org/10.6028/NIST.SP.800-90Ar1
Date updated: May 18, 2016
NIST SP 800-90A
January 2012
NIST Special Publication 800-90A
Recommendation for Random Number
Generation Using Deterministic
Random Bit Generators
Elaine Barker and John Kelsey
Computer Security Division
Information Technology Laboratory
COMPUTER SECURITY
January 2012
U.S. Department of Commerce
John Bryson, Secretary
National Institute of Standards and Technology
Patrick Gallagher, Director Under Secretary
of Commerce for Standards and Technology
Abstract
This Recommendation specifies mechanisms for the generation of random bits using
deterministic methods. The methods provided are based on either hash functions, block
cipher algorithms or number theoretic problems.
KEY WORDS: deterministic random bit generator (DRBG); entropy; hash function;
random number generator
Acknowledgements
The National Institute of Standards and Technology (NIST) gratefully acknowledges and
appreciates contributions by Mike Boyle and Mary Baish from NSA for assistance in the
development of this Recommendation. NIST also thanks the many contributions by the
public and private sectors.
Table of Contents
1 Authority
2 Introduction
3 Scope
4 Terms and Definitions
5 Symbols and Abbreviated Terms
6 Document Organization
7 Functional Model of a DRBG
7.1 Entropy Input
7.2 Other Inputs
7.3 The Internal State
7.4 The DRBG Mechanism Functions
8 DRBG Mechanism Concepts and General Requirements
8.1 DRBG Mechanism Functions
8.2 DRBG Instantiations
8.3 Internal States
8.4 Security Strengths Supported by an Instantiation
8.5 DRBG Mechanism Boundaries
8.6 Seeds
8.6.1 Seed Construction for Instantiation
8.6.2 Seed Construction for Reseeding
8.6.3 Entropy Requirements for the Entropy Input
8.6.4 Seed Length
8.6.5 Source of Entropy Input
8.6.6 Entropy Input and Seed Privacy
8.6.7 Nonce
8.6.8 Reseeding
8.6.9 Seed Use
8.6.10 Entropy Input and Seed Separation
8.7 Other Input to the DRBG Mechanism
8.7.1 Personalization String
8.7.2 Additional Input
8.8 Prediction Resistance and Backtracking Resistance
9 DRBG Mechanism Functions
9.1 Instantiating a DRBG
9.2 Reseeding a DRBG Instantiation
9.3 Generating Pseudorandom Bits Using a DRBG
9.3.1 The Generate Function
9.3.2 Reseeding at the End of the Seedlife
9.3.3 Handling Prediction Resistance Requests
9.4 Removing a DRBG Instantiation
10 DRBG Algorithm Specifications
10.1 DRBG Mechanisms Based on Hash Functions
10.1.1 Hash_DRBG
10.1.1.1 Hash_DRBG Internal State
10.1.1.2 Instantiation of Hash_DRBG
10.1.1.3 Reseeding a Hash_DRBG Instantiation
10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG
10.1.2 HMAC_DRBG
10.1.2.1 HMAC_DRBG Internal State
10.1.2.2 The HMAC_DRBG Update Function (Update)
10.1.2.3 Instantiation of HMAC_DRBG
10.1.2.4 Reseeding an HMAC_DRBG Instantiation
10.1.2.5 Generating Pseudorandom Bits Using HMAC_DRBG
10.2 DRBG Mechanisms Based on Block Ciphers
10.2.1 CTR_DRBG
10.2.1.1 CTR_DRBG Internal State
10.2.1.2 The Update Function (CTR_DRBG_Update)
10.2.1.3 Instantiation of CTR_DRBG
10.2.1.4 Reseeding a CTR_DRBG Instantiation
10.2.1.5 Generating Pseudorandom Bits Using CTR_DRBG
10.3 DRBG Mechanisms Based on Number Theoretic Problems
10.3.1 Dual Elliptic Curve Deterministic RBG (Dual_EC_DRBG)
10.3.1.1 Dual_EC_DRBG Internal State
10.3.1.2 Instantiation of Dual_EC_DRBG
10.3.1.3 Reseeding of a Dual_EC_DRBG Instantiation
10.3.1.4 Generating Pseudorandom Bits Using Dual_EC_DRBG
10.4 Auxiliary Functions
10.4.1 Derivation Function Using a Hash Function (Hash_df)
10.4.2 Derivation Function Using a Block Cipher Algorithm (Block_Cipher_df)
10.4.3 BCC Function
11 Assurance
11.1 Minimal Documentation Requirements
11.2 Implementation Validation Testing
11.3 Health Testing
11.3.1 Known Answer Testing
11.3.2 Testing the Instantiate Function
11.3.3 Testing the Generate Function
11.3.4 Testing the Reseed Function
11.3.5 Testing the Uninstantiate Function
11.3.6 Error Handling
11.3.6.1 Errors Encountered During Normal Operation
11.3.6.2 Errors Encountered During Health Testing
Appendix A: (Normative) Application-Specific Constants
A.1 Constants for the Dual_EC_DRBG
A.1.1 Curve P-256
A.1.2 Curve P-384
A.1.3 Curve P-521
A.2 Using Alternative Points in the Dual_EC_DRBG
A.2.1 Generating Alternative P, Q
A.2.2 Additional Self-testing Required for Alternative P, Q
Appendix B: (Normative) Conversion and Auxiliary Routines
B.1 Bitstring to an Integer
B.2 Integer to a Bitstring
B.3 Integer to a Byte String
B.4 Byte String to an Integer
B.5 Converting Random Numbers from/to Random Bits
B.5.1 Converting Random Bits into a Random Number
B.5.1.1 The Simple Discard Method
B.5.1.2 The Complex Discard Method
B.5.1.3 The Simple Modular Method
B.5.1.4 The Complex Modular Method
B.5.2 Converting a Random Number into Random Bits
B.5.2.1 The No Skew (Variable Length Extraction) Method
B.5.2.2 The Negligible Skew (Fixed Length Extraction) Method
Appendix C: (Informative) Security Considerations when Extracting Bits in the Dual_EC_DRBG
C.1 Potential Bias Due to Modular Arithmetic for Curves Over Fp
C.2 Adjusting for the missing bit(s) of entropy in the x coordinates.
Appendix D: (Informative) Example Pseudocode for Each DRBG Mechanism
D.1 Hash_DRBG Example
D.1.1 Instantiation of Hash_DRBG
D.1.2 Reseeding a Hash_DRBG Instantiation
D.1.3 Generating Pseudorandom Bits Using Hash_DRBG
D.2 HMAC_DRBG Example
D.2.1 Instantiation of HMAC_DRBG
D.2.2 Generating Pseudorandom Bits Using HMAC_DRBG
D.3 CTR_DRBG Example Using a Derivation Function
D.3.1 The CTR_DRBG_Update Function
D.3.2 Instantiation of CTR_DRBG Using a Derivation Function
D.3.3 Reseeding a CTR_DRBG Instantiation Using a Derivation Function
D.3.4 Generating Pseudorandom Bits Using CTR_DRBG
D.4 CTR_DRBG Example Without a Derivation Function
D.4.1 The CTR_DRBG_Update Function
D.4.2 Instantiation of CTR_DRBG Without a Derivation Function