
Random-number-related standard: SP800-90A.pdf

Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: Special Publication 800-90A
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Publication Date(s): January 2012
Withdrawal Date: June 2015

Withdrawal Note: NIST released Special Publication (SP) 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, on June 25, 2015. NIST announces the completion of Revision 1 of NIST Special Publication (SP) 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. In this revision, the specification of the Dual_EC_DRBG has been removed. The remaining DRBGs (i.e., Hash_DRBG, HMAC_DRBG and CTR_DRBG) are recommended for use. Other changes included in this revision are listed in an appendix.

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: Special Publication 800-90A Revision 1
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Author(s): Elaine Barker, John Kelsey
Publication Date(s): June 2015
URL/DOI:
Direct Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
DOI: http://dx.doi.org/10.6028/NIST.SP.800-90Ar1
Date updated: May 18, 2016

NIST SP 800-90A, January 2012

NIST Special Publication 800-90A
Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Elaine Barker and John Kelsey
Computer Security Division
Information Technology Laboratory
COMPUTER SECURITY
January 2012
U.S. Department of Commerce, John Bryson, Secretary
National Institute of Standards and Technology, Patrick Gallagher, Director, Under Secretary of Commerce for Standards and Technology
Abstract

This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions, block cipher algorithms or number theoretic problems.

KEY WORDS: deterministic random bit generator (DRBG); entropy; hash function; random number generator
Acknowledgements

The National Institute of Standards and Technology (NIST) gratefully acknowledges and appreciates the contributions of Mike Boyle and Mary Baish from NSA for their assistance in the development of this Recommendation. NIST also thanks the public and private sectors for their many contributions.
Table of Contents

1 Authority ..... 1
2 Introduction ..... 2
3 Scope ..... 3
4 Terms and Definitions ..... 4
5 Symbols and Abbreviated Terms ..... 10
6 Document Organization ..... 12
7 Functional Model of a DRBG ..... 13
7.1 Entropy Input ..... 13
7.2 Other Inputs ..... 14
7.3 The Internal State ..... 14
7.4 The DRBG Mechanism Functions ..... 14
8 DRBG Mechanism Concepts and General Requirements ..... 16
8.1 DRBG Mechanism Functions ..... 16
8.2 DRBG Instantiations ..... 16
8.3 Internal States ..... 16
8.4 Security Strengths Supported by an Instantiation ..... 17
8.5 DRBG Mechanism Boundaries ..... 18
8.6 Seeds ..... 19
8.6.1 Seed Construction for Instantiation ..... 20
8.6.2 Seed Construction for Reseeding ..... 20
8.6.3 Entropy Requirements for the Entropy Input ..... 21
8.6.4 Seed Length ..... 21
8.6.5 Source of Entropy Input ..... 21
8.6.6 Entropy Input and Seed Privacy ..... 21
8.6.7 Nonce ..... 22
8.6.8 Reseeding ..... 22
8.6.9 Seed Use ..... 23
8.6.10 Entropy Input and Seed Separation ..... 23
8.7 Other Input to the DRBG Mechanism ..... 23
8.7.1 Personalization String ..... 23
8.7.2 Additional Input ..... 24
8.8 Prediction Resistance and Backtracking Resistance ..... 24
9 DRBG Mechanism Functions ..... 26
9.1 Instantiating a DRBG ..... 27
9.2 Reseeding a DRBG Instantiation ..... 30
9.3 Generating Pseudorandom Bits Using a DRBG ..... 32
9.3.1 The Generate Function ..... 33
9.3.2 Reseeding at the End of the Seedlife ..... 35
9.3.3 Handling Prediction Resistance Requests ..... 36
9.4 Removing a DRBG Instantiation ..... 36
10 DRBG Algorithm Specifications ..... 38
10.1 DRBG Mechanisms Based on Hash Functions ..... 38
10.1.1 Hash_DRBG ..... 39
10.1.1.1 Hash_DRBG Internal State ..... 39
10.1.1.2 Instantiation of Hash_DRBG ..... 40
10.1.1.3 Reseeding a Hash_DRBG Instantiation ..... 41
10.1.1.4 Generating Pseudorandom Bits Using Hash_DRBG ..... 42
10.1.2 HMAC_DRBG ..... 44
10.1.2.1 HMAC_DRBG Internal State ..... 44
10.1.2.2 The HMAC_DRBG Update Function (Update) ..... 45
10.1.2.3 Instantiation of HMAC_DRBG ..... 46
10.1.2.4 Reseeding an HMAC_DRBG Instantiation ..... 47
10.1.2.5 Generating Pseudorandom Bits Using HMAC_DRBG ..... 47
10.2 DRBG Mechanisms Based on Block Ciphers ..... 49
10.2.1 CTR_DRBG ..... 49
10.2.1.1 CTR_DRBG Internal State ..... 51
10.2.1.2 The Update Function (CTR_DRBG_Update) ..... 52
10.2.1.3 Instantiation of CTR_DRBG ..... 53
10.2.1.4 Reseeding a CTR_DRBG Instantiation ..... 55
10.2.1.5 Generating Pseudorandom Bits Using CTR_DRBG ..... 56
10.3 DRBG Mechanisms Based on Number Theoretic Problems ..... 60
10.3.1 Dual Elliptic Curve Deterministic RBG (Dual_EC_DRBG) ..... 60
10.3.1.1 Dual_EC_DRBG Internal State ..... 62
10.3.1.2 Instantiation of Dual_EC_DRBG ..... 62
10.3.1.3 Reseeding of a Dual_EC_DRBG Instantiation ..... 64
10.3.1.4 Generating Pseudorandom Bits Using Dual_EC_DRBG ..... 64
10.4 Auxiliary Functions ..... 67
10.4.1 Derivation Function Using a Hash Function (Hash_df) ..... 67
10.4.2 Derivation Function Using a Block Cipher Algorithm (Block_Cipher_df) ..... 68
10.4.3 BCC Function ..... 70
11 Assurance ..... 72
11.1 Minimal Documentation Requirements ..... 72
11.2 Implementation Validation Testing ..... 73
11.3 Health Testing ..... 73
11.3.1 Known Answer Testing ..... 73
11.3.2 Testing the Instantiate Function ..... 74
11.3.3 Testing the Generate Function ..... 74
11.3.4 Testing the Reseed Function ..... 75
11.3.5 Testing the Uninstantiate Function ..... 75
11.3.6 Error Handling ..... 75
11.3.6.1 Errors Encountered During Normal Operation ..... 75
11.3.6.2 Errors Encountered During Health Testing ..... 76
Appendix A: (Normative) Application-Specific Constants ..... 77
A.1 Constants for the Dual_EC_DRBG ..... 77
A.1.1 Curve P-256 ..... 77
A.1.2 Curve P-384 ..... 78
A.1.3 Curve P-521 ..... 78
A.2 Using Alternative Points in the Dual_EC_DRBG ..... 79
A.2.1 Generating Alternative P, Q ..... 79
A.2.2 Additional Self-testing Required for Alternative P, Q ..... 80
Appendix B: (Normative) Conversion and Auxiliary Routines ..... 81
B.1 Bitstring to an Integer ..... 81
B.2 Integer to a Bitstring ..... 81
B.3 Integer to a Byte String ..... 81
B.4 Byte String to an Integer ..... 82
B.5 Converting Random Numbers from/to Random Bits ..... 82
B.5.1 Converting Random Bits into a Random Number ..... 82
B.5.1.1 The Simple Discard Method ..... 83
B.5.1.2 The Complex Discard Method ..... 83
B.5.1.3 The Simple Modular Method ..... 84
B.5.1.4 The Complex Modular Method ..... 84
B.5.2 Converting a Random Number into Random Bits ..... 85
B.5.2.1 The No Skew (Variable Length Extraction) Method ..... 85
B.5.2.2 The Negligible Skew (Fixed Length Extraction) Method ..... 86
Appendix C: (Informative) Security Considerations when Extracting Bits in the Dual_EC_DRBG ..... 88
C.1 Potential Bias Due to Modular Arithmetic for Curves Over Fp ..... 88
C.2 Adjusting for the Missing Bit(s) of Entropy in the x Coordinates ..... 88
Appendix D: (Informative) Example Pseudocode for Each DRBG Mechanism ..... 92
D.1 Hash_DRBG Example ..... 92
D.1.1 Instantiation of Hash_DRBG ..... 93
D.1.2 Reseeding a Hash_DRBG Instantiation ..... 95
D.1.3 Generating Pseudorandom Bits Using Hash_DRBG ..... 96
D.2 HMAC_DRBG Example ..... 98
D.2.1 Instantiation of HMAC_DRBG ..... 98
D.2.2 Generating Pseudorandom Bits Using HMAC_DRBG ..... 100
D.3 CTR_DRBG Example Using a Derivation Function ..... 101
D.3.1 The CTR_DRBG_Update Function ..... 102
D.3.2 Instantiation of CTR_DRBG Using a Derivation Function ..... 103
D.3.3 Reseeding a CTR_DRBG Instantiation Using a Derivation Function ..... 104
D.3.4 Generating Pseudorandom Bits Using CTR_DRBG ..... 106
D.4 CTR_DRBG Example Without a Derivation Function ..... 108
D.4.1 The CTR_DRBG_Update Function ..... 108
D.4.2 Instantiation of CTR_DRBG Without a Derivation Function ..... 108