[Cryptography] SP800-90A B & C

Watson Ladd watsonbladd at gmail.com
Sun Nov 10 15:09:56 EST 2013


On Fri, Nov 8, 2013 at 2:10 PM, David Johnston <dj at deadhat.com> wrote:
> For those with insomnia issues, I have submitted public comments to NIST
> against SP800-90A, B and C.
>
> The current comments are here:
> http://www.davidsdesktop.com/media/sp80090/SP800-90commentsNov8th_2013.pdf
>
> Earlier comments on earlier drafts are here:
> http://www.davidsdesktop.com/media/sp80090/Comments_on_first_draft_SP80090BC.pdf
> and here:
> http://www.davidsdesktop.com/media/sp80090/Comments_SP80090BC_Aug2011.pdf
>
I disagree with some of these comments, and agree with others, but I
think it would be productive to have a broader discussion of the
issues you raise (modulo editorial foibles).

There are (broadly speaking) two different designs for random number
generators. NIST is using the physics+stretch approach: a low-bandwidth
source of random bits, defined in 90B, periodically reseeds a
pseudorandom generator as in 90A.

The other design, exemplified by Yarrow, Fortuna, the Linux kernel
randomness subsystem, and others, uses large numbers of inputs of
unknown entropy, and attempts to distill a few bits of known entropy.

I believe that we have a much better handle on the first class of
designs from a cryptanalytic perspective than the second. In
particular, the pooling design can fail in very subtle ways if it has
too few sources. By contrast, the first approach is guaranteed by
design to have a seed from a random process if it works.



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

