Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]

Dan Brown <> Fri, 27 December 2013 23:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F35C31AE90F for <>; Fri, 27 Dec 2013 15:35:01 -0800 (PST)
X-Quarantine-ID: <o6gT0EZb5ZD4>
X-Virus-Scanned: amavisd-new at
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o6gT0EZb5ZD4 for <>; Fri, 27 Dec 2013 15:35:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7BF831AE90D for <>; Fri, 27 Dec 2013 15:34:58 -0800 (PST)
Content-Type: multipart/mixed; boundary="===============1285762031=="
MIME-Version: 1.0
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 27 Dec 2013 18:34:48 -0500
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 27 Dec 2013 18:34:48 -0500
Received: from ([fe80::45d:f4fe:6277:5d1b]) by ([::1]) with mapi id 14.03.0158.001; Fri, 27 Dec 2013 18:34:48 -0500
From: Dan Brown <>
To: "''" <>, "''" <>
Thread-Topic: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
Thread-Index: AQHPA00Ch315veUHX0690/db6dPF85poqTpQ
Date: Fri, 27 Dec 2013 23:34:46 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-CA, en-US
X-MS-Has-Attach: yes
x-originating-ip: []
MIME-Version: 1.0
Cc: "''" <>
Subject: Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Dec 2013 23:35:02 -0000

> -----Original Message-----
> From: Dan Harkins
> Sent: Friday, December 27, 2013 4:46 PM
> On Fri, December 27, 2013 1:42 pm, David McGrew wrote:
> > I understand that these topics deserve discussion, but in the long
> > term it might be more fruitful to consider what recommendations should
> > be given to implementers and standards group on the subject of PRNGs.

Yes, I just wanted to clarify.   

Now, since you asked about recommendations ...

PRNGs are not needed for interoperability, but the some of the core
"schemes" standards that I am familiar with, such as ANSI X9.62 and SEC1,
make normative requirements about the PRNGs and entropy used to generate
keys.  I think that's reasonable for the sake of security.  In theory, if
IETF "protocols" specs reference these core "schemes" standards, then they
would inherit the PRNG requirements.  I'd recommend IETF "schemes" specs
similarly follow suit, although an alternative is just to require a (secure)
randomly generated key, but that could be little risky to ask implementers
to do this without sufficient guidance.

Maybe I'm biased, but for a PRNG, I'd recommend Dual_EC_DRBG with
alternative P&Q, at least on systems that can afford the extra latency, e.g.
high-end user equipment, if only because of the refereed security analysis.
Also, considerable attention, because of the potential backdoor, has been
paid to Dual_EC_DRBG, yet no major attack since that security analysis has
been uncovered.

The three other DRBG algorithms now in SP 800-90 should be much faster, if
such speed is needed, and should also be secure, since no major attacks have
been published, despite their high profile in NIST specs.  The HMAC_DRBG
also has a proof.

I'm also aware of other research into comparable alternatives:

but I'm not sure if these have been standardized anywhere.  If I had to
summarize these in a few words, I would hazard to say that they provide
constructions to build a PRNG from a PRF (where for a PRF, think RC4, or

There's also lots of research into "randomness extractors", but that's
something slight different.

>   Indeed! And might this discussion move to, the
> list formed to discuss just this very subject?

Thanks. I completely forgot about that mailing list, I saw the announcement
but never looked into it.  Is there a WG site?

Best regards,

This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.