Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator

  • John Kelsey
  • Bruce Schneier
  • Niels Ferguson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1758)


We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNG). We describe the concept of a PRNG as a separate cryptographic primitive, and the design principles used to develop Yarrow. We then discuss the ways that PRNGs can fail in practice, which motivates our discussion of the components of Yarrow and how they make Yarrow secure. Next, we define a specific instance of a PRNG in the Yarrow family that makes use of available technology today. We conclude with a brief listing of open questions and intended improvements in future releases.


Hash Function Block Cipher Stream Cipher Pseudorandom Number Generator Generator Gate 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Agn88.
    G. B. Agnew, “Random Source for Cryptographic Systems,” Advances in Cryptology—EUROCRYPT’ 87 Proceedings, Springer-Verlag, 1988, pp. 77–81.Google Scholar
  2. ANSI85.
    ANSI X 9.17 (Revised), “American National Standard for Financial Institution Key Management (Wholesale),” American Bankers Association, 1985.Google Scholar
  3. Bal96.
    R.W. Baldwin, “Proper Initialization for the BSAFE Random Number Generator,” RSA Laboratories Bulletin, n. 3, 25 Jan 1996.Google Scholar
  4. BDR+96.
    M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener, “Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security,” January 1996.Google Scholar
  5. Dai97.
  6. DIF94.
    D. Davis, R. Ihaka, and P. Fenstermacher, “Cryptographic Randomness from Air Turbulience in Disk Drives,” Advances in Cryptology — CRYPTO’ 94 Proceedings, Springer-Verlag, 1994, pp. 114–120.Google Scholar
  7. ECS94.
    D. Eastlake, S.D. Crocker, and J.I. Schiller, “Randomness Requirements for Security,” RFC 1750, Internet Engineering Task Force, Dec. 1994.Google Scholar
  8. FMK85.
    R.C. Fairchild, R.L. Mortenson, and K.B. Koulthart, “An LSI Random Number Generator (RNG),” Advances in Cryptology: Proceedings of CRYPTO’ 84, Springer-Verlag, 1985, pp. 203–230.Google Scholar
  9. Gud85.
    M. Gude, “Concept for a High-Performance Random Number Generator Based on Physical Random Noise,” Frequenz, v. 39, 1985, pp. 187–190.Google Scholar
  10. Gut98.
    P. Gutmann, “Software Generation of Random Numbers for Cryptographic Purposes,” Proceedings of the 1998 Usenix Security Symposium, USENIX Association, 1998, pp. 243–257.Google Scholar
  11. Kah67.
    D. Kahn, The Codebreakers, The Story of Secret Writing, Macmillan Publishing Co., New York, 1967.Google Scholar
  12. Koc95.
    P. Kocher, post to sci.crypt Internet newsgroup (message-ID, 4 Dec 1995.Google Scholar
  13. Koc96.
    P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology—CRYPTO’ 96 Proceedings, Springer-Verlag, 1996, pp. 104–113.Google Scholar
  14. Koc98.
    P. Kocher, “Differential Power Analysis,” available online from
  15. KSWH98a.
    J. Kelsey, B. Schneier, D. Wagner, and C. Hall, “Cryptanalytic Attacks on Pseudorandom Number Generators,” Fast Software Encryption, 5th International Workshop Proceedings, Springer-Verlag, 1998, pp. 168–188.Google Scholar
  16. KSWH98b.
    J. Kelsey, B. Schneier, D. Wagner, and C. Hall, “Side Channel Cryptanalysis of Product Ciphers,” ESORICS’ 98 Proceedings, Springer-Verlag, 1998, pp. pp 97–110.Google Scholar
  17. LMS93.
    J.B. Lacy, D.P. Mitchell, and W.M. Schell, “CryptoLib: Cryptography in Software,” USENIX Security Symposium IV Proceedings, USENIX Association, 1993, pp. 237–246.Google Scholar
  18. Luc98.
    S. Lucks, Private Communication, 1998.Google Scholar
  19. NIS80.
    National Institute of Standards and Technology. DES Modes of Operation, December 2, 1980. FIPS PUB 81, available from
  20. NIS93.
    National Institute of Standards and Technology. Data Encryption Standard (DES), December 30, 1993. FIPS PUB 46-2, available from
  21. NIS95.
    National Institute of Standards and Technology. Secure Hash Standard, April 17, 1995. FIPS PUB 180-1, available from
  22. NIS99.
    National Institute of Standards and Technology. Data Encryption Standard (DES), 1999. DRAFT FIPS PUB 46-3.Google Scholar
  23. NIST92.
    National Institute for Standards and Technology, “Key Management Using X9.17,” NIST FIPS PUB 171, U.S. Department of Commerce, 1992.Google Scholar
  24. Plu94.
    C. Plumb, “Truly Random Numbers, Dr. Dobbs Journal, v. 19, n. 13, Nov 1994, pp. 113–115.Google Scholar
  25. Ric92.
    M. Richterm “Ein Rauschgenerator zur Gweinnung won quasi-idealen Zufallszahlen fur die stochastische Simulation,” Ph.D. dissertation, Aachen University of Technology, 1992. (In German.)Google Scholar
  26. RSA94.
    RSA Laboratories, RSAREF cryptographic library, Mar 1994,
  27. SV86.
    M. Santha and U.V. Vazirani, “Generating Quasi-Random Sequences from Slightly Random Sources,” Journal of Computer and System Sciences, v. 33, 1986, pp. 75–87.zbMATHCrossRefMathSciNetGoogle Scholar
  28. Sch96.
    B. Schneier, Applied Cryptography, John Wiley & Sons, 1996.Google Scholar
  29. Zim95.
    P. Zimmermann, The Official PGP User’s Guide, MIT Press, 1995.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • John Kelsey
    • 1
  • Bruce Schneier
    • 1
  • Niels Ferguson
    • 1
  1. 1.Counterpane SystemsMinneapolisUSA

Personalised recommendations