An Analysis of NIST SP 800-90A

  • Joanne Woodage
  • Dan Shumow
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)


We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in NIST SP 800-90A [2]. The standard received considerable negative attention due to the controversy surrounding the now retracted \(\mathsf{DualEC\text{-}DRBG}\), which appeared in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on \(\mathsf{HASH\text{-}DRBG}\) and \(\mathsf{HMAC\text{-}DRBG}\). We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [13] of \(\mathsf{HASH\text{-}DRBG}\) and \(\mathsf{HMAC\text{-}DRBG}\) in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then, contrary to claims in the standard, \(\mathsf{HMAC\text{-}DRBG}\) does not even achieve the (weaker) property of forward security. We then conduct a more informal and practice-oriented exploration of flexibility in the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood and the impact of such attacks. While our attacks are theoretical, an analysis of two open source implementations of \(\mathsf{CTR\text{-}DRBG}\) shows that these potentially problematic implementation choices are made in the real world.
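The abstract's caveat concerns the optional additional input of \(\mathsf{HMAC\text{-}DRBG}\). The following Python implementation of the HMAC-DRBG mechanism, written to the pseudocode in Section 10.1.2 of SP 800-90A Rev. 1 with SHA-256 as the underlying hash, is an added illustration and is not code from the paper or from any implementation it analyses; it makes no security claim and does not reproduce the paper's attack. It shows where the additional input enters the state update: with no additional input, `update` runs only the first round, so the post-generate state is a function of the previous `(K, V)` alone. The class and function names and the seed values are assumptions of this example.

```python
import hmac
import hashlib

# HMAC-DRBG (NIST SP 800-90A Rev. 1, Section 10.1.2) instantiated with SHA-256.
# Added illustration only; not the paper's code. Seed material below is constructed.
HASH = hashlib.sha256
OUTLEN = HASH().digest_size       # 32 bytes for SHA-256
RESEED_INTERVAL = 1 << 48         # the largest reseed interval the standard permits
MAX_REQUEST_BITS = 1 << 19        # max_number_of_bits_per_request from the standard


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


class HmacDrbg:
    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # HMAC_DRBG_Instantiate: K = 0x00...00, V = 0x01...01, then Update(seed_material)
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self.update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def update(self, provided_data: bytes = b"") -> None:
        """HMAC_DRBG_Update. With empty provided_data only the 0x00 round runs,
        so the new (K, V) depends solely on the old (K, V)."""
        self.K = _hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = _hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = _hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = _hmac(self.K, self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """HMAC_DRBG_Reseed: fresh entropy (plus optional input) is folded into the state."""
        self.update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate. The optional additional_input, when present, is mixed
        in both before producing output and in the final state update."""
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if n_bytes * 8 > MAX_REQUEST_BITS:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if additional_input:
            self.update(additional_input)
        temp = b""
        while len(temp) < n_bytes:
            self.V = _hmac(self.K, self.V)   # each output block is the new V
            temp += self.V
        returned_bits = temp[:n_bytes]
        self.update(additional_input)        # same optional input again (may be empty)
        self.reseed_counter += 1
        return returned_bits


def sample_outputs() -> tuple:
    """Two DRBGs seeded identically (constructed, non-secret seed values); one
    generates without additional input, the other with. Returns both outputs."""
    entropy = bytes(range(32))
    nonce = b"\xaa" * 16
    plain = HmacDrbg(entropy, nonce)
    with_extra = HmacDrbg(entropy, nonce)
    return plain.generate(48), with_extra.generate(48, additional_input=b"app-supplied input")


if __name__ == "__main__":
    a, b = sample_outputs()
    print("no additional input :", a.hex())
    print("with additional input:", b.hex())
```

The two calls in `sample_outputs` diverge only because of the additional input; everything else (seed, nonce, request size) is identical. Whether an application passes such input is exactly the implementation choice the abstract flags as security-relevant.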



The authors thank Kenny Paterson and the anonymous reviewers for their insightful comments which greatly improved the paper. The first author is supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1); much of this work was completed during an internship at Microsoft Research.


  1. Abdalla, M., Belaïd, S., Pointcheval, D., Ruhault, S., Vergnaud, D.: Robust pseudo-random number generators with input secure against side-channel attacks. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 635–654. Springer, Cham (2015)
  2. Barker, E., Kelsey, J.: NIST SP 800-90A Rev. 1 Recommendation for random number generation using deterministic random bit generators (2015)
  3. Barker, E., Kelsey, J.: Draft NIST SP 800-90C. Recommendation for random bit generator (RBG) constructions (2012)
  4. Bernstein, D.J.: Cache-timing attacks on AES (2005)
  5. Bernstein, D.J.: Fast-key-erasure random-number-generators (2017)
  6. Bernstein, D.J., et al.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)
  7. Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007)
  8. Butcher, S., Follath, J., García, A.A.: mbed TLS (2015–2018)
  9. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. ePrint (2006)
  10. Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: USENIX (2014)
  11. Cornejo, M., Ruhault, S.: Characterization of real-life PRNGs under partial state corruption. In: ACM CCS (2014)
  12. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)
  13. Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: ACM CCS (2013)
  14. Dodis, Y., Ristenpart, T., Steinberger, J.P., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H2 and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)
  15. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS (2008)
  16. FIPS PUB 140-2. Security Requirements for Cryptographic Modules (2001)
  17. Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016)
  18. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX (2012)
  19. Hirose, S.: Security analysis of DRBG using HMAC in NIST SP 800-90. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 278–291. Springer, Heidelberg (2009)
  20. Kan, W.: Analysis of underlying assumptions in NIST DRBGs (2007)
  21. Ye, K.Q., Green, M., Sanguansin, N., Beringer, L., Petcher, A., Appel, A.W.: Verified correctness and security of mbedTLS HMAC-DRBG. In: ACM CCS (2017)
  22. Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. JCEN 1, 5–27 (2011)
  23. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010)
  24. Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF) (2010)
  25. Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003)
  26. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)
  27. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)
  28. Percival, C.: Cache missing for fun and profit (2005)
  29. Perlroth, N.: Government announces steps to restore confidence on encryption standards (2013)
  30. The OpenSSL Project: OpenSSL (1998–2018)
  31. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)
  32. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: NDSS (2010)
  33. Ruhault, S.: SoK: security models for pseudo-random number generators. IACR Trans. Symmetric Cryptol. 2017, 506–544 (2017)
  34. Shrimpton, T., Terashima, R.S.: A provable-security analysis of Intel's secure key RNG. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 77–100. Springer, Heidelberg (2015)
  35. Shrimpton, T., Terashima, R.S.: Salvaging weak security bounds for blockcipher-based constructions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 429–454. Springer, Heidelberg (2016)
  36. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG (2007)
  37. Turan, M.S., Barker, E., Kelsey, J., McKay, K.A., Baish, M.L., Boyle, M.: SP 800-90B. Recommendation for the entropy sources used for random bit generation (2012)
  38. Vassilev, A., May, W.: Annex C: approved random number generators for FIPS PUB 140-2, security requirements for cryptographic modules (2016)
  39. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: ACM SIGCOMM (2009)

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Royal Holloway, University of London, Egham, UK
  2. Microsoft Research, Redmond, USA