Simon Josefsson <[email protected]> writes:

>>> DRBG-CTR is strange in several ways (e.g., non-uniform seeds), to the
>>> point of being unsafe since it is easy to misuse it.
>>
>> Is that detailed in the paper you link to?
>
> The details and assumptions are clear from the NIST spec, but the
> subjective opinion that it is easy to mis-use is my own.

It would be nice to have some reference for this critique. You also link to
https://eprint.iacr.org/2006/379.pdf, which seems related. According to
a quick look at the conclusions, it looks like DRBG AES256 does not
provide advertised security.

Is the "code book width" in the paper the same as the cipher block size,
so that the problem is that security depends on min(key size, block
size), assuming underlying primitives are secure? I haven't read the
paper carefully.

> My initial patch contained documentation.  While it can always be
> expanded a lot more, I can't think of any further modifications.

Let's use those docs, then. I don't think I've seen any revision of the
patch after my first round of review; could you post an update (on list
or as a merge request)?

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list -- [email protected]
To unsubscribe send an email to [email protected]