On 5/27/14 12:56 AM, Stephan Mueller wrote:
On Tuesday, 27 May 2014, 17:45:48, Peter Waltenberg wrote:
Hi Peter,
> Not quite correct, the prime rands shouldn't come from a DRBG, they
> should come from an NRBG (NIST terminology). There's a considerable
> difference between the performance of an entropy source and a DRBG.
Not sure where you see that, but looking into, say, FIPS 186-4 appendix
C.3, it always talks about an "approved RBG". In FIPS 140-2 speak, this
implies a DRBG.
Can you please give a reference?
Ciao
Stephan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Let us consider a model in which the adversary gets to see all the
generated random numbers from a CTR-DRBG generator except the 2048 bits
that are used for a private ECDSA key or the two 1024 bit chunks that
become p and q in an RSA key generation operation. If the adversary
sees all that data, he might be able to do some sort of cryptanalysis
and at least get some constraints on the key. But in the case we are
considering, all the values that do not result in primes or safe primes
(or whatever) are thrown away. The attacker does not see them. Thus it
suffices for the seed of the CTR-DRBG generator to be "entropic" data.
We do not need every trial value to be from entropic data.
--David
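To make the model in David's message concrete, here is an added illustration (not code from the thread or from OpenSSL): a seeded counter-mode generator drives a prime search, and the search records how many candidates were discarded before one was accepted. SHA-256 over (key || counter) stands in for AES-CTR because the standard library has no block cipher; like a real CTR-DRBG, every output is a deterministic function of the seed, so two runs with the same seed yield the same prime and the discarded candidates never leave the generator.

```python
import hashlib

class CounterDRBG:
    """Simplified CTR-DRBG stand-in: SHA-256(key || counter) plays the block cipher.
    The structure is what matters here: output depends only on the seed."""
    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(b"instantiate" + seed).digest()
        self.counter = 0
        self.blocks_emitted = 0  # total output blocks, visible in the adversary model

    def generate(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            out += hashlib.sha256(self.key + self.counter.to_bytes(16, "big")).digest()
            self.counter += 1
            self.blocks_emitted += 1
        return bytes(out[:nbytes])

# Fixed Miller-Rabin bases; this set is deterministic for every n below 2**64.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in MR_BASES:          # trial division by the small bases first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:          # strong-probable-prime test for each base
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(seed: bytes, bits: int = 64) -> tuple[int, int, int]:
    """Return (prime, discarded_candidates, blocks_emitted) for a given seed.
    Rejected candidates are thrown away inside this function: in the model
    above they are exactly the outputs the attacker does not get to see."""
    drbg = CounterDRBG(seed)
    discarded = 0
    while True:
        cand = int.from_bytes(drbg.generate(bits // 8), "big")
        cand |= (1 << (bits - 1)) | 1    # force full bit length and oddness
        if is_probable_prime(cand):
            return cand, discarded, drbg.blocks_emitted
        discarded += 1
```

The seed bytes are a constructed placeholder; in a real system they would come from the entropy source, which is the only input the search's determinism does not remove.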