On 7/10/2026 11:54 AM, Nico Williams wrote: ...
So in a way hashing `m` adds no value because if the attacker knows you'll be hashing `m`: since we're talking about an attacker that can convince you to use their RNG they can just make you use one where hashing `m` achieves nothing. But it might be more difficult to switch out the RNG at this late a stage. On that basis one might recommend some application level whitening of RNG outputs: on the off chance that the attacker was in fact counting on the use of raw RNG outputs for `m` [and nonces].
Yes, just hashing the RNG achieves little. What you want is whitening the RNG. You could do that by including a nonce in the hash or by encrypting the RNG output with a local key. Or you could do all kind of elaborate solutions, maybe some kind of sponge construct. Or you could use something likeĀ AES-CTR-DRBG, which satisfies the requirements forĀ NIST SP 800-90A Compliance, and which I understand is included in Boring SSL.
-- Christian Huitema _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
