On 7/10/2026 11:54 AM, Nico Williams wrote:

...

So in a way hashing `m` adds no value because if the attacker knows
you'll be hashing `m`: since we're talking about an attacker that can
convince you to use their RNG they can just make you use one where
hashing `m` achieves nothing.

But it might be more difficult to switch out the RNG at this late a
stage.  On that basis one might recommend some application level
whitening of RNG outputs: on the off chance that the attacker was in
fact counting on the use of raw RNG outputs for `m` [and nonces].

Yes, just hashing the RNG achieves little. What you want is whitening the RNG. You could do that by including a nonce in the hash or by encrypting the RNG output with a local key. Or you could do all kind of elaborate solutions, maybe some kind of sponge construct. Or you could use something likeĀ AES-CTR-DRBG, which satisfies the requirements forĀ NIST SP 800-90A Compliance, and which I understand is included in Boring SSL.

-- Christian Huitema

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to