NIST Revises Random Number Generation

Wednesday, July 1, 2015 @ 04:07 PM gHale

In response to concerns about cryptographic security, the National Institute of Standards and Technology (NIST) revised its recommended methods for generating random numbers, which is a crucial element in protecting private messages and other types of electronic data.

The move implements changes to the methods proposed by NIST last year in a draft document issued for public comment.

NIST Updates ICS Security Guide
Grant Money for Security Projects
Students Defend ‘Operation Transit Storm’
Cyber Lab Available for Training

The updated document, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” describes algorithms to reliably generate random numbers, a key step in data encryption.

One of the most significant changes to the document is the removal of the Dual_EC_DRBG algorithm, often referred to conversationally as the “Dual Elliptic Curve random number generator.”

That algorithm spawned controversy because of concerns it might contain a weakness that attackers could exploit to predict the outcome of random number generation. NIST continues to recommend the other three algorithms included in the previous version of the Recommendation document, which released in early 2012.

The revised version also contains several other changes. One is the CTR_DRBG — one of the three remaining random number algorithms — and allows additional options for its use. Another change recommends reintroducing randomness into deterministic algorithms as often as it is practical, because refreshing them provides additional protection against attack. The document also includes a link to examples that can help developers to implement the SP 800-90A random number generators correctly.

The revised publication reflects public comments received on a draft version for the “Recommendation for Random Number Generation Using Deterministic Random Bit Generators.”