Security Analysis of NIST CTR-DRBG

“…• We provide full security proof for BKRNG in the robustness security game by Dodis et al [2] . The proof bears similarity to the proofs for FCRNG [5] and CTR_DRBG [4] . Similar to the previous PRNG security proofs, we treat the internal TPRF primitive as ideal, which means that we consider it to be randomly drawn from all possible TPRFs with the same input, output, and tweakey size.…”

“…Following [4,12] , we consider the interactions of a distinguisher A with an abstract system 𝑆 that answers A's queries. The resulting interaction then generates a transcript 𝜏 = ((𝑋 1 , 𝑌 1 ), ..., (𝑋 𝑞 , 𝑌 𝑞 )) of query-answer pairs.…”

“…(Cohney et al [3] noted that 67.8% of all certified implementations from NIST's Cryptographic Module Validation Program (CMVP) in 2019 supported CTR_DRBG, making it the most popular design among these certifications.) Its security was formally analyzed in 2020 by Hoang and Shen [4] . The CTR_DRBG design includes some odd choices, such as running CBC-MAC three times for the randomness extraction algorithm (called CtE by Hoang and Shen [4] ), without a clear justification for its provable security.…”

“…Its security was formally analyzed in 2020 by Hoang and Shen [4] . The CTR_DRBG design includes some odd choices, such as running CBC-MAC three times for the randomness extraction algorithm (called CtE by Hoang and Shen [4] ), without a clear justification for its provable security.…”

A TPRF-based pseudo-random number generator

“…• We provide full security proof for BKRNG in the robustness security game by Dodis et al [2] . The proof bears similarity to the proofs for FCRNG [5] and CTR_DRBG [4] . Similar to the previous PRNG security proofs, we treat the internal TPRF primitive as ideal, which means that we consider it to be randomly drawn from all possible TPRFs with the same input, output, and tweakey size.…”

“…Following [4,12] , we consider the interactions of a distinguisher A with an abstract system 𝑆 that answers A's queries. The resulting interaction then generates a transcript 𝜏 = ((𝑋 1 , 𝑌 1 ), ..., (𝑋 𝑞 , 𝑌 𝑞 )) of query-answer pairs.…”

“…(Cohney et al [3] noted that 67.8% of all certified implementations from NIST's Cryptographic Module Validation Program (CMVP) in 2019 supported CTR_DRBG, making it the most popular design among these certifications.) Its security was formally analyzed in 2020 by Hoang and Shen [4] . The CTR_DRBG design includes some odd choices, such as running CBC-MAC three times for the randomness extraction algorithm (called CtE by Hoang and Shen [4] ), without a clear justification for its provable security.…”

“…Its security was formally analyzed in 2020 by Hoang and Shen [4] . The CTR_DRBG design includes some odd choices, such as running CBC-MAC three times for the randomness extraction algorithm (called CtE by Hoang and Shen [4] ), without a clear justification for its provable security.…”

A TPRF-based pseudo-random number generator

“…The performance of the 𝐴𝐸𝑆_𝐶𝑇𝑅 algorithm was tested in [47] to ensure that it is suitable as the internal state algorithm in DRBG block encryption. However, some researchers found security vulnerability in the 𝐶𝑇𝑅_𝐷𝑅𝐵𝐺, as discussed in [48][49][50]. A practical attack occurred in 𝐶𝑇𝑅_𝐴𝐸𝑆 𝐷𝑅𝐵𝐺 128, and the attacker could obtain the input of the internal state that was being used.…”

A Novel Secure Root Key Updating Scheme for LoRaWANs Based on CTR_AES DRBG 128

Security Analysis of NIST CTR-DRBG