DRBG nonce lengths #1520
Comments
|
@livebe01 right, but that table still shows a minimum nonce length. Would it not be more accurate to set the minimum nonce length to 0 for all of them? Then the maximum entropy length would also need to be updated to support the case where entropy_input_len = 3/2*s and nonce_len = 0 |
|
@livebe01 correct |
|
I don't think the maximum entropy lengths would need to updated. I think most of those values are restrictions we built into ACVTS b/c we didn't want to deal w/ values that were too large. There are a number of things going on in the DRBG spec. 1) We're trying to tie it in w/ SP 800-90A and the different restrictions and requirements it puts in place. 2) The DRBG spec has evolved over time. I wasn't its original author and I believe Table 4 used to be located in a different spot. Per the introduction to section 7.3, one of Table 4's intended uses was to default test values that are used. I've updated the DRBG spec several times to try to make it more cohesive and easier to understand, but we're happy to get feedback on them from others who need to read and try to understand them. 4) For the nonceLen, we're trying to communicate that one of the following requirements needs to be met: How does #1522 look? |
|
That looks reasonable to me |
|
Great, thank you. I do think that's more clear. If you have any other thoughts, let me know. |
According to #1432, the ACVP now supports DRBG capabilities with 0-length nonces, as long as the combination of entropy input+nonce is greater than 3/2 * security strength.
However, the table on https://github.com/livebe01/ACVP/blob/master/src/drbg/sections/05-capabilities.adoc still lists a minimum value for the nonces of all derivation function-based DRBGs. Is the table outdated?
The text was updated successfully, but these errors were encountered: