Score:1

Why can the DRBG mask small deviations in the behavior of the entropy source?


NIST SP 800-90C says: "Small deviations in the behavior of the entropy source in an NRBG will be masked by the DRBG output." Why can the DRBG mask small deviations in the behavior of the entropy source?

Can anyone give the mathematics or a reference?

Score:-2

Consider this construct from 90C:-

thing

The HMAC-DRBG is just NIST's overly complicated (intentionally?) PRNG. But it's still only an RNG with an iterated internal state. Once the state is instantiated (seeded) from the live entropy source, it runs.

If 'poor' entropy is used to seed it, the cryptographic hash functions (SHA-256) inside the DRBG along with their avalanche behaviours will still produce what looks like perfectly distributed random numbers. It will 'mask' the poor entropy. Imagine if the seed was only 16 bits of true entropy. 65,536 different output streams would probably go unnoticed (at least for a while).

And it can keep running even if the live entropy source dies or is disconnected. If the internal state is capable of a 256-bit security strength, the RNG could even cycle round and around (theoretically). If the DRBG was something else with a much smaller state, cycling is a real possibility. And from this Q&A, no randomness test will detect that what you have left is just a CSPRNG and not a TRNG.

Thus the masking effect. Dangerous.
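
The 16-bit-seed scenario from the answer above, as an added example that is not part of the original post: a simplified HMAC-DRBG (SHA-256, following the SP 800-90A update and generate steps, without nonce, reseed counter or health tests) seeded from a constructed 2-byte value. The output's bit frequency looks balanced, yet only 65,536 streams exist, which is why a check on seed quality has to look at the raw entropy source rather than at DRBG output. The function names and the sample seed are assumptions made for the illustration.

```python
import hashlib
import hmac


class HmacDrbg:
    """Simplified HMAC_DRBG (SHA-256): no nonce, reseed counter or health tests."""

    def __init__(self, seed: bytes):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.digest(self.K, data, "sha256")

    def _update(self, data: bytes = b"") -> None:
        self.K = self._mac(self.V + b"\x00" + data)
        self.V = self._mac(self.V)
        if data:  # second round only when seed material is supplied
            self.K = self._mac(self.V + b"\x01" + data)
            self.V = self._mac(self.V)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._mac(self.V)
            out += self.V
        self._update()
        return out[:n]


def stream_for_seed(seed16: int, n: int = 32) -> bytes:
    """Output stream for a seed carrying only 16 bits of entropy."""
    return HmacDrbg(seed16.to_bytes(2, "big")).generate(n)


def ones_fraction(data: bytes) -> float:
    """Monobit statistic: fraction of 1 bits, ~0.5 for random-looking data."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def seeds_matching(observed: bytes) -> list:
    """Every 16-bit seed whose stream begins with the observed bytes."""
    return [s for s in range(1 << 16)
            if stream_for_seed(s, len(observed)) == observed]


if __name__ == "__main__":
    seed = 0x1234  # constructed sample seed
    print("ones fraction:", ones_fraction(stream_for_seed(seed, 125_000)))
    print("seeds reproducing the stream:", seeds_matching(stream_for_seed(seed)))
```

The monobit statistic is indistinguishable from that of a well-seeded generator, while walking the 65,536 possible seeds reproduces the stream exactly.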
