RFC 8937: Randomness Improvements for Security Protocols
doc
https://www.rfc-editor.org/rfc/rfc8937.html
cryptographically secure” pseudorandom number generators (CSPRNGs) 的问题在于,熵值的强度。
naxos把随机数x用H(x, sk)处理一下作为random用,其中sk为sender的私钥。
借鉴naxos的思路,把H(x, sk)替换为签名操作Sig(sk, tag1),tag1/tag2固定,G(L)为原始random生成器,G'(n) = Expand(Extract(H(Sig(sk, tag1)), G(L)), tag2, n)
Sig(sk, tag1)的值可缓存,hsm接口兼容性好一点?!
issue
When private keys are public: results from the 2008 Debian OpenSSL vulnerability seed问题
Dual EC: A Standardized Back Door 算法问题
