NIST SP 800-90A, Revision 1

April 21, 2014: NIST Invites Comments on Draft SP 800-90A, Revision 1

NIST requests comments on a draft revision of SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Based on public concerns and an evaluation of the algorithm, NIST is proposing the removal of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). The revised document is available for a 30-day public comment period.

Background: Public concern has been expressed that one of the random bit generators in SP 800-90A, the Dual_EC_DRBG, could contain a backdoor when used with the parameters specified in the publication. This could allow attackers to successfully predict the secret cryptographic keys that form the foundation for the assurances provided by security products. Cryptographers identified this potential weakness during the development of this guideline, and the issue was initially mitigated by providing mechanisms to generate alternative parameters that would not be susceptible to this weakness. However, news reports on leaked classified information have heightened concern over the possibility of a backdoor in this algorithm.

In response, NIST issued an ITL Bulletin in September 2013 that provided a high-level discussion of the issues, announced that the SP 800-90 series of publications were being reopened for a 60-day public comment period, and recommended that the Dual_EC_DRBG no longer be used, pending the resolution of the security concerns. The comments subsequently received during the public-comment period included several requests for the removal of the Dual_EC_DRBG from SP 800-90A.

The comment period for the SP 800-90 publications closed on November 6, 2013. It is clear from the received comments and conversations with representatives from industry and academia that the public does not have confidence in the security provided by the Dual_EC_DRBG. Although it is possible that the concern could be addressed by generating new parameters using the method in SP 800-90A, after reviewing these comments and conducting its own review of the algorithm, NIST has decided to remove the DRBG from the document.

Next Steps: Pending review of public comments on this revised draft, NIST intends to publish a final version of SP 800-90A that formally withdraws the Dual_EC_DRBG as an approved DRBG. NIST does not intend to provide a transition period allowing continued use of Dual_EC_DRBG by vendors or users after its removal from SP 800-90A. Users and implementers would be instructed to transition to one of the three other approved DRBGs specified in SP 800-90A as soon as possible. As part of the transition plan, NIST’s Cryptographic Algorithm Validation Program (CAVP) would update the validation list for these implementations to reflect the decision that this algorithm would no longer be approved. The Cryptographic Module Validation Program (CMVP) would ensure that modules that depend on an approved DRBG have an alternative DRBG available for use.

NIST requests comments on this second draft of SP 800-90A that omits the Dual_EC_DRBG from the document, along with providing a few other changes that are listed in Appendix F of the document.

The comment period closed May 23, 2014.

Comments Received for Draft SP 800-90A Rev. 1 (2nd draft)