NIST removes Dual_EC_DRBG (nist.gov)
113 points by silenteh on Apr 22, 2014 | 22 comments

"Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators."


Acknowledgements: The National Institute of Standards and Technology (NIST) gratefully acknowledges.... Mike Boyle and Mary Baish from NSA for assistance in the development of this Recommendation

Shit! Everyone, switch back to Dual_EC!

Making the best of a bad PR situation, methinks.

I'm glad that NIST removed this from their recommendations.

That said, I'm surprised that it took them this long to do so. From the article:

    "In September 2013, news reports prompted public
    concern about the trustworthiness of Dual_EC_DRBG..."

Dual_EC_DRBG has been suspect for quite a while longer. There were concerns going back to at least 2006: http://eprint.iacr.org/2006/190

Yes, this is 8 years overdue. As djb points out in a letter to NIST here [1], this is not just about one specific NIST recommendation that had problems. There are problems with the standardization process as a whole.

[1] http://blog.cr.yp.to/20140411-nist.html

Well, given for how long Dual_EC_DRBG has been under suspicion, one cannot congratulate NIST for a proactive stance on security. For what it's worth, just go to this page on the NIST homepage:


And it still says:

  Random Number Generation

  - Recommendation for Random Number Generation Using Deterministic Random Bit Generators

  - Dual_EC_DRBG (link)
  CryptoToolkit Webmaster, Disclaimer Notice & Privacy Policy
  NIST is an Agency of the U.S. Department of Commerce
  Last updated: Jan 30, 2006

Time for an update or what?

NIST should get a clue and follow Dan Bernstein's advice:


If you read the bottom of NIST's press release, they've tasked their Visiting Committee on Advanced Technology (recently co-chaired by Vint Cerf) to do a review of NIST's crypto standardization process. Their review will be released to the public.

See the following for more info on the VCAT:


Thanks to Snowden & Greenwald!

I've gotten a response from Walter Fumy on the ISO stance on Dual_EC_DRBG:

"Regarding Dual_EC_DRBG, SC 27 / WG 2 resolved at its April 2014 meetings in Hong Kong to issue a corrigendum to ISO/ IEC 18031:2011 with the effect of removing the Dual_EC_DRBG scheme from the standard. Processing the corrigendum takes some time but should be completed by the end of 2014.

In parallel, SC 27 Standing Document SD 12 "Assessment of cryptographic algorithms and key lengths" will be updated to include appropriate advice regarding Dual_EC_DRBG. This should happen by the end of the month."

I found a presentation (pdf) from an ISO/IEC meeting in late 2013 by Walter Fumy regarding crypto, with details on Dual_EC_DRBG and recommendations to ISO. (I've also submitted this to HN, don't know if that is ok, but I find this preso pretty interesting.)


So now we wait for the reaction from ISO and ANSI.

I have yet to see any reaction from either organisation regarding the standards ANSI X9.82, Part 3 and ISO/IEC 18031:2005, both of which include Dual_EC_DRBG.

NIST rightfully gets a lot of blame and shame for not reacting to Dual_EC_DRBG in a timely manner. But ANSI and ISO standardized Dual_EC_DRBG before NIST and AFAIK have been very numb (and deaf and blind) the whole time. Would love to be proven wrong.

I wish they'd also remove the NSA

Long-awaited decision.

Was anyone really waiting?

Yes. Lots of large corporations and government agencies point to NIST standards when making purchasing decisions. So until this got officially updated, vendors were obligated to sell potentially insecure products.

There's NIST which publishes the definitions, and then there's FIPS which required the availability of Dual-EC DRBG.

Following FIPS is nontrivial. I've never heard of anyone doing it that wasn't the US government itself, or a contractor, or a stooge like RSA (which made Dual-EC their default crypto RNG).

Because if NIST waited much longer we couldn't even trust them on the length of a meter.

Surely you mean a foot :)

The foot is defined as 12 inches, each inch is 25.4 millimeters. A meter is defined as "the length of the path travelled by light in vacuum during a time interval of 1/299792458 of a second." So the foot is defined in terms of exact rational seconds.

NIST offers calibration and measurement services for length. http://nist.gov/calibrations/dimensional_links.cfm "Traceability to NIST" http://nist.gov/traceability/index.cfm is a big deal to people who care about calibration in the US. NIST and other national calibration labs circulate "transfer standards" amongst each other in order to ensure international agreement.

    each inch is 25.4 millimeters.

Huh, I missed that development. https://en.wikipedia.org/wiki/Inch#Modern_standardisation

Just to be sure, I'll keep a few aristocrats' appendages in my toolbox, for reference should a real foot be needed...
