Do any of the FIPS sponsors or OpenSSL project people think that SP 800-90C 
section 10.1.2 "Accessing a Source DRBG with Prediction Resistance to Obtain 
any Security Strength" is worthwhile including in the code base?
The main use is to allow a stronger DRBG to be seeded from a weaker one.  For 
example: seeding AES-CTR-256-DRBG from AES-CTR-128-DRBG.  The reasons in favour 
don't seem very compelling:

- There are some obscure use cases for which there is a fairly easy
  workaround (use stronger DRBGs everywhere).

- A low quality hardware source could be used for higher strength
  applications.

- It would also provide some benefit for poorly set up DRBG chains.

- It can be used to construct randomness of any strength but I'm not
  aware of a current method to compress this down to high quality entropy that is
  directly usable (i.e. preserves the strength).
The PR is done (#8660 https://github.com/openssl/openssl/pull/8660) but I've
closed it since it seems unloved.  If anyone here does think that that would be
beneficial, say something as justification or it is gone.
Pauli

-- 

Oracle

Dr Paul Dale | Cryptographer | Network Security & Encryption 

Phone +61 7 3031 7217

Oracle Australia
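The construction under discussion, modelled as an added example (this is not code from Pauli's e-mail, from PR #8660, or from OpenSSL): a lower-strength source DRBG is asked for output repeatedly, each call made with prediction resistance so the source is reseeded from the live entropy source first, and the concatenated outputs become the seed material for a higher-strength target DRBG. The HMAC_DRBG below follows SP 800-90A with SHA-256; the class names, the `CountingEntropySource` that tallies fresh entropy, and the reading of 10.1.2 as "ceil(requested / source_strength) generate calls with prediction resistance" are this example's own assumptions.

```python
# Added example, not part of the original e-mail or of PR #8660.
import hashlib
import hmac
import math
import secrets

OUTLEN = 32  # SHA-256 digest length in bytes


class CountingEntropySource:
    """Stands in for a live entropy source and counts every bit handed out,
    so the fresh entropy consumed by a seeding strategy can be measured."""
    def __init__(self):
        self.bits_drawn = 0

    def get_entropy(self, nbits):
        self.bits_drawn += nbits
        return secrets.token_bytes(nbits // 8)


class FixedEntropy:
    """Feeds pre-assembled seed material to a DRBG instantiate call."""
    def __init__(self, material):
        self.material = material

    def get_entropy(self, nbits):
        chunk, self.material = self.material[: nbits // 8], self.material[nbits // 8:]
        if len(chunk) * 8 < nbits:
            raise ValueError("seed material exhausted")
        return chunk


class HmacDrbg:
    """SP 800-90A HMAC_DRBG (SHA-256). security_strength is the strength the
    instance is credited with; it fixes how much entropy each (re)seed pulls."""
    def __init__(self, source, security_strength, personalization=b""):
        self.source = source
        self.security_strength = security_strength
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        entropy_input = source.get_entropy(security_strength)        # >= strength bits
        nonce = source.get_entropy(security_strength // 2)           # >= strength/2 bits
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, additional_input=b""):
        self._update(self.source.get_entropy(self.security_strength) + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, prediction_resistance=False):
        if prediction_resistance:       # fresh live entropy before this request
            self.reseed()
        temp = b""
        while len(temp) < nbytes:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        self._update(b"")
        self.reseed_counter += 1
        return temp[:nbytes]


def entropy_from_source_drbg(source_drbg, requested_bits):
    """SP 800-90C 10.1.2 mechanism as read here: gather requested_bits of seed
    material by making ceil(requested / strength) generate calls on the source
    DRBG, each with prediction resistance. Returns (material, number_of_calls)."""
    strength = source_drbg.security_strength
    calls = math.ceil(requested_bits / strength)
    material = b"".join(
        source_drbg.generate(strength // 8, prediction_resistance=True) for _ in range(calls)
    )
    return material[: requested_bits // 8], calls


def seed_target_from_source(source_strength=128, target_strength=256):
    """Seed a target DRBG of target_strength from a source DRBG of source_strength
    and report how many PR calls and how many fresh live-entropy bits that took."""
    live = CountingEntropySource()
    source = HmacDrbg(live, source_strength)
    drawn_before = live.bits_drawn
    # The target instantiate needs strength bits of entropy_input plus a
    # strength/2-bit nonce, so request 1.5 * target_strength bits of material.
    material, calls = entropy_from_source_drbg(source, target_strength * 3 // 2)
    target = HmacDrbg(FixedEntropy(material), target_strength)
    return {
        "calls": calls,
        "fresh_bits": live.bits_drawn - drawn_before,
        "material_bytes": len(material),
        "target_output_bytes": len(target.generate(32)),
    }
```

Run `seed_target_from_source(128, 256)` to see the AES-CTR-256-from-128 case of the e-mail: three prediction-resistant calls on the 128-bit source, drawing 384 bits of live entropy in total. The counter is the point of the model: the construction does not manufacture strength, it routes the same amount of fresh entropy through the weaker DRBG in strength-sized pieces, which is why the "use stronger DRBGs everywhere" workaround costs nothing extra in entropy.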
