
In NIST 800-90A, Hash_DRBG, HMAC_DRBG and CTR_DRBG (with derivation function) all require a nonce for instantiation.

I understand the usual application for a nonce to prevent replay attacks. However, I don't understand the security benefit a nonce provides for a CSPRNG. Additionally, I am wondering why CTR_DRBG without a derivation function does not require a nonce.

What am I missing here?

Mike Edward Moras

1 Answer


What am I missing here?

You could re-use the master secret over multiple invocations and just rely on different nonces.

This may come in handy – for example – on embedded hardware without a proper True Random Number Generator.

Mike Edward Moras
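The following is an added example, not part of the question or the answer above, showing concretely what the nonce does at instantiation. It is a minimal HMAC_DRBG over SHA-256 written to follow SP 800-90A section 10.1.2: the seed material is `entropy_input || nonce || personalization_string`, so two instantiations that share the same entropy input but use different nonces produce different internal states and therefore different output streams. This is the situation the answer describes (a stored master secret reused across invocations, separated only by the nonce); the `counter` nonce below models a device that has persistent storage but no usable TRNG. The entropy value, nonces and the `compare_streams` / `instantiate_with_counter_nonce` helpers are constructed for the demonstration and are not from the standard. The reseed-interval check of the Generate function is omitted for brevity.

```python
import hmac
import hashlib

OUTLEN = 32  # output length of SHA-256 in bytes


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A 10.1.2) over SHA-256, for illustration only."""

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: seed_material = entropy_input || nonce || personalization_string.
        # Key and V start at the fixed constants given by the standard.
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into the working state (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate (reseed interval check omitted for brevity).
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def compare_streams(entropy: bytes, nonce_a: bytes, nonce_b: bytes, n: int = 32) -> dict:
    """Instantiate three DRBGs from the same entropy input and compare first outputs.

    Constructed demonstration helper (not part of SP 800-90A)."""
    out_a1 = HmacDrbg(entropy, nonce_a).generate(n)
    out_a2 = HmacDrbg(entropy, nonce_a).generate(n)   # identical inputs
    out_b = HmacDrbg(entropy, nonce_b).generate(n)    # only the nonce differs
    return {
        "deterministic": out_a1 == out_a2,   # same seed material -> same stream
        "nonce_separates": out_a1 != out_b,  # different nonce -> different stream
        "length_ok": len(out_a1) == n,
    }


def instantiate_with_counter_nonce(master_secret: bytes, counter: int) -> HmacDrbg:
    """Model of the answer's scenario: a fixed stored secret plus a monotonically
    increasing counter used as the nonce (constructed helper, assumption: the
    counter is persisted so it never repeats across power cycles)."""
    nonce = counter.to_bytes(8, "big")
    return HmacDrbg(master_secret, nonce, personalization=b"example-device")


if __name__ == "__main__":
    # Constructed, NOT real entropy: a fixed 32-byte pattern standing in for a stored secret.
    fake_entropy = bytes(range(32))
    print(compare_streams(fake_entropy, b"\x00" * 8, b"\x00" * 7 + b"\x01"))
    for c in (1, 2):
        print(c, instantiate_with_counter_nonce(fake_entropy, c).generate(16).hex())
```

The run shows that with a fixed entropy input the construction is fully deterministic, so any uniqueness between instantiations has to come from the nonce (or the personalization string). This is also why the standard requires the nonce to carry either about half the security strength in entropy or a guarantee of uniqueness, such as a timestamp or a persisted counter. CTR_DRBG without a derivation function takes no nonce because the entropy input is used directly as seed material and must already be exactly seedlen bits of full entropy; there is no derivation step that could absorb extra nonce bits.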