0Pricing
Cryptology Academy · Lesson

Hash-DRBG, HMAC-DRBG, and CTR-DRBG Internals

Examine the internal state and output generation of each approved NIST DRBG mechanism.

DRBG Internal State Components

Each of the three NIST DRBG mechanisms maintains different internal state components, reflecting their underlying algorithmic approach. Hash_DRBG stores V (a hash-length seed) and C (a constant derived from V used during output generation). HMAC_DRBG stores Key K (a hash-length secret key) and Value V (a hash-length chaining value). CTR_DRBG stores Key K (an AES key) and V (a block-length counter). All three maintain a reseed_counter tracking generate calls since last seeding. The state size determines the memory footprint: Hash/HMAC_DRBG with SHA-256 use 64 bytes of state; CTR_DRBG with AES-256 uses 48 bytes (32-byte key + 16-byte counter).

Hash_DRBG: Hash_df Derivation Function

Hash_DRBG uses Hash_df (hash derivation function) to derive state from entropy material. Hash_df(input_string, no_of_bits_to_return) iterates: for counter = 1, 2, ..., compute H(counter || no_of_bits || input_string) and concatenate outputs until enough bits are produced. This stretches short entropy inputs into state-sized seeds. During Generate, the output function computes W = H(0x03 || V) where the 0x03 prefix distinguishes this from other hash uses. The output loop: data = H(0x01 || V); V = V + 1; repeat for more output. After generating, V is updated: V = V + H(0x03 || V) + C + reseed_counter. The domain separation via prefix bytes (0x01, 0x03) prevents output from the generate phase being confused with the state update phase.

All lessons in this course

  1. NIST SP 800-90A: DRBG Standards
  2. Hash-DRBG, HMAC-DRBG, and CTR-DRBG Internals
  3. The Dual EC DRBG Backdoor Incident
  4. Testing and Validating RNG Implementations
← Back to Cryptology Academy