7.2.1. X9.82 Pseudo-Random Number Generation
The ANSI X9F1 committee is in the final stages of creating a standard for random number generation covering both true randomness generators and pseudo-random number generators. It includes a number of pseudo-random number generators based on hash functions, one of which will probably be based on HMAC SHA hash constructs [RFC2104]. The draft version of this generator is described below, omitting a number of optional features [X9.82].
In the subsections below, the HMAC hash construct is simply referred to as HMAC but, of course, a particular standard SHA function must be selected in a particular use. Generally speaking, if the strength of the pseudo-random values to be generated is to be N bits, the SHA function chosen must generate N or more bits of output, and a source of at least N bits of input entropy will be required. The same hash function must be used throughout an instantiation of this generator.
7.2.1.1. Notation
In the following sections, the notation given below is used:
hash_length     is the output size of the underlying hash function in use.

input_entropy   is the input bit string that provides entropy to the generator.

K               is a bit string of size hash_length that is part of the state of the generator and is updated at least once each time random bits are generated.

V               is a bit string of size hash_length and is part of the state of the generator. It is updated each time hash_length bits of output are generated.

|               represents concatenation.
7.2.1.2. Initializing the Generator
Set V to all zero bytes, except the low-order bit of each byte is set to one.
Set K to all zero bytes, then set:
K = HMAC ( K, V | 0x00 | input_entropy )
V = HMAC ( K, V )
K = HMAC ( K, V | 0x01 | input_entropy )
V = HMAC ( K, V )
Note: All SHA algorithms produce an integral number of bytes, so the lengths of K and V will be integral numbers of bytes.
7.2.1.3. Generating Random Bits
When output is called for, simply set:
V = HMAC ( K, V )
and use the leading bits from V. If more bits are needed than the length of V, set "temp" to a null bit string and then repeatedly perform:
V = HMAC ( K, V )
temp = temp | V
stopping as soon as temp is equal to or longer than the number of random bits requested. Use the requested number of leading bits from temp. The definition of the algorithm prohibits requesting more than 2^35 bits.
After extracting and saving the pseudo-random output bits as described above, before returning you must also perform two more HMACs as follows:
K = HMAC ( K, V | 0x00 )
V = HMAC ( K, V )
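As an added example, not part of the RFC text or the X9.82 draft, the following Python puts the three steps above (initialization, generating bits, and the two-HMAC update before returning) into one class using the standard library's hmac module. The class and method names, the MAX_REQUEST_BITS constant and the sample entropy strings are this example's own; SHA-256 is assumed as the hash, and hash_length is tracked in bytes since the note above guarantees whole-byte output. The generation loop is written once so that it covers both cases in the text: a single HMAC when the request fits in V, and repeated "V = HMAC(K, V); temp = temp | V" otherwise.

```python
import hmac
import hashlib

# Ceiling from the text: the draft prohibits requesting more than 2^35 bits.
MAX_REQUEST_BITS = 1 << 35


class X982HmacGenerator:
    """HMAC-based pseudo-random generator following the draft X9.82 steps
    quoted above (optional features omitted, as in the text).

    Names are this example's own; SHA-256 is assumed as the underlying
    hash (any SHA giving >= N bits of output would do, per the text)."""

    def __init__(self, input_entropy: bytes, hash_name: str = "sha256"):
        self.hash_name = hash_name
        # hash_length kept in bytes: every SHA output is a whole number of bytes.
        self.hash_length = hashlib.new(hash_name).digest_size
        # 7.2.1.2: V is all-zero bytes with the low-order bit of each byte set.
        self.V = b"\x01" * self.hash_length
        # K starts as all-zero bytes ...
        self.K = b"\x00" * self.hash_length
        # ... then the four HMACs mix in the entropy under separators 0x00 and 0x01.
        self.K = self._hmac(self.K, self.V + b"\x00" + input_entropy)
        self.V = self._hmac(self.K, self.V)
        self.K = self._hmac(self.K, self.V + b"\x01" + input_entropy)
        self.V = self._hmac(self.K, self.V)

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self.hash_name).digest()

    def generate(self, n_bits: int) -> bytes:
        """7.2.1.3: return the requested number of leading bits, packed into
        ceil(n_bits / 8) bytes with unused low-order bits of the last byte
        cleared, then perform the two HMACs required before returning."""
        if n_bits <= 0 or n_bits > MAX_REQUEST_BITS:
            raise ValueError("request must be between 1 and 2^35 bits")
        # One iteration when the request fits in V; otherwise keep appending
        # fresh V values to temp until temp is at least n_bits long.
        temp = b""
        while len(temp) * 8 < n_bits:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        n_bytes = (n_bits + 7) // 8
        out = bytearray(temp[:n_bytes])
        unused = n_bytes * 8 - n_bits
        if unused:
            out[-1] &= (0xFF << unused) & 0xFF
        # Update K and then V before returning, as the text requires.
        self.K = self._hmac(self.K, self.V + b"\x00")
        self.V = self._hmac(self.K, self.V)
        return bytes(out)


if __name__ == "__main__":
    # Constructed sample entropy; a real instantiation needs at least N bits
    # of genuine entropy from a true randomness source.
    gen = X982HmacGenerator(b"constructed sample entropy - replace with real entropy")
    print(gen.generate(128).hex())
    print(gen.generate(1000).hex())
```

Two points worth checking when implementing this yourself: the state (K, V) must change after every call, so the same generator never returns the same block twice, and two instantiations only agree when they were seeded with identical input_entropy, which is exactly why the entropy source's quality decides the strength of everything produced.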