XDRBG: A Proposed Deterministic Random Bit Generator Based on Any XOF


  • John Kelsey National Institute of Standards and Technology (NIST), Gaithersburg, USA; COSIC, KU Leuven, Leuven, Belgium
  • Stefan Lucks Bauhaus-Universität, Weimar, Germany
  • Stephan Müller atsec information security corp, Austin, USA




pseudorandom bit generation, forward security, backward security, extendable output function (XOF)


A deterministic random bit generator (DRBG) generates pseudorandom bits from an unpredictable seed, i.e., a seed drawn from any random source with sufficient entropy. The current paper formalizes a security notion for a DRBG, in which an attacker may make any legal sequence of requests to the DRBG and sometimes compromise the DRBG state, but should still not be able to distingush DRBG outputs from ideal random bits. The paper proposes XDRBG, a new DRBG based on any eXtendable Output Function (XOF) and proves the security of the XDRBG in the ideal-XOF model. The proven bounds are tight, as demonstrated by matching attacks. The paper also discusses the security of XDRBG against quantum attackers. Finally, the paper proposes concrete instantiations of XDRBG, employing either the SHAKE128 or the SHAKE256 XDRBG. Alternative instantiations suitable for lightweight applications can be based on ASCON.







How to Cite

XDRBG: A Proposed Deterministic Random Bit Generator Based on Any XOF. (2024). IACR Transactions on Symmetric Cryptology, 2024(1), 5-34. https://doi.org/10.46586/tosc.v2024.i1.5-34