Randomness Improvements for Security Protocols

Document type: Replaced Internet-Draft (individual)
Authors: Cas Cremers, Luke Garratt, Stanislav Smyshlyaev, Nick Sullivan, Christopher Wood
Last updated: 2018-09-02 (latest revision 2018-03-01)
Replaced by: RFC 8937
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
IESG state: Replaced by draft-irtf-cfrg-randomness-improvements

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Randomness is a crucial ingredient for TLS and related security protocols. Weak or predictable "cryptographically-strong" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. The Dual EC random number backdoor and Debian bugs are relevant examples of this problem. This document describes a way for security protocol participants to mix their long-term private key into the entropy pool(s) from which random values are derived. This augments and improves randomness from broken or otherwise subverted CSPRNGs.
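The abstract only states that the long-term private key is mixed into the entropy pool. The following is an added example, not code from the draft or its authors, showing one concrete wrapper of that idea. It assumes the construction that the successor document RFC 8937 specifies, as recalled here: G'(n) = Expand(Extract(G(L), H(Sig(sk, tag1))), tag2, n), where G is the existing CSPRNG, Extract/Expand are HKDF (RFC 5869), Sig is a deterministic signature under the long-term key sk, tag1 is a fixed context string and tag2 a per-call string such as a counter. Because the Python standard library has no signature scheme, Sig is replaced by an HMAC keyed with the private-key bytes; that substitution, the helper names and all inputs (key bytes, tags, the all-zero "broken" generator) are constructed for this example.

```python
"""Mix a long-term private key into CSPRNG output (added example).

Construction assumed from RFC 8937 (an assumption of this example, not
text from the draft page):

    G'(n) = Expand(Extract(G(L), H(Sig(sk, tag1))), tag2, n)

G is the possibly broken CSPRNG, L the hash output length, Extract/Expand
are HKDF, Sig a deterministic signature under sk, tag1 a fixed context
string and tag2 a per-call string (for example a counter).
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
L = HASH().digest_size          # bytes of CSPRNG output used as the salt


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if n > 255 * L:
        raise ValueError("HKDF-Expand output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < n:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:n]


def sign_stand_in(sk: bytes, msg: bytes) -> bytes:
    """Stand-in for the deterministic signature Sig(sk, tag1).

    Assumption of this example: HMAC keyed with the private-key bytes.  A
    real implementation uses the protocol's own deterministic signature
    (for example Ed25519 or RSA PKCS#1 v1.5) so that no new secret is
    introduced and the attacker's view of the key does not change.
    """
    return hmac.new(sk, msg, HASH).digest()


def augmented_random(csprng, sk: bytes, tag1: bytes, tag2: bytes, n: int) -> bytes:
    """G'(n): n bytes derived from csprng(L) mixed with the long-term key."""
    seed = csprng(L)                                        # G(L)
    key_material = HASH(sign_stand_in(sk, tag1)).digest()   # H(Sig(sk, tag1))
    prk = hkdf_extract(seed, key_material)                  # Extract(G(L), ...)
    return hkdf_expand(prk, tag2, n)                        # Expand(..., tag2, n)


def broken_csprng(n: int) -> bytes:
    """Constructed failure mode: a generator that always returns zeros."""
    return bytes(n)


def good_csprng(n: int) -> bytes:
    """The platform CSPRNG, used when nothing is wrong with it."""
    return secrets.token_bytes(n)


if __name__ == "__main__":
    sk = bytes.fromhex("00" * 16 + "ff" * 16)   # constructed private-key bytes
    tag1 = b"example-protocol v1 long-term key mixing"
    # Even with an all-zero CSPRNG, an observer without sk cannot predict
    # these values, and distinct tag2 values keep them from repeating.
    for counter in range(3):
        tag2 = counter.to_bytes(8, "big")
        print(counter, augmented_random(broken_csprng, sk, tag1, tag2, 32).hex())
```

The wrapper never replaces the system generator: when G is healthy its output still enters Extract as the salt, so the result is at least as good as before, and when G is constant or attacker-known the derived bytes still depend on the private key. Since H(Sig(sk, tag1)) does not depend on the call, it can be computed once and cached; tag2 must then change on every call, otherwise two calls against a stuck generator return the same bytes.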


Cas Cremers (cas.cremers@cs.ox.ac.uk)
Luke Garratt (luke.garratt@cs.ox.ac.uk)
Stanislav Smyshlyaev (svs@cryptopro.ru)
Nick Sullivan (nick@cloudflare.com)
Christopher Wood (cawood@apple.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)