
The C implementation of Hash_DRBG in NIST SP 800-90A Rev.1 is provided. Header files and library files of OpenSSL 1.1.1 or higher version are needed while compiling and linking.

greendow/Hash-DRBG

Hash_DRBG in NIST SP 800-90A Rev.1

    A DRBG (Deterministic Random Bit Generator) is used to obtain pseudorandom bits for different purposes. NIST SP 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (link: https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final), provides three DRBG constructions: Hash_DRBG, HMAC_DRBG and CTR_DRBG. The construction of the hash DRBG includes modular arithmetic on big numbers, which results in low efficiency. CTR_DRBG is preferred in practical use when performance is more important.
    The hash DRBG is defined in chapter 10.1.1 of NIST SP 800-90A Rev.1. The implementation given here is based on the big-number arithmetic and the hash functions provided by OpenSSL 1.1.1. The OpenSSL 1.1.1 header files and library files are needed when compiling and linking. The OpenSSL website is https://www.openssl.org
    The security strength of the DRBG is determined by the hash algorithm used. This implementation only supports hash functions whose output length is 256 bits or 512 bits. SHA-1 is deprecated because of its insecurity. Only SHA-256 or SHA-512 is recommended as the building block for the DRBG here. As noted in NIST SP 800-90A, there is no efficiency benefit in using SHA-224 rather than SHA-256, since SHA-224 is based on SHA-256. Similarly, there is no efficiency benefit in using SHA-384, SHA-512/224 or SHA-512/256 rather than SHA-512, since these three SHA mechanisms are based on SHA-512. A structure called EVP_MD, defined in OpenSSL, is used to specify the hash function. This means that any hash function can be used to build the hash DRBG here as long as its output length is 256 bits or 512 bits. For example, SHA3-256 and SHA3-512 are not included in NIST SP 800-90A, but either of them can be used to build a non-standard hash DRBG in certain circumstances.
Note:
    There is a macro _HASH_DRBG_DEBUG in hash_drbg.h. It is undefined by default. Define it only to display intermediate values while debugging. It MUST be undefined in practical use! Make sure that it is UNDEFINED!
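
For cross-checking the C code's intermediate values, the Hash_DRBG state update from SP 800-90A Rev.1 can be modelled in Python, where native integers stand in for OpenSSL's big-number arithmetic mod 2^seedlen. This is an added example, not code from this repository: the class and method names are hypothetical, only SHA-256 and SHA-512 are covered, and the caller is assumed to supply real entropy and to enforce the reseed interval.

```python
import hashlib

SEEDLEN = {"sha256": 440, "sha512": 888}  # seedlen in bits per SP 800-90A Rev.1

class HashDRBG:  # hypothetical name, reference model only
    def __init__(self, hash_name, entropy, nonce, personalization=b""):
        if hash_name not in SEEDLEN:
            raise ValueError("this model covers sha256 and sha512 only")
        self.hash_name = hash_name
        self.seedlen = SEEDLEN[hash_name]
        self.vlen = self.seedlen // 8  # V and C are fixed-width byte strings
        self._seed(entropy + nonce + personalization)

    def _hash(self, data):
        return hashlib.new(self.hash_name, data).digest()

    def _v(self):
        return self.V.to_bytes(self.vlen, "big")

    def hash_df(self, data, nbits):
        # Hash_df: Hash(counter || nbits as 32-bit integer || data), counter from 1
        out, counter = b"", 1
        while len(out) * 8 < nbits:
            out += self._hash(bytes([counter]) + nbits.to_bytes(4, "big") + data)
            counter += 1
        return out[: nbits // 8]

    def _seed(self, seed_material):
        v = self.hash_df(seed_material, self.seedlen)
        self.V = int.from_bytes(v, "big")
        self.C = int.from_bytes(self.hash_df(b"\x00" + v, self.seedlen), "big")
        self.reseed_counter = 1

    def reseed(self, entropy, additional=b""):
        self._seed(b"\x01" + self._v() + entropy + additional)

    def generate(self, nbytes, additional=b""):
        mod = 1 << self.seedlen  # every addition on V is taken mod 2^seedlen
        if additional:
            w = self._hash(b"\x02" + self._v() + additional)
            self.V = (self.V + int.from_bytes(w, "big")) % mod
        data, out = self.V, b""
        while len(out) < nbytes:  # Hashgen: hash V, V+1, V+2, ...
            out += self._hash(data.to_bytes(self.vlen, "big"))
            data = (data + 1) % mod
        h = int.from_bytes(self._hash(b"\x03" + self._v()), "big")
        self.V = (self.V + h + self.C + self.reseed_counter) % mod
        self.reseed_counter += 1
        return out[:nbytes]
```

Feeding both implementations the same constructed entropy, nonce and personalization string should give identical output; a mismatch usually points at the width of V (55 bytes for SHA-256, 111 for SHA-512) or a missing domain-separation prefix byte.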

Does it work with OpenSSL 3.0.0?
    The code here is designed to run with OpenSSL 1.1.1, but it can also be compiled and run with OpenSSL 3.0.0 on the Linux platform. A test with CentOS Linux 7.9 + gcc 4.8.5 + OpenSSL 3.0.0 has passed. The code cannot be compiled on the Windows platform with OpenSSL 3.0.0.
