A deterministic random bit generator (DRBG).

Create a DRBG with new, and then use and reuse it to generate bytes as needed.

A HMAC function, taking a key as the first argument and the input value as the second, producing a MAC digest.

>>> import qualified Crypto.Hash.SHA256 as SHA256
>>> :t SHA256.hmac
SHA256.hmac :: BS.ByteString -> BS.ByteString -> BS.ByteString

Create a DRBG from the supplied HMAC function, entropy, nonce, and personalization string.

You can instantiate the DRBG using any appropriate HMAC function; it should merely take a key and value as input, as is standard, and return a MAC digest, each being a strict ByteString.

The DRBG is returned in any PrimMonad, e.g. ST or IO.

>>> import qualified Crypto.Hash.SHA256 as SHA256
>>> new SHA256.hmac entropy nonce personalization_string
"<drbg>"

Generate bytes from a DRBG, optionally injecting additional bytes per SP 800-90A.

>>> import qualified Data.ByteString.Base16 as B16
>>> drbg <- new SHA256.hmac entropy nonce personalization_string
>>> bytes0 <- gen addl_bytes 16 drbg
>>> bytes1 <- gen addl_bytes 16 drbg
>>> B16.encode bytes0
"938d6ca6d0b797f7b3c653349d6e3135"
>>> B16.encode bytes1
"5f379d16de6f2c6f8a35c56f13f9e5a5"

Reseed a DRBG.

Each DRBG has an internal reseed counter that tracks the number of requests made to the generator (note requests made, not bytes generated). SP 800-90A specifies that a HMAC-DRBG should support 2 ^ 48 requests before requiring a reseed, so in practice you're unlikely to ever need to use this to actually reset the counter.

Note however that reseed can be used to implement "explicit" prediction resistance, per SP 800-90A, by injecting entropy generated elsewhere into the DRBG.

>>> import qualified System.Entropy as E
>>> entropy <- E.getEntropy 32
>>> reseed entropy addl_bytes drbg
"<reseeded drbg>"