Regarding XTS-AES, this evaluation activity discusses independence:
"If AES-XTS is claimed then the evaluator shall examine the TSS to verify that the TOE creates full-length keys by methods that ensure that the two key halves are different and independent. The evaluator shall confirm the TSS describes the block of data containing the key and that is full block of data in alignment with selected the AES standard."
The core XTS-AES standards (NIST SP 800-38E and IEEE Std 1619-2007) do not require independence - they require that the two key halves are different, and only discuss independence in the informative (non-normative) sections of IEEE Std 1619-2007.
This language should be clarified to distinguish between information-theoretic independence and computational independence. Common methods for establishing keys (such as KDFs and RBGs as listed) generally provide only computational independence (i.e.: per SP 800-90C: "Real-world RBGs are designed with a security goal of indistinguishability from the output of an ideal randomness source. That is, given some limits on an adversary’s data and computing power, it is expected that no adversary can reliably distinguish between RBG outputs and outputs from an ideal randomness source.").
I suggest updating the verbiage to state explicitly "computationally independent" to reflect the achievable security property.
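The two key-establishment paths the issue refers to (an RBG and a KDF), as an added example that is not part of the issue or of any project code. It assumes XTS-AES-256, uses Python's `secrets` module as the RBG and HKDF-SHA-256 (RFC 5869) as the KDF, and all function names are hypothetical. The only enforceable check is the normative one, that the halves are different; independence of the halves rests on the computational assumptions behind the RBG or KDF.

```python
import hashlib
import hmac
import secrets

HALF_LEN = 32  # assumption: XTS-AES-256, i.e. two 256-bit halves (Key_1, Key_2)


class EqualHalvesError(ValueError):
    """Raised when Key_1 == Key_2, which the XTS-AES standards do not allow."""


def split_xts_key(key: bytes) -> tuple:
    """Split a full-length XTS key and enforce that the two halves differ."""
    if len(key) != 2 * HALF_LEN:
        raise ValueError("expected a 64-byte XTS-AES-256 key")
    key1, key2 = key[:HALF_LEN], key[HALF_LEN:]
    if hmac.compare_digest(key1, key2):  # constant-time comparison
        raise EqualHalvesError("XTS key halves are identical")
    return key1, key2


def xts_key_from_rbg() -> tuple:
    """RBG path: request all 512 bits from the OS CSPRNG in one call."""
    return split_xts_key(secrets.token_bytes(2 * HALF_LEN))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on the standard library."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xts_key_from_kdf(master: bytes, salt: bytes, context: bytes) -> tuple:
    """KDF path: one 64-byte output, so each half is a distinct HMAC block.
    The halves are independent only computationally (HMAC as a PRF)."""
    return split_xts_key(hkdf_sha256(master, salt, context, 2 * HALF_LEN))
```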