BSI publication: Functionality classes and evaluation methodology for true (physical) random number generators
T-Systems debis Systemhaus Information Security Services, Bonn
Priv.-Doz. Dr. Werner Schindler
Bundesamt für Sicherheit in der Informationstechnik (BSI) , Bonn
A proposal for:
Functionality classes and evaluation methodology
for true (physical) random number generators
A. Motivation, aims and overview of contents 2
B. Definitions and notation 2
C. Functionality classes 3
D. Evaluation methodology 16
E. Examples 25
F. Statistical tests 33
G. Literature 37
The authors wish to express their thanks for the numerous comments, suggestions and notes that have been incorporated
into this document.
A. Motivation, aims and overview of contents
A.1 Motivation and aims: Although random numbers play an important role in
numerous cryptographic applications, ITSEC and CC do not specify any uniform
evaluation criteria for random numbers. This document describes the evaluation
criteria for true (physical) random number generators. This paper is a counterpart to
the mathematical basis of [AIS20].
A.2 Overview of contents: Chapter B describes the object of investigation. Chapter C
introduces two functionality classes (P1, P2), providing reasons for this classification.
Chapter D describes the tasks of the evaluator, insofar as they are relevant for
investigating the TRNG, but makes no claim to present the requirements of the ITSEC
and CC criteria in their entirety. Chapter E provides several detailed examples to
explain the class-specific requirements.
(i) These evaluation methods cannot be applied to random number generators whose
noise source lies outside of the TOE (e.g. random keyboard entries by the user).
(ii) If applicants use a physical random number generator that cannot be assigned to
functionality class P1 or P2 and if they are applying for a German IT security
certificate, then BSI must be contacted.
B. Definitions and notation
B.1 Definitions: A true (physical) random number generator (abbreviated to TRNG)
uses the noise signals from an internal physical noise source to generate random
numbers. The values that result directly from the digitisation of analogue noise signals
are referred to as digitised noise signals in the following. The term internal random
number is used to refer to the values following mathematical post-processing
(optional; see also C.2) of the digitised noise signal sequence. An ideal random
number generator (theoretical!) generates independent random numbers that assume
all possible values to the same probability. In the following, we understand online tests
as statistical tests or – more precisely – a test specification applied during effective
operation to the digitised noise signal sequence generated by the TRNG or to internal
random numbers with the aim of verifying that the TRNG is functioning correctly. A
conspicuous statistical feature detected by an online test leads to a noise alarm which
in turn leads to the TRNG being stopped at least temporarily. We speak of total failure
(of the noise source) if the digitised noise signal sequence is constant from this time
on. Depending on the context, we understand the entropy per bit as the quotient
(entropy per digitised noise signal / width of the binary representation of a digitised
noise signal) or (entropy per internal random number / number of bits in the binary
representation of an internal random number).
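As an added illustration of the B.1 terms (example code, not part of the BSI text and not the online tests the document later prescribes), the following Python models a digitised noise signal sequence, an optional post-processing step of the kind mentioned in C.2, an online test that raises a noise alarm on total failure or low entropy per bit, and the entropy-per-bit quotient; the 64-value window, the 0.9 threshold, the plug-in entropy estimate and the XOR post-processing are assumptions.

```python
from collections import Counter
from math import log2


class NoiseAlarm(Exception):
    """Raised by the online test; per B.1 the TRNG is then stopped at least temporarily."""


def entropy_per_bit(values, width):
    """B.1 quotient: (entropy per digitised noise signal) / (width of its binary
    representation). Uses the plug-in Shannon estimate; the document does not
    prescribe an estimator, so this choice is an assumption."""
    n = len(values)
    h = -sum(c / n * log2(c / n) for c in Counter(values).values())
    return h / width


def total_failure(values, window):
    """B.1 total failure: the sequence is constant 'from this time on'. A finite
    observer can only check the last `window` values, so the window is an assumption."""
    tail = values[-window:]
    return len(tail) == window and len(set(tail)) == 1


def online_test(values, width, window=64, min_entropy_per_bit=0.9):
    """Illustrative online test on the digitised noise signal sequence: a
    total-failure check plus an entropy-per-bit threshold. Returns the estimate or
    raises NoiseAlarm. The 0.9 threshold is an assumption, not a BSI requirement."""
    if total_failure(values, window):
        raise NoiseAlarm("total failure: digitised noise signal constant")
    h = entropy_per_bit(values, width)
    if h < min_entropy_per_bit:
        raise NoiseAlarm(f"entropy per bit {h:.3f} below {min_entropy_per_bit}")
    return h


def xor_fold(values):
    """Optional post-processing (C.2): XOR pairs of digitised noise signals into one
    internal random number, halving the rate. One possible step, chosen for illustration."""
    return [a ^ b for a, b in zip(values[0::2], values[1::2])]


if __name__ == "__main__":
    # Constructed sample inputs: 8-bit digitised noise signals.
    uniform = list(range(256)) * 16          # every value equally often
    biased = [0] * 3000 + [1] * 1096         # almost two-valued source
    stuck = uniform + [7] * 64               # noise source fails, output freezes
    for name, seq in (("uniform", uniform), ("biased", biased), ("stuck", stuck)):
        try:
            print(name, "entropy per bit = %.3f" % online_test(seq, 8))
        except NoiseAlarm as alarm:
            print(name, "NOISE ALARM:", alarm)
    print("post-processed:", xor_fold([0b1010, 0b0101, 3, 3]))   # [15, 0]
```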
C. Functionality classes
C.0 Reason for introducing functionality classes: A TRNG contains an internal
physical noise source. It usually delivers an analogue signal that is digitised for further
processing. The digitised noise signal can be transformed into an internal random
number sequence by means of post-processing in order to improve the probability
distribution of the digitised noise signal sequence. For good physical noise sources,
post-processing is not necessary and the digitised noise signal can be transmitted
directly to the output block. In this case, the sequence of internal random numbers
corresponds to the digitised noise signal sequence. The output block synchronises the
continuous or non-periodic generation of the internal random sequence with the calling
of the (external) random number sequence. The noise source delivers the entropy of
the output random number sequence that increases with every generated random
It must be clarified whether – or rather to what extent – a physical random number
generator behaves like an ideal random number generator. In contrast to [AIS20],
however, it is hardly possible to provide theoretical proofs. Instead, the assessment of
a physical random number generator is essentially based on statistical tests. On the
basis of different potential attack scenarios, various applications can place different
requirements on the properties of the external, and therefore of course also the internal,
random numbers. In order to take this circumstance into account, we will introduce
two functionality classes (P1 and P2) in the following. With regard to the intended
applications, classes P1 and P2 essentially correspond to classes K1 and K2 as well as
K3 and K4 in [AIS20].
Roughly speaking, the P1 property requires the internal random numbers to be
statistically inconspicuous. The P2-specific requirements should guarantee that they
are practically impossible to determine even if the predecessors or successors are
known. Depending on the maximum attack potential (specified here in the strength of
mechanisms) attributed to a potential perpetrator, the TOE must itself recognise total
failure or any interference that occurs in the noise source and may need to be able to
resist systematic manipulation attempts.
Various examples are discussed in Chapter E.
C.1 The applicant must at least specify:
(i) The desired functionality class (P1, P2) with the strength of mechanisms (ITSEC)
and functions (CC).
(iia) Information about the TRNG’s structure and mode of functioning, together with
the specification form and specification depth required for the evaluation level, must
be provided in the detailed design from ITSEC E2 and in the low level design as of CC
EAL 4 in accordance with ADV_LLD.1. For ITSEC E1, the applicant must state the
TRNG’s structure and mode of functioning as part of the proof of the strength of
mechanisms in accordance with [JIL], Section 6.5.
(iib) As of ITSEC E3 under implementation or for CC EAL5 under ATE_DPT.2 tests:
Low-level design, the applicant must supply proof of the statistical tests in line with
the intended functionality class.
(iii) A clear description of how the noise signal is generated, together with an
explanation of why a digitised random noise signal is to be induced in this way.
+ additional specifications listed in subsection f) of the corresponding functionality
C.2 Delimitation of the target of evaluation TRNG:
A deterministic random number generator (DRNG) is given a seed by an external
source and uses the state function to calculate a sequence of internal states. An image
of this sequence generated using the output function is output (random number
sequence). The overall entropy of the output sequence lies in the initial value. The
overall entropy of a sequence of internal random numbers generated by a TRNG, on
the other hand, increases with each random number. TRNGs are based on physical
random processes, the observed analogue variables of which are prepared for digital
processing. Processes that are digitised in all their parameters (time, level, etc.), i.e.
limited to a finite number of states, will generally have deterministic behaviour and be
regarded as DRNGs.
The following diagram visualises the essential parts of TRNGs and DRNGs as well as
seed generation for DRNGs as a possible application for TRNGs. It represents the
typical sequential processing of the signals. Network structures, for example a mixture
of different analogue noise sources and post-processed signals that are already digitised,
are basically possible but render the analysis more complicated and costly (e.g.
decomposition). Mathematical post-processing of the digitised noise signals is
optional. If it is not performed, the digitised noise signals agree with the internal random number sequence.
A TOE can contain a random number generator as a combination of a TRNG for
generating the seed and a DRNG for generating the random number sequence. In such
a case, the analysis of the TRNG serves to back up the reason requested from the
applicant in [AIS20], C.1(iv) that the seed generation really does induce the
. The DRNG must be evaluated in accordance with [AIS20].
C.3 General comment on the specification of the functionality classes:
Sub-section d) describes the class-specific requirements. The details needed for
evaluation in addition to C.1 (i) – (iii) are combined in sub-section f). The remaining
sub-sections illustrate and justify the selection and aim of these requirements. Sub-sections i) and j) (see Chapter D) describe and explain the tasks of the evaluator.