Quality test for an hardware source of randomness

Question

Say that I developed an hardware source of randomness, which I would like to use to seed a cryptographically secure random number generator.

How would I go about testing it? Are there standardized tests that one can use to check wether or not his source of entropy is reliable enough to seed cryptographic random number generation?

For example, the guys at onerng.info claim to generate the entropy any user needs to protect his privacy and blablabla. How do they substantiate their claim? How can random number generators be verified?

Related: What tests can I do to ensure my PRNG is working correctly? and How to prove the security of the PRNG? (Potential duplicate even when this Q talks about TRNGs, while those other Qs talk about PRNGs?) — e-sushi, Feb 27 '17 at 17:42
@e-sushi I am sorry but both posts are about PSEUDO random number generators. Here I am talking about hardware random number generators that harvest entropy from physical phenomena. So one cannot prove that a RNG is secure, since the values generated by the measurements are not generated by an algorithm, about which one can write theorems. Or did I misunderstand something? — Matteo Monti, Feb 27 '17 at 17:58
That wraps it up somewhat correctly. In it’s most simple form: you can not prove something is random, you can only prove something is not random. As an aside: I once asked “How exactly is “true randomness” defined in the realms of cryptography?” in relation to TRNGs. The answers there might – or might not – be interesting too. — e-sushi, Feb 27 '17 at 18:54

score 5 · Accepted Answer · answered Feb 27 '17 at 22:44

NIST has a statistical test suite for testing (pseudo) random number generators. There are a number of other suites as well, such as Diehard, Dieharder, and TestU01.

But all these tests can do is disprove the claim that your generator is random; they cannot prove it. So you really need, in addition, an independent argument for why your generator's output really is random. A true random number generators generally comprises of:

A entropy source that outputs digitized samples of a random process (but whose output may be neither uniform nor independent).
A nondeterministic random bit generator (NRBG) that uses the entropy source's output to produce uniform and independent random bits.

So correspondingly, you need:

An argument that your entropy source is random and that justifies a lower bound on its entropy rate (how random it is, per unit of time);
An argument that your NRBG, given the noise source's output, produces full entropy outputs (uniform and independent random bits).

And there's no "bright line" test to be had here. You don't prove that your outputs "really are random"—you prove that the processes you're using to produce your outputs are sound, that your implementation of them reliable, that your hardware resists monitoring and interference, etc. You also provide health check mechanisms and fallbacks to detect and guard against failures.

You may be interested in the NIST SP 800-90 series, which details standards for random number generators:

In particular 90B deals with the entropy sources, and parts of 90C deal with nondeterministic random bit generators (NRBGs)—algorithms designed to take the output of a noise source and produce truly random outputs.

Among the hardest things to demonstrate/ensure is that an entropy source resists/detects plausible attempts to (and mishaps that) lower its entropy rate; e.g. that a ring oscillator won't synchronize on some nearby periodic signal. — fgrieu, Feb 28 '17 at 08:10

Quality test for an hardware source of randomness

1 Answers1

Linked