America's National Institute for Science and Technology (NIST) is looking for public input into its long-running project to improve cryptography.
The recommendation NIST's put up for discussion covers the design principles and requirements for random bit generators, and tests to validate entropy sources.
It's the entropy validation that NIST regards as most important in Special Publication 800-90B: rather than trying to tell crypto designers what crypto sources to use, it wants reliable ways to check the outputs.
NIST’s Elaine Barker, one of the publication’s authors, says in its release: “When you’re assessing your process for generating randomness, you want to make sure nothing is broken and that it is performing consistently. We would like the public’s input on ways we can improve these tests.”
The standard NIST is working on focusses on what's known as “independent” entropy sources – for non-cryptographers, that means sources of noise that don't depend on numbers like packet arrival times. It also covers the conditioning a developer might apply to the source, and techniques for testing entropy health at startup, continuously (that is, while the entropy source is in use), and on-demand.
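To make the startup-versus-continuous distinction concrete, here is an added example (not from the article or from NIST) of one health test SP 800-90B defines, the repetition count test, which trips when a noise source sticks on one value. The class and function names, the 2^-20 false-positive rate, the 1024-sample startup window and the sample streams are assumptions made for this sketch.

```python
import math
from itertools import chain, islice, repeat

class RepetitionCountTest:
    """Health test that trips when a noise source repeats one value too often."""

    def __init__(self, min_entropy, alpha_exp=20):
        # min_entropy: assessed min-entropy per sample, in bits (H).
        # Cutoff C = 1 + ceil(-log2(alpha) / H), with alpha = 2**-alpha_exp (assumed rate).
        self.cutoff = 1 + math.ceil(alpha_exp / min_entropy)
        self.last, self.run = None, 0

    def feed(self, sample):
        """Return False once the current run of identical samples reaches the cutoff."""
        if sample == self.last:
            self.run += 1
        else:
            self.last, self.run = sample, 1
        return self.run < self.cutoff

def first_failure(samples, min_entropy):
    """Continuous use: index of the sample that trips the test, or None if none does."""
    rct = RepetitionCountTest(min_entropy)
    for i, s in enumerate(samples):
        if not rct.feed(s):
            return i
    return None

def startup_ok(source, min_entropy, window=1024):
    """Startup use: test a window of samples before any output is released."""
    return first_failure(islice(source, window), min_entropy) is None

# Constructed sample data (not real noise): bytes that never repeat back to back,
# and the same stream after the source sticks at 0x00 from sample n onward.
def healthy():
    i = 0
    while True:
        yield (i * 37 + 11) % 256
        i += 1

def stuck_after(n):
    return chain(islice(healthy(), n), repeat(0x00))

if __name__ == "__main__":
    print("cutoff at H=4:", RepetitionCountTest(4).cutoff)
    print("startup, fault at sample 100:", startup_ok(stuck_after(100), 4))
    print("startup, fault at sample 2000:", startup_ok(stuck_after(2000), 4))
    print("continuous test trips at:", first_failure(stuck_after(2000), 4))
```

A source that fails only after the startup window passes the startup check, which is why the same test has to keep running while the source is in use.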
SP 800-90B also sets out the workflow for accredited test laboratories in the process.
SP 800-90B is one of three documents in the 800-90 series: 800-90A specifies random number generation algorithms (aiming, along the way, to avoid a repeat of the Dual_EC_DRBG scandal exposed by Edward Snowden's document dumps), while SP 800-90C specifies how to put entropy sources and random number algorithms together at the system level.
SP 800-90B is open for comment until May 9, 2016, and on May 2, NIST is hosting a random bit generation workshop.