ISO/IEC DIS 20543

Description / Abstract: This International Standard specifies a methodology for the evaluation of non-deterministic or deterministic random bit generators intended to be used for cryptographic applications. The guidelines given herein shall enable the vendor of an RBG to submit well-defined claims of security to an evaluation authority and shall enable an evaluator or a tester, for instance a validation authority, to test, certify or reject these claims.

This International Standard is implementation-agnostic. Hence, it offers no specific guidance on design and implementation decisions for random bit generators. However, design and implementation issues influence the evaluation of an RBG under document, for instance because it requires the use of a stochastic model of the random source and because any such model must be supported by technical arguments pertaining to the design of the device at hand.

Random Bit Generators as evaluated under the present International Standard will aim to output bit strings that appear evenly distributed. Depending on the distribution of random numbers required by the consuming application, however, it is worth noting that additional steps may have to be taken (and may well be critical to security) by the consuming application to transform the random bit strings produced by the RBG into random numbers of a distribution suitable to the application requirements. Such subsequent transformations are outside the scope of evaluations performed under this document.