GM/T 0105-2021 Design guide for software-based random number generators
1 Scope
This document provides a basic model for the design of software-based RNGs, design guide for the basic components and a security classification method, as well as examples of SM3 algorithm- and SM4 algorithm-based designs attached in the annexes.
This document is applicable to the design, development, testing and evaluation of software-based RNGs.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 15852.1 Information technology - Security techniques - Message authentication codes - Part 1: Mechanisms using a block cipher
GB/T 17964 Information technology - Security techniques - Modes of operation for a block cipher
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32915-2016 Information security technology - Randomness test methods for binary sequence
GB/T 37092-2018 Information security technology - Security requirements for cryptographic modules
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 32915-2016, GB/T 37092-2018 and GM/Z 4001 and the following apply.
3.1
entropy
measure of the state of a closed system in terms of disorder, randomness or variability
Note: The entropy of a random variable X is a mathematical measure of the amount of information obtained by observing X.
3.2
entropy source
component, device, or event that generates an output, when the output is captured and processed in some way, a bit string containing entropy is generated
3.3
known-answer test
method of testing a deterministic mechanism by which a given input is processed and the resulting output is then compared to a known value
3.4
entropy pool
storage area where entropy is temporarily stored
3.5
min-entropy
lower bound of entropy, which is a worst-case estimate for determining the entropy of a sample
Note: If k is the maximum such that P(X = x)≤2-k, then the min-entropy of a bit string X (or, more precisely, the corresponding random variable forming such a random bit string) is k. That is, X contains at least k bits of entropy or randomness.
3.6
random number generator; RNG
device or program for generating random binary sequences
[Source: GB/T 32915-2016, 2.2]
3.7
seed
bit string used as an input to a RNG
3.8
reseed function
specific internal state transition function that updates the internal state when a new seed value is provided
3.9
critical security parameter
security relevant secret information which may endanger the security of cryptographic module once divulged or modified
Note: critical security parameter may be in plain text or encrypted.
[Source: GB/T 37092-2018, 3.3]
3.10
deterministic random number generator; DRNG
RNG that generates a sequence of randomly patterned bits by applying a deterministic algorithm to an appropriate random initial value (referred to as a "seed")
3.11
entropy rate
average size of the entropy contained per bit of data
3.12
cryptographic boundary
clearly defined perimeter that establishes physical and/or logical boundaries and includes all hardware, software and/or firmware components of the cryptographic module
[Source: GB/T 37092-2018, 3.4]
3.13
software-based RNG
RNG component in a software cryptographic module (or in the software component of a hybrid cryptographic module), either as a separate software cryptographic module or as part of a software cryptographic module (or the software component of a hybrid cryptographic module)
3.14
cryptographic module
set of hardware, software, and/or firmware that implements security functions and is contained within the cryptographic boundary
Note: By composition, cryptographic modules may be classified into hardware cryptographic module, firmware cryptographic module, software cryptographic module and hybrid cryptographic module.
[Source: GB/T 37092-2018, 3.5]
3.15
public security parameter
security-related public information which may endanger the security of cryptographic module once modified.
Note: For example, public key, public key certificate, self-signed certificate, trust anchor, one-time password associated with the counter and the date and time kept internally. A public security parameter is considered protected if it cannot be modified or if it can be discovered by the cryptographic module after being modified.
[Source: GB/T 37092-2018, 3.14]
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Design of software-based RNGs
5.1 Basic model
5.2 Entropy source
5.3 Entropy pool
5.4 Entropy estimation
5.5 Robustness test
5.6 DRNG
6 Method for classification of security levels
6.1 General
6.2 Security level I in GB/T 37092
6.3 Security level II in GB/T 37092
7 Implementation
7.1 General
7.2 Definition of critical security parameter
7.3 Exclusivity of entropy source
Annex A (Informative) Examples for structures of entropy source and entropy pool
Annex B (Normative) Design of SM3 algorithm-based RNG
Annex C (Informative) Entropy estimation method
Annex D (Normative) Continuous health test methods
Annex E (Normative) RNG design based on SM4 algorithm
Bibliography
GM/T 0105-2021 Design guide for software-based random number generators
1 Scope
This document provides a basic model for the design of software-based RNGs, design guide for the basic components and a security classification method, as well as examples of SM3 algorithm- and SM4 algorithm-based designs attached in the annexes.
This document is applicable to the design, development, testing and evaluation of software-based RNGs.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 15852.1 Information technology - Security techniques - Message authentication codes - Part 1: Mechanisms using a block cipher
GB/T 17964 Information technology - Security techniques - Modes of operation for a block cipher
GB/T 32905 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32915-2016 Information security technology - Randomness test methods for binary sequence
GB/T 37092-2018 Information security technology - Security requirements for cryptographic modules
GM/Z 4001 Cryptology terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 32915-2016, GB/T 37092-2018 and GM/Z 4001 and the following apply.
3.1
entropy
measure of the state of a closed system in terms of disorder, randomness or variability
Note: The entropy of a random variable X is a mathematical measure of the amount of information obtained by observing X.
3.2
entropy source
component, device, or event that generates an output, when the output is captured and processed in some way, a bit string containing entropy is generated
3.3
known-answer test
method of testing a deterministic mechanism by which a given input is processed and the resulting output is then compared to a known value
3.4
entropy pool
storage area where entropy is temporarily stored
3.5
min-entropy
lower bound of entropy, which is a worst-case estimate for determining the entropy of a sample
Note: If k is the maximum such that P(X = x)≤2-k, then the min-entropy of a bit string X (or, more precisely, the corresponding random variable forming such a random bit string) is k. That is, X contains at least k bits of entropy or randomness.
3.6
random number generator; RNG
device or program for generating random binary sequences
[Source: GB/T 32915-2016, 2.2]
3.7
seed
bit string used as an input to a RNG
3.8
reseed function
specific internal state transition function that updates the internal state when a new seed value is provided
3.9
critical security parameter
security relevant secret information which may endanger the security of cryptographic module once divulged or modified
Note: critical security parameter may be in plain text or encrypted.
[Source: GB/T 37092-2018, 3.3]
3.10
deterministic random number generator; DRNG
RNG that generates a sequence of randomly patterned bits by applying a deterministic algorithm to an appropriate random initial value (referred to as a "seed")
3.11
entropy rate
average size of the entropy contained per bit of data
3.12
cryptographic boundary
clearly defined perimeter that establishes physical and/or logical boundaries and includes all hardware, software and/or firmware components of the cryptographic module
[Source: GB/T 37092-2018, 3.4]
3.13
software-based RNG
RNG component in a software cryptographic module (or in the software component of a hybrid cryptographic module), either as a separate software cryptographic module or as part of a software cryptographic module (or the software component of a hybrid cryptographic module)
3.14
cryptographic module
set of hardware, software, and/or firmware that implements security functions and is contained within the cryptographic boundary
Note: By composition, cryptographic modules may be classified into hardware cryptographic module, firmware cryptographic module, software cryptographic module and hybrid cryptographic module.
[Source: GB/T 37092-2018, 3.5]
3.15
public security parameter
security-related public information which may endanger the security of cryptographic module once modified.
Note: For example, public key, public key certificate, self-signed certificate, trust anchor, one-time password associated with the counter and the date and time kept internally. A public security parameter is considered protected if it cannot be modified or if it can be discovered by the cryptographic module after being modified.
[Source: GB/T 37092-2018, 3.14]
Contents of GM/T 0105-2021
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Design of software-based RNGs
5.1 Basic model
5.2 Entropy source
5.3 Entropy pool
5.4 Entropy estimation
5.5 Robustness test
5.6 DRNG
6 Method for classification of security levels
6.1 General
6.2 Security level I in GB/T 37092
6.3 Security level II in GB/T 37092
7 Implementation
7.1 General
7.2 Definition of critical security parameter
7.3 Exclusivity of entropy source
Annex A (Informative) Examples for structures of entropy source and entropy pool
Annex B (Normative) Design of SM3 algorithm-based RNG
Annex C (Informative) Entropy estimation method
Annex D (Normative) Continuous health test methods
Annex E (Normative) RNG design based on SM4 algorithm
Bibliography