Understanding TRNG NIST Standards: A Complete Guide to the 15 Statistical Tests for True Random Number Generation
- Hasan Kurşun
- Feb 1
- 14 min read
In the era of post-quantum cryptography, the security of cryptographic systems fundamentally depends on one critical component: high-quality random number generation. Whether you're implementing ML-KEM key encapsulation, ML-DSA digital signatures, or securing critical infrastructure, the entropy source at the foundation of your security architecture must be both unpredictable and rigorously validated.
At Aegis Semiconductor, our hardware-accelerated post-quantum cryptography solutions incorporate NIST-compliant True Random Number Generators (TRNGs) that have been rigorously tested against the industry's most stringent standards. This comprehensive guide explores the NIST standards for TRNG validation, with particular focus on the 15 statistical tests that validate the randomness quality of cryptographic random number generators.
Why TRNG Validation Matters for Cryptographic Security
True Random Number Generators are the bedrock of cryptographic security. Unlike Pseudo-Random Number Generators (PRNGs) that produce deterministic outputs from seed values, TRNGs harvest entropy from physical phenomena—thermal noise, quantum effects, or timing jitter—to produce genuinely unpredictable outputs.
The Critical Role in Post-Quantum Cryptography
With quantum computers on the horizon threatening classical encryption schemes like RSA-2048 and ECDSA-256, the transition to post-quantum cryptography (PQC) is no longer optional. The NIST-standardized algorithms—FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA)—all require high-quality random numbers for:
Key generation: Creating lattice-based public/private key pairs
Nonce generation: Ensuring signature uniqueness
Ephemeral key material: Establishing secure communication channels
Salt generation: Protecting against rainbow table attacks
A compromised TRNG undermines the entire security architecture, regardless of how strong the cryptographic algorithms are. This makes TRNG validation not just important—it's essential.
The NIST SP 800-90 Series: A Framework for Random Bit Generation
The National Institute of Standards and Technology (NIST) has developed a comprehensive framework for random bit generation through the Special Publication (SP) 800-90 series:
SP 800-90A: Deterministic Random Bit Generators (DRBGs)
SP 800-90A Rev. 1 specifies approved mechanisms for generating random bits using deterministic methods based on hash functions or block cipher algorithms. These DRBGs extend entropy from a seed to produce longer sequences of random bits.
Reference: NIST SP 800-90A Rev. 1, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators," June 2015
Note: SP 800-90A Rev. 2 is currently under development (public comments open through November 2025) to align with SP 800-90C and add support for SHA-3, SHAKE, and Ascon-based DRBGs
SP 800-90B: Entropy Sources for Random Bit Generation
SP 800-90B (January 2018) is the cornerstone standard for validating entropy sources used by TRNGs. This specification defines:
Design principles for entropy sources
Requirements for noise source validation
Health testing procedures
Min-entropy estimation methods
Statistical tests for IID (Independent and Identically Distributed) data
Reference: NIST SP 800-90B, "Recommendation for the Entropy Sources Used for Random Bit Generation," January 2018
Key Requirements from SP 800-90B
Min-Entropy Requirement: Entropy sources must provide sufficient min-entropy. For IID sources, the requirement is typically ≥7.2 bits per byte.
Health Testing: Continuous monitoring of the noise source to detect failures or degradation.
Statistical Validation: Rigorous testing using both IID and non-IID test suites.
Restart Testing: Verification that entropy quality is maintained after power cycles.
SP 800-90C: Random Bit Generator Construction
SP 800-90C (September 2025) completes the SP 800-90 series by providing specifications for constructing Random Bit Generators that combine the entropy sources from SP 800-90B with the DRBGs from SP 800-90A. This final standard defines four RBG construction classes: RBG1 (seeded from external source), RBG2 (on-demand entropy source), RBG3 (continuous entropy with full entropy output), and RBGC (custom constructions).
Reference: NIST SP 800-90C, "Recommendation for Random Bit Generator (RBG) Constructions," September 2025
NIST SP 800-22: The 15 Statistical Tests for Randomness
While SP 800-90B addresses entropy source validation, NIST SP 800-22 Rev. 1a provides the definitive statistical test suite for validating the quality of both random and pseudorandom number generators for cryptographic applications.
Reference: NIST SP 800-22 Rev. 1a, "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications," April 2010
Document: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-22r1a.pdf
Test Suite Software: Available at https://csrc.nist.gov/projects/random-bit-generation/documentation-and-software
Understanding the NIST Statistical Test Suite
The NIST SP 800-22 test suite consists of 15 distinct tests (with some tests containing multiple sub-tests, bringing the total to 188 test items). These tests examine different aspects of randomness to detect various types of non-randomness that could compromise cryptographic security.
Test Methodology
Each test uses hypothesis testing with:
Null Hypothesis (H₀): The sequence is random
Alternative Hypothesis (Hₐ): The sequence is non-random
Significance Level (α): Typically set to 0.01 (1%)
For each test, a p-value is calculated:
P-value ≥ 0.01: Sequence passes (accept randomness with 99% confidence)
P-value < 0.01: Sequence fails (reject randomness)
Recommended Test Parameters
Sequence Length: Minimum 1,000,000 bits (1 Mbit) per sequence
Number of Sequences: At least 10 sequences, recommended 100-1000 for robust validation
Binary Format: Tests operate on binary data (0s and 1s)
The 15 NIST SP 800-22 Statistical Tests: Detailed Breakdown
Test 1: Frequency (Monobit) Test
Purpose: Determines whether the number of ones and zeros in the entire sequence are approximately equal, as expected in a random sequence.
What It Tests: Global balance of 0s and 1s
Test Statistic:
sobs = |Σ(2Xi - 1)| / √n
Where Xi are the bits in the sequence and n is the sequence length.
Pass Condition:
P-value ≥ 0.01
Proportion of passing sequences: 0.99 ± 0.0094392 (for 1000 sequences)
Why It Matters: An imbalance suggests bias in the generator, which could be exploited to predict outputs.
Example Application: A sequence with 500,400 ones and 499,600 zeros in 1 million bits would likely pass, while 520,000 ones would likely fail.
Test 2: Frequency Test within a Block (Block Frequency Test)
Purpose: Determines whether the frequency of ones within M-bit blocks is approximately M/2.
What It Tests: Local balance of 0s and 1s across subsequences
Parameters:
Block size M (typically M = 128 or M = 10,000)
Number of blocks N = ⌊n/M⌋
Test Statistic:
χ² = 4M Σ(πi - 0.5)²
Where πi is the proportion of ones in block i.
Pass Condition: P-value ≥ 0.01
Why It Matters: Detects localized non-randomness that the monobit test might miss.
Recommended Input Size: n ≥ 100
Test 3: Runs Test
Purpose: Determines whether the number of runs (uninterrupted sequences of identical bits) of various lengths is as expected for a random sequence.
What It Tests: Oscillation between 0s and 1s
Definition: A run is an uninterrupted sequence of identical bits bounded by bits of opposite value.
Test Statistic:
Proportion π = Σ Xi / n
Pre-test: |π - 0.5| < 2/√n
Vobs = Σ r(k) + 1 (where r(k) = 0 if Xk = Xk+1, else 1)
Pass Condition:
P-value ≥ 0.01
Pre-test must pass first
Why It Matters: Too few runs suggest clustering; too many suggest rapid oscillation.
Recommended Input Size: n ≥ 100
Test 4: Test for the Longest Run of Ones in a Block
Purpose: Determines whether the length of the longest run of ones is consistent with the expected length in a random sequence.
What It Tests: Distribution of longest runs in subsequences
Parameters:
For n < 6,272: M = 8, K = 3
For 6,272 ≤ n < 750,000: M = 128, K = 5
For n ≥ 750,000: M = 10⁴, K = 6
Pass Condition: P-value ≥ 0.01
Why It Matters: Unusually long or short runs indicate non-randomness in the generator's output.
Recommended Input Size: n ≥ 128
Test 5: Binary Matrix Rank Test
Purpose: Checks for linear dependence among fixed-length substrings of the original sequence.
What It Tests: Linear independence and structural complexity
Method:
Divide sequence into 32×32 bit matrices
Compute rank of each matrix using binary arithmetic
Compare distribution of ranks to expected distribution
Expected Ranks for Random Data:
Full rank (32): ~29.3%
Rank 31: ~69.3%
Rank ≤30: ~1.4%
Pass Condition: P-value ≥ 0.01
Why It Matters: Detects linear dependencies that could be exploited cryptographically.
Recommended Input Size: n ≥ 38,912
Test 6: Discrete Fourier Transform (Spectral) Test
Purpose: Detects periodic features in the bit stream that would indicate non-randomness.
What It Tests: Presence of periodic patterns via frequency domain analysis
Method:
Convert binary sequence to ±1 values
Apply Discrete Fourier Transform (DFT)
Analyze peak heights in frequency spectrum
Test Statistic: Measures deviation from expected 95% threshold
Pass Condition: P-value ≥ 0.01
Why It Matters: Periodic patterns are a critical weakness in cryptographic applications.
Recommended Input Size: n ≥ 1,000 (optimal: 1,000,000)
Note: NIST recommends using this test only for sequences of 1,000,000 bits.
Test 7: Non-overlapping Template Matching Test
Purpose: Detects generators that produce too many occurrences of a given non-periodic pattern.
What It Tests: Frequency of specific m-bit patterns (templates)
Parameters:
Template length m (typically m = 9 or m = 10)
Number of templates: 148 for m = 9, 300+ for m = 10
Method: Count non-overlapping occurrences of each template
Pass Condition: P-value ≥ 0.01 for each template
Why It Matters: Detects pattern biases that could reveal information about the generator's internal state.
Recommended Input Size: n ≥ 10⁶
Test 8: Overlapping Template Matching Test
Purpose: Similar to Test 7, but counts overlapping occurrences of a specific pattern.
What It Tests: Frequency of specific patterns (typically all-ones)
Standard Template: m = 9 bits, all ones (111111111)
Method: Count overlapping occurrences across the sequence
Pass Condition: P-value ≥ 0.01
Why It Matters: Complements the non-overlapping test by detecting clustering of patterns.
Recommended Input Size: n ≥ 10⁶
Test 9: Maurer's Universal Statistical Test
Purpose: Detects whether the sequence can be significantly compressed without loss of information.
What It Tests: Compressibility and statistical complexity
Method:
Divide sequence into blocks
Measure spacing between repeated patterns
Calculate average compression metric
Theory: Random sequences are not compressible; patterns allow compression.
Parameters:
L: block length (6 ≤ L ≤ 16)
Q: initialization blocks (~10 × 2^L)
Pass Condition: P-value ≥ 0.01
Why It Matters: Compressibility indicates predictability, a fatal flaw in cryptographic RNGs.
Recommended Input Size: n ≥ (Q + K) × L × 10
Test 10: Linear Complexity Test
Purpose: Determines whether the sequence is complex enough to be considered random.
What It Tests: Linear complexity via Berlekamp-Massey algorithm
Definition: Linear complexity is the length of the shortest Linear Feedback Shift Register (LFSR) that can produce the sequence.
Expected Complexity: For a truly random n-bit sequence, complexity ≈ n/2
Parameters: Block size M (typically M = 500 or M = 1000)
Pass Condition: P-value ≥ 0.01
Why It Matters: Low complexity means the sequence can be reproduced with a small LFSR, compromising security.
Recommended Input Size: n ≥ 10⁶
Test 11: Serial Test
Purpose: Determines whether the number of occurrences of m-bit overlapping patterns is approximately the same as would be expected for a random sequence.
What It Tests: Frequency of all possible m-bit patterns and (m-1)-bit patterns
Parameters: Block length m (typically m = 16)
Outputs: Two p-values
∇ψ²(m): First derivative statistic
∇²ψ²(m): Second derivative statistic
Pass Condition: Both p-values ≥ 0.01
Why It Matters: Detects non-uniform distribution of overlapping patterns.
Recommended Input Size: n ≥ max(m × 2^(m-2), 100)
Test 12: Approximate Entropy Test
Purpose: Compares the frequency of overlapping blocks of two consecutive lengths against the expected result for a random sequence.
What It Tests: Local randomness and pattern distribution
Parameter: Block length m (typically m = 10)
Method: Measures regularity using Shannon entropy concepts
Test Statistic:
ApEn(m) = Φ(m) - Φ(m+1)
Pass Condition: P-value ≥ 0.01
Why It Matters: Approximate entropy quantifies unpredictability and irregularity.
Recommended Input Size: n ≥ 100 × 2^m
Test 13: Cumulative Sums (Cusum) Test
Purpose: Determines whether the cumulative sum of the sequence is too large or too small relative to the expected behavior of random sequences.
What It Tests: Bias in different portions of the sequence
Modes:
Forward mode: cumulative sum from start to end
Backward mode: cumulative sum from end to start
Method: Track maximum excursion of cumulative sum from zero
Pass Condition: P-value ≥ 0.01 for both modes
Why It Matters: Detects localized bias that global tests might miss.
Recommended Input Size: n ≥ 100
Test 14: Random Excursions Test
Purpose: Determines if the number of visits to a particular state within a cycle deviates from what would be expected for a random sequence.
What It Tests: Distribution of visits to states in a random walk
Applicability: Only for sequences where cumulative sum crosses zero sufficiently (≥500 times recommended)
States Tested: x = -4, -3, -2, -1, +1, +2, +3, +4
Method:
Convert sequence to random walk
Identify cycles (excursions between zero crossings)
Count visits to each state
Compare to theoretical distribution
Pass Condition: P-value ≥ 0.01 for each state
Why It Matters: Detects deviations in random walk behavior that indicate non-randomness.
Recommended Input Size: n ≥ 10⁶
Test 15: Random Excursions Variant Test
Purpose: Detects deviations from expected number of total visits to particular states in a random walk.
What It Tests: Total occurrences of states across all cycles
Applicability: Same as Test 14 (requires ≥500 zero crossings)
States Tested: x = -9 through +9 (excluding 0)
Difference from Test 14: Counts total visits across all cycles, not per-cycle distribution
Pass Condition: P-value ≥ 0.01 for each state
Why It Matters: Complements Test 14 by examining aggregate behavior.
Recommended Input Size: n ≥ 10⁶
Interpreting NIST Test Results: Pass/Fail Criteria
Individual Test Pass Criteria
For each individual test on a single sequence:
P-value ≥ 0.01: PASS
P-value < 0.01: FAIL
Multi-Sequence Testing
When testing multiple sequences (recommended N = 100 to 1000):
1. Proportion of Passing Sequences
For α = 0.01 significance level, the expected proportion of passing sequences is 0.99.
Acceptance Interval (for 1000 sequences):
0.99 ± 3√[(0.99 × 0.01)/1000] = 0.99 ± 0.0094392
Range: [0.9805608, 0.9994392]
Refined Interval (using constant 2.6 instead of 3):
0.99 ± 0.0081673
Range: [0.9818327, 0.9981673]
2. Uniformity of P-values Test
The distribution of p-values should be uniform across [0,1].
Method:
Divide [0,1] into K = 10 equal sub-intervals
Count p-values in each sub-interval
Perform chi-square goodness-of-fit test
Pass Condition: P_T ≥ 0.0001
Overall Pass Criteria
According to research on NIST STS interpretation, sequences can be considered random if:
They fail less than 7 individual NIST tests out of 188 total test items
They fail less than 7 tests of uniformity of p-values (for 100 sequences)
They fail less than 10 tests of proportion of passing sequences
Binary vs. IID Testing: SP 800-90B Considerations
IID (Independent and Identically Distributed) Testing
SP 800-90B includes specific tests for IID data:
IID Track Requirements:
Min-entropy ≥ 7.2 bits per byte
Chi-square independence tests
Permutation tests
Collision tests
Non-IID Track:
18 different estimators for min-entropy
Compression tests
Markov chain models
Predictability testing
Min-Entropy Benchmarks
High-Quality TRNGs typically achieve:
IID min-entropy: 7.85+ bits per byte
Comparison: ID Quantique Quantis achieves 7.8744 bits/byte
Software TRNGs: 7.4+ bits per byte (e.g., Red Hat CPU Time Jitter RNG: 7.4528 bits/byte)
TRNG Implementation in Aegis Semiconductor Products
At Aegis Semiconductor, all our post-quantum cryptography solutions incorporate NIST-compliant hardware TRNGs:
PQCAsic-Lite
Our compact, power-efficient solution includes:
Hardware TRNG: Noise source compliant with SP 800-90B
Post-processing: Conditioning circuit meeting SP 800-90A requirements
Health Testing: Continuous monitoring per SP 800-90B
Entropy Rate: High-quality entropy suitable for all PQC operations
Applications: IoT devices, satellites, automotive ECUs, medical devices
PQCAsic-Pro
Our high-performance solution features:
Enhanced TRNG: High-throughput entropy source
FIPS 140-3 Path: Designed for Level 2/3 certification
Hardware Security: PUF (Physical Unclonable Function) integration
Tamper Detection: Active monitoring of physical attacks
Applications: Data centers, financial services, telecommunications, government & defense
AegisPQC-HSM USB
Our portable HSM includes:
Secure TRNG: Protected against side-channel attacks
Key Generation: On-device random key material generation
Certification: NIST SP 800-90 compliant design
Applications: Code signing, document encryption, VPN authentication
Testing Your TRNG: Practical Guidelines
Step 1: Data Collection
Requirements:
Collect at least 1,000,000 bits (125 KB) per test sequence
Recommended: 100-1000 sequences for robust statistical validation
Format: Binary or ASCII (0s and 1s)
Tools:
Direct hardware readout
UART/QSPI interface for embedded TRNGs
PCIe interface for high-throughput devices
Step 2: Running NIST SP 800-22 Tests
Software: Download from NIST
Source: https://csrc.nist.gov/projects/random-bit-generation/documentation-and-software
Current version: sts-2.1.2
Platform: Linux/Unix (or Windows with Cygwin/WSL)
Execution:
./assess <sequence_length>
# Select test parameters
# Provide data file
# Wait for analysis completion
Step 3: Running NIST SP 800-90B Tests
Software: EA (Entropy Assessment) tool
Key Tests:
IID permutation tests
Non-IID entropy estimation
Restart tests
Health test validation
Step 4: Analyzing Results
Check:
Individual p-values for each test
Proportion of passing sequences
Uniformity of p-value distribution
Min-entropy estimates (SP 800-90B)
Documentation:
Save finalAnalysisReport.txt
Review individual test reports
Document any failures and investigate root causes
Common Pitfalls and How to Avoid Them
1. Insufficient Sequence Length
Problem: Short sequences don't provide enough data for robust statistical analysis.
Solution: Always use ≥1,000,000 bits per sequence, preferably more for critical applications.
2. Post-Processing Masking Issues
Problem: Heavy post-processing can mask underlying entropy source problems.
Solution: Test raw entropy source separately from conditioned output.
3. Environmental Dependencies
Problem: TRNG performance varies with temperature, voltage, aging.
Solution: Test under various conditions (temperature extremes, voltage variations, post-burn-in).
4. Autocorrelation in Hardware TRNGs
Problem: Sampling rate too high relative to noise source bandwidth.
Solution: Use appropriate sampling rate or implement decorrelation in post-processing.
5. Neglecting Restart Testing
Problem: TRNG produces poor entropy immediately after power-on.
Solution: Implement proper initialization and test restart behavior per SP 800-90B.
Regulatory Requirements and Certifications
FIPS 140-3 Validation
The Federal Information Processing Standard (FIPS) 140-3 requires:
Compliance with SP 800-90A/B/C
Physical security measures
Self-tests and health monitoring
Documentation of entropy source design
Levels:
Level 1: Basic security
Level 2: Physical tamper evidence
Level 3: Tamper response, identity-based authentication
Level 4: Comprehensive physical protection
NSA/CNSA 2.0 Requirements
Commercial National Security Algorithm Suite 2.0 mandates:
Approved entropy sources per SP 800-90B
Post-quantum cryptography algorithms
Timeline: 2025-2030 transition for NSS
Industry-Specific Requirements
Financial Services (PCI DSS v4.0):
Strong cryptographic key generation
Approved RNGs for payment systems
Timeline: 2025-2028 quantum-safe requirements
Automotive (ISO/SAE 21434):
Secure random number generation for V2X
Protection against adversarial attacks
Hardware security module integration
Healthcare (HIPAA Security Rule):
Encrypted PHI requires strong RNGs
Audit trails for key generation
Compliance with NIST standards
Future Developments in TRNG Standards
SP 800-90A Revision 2
NIST is actively working on SP 800-90A Rev. 2 with several key updates:
Status: Public comment period open through November 4, 2025
Expected Updates:
Alignment with finalized SP 800-90C (published September 2025)
Updated definition of full entropy output
Removal of deprecated algorithms (TDES and SHA-1)
New XOF_DRBG construction
Addition of SHA-3, SHAKE, and Ascon options for existing DRBGs
Replacement of nonces with larger entropy input requirements
SP 800-22 Revision
NIST announced plans to revise SP 800-22:
Status: Revision approved (April 19, 2022), but draft preparation has not yet started as of February 2026
Expected Updates:
Refined statistical tests
Improved guidance on interpretation
Updates for modern RNG architectures
Timeline: No public draft available yet; monitor CSRC News for updates
Quantum Random Number Generators (QRNGs)
Emerging standards for quantum-based entropy sources:
SP 800-90B compliance for quantum sources
Additional validation for quantum-specific phenomena
Integration with PQC workflows
Post-Quantum Cryptography Impact
As PQC deployments accelerate:
Higher entropy requirements for larger key sizes
Faster TRNG throughput needed
Hardware acceleration becoming essential
Conclusion: Ensuring Cryptographic Integrity Through Rigorous Testing
The security of post-quantum cryptography—and indeed all cryptographic systems—depends on the quality of random number generation. The NIST SP 800-90 series and SP 800-22 statistical tests provide a comprehensive framework for validating TRNGs, ensuring they produce the unpredictable, high-entropy outputs that cryptographic security demands.
At Aegis Semiconductor, we've built this rigorous validation into our hardware-accelerated PQC solutions. Our TRNGs undergo extensive testing against all 15 NIST SP 800-22 statistical tests and meet the stringent requirements of SP 800-90B entropy assessment. This ensures that whether you're deploying our PQCAsic-Lite in resource-constrained IoT devices or our PQCAsic-Pro in high-security data centers, you can trust that the cryptographic foundation is solid.
Key Takeaways
NIST SP 800-90B defines requirements for entropy sources, including min-entropy estimation and health testing.
NIST SP 800-22 provides 15 statistical tests that rigorously validate randomness quality.
Pass criteria require p-values ≥ 0.01, with proper proportion of passing sequences and uniform p-value distribution.
Comprehensive testing should include multiple sequences (100-1000), various environmental conditions, and restart scenarios.
Hardware TRNGs offer superior performance and security compared to software alternatives, especially for PQC applications.
Continuous validation through health testing ensures ongoing entropy quality in production systems.
Ready to Secure Your Systems Against Quantum Threats?
Explore our NIST-compliant post-quantum cryptography solutions:
PQCAsic-Lite: Compact, power-efficient PQC for edge devices
PQCAsic-Pro: High-performance PQC for enterprise infrastructure
AegisPQC-HSM USB: Portable hardware security module
AegisPQC Software Suite: Complete PQC software stack
Contact our team to discuss how Aegis Semiconductor's TRNG-equipped PQC solutions can protect your critical infrastructure: https://www.aegissemi.com/contact
References and Further Reading
NIST SP 800-90A Rev. 1 - "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (June 2015)
NIST SP 800-90B - "Recommendation for the Entropy Sources Used for Random Bit Generation" (January 2018)
NIST SP 800-90C - "Recommendation for Random Bit Generator (RBG) Constructions" (September 2025)
NIST SP 800-22 Rev. 1a - "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications" (April 2010)
NIST Random Bit Generation Documentation
NIST SP 800-90B Entropy Assessment Tool
FIPS 203 - "Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)" (August 13, 2024)
FIPS 204 - "Module-Lattice-Based Digital Signature Standard (ML-DSA)" (August 13, 2024)
FIPS 205 - "Stateless Hash-Based Digital Signature Standard (SLH-DSA)" (August 13, 2024)
FIPS 140-3 - "Security Requirements for Cryptographic Modules"
NSA CNSA 2.0 - "Commercial National Security Algorithm Suite 2.0"
Comments