What SP 800-90B Actually Tests

NIST SP 800-90B specifies how to validate the min-entropy of a noise source. The standard provides a battery of estimators — collision, compression, Markov, t-tuple, longest repeated substring, predictor-based estimators — and computes the minimum across them as the certified min-entropy rate. The estimators are designed to detect the kinds of structure that deterministic generators exhibit.

The procedure is rigorous and useful, but it is designed around an adversarial assumption: the noise source could have algorithmic structure that the estimators must catch. For physical noise sources (ring oscillators, jitter, thermal noise, avalanche diodes), the estimators provide a defensible bound. For software-only generators, the exercise becomes a check that the algorithm's structure has been buried beneath enough cryptographic post-processing to evade the battery — not that the underlying source is genuinely non-deterministic.
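The "minimum across the battery" rule described above, as an added Python example (not ATOFIA's code and not NIST's assessment tool). It is written from the published descriptions of two SP 800-90B estimators for binary data, the Most Common Value estimate (part of the battery though not named above) and the Markov estimate; the function names and both sample inputs are constructed for illustration.

```python
import math
import random
from collections import Counter

NEG_INF = float("-inf")

def mcv_estimate(bits):
    """Most Common Value: bound the top symbol's probability at 99% confidence."""
    n = len(bits)
    p_hat = max(Counter(bits).values()) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)

def _lg(num, den):
    """log2(num/den), with -inf standing in for a probability of zero."""
    return math.log2(num / den) if num and den else NEG_INF

def markov_estimate(bits):
    """Binary first-order Markov: entropy per bit of the likeliest 128-bit run."""
    n = len(bits)
    pairs = Counter(zip(bits, bits[1:]))
    c00, c01, c10, c11 = (pairs[k] for k in ((0, 0), (0, 1), (1, 0), (1, 1)))
    zeros = bits.count(0)
    l0, l1 = _lg(zeros, n), _lg(n - zeros, n)
    l00, l01 = _lg(c00, c00 + c01), _lg(c01, c00 + c01)
    l10, l11 = _lg(c10, c10 + c11), _lg(c11, c10 + c11)
    candidates = [
        l0 + 127 * l00,             # 000...0
        l0 + 64 * l01 + 63 * l10,   # 0101...01
        l0 + l01 + 126 * l11,       # 0111...1
        l1 + l10 + 126 * l00,       # 1000...0
        l1 + 64 * l10 + 63 * l01,   # 1010...10
        l1 + 127 * l11,             # 111...1
    ]
    return min(-max(candidates) / 128, 1.0)

def assessed_min_entropy(bits):
    """The battery reports the lowest estimate, so one failing test dominates."""
    return min(mcv_estimate(bits), markov_estimate(bits))

# Constructed inputs: a fully deterministic pattern and a seeded PRNG stream.
ALTERNATING = [i % 2 for i in range(1000)]
_rng = random.Random(0)
PRNG_BITS = [_rng.getrandbits(1) for _ in range(10000)]

if __name__ == "__main__":
    for name, data in (("alternating", ALTERNATING), ("seeded PRNG", PRNG_BITS)):
        print(f"{name:12s} mcv={mcv_estimate(data):.4f} "
              f"markov={markov_estimate(data):.4f} "
              f"assessed={assessed_min_entropy(data):.4f}")
```

The alternating stream looks balanced to the Most Common Value estimate but collapses under the Markov estimate, while the seeded PRNG stream, which is fully deterministic, scores close to 1 bit per bit on both: the gap between passing the estimators and being non-deterministic.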

Clausius-Gibbs-Boltzmann-Shannon Formulation

ATOFIA's compliance argument is structurally different. The noise source is a thermodynamic mixing event whose entropy is bounded from below by physical formulations of entropy — Clausius (macroscopic state-function), Gibbs and Boltzmann (microcanonical and canonical ensembles), Shannon (information-theoretic). The estimators in SP 800-90B see this output as the high-quality physical noise it is; the underlying compliance argument, however, is not "the estimators didn't detect structure" but "there is no algebraic structure to detect."

Physical assurance constraints — Clausius-Gibbs-Boltzmann-Shannon formulations of min-entropy.

What This Changes for Validation

  • Compliance via measurement, not obfuscation. The min-entropy claim is physical, not statistical sleight-of-hand.
  • Future-proof against estimator improvements. A future addition to the SP 800-90B battery cannot retroactively invalidate a physical measurement.
  • Auditable in physical units. The min-entropy rate is grounded in thermodynamic quantities the auditor can inspect.

Operational Posture

For organizations pursuing FIPS-validated modules with SP 800-90B-compliant noise sources, the practical effect is a cleaner validation package. The noise source is a physical apparatus, the entropy claim is a physical measurement, and the post-processing chain (DRBG construction per SP 800-90A) sits on top of a substrate the standard already understands. The certification effort moves from "prove the algorithm hides its structure" to "characterize the physical source" — a problem the standard was originally designed to solve.

Dr. Thurman Richard White

Chief cryptographer and co-founder of ATOFIA. Research in quantum statistical mechanics, thermodynamic entropy, and physical cryptography.