A New Entropy Evaluation Framework: the Spanish CCN-MEGA Methodology (N31a)
Randomness is a core building block of modern cryptography, yet evaluating random number generators in a repeatable and auditable way remains challenging. To address this at scheme level, the Spanish National Cryptologic Centre (CCN), in collaboration with jtsec, has developed the Random Generators Evaluation Methodology (CCN-MEGA), a dedicated RNG evaluation methodology that supports Spain’s cryptographic evaluation methodology (CCN-MEMEC). MEGA takes inspiration from AIS-20/31 and NIST SP 800-90A/B/C and aims to harmonize their key ideas into a single framework. For each class of generator, physical and hybrid physical TRNGs, deterministic RNGs and non-physical TRNGs, it defines concrete security requirements the generator must meet, the evidence the vendor must provide, and the evaluation tasks the tester must perform, with a focus on addressing common entropy pitfalls and high-risk design choices. The talk will present CCN-MEGA as a practical case study of how RNG evaluation is structured within a national certification scheme while maintaining stringent security requirements.