Skip to main content
C
csanchezdll
Associate
March 20, 2026
Solved

NIST configuration for RNG

  • March 20, 2026
  • 3 replies
  • 289 views

Hi!

My application requires NIST-compliant random number generation, and I see some unclear/contradicting info on the Reference Manual, the AN4230 application note, and the public NIST certificate. My MCU is STM32H563ZI.

- Reference Manual: https://www.st.com/resource/en/reference_manual/rm0481-stm32h52333xx-stm32h56263xx-and-stm32h573xx-armbased-32bit-mcus-stmicroelectronics.pdf

- AN4230: https://www.st.com/resource/en/application_note/an4230-introduction-to-random-number-generation-validation-using-the-nist-statistical-test-suite-for-stm32-mcus-and-mpus-stmicroelectronics.pdf

- Public NIST certificate E163: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/entropy/E163_PublicUse.pdf

 

Confusing/contradicting info:

- E163 gives a RNG_CR of 0x08F01EXX, but AN4230 says value should be 0x00F01E00 (note difference in bit 27). Also, manual says bit 27 "must be kept at reset value.".

- Reset values on the manual do not match my observations

    . RNG_CR: manual says 0x00800D00, I see 0x00F00E00

    . RNG_NSRC: manual says 0x0003FFFF, I see 0x3AF66 (which is the value given in AN4230 & E163)

    . ENG_HTCR: manual says 0x000072AC, I see 0x6A91 (which is the value given in AN4230 & E163)

- So, reset values seem to match AN4230 & E163 ones, except for bit 12 (NISTC). Reset value is 0, certified value is 1, but manual describes this field as "NIST Custom" with 0 meaning "Hardware default values for NIST compliant RNG". However, this bit is called "NistCompliance" (which sounds like the opposite to "NIST Custom").

I bias towards taking E163 certificate as the valid one, but the 1 value of bit 27 being different in AN4230 seems suspicious and I wonder if that can be an error in the public certificate.

Questions:

1) Is the HW-reset configuration or RNG NIST-compliant?

2) What is the NIST-compliant value for bit 27 of RNG_CR?

3) What is the NIST-compliant value for bit 12 of RNG_CR?

    Best answer by CMYL

    Hello @csanchezdll,
    Sorry for the delay, please  find below the answers to your questions about STM32H563/573/562 RNG ESV NIST Compliance:
    1) Is the HW-reset configuration or RNG NIST-compliant or RM0481 Rev4, Configuration A (Table313)?

    - The hardware reset configuration of the RNG peripheral on the STM32H563ZI is not compliant with NIST requirements. As mentioned by the Reference manual,  "configuration A" is the certified configuration for NIST SP800-90B compliance (ESV Entropy Source Validated).

    - The NIST Compliant configuration to use (certified one) is the one given by AN4230 table 3:

    • RNG_CR = 0x00F0 1E00  (Bit27 not set and Bit12 is set)
    • RNG_HTCR = 0x6A91
    • RNG_NSCR = 0x3AF66

    2) Regarding your question about the discrepancy between AN4230 and E163 concerning bit 27:

    The reference configuration and characterization results for the random number generator (RNG) are those provided in AN4230 revision 13, table 3. This configuration is the result of characterization and submitted for ESV certification to the external laboratory, which is the interface with the National Institute of Standards and Technology (NIST). The indication of bit 27 being set in E163 is a documentation Typo/mismatch in the ESV report, not a difference in the configuration that was tested and characterized.

    A correction has already been initiated with the laboratory/NIST so that the ESV report will be updated to fully align with AN4230 revision 13, table 3. In the meantime, consider AN4230 revision 13, table 3 as the correct and authoritative reference for the RNG configuration. When the corrected ESV report is available, this thread will be updated.

    2.1) What is the NIST-compliant value for bit 27 of RNG_CR?

    There is no fixed value for bit 27 to ensure NIST compliance. The value, whether set or cleared, depends on characterization results. See table 3 for other STM32 devices, such as H523, H5F, and WBA5. In the case of STM32H562, STM32H563, and STM32H573, bit 27 must be cleared according to the characterization evaluation.

     

    3) What is the NIST-compliant value for bit 12 of RNG_CR?

     

    Bit 12, NIST custom, defines the customization of the number of conditioning loops. Conditioning is a deterministic function that increases the entropy rate of the resulting fixed-length bit-stream output (128 bits).

    The NIST SP800-90B target is full entropy on the output (128 bits). The number of conditioning loops is a parameter evaluated by characterization. The number of loops required to reach full entropy can be 2 (default) or custom, depending on characterization. When 2 loops are required, clear NISTC to 0. Set NISTC when a custom number of loops is required.

    In the case of STM32H562, STM32H563, and STM32H573 NISTC=1, means the number of conditioning loop is custom.

    Sorry again for the delay, hope my answer is helpfull

    Kind Regards,

    Younes

    3 replies

    C
    csanchezdllAuthor
    Associate
    March 20, 2026

    Where I said:

    However, this bit is called "NistCompliance" (which sounds like the opposite to "NIST Custom").

    I should have said:

    However, *in the stm32h5xx-hal-driver*, this bit is called "NistCompliance" (which sounds like the opposite to "NIST Custom").

    C
    CMYLBest answer
    Technical Moderator
    April 1, 2026

    Hello @csanchezdll,
    Sorry for the delay, please  find below the answers to your questions about STM32H563/573/562 RNG ESV NIST Compliance:
    1) Is the HW-reset configuration or RNG NIST-compliant or RM0481 Rev4, Configuration A (Table313)?

    - The hardware reset configuration of the RNG peripheral on the STM32H563ZI is not compliant with NIST requirements. As mentioned by the Reference manual,  "configuration A" is the certified configuration for NIST SP800-90B compliance (ESV Entropy Source Validated).

    - The NIST Compliant configuration to use (certified one) is the one given by AN4230 table 3:

    • RNG_CR = 0x00F0 1E00  (Bit27 not set and Bit12 is set)
    • RNG_HTCR = 0x6A91
    • RNG_NSCR = 0x3AF66

    2) Regarding your question about the discrepancy between AN4230 and E163 concerning bit 27:

    The reference configuration and characterization results for the random number generator (RNG) are those provided in AN4230 revision 13, table 3. This configuration is the result of characterization and submitted for ESV certification to the external laboratory, which is the interface with the National Institute of Standards and Technology (NIST). The indication of bit 27 being set in E163 is a documentation Typo/mismatch in the ESV report, not a difference in the configuration that was tested and characterized.

    A correction has already been initiated with the laboratory/NIST so that the ESV report will be updated to fully align with AN4230 revision 13, table 3. In the meantime, consider AN4230 revision 13, table 3 as the correct and authoritative reference for the RNG configuration. When the corrected ESV report is available, this thread will be updated.

    2.1) What is the NIST-compliant value for bit 27 of RNG_CR?

    There is no fixed value for bit 27 to ensure NIST compliance. The value, whether set or cleared, depends on characterization results. See table 3 for other STM32 devices, such as H523, H5F, and WBA5. In the case of STM32H562, STM32H563, and STM32H573, bit 27 must be cleared according to the characterization evaluation.

     

    3) What is the NIST-compliant value for bit 12 of RNG_CR?

     

    Bit 12, NIST custom, defines the customization of the number of conditioning loops. Conditioning is a deterministic function that increases the entropy rate of the resulting fixed-length bit-stream output (128 bits).

    The NIST SP800-90B target is full entropy on the output (128 bits). The number of conditioning loops is a parameter evaluated by characterization. The number of loops required to reach full entropy can be 2 (default) or custom, depending on characterization. When 2 loops are required, clear NISTC to 0. Set NISTC when a custom number of loops is required.

    In the case of STM32H562, STM32H563, and STM32H573 NISTC=1, means the number of conditioning loop is custom.

    Sorry again for the delay, hope my answer is helpfull

    Kind Regards,

    Younes

      C
      CMYL
      Technical Moderator
      April 1, 2026

      Hi @csanchezdll 

      Thank you for the clarification. You are correct to emphasize this point.

      To be precise, the NistCompliance naming in the stm32h5xx-hal-driver is only a software developer’s naming of this bit, and it is not correct in this context. The name is misleading with respect to the actual purpose of the bit, which relates to the NIST custom configuration, as discussed above.

      We will recommend internally that this naming be corrected in a future version of the hardware abstraction layer (HAL), and that the current name be treated as deprecated, so that it better reflects the actual hardware behavior and avoids further confusion.

      In the meantime, please consider the reference manual as the authoritative sources for the meaning of this bit.

      Best regards,

      Younes

        Terms & ConditionsAccessibility statement