True Random Number Generation in Reconfigurable Devices - Lirmm
23.01.2013 Views
Share Embed Flag

True Random Number Generation in Reconfigurable Devices - Lirmm

True Random Number Generation in Reconfigurable Devices - Lirmm

True Random Number Generation in Reconfigurable Devices - Lirmm

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
www2.lirmm.fr

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

<strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><br />

<strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong><br />

Viktor FISCHER<br />

Laboratoire Hubert Curien, UMR 5516 CNRS<br />

Jean Monnet University, Member of University of Lyon<br />

Sa<strong>in</strong>t-Etienne, France<br />

fischer@univ-st-etienne.fr<br />

December 2010<br />

1/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Introduction – <strong>True</strong> <strong>Random</strong> <strong>Number</strong>s <strong>in</strong> Cryptography<br />

◮ Use of <strong>Random</strong> <strong>Number</strong> Generators (RNGs) <strong>in</strong> cryptography<br />

<strong>Generation</strong> of cryptographic keys with special security<br />

requirements<br />

<strong>Generation</strong> of <strong>in</strong>itialization vectors, nonces, padd<strong>in</strong>g values, ...<br />

Counter-measures aga<strong>in</strong>st side-channel attacks<br />

◮ Requirements on RNGs<br />

R1: Good statistical properties of the output bitstream<br />

R2: Output unpredictability<br />

R3: Security<br />

Robustness – resistance aga<strong>in</strong>st attacks<br />

Testability of the source of randomness<br />

2/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Basic RNG Classes<br />

◮ Determ<strong>in</strong>istic (Pseudo-) random number generators (PRNG)<br />

Algorithmic generators<br />

Usually faster, with good statistical properties<br />

Must be computationally secure, i.e. it should be computationally<br />

difficult to guess the next values<br />

◮ Physical (<strong>True</strong>-) random number generators (TRNG)<br />

Us<strong>in</strong>g some physical source of randomness<br />

Unpredictable, hav<strong>in</strong>g usually suboptimal statistical characteristics<br />

Usually slower<br />

◮ Hybrid random number generators (HRNG)<br />

Determ<strong>in</strong>istic RNG seeded repeatedly by a physical random<br />

number generator<br />

3/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

TRNGs <strong>in</strong> Logic <strong>Devices</strong><br />

◮ Logic devices (ASICs or FPGAs)<br />

Aimed at implementation of determ<strong>in</strong>istic systems<br />

Designed so that the determ<strong>in</strong>istic behavior dom<strong>in</strong>ates<br />

Some analog blocks are sometimes available (PLL, RC-oscillator,<br />

A/D and D/A converters, etc.)<br />

◮ Employable physical randomness sources<br />

Tim<strong>in</strong>g/phase <strong>in</strong>stability of the clock signal – clock jitter/phase<br />

noise<br />

Metastability & S/H time violation<br />

Sources with limited usability (need<strong>in</strong>g analog components)<br />

Chaos<br />

Thermal noise<br />

4/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

TRNG Design Strategy<br />

◮ Classical approach<br />

Propose a TRNG pr<strong>in</strong>ciple<br />

Simple – occupy<strong>in</strong>g small area<br />

Giv<strong>in</strong>g (if possible) high bit-rate<br />

Hav<strong>in</strong>g small power consumption<br />

Evaluate the quality by common statistical tests<br />

FIPS 140-2<br />

NIST 800-22<br />

DIEHARD (DIEHARDER)<br />

◮ Modern approach (recommendations AIS31 of the German BSI)<br />

Additional requirements:<br />

Detailed analysis of the orig<strong>in</strong> of random behavior<br />

Research of efficient generator-specific embedded tests<br />

Proposition of mathematical models – entropy estimators<br />

5/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Motto<br />

It is quite easy to design a "TRNG" that will<br />

let the statistical tests pass...<br />

�<br />

...but it is much more difficult to know where the "randomness" comes<br />

from and how much true randomness is there... 1<br />

1 know<strong>in</strong>g that only the true randomness cannot be guessed or manipulated<br />

�<br />

6/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

7/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

8/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

TRNGs General Structure<br />

Source of<br />

randomness<br />

Digitized noise source<br />

Entropy<br />

extractor<br />

Algorithmic<br />

post-process<strong>in</strong>g<br />

Embedded<br />

tests<br />

TRNG output<br />

Raw signal output<br />

Dysfunction alarm<br />

◮ Source of randomness and entropy extractor<br />

Should give as much entropy per bit as possible<br />

Should enable sufficient bit-rate<br />

Shouldn’t be manipulable (robustness)<br />

◮ Algorithmic post-process<strong>in</strong>g<br />

Enhances statistical properties of the output without reduc<strong>in</strong>g the<br />

entropy<br />

◮ Embedded tests<br />

Detect immediately the generator’s total failure<br />

Evaluate the quality of the source of randomness <strong>in</strong> real time<br />

9/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

<strong>Random</strong>ness and its Extraction<br />

◮ <strong>Random</strong>ness sources<br />

Jitter: short-term variation of an event from its ideal position<br />

Metastability: ability of an unstable equilibrium electronic state to<br />

persist for an <strong>in</strong>def<strong>in</strong>ite period <strong>in</strong> a digital system<br />

Chaos: stochastic behavior of a determ<strong>in</strong>istic system which<br />

exhibits sensitive dependence on <strong>in</strong>itial conditions<br />

Thermal noise: noise developed <strong>in</strong> a resistor (or passive<br />

component), even <strong>in</strong> the absence of current flow<br />

◮ <strong>Random</strong>ness extraction from a jittery clock – clock sampl<strong>in</strong>g <strong>in</strong><br />

regular <strong>in</strong>tervals us<strong>in</strong>g DFFs or latches<br />

State-dependent generators: their state evolves also without any<br />

randomness source, <strong>in</strong> this case they have a pseudo-random<br />

behavior (<strong>in</strong>ner tests will not detect even the total failure)<br />

Stateless generators: if without source of randomness, their<br />

output rema<strong>in</strong> constant (<strong>in</strong>ner test will detect immediately<br />

randomness <strong>in</strong>sufficiency)<br />

10/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Post-process<strong>in</strong>g<br />

◮ Enhance statistical parameters of the TRNG output<br />

Reduce bias<br />

Increase entropy per bit (while reduc<strong>in</strong>g the bit-rate)<br />

◮ Simple post-process<strong>in</strong>g methods<br />

XOR corrector (↗ entropy, ↘ constant bit-rate)<br />

Von Neumann corrector (↗ entropy, ↘ variable bit-rate)<br />

L<strong>in</strong>ear feed-back shift registers (LFSRs) (→ entropy, → bit-rate)<br />

◮ Complex post-process<strong>in</strong>g methods<br />

Resilient functions based on error correctors (↗ entropy, ↘ constant bit-rate)<br />

Hash<strong>in</strong>g, e.g. us<strong>in</strong>g SHA1 (↗ entropy, ↘ constant bit-rate)<br />

Encipher<strong>in</strong>g of generated data, e.g. us<strong>in</strong>g AES and generated key<br />

(→ entropy, → bit-rate)<br />

11/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Stochastic Models and Entropy Estimators<br />

◮ Stochastic models<br />

Estimate output statistical parameters (e.g. bias or entropy)<br />

depend<strong>in</strong>g on<br />

<strong>Random</strong> <strong>in</strong>put variables (source of randomness)<br />

Generator pr<strong>in</strong>ciple (randomness extraction)<br />

◮ Bias of the output bit-stream<br />

Probability of ones on the output: Pr(X = 1) = 0.5 + ∆<br />

Accord<strong>in</strong>g to AIS31, the bias (∆) should be smaller than 0.0173<br />

For uncorrelated random variables the bias can be easily reduced<br />

us<strong>in</strong>g post-process<strong>in</strong>g<br />

◮ Entropy<br />

Def<strong>in</strong>ition for "iid" random variables from a f<strong>in</strong>ite set Ω:<br />

H(X) = − ∑ Pr(X = x)log2Pr(X = x)<br />

x∈Ω<br />

Gives the uncerta<strong>in</strong>ty conta<strong>in</strong>ed <strong>in</strong> a unit of <strong>in</strong>formation (bit)<br />

High entropy level guarantees that the preced<strong>in</strong>g or succeed<strong>in</strong>g<br />

values cannot be guessed with a probability different from 0.5<br />

Property of random variables and not of observed realizations<br />

The entropy per bit of a good TRNG should be close to 1<br />

12/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Entropy-based Model 1/2<br />

◮ Proposed <strong>in</strong> 1 , specifies the <strong>in</strong>crease of entropy per sample<br />

Conditional entropy<br />

H(Rn|R1,...,Rn−1) = − ∑ Pr(R1 = r1,...,Rn−1 = rn−1)×<br />

r1,...,rn−1∈Ω<br />

∑ Pr(Rn = rn|Ri = ri for i < n)log2Pr(Rn = rn|Ri = ri for i < n)<br />

rn∈Ω<br />

where r1,r2,... ∈ Ω (Ω = {0,1} k for k ≥ 1) are realizations of random variables R1,R2,...<br />

◮ If R1,R2,... form a homogeneous Markov cha<strong>in</strong>, the conditional<br />

probabilities depend only on the preced<strong>in</strong>g value rn−1, and for<br />

sufficiently large n the probability Pr(Rn−1 = rn−1) has a<br />

stationary distribution<br />

1 W. Sch<strong>in</strong>dler, W. Killmann, Evaluation Criteria for <strong>True</strong> (Physical) <strong>Random</strong><br />

<strong>Number</strong> Generators Used <strong>in</strong> Cryptographic Applications, CHES2002.<br />

13/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Entropy-based Model 2/2<br />

◮ Important consequences<br />

Example<br />

Post-process<strong>in</strong>g without data compression (such as LFSR and<br />

bijective transforms) does not <strong>in</strong>crease the entropy – it only<br />

transforms weaknesses to others and masks them<br />

For this reason, only unprocessed b<strong>in</strong>ary raw signal should be<br />

used to estimate the entropy of the randomness source<br />

If the entropy per bit is not sufficient, only the bit-rate reduction &<br />

some data compression can <strong>in</strong>crease it<br />

We suppose that a b<strong>in</strong>ary raw signal is biased, but the subsequent bits are<br />

<strong>in</strong>dependent. Input<strong>in</strong>g this bit-stream <strong>in</strong>to the LFSR that is clocked with the<br />

same frequency as the sampler, will remove the bias, but the bits obta<strong>in</strong>ed at<br />

the output will not be <strong>in</strong>dependent any more.<br />

14/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

TRNG Implementation Issues<br />

◮ Resource usage (type and quantity)<br />

◮ Frequency (bit-rate)<br />

◮ Power consumption<br />

◮ Feasibility <strong>in</strong> selected technology (available logic and rout<strong>in</strong>g<br />

resources)<br />

◮ Design automation<br />

Manual <strong>in</strong>tervention (P/R) is needed for each device <strong>in</strong>dividually<br />

Manual <strong>in</strong>tervention is needed for each device package and/or<br />

family<br />

Completely automated – no manual <strong>in</strong>tervention is needed<br />

15/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

Evaluation of the TRNG Us<strong>in</strong>g General Statistical Tests<br />

◮ Classical approach: various general-purpose statistical tests are<br />

applied on the generator output<br />

◮ FIPS140-2 tests 1<br />

4 tests (Monobit, Poker, Runs, Long runs) applied on bit-streams<br />

of 20000 bits<br />

These tests are not <strong>in</strong>cluded <strong>in</strong> the last version of the standard<br />

◮ NIST 800-22 tests 2<br />

15 statistical tests with given test<strong>in</strong>g strategy<br />

About 1 Gbit of random data is necessary<br />

◮ DIEHARD tests 3<br />

15 statistical tests with the test<strong>in</strong>g strategy similar to NIST tests<br />

At least 80 millions bits are necessary to realize the tests<br />

1<br />

Federal Information Process<strong>in</strong>g Standard FIPS140-2: Security Requirements for<br />

Cryptographic Modules<br />

2<br />

A. Rukh<strong>in</strong> et al., A statistical test suite for random and pseudorandom number<br />

generators for cryptographic applications, NIST special publication 800-22, 2001<br />

3<br />

G. Marsaglia, DIEHARD: Battery of tests of randomness, 1996<br />

16/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

AIS31 Evaluation Methodology Adapted for Physical RNG 1/4<br />

◮ New approach: test<strong>in</strong>g TRNG output AND randomness source<br />

◮ Security requirements depend on the strength of the security<br />

mechanism<br />

◮ The AIS31 TRNG evaluation methodology 1 , recognizes two<br />

functionality classes<br />

Class 1 applications<br />

Challenge – response protocols<br />

Initialization vectors transmitted <strong>in</strong> clear<br />

Seeds for PRNGs class K1 and K2<br />

Class 2 applications<br />

Symmetric and asymmetric cryptographic keys<br />

Padd<strong>in</strong>g bits<br />

Zero-knowledge proofs<br />

Seeds for PRNGs class K3 and K4<br />

1 W. Killmann and W. Sch<strong>in</strong>dler. AIS 31: Functionality classes and evaluation<br />

methodology for true (physical) random number generators, 2001<br />

17/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

AIS31 Evaluation Methodology Adapted for Physical RNG 2/4<br />

◮ Eight statistical tests are proposed for us<strong>in</strong>g <strong>in</strong> different phases of<br />

the TRNG evaluation<br />

Tests applied to generated random numbers (TRNG output)<br />

T0 – Disjo<strong>in</strong>tness test (subsequent random values should be<br />

different), rejection probability for an ideal random source: 10 −17<br />

T1 – T4 – Four tests from FIPS140-1 with rejection probability limit<br />

10 −6 (not from FIPS140-2, where rejection limit is 10 −4 )<br />

Tests applied to the raw b<strong>in</strong>ary signal (some weaknesses are<br />

tolerable)<br />

T5 – Autocorrelation test<br />

T6 – Uniform distribution test<br />

T7 – Comparative test for mult<strong>in</strong>omial distribution<br />

T8 – Coron’s entropy test 1<br />

1 J.-S. Coron: On the Security of <strong>Random</strong> Sources, Gemplus, Technical Report<br />

IT02-1998.<br />

18/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

AIS31 Evaluation Methodology Adapted for Physical RNG 3/4<br />

◮ Class 1 requirements<br />

Generated random vectors must pass T0 Disjo<strong>in</strong>tness test<br />

Output random bit-streams have to pass selected statistical tests<br />

(e.g. T1 – T4)<br />

The raw b<strong>in</strong>ary signal should be tested for the total failure of the<br />

source of randomness (fast total failure test)<br />

When <strong>in</strong>tended for high-end security applications, the statistical<br />

properties have to be verified <strong>in</strong> different operational conditions<br />

(temperature, power-supply)<br />

On-l<strong>in</strong>e test(s) must check the <strong>in</strong>ternal random numbers on<br />

demand or <strong>in</strong> regular <strong>in</strong>tervals<br />

19/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions <strong>Random</strong>ness Models Implementation TRNG Evaluation<br />

AIS31 Evaluation Methodology Adapted for Physical RNG 4/4<br />

◮ Class 2 requirements = Class 1 requirements, plus:<br />

The bias of the digitized noise (raw signal) should be ≤ 0.025<br />

Tests T5 to T7 applied on the raw b<strong>in</strong>ary signal have to pass<br />

The entropy test T8 applied on the raw b<strong>in</strong>ary signal must pass,<br />

too<br />

The post-process<strong>in</strong>g must not reduce the average entropy per bit<br />

Special statistical tests have to be applied on each TRNG start<br />

(startup test)<br />

For high-strength mechanisms, the statistical parameters and<br />

namely the entropy of the digitized noise signal must be tested <strong>in</strong><br />

different operational conditions<br />

For high-strength mechanisms, the TRNG must trigger on-l<strong>in</strong>e<br />

tests itself <strong>in</strong> regular <strong>in</strong>tervals.<br />

20/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

21/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

R<strong>in</strong>g Oscillator-based <strong>True</strong> <strong>Random</strong> <strong>Number</strong> Generators<br />

Pr<strong>in</strong>ciple<br />

◮ Use the RO-generated clock jitter as a source of randomness,<br />

◮ In order to <strong>in</strong>crease entropy per bit at the output, more r<strong>in</strong>gs are<br />

needed.<br />

Sunar et al. [Sun2007]<br />

RO 1<br />

RO 2<br />

RO 114<br />

Fs<br />

D Q<br />

Post<br />

process<strong>in</strong>g<br />

TRNG output<br />

"Provably secure" RNG based on XOR-<strong>in</strong>g outputs of 114 "<strong>in</strong>dependent"<br />

ROs.<br />

22/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Sunar’s Approach<br />

◮ Good approach...<br />

1 Mathematical model (Urn model),<br />

2 Entropy estimators based on jitter size,<br />

3 Post-process<strong>in</strong>g us<strong>in</strong>g resilient functions.<br />

◮ But... unrealistic hypotheses (Dichtl & Golic, Wold & Tan, . . . ):<br />

1 Jitter size determ<strong>in</strong>ed by external measurements,<br />

2 Too many transitions <strong>in</strong> the XOR tree,<br />

3 Set-up and Hold time violation <strong>in</strong> the D-Flip Flop,<br />

4 (In)dependence between ROs (coupl<strong>in</strong>g).<br />

23/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Improvement of Sunar’s Pr<strong>in</strong>ciple<br />

Reconfig’08: Improvement proposed by Wold and Tan<br />

RO 1<br />

RO 2<br />

RO 25<br />

Fs<br />

Fs<br />

Fs<br />

D Q<br />

D Q<br />

D Q<br />

Fs<br />

D Q<br />

DAS output<br />

◮ Closer to the hypotheses of Sunar’s "security proof" (XOR tree)<br />

⇒ undeniable improvement !<br />

◮ Conclusions of Wold and Tan:<br />

1 114 ROs are not needed because statistical tests pass for<br />

configurations with 50 and even with only 25 ROs,<br />

2 Post-process<strong>in</strong>g not necessary anymore,<br />

3 Lower cost and power consumption, because less ROs are used.<br />

24/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Experimental Set-up<br />

Configuration for TRNG output test<strong>in</strong>g<br />

RO 1<br />

RO 2<br />

RO N<br />

FPGA / MODELSIM COMPUTER<br />

F s<br />

F s<br />

F s<br />

F s<br />

B<strong>in</strong>ary File<br />

01011010<br />

11001010<br />

10010101<br />

11001010<br />

11001000<br />

11001101<br />

Simulation and hardware test<strong>in</strong>g<br />

a) RO <strong>in</strong> Simulation<br />

MATLAB<br />

Jitter Evolution<br />

File<br />

10ps<br />

-3ps<br />

2ps<br />

-16ps<br />

...<br />

Δi<br />

Delay H + Δi<br />

b) RO <strong>in</strong> Altera device<br />

FIPS<br />

TESTS<br />

LCELL LCELL LCELL<br />

c) RO <strong>in</strong> Actel device<br />

◮ VHDL description,<br />

◮ 20000-bit b<strong>in</strong>ary file,<br />

◮ FIPS 140-2 tests.<br />

a) Matlab R2008b,<br />

Modelsim SE 6.4<br />

b) Altera Cyclone III,<br />

Quartus II 9.0<br />

c) Actel Fusion,<br />

Libero IDE 8.4<br />

25/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Test1: Sunar versus Wold <strong>in</strong> VHDL Simulations<br />

11000<br />

10000<br />

9000<br />

monobit<br />

8000<br />

0 5 10 15 20<br />

800<br />

600<br />

400<br />

200<br />

poker<br />

0<br />

0 5 10 15 20<br />

10<br />

5<br />

failed runs<br />

0<br />

0 5 10 15 20<br />

wold_sig30 sunar_sig30<br />

Test<strong>in</strong>g conditions<br />

◮ <strong>Number</strong> of ROs varies from 1 to 20,<br />

◮ Each RO is composed of 9 <strong>in</strong>verters,<br />

◮ Half-period: H +N (0,30),<br />

◮ Same random files used for generator of<br />

Sunar and Wold.<br />

Results<br />

◮ Similar (almost identical) results,<br />

◮ Coherent with the mathematical analysis,<br />

◮ Start<strong>in</strong>g from 8 ROs, the tests always<br />

pass,<br />

◮ Long run test not presented: it always<br />

pass.<br />

26/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Test2: Sunar versus Wold <strong>in</strong> Actel FPGA<br />

11000<br />

10000<br />

9000<br />

monobit<br />

8000<br />

0 20 40 60 80 100<br />

800<br />

600<br />

400<br />

200<br />

poker<br />

0<br />

0 20 40 60 80 100<br />

10<br />

5<br />

failed runs<br />

0<br />

0 20 40 60 80 100<br />

sunar_actel wold_actel<br />

Test<strong>in</strong>g conditions<br />

◮ Actel Fusion FPGA,<br />

◮ <strong>Number</strong> of ROs varies from:<br />

1 to 20 by <strong>in</strong>crements of 1,<br />

20 to 115 by <strong>in</strong>crements of 5.<br />

◮ Each RO is composed of 9 <strong>in</strong>verters,<br />

◮ FS = 25 MHz.<br />

Results<br />

◮ Tests never (!) pass for Sunar’s generator<br />

<strong>in</strong> this technology,<br />

◮ Tests pass for Wold’s generator start<strong>in</strong>g<br />

from 8 ROs.<br />

27/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Test3: Sunar versus Wold <strong>in</strong> Altera FPGA<br />

11000<br />

10000<br />

9000<br />

monobit<br />

8000<br />

0 20 40 60 80 100<br />

800<br />

600<br />

400<br />

200<br />

poker<br />

0<br />

0 20 40 60 80 100<br />

10<br />

5<br />

failed runs<br />

0<br />

0 20 40 60 80 100<br />

sunar_altera wold_altera<br />

Test<strong>in</strong>g conditions<br />

◮ Altera Cyclone III FPGA<br />

◮ <strong>Number</strong> of ROs varies from<br />

1 to 20 by <strong>in</strong>crements of 1,<br />

20 to 115 by <strong>in</strong>crements of 5.<br />

◮ Each RO is composed of 9 <strong>in</strong>verters<br />

implemented <strong>in</strong> the same LAB,<br />

◮ FS = 25 MHz.<br />

Results<br />

◮ Tests pass <strong>in</strong> very few (7/39)<br />

configurations for Sunar’s TRNG,<br />

◮ Tests pass for Wold’s TRNG start<strong>in</strong>g from<br />

8 ROs.<br />

28/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Conclusion of Comparison<br />

◮ Claims of Wold and Tan confirmed <strong>in</strong> simulations and <strong>in</strong> both<br />

technologies (Actel, Altera),<br />

◮ XOR gate output now fits Sunar’s hypothesis,<br />

◮ What k<strong>in</strong>d of randomness makes the test pass<br />

Pseudo-randomness which can be attacked,<br />

<strong>True</strong>-randomness that we are search<strong>in</strong>g for?<br />

◮ Simulation platform helps to answer these questions:<br />

Wold’s and Sunar’s TRNGs have the same idealized behavior,<br />

In the follow<strong>in</strong>g experiments, only Wold’s design is evaluated:<br />

closer to the idealized mathematical model.<br />

29/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Test4: Impact of the Local Gaussian Jitter Size<br />

11000<br />

10000<br />

monobit<br />

9000<br />

0 5 10 15 20<br />

800<br />

600<br />

400<br />

200<br />

poker<br />

0<br />

0 5 10 15 20<br />

10<br />

5<br />

failed runs<br />

0<br />

0 5 10 15 20<br />

sigma50 sigma30 sigma10 sigma0<br />

Test<strong>in</strong>g conditions<br />

◮ <strong>Number</strong> of ROs varies from 1 to 20,<br />

◮ Frequencies of RO vary between 197.5<br />

MHz and 202 MHz,<br />

◮ 9 <strong>in</strong>verters,<br />

◮ Gaussian jitter: σ = 0, 10, 30 and 50 ps.<br />

Results<br />

1 ↗ random jitter ⇒ tests pass more<br />

easily. . . as expected,<br />

2 Tests pass from only 18 ROs without<br />

any jitter . . . surpris<strong>in</strong>g!<br />

3 NIST tests pass also from 18 ROs<br />

without any randomness . . .<br />

30/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Important Remarks before Go<strong>in</strong>g Further<br />

◮ Wold and Tan: number of ROs reduction, from 114 downto 50 or<br />

25 because tests passed,<br />

◮ Mathematical problem: urn model of Sunar no more valid,<br />

◮ Experimental result: tests passed without any randomness . . .<br />

Remark 1<br />

Sunar’s orig<strong>in</strong>al pr<strong>in</strong>ciple (and Wold’s improvements too) produce a huge amount of<br />

pseudo-randomness that can be predicted (mathematical equation) or manipulated<br />

from outside the chip.<br />

Remark 2<br />

Analysis of statistical tests and derived conclusions of these tests to evaluate TRNG<br />

security must be done carefully.<br />

Remark 3<br />

Reduc<strong>in</strong>g the number of ROs as proposed by Wold and Tan represents a<br />

security-critical attempt for cryptographic applications and should be certa<strong>in</strong>ly avoided.<br />

31/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Two RO-TRNG Set-up Sunar versus Wold Jitter type and size<br />

Test5: Influence of a Global Determ<strong>in</strong>istic Jitter Component<br />

11000<br />

10000<br />

monobit<br />

9000<br />

0 5 10 15 20<br />

800<br />

600<br />

400<br />

200<br />

poker<br />

0<br />

0 5 10 15 20<br />

10<br />

5<br />

failed runs<br />

0<br />

0 5 10 15 20<br />

d10 d5 d1 d0<br />

Test<strong>in</strong>g conditions<br />

◮ Fixed Gaussian component σ = 30 ps,<br />

◮ Determ<strong>in</strong>istic component: s<strong>in</strong>usoidal<br />

signal<br />

Results<br />

Frequency: 3 KHz,<br />

Amplitude: 0 to 10 ps.<br />

◮ ↗ determ<strong>in</strong>istic part ⇒ tests passed<br />

more easily<br />

Problems<br />

1 Results strongly dependent on the<br />

frequency of <strong>in</strong>jected signal<br />

(predictability),<br />

2 Determ<strong>in</strong>istic jitter can be manipulated.<br />

32/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions HW Requirements Available HW HW Characterization<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

33/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions HW Requirements Available HW HW Characterization<br />

Fair TRNG Benchmark<strong>in</strong>g <strong>in</strong> Different FPGA Technologies<br />

LPS – L<strong>in</strong>ear Power<br />

Supply<br />

SPS – Switch<strong>in</strong>g Power<br />

Supply<br />

USB<br />

12 V<br />

3.3/5 V<br />

USB<br />

I/F<br />

USB<br />

(CYPRESS)<br />

FILT<br />

SPS<br />

12/5 V<br />

9<br />

Data 16<br />

Control 9<br />

FILT<br />

OSC<br />

FPGA<br />

VCC1<br />

LPS<br />

VCC2<br />

5/3.3V<br />

VCC3<br />

5 V 16<br />

3.3 V<br />

5 V<br />

MODULE FPGA<br />

Data<br />

32<br />

MODULE<br />

FPGA<br />

3.3 V<br />

RAM<br />

32 Mbit<br />

MAINBOARD<br />

Objectives<br />

◮ Hardware for fair TRNG benchmark<strong>in</strong>g <strong>in</strong><br />

various FPGA families,<br />

◮ Carefully designed power supply,<br />

◮ Fast random data acquisition,<br />

◮ High-speed output for precise jitter<br />

measurement,<br />

◮ Interfaced to PC.<br />

Solution<br />

◮ Ma<strong>in</strong>board and pluggable modules,<br />

◮ Ma<strong>in</strong>board: primary power supplies, USB<br />

I/F device (Cypress),<br />

◮ Module: FPGA device, oscillator, 32-MBit<br />

RAM, 2xLVDS outputs.<br />

34/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions HW Requirements Available HW HW Characterization<br />

Available Hardware Modules<br />

Five modules available<br />

◮ Altera FPGA:<br />

◮ Xil<strong>in</strong>x FPGA:<br />

◮ Actel FPGA<br />

Cyclone III – EP3C25,<br />

Arria II – EP2AGX45,<br />

Spartan 3 – XC3S700AN,<br />

Virtex 5 – XC5VLX30T,<br />

Fusion – M7AFS600.<br />

35/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions HW Requirements Available HW HW Characterization<br />

Standard deviation σ T [ps]<br />

Precise Jitter Measurement Us<strong>in</strong>g LVDS Outputs<br />

25<br />

20<br />

15<br />

10<br />

5<br />

LVTTL Active probe<br />

LVTTL Passive probe<br />

LVDS Active probe<br />

0<br />

0 20 40 60 80 100 120 140 160 180 200 220<br />

<strong>Number</strong> of elements <strong>in</strong> the RO<br />

Measurement setup<br />

◮ Oscilloscope LeCroy WavePro 7300,<br />

◮ Standard passive low-bandwidth probe,<br />

◮ Differential active 3.5 GHz probe<br />

DP320-SP.<br />

Results and conclusion<br />

◮ Comments on results: LVDS outputs<br />

together with the differential probe give<br />

the smallest jitter,<br />

◮ Jitter measured by Sunar (standard<br />

probe) was probably overestimated.<br />

Question<br />

◮ Is LVDS & active probe really better?<br />

36/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions HW Requirements Available HW HW Characterization<br />

Characterization of Hardware from Jitter Accumulation<br />

σ Period<br />

10 3<br />

10 2<br />

10 1<br />

10 0<br />

10 0<br />

Standard deviation [ps]<br />

10 2<br />

10 1<br />

10 0<br />

10 0<br />

Simulated Jitter Accumulation<br />

10 1<br />

10 2<br />

<strong>Number</strong> of elements <strong>in</strong> the RO<br />

10 1<br />

10 2<br />

<strong>Number</strong> of elements<br />

Global 200ps Local 25ps<br />

Global 400ps Local 25ps<br />

Global 100ps Local 15ps<br />

0.5 slope<br />

1 slope<br />

Actel Igloo LVDS<br />

Xil<strong>in</strong>x Spartan3 LVDS<br />

0.5 slope<br />

1 slope<br />

10 3<br />

10 3<br />

Theory<br />

◮ The global jitter accumulates l<strong>in</strong>early<br />

(slope 1.0 on a log-log scale), the local<br />

jitter with square root (slope 0.5)<br />

◮ The cross<strong>in</strong>g po<strong>in</strong>t of asymptotes permits<br />

to characterize the system,<br />

◮ For smaller global jitter, the asymptote<br />

1.0 moves to the right,<br />

◮ For bigger Gaussian jitter, the asymptote<br />

0.5 moves up,<br />

◮ Objective: the cross<strong>in</strong>g po<strong>in</strong>t should be<br />

placed <strong>in</strong> North-Est direction as far as<br />

possible.<br />

Results<br />

◮ Actel: more Gaussian noise than Xil<strong>in</strong>x.<br />

37/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Experiment Results<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

38/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Experiment Results<br />

Frequency Dependence on the Power Supply<br />

Absolute period [ns]<br />

10<br />

9<br />

8<br />

7<br />

6<br />

5<br />

4<br />

3<br />

2<br />

1<br />

5 Elements<br />

7 Elements<br />

11 Elements<br />

1 1.2 1.4 1.6<br />

Voltage [V]<br />

Normaliséd period[ns]<br />

0.5<br />

0.45<br />

0.4<br />

0.35<br />

0.3<br />

0.25<br />

0.2<br />

5 Elements<br />

7 Elements<br />

11 Elements<br />

1 1.2 1.4 1.6<br />

Voltage [V]<br />

Test<strong>in</strong>g conditions<br />

◮ Altera Cyclone III Module,<br />

◮ Nom<strong>in</strong>al voltage: 1.2 V,<br />

◮ Vary<strong>in</strong>g power supply between<br />

0.9 and 1.6 V.<br />

Results<br />

◮ Frequency highly depends on the<br />

power supply,<br />

◮ The same effect is observable for<br />

various frequencies.<br />

39/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions Experiment Results<br />

Mutual Dependence of R<strong>in</strong>g Oscillator Frequencies<br />

Périod [ns]<br />

period difference (abs) [ps]<br />

20<br />

18<br />

16<br />

14<br />

12<br />

RO1 Experimental Data<br />

RO2 Experimental Data<br />

0.85 0.9 0.95 1 1.05 1.1 1.15 1.2 1.25 1.3 1.35<br />

Voltage [V]<br />

80<br />

60<br />

40<br />

20<br />

0<br />

0.85 0.9 0.95 1 1.05 1.1 1.15 1.2 1.25 1.3 1.35<br />

Voltage [V]<br />

Test<strong>in</strong>g conditions<br />

◮ Two similar ROs are<br />

implemented <strong>in</strong>side the FPGA,<br />

◮ Frequencies are measured<br />

outside the FPGA,<br />

◮ The power supply is vary<strong>in</strong>g<br />

between 0.9 and 1.3 V.<br />

Results<br />

◮ Frequencies are approach<strong>in</strong>g<br />

and lock to the same value dur<strong>in</strong>g<br />

a short voltage <strong>in</strong>terval.<br />

40/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Outl<strong>in</strong>e<br />

1 TRNG design<br />

<strong>Random</strong>ness, its extraction and post-process<strong>in</strong>g<br />

Stochastic models and entropy estimators<br />

TRNG implementation issues<br />

Classical and new methodology of TRNG evaluation<br />

2 Case study: RO-TRNG simulation and test<strong>in</strong>g<br />

RO-TRNGs of Sunar et al. & Wold and Tan<br />

Experimental set-up overview<br />

Comparison of TRNGs of Sunar and Wold<br />

Impact of the type and size of the jitter<br />

3 Jitter measurements<br />

Jitter measurement/TRNG benchmark<strong>in</strong>g requirements<br />

Hardware modules for fair TRNG benchmark<strong>in</strong>g<br />

Characterization of hardware from jitter measurements<br />

4 On the (<strong>in</strong>)dependence of r<strong>in</strong>gs <strong>in</strong> FPGAs<br />

Experimental set-up<br />

Results. . .<br />

5 Conclusions<br />

41/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

Conclusions<br />

◮ Statistical tests<br />

Necessary BUT far from be<strong>in</strong>g sufficient:<br />

they can pass without any randomness (null entropy),<br />

Their results must be carefully analyzed,<br />

Conclusion about the RNG security must be derived from the tests<br />

even more carefully.<br />

◮ Entropy<br />

It is NOT a property of observed random numbers. . . but of<br />

random variables – it cannot be measured,<br />

A mathematical model is needed for evaluat<strong>in</strong>g the m<strong>in</strong>imum<br />

entropy/bit,<br />

Assumptions made <strong>in</strong> the model must be verified <strong>in</strong> hardware<br />

experiments.<br />

◮ Independence of randomness sources<br />

Must be thoroughly exam<strong>in</strong>ed,<br />

ROs are not only dependent, but they can be locked – RO<br />

coupl<strong>in</strong>g reduces drastically the entropy.<br />

42/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

TRNG Design Case Study Jitter R<strong>in</strong>gs Coupl<strong>in</strong>g Conclusions<br />

<strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><br />

<strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong><br />

Viktor FISCHER<br />

Laboratoire Hubert Curien, UMR 5516 CNRS<br />

Jean Monnet University, Member of University of Lyon<br />

Sa<strong>in</strong>t-Etienne, France<br />

fischer@univ-st-etienne.fr<br />

December 2010<br />

43/43 V. FISCHER <strong>True</strong> <strong>Random</strong> <strong>Number</strong> <strong>Generation</strong><strong>in</strong> <strong>Reconfigurable</strong> <strong>Devices</strong>

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!