Entropy Evaluation for Oscillator-based True Random Number Generators


Yuan Ma
DCS Center, Institute of Information Engineering, Chinese Academy of Sciences

Outline
- RNG
- Modeling method
- Experiment
- Entropy evaluation
- On the external perturbation

RNG
- RNGs (random number generators) are used in cryptography to initialize keys, seed pseudo-random number generators, and help in generating digital signatures.
- RNG security is crucial for cryptographic systems.

TRNG Security
How to make sure a true (physical) RNG is secure?
- Providing a reasonable mathematical model based on some physical assumptions
- Figuring out the precise/minimum/maximum entropy
- Confirming the sufficiency of the calculated entropy
Not an easy task:
- The ideal physical assumption is usually not practical or is hard to prove.
  - white noise vs. correlated noise
  - independent ring oscillators vs. coupled ring oscillators
- Entropy estimation is complex even though the design structure is simple.
  - from noises to random bits, bit correlation

Our work
- Proposing a new modeling method to calculate a precise entropy for oscillator-based TRNGs
- Designing a jitter measuring circuit to acquire critical parameters and also verify the theoretical results
- Performing a comprehensive study on the effect of deterministic perturbations

Oscillator-based TRNG
[Figure: TRNG block diagram with labels: Fast Oscillator, D, Q, Random Bits, Reset, And Gate, Slow Clock, CLK]
How a random bit is generated
- Randomness is (accumulated) jitter.
- The number of cycles of the fast oscillator signal during the period of the slow clock is random/unpredictable.
- More precisely, the number of half-cycles/edges: $B_i = B_{i-1} \oplus (R_i \bmod 2)$, where $R_i$ represents the number of edges.
- The XOR operation with the last bit has no impact on the information entropy, so we take $B_i = R_i \bmod 2$.

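Model Setup
[Figure: timeline with half-periods X_1, ..., waiting times W_1, ..., W_i and sampling instants s_0 (= 0), s_1, ..., s_i]
- Half-period: $X_k$, mean $\mu$, variance $\sigma^2$
- Sampling interval: $s = v\mu$, $r = v \bmod 1$ (fractional part)
- With $T_k = X_1 + X_2 + \dots + X_k$ and, by the CLT, $\frac{T_k - k\mu}{\sigma\sqrt{k}} \to N(0,1)$ as $k \to \infty$:
$$\mathrm{Prob}(R_i = k+1) = \mathrm{Prob}(T_k \le s) - \mathrm{Prob}(T_{k+1} \le s) = \Phi\left((v-k)\frac{\mu}{\sigma\sqrt{k}}\right) - \Phi\left((v-k-1)\frac{\mu}{\sigma\sqrt{k+1}}\right)$$
$$\mathrm{Prob}(B_i = 1) = \sum_{j=1}^{\infty} \mathrm{Prob}(R_i = 2j-1)$$
From Killmann et al., CHES 2008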

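One-time sampling: model approximation
Physical assumption: small jitter
$$\mathrm{Prob}(R_i = k+1) = \Phi\left((v-k)\frac{\mu}{\sigma\sqrt{k}}\right) - \Phi\left((v-k-1)\frac{\mu}{\sigma\sqrt{k+1}}\right) \approx \Phi\left(\frac{v-k}{q}\right) - \Phi\left(\frac{v-k-1}{q}\right)$$
by defining $q = \frac{\sigma\sqrt{v}}{\mu}$ (Quality Factor)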

Understanding $\mathrm{Prob}(R_i = k+1) \approx \Phi\left(\frac{v-k}{q}\right) - \Phi\left(\frac{v-k-1}{q}\right)$
- In one-time sampling, the phase difference is set to 0.
- The area (equal to 1) is divided at intervals of 1/q.
- The area of each column corresponds to the probability of $R_i$ being equal to each k.
- The larger q is, the more finely the area is divided into columns, which means that the areas of 0 and 1 are closer.
- Besides q, the value of r also affects the bias of the sampling bit.
[Figure: the unit area split into columns labelled alternately 1 and 0; annotations: q, r/q, 1/q]

Consecutive sampling: waiting time
[Figure: timeline with sampling instants s_0 (= 0), s_1, ..., s_i, waiting times W_1, ..., W_i and bits B_i, B_{i+1}]
- $W_i$: the distance of the ith sampling position to the following closest edge [Killmann et al. CHES 2008]
- In consecutive sampling, two adjacent sampling processes are dependent, as the waiting time $W_i$ generated by the ith sampling affects the next one.

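$W_i$ probability distribution
- Referring to renewal theory (i.i.d. assumption):
$$P_W(y) = \mathrm{Prob}(W_i \le y) = \frac{1}{\mu}\int_0^y \left(1 - P_X(u)\right)du, \quad s \to \infty$$
- Due to $\sigma \ll \mu$ (small jitter), $P_W(y)$ approximates a uniform distribution on $[0, \mu]$:
$$\mathrm{Prob}(W_i \le y) \approx \begin{cases} \frac{1}{\mu}\int_0^y 1\,du = \frac{y}{\mu}, & 0 \le y \le \mu \\ 1, & y > \mu \end{cases}$$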

Independence Condition
- No matter what $b_i$ is, $W_i$ is always uniformly distributed: for $b_i \in \{0,1\}$,
$$\mathrm{Prob}(W_i \le x \mid b_i) = \mathrm{Prob}(W_i \le x) = \frac{x}{\mu}$$
[Figure annotation: q > 0.6]
- Observation: when q is approximately larger than 0.6, the distribution becomes uniform and the correlation is almost eliminated.
- Observation alone is not enough; a precise entropy is needed.

Entropy Calculation
- Bit-rate entropy: $H = H_n / n$
$$H_n = -\sum_{\mathbf{b}_n \in \{0,1\}^n} p(\mathbf{b}_n)\log p(\mathbf{b}_n)$$
$$p(\mathbf{b}_n) = \mathrm{Prob}(b_n, \dots, b_1) = \prod_{i=1}^{n} K(b_i), \qquad K(b_i) = \mathrm{Prob}(b_i \mid b_{i-1}, \dots, b_1)$$
- The goal is to calculate the probability of $b_i$ conditioned on the previous bits.
- Method: using the waiting time $W_i$ to represent the relationship and then eliminating $W_i$

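Entropy Calculation
Basic function 1:
$$\mathrm{Prob}(b_{i+1} \mid w_i) = \sum_{i=-\infty}^{+\infty}\left[\Phi\left(\frac{2i+1-c_i}{q}\right) - \Phi\left(\frac{2i-c_i}{q}\right)\right] := J_{i+1}(w_i)$$
[Figure: timing diagram with labels: ideal, W_i, s_i, s_{i+1}]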

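Entropy Calculation
Basic function 2:
$$\mathrm{Prob}(W_{i+1} \le x, b_{i+1} \mid w_i) = \sum_{i=-\infty}^{+\infty}\left[\Phi\left(\frac{2i+1-c_i}{q}\right) - \Phi\left(\frac{2i-c_i+1-x}{q}\right)\right] := F_{i+1}(x, w_i)$$
[Figure: timing diagram with labels: ideal, W_i, s_i, s_{i+1}]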

Entropy Calculation
- The property of the Markov process:
$$\mathrm{Prob}(b_i \mid w_{i-1}, b_{i-1}, w_{i-2}, b_{i-2}, \dots) = \mathrm{Prob}(b_i \mid w_{i-1})$$
- From i = 1 to n for a pattern $\{b_n, \dots, b_1\}$, by iterating:
$$G_i(x) := \mathrm{Prob}(W_i \le x \mid b_i, \dots, b_1) = \frac{1}{K(b_i)}\int_0^1 F_i(x, y)\,G_{i-1}(dy)$$
$$K(b_{i+1}) = \int_0^1 J_{i+1}(x)\,dG_i(x)$$
- Especially,
$$G_1(x) = \frac{\int_0^1 F_1(x, w_0)\,dw_0}{\int_0^1 J_1(w_0)\,dw_0}$$

Entropy Evaluation
- For different $q = \sqrt{\frac{s}{\mu}}\,\frac{\sigma}{\mu}$
- The best (worst) performance occurs at r = 0.5 (r = 0), where r is the fractional part of $s/\mu$.
  - Maximum entropy and minimum entropy
- The oscillator frequency is so high that r is hard to adjust.
- A robust TRNG design should have sufficient entropy even in the worst (most unbiased) case.
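An added numerical example of the entropy calculation above (not from the slides): instead of the closed-form J and F functions it discretizes the sampling phase modulo two half-periods, which carries the same information as the waiting time W_i, and assumes the phase advance per sampling interval is Gaussian with mean v and standard deviation q in half-period units. The names `phase_kernel` and `block_entropy`, the grid size and the block length n = 8 are choices made for this example.

```python
import math

def phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def phase_kernel(v, q, cells):
    """Prob. that the sampling phase advances by k cells on the circle [0, 2)."""
    d, shift, t = 2.0 / cells, v % 2.0, []
    for k in range(cells):
        lo = k * d - shift - d / 2
        # wrap the assumed N(v, q^2) phase advance around the circle
        t.append(sum(phi((lo + 2 * w + d) / q) - phi((lo + 2 * w) / q)
                     for w in range(-8, 9)))
    return t

def block_entropy(v, q, n=8, cells=64):
    """H_n / n for n consecutive bits; bit = parity of floor(phase)."""
    t, half = phase_kernel(v, q, cells), cells // 2

    def advance(alpha):
        out = [0.0] * cells
        for a, pa in enumerate(alpha):
            if pa:
                for k, tk in enumerate(t):
                    out[(a + k) % cells] += pa * tk
        return out

    def walk(alpha, depth):
        # alpha[c] = Prob(phase of sample `depth` in cell c, earlier bits)
        h = 0.0
        for bit in (0, 1):
            joint = [p if (c >= half) == bool(bit) else 0.0
                     for c, p in enumerate(alpha)]
            p_pattern = sum(joint)          # Prob(b_depth, ..., b_1)
            if p_pattern <= 0.0:
                continue
            if depth == n:
                h -= p_pattern * math.log2(p_pattern)
            else:
                h += walk(advance(joint), depth + 1)
        return h

    return walk([1.0 / cells] * cells, 1) / n   # uniform initial phase

if __name__ == "__main__":
    for q in (0.3, 0.6, 1.0):   # constructed values; v = 100 (r=0), 100.5 (r=0.5)
        print(q, block_entropy(100.0, q), block_entropy(100.5, q))
```

Under these assumptions the r = 0.5 value lies above the r = 0 value at the same q, and both approach 1 as q grows.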

How to acquire q
- External measurement
  - needs a high-precision oscilloscope to measure jitter
  - the output circuit also causes jitter
- Inner measurement
  - convenient and reliable
  - can be embedded into hardware for online or inner test

Experiment Design
[Figure: measurement circuit with labels: Ring Oscillator, Slow Clock, Positive-edge Counter, Negative-edge Counter, +, FIFO]
- Dual-counter measurement circuit: counting the number of edges of the fast oscillator signal
- Clear mechanism

Calculating q
- Counting is a (delayed) renewal process.
- The variance of the counting results is $\frac{s\sigma^2}{\mu^3} + o(s) = q^2 + o(s)$, with $o(s) \to 0$ when $s \to \infty$.
- The clear mechanism guarantees that, after getting a number of count results for the duration s, we can sum m non-overlapping results to obtain the number of edges in the duration m·s.
  - Only one-time counting is needed to acquire the (approximated) q values under different sampling intervals.
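An added simulation of this procedure (not the authors' circuit or measurement data): half-periods are drawn i.i.d. Gaussian, edges are counted in back-to-back windows of length s, and q is estimated from the variance of sums of m consecutive counts and compared with the model value. All parameter values and function names are constructed for the example.

```python
import math
import random

def edge_counts(mu, sigma, s, n_windows, rng):
    """Edges counted in back-to-back windows of length s (no edge is lost)."""
    counts, t, boundary, c = [], 0.0, s, 0
    while len(counts) < n_windows:
        t += rng.gauss(mu, sigma)          # time of the next edge
        while t >= boundary and len(counts) < n_windows:
            counts.append(c)               # window closed: store and clear
            c, boundary = 0, boundary + s
        c += 1
    return counts

def q_from_counts(counts, m):
    """Std. deviation of the edge count over m merged windows (duration m*s)."""
    sums = [sum(counts[i:i + m]) for i in range(0, len(counts) - m + 1, m)]
    mean = sum(sums) / len(sums)
    return math.sqrt(sum((x - mean) ** 2 for x in sums) / (len(sums) - 1))

def q_model(mu, sigma, s):
    """Model value q = sqrt(s * sigma^2 / mu^3)."""
    return math.sqrt(s * sigma ** 2 / mu ** 3)

def overestimation(ms=(1, 4, 32), mu=1.0, sigma=0.05, s=20.3,
                   n_windows=32000, seed=1):
    """Ratio measured q / model q for each merge factor m (constructed data)."""
    counts = edge_counts(mu, sigma, s, n_windows, random.Random(seed))
    return {m: q_from_counts(counts, m) / q_model(mu, sigma, m * s)
            for m in ms}

if __name__ == "__main__":
    for m, ratio in overestimation().items():
        print(f"m={m:2d}  measured/model q = {ratio:.3f}")
```

In this simulated model the ratio is well above 1 at m = 1 and approaches 1 as m grows, because the integer count adds a roughly constant quantization term to the variance.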

Measurement Results
- The overestimation decreases as the sampling interval increases.
- Deterministic jitter exists!

Dual-RO Measuring
- The deterministic perturbation is global.
- Using another RO to measure the fast RO signal to filter deterministic jitter. [Fischer et al., FPL 2008]
- The existence of correlated noise
  - dominant at low frequency, but slight in the region of concern (q around 1)
  - does not degrade sampling bit quality when the accumulated independent jitter is sufficient
- Basic experimental data for verification

Parameters for Sufficient Entropy
Simulation for required q
- Theoretical entropy: H > 0.9999 (stricter)
- Sampling sequence: passing FIPS 140-2
- The required q values are close.
- The variation tendencies for the q values are consistent.
- When r = 0.5 the balance is always satisfied, so, once the independence condition is achieved, the entropy is sufficient and the sequence can pass the test.

Parameters for Sufficient Entropy
FPGA
- Passing ratio vs. standard variance: $q \in [0.8936, 0.9389]$
- It seems infeasible to measure the right r at this point to do a further verification.
  - A tiny measuring error will make the measured r totally different at such a high frequency of the fast oscillator signal.
- Correlated noise causes an overestimation of independent jitter, especially when m is large.

Effect of Deterministic Perturbations
- Making it easier to pass statistical tests
  - from m = 11 to m = 9
- Enlarging the amount of estimated random jitter

Bound for Randomness Improvement
- As the strength of the perturbation increases, the passing position does not move up any more after m = 6 (q = 0.68), consistent with the independence condition.
- Perturbation has little impact on the correlation but improves the balance of the random bits.

Predicting the Random Bits
Under deterministic perturbations
- for a sequence, the statistical property is satisfied
- but, for each bit, the entropy might be insufficient
  - making the prediction of each bit probability possible
Simulation: by previously knowing the precise design parameters and the function of the deterministic perturbation

Conclusion
- An entropy estimation method is provided, which is well consistent with experiment.
  - helpful for designers to determine the theoretical fastest sampling frequency (r = 0.5) and secure frequency (r = 0)
  - helpful for verifiers to calculate the entropy of given TRNG parameters
- A simple quality factor extraction circuit is designed.
  - embedded into hardware for online tests
  - a higher precision can be obtained by filtering correlated jitter and deriving from the result with long interval
  - detection of deterministic perturbations or even attacks
- The accumulated independent jitter should be sufficient.

Thanks!