True Random Number Generation with Logic Gates Only

True Random Number Generation with Logic Gates Only
Jovan Golić
Security Innovation, Telecom Italia
Winter School on Information Security, Finse 2008, Norway
Jovan Golic, Copyright 2008

Digital Random Number Generation
- True random numbers are needed for
  - seeding pseudorandom number generators
  - generating cryptographic keys (e.g., one-time pad, symmetric keys, asymmetric keys)
  - generating random nonces and salts
  - protection against side-channel attacks
- Digital random number generator (RNG) uses digital elements, logic gates only
  - suitable for implementation on digital chips
  - cost effective

Common Digital RNGs
- Ring oscillators (ROs) exploit digital jitter: random delays and transition times of logic gates
[Figure: circuit with output Out]
- A slow oscillator samples a fast ring oscillator
- Edge-triggered D-type flip-flop is used for sampling, with clock and data inputs provided by slow and fast ring oscillators, resp.

Common Digital RNGs (2)
- Mutual coupling reduces relative phase jitter
- Sensitivity to jitter is higher near the edges of oscillating signal, but this happens rarely
- Regular oscillating waveform is not suitable for extraction of true randomness by sampling
- Low entropy rate
- Can we transform randomness caused by jitter into a form more suitable for fast sampling?

Common Digital RNGs (3)
- RS latches and edge-triggered flip-flops exploit metastability events
[Figure: circuit with output Out]
- States (0,0) and (1,1) are metastable
- High sensitivity to manufacturing variations and changes in temperature and voltage
- Low entropy rate

New Paradigm: FIROs & GAROs
- Golić proposed to make feedback in a RO-like design more complex and, hence, transform the randomness caused by jitter
  - J. Dj. Golić, New Methods for Digital Generation and Postprocessing of Random Data, IEEE Trans. Computers, vol. 55(10), pp. 1217-1229, Oct. 2006
- Two different circuits are suggested:
  - FIROs (Fibonacci Ring Oscillators)
  - GAROs (Galois Ring Oscillators)

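Fibonacci Ring Oscillator (FIRO)
[Figure: FIRO circuit with feedback coefficients f_1, f_2, ..., f_{r-1} and output Out]
Galois Ring Oscillator (GARO)
[Figure: GARO circuit with feedback coefficients f_{r-1}, ..., f_2, f_1 and output Out]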

Basic Design Criteria for FIROs & GAROs
- Avoid fixed points by choosing the feedback polynomial $f(x) = \sum_{i=0}^{r} f_i x^i$ appropriately
- Characterization:
  - $f(x) = (1 + x)\,h(x)$, where $h(1) = 1$, for FIRO
  - $f(1) = 0$ and $r$ odd, for GARO
- If $h(x)$ is primitive, then synchronous state-transition diagram contains a long cycle of length $2^r - 2$ and a short cycle of length 2, which is metastable in asynchronous operation
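The FIRO criterion above can be checked by brute force on the synchronous model. This is an added example, not code from the slides or from Golić's paper; it assumes that coefficient f_i taps the output of inverter i and that all inverters switch in the same step, and the function names are this example's own.

```python
from itertools import product

def no_fixed_point_criterion(f):
    """FIRO criterion from the slide: f(x) = (1 + x) h(x) with h(1) = 1.

    f is the coefficient list [f_0, ..., f_r] over GF(2), with f_0 = f_r = 1.
    f(1) = 0 means an even number of nonzero coefficients; h(1) equals the
    formal derivative f'(1), i.e. the parity of the odd-index coefficients.
    """
    assert f[0] == 1 and f[-1] == 1
    return sum(f) % 2 == 0 and sum(f[1::2]) % 2 == 1

def firo_step(state, f):
    """One synchronous step; state[i-1] is the output of inverter i (assumed indexing)."""
    feedback = 0
    for i in range(1, len(f)):
        feedback ^= f[i] & state[i - 1]   # XOR of the tapped inverter outputs
    # Inverter 1 inverts the feedback, inverter i+1 inverts the output of inverter i.
    return (1 ^ feedback,) + tuple(1 ^ b for b in state[:-1])

def cycle_lengths(f):
    """Sorted cycle lengths of the state-transition diagram.

    With f_r = 1 the step is a permutation of the 2^r states, so every
    state lies on exactly one cycle; a length of 1 is a fixed point.
    """
    r = len(f) - 1
    seen, lengths = set(), []
    for start in product((0, 1), repeat=r):
        if start in seen:
            continue
        length, s = 0, start
        while True:
            seen.add(s)
            s = firo_step(s, f)
            length += 1
            if s == start:
                break
        lengths.append(length)
    return sorted(lengths)

if __name__ == "__main__":
    # Constructed test polynomials, lowest-degree coefficient first.
    samples = {"(1+x)(1+x+x^4)": [1, 0, 1, 0, 1, 1],   # h primitive, h(1) = 1
               "1+x+x^3": [1, 1, 0, 1],                # f(1) = 1
               "(1+x)^2 (1+x+x^2)": [1, 1, 0, 1, 1]}   # f(1) = 0 but h(1) = 0
    for name, f in samples.items():
        print(name, no_fixed_point_criterion(f), cycle_lengths(f))
```

A cycle of length 1 in the result is a state the oscillator can lock into, which is what the criterion rules out.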

Combined Oscillator FIGARO
[Figure: Fibonacci ring oscillator and Galois ring oscillator combined and sampled by a D-type flip-flop (inputs D and C, with C driven by Clock) giving the binary output]

Advantages
- High-speed, noise-like irregular oscillating signal, with random, pseudorandom, and chaotic properties on analog/digital level
- Unlike RO, total jitter increases with number of inverters, as switching frequency does not decrease
- Sensitivity to jitter significantly increases, as jitter is quickly propagated and transformed through feedback, resulting in oscillating waveform more suitable for extraction of true randomness by sampling

Advantages (2)
- Mutual coupling/interlocking reduced considerably
- More robustness of randomness properties
- Easy for implementation, also in FPGA technology
- Internal metastability events in oscillator
- Sampling metastability events in sampling circuit, such as D-type flip-flop, due to noise-like irregular oscillating signal
- As a consequence, much higher entropy rate

FPGA Experiments
- Joint work with Markus Dichtl (CHES 2007)
- Xilinx Spartan-3 Starter Kit based on Xilinx FPGA XC3S200-4FT256C
- Each logic inverter is implemented as 1 inverter logic gate
- It is easy to find feedback polynomials yielding good randomness; for very short oscillators, in some cases, periodicity effects are observed
- A FIRO of length 15 and a GARO of length 31 are used in reported experiments

FPGA Experiments (2)
[Figure: an example of FIRO output signal]

Distinguishing between True and Pseudo Randomness
- Usually, randomness is measured by statistical test suites; however, good pseudorandom sequences also satisfy these tests
- How to distinguish between true and pseudo randomness in a FIRO or GARO?
- If we use restarting from the same conditions, then changes in the output signal at any given time are due to randomness (CHES 2007)

Distinguishing between True and Pseudo Randomness (2)
- Bucci & Luzzi, at CHES 2005, proposed to restart RNGs in order to produce statistically independent outputs
- Restarting can be performed by resetting each inverter to a fixed state (e.g., by using NAND gates) and by allowing the outputs of XOR gates to stabilize
- In testing, controllable disturbances should be eliminated (e.g., quartz clock for sampling should follow the same state sequence, for each restart)

FIRO Restarts from Identical States (I)
[Figure]

FIRO Restarts from Identical States (II)
[Figure]

FIRO Restarts from Identical States (III)
[Figure]

Standard Deviation of 1000 FIRO Restarts
[Plot: standard deviation of output voltage in V versus time in ns after restart]

Restarting a RO, of length 3, 100 Times
[Plot: voltage in V versus time in ns after restart]

Standard Deviation of 1000 RO Restarts
[Figure]

Extraction of Bits by Sampling
- Direct sampling
[Figure]

Extraction of Bits by Sampling (2)
- Transition sampling with intermediate edge-triggered T-type flip-flop, reduces bias of bits
[Figure]

Restarting versus Continuous Operation
- Restarting mode: One bit generated at a time, needs time for transitory voltages to settle down, output bits are statistically independent and, hence, postprocessing is easy (high-security applications)
- Continuous mode: As many bits as needed generated at a time (restarting from a fixed state), independence plausible for higher sampling rates, but pseudo randomness is not ideally separated (high-speed applications)

Autocorrelation for Continuous Mode of FIRO
[Plot: autocorrelation versus time in ns]

Data Rates Achieved
- FIRO Restarting mode, run for 60 ns, stop for 40 ns, transition sampling: 7.14 Mbit/s (probability of 1: 51.62 %)
- FIRO Continuous mode, transition sampling, passing chi-square statistical independence test for 4-tuples: 12.5 Mbit/s (probability of 1: 51.92 %)

Doubling Entropy Rate
- Simultaneous direct and transition sampling doubles (raw) data rate, e.g., from 7.14 to 14.28 Mbits/s
- Two bits from one run are weakly dependent, but the pairs from different runs are independent
- Suitable postprocessing can yield almost all the Shannon entropy, which was 1.933 per pair, in the considered example with restarting
- Achieved output entropy rate is thus 13.8 Mbits/s

Power Consumption
- Theoretically, FIRO or GARO power consumption could increase linearly with length, as average inverter gate switching frequency does not decrease with length, and more power consumption means more primary randomness due to jitter
- For FIRO of length 15 on CMOS ICs 74HCTXX, measured power consumption was 3 to 4 times higher than for a RO (depending also on feedback)
- FIRO entropy rate is orders of magnitude higher

Generalizations
- Instead of FIRO or GARO, other autonomous asynchronous logic circuits with feedback, without fixed points, may be used
- Next-state function of associated (synchronous) finite-state machine (FSM) should satisfy:
  - Loops should not exist (no fixed points)
  - Cycles of length two (states) should be metastable in asynchronous operation
- In particular, (programmable linear) cellular automata may also be used

Digital Postprocessing
- RNG generates a raw binary sequence, possibly biased and correlated, where, typically, correlations may extend over a small number of consecutive bits
- The bias and correlations are usually difficult to quantify and should, hence, be considered as unknown
- The objective of postprocessing is to obtain a purely random binary output sequence, without using auxiliary purely random bits (unlike what is known as randomness extraction)

Digital Postprocessing (2)
- If the raw binary sequence is not correlated (i.e., is a sequence of statistically independent, possibly biased bits, such as in the restarting mode of operation), then one may apply theoretical algorithms
  - von Neumann algorithm, treating pairs of consecutive bits, but inefficient in terms of entropy rate achieved
  - Juels, Jakobsson, Shriver, Hillyer [JJSH2000] algorithm, "How to turn loaded dice into fair coins", treating n-tuples of consecutive bits
- For any given n, [JJSH2000] algorithm is provably optimal and, asymptotically in n, is capable of extracting the full Shannon entropy

Digital Postprocessing (3)
- If the raw binary sequence is possibly correlated (e.g., as in the continuous mode of operation), then one may apply heuristic algorithms
  - Data rate has to be reduced
  - Bias and correlations need to be diffused among output bits
- Synchronous nonautonomous FSM with one input (raw data) and one output, which implements a sequential transformation
  - Input can be introduced into the next-state function one symbol/bit at a time by using a latin-square/xor operation
  - Output sequence can be irregularly decimated for speed reduction

Digital Postprocessing (4)
- Theoretical criterion: if input sequence is purely random, then output sequence is also purely random
  - e.g., reversible sequential transformation
  - in particular, a current input bit can be XOR-ed with a current output bit of autonomous FSM and also with one or more state bits to influence the next state; FSM initial state can be fixed
- Heuristic criteria:
  - Computational distinguishability from purely random sequence, for any (or zero) input sequence
  - A change of the first input bit induces a computationally unpredictable change of subsequent output sequence (propagation effect)
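A small reversible sequential transformation of the kind the theoretical criterion describes, as an added example that is not from the slides. The 8-bit Galois register, the tap mask 0xB8, the fixed initial state and the point where the input enters the feedback are assumptions of this example; clock control and decimation are left out.

```python
from itertools import product

TAPS = 0xB8   # example Galois feedback mask (assumption of this example)
INIT = 0x01   # fixed, nonzero initial state (assumption of this example)

def postprocess(bits, state=INIT):
    """Sequential transformation: y_t = u_t XOR (current register output bit).

    The same bit y_t is used as the Galois feedback, so the raw input also
    influences the next state through the tapped state bits.
    """
    out = []
    for u in bits:
        y = u ^ (state & 1)
        state >>= 1
        if y:
            state ^= TAPS
        out.append(y)
    return out

def recover(out_bits, state=INIT):
    """Inverse transformation: rebuild the raw input from the output alone.

    The next state depends only on (state, y), so a party that knows the
    fixed initial state can track the register and undo the XOR.
    """
    raw = []
    for y in out_bits:
        raw.append(y ^ (state & 1))
        state >>= 1
        if y:
            state ^= TAPS
    return raw

def is_bijection(n):
    """Exhaustive check that all 2^n input blocks map to distinct outputs."""
    images = {tuple(postprocess(u)) for u in product((0, 1), repeat=n)}
    return len(images) == 2 ** n

if __name__ == "__main__":
    raw = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample input
    cooked = postprocess(raw)
    print(cooked, recover(cooked) == raw, is_bijection(10))
```

Because the map on n-bit blocks is a bijection, a purely random input block gives a purely random output block; for the same reason it preserves the entropy of a biased or correlated input and cannot add any.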

Digital Postprocessing (5)
- For example, one may use a self-clock-controlled linear feedback shift register (LFSR) in Galois configuration
[Figure: Galois LFSR with feedback coefficients f_{r-1}, ..., f_{γ-1} = 1, ..., f_2, f_1, labels j, k, τ_1, τ_2, and signals Clock, Clock Control, Input, Output]