rng logig

8/13/2019 Rng Logig

1/45

Corporate Research and Technology

Ph sical Random Number Generators

from Logic Gates

Siemens AG

Copyright Siemens AG 2010. All rights reserved.

8/13/2019 Rng Logig

2/45

Topics not covered in this talk

Analogue methods of physical random number

Postprocessing of physical random numbers

Do we really need a physical random number

,

random number generator not do?

,

AIS 31

Page 2 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl

8/13/2019 Rng Logig

3/45

Why do we need random numbers?

Many cryptographic protocols use random elements.

xamp es:

Key generation

Nonces without memory

ElGamal-procedures

Randomized implementations against side

channel attacks


8/13/2019 Rng Logig

4/45

Environment for FPGA experiments

All my experiments used Xilinx Spartan 3 FPGAs


8/13/2019 Rng Logig

5/45

Looking for the simplest digital random number generator


8/13/2019 Rng Logig

6/45

Ring Oscillators

Ring Oscillators (ROs) consist of an odd number of inverters

fRO = 1/(2*n*dinv)

fRO frequency of RO

n num er o nver ers

dinv delay time of inverter


8/13/2019 Rng Logig

7/45

Pseudorandomness from Sampling ROs

Many RO-based TRNG

design are really pseudorandom number

generators, as the rate

overestimated.

Pseudorandomeness from

sampling a deterministic

oscillation:


8/13/2019 Rng Logig

8/45

Broken Motorola TRNG design

The Motorola RNG resented at CHES 2002 was broken at CHES2003, as the ROs do not accumulate jitter fast enough

But Werner Schindler (BSI) showed that it produces enough entropy if


the sampling rate is reduced by a factor of 60000

8/13/2019 Rng Logig

9/45

How to Distinguish True and Pseudo Randomness

Statistical tests can not distinguish good pseudo randomness from true

randomness

Repeated restarting the generator from the same state helps todistinguish:

seu oran omness ea s to t e same e av our or eac restart

True randomness shows varied behaviour despite identical startingcon ons


8/13/2019 Rng Logig

10/45

Restarting a Ring Oscillator I

Even after 148 oscillation periods, 100 traces of restarts of a 296 MHz

RO only a small amount of jitter has accumulated


8/13/2019 Rng Logig

11/45

Restarting a Ring Oscil lator II

The figure shows the standard deviation of the output voltage of 1000

restarts of a 296 MHz RO.


8/13/2019 Rng Logig

12/45

Restarting a Ring Oscillator III

The figure shows the mean of the output voltage of 1000 restarts of a

296 MHz RO.


8/13/2019 Rng Logig

13/45

8/13/2019 Rng Logig

14/45

The current Infineon smartcard RNG

A feedback loop keeps sampling close to the edge of the

sampled signal.

sampled RO signal time of sampling

voltage

time


8/13/2019 Rng Logig

15/45

Pro and Contra of the Infineon Approach

Very clear principle

Can use standard cell library

Hand layout of cells necessary to achieve required

Impossible on FPGAs

Dependencies complicate postprocessing


8/13/2019 Rng Logig

16/45

Do many ROs achieve more?

Idea: Use more ROs to get more entropy

Sunar, Martin, Stinson: A Provably Secure True RandomNumber Generator with Built-in Tolerance to Active

Attacks, IEEE Trans. Computers, vol. 56(1), pp. 109-119,Jan. 2007

Schellekens, Preneel, Verbauwhede: FPGA Vendor Agnostic, ,


8/13/2019 Rng Logig

17/45

The provably secure TRNG design (Leuven version)


8/13/2019 Rng Logig

18/45

First Reason why the Security Proof Fails

The security proof is based on a very unrealistic

It is assumed that each RO has a built in perfect

,

the imaginary clock. The model does not allow theaccumulation of jitter over time.


8/13/2019 Rng Logig

19/45

Second Reason why the Security Proof Fails

In the security proof, all the ROs are assumed to be.

In reality, ROs implemented on the same chip interact

.


8/13/2019 Rng Logig

20/45

Interaction of two ROs on the same FPGA Chip


8/13/2019 Rng Logig

21/45

Non-Interaction of Two ROs on Two FPGA Boards


8/13/2019 Rng Logig

22/45

Third Reason why the Security Proof Fails

The XOR of many high frequency oscillations results

compute.

In the Leuven design, the output of the XOR wouldhave to make 139 bil lions of transitions per

second, which is clearly impossible with current

technology.


8/13/2019 Rng Logig

23/45

Third Reason why the Security Proof Fails (II)

SPICE simulation of the design with 114 ROs of length 13.


.

8/13/2019 Rng Logig

24/45

Fourth Reason why the Security Proof Fails

Even if the extremely high speed XOR-signal could be, ,

flip-flop has to respect setup and hold times.

to be sampled reliably.

The Leuven FPGA has to sample a signal with on

average 23.8 transitions during the 170 ps the input

.


8/13/2019 Rng Logig

25/45

Is it secure?

The design is definitely not provably secure, but is it

,

between true randomness and pseudorandomness

The completely deterministic XOR of only 16 oscillators

with slightly different frequencies is so complex that it

.


8/13/2019 Rng Logig

26/45

Restarting the XOR of 114 ROs

The results are surprisingly good, but sampling results in


quite biased output

8/13/2019 Rng Logig

27/45

How the provably secure RNG was cured

Knut Wold and Chik How Tan, Analysis and Enhancement of

,

ReConfig 08

The idea: To sample each RO individiually, and to XORonl the sam led values


8/13/2019 Rng Logig

28/45

How the provably secure RNG was cured II

No more theoretical provable security, but convincing

It works well, but why does it work so well ?


8/13/2019 Rng Logig

29/45

Going beyond ROs

Jovan Goli (Telecom Italia) invented two strongly improved

,

Fibonacci ring oscil lators (FIRO) and

Galois rin oscillators GARO

The designs show similarities with Fibonacci and Galois

s, a e e reg s ers are rep ace w nver ers

. . ,

Postprocessing of Random Data, IEEE Trans. Computers,

-


8/13/2019 Rng Logig

30/45

FIRO


8/13/2019 Rng Logig

31/45

GARO


8/13/2019 Rng Logig

32/45

Example of FIRO Output

Is it really random?


(Feedback polynomial x15+x14+x7+x6+x5+x4+x2+1)

8/13/2019 Rng Logig

33/45

FIRO Restarts from Identical States (I)


8/13/2019 Rng Logig

34/45

FIRO Restarts from Identical States (II)


8/13/2019 Rng Logig

35/45

FIRO Restarts from Identical States (III)


8/13/2019 Rng Logig

36/45

Standard Deviation of 1000 FIRO Restarts

1.4nV

1.2

tvoltage

i

0.8

nofou

tp

0.4

0.6

d

deviatio

0.2

Time in ns after restartStanda


8/13/2019 Rng Logig

37/45

ASICs with FIROs and GAROs

Asymmetric authentication


chip with FIRO

8/13/2019 Rng Logig

38/45

Problems with FIROs and GAROs on CMOS ASICS

Non-random behaviour of the FIRO on the SPIKE-Chip

-

On ASICs, XORs are up to 10 times slower thaninverters

Problems of sampling the high speed output signal of

the FIRO/GARO


8/13/2019 Rng Logig

39/45

First Steps Towards Modell ing FIROs and GAROs (I)

Analysis of the numbers of inverter-delays and XOR-


8/13/2019 Rng Logig

40/45

First Steps Towards Modell ing FIROs and GAROs (II)


8/13/2019 Rng Logig

41/45

A Cute Idea

-, ,Kim, Bohdan Karpinskyy (Samsung)

suggest in Fast Digital TRNG Based on Metastable

Ring Oscillator (CHES 2008) a new design of astateless RO variant called meta-RO, which starts for the

genera on o eac rom e nver er s a e w ere e

input and output voltage are identical.


8/13/2019 Rng Logig

42/45

A Meta-RO


8/13/2019 Rng Logig

43/45

A Cute Idea which Does Not Work So Well on FPGAs

starts to oscillate with a frequency of about 680 MHz on

Spartan 3. It seems to be quite tricky to get a stable state

on Virtex 2.


8/13/2019 Rng Logig

44/45

A Cute Idea which Does Not Work So Well on ASICs either

- ,tend to show very often the same output signal after

restarts.


8/13/2019 Rng Logig

45/45

Conclusion

ROs are a reliable, albeit slow source of randomness

secure, but may be secure anyway for unclear reasons.

The construction can be made sound by sampling each

RO individually. FIROs and GAROs are the way to go on FPGAs, but

urne ou o e pro ema c on s

Meta-ROs were a nice idea, but did not meet the

No ideal low cost TRNG solution yet

Many nice research topics


rng logig

Documents