rng logig
TRANSCRIPT
-
8/13/2019 Rng Logig
1/45
Corporate Research and Technology
Ph sical Random Number Generators
from Logic Gates
Siemens AG
Copyright Siemens AG 2010. All rights reserved.
-
8/13/2019 Rng Logig
2/45
Topics not covered in this talk
Analogue methods of physical random number
Postprocessing of physical random numbers
Do we really need a physical random number
,
random number generator not do?
,
AIS 31
Page 2 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
3/45
Why do we need random numbers?
Many cryptographic protocols use random elements.
xamp es:
Key generation
Nonces without memory
ElGamal-procedures
Randomized implementations against side
channel attacks
Page 3 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
4/45
Environment for FPGA experiments
All my experiments used Xilinx Spartan 3 FPGAs
Page 4 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
5/45
Looking for the simplest digital random number generator
Page 5 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
6/45
Ring Oscillators
Ring Oscillators (ROs) consist of an odd number of inverters
fRO = 1/(2*n*dinv)
fRO frequency of RO
n num er o nver ers
dinv delay time of inverter
Page 6 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
7/45
Pseudorandomness from Sampling ROs
Many RO-based TRNG
design are really pseudorandom number
generators, as the rate
overestimated.
Pseudorandomeness from
sampling a deterministic
oscillation:
Page 7 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
8/45
Broken Motorola TRNG design
The Motorola RNG resented at CHES 2002 was broken at CHES2003, as the ROs do not accumulate jitter fast enough
But Werner Schindler (BSI) showed that it produces enough entropy if
Page 8 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
the sampling rate is reduced by a factor of 60000
-
8/13/2019 Rng Logig
9/45
How to Distinguish True and Pseudo Randomness
Statistical tests can not distinguish good pseudo randomness from true
randomness
Repeated restarting the generator from the same state helps todistinguish:
seu oran omness ea s to t e same e av our or eac restart
True randomness shows varied behaviour despite identical startingcon ons
Page 9 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
10/45
Restarting a Ring Oscillator I
Even after 148 oscillation periods, 100 traces of restarts of a 296 MHz
RO only a small amount of jitter has accumulated
Page 10 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
11/45
Restarting a Ring Oscil lator II
The figure shows the standard deviation of the output voltage of 1000
restarts of a 296 MHz RO.
Page 11 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
12/45
Restarting a Ring Oscillator III
The figure shows the mean of the output voltage of 1000 restarts of a
296 MHz RO.
Page 12 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
13/45
-
8/13/2019 Rng Logig
14/45
The current Infineon smartcard RNG
A feedback loop keeps sampling close to the edge of the
sampled signal.
sampled RO signal time of sampling
voltage
time
Page 14 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
15/45
Pro and Contra of the Infineon Approach
Very clear principle
Can use standard cell library
Hand layout of cells necessary to achieve required
Impossible on FPGAs
Dependencies complicate postprocessing
Page 15 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
16/45
Do many ROs achieve more?
Idea: Use more ROs to get more entropy
Sunar, Martin, Stinson: A Provably Secure True RandomNumber Generator with Built-in Tolerance to Active
Attacks, IEEE Trans. Computers, vol. 56(1), pp. 109-119,Jan. 2007
Schellekens, Preneel, Verbauwhede: FPGA Vendor Agnostic, ,
Page 16 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
17/45
The provably secure TRNG design (Leuven version)
Page 17 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
18/45
First Reason why the Security Proof Fails
The security proof is based on a very unrealistic
It is assumed that each RO has a built in perfect
,
the imaginary clock. The model does not allow theaccumulation of jitter over time.
Page 18 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
19/45
Second Reason why the Security Proof Fails
In the security proof, all the ROs are assumed to be.
In reality, ROs implemented on the same chip interact
.
Page 19 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
20/45
Interaction of two ROs on the same FPGA Chip
Page 20 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
21/45
Non-Interaction of Two ROs on Two FPGA Boards
Page 21 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
22/45
Third Reason why the Security Proof Fails
The XOR of many high frequency oscillations results
compute.
In the Leuven design, the output of the XOR wouldhave to make 139 bil lions of transitions per
second, which is clearly impossible with current
technology.
Page 22 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
23/45
Third Reason why the Security Proof Fails (II)
SPICE simulation of the design with 114 ROs of length 13.
Page 23 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
.
-
8/13/2019 Rng Logig
24/45
Fourth Reason why the Security Proof Fails
Even if the extremely high speed XOR-signal could be, ,
flip-flop has to respect setup and hold times.
to be sampled reliably.
The Leuven FPGA has to sample a signal with on
average 23.8 transitions during the 170 ps the input
.
Page 24 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
25/45
Is it secure?
The design is definitely not provably secure, but is it
,
between true randomness and pseudorandomness
The completely deterministic XOR of only 16 oscillators
with slightly different frequencies is so complex that it
.
Page 25 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
26/45
Restarting the XOR of 114 ROs
The results are surprisingly good, but sampling results in
Page 26 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
quite biased output
-
8/13/2019 Rng Logig
27/45
How the provably secure RNG was cured
Knut Wold and Chik How Tan, Analysis and Enhancement of
,
ReConfig 08
The idea: To sample each RO individiually, and to XORonl the sam led values
Page 27 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
28/45
How the provably secure RNG was cured II
No more theoretical provable security, but convincing
It works well, but why does it work so well ?
Page 28 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
29/45
Going beyond ROs
Jovan Goli (Telecom Italia) invented two strongly improved
,
Fibonacci ring oscil lators (FIRO) and
Galois rin oscillators GARO
The designs show similarities with Fibonacci and Galois
s, a e e reg s ers are rep ace w nver ers
. . ,
Postprocessing of Random Data, IEEE Trans. Computers,
-
Page 29 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
30/45
FIRO
Page 30 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
31/45
GARO
Page 31 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
32/45
Example of FIRO Output
Is it really random?
Page 32 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
(Feedback polynomial x15+x14+x7+x6+x5+x4+x2+1)
-
8/13/2019 Rng Logig
33/45
FIRO Restarts from Identical States (I)
Page 33 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
34/45
FIRO Restarts from Identical States (II)
Page 34 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
35/45
FIRO Restarts from Identical States (III)
Page 35 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
36/45
Standard Deviation of 1000 FIRO Restarts
1.4nV
1.2
tvoltage
i
0.8
nofou
tp
0.4
0.6
d
deviatio
0.2
Time in ns after restartStanda
Page 36 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
37/45
ASICs with FIROs and GAROs
Asymmetric authentication
Page 37 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
chip with FIRO
-
8/13/2019 Rng Logig
38/45
Problems with FIROs and GAROs on CMOS ASICS
Non-random behaviour of the FIRO on the SPIKE-Chip
-
On ASICs, XORs are up to 10 times slower thaninverters
Problems of sampling the high speed output signal of
the FIRO/GARO
Page 38 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
39/45
First Steps Towards Modell ing FIROs and GAROs (I)
Analysis of the numbers of inverter-delays and XOR-
Page 39 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
40/45
First Steps Towards Modell ing FIROs and GAROs (II)
Page 40 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
41/45
A Cute Idea
-, ,Kim, Bohdan Karpinskyy (Samsung)
suggest in Fast Digital TRNG Based on Metastable
Ring Oscillator (CHES 2008) a new design of astateless RO variant called meta-RO, which starts for the
genera on o eac rom e nver er s a e w ere e
input and output voltage are identical.
Page 41 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
42/45
A Meta-RO
Page 42 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
43/45
A Cute Idea which Does Not Work So Well on FPGAs
starts to oscillate with a frequency of about 680 MHz on
Spartan 3. It seems to be quite tricky to get a stable state
on Virtex 2.
Page 43 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
44/45
A Cute Idea which Does Not Work So Well on ASICs either
- ,tend to show very often the same output signal after
restarts.
Page 44 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl
-
8/13/2019 Rng Logig
45/45
Conclusion
ROs are a reliable, albeit slow source of randomness
secure, but may be secure anyway for unclear reasons.
The construction can be made sound by sampling each
RO individually. FIROs and GAROs are the way to go on FPGAs, but
urne ou o e pro ema c on s
Meta-ROs were a nice idea, but did not meet the
No ideal low cost TRNG solution yet
Many nice research topics
Page 45 February 2010 Siemens Corporate Research and TechnologyMarkus Dichtl