New High Entropy Element for FPGA Based
True Random Number Generators
Michal Varchola and Milo Drutarovskš ý
Department of Electronics and Multimedia CommunicationsFaculty of Electrical Engineering and Informatics
šé š
Technical University of Ko icePark Komensk ho 13, 04120 Ko ice
Slovak Republic
The 12 Workshop on Cryptographic Hardwareand Embedded Systems (CHES 2010)UC Santa BarbaraAugust 20, 2010
th
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- New Entropy Element Design Goals
- Transition Effect Ring Oscillator (TERO)
- Mathematical Model of TERO
- Experimental Results
- Conclusions
2 / 26
IntroductionRandom Numbers are Essential...
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Session Keys
Signature ParametersTemporary Keys
Challenges for AuthenticationZero Knowledge Protocols
NoncesGeneration of Primes
The TRNG of insufficient quality can weaken an
otherwise strong cryptographic system (see e.g. [1]).
...and therefore random numbers must be independent,
unpredictable, and must fulfill strict statistical properties.
True Random Number Generators (TRNGs) translate
a physical phenomena (e.g. thermal noise) to the random digits.
[1] Markettos, Moore:
, CHES 2009
The Frequency Injection Attack on Ring-Oscillator
Based True Random Number Generators
3 / 26
IntroductionRandom Numbers are Essential...
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Session Keys
Signature ParametersTemporary Keys
Challenges for AuthenticationZero Knowledge Protocols
NoncesGeneration of Primes
...and therefore random numbers must be independent,
unpredictable, and must fulfill strict statistical properties.
True Random Number Generators (TRNGs) translate
a physical phenomena (e.g. thermal noise) to the random digits.
The TRNG of insufficient quality can weaken an
otherwise strong cryptographic system (see e.g. [1]).
[1] Markettos, Moore:
, CHES 2009
The Frequency Injection Attack on Ring-Oscillator
Based True Random Number Generators
3 / 26
IntroductionRandom Numbers are Essential...
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Session Keys
Signature ParametersTemporary Keys
Challenges for AuthenticationZero Knowledge Protocols
NoncesGeneration of Primes
...and therefore random numbers must be independent,
unpredictable, and must fulfill strict statistical properties.
True Random Number Generators (TRNGs) translate
a physical phenomena (e.g. thermal noise) to the random digits.
The TRNG of insufficient quality can weaken an
otherwise strong cryptographic system (see e.g. [1]).
[1] Markettos, Moore:
, CHES 2009
The Frequency Injection Attack on Ring-Oscillator
Based True Random Number Generators
3 / 26
IntroductionRandom Numbers are Essential...
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Session Keys
Signature ParametersTemporary Keys
Challenges for AuthenticationZero Knowledge Protocols
NoncesGeneration of Primes
...and therefore random numbers must be independent,
unpredictable, and must fulfill strict statistical properties.
True Random Number Generators (TRNGs) translate
a physical phenomena (e.g. thermal noise) to the random digits.
The TRNG of insufficient quality can weaken an
otherwise strong cryptographic system (see e.g. [1]).
[1] Markettos, Moore:
, CHES 2009
The Frequency Injection
Based True Random Number Generators
Attack on Ring-Oscillator
3 / 26
IntroductionWhy Random Number Generators?True
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
“Any one who considers arithmetical methods
of producing random digits is, of course, in a state of sin.
For, as has been pointed out several times, there is no
such thing as a random number –
there are only methods to produce random numbers,
and a strict arithmetic procedure of course
is not such a method.”
John Von Neumann
The Research Challenge:
To discover such a random source and extraction method,
which can be reliably synthesized in modern electronic devices
such as Field Programmable Gate Arrays (FPGAs),
where cryptographic systems are usually implemeted.
4 / 26
IntroductionWhy Random Number Generators?True
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
“Any one who considers arithmetical methods
of producing random digits is, of course, in a state of sin.
For, as has been pointed out several times, there is no
such thing as a random number –
there are only methods to produce random numbers,
and a strict arithmetic procedure of course
is not such a method.”
John Von Neumann
The Research Challenge:
To discover such a random source and extraction method,
which can be reliably synthesized in modern electronic devices
such as Field Programmable Gate Arrays (FPGAs),
where cryptographic systems are usually implemeted.
4 / 26
IntroductionFPGA-based TRNG Randomness Sources & Designs
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Timing Jitter:
ROs- of Ring Oscillators ( ):
- Two accompanied with LFSRs (Tkacik; CHES 2002; by Dichtl)
- Fibonacci and Galois Combined by XOR (Golic; Tran. on Comp. 2006)
- 114 combined by XOR (Sunar; Tran. on Comp.; by Dichtl)
- 20 combined by XOR - the modification of Sunar’s 114 ROs design
(Wold, Tan; Int. J. of Reconfig. Comp. 2009; by Fischer)
ROs compromised
ROs
ROs
ROs
compromised
compromised
RO attack- The general frequency injection (Markettos, Moore; CHES 2009)
(Fischer & Drutarovsky, CHES 2002)- of PLLs’ output
Metastability:
- Metastable Ring Oscillator ( et.al.; CHES 2008)
- Authors mentioned difficulties realated to implementation in FPGA hardware
Vasyltsov
the
5 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
&
restart
output
Basic RO circuitry
6 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Basic RO operation t1
output t1
restart t1
&
restart
output
Basic RO circuitry
6 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
&
restart
output
Basic RO-based TRNG
Basic RO operation t1
DFF rnd. bit
sample
output t1
restart t1
sample t1
rnd. bit t1Randomness
Extractor
sampling
6 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
&
restart
output
Basic RO operation t1, t2
DFF rnd. bit
sample
output t2
rnd. bit t2
output t1
restart t1,t2
sample t1,t2
rnd. bit t1Randomness
Extractor
Basic RO-based TRNG
sampling
6 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Pros ROsof the Popular :
- Employs standard logic cells
Easy synthesis in FPGAs and ASICs-
&
restart
output
Basic RO operation t1, t2
DFF rnd. bit
sample
output t2
rnd. bit t2
output t1
restart t1,t2
sample t1,t2
rnd. bit t1
Basic RO-based TRNG
sampling
6 / 26
IntroductionRing Oscillator Randomness Extraction Method
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Pros ROs
Cons ROs
of the Popular :
of the Popular :
- Employs standard logic cells
Easy synthesis in FPGAs and ASICs
- Low entropy rate (acquired from
internal noise processes in RO electronic components)
- Strong dependence on working conditions and external perturbation
- RO can synchronize on parallel operating ROs or on perturbation
-
&
restart
output
Basic RO operation t1, t2
DFF rnd. bit
sample
output t2
rnd. bit t2
output t1
restart t1,t2
sample t1,t2
rnd. bit t1
Basic RO-based TRNG
sampling
6 / 26
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- Transition Effect Ring Oscillator (TERO)
- Mathematical Model of TERO
- Experimental Results
- Conclusions
- New Entropy Element Design Goals
7 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
New
Entropy
Element
entropy rate
higher than RO
8 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
entropy rate
higher than RO sensitivity on
global interference
and working cond.
lower than RO
New
Entropy
Element
8 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
entropy rate
higher than RO sensitivity on
global interference
and working cond.
lower than RO
provable
ability to extract
the intrinsic noise
of logic elements
New
Entropy
Element
8 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
entropy rate
higher than RO sensitivity on
global interference
and working cond.
lower than RO
provable
ability to extract
the intrinsic noise
of logic elements
New
Entropy
Element
acceptable
math. model for
wide scientific
community
8 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
entropy rate
higher than RO sensitivity on
global interference
and working cond.
lower than RO
provable
ability to extract
the intrinsic noise
of logic elements
acceptable
math. model for
wide scientific
communityfeature of
inner testability
for the instant
evaluation
low number
of logic elements
in its structurecombination of
multiple known
rnd. extraction
methods
New
Entropy
Element
8 / 26
New Entropy Element Design Goals
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
entropy rate
higher than RO sensitivity on
global interference
and working cond.
lower than RO
provable
ability to extract
the intrinsic noise
of logic elements
acceptable
math. model for
wide scientific
communityfeature of
inner testability
for the instant
evaluation
stateless
entropy
concept
parallel
operation
low number
of logic elements
in its structure
straightforward
place & route
strategies
combination of
multiple known
rnd. extraction
methods
New
Entropy
Element
8 / 26
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- New Entropy Element Design Goals
- Mathematical Model of TERO
- Experimental Results
- Conclusions
- Transition Effect Ring Oscillator (TERO)
9 / 26
&
restart (rst)
output
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Starting from simple RO...
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
AND1
output
rst
...two inverters are replaced by buffers, still the same circuit behavior...
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
AND
XOR AND22
1XOR1
‘0’
‘1’
output
Normal Ring
Oscillator Operation
(RO Mode)
rst
...buffer and inverter are replaced by XORs, which act as andbuffer inverter,
second buffer is replaced by AND (in order to have the loop symmetric)...
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
rst
ctrlAND
XOR AND22
1XOR1 AND
XOR AND22
1XOR1
output
Transition Effect Ring
Oscillator Operation
(TERO Mode)
...both XORs can be switched from inverter to buffer logic function simultaneously
what can cause oscillations in the circuit if the feedback path is long enough ...
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Isolated TERO loop
Internal
terout
Single CLB Implementation
clr
tffout
tffout2
rst
ctrl INVAND
XOR AND22
1 1XOR1
INV2
INV3
INV4
INV5
TFF
TFF2
Isolated TERO loop
AND
XOR AND22
1XOR1
Neighboring Logic Isolation(in order to prevent routing of
internal TERO loop signals
outside the CLB )
Randomness Extractor(TFF resolves whether TERO
made even or odd number
of oscillations)
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry and Operation in FPGA Hardware
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
ctrl
rst
terout
tffout
nrstT = 3200 ns
ctrlT = 4000 nsrnd. bit gener.start
rnd. bit gener. finish
TEROoscillation
randombit
TFF is clearedVariation
of s# oscillation
Isolated TERO loop
Internal
terout
Single CLB Implementation
clr
tffout
tffout2
rst
ctrl INVAND
XOR AND22
1 1XOR1
INV2
INV3
INV4
INV5
TFF1
TFF2
Single CLB Implementation in Xilinx Spartan 3E FPGA and the Oscilloscope Screenshot
Isolated TERO loop
AND
XOR AND22
1XOR1
tffout2INV2 TFF2
10 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry Simulation ResultLT Spice
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
1 sμ 3 μs
3.02 μs 3.10 μs0 V
0 V
2.5 V
3.06 μs
2 μs
ST MT
2.5 V
T - width of pulse
when the oscillations
are started
S T - width of pulse
when the oscillations
disappear
M
terout
ctrl edge ctrl edge
TT ≈ 5 ns
T - period of a
single TERO
oscillation
T
11 / 26
Transition Effect Ring Oscillator (TERO)TERO Circuitry Simulation ResultLT Spice
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
The raised pulse plays a crucial role...shortening of
1 sμ 3 μs
3.02 μs 3.10 μs0 V
0 V
2.5 V
3.06 μs
2 μs
ST TT ≈ 5 ns MT
2.5 V
T - width of pulse
when the oscillations
are started
S T - width of pulse
when the oscillations
disappear
MT - period of a
single TERO
oscillation
T
terout
ctrl edge ctrl edge
1T 2T
T - each oscillation
(average) pulse
shortening factor
D
DT T T= -1 2
DT ≈ 10 ps T ≈ 80 psD
11 / 26
Transition Effect Ring Oscillator (TERO)TERO vs. RO comparison using VHDL Macro-Model
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
VHDL Macro-Model of TERO (and RO - when ctrl = ‘1’ for XOR and ctrl = ‘0’ for XOR )1 2
wire CNT
results file
stim
uli
noise file 1 noise file 2 noise file 3 noise file 4
clr
rst
ctrl
smp
wire wire wireXOR AND XOR AND2211
12 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
VHDL Macro-Model of TERO (and RO - when ctrl = ‘1’ for XOR and ctrl = ‘0’ for XOR )1 2
0 50 100143
148
153
TE
RO
#oscs.
σ= 1ps, b= 0ps
0 50 100
110
150
190
σ= 10ps, b= 50ps
0 50 100146
152
158
σ= 0.5ps, b= 50ps
0 100
319320321
ctrl period
RO
#oscs.
σ= 1ps, b= 0ps
0 100
310320330
ctrl period
σ= 10ps, b= 50ps
0 100
310320330
ctrl period
σ= 0.5ps, b= 50ps
wire CNT
results file
stim
uli
noise file 1 noise file 2 noise file 3 noise file 4
clr
rst
ctrl
smp
wire wire wireXOR AND XOR AND2211
The ModelSim simulation results of the VHDL structure for both TERO and RO modes
12 / 26
Transition Effect Ring Oscillator (TERO)TERO vs. RO comparison using VHDL Macro-Model
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- New Entropy Element Design Goals
- Transition Effect Ring Oscillator (TERO)
- Experimental Results
- Conclusions
- Mathematical Model of TERO
13 / 26
Mathematical Model of TERO
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
“Remember that all models are wrong;
the practical question is how wrong do they
have to be to not be useful.”
George E. P. Box
14 / 26
Mathematical Model of TERO
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
“Remember that all models are wrong;
the practical question is how wrong do they
have to be to not be useful.”
George E. P. Box
We need the useful mathematical model in order to:
- show that “randomness” relies on the physical phenomena
- determine how much “randomness” is available
- fulfill TRNG evaluation criteria
- persuade a community on the reliability of a random number
generation method
14 / 26
Mathematical Model of TEROTERO Mathematical Model Definition
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Σ ΣYTj
i =1
( )Δ +T = T Y + ΔTij DT T =-S M
i =1
YTj
D Tj Tij
N(0, )σ 2
TD T T-S M ctrl
stopcondition
start &reset
noise model
ΣYTj
i =1
sum the inputuntil reaching the stopcondition: = -
each periodΣ T T
ctrl(comb filter)
Y ,Y Y,..., ,...T1 T2 Tj
ΔT2( -1)j
sumationinput
TT TM
ΔTij
TS
TS
TD
Tctrl
ΔTΣ ij
lastpulse
firstpulse
ctrl
terout
S M
Δ +TTij D
Tctrl j -1Tctrl j
TT1TT2
TTiTTi +1
T - width of pulse
when the oscillations
are started
S
T - width of pulse
when the oscillations
disappear
M
T - each oscillation
(average) pulse
shortening factor
D
Δ period jitter or
instability of
shortening factor
-Tij
Y - number of
oscillations done
each -th ctrl periodj
Tj
T - period of a
single TERO
oscillation
T
15 / 26
Mathematical Model of TEROTERO Mathematical Model Definition
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Σ ΣYTj
i =1
( )Δ + = T Y +T ΔTij DT T =-S M
i =1
YTj
D Tj Tij
TD T T-S M ctrl
stopcondition
start &reset
ΣYTj
i =1
sum the inputuntil reaching the stopcondition: = -
each periodΣ T T
ctrl(comb filter)
Y ,Y Y,..., ,...T1 T2 Tj
ΔT2( -1)j
sumationinput
TT TM TS
TS
TD
Tctrl
ΔTΣ ij
lastpulse
firstpulse
ctrl
terout
S M
Δ +TTij D
Tctrl j -1Tctrl j
TT1TT2
TTiTTi +1
T - width of pulse
when the oscillations
are started
S
T - width of pulse
when the oscillations
disappear
M
D
Δ period jitter or
instability of
shortening factor
-Tij
Y - number of
oscillations done
each -th ctrl periodj
Tj
T - period of a
single TERO
oscillation
T
T - each oscillation
(average) pulse
shortening factor
N(0, )σ 2
noise model
ΔTij
15 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Σ ΣYTj
i =1
( )Δ + = T Y +T ΔTij DT T =-S M
i =1
YTj
D Tj Tij
TD T T-S M ctrl
stopcondition
start &reset
ΣYTj
i =1
sum the inputuntil reaching the stopcondition: = -
each periodΣ T T
ctrl(comb filter)
Y ,Y Y,..., ,...T1 T2 Tj
ΔT2( -1)j
sumationinput
TT TM TS
TS
TD
Tctrl
ΔTΣ ij
lastpulse
firstpulse
ctrl
terout
S M
Δ +TTij D
Tctrl j -1Tctrl j
TT1TT2
TTiTTi +1
T - width of pulse
when the oscillations
are started
S
T - width of pulse
when the oscillations
disappear
M
D
Δ period jitter or
instability of
shortening factor
-Tij
Y - number of
oscillations done
each -th ctrl periodj
Tj
T - period of a
single TERO
oscillation
T
Mathematical Model of TEROTERO Mathematical Model Definition
T - each oscillation
(average) pulse
shortening factor
N(0, )σ 2
noise model
ΔTij
15 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
oscillationsY oscillationsYTj-1 Tj
Σ ΣYTj
i =1
( )Δ +T = T Y + ΔTij DT T =-S M
i =1
YTj
D Tj Tij
TD T T-S M ctrl
stopcondition
start &reset
ΣYTj
i =1
sum the inputuntil reaching the stopcondition: = -
each periodΣ T T
ctrl(comb filter)
Y ,Y Y,..., ,...T1 T2 Tj
ΔT2( -1)j
sumationinput
TT TM TS
TS
TD
Tctrl
ΔTΣ ij
lastpulse
firstpulse
ctrl
terout
S M
Δ +TTij D
Tctrl j -1Tctrl j
TT1TT2
TTiTTi +1
T - width of pulse
when the oscillations
are started
S
T - width of pulse
when the oscillations
disappear
M
D
Δ period jitter or
instability of
shortening factor
-Tij
Y - number of
oscillations done
each -th ctrl periodj
Tj
T - period of a
single TERO
oscillation
T
Mathematical Model of TEROTERO Mathematical Model Definition
T - each oscillation
(average) pulse
shortening factor
N(0, )σ 2
noise model
ΔTij
=Y YTj-1 Tj
15 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
oscillationsY oscillationsYTj-1 Tj
Σ ΣYTj
i =1
( )Δ +T = T Y + ΔTij DT T =-S M
i =1
YTj
D Tj Tij
TD T T-S M ctrl
stopcondition
start &reset
ΣYTj
i =1
sum the inputuntil reaching the stopcondition: = -
each periodΣ T T
ctrl(comb filter)
Y ,Y Y,..., ,...T1 T2 Tj
ΔT2( -1)j
sumationinput
TT TM TS
TS
TD
Tctrl
ΔTΣ ij
lastpulse
firstpulse
ctrl
terout
S M
Δ +TTij D
Tctrl j -1Tctrl j
TT1TT2
TTiTTi +1
T - width of pulse
when the oscillations
are started
S
T - width of pulse
when the oscillations
disappear
M
D
Δ period jitter or
instability of
shortening factor
-Tij
Y - number of
oscillations done
each -th ctrl periodj
Tj
T - period of a
single TERO
oscillation
T
Mathematical Model of TEROTERO Mathematical Model Definition
T - each oscillation
(average) pulse
shortening factor
N(0, )σ 2
noise model
ΔTij
=Y YTj-1 Tj
15 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Y ≈T
T T-S M
TD
mean value of
number of oscs.
in TERO mode
std. deviation of
number of oscs.
in TERO mode
where aσ is std. deviation of period jitter
σ ≈Y
σ
TDT
YT
Mathematical Model of TEROTERO Mathematical Model Practical Impact
16 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Y ≈T
T T-S M
TD
Y ≈R
Tnrst
2TT
mean value of
number of oscs.
in RO mode
where time when RO is oscillatingT isnrst
where aσ is std. deviation of period jitter
std. deviation of
number of oscs.
in RO mode
σ ≈Y
σ
TDT
YT
σ ≈Y
σ
2TTR
YR
Mathematical Model of TEROTERO Mathematical Model Practical Impact
mean value of
number of oscs.
in TERO mode
std. deviation of
number of oscs.
in TERO mode
16 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Y ≈T
T T-S M
TD
Y ≈R
Tnrst
2TT
where time when RO is oscillatingT isnrst
where aσ is std. deviation of period jitter
σ ≈Y
σ
TDT
YT
σ ≈Y
σ
2TTR
YR
~ ps ~ ns
Mathematical Model of TEROTERO Mathematical Model Practical Impact
mean value of
number of oscs.
in RO mode
std. deviation of
number of oscs.
in RO mode
mean value of
number of oscs.
in TERO mode
std. deviation of
number of oscs.
in TERO mode
16 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Y ≈T
T T-S M
TD
Y ≈R
Tnrst
2TT
where time when RO is oscillatingT isnrst
σYT
σYR
≈2TT
TD
2TT ( )T T-S M
TD Tnrst
≈ 100 500 !!!~
where aσ is std. deviation of period jitter
σ ≈Y
σ
TDT
YT
σ ≈Y
σ
2TTR
YR
~ ps ~ ns
≈
Mathematical Model of TEROTERO Mathematical Model Practical Impact
mean value of
number of oscs.
in RO mode
std. deviation of
number of oscs.
in RO mode
mean value of
number of oscs.
in TERO mode
std. deviation of
number of oscs.
in TERO mode
16 / 26
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Y ≈T
T T-S M
TD
Y ≈R
Tnrst
2TT
where time when RO is oscillatingT isnrst
σYT
σYR
≈2TT
TD
2TT ( )T T-S M
TD Tnrst
where aσ is std. deviation of period jitter
σ ≈Y
σ
TDT
YT
σ ≈Y
σ
2TTR
YR
~ ps ~ ns
140 160 1800
5000
occure
nce
TE
RO
320 325 3300
5
10x 10
4
TD
= 13ps
σ= 10ps
# oscs.
occure
nce
RO
20 22 240
5
10x 10
4
320 325 3300
5
10x 10
4
TD
= 100ps
σ= 10ps
# oscs.
15 30 450
5000
320 325 3300
5
10x 10
4
TD
= 100ps
σ= 150ps
# oscs.
≈
Matlab simulation of TERO and RO math. models
Mathematical Model of TEROTERO Mathematical Model Practical Impact
mean value of
number of oscs.
in RO mode
std. deviation of
number of oscs.
in RO mode
mean value of
number of oscs.
in TERO mode
std. deviation of
number of oscs.
in TERO mode
≈ 100 500 !!!~
16 / 26
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- New Entropy Element Design Goals
- Transition Effect Ring Oscillator (TERO)
- Mathematical Model of TERO
- Conclusions
- Experimental Results
17 / 26
Experimental ResultsSynthesis of the Evaluation Platform #1
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
TEROch. A
Asynch.counter
ctrl rst clr, ,
TEROch. B
Asynch.counter
1
1
Xilinx Spartan 3E FPGA
12
Contr
ol
sta
tem
achin
e
3
12
27USBchip
Com-puter
USB2.0
Evaluation Platform implemented in Xilinx Spartan 3E FPGA
18 / 26
Experimental ResultsSynthesis of the Evaluation Platform #1
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
TEROch. A
Asynch.counter
ctrl rst clr, ,
TEROch. B
Asynch.counter
1
1
Xilinx Spartan 3E FPGA
12
Contr
ol
sta
tem
achin
e
3
12
27USBchip
Com-puter
USB2.0
TERO ch. A TERO ch. B
CLB
Evaluation Platform implemented in Xilinx Spartan 3E FPGA
TERO Place & Route detail,
where each channel is implemented
in separated CLB
18 / 26
Experimental ResultsSynthesis of the Evaluation Platform #1
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
TEROch. A
Asynch.counter
ctrl rst clr, ,
TEROch. B
Asynch.counter
1
1
Xilinx Spartan 3E FPGA
12
Contr
ol
sta
tem
achin
e
3
12
27USBchip
Com-puter
USB2.0
TERO ch. A TERO ch. B
CLB
Evaluation Platform implemented in Xilinx Spartan 3E FPGA
TERO Place & Route detail,
where each channel is implemented
in separated CLB
The FPGA Fabric
A B
A
B
Two mutual TERO compositions:
and used in
practical experiments
Next Diagonal
18 / 26
Experimental ResultsResults of the Evaluation Platform #1 (1 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
0 50 100
220270330 TERO ch.A
0 50 100
115130145
TE
RO
#o
scs.
TERO ch.B
0 100315330345
ctrl periodRO
#o
scs.
RO both ch.
The of number of oscillations
for both and
comparison
modesTERO RO
TERO mode:
- higher variance
- uncorrelated
RO mode:
- lower variance
- correlated !!!
19 / 26
Experimental ResultsResults of the Evaluation Platform #1 (1 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
0 50 100
220270330 TERO ch.A
0 50 100
115130145
TE
RO
#o
scs.
TERO ch.B
0 100315330345
ctrl periodRO
#o
scs.
RO both ch.
0 50 100-4
04 LSB TERO ch.A
0 50 100-4
04
TE
RO
no
rm.
au
toco
rr.
LSB TERO ch.B
0 100-4
04
ctrl period shift
LSB(ch.A XOR ch.B)
0 50 100-800
0800 LSB RO ch.A
0 50 100-800
0800
RO
no
rm.
au
toco
rr.
LSB RO ch.B
0 100-800
0800
ctrl period shift
LSB(ch.A XOR ch.B)
The of normalized autocorrelation
of number of oscillations for both and
comparison
modes(LSB) TERO RO
Repetitive
pattern !!!
for RO mode
No repetitive
pattern
for TERO mode
19 / 26
0 50 100
220270330 TERO ch.A
0 50 100
115130145
TE
RO
#o
scs.
TERO ch.B
0 100315330345
ctrl periodRO
#o
scs.
RO both ch.
0 50 100-4
04 LSB TERO ch.A
0 50 100-4
04
TE
RO
no
rm.
au
toco
rr.
LSB TERO ch.B
0 100-4
04
ctrl period shift
LSB(ch.A XOR ch.B)
0 50 100-800
0800 LSB RO ch.A
0 50 100-800
0800
RO
no
rm.
au
toco
rr.
LSB RO ch.B
0 100-800
0800
ctrl period shift
LSB(ch.A XOR ch.B)
Experimental ResultsResults of the Evaluation Platform #1 (1 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
The of normalized autocorrelation
of number of oscillations (LSB) for both and
comparison
modesTERO RO
n d- -1
n d-2( )ΣX = s s n d2 + - / -i i d+( )
i=1
X - should approximately follow (0,1)
- should fall into 3 l: <-3,3>
N
σ interva
Normalized autocorrellation is expressed as:X
s
d d
n n
- random bit sequence
- number of shifts (1 < < 100)
- number of bits ( = 1Mbit)
Repetitive
pattern !!!
for RO mode
No repetitive
pattern
for TERO mode
19 / 26
Experimental ResultsResults of the Evaluation Platform #1 (1 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
0 50 100
220270330 TERO ch.A
0 50 100
115130145
TE
RO
#o
scs.
TERO ch.B
0 100315330345
ctrl periodRO
#o
scs.
RO both ch.
0 50 100-4
04 LSB TERO ch.A
0 50 100-4
04
TE
RO
no
rm.
au
toco
rr.
LSB TERO ch.B
0 100-4
04
ctrl period shift
LSB(ch.A XOR ch.B)
0 50 100-800
0800 LSB RO ch.A
0 50 100-800
0800
RO
no
rm.
au
toco
rr.
LSB RO ch.B
0 100-800
0800
ctrl period shift
LSB(ch.A XOR ch.B)
XOR combination of A and B
and channelsTERO RO
19 / 26
Experimental ResultsResults of the Evaluation Platform #1 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010 20 / 26
Experimental ResultsResults of the Evaluation Platform #1 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
mean value
improved by XOR
combination
20 / 26
mean value
worsened by XOR
combination !!!
Experimental ResultsResults of the Evaluation Platform #1 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
TEROs are uncorelated ROs are correlated !!!
The outputs of The outputs of
20 / 26
mean value
improved by XOR
combination
mean value
worsened by XOR
combination !!!
Experimental ResultsResults of the Evaluation Platform #1 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
NIST 800-22 and
FIPS 140-2 results
improved by
XOR combination
FIPS 140-2 tests
fail completely !!!
TEROs are uncorelated ROs are correlated !!!
The outputs of The outputs of
20 / 26
mean value
improved by XOR
combination
mean value
worsened by XOR
combination !!!
Experimental ResultsResults of the Evaluation Platform #1 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
FIPS 140-2 tests
fail completely !!!Random sequences
are independent
(with high probability)
TEROs are uncorelated ROs are correlated !!!
The outputs of The outputs of
20 / 26
mean value
improved by XOR
combination
mean value
worsened by XOR
combination !!!
NIST 800-22 and
FIPS 140-2 results
improved by
XOR combination
Experimental ResultsSynthesis of the Evaluation Platform #2
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
NAND1 INV1 INV11
NAND2 INV2 INV22
INV TFF
BUF ctrl
tffout
Isolated TERO loop
terout
Actel Fusion Impl.
TERO 1
TERO 2
TERO 16
ACNT 1
ACNT 2
ACNT 16
12
12
12
ctr
l
ControlFSM
USBChip
PCwork-
stationTarget FPGA
27
USB 2.0
TERO structure adapted for Actel Fusion FPGA
Evaluation Platform implemented in Actel Fusion FPGA
21 / 26
Experimental ResultsResults of the Evaluation Platform #2 (1 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
Histograms of number of TERO oscillations of all 16 TERO channels; Placement #1
Histograms of number of TERO oscillations of all 16 TERO channels; Placement #2
22 / 26
Experimental ResultsResults of the Evaluation Platform #2 (2 of 2)
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
V = 1210mVT = +20°C
CORE V = 1240mVT = +20°C
CORE V = 1 0mVT = +20°C
30COREV = 1 0mV
T = +20°C35CORE
V = 1 0mVT = +20°C
40CORE V = 1 0mVT = +20°C
45COREV = 1 0mV
T = +20°C50CORE V = 1 0mV
T = +20°C55CORE
V = 1 0mVT = +20°C
60CORE V = 1 0mVT = +20°C
65CORE V = 12 0mVT = 0°C
5-1
CORE V = 1 0mVT = 0°C
50-1
CORE
V = 1 0mVT = +2°C
50COREV = 1 0mV
T = + °C5035
CORE V = 1 0mVT = + 0°C
507
CORE V = 1 0mVT = + °C
50110
CORE
Histograms of number of TERO oscillations of a single TERO channel
under variously violated working conditions
23 / 26
Agenda
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- Introduction
- New Entropy Element Design Goals
- Transition Effect Ring Oscillator (TERO)
- Mathematical Model of TERO
- Experimental Results
- Conclusions
24 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Inner testability - counting of number of oscillations
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Basic mathematical model was introduced
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Stateless entropy concept
- Speed from 100kpbs to 250 kbps per single TRNG
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Conclusion
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
- New entropy element (TERO) introduced
- High sensitivity to random processes inside
FPGA logic cells, while rejecting global perturbation
- Inner testability - counting of number of oscillations
- Basic mathematical model was introduced
- Two XOR-combined TERO channels can pass
the NIST 800-22 statistical tests
- Speed from 100kpbs to 250 kbps per single TRNG
- Stateless entropy concept
- Performance of TEROs cluster appears to be
independent from the position in FPGA and from
implementation in another identical FPGA board,
and from working conditions
25 / 26
Acknowledgment
CHES 2010 - UC Santa Barbara, CA, USA, August 20, 2010
“We would like to thank
Actel University Program
for a donation of 10 Actel Fusion
FPGA evaluation boards,
which enabled us to
confirm the TERO principle using
number of identical FPGA boards.”
26 / 26
Thank You
for the Attention