
RNs – RNGs
Thomas Risse, IIA, HSB, Germany

Outline: Why? How? (DRNGs, TRNGs) Quality

Generating Random Numbers: a quick overview

Thomas Risse
Institute of Informatics & Automation, IIA
Faculty E & I, Hochschule Bremen, University of Applied Sciences
[email protected]

LSBU, February 21st 2014


Agenda

1 Why Generating Random Numbers?
2 How to Generate Random Numbers?
  Deterministic RNGs
  True Physical RNGs
3 Quality

'The generation of random numbers is too important to be left to chance.' – Robert R. Coveyou


Why Generating Random Numbers?

'Random number generation is the Achilles heel of cryptography.'¹ 'Good random numbers are fundamental to almost all secure computer systems!'²

Cryptography is the most important application area:
• session IDs are random numbers: if guessable, one can impersonate a person
• zero-knowledge authentication
• SSL, HTTPS, one-time pads, . . .

Simulation etc.: randomized algorithms (Las Vegas or Monte Carlo methods), testing.

No wonder, e.g., every compiler library provides random number generators. Note, though, that the general-purpose generators in such libraries (C's rand(), a Mersenne Twister, ...) are built for statistical quality, not for unpredictability; session IDs, keys and nonces must come from a cryptographically secure generator, e.g. the operating system's /dev/urandom or getrandom().

¹ http://electronicdesign.com/learning-resources/understanding-intels-ivy-bridge-random-number-generator
² http://blog.cloudflare.com/why-randomness-matters


How to Generate Random Numbers?

Random number generators, RNGs, fall into two classes:

(Pseudo-)RNGs, Deterministic RNGs: generating chance by algorithms, typically
  set seed, specify some internal state;
  from both: generate the first random number;
  iterate: from the actual internal state and from the last random number generate the next random number.

True RNGs, Physical RNGs: harvesting chance from physical phenomena like thermal or atmospheric noise, radioactive decay, jitter etc., possibly followed by post-processing to adjust symbol frequencies.

From a 0-1 random number generator one can construct any other generator of uniformly distributed random numbers! (Taking $k$ bits gives a uniform integer in $[0, 2^k)$; for a range $n$ that is not a power of two, out-of-range draws have to be rejected and redrawn. Reducing a random word modulo $n$ instead is the classic mistake: it favours the small residues.)
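The construction claimed above, as an added example that is not part of the slides: uniform integers in $[0, n)$ built from a 0/1 source by rejection sampling, next to the biased "word mod n" shortcut. The bit source (`secrets.randbits(1)`), the word width and the ranges used in the demonstration are my own choices; the two `*_distribution` helpers enumerate every possible input word, so the counts they return are exact rather than sampled.

```python
# Added example (not from the slides): turning a 0/1 source into uniform
# integers in [0, n). Shows why "word mod n" is biased and how rejection
# sampling avoids the bias. Bit source and ranges below are my own choices.
import secrets
from collections import Counter


def bits_to_int(getbit, k):
    """Assemble a k-bit integer from k calls of a 0/1 source."""
    value = 0
    for _ in range(k):
        value = (value << 1) | (getbit() & 1)
    return value


def uniform_below(n, getbit=lambda: secrets.randbits(1)):
    """Uniform integer in [0, n) by rejection sampling.

    Draw k = ceil(log2 n) bits; accept if the value is < n, otherwise redraw.
    Every accepted value is hit by exactly one bit pattern, so the result is
    exactly uniform; the expected number of draws is 2**k / n < 2.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    k = (n - 1).bit_length() or 1
    while True:
        x = bits_to_int(getbit, k)
        if x < n:
            return x


def modulo_below(n, word):
    """The tempting but biased construction: reduce a random word modulo n."""
    return word % n


def modulo_distribution(n, word_bits):
    """How often each residue appears when every word_bits-bit word is equally
    likely and reduced modulo n (exhaustive enumeration, hence exact)."""
    return Counter(modulo_below(n, w) for w in range(1 << word_bits))


def rejection_distribution(n):
    """Same exhaustive view for rejection sampling: over all k-bit patterns
    each accepted value occurs exactly once, rejected patterns are redrawn."""
    k = (n - 1).bit_length() or 1
    return Counter(x for x in range(1 << k) if x < n)


if __name__ == "__main__":
    # 8-bit word mod 6: 256 = 42*6 + 4, so residues 0..3 get 43 words, 4 and 5 only 42.
    print("mod 6 over 8-bit words:", sorted(modulo_distribution(6, 8).items()))
    print("rejection for n = 6:    ", sorted(rejection_distribution(6).items()))
    print("a few dice rolls:", [uniform_below(6) + 1 for _ in range(10)])
```

The modulo bias is small for 32-bit words and tiny ranges, but it is systematic and it grows with $n$; for a 6-sided die drawn from bytes it is already visible in the exhaustive counts. Rejection sampling costs at most one extra draw on average and has no bias at all.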


Deterministic RNGs
Typical is some initialisation (seed) and computation of the next random number based on the last random number(s).

• John von Neumann's middle-square method from 1946: take any number (seed), square it, take the middle digits of the resulting number as the 'random number', then use that number as the seed for the next iteration. (The state space is tiny, so the sequence soon falls into a short cycle or collapses to zero.)

• Linear congruential generators [5]: choose a seed $x_0$ and compute $x_{k+1} = a x_k + c \bmod m$ for $k = 0, 1, \dots$ and suitable parameters $a$, $c$ and $m$; http://en.wikipedia.org/wiki/Linear_congruential_generator

• Linear Feedback Shift Registers, LFSRs: choose some initial state and run hardware, for example with feedback polynomial $p(x) = x^{16} + x^{14} + x^{13} + x^{11} + 1$ over $\mathrm{GF}(2)$: the next bit is the XOR of the tapped register bits, which is shifted in while the bit shifted out is the output. (This polynomial is primitive, so every non-zero 16-bit state runs through the maximal period $2^{16} - 1$.)
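The three generators above in working code, as an added example that is not part of the slides, together with the two checks a security engineer would make on them: that the LFSR with the slide's polynomial really has period $2^{16} - 1$, that three consecutive LCG outputs are enough to recover $a$ and $c$ and predict everything that follows, and that middle-square runs into a cycle. The LCG constants ($a = 1664525$, $c = 1013904223$, $m = 2^{32}$, the Numerical Recipes choice), the seeds and the 4-digit middle-square variant are my own choices.

```python
# Added example (not from the slides): the textbook generators and why none
# of them is fit for security use. Parameters and seeds are my own choices.
from math import gcd


def lfsr16_step(state):
    """One step of the 16-bit Fibonacci LFSR with feedback polynomial
    x^16 + x^14 + x^13 + x^11 + 1 over GF(2) (taps at bits 16, 14, 13, 11).
    Returns (new_state, output_bit)."""
    out = state & 1
    bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (bit << 15)) & 0xFFFF, out


def lfsr16_period(seed=0xACE1):
    """Steps until the register returns to its initial state. A primitive
    polynomial gives the maximum 2**16 - 1 for every non-zero seed."""
    state, period = seed, 0
    while True:
        state, _ = lfsr16_step(state)
        period += 1
        if state == seed:
            return period


def lcg(seed, a=1664525, c=1013904223, m=2**32):
    """Linear congruential generator x_{k+1} = a*x_k + c mod m [5]."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def recover_lcg(x0, x1, x2, m):
    """Given three consecutive outputs and the modulus, recover (a, c):
    x2 - x1 = a*(x1 - x0) (mod m)  =>  a = (x2 - x1) * (x1 - x0)^-1 mod m,
    then c = x1 - a*x0 mod m. Works whenever x1 - x0 is invertible mod m."""
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        raise ValueError("x1 - x0 not invertible mod m; use another triple")
    a = ((x2 - x1) * pow(d, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c


def lcg_demo(seed=12345, m=2**32):
    """Observe three outputs, recover (a, c), predict the fourth.
    Returns ((a, c), prediction_matches)."""
    g = lcg(seed, m=m)
    xs = [next(g) for _ in range(4)]
    a, c = recover_lcg(xs[0], xs[1], xs[2], m)
    return (a, c), (a * xs[2] + c) % m == xs[3]


def middle_square(seed, digits=4):
    """Von Neumann's middle-square: square, zero-pad to 2*digits, keep the middle."""
    x = seed
    while True:
        s = str(x * x).zfill(2 * digits)
        x = int(s[digits // 2: digits // 2 + digits])
        yield x


def middle_square_cycle(seed, digits=4):
    """Return (steps before the first repeated value, cycle length). With only
    10**digits possible values a repeat is guaranteed within 10**digits + 1 steps."""
    seen, gen = {}, middle_square(seed, digits)
    for step in range(10 ** digits + 1):
        x = next(gen)
        if x in seen:
            return seen[x], step - seen[x]
        seen[x] = step
    raise AssertionError("unreachable: pigeonhole guarantees a repeat")


if __name__ == "__main__":
    print("LFSR period:", lfsr16_period())          # 65535 = 2**16 - 1
    print("LCG (a, c) recovered, 4th output predicted:", lcg_demo())
    print("middle-square from 1234 (preamble, cycle):", middle_square_cycle(1234))
```

The LCG attack generalises: if $m$ is unknown as well, a few more outputs and a gcd over differences recover it, and LFSR outputs yield the feedback polynomial via Berlekamp-Massey. Statistical quality and predictability are separate properties; these generators may have the first but never the second.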


Deterministic RNGs (cont.)

• Mersenne³ twister algorithm [7]: the state consists of $N = 624$ words $Y_1, \dots, Y_N$ (filled from a seed). Compute $Y_i$ for $i > N$ by
  $h := Y_{i-N} - (Y_{i-N} \bmod 2^{31}) + (Y_{i-N+1} \bmod 2^{31})$,
  $Y_i := Y_{i-227} \oplus \lfloor h/2 \rfloor \oplus ((h \bmod 2) \cdot \mathtt{9908b0df}_{16})$.
  Post-processing ('tempering') then improves the equidistribution of the output:
  $x := Y_i \oplus \lfloor Y_i / 2^{11} \rfloor$; $y := x \oplus ((x \cdot 2^{7}) \wedge \mathtt{9d2c5680}_{16})$;
  $z := y \oplus ((y \cdot 2^{15}) \wedge \mathtt{efc60000}_{16})$; $Z_i := z \oplus \lfloor z / 2^{18} \rfloor$.
  Period is $2^{19937} - 1 \approx 4.3 \cdot 10^{6001}$. Improvements see [8].
  The tempering is a bijection and the recurrence is linear over $\mathrm{GF}(2)$, so 624 consecutive outputs reveal the whole state and every later output: excellent for simulation, unusable as a source of keys or session IDs.

• Blum-Blum-Shub generator [2]: choose $n = pq$ for suitable primes $p$ and $q$ (both $\equiv 3 \pmod 4$), a seed $s$ with $\gcd(s, n) = 1$, compute $s_0 = s^2 \bmod n$ and for $i = 0, 1, \dots$ $s_{i+1} = s_i^2 \bmod n$. If desired, get random bits by $b_i = s_i \bmod 2$ or similar. Choose $n > 10^{200}$, $2 < p/q < 1000$ etc. (Its unpredictability rests on the hardness of factoring $n$; one modular squaring per bit also makes it far slower than the generators above.)

³ M. Mersenne (1588-1648), www-history.mcs.st-andrews.ac.uk/Biographies/Mersenne.html, was the first to examine integers of the form $2^n - 1$. Some are prime! See GIMPS.
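The Mersenne Twister predictability just mentioned, carried out as an added example that is not part of the slides: `temper` is the slide's $x, y, z, Z_i$ post-processing, `untemper` inverts it step by step, and `clone_mt19937` feeds 624 recovered state words into a fresh `random.Random` (CPython's `random` module is MT19937 and `getrandbits(32)` returns one tempered word). The example relies on one observed CPython behaviour, namely that a freshly seeded `random.Random` starts exactly at a state-block boundary so that the first 624 words form one block; the seed values are my own choices.

```python
# Added example (not from the slides): why a Mersenne Twister is not a
# cryptographic generator. The tempering Z_i = f(Y_i) is invertible, so 624
# observed outputs give back the state words Y_i and all later outputs follow.
# Uses CPython's random module, whose core is MT19937; seeds are my choices.
import random

MASK32 = 0xFFFFFFFF


def temper(y):
    """MT19937 output tempering exactly as on the slide (x, y, z, Z_i)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y, shift):
    # Inverts x -> x ^ (x >> shift): the top `shift` bits of x are already
    # correct in y, each iteration fixes the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_xor(y, shift, mask):
    # Inverts x -> x ^ ((x << shift) & mask): bottom bits right, fix upwards.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(z):
    """Invert temper(): recover the state word Y_i from the output Z_i."""
    y = _undo_right_xor(z, 18)
    y = _undo_left_xor(y, 15, 0xEFC60000)
    y = _undo_left_xor(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt19937(outputs):
    """Build a random.Random whose future agrees with the observed generator.

    `outputs` must be 624 consecutive 32-bit words forming one full state
    block (a freshly seeded random.Random starts at a block boundary).
    """
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    # index 624 = "this block is fully consumed, twist before the next output"
    state = tuple(untemper(z) for z in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo(seed=2014, lookahead=10):
    """Observe 624 words from a victim generator, clone it and compare the next
    `lookahead` words of victim and clone. Returns True on a perfect match."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt19937(observed)
    return ([clone.getrandbits(32) for _ in range(lookahead)]
            == [victim.getrandbits(32) for _ in range(lookahead)])


if __name__ == "__main__":
    print("untemper(temper(x)) == x:",
          all(untemper(temper(x)) == x for x in (0, 1, 0xDEADBEEF, MASK32)))
    print("clone predicts the victim:", demo())
```

Outputs that expose only part of a word (`random.random()` uses 27 + 26 bits of two words) need a little more bookkeeping but fall the same way; the lesson for the "Why?" slide is that a session ID drawn from a Mersenne Twister is guessable after a few hundred observed IDs.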


Examples of True Physical RNGs

Utilizing diode noise [4] . . . (excerpt from 'A proposal for: Functionality classes for random number generators', AIS 20 / AIS 31, 18 September 2011, page 117):

Figure 9: Basic design of RNG with noisy diodes

443 The circuit for AC coupling, the negative feedback to the operational amplifier, the stabilization of the power supply and the temperature compensating effects are not shown in this figure. A drift of the noisy voltages or the operational amplifier output results in impulses that are too long or too small, causing a biased digitised noise signal. Therefore, the digitised random signal shall be passed to a Neumann/Peres unbiasing control. Clearly, long-term aging effects may be neglected here.

Variant of RNG Design with noise diodes

444 The advanced variant of the basic design outputs the number of Schmitt trigger impulses (caused by 0-1-crossings) modulo 2 as the digitised noise signal.

445 Figure 10 illustrates the advanced design.

Figure 10: Variant of the basic design of RNG with noisy diodes (block labels in the figure: Vcc, amplifier inputs +/−, clock, digitised noise signal, tot test, online test)


Examples of True Physical RNGs

Harvesting jitter of ring oscillators (chains of inverters) [13] . . . (excerpt from [13], section 3 'TRNG Ring Design and Interaction'):

Figure 14: Two rings XOR'ed

Similar to the two rings, several rings with different ring lengths, namely 7-11, 11-13, 13-17 etc., can be used as the noise source of the TRNG.

3.3.3 Design with Multiple Rings

A multiple ring-based design was developed with several ring oscillators with different ring lengths. The rings were designed with the lengths of 7, 11, 13, 17, 19 inverters each. Each ring was replicated 40 times, amounting to a total of 200 rings. The 200 rings are XORed together to generate the output signal. The rings are asynchronous to each other, and thus they are not clocked in this part of the design. Figure 15 shows the multiple ring design. Symbol 'I' represents the length of the ring according to the number of inverters and 'k' represents the number of rings in total. The period usually depends on the number of inverters used and the delay of each inverter. The jitter generated by each oscillator accounts for the randomness of the signal. The output from the XOR would be an analog signal. It should be sampled, clocked to convert it to a digital signal. The output signal consists of the periodic transitions of all the included 200 rings. The XOR output will oscillate in the range of 150 to 200 MHz. The design was coded in VHDL and implemented on the Spartan 3-E FPGA evaluation board. The output was driven through the I/O pins on the evaluation board and measured on a Tektronix oscilloscope.

(Figure: Output Sequence)

Exploiting bistable semiconductor ring lasers [12] . . . (excerpt from [12]):

Fig. 2. A schematic of a SRL device with spontaneous emission noise sources B1 and B2 (ring laser with CW and CCW outputs).

. . . between the bidirectional and bistable regimes: First, the injection current to the SRL is adjusted so that the SRL operates in the bidirectional regime. In this case, the state of the system always relaxes to the stable point B in the phase space of the bidirectional regime (see Fig. 1 (a)). It is important to note that the stable point B corresponds to a point on the stable manifold of the saddle point S in the bistable regime. This means that when the injection current is suddenly increased so that the SRL operates in the bistable regime, the state lies on the stable manifold of the saddle point S in the bistable regime, as indicated by the open circle in Fig. 1 (b). However, since the spontaneous emission noises are always coupled to the counter-propagating modes, the fluctuation of the state of the system due to the noises is amplified by the unstable manifold of the saddle point S. Consequently, the state of the system relaxes to either of $U_{CW}$ or $U_{CCW}$. The resetting of the final lasing state can be achieved by again decreasing the injection to the bidirectional regime and relaxing to stable point B. Accordingly, the stochastic mode selection is repeated by the modulation of the injection current between the bidirectional and bistable regimes, so that a random optical pulse train can be emitted in the CW and CCW directions.

2.3. Control of spontaneous emission noises

However, in the actual SRL devices, the spontaneous emission will not be isotropic due to material non-uniformities, and they will not be equally coupled to the CW and CCW modes. Thus, actual SRL devices have a preferred direction, and the dominant output direction is reproducible [5]. For achieving the random operation with the equal probability of the appearance of the CW or CCW lasing state, the amounts of the spontaneous emission noises coupled to the CW and CCW modes should be controlled so that the asymmetry of the coupling is reduced. We show that this is achieved by using two spontaneous emission noise sources. Figure 2 shows a schematic of a SRL device with two spontaneous emission noise sources B1 and B2. The noises emitted from B1 and B2 are injected into a ring laser part in the CCW and CW direction via a weakly coupled waveguide used as a directional coupler. For example, when B1 is active, the amount of the spontaneous emission coupled to the CCW mode can be enhanced. A similar method for the control of the amounts of the spontaneous emission has been used for achieving the switching operation from CW (CCW) mode to CCW (CW) mode [1].

3. SRL device: design and fabrication

In order to implement the random optical pulse generation scheme mentioned in the previous section, a SRL device was designed and fabricated in an InP/InGaAsP material system with an active-passive integration. Figures 3 (a) and (b) show the schematic and picture of the fabricated

(Optics Express, Vol. 19, No. 8, 11 April 2011, p. 7444; #140122, received 23 Dec 2010, revised 28 Feb 2011, accepted 9 Mar 2011, published 4 Apr 2011, (C) 2011 OSA)

Using atmospheric noise etc


Examples of True Physical RNGs

INTEL uses a metastable latch whose output eventually settles to 0 or 1, depending on thermal noise [3], [11]. In the Ivy Bridge DRNG analysed in [3] the raw latch bits do not leave the chip directly: they are health-tested and conditioned, and the conditioned output seeds a deterministic generator that produces the values delivered to software, so the design combines both classes from the 'How?' slide.


To conclude: Quality
One would like to be able to guarantee

• unpredictability (Markov chain with unbounded memory)
• uniform distribution, e.g. by histogramming or χ² test
• independence of the random variables $(R_i)_{i \in \mathbb{N}}$, i.e. independence of any subset against any other disjoint subset, e.g. by χ² test
• test suites, e.g. Diehard test [6], NIST test suite [10] of NIST, USA, AIS20/31 test suite [4] of BSI, Germany

Necessarily, there is a good deal of degrees of freedom in specifying test suites [9]:

• which tests to include? which to exclude?
• which parameter settings to use?
• which error probabilities to assign?

A test suite that guarantees all of the above almost surely cannot exist, unfortunately! Statistical tests can only reject a stream that is visibly non-random; passing them says nothing about unpredictability. A Mersenne Twister passes such batteries and is still predictable from 624 outputs, so for cryptographic use the test results must be complemented by an argument about the source: a physical entropy estimate for a TRNG, a security proof or at least a conservative design for a DRNG.
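Two of the checks named above written from scratch, as an added example that is not part of the slides: a χ² test of the 256 byte frequencies against the uniform distribution and the NIST SP 800-22 frequency (monobit) test, run over three constructed streams (a seeded Mersenne Twister, a plain counter, and a stuck-at-zero source). The streams are constructed here and are not data from the slides; the 1 % critical value 310.457 for 255 degrees of freedom is the standard table value.

```python
# Added example (not from the slides): a chi-square uniformity test on byte
# frequencies and the NIST SP 800-22 frequency (monobit) test, applied to
# constructed sample streams. None of the data below is from the slides.
import math
import random


def chi_square_bytes(data):
    """Chi-square statistic of the 256 byte frequencies against uniform.
    With 255 degrees of freedom, values above ~310.5 are rejected at the 1% level."""
    n = len(data)
    expected = n / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


CHI2_255_CRIT_1PCT = 310.457   # chi-square, 255 degrees of freedom, alpha = 0.01


def monobit_p_value(bits):
    """NIST SP 800-22 frequency test: S_n = #ones - #zeros,
    p = erfc(|S_n| / sqrt(2n)); the stream fails if p < 0.01."""
    n = len(bits)
    s_n = 2 * sum(bits) - n
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(8)]


def verdict(data):
    """Return (chi-square statistic, monobit p-value, passes_both)."""
    chi2 = chi_square_bytes(data)
    p = monobit_p_value(bytes_to_bits(data))
    return chi2, p, chi2 <= CHI2_255_CRIT_1PCT and p >= 0.01


# Constructed sample streams (not measurements):
_rng = random.Random(2014)
MT_BYTES = bytes(_rng.getrandbits(8) for _ in range(100_000))   # Mersenne Twister
COUNTER_BYTES = bytes(range(256)) * 400    # perfectly "uniform", totally predictable
STUCK_BYTES = bytes(25_600)                # a stuck-at-zero noise source

if __name__ == "__main__":
    for name, data in (("Mersenne Twister", MT_BYTES),
                       ("counter", COUNTER_BYTES),
                       ("stuck at zero", STUCK_BYTES)):
        chi2, p, ok = verdict(data)
        print(f"{name:17s} chi2={chi2:12.1f}  monobit p={p:.3f}  pass={ok}")
```

The counter stream scores a perfect χ² of 0 and a monobit p-value of 1, better than the Mersenne Twister, while being the most predictable stream imaginable; the stuck source fails both tests at once. That is the slide's point in numbers: the tests measure distribution and can catch a broken source, but no battery of them can certify unpredictability.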


References

[1] BSI: Anwendungshinweise und Interpretationen (zum Schema), AIS (Application Notes and Interpretations of the Scheme); https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/AnwendungshinweiseundInterpretationen/AIS/aiscc_node.html
[2] Lenore Blum, Manuel Blum, Michael Shub: A Simple Unpredictable Pseudo-Random Number Generator; SIAM Journal on Computing, Vol. 15, No. 2, 364-383, May 1986
[3] M. Hamburg, P. Kocher, M. Marson: Analysis of Intel's Ivy Bridge Digital Random Number Generator; http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
[4] Wolfgang Killmann, Werner Schindler: Functionality Classes and Evaluation Methodology for Random Number Generators; see [1], 2011, AIS31_Functionality_classes_for_random_number_generators.pdf
[5] Derrick H. Lehmer: Mathematical methods in large-scale computing units; Ann. Computing Lab., Harvard Univ. 26 (1951), 141-146


References (cont.)

[6] George Marsaglia: The Random Number CDROM including the Diehard Battery of Tests of Randomness; http://www.stat.fsu.edu/pub/diehard/
[7] M. Matsumoto, T. Nishimura: Mersenne Twister: A 623-dimensionally equidistributed uniform pseudorandom number generator; ACM Trans. on Modeling and Computer Simulation, Vol. 8, No. 1, January 1998, 3-30; http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/ARTICLES/mt.pdf
[8] François Panneton, Pierre L'Ecuyer, Makoto Matsumoto: Improved Long-Period Generators Based on Linear Recurrences Modulo 2; ACM Transactions on Mathematical Software, Vol. 32, No. 1, 2006, 1-16; http://ir.lib.hiroshima-u.ac.jp/metadb/up/81936204/ACMTraMath_32_1.pdf
[9] Thomas Risse: Quality of PRNGs in MATLAB and SAGE; 31st Int. Conf. Science in Practice, Hochschule Bremen, October 27th-29th, 2013; www.weblearn.hs-bremen.de/risse/papers/SiP31


References (cont.)

[10] Andrew Rukhin et al.: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; National Institute of Standards and Technology, NIST, April 2010; http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf
[11] Boris Škoric: True random number generation; TU Eindhoven 2003; http://security1.win.tue.nl/~bskoric/physsec/files/slides_03_TrueRandom.pdf
[12] Satoshi Sunada, Takahisa Harayama, Kenichi Arai, Kazuyuki Yoshimura, Ken Tsuzuki, Atsushi Uchida, Peter Davis: Random optical pulse generation with bistable semiconductor ring lasers; http://www.opticsinfobase.org/oe/viewmedia.cfm?uri=oe-19-8-7439&seq=0
[13] Prassanna Shanmuga Sundaram: Development of a FPGA-based True Random Number Generator for Space Applications; Linköping Institute of Technology; http://liu.diva-portal.org/smash/get/diva2:305133/FULLTEXT01.pdf