ESTRNG A Highthroughput Lowarea True Random Number Generator
ES-TRNG A High-throughput, Low-area True Random Number Generator based on Edge Sampling Bohan Yang, Vladimir Rožić, Miloš Grujić Nele Mentens and Ingrid Verbauwhede COSIC, KU Leuven
Generic TRNG Architecture • Timing jitter based TRNG Digital Noise Source ES-TRNG Entropy Source Digitization Total Failure Tests 18 -Jun-21 • Compact implementation Internal Raw • Reasonable throughput Numbers Post Applications • Security analysis using a stochastic model Processing Online Tests COSIC, KU Leuven 1
Stochastic model oriented security analysis Initialization Vectors For Cryptographic Applications: The SECURITY of a TRNG depends on its unpredictability. ? which NIST 800 -22 DIEHARD FIPS 140 -1 18 -Jun-21 cannot be measured by statistical tests can be estimated by stochastic model COSIC, KU Leuven AIS-31 NIST 800 -90 B ? ? 2
Timing jitter based TRNG Noise Free Noise A random bit is generated only when measuring the position of a edge. D 0 Q 1 clk Elementary TRNG Timing Jitter accumulation is slow Low throughput Solution: increasing the sampling resolution! 18 -Jun-21 COSIC, KU Leuven 3
How to increase the sampling resolution Sampling at a higher frequency ? D D Q Q clk Highest sampling frequency is limited by technology, platform, system, power, energy…. 18 -Jun-21 COSIC, KU Leuven 4
How to increase the sampling resolution DC-TRNG Resolution: ~ 17 ps (@~60 GHz) 1000 0111 1100 Using high resolution TDC (Time-to-Digital Converter) LUT Period: ~ 2. 2 ns 20 V. Rozic, B. Yang, W. Dehaene, and I. Verbauwhede, "Highly Efficient Entropy Extraction for True Random Number Generators on FPGAs, " In DAC 2015 18 -Jun-21 COSIC, KU Leuven 5
How to increase the sampling resolution DC-TRNG ES-TRNG Resolution: ~ 17 ps (@~60 GHz) 1000 0111 1100 Using high resolution TDC (Time-to-Digital Converter) LUT Period: ~ 2. 2 ns 20 V. Rozic, B. Yang, W. Dehaene, and I. Verbauwhede, "Highly Efficient Entropy Extraction for True Random Number Generators on FPGAs, " In DAC 2015 18 -Jun-21 COSIC, KU Leuven 6
A closer look at ES-TRNG architecture 18 -Jun-21 COSIC, KU Leuven 7
Technique 1: variable-precision phase encoding 0 18 -Jun-21 0 1 0 1 2 COSIC, KU Leuven Stages [2: 0] Valid Raw bit 110, 001 1 1 100, 011 1 0 111, 000 0 N 101, 010 0 n/a 8
Technique 1: variable-precision phase encoding Elementary TRNG 1 18 -Jun-21 COSIC, KU Leuven 0 9
Technique 2: repetitive sampling Dependency between each samples 18 -Jun-21 COSIC, KU Leuven 10
ES-TRNG: platform parameters RO 1 RO 2 2. 172 ns 2. 740 ns 35. 93 ps 40. 90 ps 22. 25 ps 24. 12 ps D 0. 43 2. 9 fs 18 -Jun-21 COSIC, KU Leuven 11
ES-TRNG: design parameters Entropy claim! 18 -Jun-21 COSIC, KU Leuven 12
! ct pa m Co Implementation of ES-TRNG on Xilinx FPGA 5 DFFs 1 CARRY 4 6 LUTs + 4 LUTs 18 -Jun-21 COSIC, KU Leuven 13
Conclusion ES-TRNG Compact Hardware: 10 LUTs + 5 FFs @ Xilinx Spartan-6 or 10 LUTs + 6 FFs @ Intel Cyclone-V Relative High Throughput: 1. 15 Mbps @ Xilinx Spartan-6 or 1. 07 Mbps @ Intel Cyclone-V Security analysis supported by stochastic model DC-TRNG & ES-TRNG resources (in progress): https: //github. com/ybhphoenix/DC-ES-TRNG 18 -Jun-21 COSIC, KU Leuven 14
Q&A 18 -Jun-21 COSIC, KU Leuven 15
How many samples you need to capture an edge? 18 -Jun-21 Your Name / Affiliation 16
What is the Noise in Ring Oscillators? Noise Free Positions of transitions Constant Noise Free Gaussian Noise Variable Random Constant Noise Free Gaussian Noise 18 -Jun-21 Other Noise Deterministic Bohan Yang/ ESAT-COSIC, KU Leuven Variable Random Variable Deterministic 17
Why a better resolution leads to a better throughput? 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven 18
What are platform parameters and design parameters? • FIPS • NIST • DIEHARD Obsoleted way: Random Number Generator 10110001010… Statistical Tests Overestimating your entropy results in a compromised security Use lower bound ! New method: Experiments Platform parameters Design parameters Stochastic Model Entropy claim (AIS 31) DGA NIST 800 -90 B? Assumptions 11/15/2017 PASS/FAIL Bohan / ESAT-COSIC and imec, KU Leuven Experiments 19
How to measure the step of delay chain? By nicoguaro - Own work, CC BY 3. 0, ttps: //commons. wikimedia. org/w/i ndex. php? curid=14609430 Ring Oscillator REG Sys CLK 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven 20
How to measure the step of delay chain? By nicoguaro - Own work, CC BY 3. 0, ttps: //commons. wikimedia. org/w/i ndex. php? curid=14609430 Longer delay PUF? Higher counts The Monte-Carlo PUF @ FPL 17 The International Conference on Field-Programmable Logic and Applications (FPL) 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven 21
How does jitter accumulate overtime? k k 2 11/15/2017 Less required jitter, less accumulation time Bohan / ESAT-COSIC and imec, KU Leuven 22
Is there any other ways to improve throughput of Ring. OSC based TRNG? CLK RANDOM D Delay=d 0+Δd Q Timing Jitter More Oscillators More Transitions Efficient Entropy Extraction
What is the stochastic model when ring. OSC is noise free after t A? 18 -Jun-21 Your Name / Affiliation 24
What is the stochastic model when ring. OSC is not noise free after t A? 18 -Jun-21 Your Name / Affiliation 25
Did you verification your model? How can you be sure your model is correct? …. ? 18 -Jun-21 Your Name / Affiliation 26
Where is the comparison with other TRNGs? BUT…. . Model? Estimated jitter strength? Ho wt oc om par e 18 -Jun-21 Your Name / Affiliation TRN Gf air ly? 27
HOW is DC-TRNG working? 60 carry stages 15 slices Osc Clk. A 18 -Jun-21 Bohan Yang/ ESAT-COSIC, KU Leuven 28
Is there any other applications of random numbers? Games Lottery Prediction? Cryptography Session Keys Scientific Computation Stochastic Simulations Numerical Analysis 11/15/2017 Signature Parameters Challenges Masking Bohan / ESAT-COSIC and imec, KU Leuven 29
Why TRNG? Why not PRNG? Or LFSR? Pseudo-Random Number Generator True Random Number Generator My questions as well… I will forward your questions to other speakers at CHES during their presentation, why do they need TRN for Post-quantum PK, masking, block ciphers? Isn’t PRNG or LFSR good enough? 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven 30
Why should I care about online tests? Ageing Temperature Active Attacks Pseudo-Random Number Generator True Random Number Generator • TRNG -> the root of a cryptographic system • TRNG -> the target of attackers • Solution: On-line testing 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven 31
Timing jitter based TRNG: MURO Multiple Ring Oscillator TRNG RO 1 RO 2 RO n clk If ROs are independent, when n is sufficiently large, at least one edge is close to the rising edge of clk. Large n Low accumulated jitter required B. Sunar, W. J. Martin, D. R. Stinson: A Provably Secure True Random Number Generator with Built-in Tolerance to Active Attacks, IEEE TC 2007 K. Wold, C. H. Tan: Analysis and Enhancement of Random Number Generator in FPGA Based on Oscillator Rings, IJRC 2009 18 -Jun-21 COSIC, KU Leuven 32
Timing jitter based TRNG: Coherent Sampling Clk 1 Clk 2 Clk 1 & Clk 2 can be generated by PLLs or Free-running Ring. OSCs. P. Kohlbrenner, K. Gaj: An embedded true random number generator fpgas. FPGA 2004 V. Fischer, M. Drutarovský: True random number generator embedded in reconfigurable hardware. CHES 2002 18 -Jun-21 COSIC, KU Leuven 33
- Slides: 34