int getRandomNumber()
{
    return 4; // chosen by fair dice roll.
              // guaranteed to be random.
}
xkcd.com

TINY PRNG for TINY CHIPS
Keccak-F[200] in 528 bytes
Berlin, Germany 2013-11-02
Anthony Van Herrewege, Ingrid Verbauwhede <first.last@esat.kuleuven.be>
COSIC/ESAT – KU Leuven and iMinds, Leuven, Belgium
Overview 2 The problem PRNG design Implementation Comparison Conclusion
The problem 3 Generating random numbers is non-trivial Especially on embedded microcontrollers
The problem 4 “Brilliant” solutions by manufacturers
int primeLookupTable[9]; // Global lookup table
int randRSAKey() {
    int primeA = primeLookupTable[someBadRand()];
    int primeB = primeLookupTable[someBadRand()];
    return primeA * primeB;
}
Heninger et al. – Mining your Ps and Qs
The problem 5 Traditional solutions: extra hardware, slow
PRNG design 6 Holcomb et al. ['09]: SRAM as true random number Use standalone, COTS device
PRNG design 7 Check SRAM entropy! What you want What you might find
PRNG design 8 Entropy extraction + PRNG combined: Keccak Ideal version: Keccak-F[200] → 64 + 136 bit
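The 64 + 136 bit split above, as an added example (portable C, not the authors' 528-byte assembly): a Keccak-f[200] sponge with an 8-byte rate that absorbs a power-up SRAM image and squeezes 64 bits per permutation. The function names, the pad10*1 padding and the seeding schedule are assumptions; the slides do not specify them.

```c
/* Added example, not the authors' code: names, padding and seeding are assumptions. */
#include <stdint.h>
#include <string.h>
#define RATE 8     /* r = 64 bits exposed per block; c = 136 bits stay hidden */
#define ROUNDS 18  /* 12 + 2*l for lane width 2^l = 8 bits */
#define ROTL8(v, n) ((uint8_t)(((v) << ((n) & 7)) | ((v) >> ((8 - (n)) & 7))))
static const uint8_t RC[ROUNDS] = { 0x01, 0x82, 0x8a, 0x00, 0x8b, 0x01, 0x81, 0x09, 0x8a,
    0x88, 0x09, 0x0a, 0x8b, 0x8b, 0x89, 0x03, 0x02, 0x80 };  /* round constants, low byte */
static const uint8_t PI[24] = { 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
    15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 };  /* lane written at each rho/pi step */
void keccak_f200(uint8_t st[25]) {
    uint8_t bc[5], t, next;
    for (unsigned r = 0; r < ROUNDS; r++) {
        for (unsigned x = 0; x < 5; x++)  /* theta: column parities */
            bc[x] = st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20];
        for (unsigned x = 0; x < 5; x++) {
            t = bc[(x + 4) % 5] ^ ROTL8(bc[(x + 1) % 5], 1u);
            for (unsigned y = 0; y < 25; y += 5) st[y + x] ^= t;
        }
        t = st[1];                        /* rho + pi: rotate by triangular numbers */
        for (unsigned i = 0; i < 24; i++) {
            next = st[PI[i]];
            st[PI[i]] = ROTL8(t, (i + 1) * (i + 2) / 2);
            t = next;
        }
        for (unsigned y = 0; y < 25; y += 5) {  /* chi: the only non-linear step */
            memcpy(bc, st + y, 5);
            for (unsigned x = 0; x < 5; x++)
                st[y + x] ^= (uint8_t)(~bc[(x + 1) % 5] & bc[(x + 2) % 5]);
        }
        st[0] ^= RC[r];                   /* iota */
    }
}

/* Absorb a power-up SRAM image as the seed, 8 bytes per permutation. */
void prng_seed(uint8_t st[25], const uint8_t *sram, size_t len) {
    memset(st, 0, 25);
    for (size_t i = 0; i < len; i++) {
        st[i % RATE] ^= sram[i];
        if (i % RATE == RATE - 1) keccak_f200(st);
    }
    st[len % RATE] ^= 0x01; st[RATE - 1] ^= 0x80;  /* pad10*1 */
    keccak_f200(st);
}

/* Squeeze one 64-bit block, then permute so it is never output twice. */
void prng_block(uint8_t st[25], uint8_t out[RATE]) {
    memcpy(out, st, RATE);
    keccak_f200(st);
}
```

The generator is deterministic in the SRAM image, so its output is only as unpredictable as the entropy actually present in that image.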
Implementation 9 ARM Cortex-M: powerful, cheap, popular, …
Implementation 10 Optimize area first, then speed
Implementation 11 State unraveling Alignment trade-offs “Fun” effects
- Less code → slower‽
- 1 NOP → 2000 cycles
- 2 NOPs → 4 cycles
Implementation 12
Implementation 13
Unrolled assembly
- 3 872 bytes
- ± 1 510 cycles/byte [M0]
Optimized assembly
- 528 bytes
- ± 4 205 cycles/byte [M0]
- ± 3 337 cycles/byte [M4F]
Time × area: 38% [M0]
Comparison 14 Very few implementations

Source                 Keccak(r, c)   Platform    ROM/RAM [byte]   Speed [cycles/byte]
Balasch et al. ['12]   40, 160        ATtiny45    752 / 48         2 412
This work              64, 136        Cortex-M0   528 / 32         4 205
This work              64, 136        Cortex-M4   528 / 32         3 337
Others?

J. Balasch, B. Ege, T. Eisenbarth, B. Gérard, Z. Gong, T. Güneysu, S. Heyse, S. Kerckhof, F. Koeune, T. Plos, T. Poppelmann, F. Regazzoni, F. Standaert, G. Van Assche, R. Van Keer, L. Van Oldeneel Tot Oldenzeel, and I. Von Maurich, "Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices," in CARDIS 2012.
Conclusion 15 Drop-in solution Record size (528 byte) “Should” work → check SRAM!
Questions? 16