Summary. Circuits for True Random Number Generation with On-Line Quality Monitoring. Applications of Random Numbers Generators (RNGs)

Transcription

1 Summary Circuits for True Random Number Generation with On-Line Quality Monitoring Arnaud Tisserand CNRS, IRISA laboratory, CAIRN research team RAIM, June Motivations and context Randomness quality evaluation True random number generators (TRNGs) OCHRE circuits Implementation and evaluation results Conclusion, future prospects, references 2/4 Applications of Random Numbers Generators (RNGs) Lotteries, games and gambling Cryptography and security: key generation, initialization vectors, padding, nonces, stream ciphers, masking, blinding, randomization,... Probabilistic / randomized algorithms: Monte Carlo simulations, Las Vegas algorithms,... VLSI testing: random patterns, random schedules,... Digital communications: channel estimation/modeling, simulation,... 3/4 RNG Uses in Crypto Applications Encryption algorithms Digital signature schemes Authentication protocols Stream ciphers Key generation Padding Initialization vectors (IVs) Nonces Protection against side channel attacks: Masking (e.g. [] for AES) Blinding (e.g. blinded a b mod m for RSA [7] ) Random recoding for [k]p in ECC (e.g. [2]) Thomas talk 4/4

2 Probabilistic / Randomized Algorithms Random Numbers: Definition (/3) Numerical probabilistic algorithm: approximation of the correct result (using random choices) Examples: Buffon s needle ( /π), numerical integration, linear algebra,... Monte Carlo algorithm: always gives a result, but occasionally makes errors (incorrect result) Examples: primality tests (using Fermat s little theorem, Rabin-Miller), optimization,... E random drawings x = 4 x 2 = 6 x 3 = 2 x 4 = 7 x 5 = 5 S: random sequence Las Vegas algorithm: always gives a good result, but occasionally fails to give a result Examples: randomized quick-sort, some algorithms on graphs,... Problem in parallel randomized algorithms: initialization of many RNGs E (finite) set of numbers, n is the size of E x i the random numbers S : (x, x 2,..., x m ) sequence of random numbers (S length: m) 5/4 6/4 True random sequence: Random Numbers: Definition (2/3) equiprobable and uniform distribution P(x i = k) = n k E, i {, 2,..., m} statistical independence and non-predictability known numbers (x, x 2, x 3,..., x j ) non-reproducible: S S 2 S 3 RNG restart new number x j+ S : (x,..., x m ) S 2 : (y,..., y m ) S 3 : (z,..., z m ) 7/4 Random Numbers: Definition (3/3) Simple definition (B. Schneier): The output: looks random is unpredictable cannot be reproduced (for TRNGs) Standard definition (e.g. see D. Knuth [6, chap. 3]): The sequence of numbers (x, x 2, x 3,..., x m, x m ), with i, x i E, is random when the m numbers are: statistically independent uniformly distributed (equally probable) unpredictable Chapter 3, Random Numbers, from [6] D. E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Programming. Addison-Wesley, 3rd edition, 997 8/4

3 Random Sequences in Integrated Circuits Standard assumptions: 2 electrical states (voltages) as binary code: 0 and periodic sampling (at frequency f s ) Types of Random Number Generators Pseudo random number generator (PRNG): deterministic algorithms very high throughput and good statistical properties various algorithms quality/throughput/cost trade-offs state True random number generator (TRNG): THIS WORK non-deterministic algorithms (physical random source) limited throughput quality = func(environment parameters,... ) attacks 0 Hybrid random number generator (HRNG): TRNG PRNG output FUTURE WORK very high speed and very good quality selection needs more research 9/4 0/4 Randomness Quality Evaluation is Required Extract from [2] (988): Many generators have been written, most of them have demonstrably nonrandom characteristics, and some are embarrassingly bad. Randomness quality evaluation required at : design (ensures minimal randomness for ideal environment) run (check environment modifications, attacks) Randomness quality evaluation methods: mathematical and physical models statistical tests AND [2] S. K. Park and K. W. Miller. Random number generators: Good ones are hard to find. Communications of the ACM, 3(0):92 20, October 988 /4 Statistical Tests for Randomness Evaluation FIPS 40- (994): Security Requirements for Cryptographic Modules, 4 basic tests (removed in 40-2 version, 200/2002) AIS 3 (200+): Functionality Classes and Evaluation Methodology for Physical Random Number Generators. Specific tests for TRNGs NIST (2008+): A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. More complete test suite DIEHARD (995): by G. Marsaglia, DIEHARDER (2003+): very complete test suite, maintained by R. Brown, TestU0: C library from P. L Ecuyer and R. Simard [9] (2007+) Universal test from U. Maurer [0] (992) 2/4

4 Statistical Tests Examples and Limitations FIPS 40- tests 20kb sequences Monobit: check that 9654 < #(S) < 0346 Results format Poker: split S into bit blocs, #Bi (S) number of blocs equal to X = P or F monobit poker long run run(0,) run(,) run(0,2) run(,2) run(0,3) run(,3) run(0,4) run(,4) run(0,5) run(,5) run(0,6+) run(,6+) FIPS 40- Statistical Tests Input: sequence S of bits (from the RNG) Output: PASS or FAIL X X X X X X X X X X X X X X X i ((0000)2, (000)2,..., ()2 ), with 0 i 5, check that χ25 :.03 < generator 5 X 6 #Bi (S) < i=0 x0 (*) FIPS 40- test results Mersenne twister x0 PPPPPPPPPPPPPPP xn = xn mod 23 many x0 9, 23233,... 37, 7,... PPPPPPPPPPPPPPP FPPPPPPPPPPPPPP FFPPPPPPPPPPPPP Run: check that #run(k, S) Ik for k 6 and k Ik [2267, 2733] 2 [079, 42] 3 [502, 748] 4 [223, 402] 5 [90, 223] 6+ [90, 223] xn = 33 xn mod 02,... FFPFFPPPPFPFPPF xn = xn +, 2, ,... FFPFPPPPPPPPPFP PFPPPPPPPPPPPPP Long run: check that k 34, #run(k, S) = 0 (*) some bad values for x0 Notation: run(k, S) = string of k consecutive 0s/s (i.e } or 0.{z.. } 0).{z k k 3/4 Historical Hardware TRNGs (/2) 4/4 Historical Hardware TRNGs (2/2) ATT Patent 946, source: P. Kohlbrenner YouTube: Self-Loading LEGO Dice Tower Dice-O-Matic 5/4 6/4

5 TRNGs Selection Physical noise source: quantum physics radioactive decay atmospheric noise thermal/johnson noise jitter in ring oscillator sampling meta-stability noises in circuits: /f, shot, popcorn, crosstalk,... Characteristics: throughput (? Mb/s) randomness quality (bias, entropy/bit, stability, effects of environment variations,... ) security fully integrated in the chip cost (silicon area, power consumption) VLSI implement. 7/4 Example of TRNG: Quantum Physics Source: White paper from ID Quantique (Switzerland): Random Number Generation using Quantum Physics, Apr ( photon source semi-transparent mirror photon? 50 % 0 50 % single-photon detectors Extract from IDQ white paper p. 7: The fact that a photon incident on such a component be reflected or transmitted is intrinsically random and cannot be influenced by any external parameters. Quantis-PCI-4M: random data rate 4 Mb/s ± 0 % (< % thermal noise contribution in randomness) 8/4 Basic Electronic Gates Free Running Ring Oscillator (RO) Inverter: a XOR: a b s s a 0 s 0 a 0 0 b 0 0 s 0 0 inverter: in out 0 0 S odd # of inverters (n) 0 0 ring oscillator period = f (n, delay(inv ),...) S Flip-flop: a clk s at clk edge: s(t + ) = a(t) φ random jitter (timing/phase instability) S φ period = f (n, φ,...) Remark: area scale is not respected 9/4 20/4

6 Towards a TRNG Example of Ring Oscillator (RO) Based TRNG RO RO RO 2 xor tree post processing random bits RO 2 RO 3. RO k f s on-line test alarm optional quality evaluation t output clk Remark: very limited randomness using only 2 ROs 2/4 Description: k free running ring oscillators f s is the sampling frequency post processing: enhance statistical parameters on-line quality test (environment variations, attacks,... ) 22/4 Post Processing Purpose: enhance statistical parameters of the output sequence reduce bias Pr(x = ) = ɛ (AIS 3: ɛ < 0.073) increase entropy per bit (the real randomness) Typical post processing methods: Von Neumann correction input bits (0,0) (0,) (,0) (,) output bit none 0 none Linear feedback shift register (LFSR) Hash function (e.g. SHA) Ciphering (e.g. AES) Resilient function (e.g. error code computations) Trade-off: entropy per bit, data rate, cost, quality RO Based TRNG Example [8] B. Sunar, W. J. Martin, and D. R. Stinson. A provably secure true random number generator with built-in tolerance to active attacks. IEEE Transactions on Computers, 56():09 9, January 2007 Description: k = 4 RO of 3 inverters resilient function: BCH(256, 3, 3) code mathematical model (but not realistic assumptions) data rate 2.5 Mb/s on FPGA Problems: very complex calibration (external measurement of the jitter!!!) too many transitions in the xor tree setup/hold violations in the flip-flop 23/4 24/4

7 Flip-Flop Setup/Hold Problems Correct flip-flop behavior: input signal must stable: slightly before the clock edge slightly after the clock edge setup hold There are TRNGs based on (mixing): ring oscillators and Improvement Example LFSR (linear feedback shift register), p(x) = n i=0 p ix i clk XOR XOR XOR XOR XOR p 0 p p 2 p 3 p n input output? Remarks: Mixed true and pseudo random architecture Limited jitter accumulation 25/4 26/4 Metastability Example of Metastability based TRNGs Proba= 2 metastable state Proba= 2 Principle: adjust delay d (w.r.t. d 2 ) to force flip-flop in metastable state stable states clk d output Example: flip-flop output in metastable state voltage random delay d 2 0 Remark: small amount of randomness (use multiple elements in practice) 27/4 28/4

8 Example of Measurements on FPGAs TRNG References [8] P. Kohlbrenner and K. Gaj. An embedded true random number generator for FPGAs. In Proc. Field Programmable Gate Arrays (FPGA), pages ACM, February 2004 TRNG from [4] (Altera Stratix II): [5] V. Fischer, M. Drutarovsky, M. Simka, and N. Bochard. High performance true random number generator in altera stratix FPLDs. In Proc. Field Programmable Logic and Applications (FPL), volume 3203 of LNCS, pages Springer, August 2004 Run test AIS [7] D. Schellekens, B. Preneel, and I. Verbauwhede. FPGA vendor agnostic true random number generator. In Proc. Field Programmable Logic and Applications (FPL), pages 6. IEEE, August 2006 Success percentage (%) [4] M. Dichtl and J. D. Golic. High-speed true random number generation with logic gates only. In Proc. Cryptographic Hardware and Embedded Systems (CHES), volume 4727 of LNCS, pages Springer, September [9] I. Vasyltsov, E. Hambardzumyan, Y.-S. Kim, and B. Karpinskyy. Fast digital TRNG based on metastable ring oscillator. In Proc. Cryptographic Hardware and Embedded Systems (CHES), volume 554 of LNCS, pages Springer, August TRNG by Dichtl and al Data rates (Mb/s) [3] J.-L. Danger, S. Guilley, and P. Hoogvorst. High speed true random number generator 9 6 based on open loop structures in FPGAs. Microelectronics Journal, 40(): , x 0 November /4 OCHRE Circuits (On-Chip Randomness Extraction) (/2) OCHRE V, 2009Q2 30/4 OCHRE Circuits (On-Chip Randomness Extraction) (2/2) 00 % OK mm mw (CMOS 30 nm.2 V STMicro) TRNG from [7] (0 RO with 3 inv.) PRNG (cellular automaton) 95 MHz 89 MHz FIPS 40- embedded statistical tests OCHRE V2, 200Q4 00 % OK 4 mm2 (CMOS 30 nm.2 V STMicro) TRNGs [8]/[9]/[4]/[20] FIPS 40- and AIS 3 tests AES 235/628/746/363 MHz 80 MHz 24 MHz We also have FPGA implementations (Xilinx, Altera and Actel). 3/4 32/4

9 OCHRE V2 Circuit Some Measurement Results (/2) frequency test [x000] µ+σ µ µ σ f s [MHz] B A 33/4 34/4 Some Measurement Results (2/2) TRNG Design and Use poker test χ 2 [x000] 00 0 µ+σ µ µ σ f s [MHz] B electromagnetic interferences circuit random source V dd EMI clk temperature entropy extraction At run : - statistical tests - attack detection At design : - physical/mathematical modeling - simulations post processing on-line test? OK OK random stream alarm quality evaluation results 35/4 36/4

10 Conclusion & Future Prospects TRNGs are important elements of security systems Randomness quality evaluation is very complex accurate models, simulations, measurements,... Embedded security systems on-line quality evaluation We have implementations for both ASIC and FPGA targets Future research topics: Very intensive measurements for various parameters and domains: V dd, temperature, electromagnetic radiations, clock variations,... Hybrid generators = TRNG + PRNG Design space exploration at system level References I [] M. Baudet, D. Lubicz, J. Micolod, and A. Tassiaux. On the security of oscillator-based random number generators. Journal of Cryptology, 24(2): , April 20. Special Issue on Hardware and Security. [2] T. Chabrier, D. Pamula, and A. Tisserand. Hardware implementation of DBNS recoding for ECC processor. In Proc. 44rd Asilomar Conference on Signals, Systems and Computers, pages 29 33, Pacific Grove, California, U.S.A., November 200. IEEE. [3] J.-L. Danger, S. Guilley, and P. Hoogvorst. High speed true random number generator based on open loop structures in FPGAs. Microelectronics Journal, 40(): , November [4] M. Dichtl and J. D. Golic. High-speed true random number generation with logic gates only. In Proc. Cryptographic Hardware and Embedded Systems (CHES), volume 4727 of LNCS, pages Springer, September [5] V. Fischer, M. Drutarovsky, M. Simka, and N. Bochard. High performance true random number generator in altera stratix FPLDs. In Proc. Field Programmable Logic and Applications (FPL), volume 3203 of LNCS, pages Springer, August [6] D. E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Programming. Addison-Wesley, 3rd edition, 997. [7] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proc. Advances in Cryptology (CRYPTO), volume 09 of LNCS, pages Springer, August 996. [8] P. Kohlbrenner and K. Gaj. An embedded true random number generator for FPGAs. In Proc. Field Programmable Gate Arrays (FPGA), pages ACM, February /4 38/4 References II References III [9] P. L Ecuyer and R. Simard. TestU0: A C library for empirical testing of random number generators. ACM Transactions on Mathematical Software, 33(4):22: 40, August [0] U. M. Maurer. A universal statistical test for random bit generators. Journal of Cryptology, 5(2):89 05, January 992. [] T. S. Messerges. Securing the AES finalists against power analysis attacks. In Proc. 7th International Workshop on Fast Software Encryption (FSE), volume 978 of LNCS, pages 50 64, New York, USA, April Springer. [2] S. K. Park and K. W. Miller. Random number generators: Good ones are hard to find. Communications of the ACM, 3(0):92 20, October 988. [3] R. Santoro, S. Roy, and O. Sentieys. Search for optimal five-neighbor FPGA-based cellular automata random number generators. In Proc. Int. Symp. Signals, Systems and Electronics (ISSSE), pages , Montreal, Canada, July [4] R. Santoro, O. Sentieys, and S. Roy. On-line monitoring of random number generators for embedded security. In Proc. IEEE International Symposium on Circuits and Systems (ISCAS), pages , Taipei, Taiwan, May [5] R. Santoro, O. Sentieys, and S. Roy. On-the-fly evaluation of FPGA-based true random number generator. In Proc. Int. Symp. on VLSI (ISVLSI), pages IEEE Computer Society, May [6] R. Santoro, A. Tisserand, O. Sentieys, and S. Roy. Arithmetic operators for on-the-fly evaluation of TRNGs. In Proc. Advanced Signal Processing Algorithms, Architectures and Implementations XVIII, volume 7444, pages 2, San Diego, California, U.S.A., August SPIE. [7] D. Schellekens, B. Preneel, and I. Verbauwhede. FPGA vendor agnostic true random number generator. In Proc. Field Programmable Logic and Applications (FPL), pages 6. IEEE, August [8] B. Sunar, W. J. Martin, and D. R. Stinson. A provably secure true random number generator with built-in tolerance to active attacks. IEEE Transactions on Computers, 56():09 9, January [9] I. Vasyltsov, E. Hambardzumyan, Y.-S. Kim, and B. Karpinskyy. Fast digital TRNG based on metastable ring oscillator. In Proc. Cryptographic Hardware and Embedded Systems (CHES), volume 554 of LNCS, pages Springer, August [20] S.-K. Yoo, D. Karakoyunlu, B. Birand, and B. Sunar. Improving the robustness of ring oscillator TRNGs. ACM Transactions on Reconfigurable Technology and Systems, 3(2):9: 30, May 200. NIST references on RNG: 39/4 40/4

11 The end, some questions? Contact: CAIRN Group IRISA Laboratory, CNRS INRIA Univ. Rennes 6 rue Kérampont, BP 8058, F Lannion cedex, France Thank you 4/4