Investigation and Design of the Efficient Hardwarebased RNG for Cryptographic Applications

Transcription

1 Investigation and Design of the Efficient Hardwarebased RNG for Cryptographic Applications Ahmad Firdaus Mohamad Razy, Siti Zarina Md Naziri, Rizalafande Che Ismail and Norina Idris School of Microelectronic Engineering Universiti Malaysia Perlis Arau, Malaysia Abstract The best security factor in any encryption algorithm is the random values used in key management or the structure of the algorithm itself. Thus, some of the encryption algorithm employed random number generator to produce this type of numbers. This paper describes the process of selecting the most efficient algorithm to represent the hardware RNG for the usage in cryptography. For this purpose, a number of RNG algorithms are selected and analyzed in terms of the sequence s randomness using theoretical simulator analysis. Among of the algorithms, the Inverse Congruential Generator algorithm was chosen based on the analysis as it provides the most high quality random sequence and insensitivity in initial condition. The algorithm was further proceed to the NIST test for nonrandomness test and it shown reasonable complexity. The design was proven to be implemented successfully on hardware as it then been designed using Verilog HDL and been simulated and verified using Altera QuartusII 9.0sp2 web edition software. The design utilized 7,711 logic elements of Cyclone EP1C20F400C6. Benefited the usage of FPGA, the design could possibly provide reduction in size of the RNG, low power consumption and low cost production for hardware-based encryption. Keywords random number generator; Inverse Congruential Generator; Verilog; hardware; encryption I. INTRODUCTION Random number generator (RNG) is designed to generate a sequence of number that will appear random. RNG have been used for many application such as statistical sampling, computer simulation, cryptography, security system and identification, depending to the purpose of the development and the method been used. There are two types of RNG. Firstly, the RNG which are generated by computers through special algorithm called pseudorandom number generators (PRNG). Secondly is the true random number generator (TRNG) that can be generated by the environment or other methods that do not have periodicity sequences. PRNG numbers are not random in the way might be expect, as repeating sequence is acceptable for certain applications. Special RNG algorithms use mathematical formulae or simple pre-calculated tables to produce sequences of numbers that appear random. From that it can automatically create long runs of numbers with good random properties, but eventually the sequence repeats because of finite range. A TRNG could be created from a PRNG, as the PRNG performs the production of the seed for the cryptographic application. Seed in RNG is an initial parameter to execute PRNG algorithm in generating a random number. Since PRNG relies on an initial short key and a deterministic algorithm, the security is not comparable to the TRNG output [1]. While cryptography and certain numerical algorithms require a very high degree of apparent randomness, many other operations only need a modest of unpredictability sequences. PRNG algorithms is efficient because they can produce many number in a short time, and also deterministic, meaning that a given sequences of numbers can be reproduced at a later time if the starting point in the sequences is known. PRNG are also periodic-able, which means that the sequence will eventually repeat itself. While periodicity is hardly ever a desirable characteristic, modern PRNG have a long period that can be ignore the periodicity criteria for most practical purposes. These characteristics make PRNG suitable for application where many numbers are required and where it is useful that the same sequence can be replayed easily such as simulation and modelling applications. In cryptography, RNG plays a major role as a vital ingredient in many algorithms and systems, such as generation of keys in secret key cryptography and public key cryptography, generation of challenge or response in user authentication algorithm, and commercial applications like lottery games and slot machines. The security of such systems highly relies on the quality of the random output produces by the generators [2]. The purpose of this research is to select the best RNG algorithm to be further proceed into hardware design, purposely for cryptographic applications. Due to this objective, the selection must be made according to the musthave criteria of a good RNG in producing quality sequence of random numbers. As in [3], a good random number sequence must have good distribution, each random number must be distributed according to what will expect from a truly random distribution. The sequence must not have high correlations between the outputs that have been produced. Good algorithm must have long period, to avoid undesired correlation and repeated sequence. For some purpose, the algorithm must have /14/$ IEEE

2 repeatability characteristic for testing and development, because it is necessary or not possible to repeat an exact sequence as the previous run. Lastly the efficiency, which is one of the important factor in security system. Meanwhile, hardware design of RNG could benefit in terms of the security, speed and power as it is designed on an all-in-one platform, which is the IC. Conventional hardware design which requires solely electronic components are bulky in size, problematic and gain high rate of thermal noise produced by the components [4]. All-in-one design could overcome these problems. However, the research is to prove that the selected RNG algorithm could possibly be translated into hardware design. The process and the outcome of the study is elaborated in this paper through several sections. Section II will discussed on the process and the analysis that been done in gaining the best RNG algorithm. Further section will elaborating on the special test done on the chosen algorithm, which is the NIST test. The hardware design of the chosen algorithm is described in Section IV. II. PRNG ALGORITHMS: COMPARISON AND ANALYSIS In order to retrieve the best PRNG algorithm, a number of algorithms have been selected for the investigation. The comparison which involves data distribution analysis, comprised of eight algorithms; which were Linear Congruential Generator, Multiply With Carry Generator, Complimentary Multiply With Carry Generator, Additive Lagged Fibonacci Generator, Park Miller/Lehmar Random Number Generator, Blum Blum Shub Generator, Linear Feedback Shift Register Generator and Inverse Congruential Generator. The generation of random number sequence from these algorithms that forms several sequence patterns, were tabled and plotted using Microsoft Excel. These algorithms were selected from the several pseudorandom number generator algorithms, according to each requirements and the output sequence characteristic offered. A. Selected RNG Algorithms 1) Linear Congruential Generator (LCG) LCG is the oldest and the most basic of pseudorandom number generator algorithm. The random values are generated from (1). X n+ 1 = ( a X n+ C ) mod m m, 0 < m is the modulus a, 0 < a < m is the multiplier c, 0 c < m is the increment X 0, 0 X 0 < m is the seed 2) Multiply With carry Generator (MWCG) MWCG has been introduced by George Marsaglia for generating sequence of random integer from an initial set of (1) two into thousands of randomly choosed seed values. The generator is represented by (2) and (3). X = ( a X + C ) mod m n n r n 1 ( a X n r + Cn 1) Cn = m b, is the base a, is the multiplier c, is the increment r, is the lag number (previous number as initial number) 3) Complimentary Multiply With Carry Generator (CMWCG) CMWCG is a based on MWCG with slight modification to form the new X n. The random values are produced according to (4), with the specification in (5). where X = (( b 1) ( a X + C )) (mod m) n n r n 1 C n ( a X n r + Cn 1) = m b, is the base a, is the multiplier c, is the increment r, is the lag number 4) Additive Lagged Fibonacci Generator (ALFG) Lagged Fibonacci Generator is an improved LCG algorithm. The algorithm s idea is based on a generalization of Fibonacci sequence. By using addition operation as its general operation, the algorithm s name is changed to ALFG. Eq. (6) illustrates how the random number is generated. X = ( X + X ) mod m n n 1 n k S n, is the sequence of pseudorandom values j, random number at previous output k, random number at previous output (at least odd number) m, is the modulus *ratio between j and k was suggested as golden ratio 5) Park Miller/Lehmar Generator Park Miller generator which is also known as Lehmar Generator, is a variant of LCG that operates with multiplicative operations of integer modulo n. The random numbers for this algorithm are generated based on (7). (2) (3) (4) (5) (6) X = n 1 ( X + n g) mod m (7)

3 X k, is the sequence of pseudorandom values g, is the multiplier (high multiplicative) n, is the modulus (prime number) 6) Blum Blum Shub Generator (BBS) BBS is believed to be one of the strongest cryptographically secure random bit generator (CSRBG) algorithm [5]. The algorithm that was proposed in 1986 by Lenore Blum, Manuel Blum and Michael Shub is appropriate for the use in cryptographic applications since it has a strong security proof. The generation of random numbers for the algorithm is represented by (8) and (9). 2 X = n+ 1 X n mod M (8) M = p q M, is the product of two large prime number p and q, is the large prime number 7) Linear Feedback Shift Register Generator (LFSR) LFSR is a well-known mechanism for generating a sequence of binary bits. The register consists of a series of cells that set by an initialization vector that is, most often, the secret seed. LFSR has been implemented into many hardware application that need very fast generation of random number sequences. Simple XOR operations (represented by the symbol ^) are utilized effectively in generating random numbers, as denoted in (10). x, is the position of bits (9) y = x8 ^ x6 ^ x5 ^ x4 (10) 8) Inverse Congruential Generator (ICG) ICG was introduced by Eichenauer and Lehn in This algorithm is a nonlinear congruential pseudorandom number generator, which uses the modular multiplicative inverse to generate the next number in a sequence as designated in (11). 1 y = i 1 ( a y + + i b) mod p (11) X -1, is the inverse of previous output p, is the modulus a, is the multiplier b, is the additive B. Algorithm Comparison and Analysis The algorithms stated in the previous section were simulated and analysed for the first 300 random numbers. The analysis was made based on the output data distribution pattern and randomness quality. The LCG data distribution as shown in Fig. 1(a) exposed a high serial correlation output. Nevertheless, the algorithm was fast and used minimal memory when generating these random numbers. This is due to the simplicity of the algorithm s equation. However, the close repetition of data pattern shown in the same figure does not suit for Monte Carlo simulation and cryptography application. Meanwhile, Fig. 1(b) illustrated the simulation of the MWCG. The data distribution pattern of MWCG has slightly biased outputs. In addition, the outputs have some overlapping sequence, instead of very fast generation of sequences numbers caused by the simple computer integer arithmetic. With suitable initial condition parameter, it passed the statistical test that the LCG fails. The difference between LCG and MWCG is the latter needs to select some of the previous output depending on the lag condition in initializing the generator. Next in the row is CMWCG, which is the modification of MWCG. The simulation result is based on equation (4) and (5). Fig. 1(c) showed the results of the algorithm s data distribution. From the data distribution and pattern of CMWCG, it has illustrated that it has low overlapping output compared to MWCG. Similar to MWCG, CMWCG needs to select some of previous values as seed, depending on lag condition to initialize the generator. However, CMWCG is faster in generating random number sequence with immense periods compared to MWCG. It also provides more unpredictability to the recurrence relationship due to the changing carry value affecting the cycle length. Moreover, CMWCG also passed the statistical test that the LCG fails in using suitable parameter for initialization. The ALFG algorithm was obtained from generalisation of Fibonacci number. With additional arithmetic operation, the ALFG had produced a simulation as depicted in Fig. 1(d) based on (6). The result had shown that the algorithm produced low overlapping output compared to MWCG. Similar to MWCG and CMWCG, it uses more than one of previous number to produce random number sequence. Besides, the ALFG mathematical theory is incomplete, so it leads to complex initialization problem. The simulation also shows that this generator needs a very high attention into initial condition, caused by algorithm s ultra-sensitivity to initial condition. Furthermore, the output (i.e. random numbers) seemed partially random in the earlier stage of random number generation. Thus, it needs a very big number to avoid a short period of sequences. The simulation of Park Miller/Lehmar generator is presented in Fig. 1(e). From the data distribution and pattern, it shows that the algorithm is fast and yet requires minimal memory in generating random number sequences due to simple computer arithmetic used by the algorithm. Besides, the output sequences has lack of certain numbers that can be seen clearly by the hole of data distribution result. The random numbers also seemed close to each other, which make the sum of data distribution output were likely overlapped. Fig. 1(f) shows the simulation result based on Blum Blum Shub (BBS) random number generation using the Eq. (8) and (9). The figure demonstrates a not-very-fast generation of random number sequence, thus make it unsuitable for simulation. Furthermore, BBS generator needs large value for M in generating non-random patterns because small value of M

4 (a) Linaer Congruential Generator (b) Multiply with Carry Generator (c) Complementary Multiply with Carry Generator (d) Additive Lagged Fibonacci Generator (e) Park Miller/Lehmar Generator (f) Blum Blum Shub Generator Fig. 1. (g) Linear Feedback Shift Generator Data distribution of selected PRNG algorithms will let the sequence keep repeating themselves as depicted in the same figure, which let them to be unsecure. Additionally, the sequence number contributes difficulties in integer factorization [5]. Theoretically, the algorithm will produce a strong security random pattern using suitable initial conditions. In other simulation, the LFSR generator (Fig. 1(g)) produced deterministic output [6]. The sequence of the random numbers were not really random even though the data distribution seems random. However, the LFSR generator is very fast in generating random number sequence because it used only XOR operation. Contradict to the generation speed, the algorithm requires a lengthy cycle of sequence number for higher bit of operation. Currently, most of the software and hardware which in need of random numbers employed LFSR generator [5] due to its simplicity. The final simulation was done for the ICG algorithm as depicted in Fig. 1(h). The data distribution and pattern of the (h) Inverse Congruential Generator output shows the algorithm has the most random sequence compared to other selected algorithms. It provides a high quality randomness, besides a not-so-sensitive initial condition compared to other algorithms [7]. Even though the algorithm produced a high quality random number sequence, a prime number must be used as the initial condition for the algorithm. In ICG, the prime number characteristics ensures more random number sequence to be created. For this reason, the algorithm has been supported by Euclid algorithm, in which turns the initial value i.e. the seed into an inverse number. The data distribution and pattern of the combined algorithm is illustrated in Fig. 2. From the distribution and pattern, the generated output numbers were more random as a result of the random inverse numbers used as the seed. In conclusion, based on all simulation that have been made and verified, the ICG is found as the most suitable PRNG for security purpose due to its high quality in randomness. The

5 high quality of randomness increases the security level of any encryption algorithm and information. Moreover, ICG also is the only non-linear algorithm that makes the random number sequence undeterministic. The second part of test is non-parameterized test that includes 9 tests. This test includes Cumulative Sums test, Runs test, Longest Runs of Ones test, Rank test, Spectral DFT test, Random Excursion test, Random Excursion Variant test, Frequency test and Lempel Ziv test. The purpose of these 9 tests is to verify the tester whether it can run thoroughly without any specific of properties or not. Table II shows the NIST non-parameterized test result for the same 5 data selected in previous test. TABLE II. NIST NON-PARAMETERIZED TEST RESULT Fig. 2. Combined ICG and Euclid algorithm generator data distribution. III. NIST TESTER NIST test will detects the deviations from randomness due to either poorly designed generator or anomalies that appeared in the binary sequence that is tested. However, it is up to the tester to determine the correct interpretation of the test result. Various statistical tests can be applied to a sequence to attempt, compare and evaluate the sequence to a truly random sequence. Randomness is a probabilistic property, that is the properties of a random sequence can be characterized and described in terms of probability [8]. NIST Tester have three main goal, but in this research the test is focusing on one goal, that is to detect the nonrandomness in binary sequence using random number generator that will be utilized in cryptographic application. This generator will generate 5 different seed in order to know the average of NIST tester result. For this research, the NIST tester conducted 16 tests that would verify based on the algorithms function and characteristic of randomness. NIST tester is divided into 2 parts; first is parameterized test and secondly is non-parameterized test. Parameterized test includes 7 test; named as Block Frequency test, Overlapping Templates test, Non-Overlapping Templates test, Serial test, Approximate Entropy test, Linear Complexity test and Universal test. These tests needs a certain specific properties that must be used to operate the tester. Table I shows the NIST parameterized test result for 5 data that had been generated by the ICG-based programme. Test TABLE I. Linear Complexity NIST PARAMETERIZED TEST RESULT Properties Block Length = 500 Focus to length of Linear Feedback Shift Register (LFSR). It Function determine whether or not the sequence is complex enough to be considered random From all data only 4 data get P-value >= 0.01 that show the sequence have enough of complexity, other than that it does t Result have enough complexity in random number sequence to be considered as random Test Function Result Test Function Result Rank Focus to testing the rank of disjoint sub-matrices of the entire sequence. The test purpose is to check the linear dependence among fixed length substrings of the original sequence 2 out of 5 data sequence get P-value >=1, means that the random number sequence considered as random. Otherwise it will indicated a deviation of the rank distribution from corresponding random number sequence Lempel Ziv Focus to testing the number of cumulatively distinct pattern (words) in the sequence. It determine how far the tested sequence can be compressed All data get P-value >= 0.01, means that the sequence can t be compressed significantly and can be consider as random From the NIST test, the data passed 3 out of 16 conducted tests, which were the Linear Complexity test, Rank test and Lempel Ziv test. In overall, the ICG-based programme passed 13.75% of NIST test. Nonetheless, NIST test result is not the absolute benchmark of a good generator. For example, one algorithm could be a very good generator in a real application but it shows unimpressive result in NIST test. Thus, NIST test is a good medium to show the characteristic of the tested algorithm. Concluding the test, the ICG algorithm test result exposed reasonable complexity and significant uncompressed random number sequence. Thus, ICG algorithm can be considered and selected as the best PRNG algorithm for further application. IV. HARDWARE DESIGN The most efficient algorithm based on previous analysis, which was the ICG algorithm, was then proceed to hardware design. For a rapid proof of hardware implementation, the design was implemented on the Altera FPGA. Consequently, the hardware design of ICG algorithm was described in Verilog, and been simulated, verified and debugged using the Altera QuartusII 9.0sp2 web edition software. Targeting the Cyclone EPIC20F400C6 FPGA, the design utilized 7,711 logic elements with 244 I/O pins. Table III summarizes the configuration of the ICG-based hardware RNG generator. Based on the settings in Table III, the simulated results were gain and verified, as shown in Fig. 3. From this table of configuration, the design was simulated and generated appropriate waveform as shown in Fig. 3.

6 Fig. 3. Simulation waveform of hardware ICG design. TABLE III. CONFIGURATION OF ICG-BASED HARDWARE RNG DESIGN Family Cyclone Device EP1C20F400C6 Total Logic 7,711/20,060 (38%) Elements Total Pins 244/301 (81%) Clk, rst = low, enable = high, Input P = 251, y = 17 (first cycle only), A = 43, B = 29 Remainder = (R1, R2, R3, R4, R5, R6, R7, R8, R9, R10), Multiplier = (V1, V2, V3, V4, V5, V6, V7, V8, V9, V10), Output inverse number = inv, final value = icg V. CONCLUSION Based on the conducted data simulation and theoretical analysis of selected RNG algorithms, the ICG algorithm was chosen as the most efficient algorithm to represent the research s hardware RNG design. The selection was made as the ICG provides high quality of randomness compared to other investigated algorithms, besides the non-linear characteristic of the algorithm that provides the quality of the random number generated. The data distribution pattern simulation analysis proved that ICG have met the requirements of a good RNG criteria compared to other algorithms. From the simulation, ICG have shown a good distribution, owned a long period to avoid undesired correlation if the initialization parameter was been set-up for big numbers. Other than that, ICG can be used in cryptography because it has repeatability function in repeating the exact sequence to be used in future functions. Besides, the efficiency of the algorithm was considerable, because it used simple combination of mathematical operation that doesn t need big memory and lengthy execution time duration except for inverse operation. The analysis of the randomness quality by NIST tester resulted percent of the sequence that was considered as acceptably random. The advantage of ICG is the non-linear characteristic, which allows the algorithm to produce more random values. For further improvements, the ICG could be combined with other algorithms in producing better results, with exploiting the strength and abilities of the ICG algorithm. In this study, the ICG was designed successfully using Verilog. The Cyclone-based hardware design was synthesized using the Altera QuartusII 9.0sp2 web edition software and comprised reasonable amount of logic elements, which are 7,711 logic elements in total. Improvements could be done in near future in optimizing the hardware design using better styles of Verilog representations, besides implementing the design using the latest FPGA which could provide better speed and less power consumption. REFERENCES [1] S. H. M. Kwok, and E. Y. Lam, "FPGA-based High-speed True Random Number Generator for Cryptographic Applications," TENCON IEEE Region 10 Conference, pp. 1-4, [2] D. C. Hyde, CSCI 320 Computer Architecture Handbook on Verilog HDL. Computer Science Department, Lewisburg: Bucknell University, [3] J. D. Golic, "New Methods for Digital Generation and Postprocessing of Random Data," Computers, IEEE Transactions on, vol. 55, pp , [4] W. D. Passos, Numerical Methods, Algorithms and Tools in C#. vol. null, ed: CRC Press,, pp , [5] K. H. Tsoi, K. H. Leung, and P.H.-W. Leong, "Compact FPGA-based true and pseudo random number generators," Field-Programmable Custom Computing Machines, FCCM th Annual IEEE Symposium on, vol., no., pp.51,61, 9-11 April [6] Y. Wang, H. Y. Wang, A. Guan and H. Zhang, "Evolutionary Design of Random Number Generator," jcai, 2009 International Joint Conference on Artificial Intelligence, pp , [7] P. Hellekalek. Inversive pseudorandom number generators: concepts, results and links. Proceedings of the 27th conference on Winter simulation (WSC '95), pp , [8] L. E. Bassham, A. L. Rukhin, J. Soto, J. R. Nechvatal, M. E. Smid, E. B. Barker, S. D. Leigh, M. Levenson, M. Vangel, D. L. Banks, N. A. Heckert, J. F. Dray, and S. Vo, SP Rev. 1a. a Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Technical Report. NIST, Gaithersburg, MD, United States