The Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array. By Paul Kohlbrenner November 20, 2003

Transcription

1 The Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array By Paul Kohlbrenner November 20, 2003

2 Presentation Organization 1. Thesis goal 2. The need for random bits in crypto systems 3. What is an FPGA? 4. Characteristics of Random Number Generators 5. Testing RNGs 6. My RNG design 7. Conclusion and future work 20 November,

3 Thesis Goal Design and build a TRNG in an FPGA with the following characteristics: 1. Uses only the standard CLBs in the FPGA. 2. Output bits pass the standard statistical tests of randomness. 3. Acceptable output bit rate. 20 November,

4 Why Do Cryptographic Processes Need Random Bits? Keys Initialization Vectors Challenges 20 November,

5 Bad Generators Netscape V1.1 (circa: 1996) Used randomness sources of Process IDs and the machine uptime. Mixed the above bits with the MD5 hash function. The resulting keys (used for SSL security) were easily guessed. 20 November,

6 What is a Field Programmable Gate Array (FPGA)? An FPGA is an electrical component that allows on-the-fly reconfiguration of its internal electrical configuration and interconnections. 20 November,

7 FPGA Internals CLB 96 Columns Slice Flip-flops 64 Rows 4-input Lookup Tables Switching Fabric 20 November,

8 Why are FPGAs Good Platforms for Crypto Systems? Algorithm and resource efficiencies In-service algorithm modification Low development costs More effective intrusion detection Near ASIC encryption speeds 20 November,

9 What is a Random Number Generator? Intuitive definition: A RNG is a device that produces a stream of numbers each of which is a surprise, but over the long run the numbers should follow a specified distribution. 20 November,

10 What is a Random Number Generator? Working definition (from Bruce Schneier): 1. The output looks random. 2. It is unpredictable. 3. It cannot be reliably reproduced. 20 November,

11 Kinds of RNGs Pseudo Random Number Generator (PRNG) An algorithm that is initialized with an externally generated sequence and produces a much longer sequence that appears to be random. 20 November,

12 Kinds of RNGs Cryptographically Secure Pseudo Random Number Generators (CSPRNGs) If, given all the previous output from a PRNG and the complete algorithm, it is computationally infeasible to predict the next output, then a PRNG is considered cryptographically secure. 20 November,

13 Kinds of RNGs True Random Number Generators (TRNG) RNGs that base their output entirely on an underlying random physical process. 20 November,

14 Kinds of RNGs TRNG Cannot be Reproduced CSPRNG Unpredictable Unpredictable PRNG Looks Random Looks Random Looks Random 20 November,

15 What RNG? Some users don t want RNGs with all three properties. Simulation Key stream generators 20 November,

16 Sources of Randomness Electrical noise Quantum mechanical properties of photons Radioactivity Human machine interactions Internal systems of computers 20 November,

17 Previous Work 20 November,

18 Previous Work Oscillator based designs: Direct sampling of the noise source. Noise source drives a Voltage Controlled Oscillator (VCO) which is sampled. Signal jitter in a free-running oscillator. 20 November,

19 The Intel RNG: Previous Work From: The Intel Random Number Generator a white paper prepared for Intel by Cryptography Research Inc. 20 November,

20 Testing RNGs Use a variety of statistical tests to examine the output to make sure it meets the desired characteristics. (TRNGs only) Make sure the physical source of randomness is functioning. 20 November,

21 Testing RNGs Two widely used public domain test suites: 1. DIEHARD 2. NIST 20 November,

22 Testing RNGs RNG testing system for small sets of data: 1. Bit frequency test 2. Poker test 3. Runs and gaps test 4. Auto-correlation test 20 November,

23 Current Position: Test 01 Start, Monobit test (pass = < V < 3.841) Segment size: , Ones: , Zeros: , V: [Pass] Test 01 End. Test 02 Start, Poker test SeqSize: 2, V: [Pass] SeqSize: 3, V: [Pass] SeqSize: 4, V: [Pass] SeqSize: 5, V: [Pass] SeqSize: 6, V: [Pass] SeqSize: 7, V: [Pass] SeqSize: 8, V: [Pass] SeqSize: 9, V: [Pass] SeqSize: 10, V: [Pass] Test 02 End. 20 November,

24 Test 03 Start, Runs and Gaps test Len 0's 1's MaxGap=24, MaxRun=24 (max: 24) 1 : : : : : : : : : : : : : : : : : : : : : : : : 1 1 Test 03 End. 20 November,

25 Test 04 Start, Autocorrelation test Shift: 1, misses: , X: Shift: 2, misses: , X: Shift: 3, misses: , X: Shift: 4, misses: , X: Shift: 5, misses: , X: Shift: 6, misses: , X: Shift: 7, misses: , X: Shift: 8, misses: , X: Shift: 9, misses: , X: Shift: 10, misses: , X: Shift: 11, misses: , X: Shift: 12, misses: , X: Shift: 13, misses: , X: Shift: 14, misses: , X: Shift: 15, misses: , X: Shift: 16, misses: , X: Test 04 End. Test 05 Start, Approximate Entropy (ApEn) test Phi(1)= ; ApEn[1]= ; Chi2= ; [Passed] Phi(2)= ; ApEn[2]= ; Chi2=3.0131; [Passed] Phi(3)= ; ApEn[3]= ; Chi2= ; [Passed] Phi(4)= ; ApEn[4]= ; Chi2= ; [Passed] Phi(5)= ; ApEn[5]= ; Chi2=24.967; [Passed] Phi(6)= ; ApEn[6]= ; Chi2= ; [FAILED] ( <= <= Phi(7)= ; ApEn[7]= ; Chi2= ; [Passed] Test 05 End. Test 06 Start. Parameters: L=9, Q=5120, K= Xu: , (Exp: , Var: 3.311) Zu: Universal P-Value is: Test 06 End. 20 November,

26 TRNG Certification Two possible routes: 1. FIPS-140-2: National Institute of Standards and Technology (NIST) - Security Requirements for Cryptographic Modules. 2. AIS 31: German Federal Office for Information Security (BSI) Functionality Classes and Evaluation Methodology for True (Physical) Random Number Generators. 20 November,

27 My Design The Ring Oscillators ClkOut D Q D Q 0 G 0 G 20 November,

28 My Design The Ring Oscillators FeedBack1 ClkOut A4 A3 A2 A1 LUT D=A1 D D G Q Init A4 A3 A2 A1 LUT D=~A 1 D D G Q Init ClkEnable ClkReset FeedBack0 20 November,

29 20 November,

30 S26 S21 S16 S11 S S1 20 November,

31 My Design The Sampler Clk0 D Q S0 1 D Q BitReady Clk1 CE Init ReadAck D Q C0 D Q RandOut Init CE R0 S0 E0 From/To Control 20 November,

32 My Design The Sampler Clk1 Clk0 S0 C0 RandOut November,

33 My Design The Control Circuits Disable the output flip-flops in the sampler after a bit is sampled to prevent bounce. Reset the counter flip-flop to prevent correlations between successive bits. 20 November,

34 My Design Evidence of Jitter Experiment Add a counter to the clk0 signal and latch the count every time a random bit is output. If there is no jitter then the count will always be at most two different values. 20 November,

35 My Design Evidence of Jitter Number of Occurances More Signal S0 Size 20 November,

36 My Design Evidence of Jitter 1600 Number of Occurances Signal S0 Size 20 November,

37 My Design - Testing Windows 2000 VHDL (Text files) Compiler (Synplify V7.2) Placement and Routing (Xilinx ISE-4 toolset) Bit file (Binary file) Red Hat Linux Control file (Compiled C++) Control Process SLAAC Board (Contains FPGAs and control logic) 20 November,

38 My Design - Testing Create 128MByte file of bits (1Gbit). NIST suite ran for three days on CPE02. Results showed no failures. 20 November,

39 Future Work I created a design that used one CLK1 signal sampling four CLK0s. Initial tests showed that out of 78 placements across the top half of the FPGA only four failed to produce initial evidence of randomness. 20 November,

40 Future Work Slower ring oscillators might produce wider tolerances for oscillator differences. 20 November,

41 Questions 20 November,