The Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array
By Paul Kohlbrenner
November 20, 2003

Presentation Organization
1. Thesis goal
2. The need for random bits in crypto systems
3. What is an FPGA?
4. Characteristics of Random Number Generators
5. Testing RNGs
6. My RNG design
7. Conclusion and future work

Thesis Goal
Design and build a TRNG in an FPGA with the following characteristics:
1. Uses only the standard CLBs in the FPGA.
2. Output bits pass the standard statistical tests of randomness.
3. Acceptable output bit rate.

Why Do Cryptographic Processes Need Random Bits?
- Keys
- Initialization Vectors
- Challenges

Bad Generators
Netscape V1.1 (circa: 1996)
- Used randomness sources of Process IDs and the machine uptime.
- Mixed the above bits with the MD5 hash function.
- The resulting keys (used for SSL security) were easily guessed.

What is a Field Programmable Gate Array (FPGA)?
An FPGA is an electrical component that allows on-the-fly reconfiguration of its internal electrical configuration and interconnections.

FPGA Internals
[Figure: FPGA internals. Labels: CLB, 96 Columns, 64 Rows, Slice, Flip-flops, 4-input Lookup Tables, Switching Fabric]

Why are FPGAs Good Platforms for Crypto Systems?
- Algorithm and resource efficiencies
- In-service algorithm modification
- Low development costs
- More effective intrusion detection
- Near ASIC encryption speeds

What is a Random Number Generator?
Intuitive definition: A RNG is a device that produces a stream of numbers each of which is a surprise, but over the long run the numbers should follow a specified distribution.

What is a Random Number Generator?
Working definition (from Bruce Schneier):
1. The output looks random.
2. It is unpredictable.
3. It cannot be reliably reproduced.

Kinds of RNGs
Pseudo Random Number Generator (PRNG): An algorithm that is initialized with an externally generated sequence and produces a much longer sequence that appears to be random.

Kinds of RNGs
Cryptographically Secure Pseudo Random Number Generators (CSPRNGs): If, given all the previous output from a PRNG and the complete algorithm, it is computationally infeasible to predict the next output, then a PRNG is considered cryptographically secure.

Kinds of RNGs
True Random Number Generators (TRNG): RNGs that base their output entirely on an underlying random physical process.

Kinds of RNGs
- PRNG: Looks Random
- CSPRNG: Looks Random, Unpredictable
- TRNG: Looks Random, Unpredictable, Cannot be Reproduced

What RNG?
Some users don't want RNGs with all three properties.
- Simulation
- Key stream generators

Sources of Randomness
- Electrical noise
- Quantum mechanical properties of photons
- Radioactivity
- Human machine interactions
- Internal systems of computers

Previous Work
Oscillator based designs:
- Direct sampling of the noise source.
- Noise source drives a Voltage Controlled Oscillator (VCO) which is sampled.
- Signal jitter in a free-running oscillator.

Previous Work
The Intel RNG:
[Figure] From: "The Intel Random Number Generator", a white paper prepared for Intel by Cryptography Research Inc.

Testing RNGs
- Use a variety of statistical tests to examine the output to make sure it meets the desired characteristics.
- (TRNGs only) Make sure the physical source of randomness is functioning.

Testing RNGs
Two widely used public domain test suites:
1. DIEHARD
2. NIST

Testing RNGs
RNG testing system for small sets of data:
1. Bit frequency test
2. Poker test
3. Runs and gaps test
4. Auto-correlation test

Current Position: 8388608
Test 01 Start, Monobit test (pass = 0.00393 < V < 3.841)
Segment size: 8388608, Ones: 4195161, Zeros: 4193447, V: 0.350213 [Pass]
Test 01 End.
Test 02 Start, Poker test
SeqSize: 2, V: 2.00927 [Pass]
SeqSize: 3, V: 2.79469 [Pass]
SeqSize: 4, V: 11.727 [Pass]
SeqSize: 5, V: 38.62 [Pass]
SeqSize: 6, V: 57.0581 [Pass]
SeqSize: 7, V: 124.818 [Pass]
SeqSize: 8, V: 230.43 [Pass]
SeqSize: 9, V: 507.068 [Pass]
SeqSize: 10, V: 1075.83 [Pass]
Test 02 End.
Test 03 Start, Runs and Gaps test
Len       0's      1's    MaxGap=24, MaxRun=24 (max: 24)
 1 :  1049881  1049047
 2 :   524072   524624
 3 :   262901   262646
 4 :   130522   131176
 5 :    65605    65388
 6 :    32448    32503
 7 :    16504    16471
 8 :     8234     8274
 9 :     4008     4001
10 :     2020     2080
11 :      983     1005
12 :      527      504
13 :      244      239
14 :      109      126
15 :       81       69
16 :       31       27
17 :       19       13
18 :       11        8
19 :        5        4
20 :        3        2
21 :        0        0
22 :        0        1
23 :        0        0
24 :        1        1
Test 03 End.
Test 04 Start, Autocorrelation test
Shift: 1, misses: 4196417, X: 1.45944
Shift: 2, misses: 4194980, X: 0.467492
Shift: 3, misses: 4195929, X: 1.12315
Shift: 4, misses: 4192056, X: -1.55094
Shift: 5, misses: 4195340, X: 0.71712
Shift: 6, misses: 4192718, X: -1.09312
Shift: 7, misses: 4195872, X: 1.08517
Shift: 8, misses: 4194054, X: -0.169871
Shift: 9, misses: 4194819, X: 0.358733
Shift: 10, misses: 4192790, X: -1.04202
Shift: 11, misses: 4193852, X: -0.308324
Shift: 12, misses: 4195906, X: 1.11038
Shift: 13, misses: 4194056, X: -0.166764
Shift: 14, misses: 4195781, X: 1.02475
Shift: 15, misses: 4193244, X: -0.726788
Shift: 16, misses: 4195956, X: 1.14629
Test 04 End.
Test 05 Start, Approximate Entropy (ApEn) test
Phi(1)=-0.693147; ApEn[1]=0.693147; Chi2=2.48155; [Passed]
Phi(2)=-1.38629; ApEn[2]=0.693147; Chi2=3.0131; [Passed]
Phi(3)=-2.07944; ApEn[3]=0.693147; Chi2=6.58304; [Passed]
Phi(4)=-2.77259; ApEn[4]=0.693146; Chi2=15.0438; [Passed]
Phi(5)=-3.46573; ApEn[5]=0.693146; Chi2=24.967; [Passed]
Phi(6)=-4.15888; ApEn[6]=0.693144; Chi2=45.1833; [FAILED] (46.595 <= 45.1833 <= 83.675
Phi(7)=-4.85202; ApEn[7]=0.693141; Chi2=104.621; [Passed]
Test 05 End.
Test 06 Start.
Parameters: L=9, Q=5120, K=926947
Xu: 8.17695, (Exp: 8.17642, Var: 3.311)
Zu: 0.000286276
Universal P-Value is: 0.654705
Test 06 End.

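The V and X values printed by Test 01 and Test 04 above can be recomputed from the printed counts with the usual monobit and autocorrelation statistics. The following is an added example, not the author's test program; the formulas are an assumption (the slides do not state them), and the alternating bit stream is constructed here to show a balanced but predictable source being rejected.

```python
import math
from collections import Counter

def monobit_stat(zeros, ones):
    """(n0 - n1)^2 / n; chi-square distributed with 1 degree of freedom."""
    return (zeros - ones) ** 2 / (zeros + ones)

def autocorr_stat(misses, n, shift):
    """misses = positions where bit[i] != bit[i + shift]; approximately N(0, 1)."""
    m = n - shift
    return 2 * (misses - m / 2) / math.sqrt(m)

def poker_stat(bits, size):
    """Chi-square over non-overlapping blocks of `size` bits."""
    k = len(bits) // size
    seen = Counter(tuple(bits[i * size:(i + 1) * size]) for i in range(k))
    return 2 ** size * sum(c * c for c in seen.values()) / k - k

def monobit(bits):
    ones = sum(bits)
    return monobit_stat(len(bits) - ones, ones)

def autocorr(bits, shift):
    misses = sum(a ^ b for a, b in zip(bits, bits[shift:]))
    return autocorr_stat(misses, len(bits), shift)

def monobit_pass(v):
    """Pass window printed by Test 01 in the output above."""
    return 0.00393 < v < 3.841

# Constructed input: a perfectly balanced but fully predictable stream.
ALTERNATING = [0, 1] * 10_000

if __name__ == "__main__":
    # Statistics recomputed from the counts printed on the slides.
    print("monobit from slide counts:", round(monobit_stat(4193447, 4195161), 6))
    print("autocorr from slide, shift 1:", round(autocorr_stat(4196417, 8388608, 1), 5))
    # The alternating stream has a monobit value of 0, below the lower bound,
    # and its shift-1 autocorrelation is far from the N(0, 1) range.
    v = monobit(ALTERNATING)
    print("alternating monobit:", v, "pass" if monobit_pass(v) else "fail")
    print("alternating autocorr, shift 1:", round(autocorr(ALTERNATING, 1), 2))
    print("alternating poker, size 2:", poker_stat(ALTERNATING, 2))
```

The lower bound on the monobit window is what rejects a stream that is too evenly balanced; the autocorrelation and poker statistics catch the same stream from its structure.
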
TRNG Certification
Two possible routes:
1. FIPS-140-2: National Institute of Standards and Technology (NIST) - Security Requirements for Cryptographic Modules.
2. AIS 31: German Federal Office for Information Security (BSI) - Functionality Classes and Evaluation Methodology for True (Physical) Random Number Generators.

My Design - The Ring Oscillators
[Figure: ring oscillator schematic. Output signal: ClkOut]

My Design - The Ring Oscillators
[Figure: ring oscillator implementation. Labels: two LUTs with inputs A1 to A4 (D=A1 and D=~A1), FeedBack0, FeedBack1, ClkEnable, ClkReset, Init, ClkOut]

My Design - The Sampler
[Figure: sampler schematic. Signals: Clk0, Clk1, S0, C0, R0, E0, CE, Init, BitReady, ReadAck, RandOut, From/To Control]

My Design - The Sampler
[Figure: timing diagram. Signals: Clk1, Clk0, S0, C0, RandOut]

My Design - The Control Circuits
- Disable the output flip-flops in the sampler after a bit is sampled to prevent bounce.
- Reset the counter flip-flop to prevent correlations between successive bits.

My Design - Evidence of Jitter
Experiment: Add a counter to the clk0 signal and latch the count every time a random bit is output. If there is no jitter then the count will always be at most two different values.

My Design - Evidence of Jitter
[Figure: histogram. X axis: Signal S0 Size (211 to 221, More); Y axis: Number of Occurrences (0 to 3500)]

My Design - Evidence of Jitter
[Figure: histogram. X axis: Signal S0 Size (325 to 343); Y axis: Number of Occurrences (0 to 1600)]

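The reasoning behind the jitter experiment above can be checked with a small simulation; this is an added example, not the author's design or measurement code. It assumes a simplified model in which Clk1 is slightly slower than Clk0, one bit is output per beat cycle of the two clocks, and jitter is Gaussian; the constants P0 and DELTA and the function names are constructed for illustration.

```python
import random

P0 = 100_000   # Clk0 period in arbitrary time units (constructed value)
DELTA = 463    # Clk1 period minus Clk0 period (constructed value)

def latched_counts(n_samples, sigma, seed=1):
    """Clk0 cycles counted between successive latches, one latch per beat cycle.

    phase is how far Clk1's sampling edge has slipped relative to Clk0; each
    Clk1 sample slips by DELTA plus Gaussian jitter with std-dev sigma.
    """
    rng = random.Random(seed)
    phase, beats, samples, counts = 0, 0, 0, []
    for _ in range(n_samples):
        phase += DELTA + round(rng.gauss(0, sigma))
        samples += 1
        if phase // P0 > beats:          # sampling point wrapped past a Clk0 edge
            beats = phase // P0
            counts.append(samples + 1)   # Clk0 ran one extra cycle over the beat
            samples = 0
    return counts

def histogram(counts):
    """Occurrences of each latched count, sorted by count value."""
    hist = {}
    for c in counts:
        hist[c] = hist.get(c, 0) + 1
    return dict(sorted(hist.items()))

if __name__ == "__main__":
    # Without jitter the latched count takes only two adjacent values.
    print("no jitter:  ", histogram(latched_counts(200_000, sigma=0)))
    # With jitter the count spreads over many values, as in the histograms above.
    print("with jitter:", histogram(latched_counts(200_000, sigma=40)))
```
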
My Design - Testing
[Diagram labels, in order:]
- Windows 2000
- VHDL (Text files)
- Compiler (Synplify V7.2)
- Placement and Routing (Xilinx ISE-4 toolset)
- Bit file (Binary file)
- Red Hat Linux
- Control file (Compiled C++)
- Control Process
- SLAAC Board (Contains FPGAs and control logic)

My Design - Testing
- Create 128MByte file of bits (1Gbit).
- NIST suite ran for three days on CPE02.
- Results showed no failures.

Future Work
I created a design that used one CLK1 signal sampling four CLK0s. Initial tests showed that out of 78 placements across the top half of the FPGA only four failed to produce initial evidence of randomness.

Future Work
Slower ring oscillators might produce wider tolerances for oscillator differences.

Questions