Improving Ring-oscillator-based True Random Number Generators using Multiple Sampling - JSTS
JOURNAL OF SEMICONDUCTOR TECHNOLOGY AND SCIENCE, VOL.19, NO.3, JUNE, 2019 ISSN(Print) 1598-1657
https://doi.org/10.5573/JSTS.2019.19.3.305 ISSN(Online) 2233-4866
Improving Ring-oscillator-based True Random Number
Generators using Multiple Sampling
Piljoo Choi¹, Ji-Hoon Kim², and Dong Kyue Kim³

Abstract—A ring-oscillator-based true random number generator (TRNG) can be implemented using only digital standard cells. However, this requires significant hardware resources to compensate for the low bit rate. In this letter, we propose an improved Fibonacci and Galois ring oscillator (FIGARO) TRNG based on a multiple-sampling technique. We implemented FIGARO TRNGs with and without multiple sampling in the same field-programmable gate array and tested the generators' randomness using the National Institute of Standards and Technology (NIST) random test suite. Our experimental results show that the proposed FIGARO TRNG with multiple sampling requires 3.67-4.76 times fewer resources than when only FIGAROs are used for the same bit rates.

Index Terms—Random number generation, entropy, oscillators, signal sampling, field programmable gate arrays

I. INTRODUCTION

Random numbers can be generated by two types of generators: pseudo-random number generators (PRNGs) and true random number generators (TRNGs). PRNGs use complex algorithms, whereas TRNGs can be implemented via simple structures. TRNGs based on ring oscillators (ROs) [1-6] are widely used because of their simple structures and low cost of implementation; such generators use only digital standard cells without complex analog circuits. However, the main entropy in RO-based TRNGs occurs because of jitter accumulation in ROs, which is very time consuming. Although low bit rates due to jitter accumulation can be overcome by using multiple ROs, this uses more hardware resources [2].

In previous work [6], we proposed a multiple-sampling technique and compared it to a conventional RO-based TRNG method. To compensate for the low bit rate, we did not increase the number of ROs like the conventional method, but used multiple clock signals with different phases instead of a single clock signal. Here, using our multiple-sampling technique as a basis, we improve the Fibonacci and Galois ring oscillator (FIGARO) TRNG [3-5], which is widely used [7-9]. Because jitter accumulates randomly in a FIGARO, a TRNG using a FIGARO can generate entropy faster than TRNGs using only normal ROs. Although a FIGARO TRNG also requires multiple FIGAROs to achieve high bit rates, the number of required FIGAROs can be reduced by using multiple sampling [6]. We implemented both the original FIGARO TRNG without multiple sampling and our new FIGARO TRNG with multiple sampling in the same field-programmable gate array (FPGA) and compared these two types of TRNGs in terms of their bit rates and hardware resource usage. During our experiments, we verified the randomness of the TRNGs using the National Institute of Standards and Technology (NIST) random test suite [10].

Manuscript received Nov. 30, 2018; accepted Apr. 9, 2019
¹ Software Education Committee, Hanyang University, 222 Wangsimni-ro, Seongdong-gu, Seoul 04763, Korea
² Dept. of Electronic and Electrical Engineering, Ewha Womans University, 52 Ewhayeodae-gil, Seodaemun-gu, Seoul 03760, Korea
³ Dept. of Electronic Engineering, Hanyang University, 222 Wangsimni-ro, Seongdong-gu, Seoul 04763, Korea
E-mail: dqkim@hanyang.ac.kr
II. PREVIOUS TRNG

The FIGARO TRNG was proposed in [3] and only approximately 50 ns are required after a restart until the standard deviation of its outputs reaches a value close to 0.5. This is a much shorter duration than the thousands of ns required for a normal RO [4]. Compared to a normal RO, this difference is caused by the more complex structure of the FIGARO, which consists of a Fibonacci RO (FIRO) and a Galois RO (GARO), as illustrated in Fig. 1.

Fig. 1. Structure of FIGARO.

A FIRO and a GARO are configured using the binary polynomials $f(x) = 1 + \sum_{i=1}^{r_1-1} f_i x^i + x^{r_1}$ and $g(x) = 1 + \sum_{i=1}^{r_2-1} g_i x^i + x^{r_2}$, respectively. The paths marked $f_i$ and $g_i$ are shorted or open depending on the values of $f_i$ and $g_i$. This creates multiple inner loops in the feedback structure, which causes pseudo-randomness. In contrast, a normal RO has only a single loop. As a result, sampling the FIGARO rather than a normal RO is much more advantageous for obtaining entropy [4].

Depending on the frequency of the system clock or the required bit rate, more than one FIGARO can be used; for example, M = 5 at 12 MHz in [5], where M is the minimum number of FIGAROs required to pass the NIST random test suite [10]. When M > 1, before being sampled by the system clock, clk_system, the FIGARO outputs are combined into one signal using simple logic gates, such as the exclusive-or (XOR) gate shown in Fig. 1. To remove bias and further improve randomness, the XOR gate can be replaced with more complex logic gates, called a post-processing unit (PPU).

III. PROPOSED DESIGN

By applying the multiple-sampling technique, our improved TRNG can generate random bits at high bit rates and requires a single FIGARO rather than multiple FIGAROs. Including the additional circuits for multiple sampling, the structure of our TRNG is described in Fig. 2, where N is the number of cells in the clock generator.

Fig. 2. Our new FIGARO TRNG using multiple sampling.

In contrast to a conventional FIGARO TRNG depicted in Fig. 1, our new TRNG additionally has a multiple-sampling unit (MSU) before the FIGAROs are sampled by the clk_system. The N-phase clock signals for the MSU come from the cells connected within a feedback structure in the clock generator, and one by one, they are distributed to N pairs of falling-edge and rising-edge-triggered flip-flops (FFs) in the MSU. The total 2N FFs sample the common data signal from the FIGARO at the falling edge and rising edge of the N-phase clock signals.

Because the intervals between the sampling points at 2N FFs are very short, the multiple-sampling technique increases the probability that the data signals are sampled near the threshold voltage. This unstable state, which does not have a definite value of one or zero, is referred to as meta-stable. This meta-stability is a source of entropy in TRNGs. Multiple sampling can cause meta-stability, which improves randomness and reduces M compared to TRNGs using FIGAROs alone [5].

As a PPU, we chose to use a linear feedback shift register (LFSR), as used in [6]. The LFSR is configured using an irreducible polynomial $p(x) = 1 + \sum_{i=1}^{2N-1} p_i x^i + x^{2N}$, which is similar to the configuration method used for the FIRO and GARO. Because of its complex structure, the LFSR is more advantageous for post-processing than the XOR gate in Fig. 1. Note that to generate one random bit, the TRNG in [6] requires the accumulation of multiple clock cycles in the PPU. In contrast, our TRNG can generate one random bit every clock cycle without accumulation. Therefore, unlike in [6], the bit rate does not decrease.

IV. IMPLEMENTATION AND TESTING RESULTS

Our TRNG was implemented in Xilinx XC6SLX150 (Spartan 6) using the same configuration described in [4-6]: $f(x) = x^{15} + x^{14} + x^{7} + x^{6} + x^{5} + x^{4} + x^{2} + 1$, $g(x) = x^{31} + x^{27} + x^{23} + x^{21} + x^{20} + x^{17} + x^{16} + x^{15} + x^{13} + x^{10} + x^{9} + x^{8} + x^{6} + x^{5} + x^{4} + x^{3} + x + 1$, N = 3, and $p(x) = x^{6} + x^{5} + 1$. A total of $10^9$ bits were generated continuously at a clock frequency of 100 MHz. Then, the bit sequence was extracted via USB and examined using the NIST random test suite [10]. We also conducted an additional test at 50 MHz. In the additional test, we replaced the FIGARO with a smaller RO: a FIRO. The test results in Table 1 show that all proportions are > 0.9805607 and all P-values_T are > 0.001. This means that the bit sequences from our TRNG passed the test suite with acceptable proportions for a level of significance of α = 0.01 and with a uniform distribution.

Table 1. Random test results of our TRNG at 100 and 50 MHz

| Test | With FIGARO @ 100 MHz: P-value_T | With FIGARO @ 100 MHz: Prop. | With FIRO @ 50 MHz: P-value_T | With FIRO @ 50 MHz: Prop. |
|---|---|---|---|---|
| Frequency | 0.3925 | 0.992 | 0.6080 | 0.989 |
| Block frequency | 0.4673 | 0.990 | 0.5524 | 0.992 |
| Cumulative sums (Forward) | 0.5605 | 0.992 | 0.4808 | 0.984 |
| Cumulative sums (Inverse) | 0.3787 | 0.990 | 0.7177 | 0.988 |
| Runs | 0.4354 | 0.991 | 0.6018 | 0.982 |
| Longest run | 0.9323 | 0.992 | 0.0460 | 0.990 |
| Rank | 0.1959 | 0.991 | 0.1644 | 0.999 |
| FFT | 0.1188 | 0.984 | 0.2122 | 0.989 |
| Non-overlap. (B = 000000001) | 0.8596 | 0.989 | 0.1529 | 0.988 |
| Overlapping | 0.6038 | 0.988 | 0.4808 | 0.989 |
| Universal | 0.0017 | 0.990 | 0.0088 | 0.986 |
| Approximate entropy | 0.8395 | 0.987 | 0.8291 | 0.991 |
| Random excursions (x = +1) | 0.1866 | 0.987 | 0.5196 | 0.987 |
| Random excur. var. (x = –1) | 0.9720 | 0.987 | 0.0853 | 0.986 |
| Serial (m = 16, ∇ψ²_m) | 0.1094 | 0.989 | 0.9962 | 0.994 |
| Linear complexity | 0.7944 | 0.993 | 0.5873 | 0.985 |

We compared the performance of our improved TRNG with that of the original FIGARO TRNG. For a fair comparison, we also implemented the original FIGARO TRNG in the same FPGA with an LFSR-based PPU instead of just the XOR gate in Fig. 1. Only the size of the LFSR in the PPU was different, depending on M. The implementation results for 50 and 100 MHz are shown in Table 2. A FIRO is considered as M = 0.5 because a FIRO is a part of the FIGARO.

Table 2. Implementation results at 50 and 100 MHz

| TRNG | Clk freq. (MHz) | M | Area (LUTs + Regs.) | Bit rate (Mbps) | BPA (Mbps / (LUTs + Regs.)) |
|---|---|---|---|---|---|
| FIGAROs only | 50 | 3 | 211 + 3 | 50 | 0.23 |
| FIGAROs only | 100 | 5 | 351 + 5 | 100 | 0.28 |
| FIGARO + MSU (ours) | 50 | 0.5 | 33 + 12 | 50 | 1.11 |
| FIGARO + MSU (ours) | 100 | 1 | 85 + 12 | 100 | 1.03 |
| RO + MSU [6] (V5) | 50 | - | 23 + 15 | 12.5 | 0.33 |

V5: Implementation results of [6] in Virtex 5.

Table 2 shows that the use of the multiple-sampling technique can significantly reduce the value of M. Considering that a FIGARO occupies 70 LUTs and an MSU occupies only six registers and nine LUTs, adding an MSU is more effective for entropy enhancement than adding more FIGAROs. As a result, our TRNG requires 3.67 and 4.76 times fewer resources at 50 and 100 MHz, respectively, than the original FIGARO TRNGs for the same bit rates.

Table 2 also shows that our new TRNG has a much higher bit rate and BPA than the TRNG in our previous work [6]. Although the TRNG in [6] already has a higher BPA than those of the TRNGs in [11, 12] for compliance with the NIST random test suite, it is difficult to increase its bit rate any further even when higher bit rates are required. For higher bit rates, our new TRNG can be a good alternative to the TRNG in [6], requiring small area overhead.

V. CONCLUSIONS

We proposed an improved FIGARO TRNG using multiple sampling; this allowed the number of FIGAROs to be reduced in exchange for small additional logic costs for the multiple sampling. Our implementation results
showed that for the same bit rate, our improved FIGARO TRNG required fewer resources than the previous method that uses only multiple FIGAROs. This means that applying multiple sampling is very effective to improve bit rates, and we expect that the multiple-sampling technique will be also applicable to other RO-based TRNGs. Additionally, the NIST random test results showed that our TRNG generated random numbers sufficiently secure to be used in applications such as cryptography [7-9].

ACKNOWLEDGMENTS

We thank Sung-Ha Lee, who helped our implementation and testing.

REFERENCES

[1] J. Wu and M. O'Neill, “Ultra-lightweight true random number generators,” Electronics Letters, Vol. 46, No. 14, pp. 988-990, July, 2010.
[2] B. Sunar, W. J. Martin, and D. R. Stinson, “A provably secure true random number generator with built-in tolerance to active attacks,” Computers, IEEE Transactions on, Vol. 56, No. 1, pp. 109-119, Jan., 2007.
[3] J. D. Golić, “New methods for digital generation and postprocessing of random data,” Computers, IEEE Transactions on, Vol. 55, No. 10, pp. 1217-1229, Aug., 2006.
[4] M. Dichtl and J. D. Golić, “High-speed true random number generation with logic gates only,” Cryptographic Hardware and Embedded Systems 2007, CHES 2007, International Workshop on, pp. 45-62, Sep., 2007.
[5] Ü. Güler, S. Ergün, and G. Dündar, “A digital IC random number generator with logic gates only,” Electronics, Circuits, and Systems, 2010, ICECS, 17th IEEE International Conference on, pp. 239-242, Dec., 2010.
[6] P. Choi, M.-K. Lee, and D. K. Kim, “Fast compact true random number generator based on multiple sampling,” Electronics Letters, Vol. 53, No. 13, pp. 841-843, June, 2017.
[7] T. Güneysu, V. Lyubashevsky, and T. Pöppelmann, “Lattice-based signatures: optimization and implementation on reconfigurable hardware,” Computers, IEEE Transactions on, Vol. 64, No. 7, pp. 1954-1967, July, 2015.
[8] K. Liao, X. Cui, N. Liao, T. Wang, D. Yu, and X. Cui, “High-performance noninvasive side-channel attack resistant ECC coprocessor for GF(2^m),” Industrial Electronics, IEEE Transactions on, Vol. 64, No. 1, pp. 727-738, Oct., 2016.
[9] A. Das, B. Ege, S. Ghosh, L. Batina, and I. Verbauwhede, “Security analysis of industrial test compression schemes,” Computer-Aided Design of Integrated Circuits and Systems, IEEE Transactions on, Vol. 32, No. 12, pp. 1966-1977, Nov., 2013.
[10] E. Lawrence, L.E. Bassham III, et al., “SP 800-22 rev. 1a. a statistical test suite for random and pseudorandom number generators for cryptographic applications,” National Institute of Standards and Technology (NIST), Apr., 2010.
[11] O. Petura, U. Mureddu, N. Bochard, V. Fischer, and L. Bossuet, “A survey of AIS-20/31 compliant TRNG cores suitable for FPGA devices,” Field Programmable Logic and Application, International Conference on, pp. 1–10, Aug., 2016.
[12] B. Yang, V. Rožic, M. Grujic, N. Mentens, and I. Verbauwhede, “ES-TRNG: A high-throughput, low-area true random number generator based on edge sampling,” Cryptographic Hardware and Embedded Systems, IACR Transactions on, pp. 267-292, 2018.

Piljoo Choi received the B.S., M.S., Ph.D. degrees in Electronic Computer Engineering from Hanyang University, Seoul, South Korea, in 2010, 2012, and 2018, respectively. He is currently a professor in Software Education Committee at Hanyang University. His research interests are in the areas of security SoC (System on Chip), crypto-coprocessors, and information security.

Ji-Hoon Kim received the B.S. (summa cum laude) and Ph.D. degrees in electrical engineering and computer science from KAIST, Daejeon, South Korea, in 2004 and 2009, respectively. In 2009, he joined Samsung Electronics. In 2018, he joined the faculty of the department of electronic and electrical engineering, Ewha Womans University, where he is currently an associate professor. His current interests include CPU/DSP, communication modem, and low-power SoC design for security/biomedical systems. Dr. Kim is a technical committee member of the circuits and systems for communications and VLSI systems and applications in the IEEE Circuits and Systems Society. He was a recipient of the best design award at Dongbu HiTek IP Design Contest in 2007 and first place award at the International SoC Design Conference Chip Design Contest in 2008.

Dong Kyue Kim received the B.S., M.S. and Ph.D. degrees in Computer Engineering from Seoul National University in 1992, 1994, and 1999, respectively. From 1999 to 2005, he was an assistant professor in the Division of Computer Science and Engineering at Pusan National University. From 2006, he is a professor in the Department of Electronic Engineering at Hanyang University. His research interests are in the areas of security SoC, secure processor, crypto-coprocessors, and information security systems.
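
For the LFSR-based PPU of Section III, the following added example (not the authors' circuit or code) models a degree-2N LFSR over GF(2) with the paper's p(x) = x^6 + x^5 + 1 and checks that the polynomial is irreducible. How the 2N sampled bits enter the register and which state bit is output are assumptions, because the paper does not give the PPU wiring.

```python
# Added example (not the authors' RTL): GF(2) model of a degree-2N LFSR PPU.
P = 0b1100001               # p(x) = x^6 + x^5 + 1 from Section IV (N = 3)
DEG = P.bit_length() - 1    # 2N = 6

def gf2_mod(a, m):
    """Remainder of a(x) / m(x); polynomials are bit masks over GF(2)."""
    while a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a

def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)//2."""
    deg = p.bit_length() - 1
    return all(gf2_mod(p, d) for d in range(2, 1 << (deg // 2 + 1)))

def ppu_step(state, sample):
    """One clock: multiply the state by x mod p(x), then XOR in the 2N samples.
    ASSUMPTION: MISR-style wiring; the paper does not specify it."""
    state <<= 1
    if state >> DEG:
        state ^= P
    return state ^ (sample & ((1 << DEG) - 1))

def ppu_run(samples, seed=1):
    """One output bit per clock (top state bit; the choice is an assumption)."""
    out, state = [], seed
    for s in samples:
        state = ppu_step(state, s)
        out.append(state >> (DEG - 1))
    return out

def stuck_source_period(seed=1):
    """Clocks until the state repeats when every sampling flip-flop reads 0."""
    state, n = ppu_step(seed, 0), 1
    while state != seed:
        state, n = ppu_step(state, 0), n + 1
    return n

if __name__ == "__main__":
    print("p(x) irreducible:", is_irreducible(P))
    print("period with a dead entropy source:", stuck_source_period())
    bits = ppu_run([0] * 63)    # constructed input: source stuck at 0
    print("ones in 63 output bits:", sum(bits))
```

With the samples stuck at 0 the model still emits a balanced sequence of period 63, because this p(x) is also primitive. Source health therefore has to be judged on the raw sampled bits, not on the post-processed stream.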
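
For the pass criteria quoted in Section IV, the following added example (not from the paper) derives the 0.9805607 proportion threshold from the SP 800-22 acceptance interval and re-checks every entry of Table 1 against it. The sequence count m = 1000 is inferred from the quoted threshold rather than stated in the paper, and applying the same interval to the random-excursions rows is a simplifying assumption.

```python
import math

ALPHA = 0.01          # significance level stated in Section IV
MIN_PROP = 0.9805607  # proportion threshold quoted in Section IV
MIN_PVALUE_T = 0.001  # P-valueT threshold quoted in Section IV

def proportion_bounds(m, alpha=ALPHA):
    """SP 800-22 interval (1-a) +/- 3*sqrt(a(1-a)/m) for the pass proportion."""
    half = 3.0 * math.sqrt(alpha * (1.0 - alpha) / m)
    return 1.0 - alpha - half, 1.0 - alpha + half

def sequences_implied(threshold, alpha=ALPHA):
    """Invert the lower bound: the sequence count m that yields this threshold."""
    return round(alpha * (1.0 - alpha) * (3.0 / (1.0 - alpha - threshold)) ** 2)

# Table 1 as printed: (test, P-valueT @100 MHz, Prop., P-valueT @50 MHz, Prop.)
TABLE1 = [
    ("Frequency",               0.3925, 0.992, 0.6080, 0.989),
    ("Block frequency",         0.4673, 0.990, 0.5524, 0.992),
    ("Cumulative sums fwd",     0.5605, 0.992, 0.4808, 0.984),
    ("Cumulative sums inv",     0.3787, 0.990, 0.7177, 0.988),
    ("Runs",                    0.4354, 0.991, 0.6018, 0.982),
    ("Longest run",             0.9323, 0.992, 0.0460, 0.990),
    ("Rank",                    0.1959, 0.991, 0.1644, 0.999),
    ("FFT",                     0.1188, 0.984, 0.2122, 0.989),
    ("Non-overlapping",         0.8596, 0.989, 0.1529, 0.988),
    ("Overlapping",             0.6038, 0.988, 0.4808, 0.989),
    ("Universal",               0.0017, 0.990, 0.0088, 0.986),
    ("Approximate entropy",     0.8395, 0.987, 0.8291, 0.991),
    ("Random excursions",       0.1866, 0.987, 0.5196, 0.987),
    ("Random excursions var.",  0.9720, 0.987, 0.0853, 0.986),
    ("Serial",                  0.1094, 0.989, 0.9962, 0.994),
    ("Linear complexity",       0.7944, 0.993, 0.5873, 0.985),
]

def failing_rows(table, m):
    """(test, column) pairs outside the interval or at/below the P-valueT floor."""
    lo, hi = proportion_bounds(m)
    cols = lambda r: (("100 MHz", r[1], r[2]), ("50 MHz", r[3], r[4]))
    return [(r[0], c) for r in table for c, pv, prop in cols(r)
            if not lo <= prop <= hi or pv <= MIN_PVALUE_T]

if __name__ == "__main__":
    m = sequences_implied(MIN_PROP)   # inferred, not stated in the paper
    print("sequences:", m, "bits each:", 10**9 // m)
    print("interval:", proportion_bounds(m))
    print("failing rows:", failing_rows(TABLE1, m))
```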