## No full-text available

To read the full-text of this research,

you can request a copy directly from the author.

Conference Paper

The issue of random number generation is crucial for the implementation of cryptographic systems. Random numbers are often used in key generation processes, authentication protocols, zeroknowledge protocols, padding, in many digital signature and encryption schemes, and even in some side channel attack countermeasures. For these applications, security depends to a great extent on the quality of the source of randomness and on the way this source is exploited. The quality of the generated numbers is checked by statistical tests. In addition to the good statistical properties of the obtained numbers, the output of the generator used in cryptography must be unpredictable. Besides quality and unpredictability requirements, the generator must be robust against aging effects and intentional or unintentional environmental variations, such as temperature, power supply, electromagnetic emanations, etc. In this paper, we discuss practical aspects of a true random number generator design. Special attention is given to the analysis of security requirements and on the way how this requirements can be met in practice.

To read the full-text of this research,

you can request a copy directly from the author.

... This situation results from the statistical nature of the tests themselves and means that the decisive factor is the negative (rejecting the sequence as definitely pseudorandom) rather than the positive result of such tests. An example of a simple pseudorandom number generator is the congruence algorithm (Linear Congruential Generator): (a, b, m are appropriately selected known constants): the initial state is the seed value, the output bit which is taken arbitrarily, the next bit is generated according to the recipe: new state = aÃ − old state + b mod(m) , generated bit = new state mod (2) . It is a pseudorandom algorithm: (1) it becomes periodic easily, (2) there are known methods of guessing a, b, m based on the sequence observation. ...

... An example of a simple pseudorandom number generator is the congruence algorithm (Linear Congruential Generator): (a, b, m are appropriately selected known constants): the initial state is the seed value, the output bit which is taken arbitrarily, the next bit is generated according to the recipe: new state = aÃ − old state + b mod(m) , generated bit = new state mod (2) . It is a pseudorandom algorithm: (1) it becomes periodic easily, (2) there are known methods of guessing a, b, m based on the sequence observation. Another example of a pseudorandom generator is an iterative call to a cryptographic hash function (such as MD5 or SHA1). ...

... If, for example, the source will provide its own state of the measured quantity with some frequency, the randomness of the result will be strongly disturbed. Therefore, step (1) is as important as step (2). Moreover, the result of step (2) is always to some extent mixed with the classical noise resulting from the macroscopic practical implementation of the von Neumann projection. ...

Generation of random numbers is a central problem for many applications in the field of information processing, including, e.g., cryptography, in classical and quantum regime, but also mathematical modeling, Monte Carlo methods, gambling and many others. Both, the quality of the randomness and efficiency of the random numbers generation process are crucial for the most of these applications. Software produced pseudorandom bit sequences, though sufficiently quick, do not fulfill required randomness quality demands. Hence, the physical hardware methods are intensively developed to generate truly random number sequences for information processing and electronic security application. In the present paper we discuss the idea of the quantum random number generators. We also present a variety of tests utilized to assess the quality of randomness of generated bit sequences. In the experimental part we apply such tests to assess and compare two quantum random number generators, PQ4000KSI (of company ComScire US) and JUR01 (constructed in Wroclaw University of Science and Technology upon the project of The National Center for Research and Development) as well as a pseudorandom generator from the Mathematica Wolfram package. Finally, we present our new prototype of fully operative miniaturized quantum random generator JUR02 producing a random bit sequence with velocity of 1 Mb/s, which successfully passed standard tests of randomness quality (like NIST and Dieharder tests). We also shortly discuss our former concept of an entanglement-based quantum random number generator protocol with unconditionally secure public randomness verification.

... In the system of which hardware implementation is performed, the proposed post-processing technique was compared with the known post-processing techniques, and the design parameters were examined in detail. In Ref. [29], a new genetic algorithm based post-processing model was proposed to improve the statistical quality of TRNGs. ...

... The implementation of the primitives forming the cryptographic system on a single chip as a whole is a desirable feature in terms of system security. FPGA environment, on which crypto systems can be implemented as a whole, is an ideal solution for these basic requirements [29,30]. However, FPGAs are digital devices and operate based on logical transformations of deterministic processes applied on them. ...

... Besides the statistical quality and system security of TRNGs, which generally provide hardware-dependent slow solutions, the cost of operation (speed) is another important evaluation criterion [29]. The structural complexities of the post-processing techniques used in terms of system security lead to a reduction in the system's bit production rate. ...

In this study, the hardware implementation of a TRNG using an alternative post-processing technique is presented. ROs (ROs) are used as the noise source of TRNG and true randomness is obtained from the jitter. The use of an entropy pool composed of discrete-time chaotic systems (quadratic map, cubic map, Bernoulli shift map and tent map) is proposed as the post-processing technique for TRNG. In the system, the statistical quality of true random numbers with low statistical quality, obtained from jitter, is improved to meet cryptographic qualifications with the proposed post-processing technique. Unlike other known post-processing techniques in the literature, the post-processing technique based on the effective use of chaos is user-controlled, and is dynamically adaptable to the chosen chaotic systems. Thus, optional post-processing inputs fed from a single chaotic system or different combinations of those systems can be obtained for the TRNG. The performance of the proposed TRNG with this post-processing is high. In addition to this, the fact that any random number sequence can be generated with the contribution of more than one chaotic input in the post-processing stage makes both the post-processing and TRNG safer and more secure. In addition to the chaos-based comprehensive security analysis of the post-processing, the statistical validation of the TRNG is made by using test-based tools. As a result, it has been found that the proposed post-processing technique can be used for cryptographic purposes.

... In all modern cryptographic algorithms and secure communication protocols, random numbers play an important part. Random numbers are used as cryptographic keys in both symmetric and asymmetric encryption, initialization vectors for stream ciphers, padding values in asymmetric encryption, challenges in zero-knowledge proofs, countermeasure implementation against side-channel attacks, and many more [1]. The overall security of a cryptographic system is critically dependent on the statistical quality of the generated random numbers-if the random numbers have higher predictability, i.e., lower entropy, several powerful attacks exist to break the security of the cryptosystem. ...

... For any cryptosystem, it is important that the cryptographic keys are generated inside the system, and never leave the system in plaintext over an unencrypted communication channel. Hence, if the cryptosystem is implemented on a single chip, the TRNG being used as the key generator is usually also implemented on-chip [1]. ...

... Further, one may argue that given that any randomness testing tool is effective only until the next nondistinguishing attack is reported, is it worth enough to explore different randomness testing strategies at all? We have followed the principles laid out in [1], which says that contemporary TRNG designs should have a three-fold security evaluation criteria which consists of: (a) a proof of robustness; (b) embedded tests of randomness, and (c) a stochastic model of randomness. Our approach to a HTH design that impacts the randomness of a common TRNG also naturally extends to development of stronger randomness evaluation techniques compared to the state-of-the-art. ...

True Random Number Generator (TRNG) circuits are important components of cryptographic systems. Lack of statistical randomness in the generated bitstreams from a TRNG can result in compromised keys, leading to serious security breaches. In this paper, we describe a Hardware Trojan Horse (HTH)-based attack on the TRNG of an FPGA-based cryptosystem, that results in reduced entropy and increased predictability of the generated keys. The proposed HTH does not cause any functional failure in the cryptosystem, and its impact is undetectable by analysis of the compromised bitstream using standard statistical randomness testing software suites (NIST, two enhanced versions of NIST Dieharder, and LIL-tests), and by a circuit-level HTH detection technique using Transition Effect Ring Oscillator (TERO). Finally, we show that the impact of the HTH can be detected by applying Wavelet Transform on the compromised bitstream.

... FPGAs are widely used for implementation and evaluation of cryptographic primitives, algorithms and protocols [1] . Many new TRNGs were recently implemented in FP- GAs as well [2] . However, their quality is mostly evaluated using evaluation boards designed by FPGA vendors with different objectives. ...

... For this reason, when evaluating the generator principle, all noise sources, which do not come from the generator should be reduced to a minimum. This very important condition is neglected very often in scientific papers presenting and evaluating new TRNG principles [2]. From the above mentioned analysis it follows that in order to compare TRNG principles and their implementation in different FPGA families as fairly as possible, the evaluation boards should be identical, they should contain only necessary components and should operate in the same Fig. 1. ...

True Random Number Generators (TRNG) are cryptographic primitives that exploit intrinsic noise sources in electronic devices. Their quality is linked to the underlying technology, activity of the neighboring circuitry and device environment (temperature, power supply, electromagnetic emanations). Consequently, when comparing TRNGs, they should be tested in identical technology, system architecture and operating conditions. We present a unified hardware platform and related open source tools aimed at fair benchmarking of TRNGs implemented in different FPGA technologies. The platform is accessible remotely. Designers can download related tools from the web site and they can upload their configuration bitstream to the remote FPGA and download random data generated in the same hardware and in the same conditions as other concurrent designs and state-of-the-art generators. The proposed tools were approved in many applications and they guarantee safe acquisition of random sequences at data rates of up to 400 Mbits/s.

... Indeed, the side channels can be used very effectively when the target is the security of a critical part of a cryptographic system: the true random number generator (TRNG). The security of the TRNGs is of paramount importance, since they are used to generate the streams of random bits used as confidential encryption keys, random masks (used in countermeasures against side channel attacks), initialization vectors or padding values [3]. If attackers can change the behavior of the embedded TRNG (for instance, if they can change the bias of the generated bit stream), they can drastically reduce the security of the whole cryptographic system. ...

... The second contribution is a method for coupling a passive electromagnetic attack, which allows the inner characteristics of the target TRNG (such as position of the TRNG and ROs and their oscillating frequencies) to be extracted, with an active electromagnetic attack, making it possible to manipulate the TRNG output. Experimental results showed that the proposed methodology enables fine tuning of the active (1,2,3,4) attacks on a TRNG general structure electromagnetic attack and hence significantly increases its efficiency. ...

Many side channels including power consumption, electromagnetic emanation, optical radiation, and even sound have been studied since the first publication of a side channel attack at the end of the 1990s. Most of these channels can be relatively easily used for an overall analysis of the cryptographic system (implementation of efficient passive attacks) or for injection of faults. Until recently, only the optical channel allowed both analysis of locally leaked information and precise injection of faults (single-bit errors). Recent works showed that the near-field electromagnetic channel enables similar results to be obtained. Like the optical channel, the near-field electromagnetic channel allows both active and passive attacks, which, in addition, can be theoretically non-invasive and contactless. However, the cost of the attack bench that is needed to exploit the near-field electromagnetic channel is less than that of an optical channel. Recently, we showed that it is possible to use the near-field electromagnetic channel to perform an efficient active attack targeting the true random number generator (TRNG) based on ring oscillators. In cryptography, TRNGs are chiefly used to generate encryption keys and other critical security parameters, so the proposed active attack could have serious consequences for the security of the whole cryptographic system. Here, we present the coupling of a passive attack and an active attack. The proposed coupled attack first uses a spectral differential analysis of the TRNG electromagnetic radiation to obtain valuable information on the position of ring oscillators and their frequency range. This information is then used to tune the electromagnetic harmonic signal to temporarily synchronize the ring oscillators. In this paper, we propose a fault model of the entropy extractor which shows that the behavior of the ring oscillators changes, and that it occurs additional and unwanted “fake rising edges” of the clock signal which disturb the flip-flops involved in such TRNGs. The effectiveness of our proposed coupled attack questions the use of ring oscillators in the design of TRNGs.

... With high entropy, true random number generator find applications in software security via password generation, protocols to validate aforesaid parties and vector initialization. TRNG overcomes the limitation of pseudo random generators using microscopic or macroscopic phenomenon such as electrical noise, as a sources of randomness which may produce predictable outcomes [1][2]. TRNG based on analogue circuits requires larger area, high power consumption and having low speed. ...

True random number generator is a basic building block of any modern secure communication and cryptography system. FPGA implementation of any system has a flexible architecture and low-cost test cycle. In this paper, we present an FPGA implementation of a high speed true random number generator based on chaos oscillator which gives optimize ratio of bit rate to area. The proposed generator is faster and more compact than the existing chaotic oscillator based TRNGs. The Experimental result shows that the proposed TRNG gives 1439 Mbps with optimizing the use of LUTs and registers. It is verified that the generator passes all the NIST SP 800-22 tests. The proposed TRNG is implemented in two FPGA families Nexus 4 (Artix 7) DDR XC7A100TCSG-1 and Basys 3 XC7A35T1CPG236C (Artix 7) using Xilinx Vivado v.2017.3 design suite.

... For that reason, security recommendations like the AIS 31 standard of the German Bundesamt für Sicherheit in der Informationstechnik (Killmann and Schindler, 2011) or the draft of NIST SP 800-90B (Turan et al., 2016) ask for some kind of self testing inside true random number generators that monitors the state of the device. A subsystem should monitor the state of the device at all times (Bucci and Luzzi, 2005;Fischer, 2012). ...

Random numbers are a fundamental resource in science and engineering with important applications in simulation and cryptography. The inherent randomness at the core of quantum mechanics makes quantum systems a perfect source of entropy. Quantum random number generation is one of the most mature quantum technologies with many alternative generation methods. We discuss the different technologies in quantum random number generation from the early devices based on radioactive decay to the multiple ways to use the quantum states of light to gather entropy from a quantum origin. We also discuss randomness extraction and amplification and the notable possibility of generating trusted random numbers even with untrusted hardware using device independent generation protocols.

... As summarized by Fischer [3], the best way to evaluate unpredictability is to carefully estimate the entropy rate at the generator output. The estimation of entropy must be based on a carefully constructed stochastic model of the random number generation process. ...

Security in random number generation for cryptography is closely related to the entropy rate at the generator output. This rate has to be evaluated using an appropriate stochastic model. The stochastic model proposed in this paper is dedicated to the transition effect ring oscillator (TERO)-based true random number generator (TRNG) proposed by Varchola and Drutarovsky (in: Cryptographic hardware and embedded systems (CHES), 2010, Springer, 2010). The advantage and originality of this model are that it is derived from a physical model based on a detailed study and on the precise electrical description of the noisy physical phenomena that contribute to the generation of random numbers. We compare the proposed electrical description with data generated in two different technologies: TERO TRNG implementations in 40 and 28 nm CMOS ASICs. Our experimental results are in very good agreement with those obtained with both the physical model of TERO’s noisy behavior and the stochastic model of the TERO TRNG, which we also confirmed using the AIS 31 test suites.

... Cryptographic security is needed to prevent users from losing data and to avoid risks related to the inappropriate use of passwords. Many designs providing cryptographic security are based on true random numbers, but their generation is a complex task [6,7]. Some popular random noise algorithms are somehow imperfect, showing defects that make them vulnerable and predictable, which in cryptographic terms is a real concern. ...

Binary sequences are algebraic structures currently used as security elements in Internet of Things devices, sensor networks, e-commerce, and cryptography. In this work, a contribution to the evaluation of such sequences is introduced. In fact, we present a novel algorithm to compute a fundamental parameter for this kind of structure: the linear complexity, which is related to the predictability (or non-predictability) of the binary sequences. Our algorithm reduced the computation of the linear complexity to just the addition modulo two (XOR logic operation) of distinct terms of the sequence. The performance of this procedure was better than that of other algorithms found in the literature. In addition, the amount of required sequence to perform this computation was more realistic than in the rest of the algorithms analysed. Tables, figures, and numerical results complete the work.

... This paper illustrates the design of a chaos based entropy source suitable for TRNGs. The proposal is declined in two consistent with recent ideas on how TRNG should be validated and designed for test [24][25][26]. With respect to [22], this followup illustrates more design options and highlights how the flexibility offered by the use of a lC ADC enables an experimental verification of some recent concepts on the fundamental limits of chaotic maps as RNGs [27] and on the choice of the best way to deliver a digital output from the map analog state. ...

Modern cryptographic protocols require good entropy sources. Unfortunately, many networked devices lack subsystems dedicated to this task, being potentially susceptible to random number generator (RNG) attacks. Yet, most of these systems allow software upgrades and host communication ports, providing the option of a retrofit. This work illustrates how chaotic dynamics can be used to design a sub-10$ entropy source capable of an over 48kbit/s rate and offering multiple serial communication abilities. Operation is based on a standard microcontroller and exploits a loop built around one of its analog to digital converters (ADCs). The design offers self-testing features and enables an experimental validation of some recent results on the choice of the best state quantization function to employ when using chaotic maps as RNGs.

... High-quality randomness is the "wicked problem" of the cyber world [1] [2] that hounds cryptographic applications such as statistics, encryption, e-commerce, gambling and other fields. Given the necessity to generate strong cryptographic keys, random number generators (RNGs) must supply a good source of randomness, which should be computationally difficult to predict but requires less computational efforts to produce [3] [4]. ...

... As summarized by Fischer in 2012 [3], the best way to ensure unpredictability is to carefully estimate the entropy rate at the generator output. The estimation of entropy must be based on a carefully constructed model of the random number generation process. ...

Security in random number generation for cryptography is closely related to the entropy rate at the generator output. This rate has to be evaluated using an appropriate stochastic model. The stochastic model proposed in this paper is dedicated to the transition effect ring oscillator (TERO) based true random number generator (TRNG) proposed by Varchola and Drutarovsky in 2010. The advantage and originality of this model is that it is derived from a physical model based on a detailed study and on the precise electrical description of the noisy physical phenomena that contribute to the generation of random numbers. We compare the proposed electrical description with data generated in a 28 nm CMOS ASIC implementation. Our experimental results are in very good agreement with those obtained with both the physical model of TERO’s noisy behavior and with the stochastic model of the TERO TRNG, which we also confirmed using the AIS 31 test suites.

... Cryptographic algorithms and protocols base their security on the uniformity and the unpredictability (entropy) of the random numbers. Consequently, in the last 20 years, there has been a growing interest in TRNGs that generate random bits from intrinsically nondeterministic physical processes and satisfy high security requirements [2,10]. ...

The generation of high quality true random numbers is essential in security applications. For secure communication, we also require high quality true random number generators (TRNGs) in embedded and IoT devices. This paper provides insights into modern TRNG design principles and their evaluation, based on standard's requirements and design experience. We illustrate our approach with a case study of a recently proposed delay chain based TRNG.

... Security of a TRNG design must be thoroughly evaluated [5]. Namely, two security requirements must be fulfilled: ...

Jittery clock signals produced in oscillators, particularly in ring oscillators are commonly used as a source of randomness in true random number generators (TRNG). The robustness of the generators, and hence their security, is closely linked to the entropy of the generated bit stream, which depends on the size of the jitter. Known jitter size can be used as an input parameter in a stochastic model for the estimation of entropy. Good entropy management can guarantee the security of the generator. We propose a simple precise method for measuring jitter that can be easily embedded in logic devices. It can be used to calibrate an oscillator based TRNG and/or for assessment of the entropy rate while the TRNG is in operation. The method was thoroughly evaluated in simulations and hardware tests and we show that despite its simplicity and small area requirements, it enables the jitter to be measured with an error of less than 5 %.

... TRNGs are key element of the security of cryptographic systems. Indeed, random numbers are often used in key generation processes, authentication protocols, zeroknowledge protocols, padding, in many digital signature and encryption schemes, and even in some side channel attack countermeasures [1] [25]. These two lectures describe random number generation mechanisms and physical entropy extraction. ...

Teaching FPGA security to electrical engineering students is new at graduate level. It requires a wide field of knowledge and a lot of time. This paper describes a compact course on FPGA security that is available to electrical engineering master's students at the Saint-Etienne Institute of Telecom, University of Lyon, France. It is intended for instructors who wish to design a new course on this topic. The paper reviews the motivation for the course, the pedagogical issues involved, the curriculum, the lab materials and tools used, and the results. Details are provided on two original lab sessions, in particular, a compact lab that requires students to perform differential power analysis of FPGA implementation of the AES symmetric cipher.

... Key generation is an essential aspect of the system, since if these values are manipulated or predicted to some extent, the security of the entire system can be compromised. To derive good cryptographic keys TRNGs are needed [3]. However, the generated numbers are not necessarily statistically perfect, since some bias and correlation between the bits might be present. ...

Security is becoming ubiquitous in our society. However, the vulnerability of electronic devices that implement the needed cryptographic primitives has become a major issue. This paper starts by presenting a comprehensive overview of the existing attacks to cryptography implementations. Thereafter, the state-of-the-art on some of the most critical aspects of designing cryptographic co-processors are presented. This analysis starts by considering the design of asymmetrical and symmetrical cryptographic primitives, followed by the discussion on the design and online testing of True Random Number Generation. To conclude, techniques for the detection of Hardware Trojans are also discussed.

... Responsible Editor: M. B. Tahoori Random number generators (RNG) have extensive practical applications. Besides cryptographic algorithms and secure protocols, random number also play a crucial role in IP piracy and IC overproduction [4,5], countermeasures against side channel attacks [6,7], generating nonces or random seeds [8][9][10], and anti-counterfeit measures [11]. Consequently, much research is focused on developing "true" RNGs (TRNGs) with provable randomness properties as specified in certification tests, such as those recommended by National Institute of Standards and Technology (NIST). ...

A random number generator (RNG) is an important building block for cryptographic operations primarily to generate random nonces and secret keys. The power-up value of an SRAM array has been widely accepted as an entropy source for generating random numbers. However, only a few cells of the SRAM are truly random upon repeated power-ups; the vast majority of cells display a distinct bias from manufacturing process variations. Consequently, a relatively large SRAM array is required to obtain sufficient entropy for generating random numbers. Earlier research has proposed the use of controlled device aging at pre-deployment stage to enhance the initial entropy of an SRAM array. However, aging in the field can adversely affect the entropy and degrade randomness; we show here that any initial aging to increase SRAM entropy can even be counterproductive. Instead, we propose an SRAM-based random number generation approach, which continually manipulates device aging during operation to constantly maximize entropy for the entire deployment period. The key idea is to continually stress the SRAM cells in their power-up states at regular intervals. This helps counteract the aging caused by the random memory states that occur during operation. Silicon results are presented to validate our proposed approach.

... Putting into effect cryptographic security is complicated. Most of the security systems are based on true random numbers, but their generation is really a difficult task [1,2]. Many popular random "noise" algorithms, for example, algorithms that are part of IoT devices, end up to be imperfect, showing glitches that make them predictable and vulnerable. ...

Output sequences of the cryptographic pseudo-random number generator, known as the generalized self-shrinking generator, are obtained self-decimating Pseudo-Noise (PN)-sequences with shifted versions of themselves. In this paper, we present three different representations of this family of sequences. Two of them, the p and G-representations, are based on the parameters p and G corresponding to shifts and binary vectors, respectively, used to compute the shifted versions of the original PN-sequence. In addition, such sequences can be also computed as the binary sum of diagonals of the Sierpinski’s triangle. This is called the B-representation. Characteristics and generalities of the three representations are analyzed in detail. Under such representations, we determine some properties of these cryptographic sequences. Furthermore, these sequences form a family that has a group structure with the bit-wise XOR operation.

... It was shown in [12] that ring oscillators are sensitive to signal injection attack which lead to synchronization of the ring oscillators and a dramatic reduction in the entropy rate of the TRNG. Further analyses (see [2], [6]) showed that even in the absence of signal injection, ring oscillators can lock on small common harmonics of their frequency. It so happens that it is possible to internally compute small common harmonics of a couple of ring oscillators and, as a consequence, predict and detect the most probable frequency-lock occurrences. ...

We describe a practical and efficient method to estimate the entropy rate of a TRNG based on free running oscillators that does not require outputting and analyzing the clock signals with external equipment. Rather it relies on very simple computations that can be embedded in any logic device such as FPGA or ASIC. The method can be used for the calibration of an oscillator based TRNG or for online certification of its entropy rate. Our approach, which is inspired by the coherent sampling method, works under the general assumption that the period jitter is small compared to the period of the generated clock signal. We show that, in this case, it is possible to measure the relative phase between clocks of two oscillators with far higher precision than the time resolution given by the period of any internal clock signal. We use this observation to recover, under some reasonable heuristics, the distribution of the random walk component of the jitter, from which it is possible to obtain a lower bound on the entropy rate of the TRNG. Our method was thoroughly tested in simulations and in hardware. At the end of the paper, we draw some conclusions and make recommendations for a reliable implementation of TRNGs in cryptographic applications.

... Variations in the inherent process, operating temperature, VDD, and aging may bias the TRNG output by introducing large asymmetry between them. An attacker might exploit the dependence of the TRNG on supply voltage and temperature to intentionally bias the TRNG [9,10]. In addition, the randomness of a TRNG is affected by limited PV when inner random noise source cannot provide enough source of entropy alone. ...

True random number generators (TRNGs) are needed for a variety of security applications and protocols. The quality (randomness) of TRNGs depends on sensitivity to random noise, environmental conditions, and aging. Random sources of noise improve TRNG quality. In older or more mature technologies, the random sources are limited resulting in low TRNG quality. Prior work has also shown that attackers can manipulate voltage supply and temperature to bias the TRNG output. In this paper, we propose bias detection mechanisms and a technology independent TRNG (TI-TRNG) architecture. The TI-TRNG enhances power supply noise for older technologies and uses a self-calibration mechanism that reduces bias in TRNG output due to aging and attacks. Experiment results on 130nm, 90nm, and 45nm FPGAs demonstrate the quality of random sequences from the TI-TRNG across aging and different environmental conditions.

... These are more prone to physical attacks, especially because of t he dependence on a physical phenomenon, which can be altered by a very efficient attacker and the worst part being that the device failure may even go undetected i f it keeps generating some output. So, it is desirable to have a subsystem that monitors the state of the device at all times (Bucci and Luzzi, 2005 [18]; Fischer, 2012 [19]). ...

... Nowadays, implantable sensing devices for the health sector and other wearable devices in consumer electronics are considered to be one of the prominent IoT applications that have the tremendous potential to transform the whole world in future [3]. Moreover, the constraints of Pseudo-Random number generator (PRNG) using different types of macroscopic and microscopic aspects like the electrical disturbance as a root of randomness which may produce predictable results [4,5] that can be easily overcome by our proposed ADPLL-based TRNG. Considering the crucial contribution of True Random number on various smart devices connected with multiple sensors, new opportunity and challenges arise in designing more versatile random generator, which can fit with the present demand of more secure data protection. ...

This study is a unique approach for the design and implementation of True Random Number Generator (TRNG) using ADPLL, on Field-Programmable Gate Array (FPGA) board Artrix-7 (XC7A35T-CPG236-1) and the simulation was done on Vivado v.2015.2 design suite. TRNG is solely based on the different seeds of entropy like Jitter, and metastability was produced from Ring Oscillator, Flip Flop (FF) and other primitives. In this paper, we have realized and implemented two architectures based on the use of ADPLL. TRNG with single ADPLL is represented as Novel design-1 (ND-1) and TRNG with two ADPLL as Novel design-2 (ND-2) cascading with other primitive like ring Oscillator combined with FF. Different from other approaches, this proposed TRNG architecture has higher speed, consumes less power in spite of employing 2 Look-Up-Tables (LUTs) and 1 slice block without compromising the overall throughput producing at 680.7 Mbps for ND-1 (Single ADPLL) and 676 Mbps for ND-2 (Two ADPLL). Comparing with other existing designs in the Field of TRNG and found out to have higher throughput and less power consumption, less complexity by employing a reduced FPGA hardware resource. Digital storage oscilloscope (DSO) is used to capture output waveform and FFT waveform for both ND-1 (single ADPLL) and ND-2 (two ADPLL). The randomness of the generated bitstream output of the design architecture is validated by passing the NIST SP 800-22 test which evidences that the proposed ADPLL-based TRNG can be better suited for different industrial applications such as security Network system, cybersecurity, Banking security, IIOT, IOT.

... A Random Number Generator (RNG) is a crucial component of any cryptographic system. Many protocols use RNG to generate encryption and decryption keys, initialization vectors, one-time passwords, padding, nonces, and many more applications [10]. The strength of the RNG determines the strength of the underlying protocols. ...

With the rapid growth of the Internet of Things technologies, individuals’ security and privacy concerns increase. There has been a leaky ecosystem webbed by the presence of sensors and devices around us. It has become a threat for the users and raises concerns for its widespread applicability. Many works have been proposed in a similar direction, building innovations for enhancing security. Meanwhile, Physical unclonable functions (PUFs) and Random Number Generators (RNGs) have proved to be the most useful for building security applications, especially in resource restraining devices. The security protocols, including identification, authentication, and key agreement, can be developed using PUFs, while RNGs can produce ephemeral keys and nonces. The true random number generator (TRNG) and PUF as a re-configurable circuit reduce the hardware cost and become favorable in the resource-constrained environment. This paper proposes a low-cost re-configurable TRNG–PUF, which can be used as both TRNG and PUF to harness their benefits. The proposed re-configurable TRNG–PUF is implemented on FPGA to verify the design. We evaluate the proposed scheme against various parameters and compare them with the existing designs, which proves our claim of better performance.

... For a TRNG, if the entropy extractor samples the source of randomness too fast, adjacent bits can be correlated. Therefore, it is a good practice to check the autocorrelation of generated bit-stream [21]. Figure 6 shows the autocorrelation of the one million consecutive bits generated at the frequencies of 1 MHz. ...

True random number generators (TRNGs) are important hardware primitives required for many applications including cryptography, communication, and statistical simulation. This paper presents a TRNG with failure detection capability targeting cryptographic applications with a limited power budget. The proposed TRNG extracts entropy from latch comparators, whose metastable states are detected and encoded as an additional alarm bit leading to ternary valued outputs. Furthermore, several such ternary valued latches (TVLs) are employed in an N-modular redundant configuration to address the bias problem caused by unmatched conditions. The statistical properties of the proposed TVL-TRNG are examined by the NIST 800-22 and NIST 800-90B test suits showing resistance against environmental changes and process variations. The proposed TRNG circuit designed in 65 nm CMOS consumes 825.36 nW at 1 Mbps.

Bias phenomenon has been a ubiquitous problem in the designs of digital True Random Number Generator (TRNG). Circuit performance can be improved with some auxiliary modules such as analog circuits and post-processing components, which usually involve the compromising of cost, compatibility, throughput, and security as well. In some cases only sub-optimal designs can be achieved. In this paper, by utilizing the diverse timing characteristics of different initial states, a staged-running Self-timed Ring (STR) architecture, which is able to suppress the degree of bias, is proposed. The proposed architecture is compared with some conventional free-running architectures using a Xilinx Zynq-7000 Field Programmable Gate Array (FPGA) platform for a throughput of 100 Mbps. With the increase of the ring size, the bias degree of the newly proposed structure is within a negligible level of less than 1%; whereas those of the conventional architectures can exceed 10%. Statistical tests were also conducted and the results show that the quality of randomness rises as the complexity in initial-state mapping and the ring nodes of the proposed structure increases. The test passes the National Institute of Standards and Technology (NIST) test suite with high p-values.

We present a HW/SW platform for on-the-fly detection of failures and weaknesses in entropy sources. By splitting the operations between hardware and software, we achieve sufficient flexibility to control the level of significance of the tests. This approach also enables sharing resources between different tests thereby reducing the area and power. Statistical tests were selected from the NIST test suite. We propose several versions of hardware co-processors for monitoring random bit sequences, ranging from 52 slices (5 tests) to 552 slices (9 tests) on Spartan-6 FPGA. We are the first to provide implementations of the Serial test and the Approximate entropy test for on-the-fly monitoring.

The security of many cryptographic applications relies heavily on the quality of the random numbers used. Therefore, random number generation is one of the most critical primitives for cryptography. This paper focuses on true random number generators (TRNGs) and the analysis of their security requirements. After illustrating issues associated with adversarial influences on TRNGs, we propose a simple method to obtain a secure TRNG based on n TRNGs originating from (potentially) untrusted vendors. The untrusted generators are combined such that as long as one out of the n vendors does not collude with the other vendors, the generator is secure, i.e., the output is unpredictable and uniformly distributed even in the presence of an active attacker. In order to achieve this, we review several choices of functions to be used as combiner. The advantage of our design is that only the (black-box) input-output behavior of the vendor's TRNGs needs to be evaluated. No overhead is introduced by the combiner. The resulting generator offers faultresilience and ease of maintenance.

The proposed true random number generator (TRNG) exploits the jitter of events propagating in a self-timed ring (STR) to generate random bit sequences at a very high bit rate. It takes advantage of a special feature of STRs that allows the time elapsed between successive events to be set as short as needed, even in the order of picoseconds. If the time interval between the events is set in concordance with the clock jitter magnitude, a simple entropy extraction scheme can be applied to generate random numbers. The proposed STR-based TRNG (STRNG) follows AIS31 recommendations: by using the proposed stochastic model, designers can compute a lower entropy bound as a function of the STR characteristics (number of stages, oscillation period and jitter magnitude). Using the resulting entropy assessment, they can then set the compression rate in the arithmetic post-processing block to reach the required security level determined by the entropy per output bit. Implementation of the generator in two FPGA families confirmed its feasibility in digital technologies and also confirmed it can provide high quality random bit sequences that pass the statistical tests required by AIS31 at rates as high as 200 Mbit/s.

Balancing security, privacy, safety, and utility is a necessity in the health care domain, in which implantable medical devices (IMDs) and body area networks (BANs) have made it possible to continuously and automatically manage and treat a number of health conditions. In this work, we survey publications aimed at improving security and privacy in IMDs and health-related BANs, providing clear definitions and a comprehensive overview of the problem space. We analyze common themes, categorize relevant results, and identify trends and directions for future research. We present a visual illustration of this analysis that shows the progression of IMD/BAN research and highlights emerging threats. We identify three broad research categories aimed at ensuring the security and privacy of the telemetry interface, software, and sensor interface layers and discuss challenges researchers face with respect to ensuring reproducibility of results. We find that while the security of the telemetry interface has received much attention in academia, the threat of software exploitation and the sensor interface layer deserve further attention. In addition, we observe that while the use of physiological values as a source of entropy for cryptographic keys holds some promise, a more rigorous assessment of the security and practicality of these schemes is required.

In cryptography, there is no simple methodology to obtain a True Random Number Generator (TRNG) that meets statistical requirements such as unpredictability, uniform distribution (bias) and independence (correlation) for random numbers. The statistical weakness occurring especially as a result of physical randomness and tried to be overcome by post-processing techniques is an important deficiency of TRNGs. In this study, the use of a novel lightweight post-processing technique based on chaotic substitution box (s-box) is proposed that can successfully solve this problem of TRNGs. The proposed post-processing is applied in real time to the ring oscillator-based TRNG in two different scenarios on the Altera Cyclone IV GX Field-Programmable Gate Array chip. Bias, correlation, entropy, Chi-square, Berlekamp–Massey and National Institute of Standards and Technology Special Publication 800–22 test techniques are used for statistical verification of real-time results. In addition, for the proposed method, the area–energy consumption parameters of TRNG are examined and a detailed literature (performance) comparison has been made. The acquired results indicate that the proposed method can overcome the statistical weakness problem of TRNGs by providing better trade-off than the methods in the literature. In addition, it has been observed that the performance of TRNG is high due to the advantages of the method such as simplicity, low area–energy requirement and high output bit rate. Performance and statistical analysis results confirm the cryptographic suitability of the proposed method and that TRNG can be used successfully in lightweight architecture and applications.

A talk given at the pre-EUROCRYPT workshop WR0NG

In this paper we propose the method of generating true random numbers utilizing the circuit primarily designed as Physically Unclonable Function (PUF) based on ring oscillators. The goal is to show that it is possible to design the universal crypto system, that can be used for various applications - the PUF can be utilized for asymmetric cryptography and generating asymmetric keys, True Random Number Generator (TRNG) for symmetric cryptography (generating session and ephemeral keys), nonces and salts. In the paper the results of evaluation of such a circuit utilized for TRNG purpose are presented.

In this study, FPGA implementation of a hybrid random number generator (HRNG) based on digital design techniques is given. The ring oscillators (ROs) are used as the noise source of HRNG, and true randomness is obtained by sampling jitter signals forming on the oscillators. The statistical quality and reliability of random number generators that used jitter as source of true randomness alone are often cryptographically insufficient. For this reason, one-dimensional discrete-time chaotic maps such as quadratic map, logistic map and Bernoulli shift map are benefited in order for HRNG to meet these cryptographic requirements. In contrast to many studies in the literature, non-periodic signals derived from chaotic systems of a powerful source of entropy are used instead of periodic signals for the sampling of jitter signals in the system. Depending on the usage of chaotic systems, output bit rate and reliability of high generator model that does not need post-processing techniques and is easily applicable to digital devices are obtained. The hybrid system is tested in total six different scenarios for two separate ring oscillator (RO) architectures of 25 and 114 pieces consisting of three different chaotic maps and equal-length inverters. The statistical qualifications of the random numbers obtained from HRNG for each scenario are verified by NIST 800-22 tests. Also, for each scenario, the design parameters of the generator are examined and the hardware performances and non-periodicity analyses of the chaotic maps are performed. Based on the obtained results, it is demonstrated that the HRNG based on non-periodic sampling can be used for cryptographic purposes.

Quantum phenomena cannot be predicted by the uncertainty principle. As a quantum phenomenon, radioactive decay has been used as an entropy source to generate random numbers. In this article, we present the design and development of an innovative quantum entropy chip (QEC) that produces analog random pulses when emitted alpha particles resulted from radioactive isotope (americium-241) decay hit the sensor. The analog pulse generated by a QEC can be digitized into random numbers by an entropy extractor. The QEC provides security foundation for device authentication as well as a quantum random number generator (QRNG), especially suited for the Internet of Things (IoT) devices due to its small size. We have successfully designed and fabricated the QEC as a wafer for supporting a system-on-chip (SoC) Internet Protocol (IP) so that the QEC can be embedded into a microcontroller unit (MCU) or central processing unit (CPU). In addition, we built a stochastic model to estimate the entropy of the quantum source and evaluated statistical randomness and robustness against temperature, voltage variations, aging effects, and physical attacks. Finally, we demonstrate various applications using the QEC such as side-channel-resistant primitives and device authentication.

Les objets connectés sont omniprésents dans notre société actuelle (ex. véhicules, transports en commun, santé, domotique, smartphone, moyen de paiement, etc.). La connexion et l'accès à distance des appareils d'usage quotidien améliorent considérablement notre confort et notre efficacité dans notre vie professionnelle comme personnelle. Cependant, cela peut également nous confronter à des problèmes de sécurité sans précédent. Les risques liés à la large expansion des systèmes embarqués et de l'internet des objets sont doubles :- L'accès d'une personne non autorisée aux données pour la lecture, la copie, l'écriture ou l'effacement complet. - L'utilisation de l'objet connecté pour une action non prévue par celui-ci, sa mise hors service du système ou bien sa destruction.Pour répondre à de tels risques, il est nécessaire de mettre en place des mécanismes de sécurité permettant le chiffrement des données sensibles, ainsi qu'une authentification et une autorisation pour chaque appareil de l'internet des objets. Fort heureusement, les fonctions cryptographiques permettent de répondre à ces besoins en garantissant confidentialité, authenticité, intégrité et non-répudiation. Dans ce contexte, les générateurs physiques d'aléa (Générateurs de nombres aléatoires et fonctions physiques non clonables) sont essentiels puisqu'ils assurent le bon fonctionnement des fonctions cryptographiques. En effet, ils exploitent des sources de bruit analogique présentes dans les circuits électroniques pour générer: des clés secrètes permettant de chiffrer les données, ou encore, des identifiants uniques permettant l'authentification des circuits. La sécurité des fonctions cryptographiques repose sur la qualité des clés et identifiant générés par ces générateurs d'aléa. Les nombres produits par ces générateurs doivent être imprévisibles. A défaut, les clés utilisées pour chiffrer les données pourraient être cassées et les identifiants recopiés. C'est pourquoi il est d'une extrême nécessité d'étudier les générateurs physiques d'aléa. Dans ce manuscrit, nous proposons tout d'abord une approche rigoureuse d'implémentation et de comparaison de TRNG et de PUF sur les circuits électroniques numériques, suivis d'une intégration au sein d'un système complet de ces générateurs physiques d'aléa. Ensuite, nous amorçons une démarche de modélisation des PUF afin d'améliorer l'évaluation de leur imprévisibilité. Nous réalisons aussi une étude complète de l'impact du phénomène de verrouillage sur les cellules oscillantes et le. conséquences sur les générateurs physiques d'aléa. Enfin, nous démontrons la sensibilité d'un type particulier de PUF à une attaque par analyse électromagnétique.

In this paper, we describe a post-processing technique having high extraction efficiency (ExE) for de-biasing and de-correlating the random bitstream generated by true random number generators (TRNGs). This research is based on the N-bit von Neumann (VN_N) post-processing method. It improves the ExE of the original von Neumann method close to the Shannon entropy bound by a large N value. However, as the N value increases, the mapping table complexity increases exponentially (2N), which made VN_N unsuitable for low-power TRNGs. To overcome this problem, at the algorithm level, we propose a waiting strategy to achieve high ExE with a small N value. At the architectural level, a Hamming weight mapping-based hierarchical structure is used to reconstruct the large mapping table using smaller tables. The hierarchical structure also decreases the correlation factor in the raw bitstream. To develop a technique with high ExE and low-cost, we designed and fabricated an 8-bit von Neumann with waiting strategy (VN_8W) in a 130-nm CMOS. The maximum ExE of VN_8W is 62.21%, which is 2.49 times larger than the ExE of the original von Neumann. NIST SP 800-22 randomness test results proved the de-biasing and de-correlation abilities of VN_8W. As compared with the state-of-the-art optimized 7-element iterated von Neumann, VN_8W achieved more than 20% energy reduction with higher ExE. At 0.45 V and 1 MHz, VN_8W achieved the minimum energy of 0.18 pJ/bit, which was suitable for sub-pJ low energy TRNGs.

The statistical weakness problem occurring as a result of physical randomness is an important shortcoming of TRNGs. Post-processing techniques are generally used in the literature to overcome this shortcoming. In this study, the hardware implementation of Advanced Encryption Standard (AES) substitution box (s-box)-based novel post-processing technique is presented. The low-cost novel method is based on the substitution s-box transformations and can successfully remove the statistical weakness problem of TRNGs. The real-time verification of the proposed post-processing is done by applying ring oscillator (RO) based TRNG architecture in four different scenarios on Field Programmable Gate Array (FPGA) environment. Successful statistical results obtained from bias, correlation, entropy and NIST 800-22 tests confirm the usability of the proposed method for cryptographic purposes. The low area-energy requirement, practicality and compressionless properties of the post-processing provide better tradeoff for TRNG compared to known methods in the literature. For this reason, TRNG’s performance is high. Furthermore, the presented study is important in demonstrating that s-boxes with good mathematical encryption properties can also be used for different cryptographic purposes.

We improve entropy bounds for a self-timed ring based true random number generator, taking the timing of the reference clock signals into account. The models we discuss encompass both perfect and jittered reference clocks. Importantly, our novel analysis of jittered reference clocks can be used to study how robust the improved entropy bounds are. We use parity filters as post-processing blocks and improve results on the required minimal parity filter size to obtain a given target entropy. In addition, we see in numerical experiments that these models are robust in the sense that the minimal required size of a parity filter to exceed a given entropy bound does not change when weakening the assumption on the reference clock; i.e. when considering jittered instead of perfect reference clocks.

The paper presents several modifications of the True Random Number Generator proposed by Kohlbrenner and Gaj in 2004. The generator is based on a coherent sampling principle and it is aimed at cryptographic applications. It uses the timing jitter present in two clock signals with close frequencies as entropy source. The proposed enhancements are related to the setting of generator parameters (e. g. the frequency of the clock signals) and configuration (simple or mutual sampling) depending on size and composition of the clock jitters. Several versions of the generator have been implemented in two FPGA families, giving the output bit-rate up to 2 Mbits/s. Three generator configurations deliver a high-quality unbiased raw bit-stream, so that post-processing is not necessary and the generated raw random data pass both the FIPS 140-2 and NIST statistical tests. One of the proposed configurations can be fully automated and does not need manual intervention during placement and routing.

It is shown that the amount of true randomness produced by the recently introduced Galois and Fibonacci ring oscillators can
be evaluated experimentally by restarting the oscillators from the same initial conditions and by examining the time evolution
of the standard deviation of the oscillating signals. The restart approach is also applied to classical ring oscillators and
the results obtained demonstrate that the new oscillators can achieve orders of magnitude higher entropy rates. A theoretical
explanation is also provided. The restart and continuous modes of operation and a novel sampling method almost doubling the
entropy rate are proposed. Accordingly, the new oscillators appear to be by far more effective than other known solutions
for random number generation with logic gates only.

The paper presents a simple stochastic model of a true random number generator, which extracts randomness from the tracking jitter of a phase-locked loop. The existence of such a model is a necessary condition in the security certification process. The proposed model can be used to test, in real time, the proper behavior of the generator and thus to guarantee its robustness against cryptographic attacks. The model is validated on real data, which have been obtained using Altera Stratix Nios and Altera Stratix DSP professional boards

Many embedded security chips require a high-quality random number generator (RNG). Unfortunately, hardware RNG randomness can vary in time due to implementation defects or certain kinds of attacks. To overcome this issue, this paper presents the implementation of a battery of statistical test for randomness. The battery is selected for its efficient implementation, making the area and power consumption insignificant. Performance and cost of the hardware implementation are given for FPGA and VLSI targets. Results show that statistical tests can easily be implemented in low-cost embedded security circuits and can enhance on-line monitoring of RNG randomness to prevent RNG failures.

We present concepts and implementations to transform write collisions in memory blocks into an entropy source for random number generation. Write collisions in dual-ported block memories occur when both memory ports write simultaneously different data at the same memory location. After a thorough analysis of this effect, we present a robust methodology to generate digitized noise and randomness from such write collisions and also provide details how to implement post-processing methods for efficient bias and correlation removal. Finally, we present three concepts and implementations for random number generators stages that can deliver random data at an output rate of more than 100 MBit/s.

This paper presents a new True Random Number Generator (TRNG) based on an analog Phase-Locked Loop (PLL) implemented in a digital Altera Field Programmable Logic Device (FPLD). Starting with an analysis of the one available on chip source of randomness - the PLL synthesized low jitter clock signal, a new simple and reliable method of true randomness extraction is proposed. Basic assumptions about statistical properties of jitter signal are confirmed by testing of mean value of the TRNG output signal. The quality of generated true random numbers is confirmed by passing standard NIST statistical tests. The described TRNG is tailored for embedded System-On-a-Programmable-Chip (SOPC) cryptographic applications and can provide a good quality true random bit-stream with throughput of several tens of kilobits per second. The possibility of including the proposed TRNG into a SOPC design significantly increases the system security of embedded cryptographic hardware.

The paper presents a novel and efficient method to generate true random numbers on FPGAs by inducing metastability in bi-stable circuit elements, e.g. flip-flops. Metastability is achieved by using precise programmable delay lines (PDL) that accurately equalize the signal arrival times to flip-flops. The PDLs are capable of adjusting signal propagation delays with resolutions higher than fractions of a pico second. In addition, a real time monitoring system is utilized to assure a high degree of randomness in the generated output bits, resilience against fluctuations in environmental conditions, as well as robustness against active adversarial attacks. The monitoring system employs a feedback loop that actively monitors the probability of output bits; as soon as any bias is observed in probabilities, it adjusts the delay through PDLs to return to the metastable operation region. Implementation on Xilinx Virtex 5 FPGAs and results of NIST randomness tests show the effectiveness of our approach.

We demonstrate a new high-entropy digital element suitable for True Random Number Generators (TRNGs) embedded in Field Programmable
Gate Arrays (FPGAs). The original idea behind this principle lies in the randomness extraction on oscillatory trajectory when
a bi-stable circuit is resolving a metastable event. Although such phenomenon is well known in the field of synchronization
flip-flops, this feature has not been applied for TRNG designs. We propose a new bi-stable structure – Transition Effect Ring
Oscillator (TERO) where oscillatory phase can be forced on demand and be reliably synthesized in FPGA. Randomness is represented
as a variance of the TERO oscillations number counted after each excitation. Variance is highly dependent on the internal
noise of logic cells and can be used easily for reliable instant inner testing of each generated bit. Our proposed mathematical
model, simulations and hardware experiments show that TERO is significantly more sensitive to intrinsic noise in FPGA logic
cells and less sensitive to global perturbations than a ring oscillator composed from the same elements. The experimental
TERO-based TRNG passes NIST 800-22 tests.

In this paper, the evaluation of random bit generators for security applications is discussed and the concept of stateless generator is introduced. It is shown how, for the proposed class of generators, the verification of a minimum entropy limit can be performed directly on the post-processed random numbers thus not requiring a good statistic quality for the noise source itself, provided that a sufficient compression is adopted in the post-processing unit. Assuming that the noise source is stateless, a straightforward entropy estimator to drive an adaptive compression algorithm is proposed. Examples of stateless sources are also discussed.
Finally, an attack scenario against a noise source is defined and an effective approach to the attack detection is presented. The entropy estimator and the attack detection together guarantee the unpredictability of the generated random numbers.

Field Programmable Gate Arrays (FPGAs) are an increasingly popular choice of platform for the implementation of cryptographic systems. Until recently, designers using FPGAs had less than optimal choices for a source of truly random bits. In this paper we extend a technique that uses on-chip jitter and PLLs to a much larger class of FPGAs that do not contain PLLs. Our design uses only the Configurable Logic Blocks (CLBs) common to all FPGAs, and has a self-testing capability. Using the intrinsic jitter contained in digital circuits, we produce random bits at speeds of up to 0.5 Mbits/second with good statistical characteristics. We discuss the engineering challenges of extracting random bits from digital circuits, and we report the results of running standard statistical tests (NIST) on the output generated by our system.

The paper deals with true random number generators employing oscillator rings, namely, with the one proposed by Sunar et al. in 2007 and enhanced by Wold and Tan in 2009. Our mathematical analysis shows that both architectures behave identically when composed of the same number of rings and ideal logic components. However, the reduction of the number of rings, as proposed by Wold and Tan, would inevitably cause the loss of entropy. Unfortunately, this entropy insufficiency is masked by the pseudo-randomness caused by XOR-ing clock signals having different frequencies. Our simulation model shows that the generator, using more than 18 ideal jitter-free rings having slightly different frequencies and producing only pseudo-randomness, will let the statistical tests pass. We conclude that a smaller number of rings reduce the security if the entropy reduction is not taken into account in post-processing.Moreover, the designer cannot avoid that some of rings will have the same frequency, which will cause another loss of entropy. In order to confirmthis, we show how the attacker can reach a state where over 25% of the rings are locked and thus completely dependent. This effect can have disastrous consequences on the system security.

Random number generators represent one of basic cryptographic primitives used in creating cryptographic protocols. Their security evaluation represents very important part in the design, implementation and employment phase of the generator. One of important security requirements is the existence of a mathematical model describing the physical noise source and the statistical properties of the digitized noise derived from it. The aim of this paper is to propose the model of a class of generators using two jittery clocks with rationally related frequencies. The clock signals with related frequencies can be obtained using phase-locked loops, delay-locked loops or ring oscillators with adjusted oscillation periods. The proposed mathematical model is used to provide entropy per bit estimators and expected bias on the generated sequence. The model is validated by hardware experiments.

Many embedded security chips require a high- quality Random Number Generator (RNG). Unfortunately, hard- ware RNG randomness can vary in time due to implementation defects or certain kinds of attacks. To overcome this issue, this paper presents the implementation of a battery of statistical test for randomness. The battery is selected for its efficient imple- mentation, making the area and power consumption insignificant. Performance and cost of the hardware implementation are given for FPGA and VLSI targets. Results show that statistical tests can easily be implemented in low-cost embedded security circuits and can enhance on-line monitoring of RNG randomness to prevent RNG failures.

This paper deals with an evaluation platform for cryptographic True Random Number Generators (TRNGs) based on the hardware implementation of statistical tests for FPGAs. It was developed in order to provide an automatic tool that helps to speed up the TRNG design process and can provide new insights on the TRNG behavior as it will be shown on a particular example in the paper. It enables to test sufﬁcient statistical properties of various TRNG designs under various working conditions on the ﬂy. Moreover, the tests are suitable to be embedded into cryptographic hardware products in order to recognize TRNG output of weak quality and thus increase its robustness and reliability. Tests are fully compatible with the FIPS 140 standard and are implemented by the VHDL language as an IP-Core for vendor independent FPGAs. A recent Flash based Actel Fusion FPGA was chosen for preliminary experiments. The Actel version of the tests possesses an interface to the Actel’s CoreMP7 softcore processor that is fully compatible with the industry standard ARM7TDMI. Moreover, identical tests suite was implemented to the Xilinx Virtex 2 and 5 in order to compare the performance of the proposed solution with the performance of already published one based on the same FPGAs. It was achieved 25% and 65% greater clock frequency respectively while consuming almost equal resources of the Xilinx FPGAs. On the top of it, the proposed FIPS 140 architecture is capable of processing one random bit per one clock cycle which results in 311.5 Mbps throughput for Virtex 5 FPGA.

A true random number generator (TRNG) is an important component in cryptographic systems. Designing a fast and secure TRNG in an FPGA is a challenging task. In this paper, we analyze the TRNG designed by Sunar et al. (2007) based on XOR of the outputs of several oscillator rings. We propose an enhanced TRNG with better randomness characteristics that does not require postprocessing and passes the statistical tests. We have shown by experiment that the frequencies of the equal length oscillator rings in the TRNG are not identical. The difference is due to the placement of the inverters in the FPGA and the resulting routing between the inverters. We have implemented our proposed TRNG in an Altera Cyclone II FPGA. Our implementation has passed the NIST and DIEHARD statistical tests with a throughput of 100 Mbps and with a usage of less than 100 logic elements in the FPGA. The restart experiments have shown that the output from our TRNG behaves truly random and
not pseudorandom.

This book is designed for all those who would like to upgrade their knowledge in the field of security and digital platforms including reconfigurable FPGAs. It is the result of a national project (ICTER) funded by the French National Research Agency (ANR) and involving four research centers (Montpellier, Paris, Lorient, Saint-Etienne) and a private company.
This book details several solutions for secure application execution and application update. It presents an analysis of current threats against embedded systems and especially FPGAs. The discussion includes requirements to build a secure system, according to the FIPS standard. New secure schemes are proposed to ensure data confidentiality, integrity and authentication. These new schemes fit the tight requirements of embedded systems (performance, memory footprint, logic area and energy consumption). The cost of different architectures for performance, memory, and energy are estimated. Innovative solutions for remote reconfigurations are also detailed, taking into account security when downloading a new bitstream. Since the replay of an old bitstream in the field is a major threat for embedded systems, this issue is discussed and an original solution proposed.
• Proposes solutions at the logical, architecture and system levels in order to provide a global solution
• Clearly defines the security boundaries for a system
• Describes different hierarchical levels of a design, from application to technological levels

This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs of such generators may be used in many cryptographic applications, such as the generation of key material. Generators suitable for use in cryptographic applications may need to meet stronger requirements than for other applications. In particular, their outputs must be unpredictable in the absence of knowledge of the inputs. Some criteria for characterizing and selecting appropriate generators are discussed in this document. The subject of statistical testing and its relation to cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this paper.
Key words: random number generator, hypothesis test, P-value

Random number generators (RNG) are important components in various cryptographic systems. Embedded security systems often require a high-quality digital source of randomness. Still, randomness of an RNG can vary due to aging effects, temperature or process conditions or intentional active attacks. This paper presents efficient, compact and reliable hardware implementations of 8 tests from the NIST test suite for statistical evaluation of randomness. These tests can be used for on-the-fly quality monitoring of on-chip random number generators as well as for fast hardware evaluation of RNG designs.

This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs of such generators may he used in many cryptographic applications, such as the generation of key material. Generators suitable for use in cryptographic applications may need to meet stronger requirements than for other applications. In particular, their outputs must he unpredictable in the absence of knowledge of the inputs. Some criteria for characterizing and selecting appropriate generators are discussed in this document. The subject of statistical testing and its relation to cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may he useful as a first step in determining whether or not a generator is suitable for a particular cryptographic application. The design and cryptanalysis of generators is outside the scope of this paper.

Physical random number generators (a.k.a. TRNGs) appear to be critical components of many cryptographic systems. Yet, such
building blocks are still too seldom provided with a formal assessment of security, in comparison to what is achieved for
conventional cryptography. In this work, we present a comprehensive statistical study of TRNGs based on the sampling of an
oscillator subject to phase noise (a.k.a. phase jitters). This classical layout, typically instantiated with a ring oscillator,
provides a simple and attractive way to implement a TRNG on a chip. Our mathematical study allows one to evaluate and control
the main security parameters of such a random source, including its entropy rate and the biases of certain bit patterns, provided
that a small number of physical parameters of the oscillator are known. In order to evaluate these parameters in a secure
way, we also provide an experimental method for filtering out the global perturbations affecting a chip and possibly visible
to an attacker. Finally, from our mathematical model, we deduce specific statistical tests applicable to the bitstream of
a TRNG. In particular, in the case of an insecure configuration, we show how to recover the parameters of the underlying oscillator.
Key wordsHardware random number generators–Ring oscillators–Jitter model–Entropy–Statistical tests

This paper presents a new method for creating TRNGs in Xilinx FPGAs. Due to its simplicity and ease of implementation, the design constitutes a valuable alternative to existing methods for creating single-chip TRNGs. Its main advantages are the high throughput, the portability and the low amount of resources it occupies inside the chip. Therefore, it could further extend the use of FPGA chips in cryptography. Our primary source of entropy is a True Dual-Port Block-RAM operating at high frequency, which is used in a special architecture that creates a concurrent write conflict. The paper also describes the practical issues which make it possible to convert that conflict into a strong entropy source. Depending on the users' requirements, it is possible to connect many units of this generator in parallel on a single FPGA device, thus increasing the bit generation throughput up to the Gbps level. The generator has successfully passed the major statistical test batteries.

The paper deals with the characterization of sources of randomness in true random number generators aimed at cryptographic applications implemented in Field Programmable Gate Arrays (FPGA). One of the most often used source of randomness in logic devices is the timing jitter present in clock signals, generated using ring oscillators (RO). In order to estimate the entropy of the generated random bit-stream, it is necessary to characterize the employed timing jitter. Using the simulation of the clock jitter injection into the gates of RO we show that the proportion of jitter from uncorrelated and correlated noise sources on the overall period jitter depends on the number of delay elements (inverters). We also propose a new and precise method of the jitter measurement outside the device based on the use of the differential device outputs in conjunction with a differential oscilloscope probe. The measured standard deviation of the clock period is more than two times smaller than the one obtained using traditional methods. Employing the proposed measurement method we show that the jitter profile of the RO-generated clock and its sensitivity to global jitter sources (e. g. deterministic jitter) is strongly dependent on the architecture and topology of the oscillator.

This paper presents two novel hardware random number generators (RNGs) based on latch metastability. We designed the first, the DC-nulling RNG, for extremely low power operation. The second, the FIR-based RNG, uses a predictive whitening filter to remove non-random components from the generated bit sequence. In both designs, the use of floating-gate memory cells allows us to predict and compensate for DC offsets and other non-random influences while minimizing power consumption. We also present a simple post-processing technique for improving randomness. We fabricated both RNGs in a standard 2P4M 0.35 μm CMOS process. The DC-nulling RNG utilized .031 mm<sup>2</sup> of die area, while the FIR-based RNG occupied 1.49 mm<sup>2</sup>.

Some of the desirable properties a cryptographic random number generator should have are lack of bias, bit independence, unpredictiability
and nonrepeatability. In this paper, we discuss how a hardware random number generator formed from simple components can provide
these properties. The components include two state machines with different structures, and free-running oscillators. The generated
numbers pass the DIEHARD battery of tests.

This paper is a contribution to the theory of true random number generators based on sampling phase jitter in oscillator rings. After discussing several misconceptions and apparently insurmountable obstacles, we propose a general model which, under mild assumptions, will generate provably random bits with some tolerance to adversarial manipulation and running in the megabit-per-second range. A key idea throughout the paper is the fill rate, which measures the fraction of the time domain in which the analog output signal is arguably random. Our study shows that an exponential increase in the number of oscillators is required to obtain a constant factor improvement in the fill rate. Yet, we overcome this problem by introducing a postprocessing step which consists of an application of an appropriate resilient function. These allow the designer to extract random samples only from a signal with only moderate fill rate and, therefore, many fewer oscillators than in other designs. Last, we develop fault-attack models and we employ the properties of resilient functions to withstand such attacks. All of our analysis is based on rigorous methods, enabling us to develop a framework in which we accurately quantify the performance and the degree of resilience of the design.

Most hardware “True” Random Number Generators (trng) take advantage of the thermal agitation around a flip-flop metastable state. In Field Programmable Gate Arrays (fpga), the classical trng structure uses at least two oscillators, build either from pll or ring oscillators. This creates good trng albeit limited in frequency by the interference rate which cannot exceed a few Mbit/s. This article presents an architecture allowing higher bit rates while maintaining provable unconditional security. This speed requirement becomes stringent for secure communication applications such as the cryptographic quantum key distribution protocols. The proposed architecture is very simple and generic as it is based on an open loop structure with no specific component such as pll.

This paper is a contribution to the theory of true random number generators based on sampling phase jitter in oscillator rings. After discussing several misconceptions and apparently insurmountable obstacles, we propose a general model which, under mild assumptions, will generate provably random bits with some tolerance to adversarial manipulation and running in the megabit-per-second range. A key idea throughout the paper is the fill rate, which measures the fraction of the time domain in which the analog output signal is arguably random. Our study shows that an exponential increase in the number of oscillators is required to obtain a constant factor improvement in the fill rate. Yet, we overcome this problem by introducing a postprocessing step which consists of an application of an appropriate resilient function. These allow the designer to extract random samples only from a signal with only moderate fill rate and, therefore, many fewer oscillators than in other designs. Last, we develop fault-attack models and we employ the properties of resilient functions to withstand such attacks. All of our analysis is based on rigorous methods, enabling us to develop a framework in which we accurately quantify the performance and the degree of resilience of the design

A general model is introduced which is capable of making accurate,
quantitative predictions about the phase noise of different types of
electrical oscillators by acknowledging the true periodically
time-varying nature of all oscillators. This new approach also
elucidates several previously unknown design criteria for reducing
close-in phase noise by identifying the mechanisms by which intrinsic
device noise and external noise sources contribute to the total phase
noise. In particular, it explains the details of how 1/f noise in a
device upconverts into close-in phase noise and identifies methods to
suppress this upconversion. The theory also naturally accommodates
cyclostationary noise sources, leading to additional important design
insights. The model reduces to previously available phase noise models
as special cases. Excellent agreement among theory, simulations, and
measurements is observed

AIS 31: Functionality classes and evaluation methodology for true (physical) random number generators

- W Killmann
- W Schindler

Killmann, W., Schindler, W.: AIS 31: Functionality classes and evaluation methodology for true (physical) random number generators, version 3.1. Bundesamt fur
Sicherheit in der Informationstechnik (BSI), Bonn (2001), http://www.bsi.bund.
de/zertifiz/zert/interpr/ais31e.pdf

Bundesamt fur Sicherheit in der Infor-mationstechnik (BSI)

- Tech
- Rep

Tech. rep., Bundesamt fur Sicherheit in der Infor-mationstechnik (BSI), Bonn (September 2011), https://www.bsi.bund.de/EN/Home/home_node.html

A set of evaluation boards aimed at TRNG design evaluation and testing

- N Bochard
- V Fischer

Bochard, N., Fischer, V.: A set of evaluation boards aimed at TRNG design evaluation and testing. Tech. rep., Laboratoire Hubert Curien, Saint-Etienne, France
(March 2012), http://www.cryptarchi.org

A proposal for: Functionality classes for random number generators, version 2.0. Tech. rep

- W Killmann
- W Schindler

Killmann, W., Schindler, W.: A proposal for: Functionality classes for random
number generators, version 2.0. Tech. rep., Bundesamt fur Sicherheit in der Informationstechnik (BSI), Bonn (September 2011), https://www.bsi.bund.de/EN/
Home/home_node.html

140-1: Security Requirements for Cryptographic Modules

- P Fips

FIPS, P.: 140-1: Security Requirements for Cryptographic Modules. National Institute of Standards and Technology 11 (1994)