1
ES-TRNG: A High-throughput, Low-area True Random Number Generator based on Edge Sampling
Bohan Yang, Vladimir Rožić, Miloš Grujić, Nele Mentens and Ingrid Verbauwhede
COSIC, KU Leuven
2
Generic TRNG Architecture
ES-TRNG:
Timing jitter based TRNG
Compact implementation
Reasonable throughput
Security analysis using a stochastic model
Diagram labels: Entropy Source, Digitization, Post Processing, Online Tests, Applications, Total Failure, Raw Numbers, Internal, Digital Noise Source
7-Nov-18 COSIC, KU Leuven
3
Stochastic model oriented security analysis
Initialization Vectors
For cryptographic applications, the SECURITY of a TRNG depends on its unpredictability, which:
cannot be measured by statistical tests (NIST 800-22, DIEHARD, FIPS 140-1);
can be estimated by a stochastic model (AIS-31, NIST 800-90B).
4
Timing jitter based TRNG
Waveform labels: Noise Free, Noise Free, Noise
A random bit is generated only when measuring the position of an edge.
Jitter accumulates proportionally to the square root of the accumulation time.
Elementary TRNG (figure labels: 1, D, Q, clk)
Low throughput. Timing jitter accumulation is slow.
Solution: increasing the sampling resolution!
5
How to increase the sampling resolution
Sampling at a higher frequency?
Figure labels: D, Q, clk; D, Q, clk
Highest sampling frequency is limited by technology, platform, system, power, energy…
6
How to increase the sampling resolution
Using high resolution TDC (Time-to-Digital Converter)
Figure labels: 0111, 1000, 1100, 20
DC-TRNG
LUT Resolution: ~ 17 ps
GHz) Period: ~ 2.2 ns
2200 ps ÷ 2 ÷ 17 ps ÷ 4 ≈ 17
V. Rozic, B. Yang, W. Dehaene, and I. Verbauwhede, "Highly Efficient Entropy Extraction for True Random Number Generators on FPGAs," In DAC 2015
7
How to increase the sampling resolution
Using high resolution TDC (Time-to-Digital Converter)
Figure labels: 0111, 1000, 1100, 20
DC-TRNG, ES-TRNG
LUT, LUT Resolution: ~ 17 ps
GHz) Period: ~ 2.2 ns
2200 ps ÷ 2 ÷ 17 ps ÷ 4 ≈ 17
V. Rozic, B. Yang, W. Dehaene, and I. Verbauwhede, "Highly Efficient Entropy Extraction for True Random Number Generators on FPGAs," In DAC 2015
8
A closer look at ES-TRNG architecture
9
Technique 1: variable-precision phase encoding
1 1 1 1
Stages [2:0] Valid Raw bit 110,001 1 100,011 111,000 N 101,010 n/a
1 2 $t_{f,1}$ $t_{f,2}$ $t_{r,1}$ $t_{r,2}$
10
Technique 1: variable-precision phase encoding
Figure labels: $t_{f,1}$, $t_{f,2}$, $t_{r,1}$, $t_{r,2}$; Elementary TRNG; 1
11
Technique 2: repetitive sampling
Dependency between samples
12
ES-TRNG: platform parameters
2.172 ns RO 2; 2.740 ns RO 1
$t_{f,1}$, $t_{f,2}$, $t_{r,1}$, $t_{r,2}$: 35.93 ps, 22.25 ps, 40.90 ps, 24.12 ps
$D$; $\sigma_m^2 / t_m$; 2.9 fs; 0.43
13
ES-TRNG: design parameters
Entropy claim!
14
Implementation of ES-TRNG on Xilinx FPGA
Compact!
5 DFFs, 6 LUTs + 4 LUTs, 1 CARRY4
15
Conclusion
ES-TRNG
Compact Hardware: 10 LUTs + 5 Xilinx Spartan-6 or 10 LUTs + 6 Intel Cyclone-V
Relatively High Throughput: 1.15 Xilinx Spartan-6 or 1.07 Intel Cyclone-V
Security analysis supported by stochastic model
DC-TRNG & ES-TRNG resources (in progress):
16
Q&A
17
How many samples you need to capture an edge?
18
What is the Noise in Ring Oscillators?
Noise Free Positions of transitions Constant Noise Free Gaussian Noise Constant Variable Random Noise Free Gaussian Noise Other Noise Deterministic Variable Random 7-Nov-18 Bohan Yang/ ESAT-COSIC, KU Leuven
19
Why a better resolution leads to a better throughput?
Limited use: CyptoIC workshop Leuven, Why a better resolution leads to a better throughput? 11/15/2017 Bohan / ESAT-COSIC and imec, KU Leuven Bohan Yang, Vladimir Rožić and Ingrid Verbauwhede, ESAT/COSIC, KU Leuven
20
What are platform parameters and design parameters?
Obsoleted way: Random Number Generator, Statistical Tests (FIPS, NIST, DIEHARD, …), PASS/FAIL
Overestimating your entropy results in compromised security. Use a lower bound!
New method: Experiments, Stochastic Model (AIS31), DGA NIST B?, Assumptions, Platform parameters, Entropy claim, Design
Quotes from Professor Viktor Fischer: It is quite easy to design a “TRNG” that will pass the statistical tests… But it is much more difficult to know where the “randomness” comes from and how much true randomness there is… (Knowing that only the true randomness cannot be guessed or manipulated)
Now we have answered why we need to measure the jitter. What do you need when you are measuring something? You need a ruler.
21
How to measure the step of delay chain?
By nicoguaro - Own work, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=
Figure labels: Ring Oscillator, REG, Sys CLK
22
How to measure the step of delay chain?
By nicoguaro - Own work, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=
Details are not important…
The delays for rising and falling edges are different.
Longer delay, higher counts. PUF?
The Monte-Carlo FPL17: The International Conference on Field-Programmable Logic and Applications (FPL)
23
How does jitter accumulate over time?
$k$, $k^2$
Less required jitter, less accumulation time
24
Are there any other ways to improve the throughput of a RingOSC based TRNG?
Figure labels: Timing Jitter, Delay = d0 + Δd, RANDOM, CLK, D, Q
More Oscillators
More Transitions
More transitions means: within the same period, more toggles happen (like STR, Fibonacci and FIGaRO)
Efficient Entropy Extraction
Samples with better resolution
25
What is the stochastic model when ringOSC is noise free after tA?
26
What is the stochastic model when ringOSC is not noise free after tA?
27
Did you verify your model?
How can you be sure your model is correct? …?
28
Where is the comparison with other TRNGs?
BUT…
Model? Estimated jitter strength? How to compare TRNGs fairly?
29
How is DC-TRNG working?
60 carry stages, 15 slices
Figure labels: Osc, ClkA
30
Are there any other applications of random numbers?
Lottery Prediction?; Games; Cryptography; Session Keys; Signature Parameters; Challenges; Masking; Stochastic Simulations; Numerical Analysis; Scientific Computation
When people ask one of the famous random number generation websites where they get their random numbers certified by an independent third party, the website provides three organizations, and all of them work for the online gaming industry. Not AIS, not EAL, not NIST. Gamblers care about fairness. Scientists care about TRNGs because they can shift the blame and the questions about their theorems and experiments onto the unpredictability of the random numbers they are using. Crypto people need random numbers because they don't know how to make their crypto-system deterministic and secure at the same time. The conclusion is: random number people saved the world.
31
Why TRNG? Why not PRNG? Or LFSR?
True Random Number Generator, Pseudo-Random Number Generator
My questions as well… I will forward your questions to other speakers at CHES during their presentation, why do they need TRN for Post-quantum PK, masking, block ciphers? Isn’t PRNG or LFSR good enough?
32
Why should I care about online tests?
Ageing, Temperature, Active Attacks
True Random Number Generator, Pseudo-Random Number Generator
TRNG -> the root of a cryptographic system
TRNG -> the target of attackers
Solution: On-line testing
33
Timing jitter based TRNG: MURO
Multiple Ring Oscillator TRNG
Figure labels: RO 1, RO 2, RO n, clk
If ROs are independent, when n is sufficiently large, at least one edge is close to the rising edge of clk.
Low accumulated jitter required
Large n
Conceptually corresponding to sampling a RO with a resolution around $T/n$
B. Sunar, W. J. Martin, D. R. Stinson: A Provably Secure True Random Number Generator with Built-in Tolerance to Active Attacks, IEEE TC 2007
K. Wold, C. H. Tan: Analysis and Enhancement of Random Number Generator in FPGA Based on Oscillator Rings, IJRC 2009
34
Timing jitter based TRNG: Coherent Sampling
Figure labels: Clk1, Clk2, Clk1
$T_{Clk1} / T_{Clk2} = 5/7$
Clk1 & Clk2 can be generated by PLLs or free-running RingOSCs.
The case above is conceptually corresponding to sampling a RO with a resolution of $T_{Clk1}/5$ (starting phase difference might not be 0)
P. Kohlbrenner, K. Gaj: An embedded true random number generator for fpgas. FPGA 2004
V. Fischer, M. Drutarovský: True random number generator embedded in reconfigurable hardware. CHES 2002
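An added illustration of the coherent-sampling slide above (not part of the original presentation): this Python sketch enumerates the phases of Clk1 seen at successive Clk2 edges for a period ratio p/q, reproducing the resolution of one fifth of the Clk1 period for 5/7 and generalising to any ratio and starting phase. The function names and the 5000 ps period are constructed for the example.

```python
from fractions import Fraction
from math import gcd


def sampling_phases(p, q, start_phase=Fraction(0), n_samples=None):
    """Phase of Clk1 (as a fraction of its period) at successive Clk2 edges,
    for T_Clk1 / T_Clk2 = p / q. Defaults to one full coherent pattern."""
    if p <= 0 or q <= 0:
        raise ValueError("period ratio must be positive")
    g = gcd(p, q)
    p, q = p // g, q // g              # reduce the ratio to lowest terms
    step = Fraction(q, p)              # T_Clk2 expressed in units of T_Clk1
    count = p if n_samples is None else n_samples
    return [(start_phase + k * step) % 1 for k in range(count)]


def phase_grid(p, q, start_phase=Fraction(0)):
    """Return (number of distinct phases, set of gaps between neighbours)."""
    phases = sorted(set(sampling_phases(p, q, start_phase, 4 * p)))
    gaps = {b - a for a, b in zip(phases, phases[1:])}
    gaps.add(phases[0] + 1 - phases[-1])   # gap across the period boundary
    return len(phases), gaps


def resolution_ps(t_clk1_ps, p, q):
    """Equivalent sampling resolution in ps: T_Clk1 divided by the reduced p."""
    return Fraction(t_clk1_ps) / (p // gcd(p, q))


if __name__ == "__main__":
    # Slide case: T_Clk1 / T_Clk2 = 5/7, starting phase difference 0.
    print("sample order:", [str(x) for x in sampling_phases(5, 7)])
    # A non-zero starting phase shifts the grid but keeps the 1/5 spacing.
    print("offset grid :", phase_grid(5, 7, Fraction(1, 10)))
    # Degenerate ratio: p reduces to 1, so every sample hits the same phase.
    print("ratio 1/3   :", phase_grid(1, 3))
    # Constructed Clk1 period of 5000 ps, used only for this illustration.
    print("resolution  :", resolution_ps(5000, 5, 7), "ps")
```

The samples visit the five phases out of order (0, 2/5, 4/5, 1/5, 3/5), so the full grid is only covered after p consecutive samples.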