CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France [email protected]...

12
CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France [email protected] Miloš Drutarovský Technical University of Košice, Slovakia [email protected] True Random Number Generator Embedded in Reconfigurable Hardware

Transcript of CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France [email protected]...

Page 1: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 11

Viktor Fischer Université Jean Monnet,

Saint-Etienne, France

[email protected]

Miloš Drutarovský

Technical University of Košice,

Slovakia

[email protected]

Viktor Fischer Université Jean Monnet,

Saint-Etienne, France

[email protected]

Miloš Drutarovský

Technical University of Košice,

Slovakia

[email protected] Random Number Generator Embedded in Reconfigurable Hardware

True Random Number Generator Embedded in Reconfigurable Hardware

Page 2: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 22

IntroductionIntroduction

Motivation Motivation • Embedded cryptographic system in reconfigurable hardware - system in a programmable chip (SOPC) solution

• Embedded cryptographic system in reconfigurable hardware - system in a programmable chip (SOPC) solution

OfferingOffering • Higher security

• Lower price

• Adaptability

• Higher security

• Lower price

• Adaptability

ProblemProblem • Missing cryptographic primitive in programmable logic applications - True Random Number Generator (TRNG)

• Missing cryptographic primitive in programmable logic applications - True Random Number Generator (TRNG)

Page 3: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 33

Source of randomness

Source of randomness

Problem Problem Field Programmable Logic Device (FPLD) - suitable especially for pseudo-random number generators (logic circuitry), usually the source of randomness is missing

Field Programmable Logic Device (FPLD) - suitable especially for pseudo-random number generators (logic circuitry), usually the source of randomness is missing

SolutionSolution Analog part of recent FPLD - a PLL used usually for the clock synthesis - introduces very small random jitter

Analog part of recent FPLD - a PLL used usually for the clock synthesis - introduces very small random jitter

Jitter parametersJitter parameters

Page 4: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 44

Analog PLL in Altera FPLD

Analog PLL in Altera FPLD

• Analog PLL with high multiplication and division factors (up to 160)

• Used for high-speed clock generation (typically up to 200 MHz)

• Instability reduced to a minimum - clock jitter 1-sigma value: ~ 15 ps (very good for a clock synthesis, less good for a TRNG implementation)

• Analog PLL with high multiplication and division factors (up to 160)

• Used for high-speed clock generation (typically up to 200 MHz)

• Instability reduced to a minimum - clock jitter 1-sigma value: ~ 15 ps (very good for a clock synthesis, less good for a TRNG implementation)

Parameters Parameters

:n

PhaseComparator

:k

:v:m

Voltage-ControlledOscillator

ClockShiftCircuitry

InputClock

FOUT1=FINm

n k

FOUT2=FINm

n v

FIN

Page 5: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 55

TRNG principleTRNG principle

• Summation modulo 2 of the synthesized clock signal (CLJ) sampled in the fixed clock intervals (CLK) during the period TQ

• If FCLJ = FCLK KM / KD

and KM and KD are relative primes

then

TQ = KD TCLK = KM TCLJ

• Summation modulo 2 of the synthesized clock signal (CLJ) sampled in the fixed clock intervals (CLK) during the period TQ

• If FCLJ = FCLK KM / KD

and KM and KD are relative primes

then

TQ = KD TCLK = KM TCLJ

Principle Principle

CLK

PLL D

CLK

QCLJ x(nTQ)Decimator

(KD)

q(nTCLK)

Page 6: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 66

Example of the clock relationship

KM = 5KD = 7

FCLJ < FCLK

Example of the clock relationship

KM = 5KD = 7

FCLJ < FCLK

• Sampling of the signal CLJ in KD discrete positions (phases)

• Sampling of the signal CLJ in KD discrete positions (phases)

Note Note

jit > TCLJ /4 KD = TCLK /4 KMjit > TCLJ /4 KD = TCLK /4 KM

Condition for the jitter detection

Condition for the jitter detection

T = 2MAX(Tmin)

CLK

CLJ

TQ

Q

Tmin= 0jit

3 4

6 1

2 5

5 2

1 6

4 3

7 0

Critical samples

Page 7: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 77

TRNG realizationTRNG realization

• Increases the probability of CLK and CLJ edge zones overlapping during the TQ period

• Increases the probability of CLK and CLJ edge zones overlapping during the TQ period

XOR corrector XOR corrector

• Removes deterministic part of the signal with the TQ period

• Removes deterministic part of the signal with the TQ period

XOR decimator XOR decimator

CLK

PLL D

CLK

QCLJ

. . .

xXOR(nTCLK)x(nTQ)Decimator

(KD)

D

CLK

Q

D

CLK

Q XOR Decimator

XOR Corrector

Page 8: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 88

Hardware testing equipment

Hardware testing equipment Altera NIOS development board based on

APEX20K200-2X deviceAltera NIOS development board based on APEX20K200-2X device

PLLs configuration

PLLs configuration

• TRNG

• 4 kB FIFO and I/O control logic

• TRNG

• 4 kB FIFO and I/O control logic

Implemented blocks Implemented blocks

FEXT = 88.245 MHz

PLL4clk1

clk0

PLL2

clk1

clk0

inclk

inclkFEXT

112 = 2.775 MHz

FEXT = 33.3 MHz

FEXT15748 = 108.918 MHz

1595 12

4 DedicatedClocks

G4 G2 G1 G3

2.775 MHz

CLK

:2CLJ

• KM = 785, KD = 1272, TCLK /4KM = 7.2 ps < jit • KM = 785, KD = 1272, TCLK /4KM = 7.2 ps < jit Parameters Parameters

Page 9: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 99

Hardware implementation

Hardware implementation

Description language

Description language

• AHDL

• VHDL

• AHDL

• VHDL

Difficulties Difficulties • Simulation of the jitter and simulation of the TRNG performance is impossible

• Placement and routing results are very important

• Simulation of the jitter and simulation of the TRNG performance is impossible

• Placement and routing results are very important

Development tools Development tools • Quartus II, version 2.0• Quartus II, version 2.0

Requirements Requirements TRNG only TRNG + FIFODevice LCs

#LCs%

ESBs#

ESBs%

LCs#

LCs%

ESBs#

ESBs%

EP20K200EFC484-2X 48 0.6 0 0 121 1.5 4 7.7

Page 10: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 1010

Tests results Tests results

Mean values for 1-Gigabit records

Mean values for 1-Gigabit records

For very long records some small bias can be noticed, this bias should be negligible for cryptographic applications and it can be further reduced

For very long records some small bias can be noticed, this bias should be negligible for cryptographic applications and it can be further reduced

Record 1 2 3 4 5Board A B B B BMean 0.500001 0.500109 0.500001 0.50012 0.50012

Conclusion Conclusion

Frequency, Block-Freq., Cusum, Runs, Long-Run, Rank, FFT, Periodic-Template, Universal, Apen, Serial, Lempel-Ziv, Linear-Complexity

Frequency, Block-Freq., Cusum, Runs, Long-Run, Rank, FFT, Periodic-Template, Universal, Apen, Serial, Lempel-Ziv, Linear-Complexity

NIST test suite NIST test suite

All the tests have passed with some small deviation for some FFT tests All the tests have passed with some small deviation for some FFT tests

Conclusion Conclusion

Page 11: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 1111

ConclusionsConclusions

We have proposed a new method for the true random number generator implementation in reconfigurable hardware:

• the principle of randomness extraction is very reliable (independ on voltage and temperature fluctuation)

• since no external component is needed, it seems to be very difficult to manipulate the generator output values

• the principle is adaptable to all devices using analog PLL with sufficiently high KM and KD and relatively high jitter (all recent Altera FPLDs, some other FPLDs, ASICs, etc.)

We have proposed a new method for the true random number generator implementation in reconfigurable hardware:

• the principle of randomness extraction is very reliable (independ on voltage and temperature fluctuation)

• since no external component is needed, it seems to be very difficult to manipulate the generator output values

• the principle is adaptable to all devices using analog PLL with sufficiently high KM and KD and relatively high jitter (all recent Altera FPLDs, some other FPLDs, ASICs, etc.)

Page 12: CHES 2002 1 Viktor Fischer Université Jean Monnet, Saint-Etienne, France fischer@univ-st-etienne.fr Miloš Drutarovský Technical University of Košice,

CHES 2002 CHES 2002 1212

PerspectivesPerspectives

• Intensive testing in cooperation with other (specialized) organizations

• Improvement of the characteristics of the XOR corrector to reduce the bias

• Exact measurement of the jitter in different conditions

• Design of the complete IP block including on-line FIPS tests

• Improvement of the strategy of the choice of multiplication and division factors

• Intensive testing in cooperation with other (specialized) organizations

• Improvement of the characteristics of the XOR corrector to reduce the bias

• Exact measurement of the jitter in different conditions

• Design of the complete IP block including on-line FIPS tests

• Improvement of the strategy of the choice of multiplication and division factors