
Implementation of TRNGs

used to generate the random bitstream and the TRNG is used to refresh the seed at regular intervals.

In this chapter, several different TRNGs will be compared in order to analyse their performance on an FPGA platform. Post-processing techniques and testing of the statistical properties of TRNGs will also be discussed. These specific designs were chosen as they are, at the time of writing, the most recent designs published and have displayed, in previous implementations, the ability to produce a raw stream of bits with good statistical properties. A detailed list of TRNG designs can also be found in Chapter 4 of [21].

6.2 Implementation of TRNGs

TRNGs are one of the most critical components of a cryptographic system to implement, as they are used to produce secret keys and initialisation vectors for other cryptographic algorithms. A TRNG should be able to provide a high-entropy source of random data at an acceptable bitrate. For this to be possible, the circuit must be able to sample some unpredictable physical source at sufficiently frequent intervals, without there being any correlation between the resulting bits. Sources of entropy on an FPGA are usually in the form of phase or frequency jitter in ring oscillators, or some type of metastable circuit. The underlying physical mechanisms that provide these sources of randomness are generally attributed to the existence of thermal and shot noise in semiconductor devices [21, Section 4.2]. Semiconductor devices are designed to minimise these sources of noise, which therefore makes the implementation of TRNGs using standard logic components a difficult task.

To provide security against an attacker, a TRNG should be implemented within the FPGA, as opposed to being an external component. If the TRNG, which is effectively a noise source, is implemented off-chip, an attacker may be able to inject some bias into the noise source, thus causing the TRNG to fail as a random source. An attacker would also be able to intercept all data that is transmitted between the external RNG and the FPGA, completely compromising the secrecy of the data. When implementing a TRNG inside an FPGA, only digital components are available; this poses a more difficult design challenge when compared to ASICs. Consequently, a large amount of research has been conducted in this area [66, 112, 116, 119, 120].

Although it’s preferable that the TRNG produces a stream of bits with good statistical properties, this is not usually the case. FPGA vendors try to minimise the amount of unpredictable behaviour in their ICs; therefore, designing an unpredictable noise source can be difficult. For this reason, the bitstream generated by most TRNGs contains a certain amount of bias. In order to correct this, some form of post-processing can be applied to the bitstream in order to improve its statistical properties. A common post-processing technique is to use a cryptographic hash function [36, pages 161–182] or PRNG to process the output of the TRNG. A hash function provides a very robust method of post-processing as it has strong cryptographic properties that prevent an adversary from predicting output sequences, see Section 5.3 and [6]. It is also advantageous to monitor the statistical properties of the raw stream of bits that the TRNG produces (i.e., before any post-processing is applied), as TRNGs can at times fail to produce sufficiently random data and it is necessary to be able to detect these events in order to maintain the security of the overall system.
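The following added example (not code from the original text) shows why the monitor has to sit on the raw bits: a heavily biased source fails a simple frequency check, while the same data after SHA-256 post-processing passes it. The biased source, the monobit check, the 2048-to-256 compression ratio and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
import random

RAW_BITS_PER_BLOCK = 2048   # assumption: raw bits hashed into each 256-bit output


def biased_source(n_bits, p_one, seed):
    """Constructed stand-in for a raw TRNG bitstream with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def monobit_z(bits):
    """Standard score of the number of ones against an unbiased source."""
    n = len(bits)
    return (sum(bits) - n / 2) / (math.sqrt(n) / 2)


def pack(bits):
    """Pack bits (MSB first) into bytes; len(bits) must be a multiple of 8."""
    return bytes(
        int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)
    )


def condition(raw_bits):
    """Hash each full block of raw bits with SHA-256 and return the output bits."""
    out = []
    for i in range(0, len(raw_bits) - RAW_BITS_PER_BLOCK + 1, RAW_BITS_PER_BLOCK):
        digest = hashlib.sha256(pack(raw_bits[i:i + RAW_BITS_PER_BLOCK])).digest()
        out.extend((byte >> s) & 1 for byte in digest for s in range(7, -1, -1))
    return out


def demo(p_one=0.9, blocks=200, limit=4.0, seed=1):
    """Compare the frequency check before and after post-processing."""
    raw = biased_source(blocks * RAW_BITS_PER_BLOCK, p_one, seed)
    z_raw, z_out = monobit_z(raw), monobit_z(condition(raw))
    return {"raw_z": z_raw, "raw_ok": abs(z_raw) <= limit,
            "out_z": z_out, "out_ok": abs(z_out) <= limit}


if __name__ == "__main__":
    print(demo())
```

A check placed after the hash would report a healthy generator here even though the entropy source is badly degraded.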

6.2.1 Analysing the Quality of TRNG Output Data

When designing a TRNG, the quality of the output bitstream must be analysed to ensure that the TRNG is working correctly and that the data it produces is sufficiently random. In order to test the quality of a bitstream, several offline test suites have been developed [62, 86, 108, 113]. These test suites can be used, during the design phase, to process a file of binary data taken from the TRNG and will return a pass/fail result as to whether the data has good statistical properties and appears random. This process of testing the statistical properties of the TRNG allows for any weaknesses in the underlying architecture to be found, such as any bias in the output bitstream.

One of the most thorough test suites is the diehard battery of statistical tests [74]. It cannot guarantee that a TRNG is producing truly random data; however, it does indicate what quality of output the circuit is producing. There are 16 diehard tests in total:

1. Birthday spacings test: Based on the birthday paradox, this test uses the input data as birthdays in a year of 2²⁴ days. The spacings between birthdays form a list and the occurrence of each value in the list should follow a certain distribution.

2. Overlapping permutations test: The ordering of each set of 5 consecutive 32 bit numbers from input data are tested. Each set can be in one of 120 orders, which are then counted and should follow a known distribution.

3. Binary rank test for 31 × 31 matrices: The leftmost bits of random integers in

each of the generated matrices is calculated and a chi-squared test is applied to the set of results.

4. Binary rank test for 32 × 32 matrices: Same as test 3, except 32 × 32 matrices are used.

5. Binary rank test for 6 × 8 matrices: Same as test 3, except 6 × 8 matrices are used.

6. Bitstream test on 20 bit words: The input file is divided into overlapping 20 bit words (b0, b1, b2, ..., b20; b1, b2, b3, ..., b21; etc.). Each word can therefore be one of 2²⁰ possible values. The number of missing possibilities is counted and should follow a certain distribution.

7. In a similar method to test 6, the OPSO, OQSO, and DNA tests convert the input data into words and count the number of missing words in the generated sequence. Each test uses a different word length or alphabet.

- Overlapping-Pairs-Sparse-Occupancy (OPSO)
- Overlapping-Quadruples-Sparse-Occupancy (OQSO)
- DNA test

8. Count the 1’s in a stream of bytes: The input test data is broken into a stream of 8 bit bytes. The number of 1’s in each byte is counted and each count converted to a letter, resulting in a sequence of letters based on the input data. This sequence is broken up into overlapping five letter words. The frequency of each possible five letter word is counted and should follow a known distribution.

9. Count the 1’s in specific bytes: Follows the same principle as test 8, however, only one randomly chosen byte in every four of the input bytes is used to generate a letter.

10. Parking lot test: Attempts are made to place circles of radius 1 in a square of side 100 such that they do not overlap. The test data provides the coordinates of each attempt. The number of attempts versus the number of successfully placed circles should follow a known distribution.

11. Minimum distance test: The test data is used to generate the coordinates of 8000 points in a square of side 10000. The square of the minimum distance between points should follow a known distribution.
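Test 6 from the list above, worked through as an added example (not code from the original text or from the diehard suite). The expected count of 141,909 missing words (2^20 · e^-2) and the standard deviation of 428 are the values given in the diehard documentation rather than on this page; `sample_bits` is a constructed stand-in for data captured from a TRNG.

```python
import random

WORD_BITS = 20
N_WORDS = 2 ** 21         # overlapping 20 bit words examined in one run
MEAN_MISSING = 141_909    # 2^20 * e^-2, expected missing words for random input
SIGMA_MISSING = 428       # standard deviation from the diehard documentation


def missing_words(bits):
    """Count the 20 bit values that never occur among N_WORDS overlapping words."""
    stream = iter(bits)
    mask = (1 << WORD_BITS) - 1
    seen = bytearray(1 << WORD_BITS)
    word = 0
    try:
        for _ in range(WORD_BITS - 1):        # prime the sliding window
            word = (word << 1) | next(stream)
        for _ in range(N_WORDS):              # shift in one bit per word
            word = ((word << 1) | next(stream)) & mask
            seen[word] = 1
    except StopIteration:
        need = N_WORDS + WORD_BITS - 1
        raise ValueError(f"bitstream test needs {need} input bits") from None
    return seen.count(0)


def bitstream_z(bits):
    """Standard score of the missing-word count; large |z| indicates a failure."""
    return (missing_words(bits) - MEAN_MISSING) / SIGMA_MISSING


def sample_bits(p_one, seed):
    """Constructed test input: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    for _ in range(N_WORDS + WORD_BITS - 1):
        yield 1 if rng.random() < p_one else 0


if __name__ == "__main__":
    for p in (0.5, 0.6):
        print(f"P(1) = {p}: z = {bitstream_z(sample_bits(p, seed=2024)):.2f}")
```

A bias toward ones leaves many more low-weight words unseen than the expected 141,909, so the score moves far above zero.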
