Abstract -in cryptography, we often require sequences of numbers with unpredictable elements. Such sequences have to pass all known statistical tests for random sequences, e.g. NIST 800-22 test suite, Diehard, TestU01 or UC1. To hamper different attacks, random number generators should be implemented in the same chip as a cryptographic system using random numbers. It forces a designer to create a true random number generator purely digitally. The obtained sequences are biased and do not pass many statistical tests. Therefore an output of the random number generator should be subjected to a transformation called post-processing. In this paper a true random number generator consisted of several uniformly sampled ring oscillators and using hash function SHA-256 as post-processing, is presented. Both components are implemented in a single Field Programmable Gate Array (FPGA). We expect that the proposed solution, implemented in the same FPGA together with a cryptographic system, is more attack-resistant owing to many sources of randomness with significantly different nominal frequencies.
INTRODUCTION
True random number generators are common in many scientific fields. They are used as one of the basic element of cryptographic systems, but also in identification systems as a seed for pseudo-random number generators, and in simulations, e.g., in the Monte Carlo method. True random numbers for cryptographic usage must satisfy certain conditions of security. Output sequences should have good statistical properties verified with the use of statistical tests, e.g. from NIST 800-22 statistical test suite, Diehard, TestU01 or UC1. Apart from perfect statistical properties, the sequences have to be unpredictable, so they should be produced by sources using a non-deterministic phenomenon. Nowadays, true number random generators are based on different physical phenomena, mainly noises, available in electronic devices, e.g. avalanche diode [1] . Those sources generates bits with low bitrate (e.g. about 1Mbit/s). Moreover, they are not resistant to external attacks. Due to this issue, a good solution needs to have an additional circuit or devices, dedicated to detect and disable a potential attack. Second main problem is the lack of possibility to integrate an analog TRNG in one microchip in order to be used in encryption/decryption process in dedicated solutions. Most of cryptographic systems are digital constructions. Therefore, it is expected that true random number generators should be purely digital constructions, simply integrated in one chip. Nowadays there is a trend to find in digital circuits some behaviors or methods that will give possibility to generate random bit sequences "on demand", with high bitrate, without any possibility to having access to elements of the sequences. It is proposed to use generators with jitter which are constructed by using reprogrammable digital circuits or constructions based on meta-stability [2] , [3] . Recently, the most significant are concepts using ring oscillators (RO) or Galois Ring Oscillators (GARO). In both approaches jitter is used for signal generation [2] , [4] . Random bit sequence is obtained by sampling signal generated by RO or GARO with significantly lower frequency. In this paper we propose to use RO generators as basic unit for a combined True Random Number Generator (TRNG) and SHA-256 hash function as postprocessing. Both elements -TRNG and SHA-256, were implemented in the same Virtex 5 FPGA (XL5VLX50T). Through experiments it has been shown that the minimal number of ROs that should be used for building TRNG with SHA-256 to pass all statistical tests from the NIST 800-22 test suite is equal to eight.
The paper is organized as follows. The idea of generating random bits by a combined TRNG with post-processing is presented in Section II. Experiments description and the results are presented in Section III. Sources which have been used to implementation of solution are presented in Section IV. The paper ends with conclusion.
II. TRNG WITH SHA-256 HASH FUNCTION
The simplest TRNG that can be completely integrated with any digital system in the same FPGA used a ring oscillator which output signal is sampled with a D flip-flop. Such kind of TRNG is shown on Figure 1 . Generator uses jitter and frequency drift found in CMOS ring oscillator for random bit generation. A D-type flip-flop is being triggered by a quartz oscillator which establishes the bit rate. 
Uniformly sampled ring oscillator (RO) as a TRNG
The fH frequency is at least several times greater than quartz oscillator frequency fL. Realization of the delay element can be done with even number of inverters, a latches chain or a delay line that is built-in many FPGAs. The greater delay , the lower frequency fH is obtained. Due to insufficient nondeterministic factor in a single RO, it is necessary to combine XOR many independent sources of randomness [2] , [5] , [6] . The combined TRNG is shown in Figure 2 . When all rings are built in the same way, they have similar frequencies. It indicates susceptibility to injection attacks [7] . To prevent such situation it was decided to make ROs with different τ. As delay τ the chain of latches was used. In the first RO -one latch, in the second RO -two latches, and in the N th -N latches. Output bits from the combined TRNG may still be biased and correlated for small N [8] , [9] . To overcome this problem it seems to be necessary to use post-processing [10] . The scheme of TRNG with SHA-256 as post-processing is shown in Figure 3 : Random bits from the combined TRNG are collected in blocks of 8 bits. Afterwards, each byte is stored in FIFO buffer which is 64 byte width. This is made to prepare 512 random bits that are processed by SHA-256. Hash functions are used in cryptography mainly to check integrity and in digital signature schemes. The definition of hash function says that by a hash function h we can call all functions that change input into the output such as out = h(in). Input in can consist of such data like text file, binary file, message, data block etc. In general, the length of input is not limited. A general schema that illustrates how does a hash function works is shown in Figure 4 . A family of hash functions SHA-2 includes SHA-256, SHA-384 and SHA-512. In this paper it was used the SHA-256. The algorithm comes from paper [11] . In its first step, input is processing by adding bit 1, next to the last significant bit and any number of bits 0 that L 512 = 488, where L is length of the message. After that L is added as 64-bits big-edian representation. Next step is that 512 blocks split into smaller 32-bits blocks M 
. After preparation initial register values, the algorithm updates registers: a, b, c, d, e, f, g, and h. This update is calculated in 64 steps from j = 0 to j = 63 and it goes as following: 
As an output, we obtain hash value H (N) of message M generated as:
Hash function returns eight 32-bit words. The bits are sent via buffer and USB interface to a personal computer (PC). In PC the quality of generated sequence has been assessed using NIST 800-22 test suite and the restarts mechanism [6] , [9] , [12] .
III. THE EXPERIMENT DESCRIPTION
At the beginning of experiment only one RO was connected to SHA-256. The sequence of 1Gbit was collected and examined by the NIST 800-22 test suite. The results of experiment were unsatisfactory, most of the tests were failed. The experiment was repeated with added XOR another RObased TRNG (source generator) with different τ till the all tests from NIST 800-22 were passed. During analysis, the final report file from NIST 800-22 package were used. The tests passed a combined TRNG using at least eight RO-based source generators with different frequencies of ROs. The frequencies of ROs are shown in Table I . During testing, two approaches proposed by NIST were applied: (1) examination the proportion R of sequences, that passed a statistical test, and (2) examination of distribution of P-values computed by the software; it means, we examined the value of [12] . The standard set of parameters proposed by NIST in v. 2.1.1 was assumed. The significance level was = 0.01. The minimum passing value for the standard set of parameters was approximately 0.9805. The minimum value was 0.0001. An asterisk * denotes that this test consists of several subtests and that the worst result is shown. For tests marked with **, the minimum passing value for the standard set of parameters was approximately 0.9777. Results of the NIST statistical tests are shown in Table II . The combined TRNG uses eight RO-based source generators. There was also performed test based on restarts mechanism [9] . This test is based on multiple restarts of the combined generator with the same initial conditions. It helps to assess the amount of randomness and pseudo-randomness in generated sequences. If during producing bits the amount of deterministic factor is prevalent, the sequences will be almost the same or exactly the same. When the non-deterministic phenomena prevails, the generated sequences will vary [9] . During the restarts N = 2084 sequences were generated and M = 19968 bits were send to PC for each restart. Next, M chisquare tests were performed. If a single bit in the sequences was produced in a non-deterministic process then chi-square test is passed. A computer program searches the results of 19968 chi-square tests for the greatest m for which the sequences failed the chi-square test for m, m-1 and m-2. For j > m and a given significance level of the test, there is no reason to reject the hypothesis that zeros and ones occur with the same probability in 19968 bit sequences. The smallest j is equal to m+1 and denoted by mmin [9] . The results of the restarts mechanism are shown in Table III . Presented approach was implemented in Virtex-5 (XL5VLX50T). Used resources are presented in Table IV . Those resources are about 9% of all resources available in Virtex-5 (XL5VLX50T) FPGA device.
IV. CONCLUSIONS
The proposed true random number generator is able to provide random bits with average bit rate of 36Mbit/s. The minimal number of RO that should be used when building the combined TRNG with SHA-256 as post-processing is eight. For smaller number of RO-based source generators the combined TRNG does not pass all NIST 800-22 tests. The use of SHA-256 function as post-processing enhances significantly the statistical properties of the output sequences, but it works up to a certain level. When a generator produces sequences with very poor statistical properties, postprocessing with SHA-256 does not improve sufficiently the statistical properties.
