Digital Random Number Generation
• True random numbers are needed for
 - seeding pseudorandom number generators
 - generating cryptographic keys (e.g., one-time pad, symmetric keys, asymmetric keys)
 - generating random nonces and salts
 - protection against side-channel attacks (e.g., random masking of intermediate values)
• A digital random number generator (RNG) uses digital elements only
 - logic gates only, no dedicated analog noise source
 - suitable for implementation on digital chips (ASIC, FPGA)
 - cost effective
Common Digital RNGs
• Ring oscillators (ROs) exploit digital jitter
 - random delays and transition times of logic gates
 - a slow oscillator samples a fast ring oscillator
 - an edge-triggered D-type flip-flop is used for sampling, with the clock and data inputs provided by the slow and the fast ring oscillator, respectively
(Figure: D flip-flop sampling circuit; output labeled Out)

Common Digital RNGs (2)
 - Mutual coupling between the two oscillators reduces their relative phase jitter
 - Sensitivity to jitter is higher near the edges of the oscillating signal, but a sample lands near an edge only rarely
 - A regular oscillating waveform is not suitable for extraction of true randomness by sampling
 - Low entropy rate: most samples are determined by the nominal phase, only samples near an edge carry entropy
 - Can we transform the randomness caused by jitter into a form more suitable for fast sampling?
Common Digital RNGs (3)
• RS latches and edge-triggered flip-flops exploit metastability events 
FPGA Experiments (2)
• An example of a FIRO output signal
Distinguishing between True and Pseudo Randomness
• Usually, randomness is measured by statistical test suites; however, good pseudorandom sequences also pass these tests
• How to distinguish between true and pseudo randomness in a FIRO (Fibonacci ring oscillator) or GARO (Galois ring oscillator)?
• If the oscillator is repeatedly restarted from the same initial conditions, then any difference between the output signals at a given time after the restart is due to true randomness; identical outputs across restarts indicate deterministic (pseudorandom) behaviour (CHES 2007)
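The restart experiment, and the "entropy only near the edges" observation about sampled ring oscillators from the earlier slides, can be reproduced on a toy timing model. The following is an added example and is not code from the original slides or from the CHES 2007 paper: it models a plain fast ring oscillator (not a FIRO or GARO) whose phase performs a Gaussian random walk (accumulated period jitter), sampled by an ideal slow clock through a D flip-flop. The Gaussian phase-walk model, the parameter values and the helper names are assumptions made for illustration.

```python
import math
import random

# Added example (toy timing model, not a circuit simulation). Assumptions:
# the fast RO has rms period jitter jitter_rms, so the timing error accumulated
# over k fast periods has std jitter_rms*sqrt(k); the slow sampling clock is ideal.

def ro_trace(n_samples, fast_period, slow_period, jitter_rms, rng):
    """One run after a restart: the fast RO starts at phase 0 with no accumulated
    jitter and is sampled once per slow period. Returns the sampled bits."""
    bits = []
    t = 0.0
    acc = 0.0  # accumulated timing error (random walk)
    for _ in range(n_samples):
        t += slow_period
        acc += rng.gauss(0.0, jitter_rms * math.sqrt(slow_period / fast_period))
        phase = ((t + acc) / fast_period) % 1.0
        bits.append(1 if phase < 0.5 else 0)
    return bits

def nominal_phase(i, fast_period, slow_period):
    """Phase of the fast RO at the i-th sample (i >= 1) if there were no jitter."""
    return (i * slow_period / fast_period) % 1.0

def restart_experiment(n_restarts, n_samples, fast_period, slow_period, jitter_rms, seed=1):
    """Restart the RO n_restarts times from identical conditions and return, per
    sample index, the fraction of restarts in which that sample was 1.
    A fraction of exactly 0 or 1 means the sample is deterministic; a fraction
    strictly in between can only be caused by true randomness (jitter)."""
    rng = random.Random(seed)
    traces = [ro_trace(n_samples, fast_period, slow_period, jitter_rms, rng)
              for _ in range(n_restarts)]
    return [sum(tr[i] for tr in traces) / n_restarts for i in range(n_samples)]

def min_entropy_per_bit(fractions):
    """Average min-entropy per sample, estimated from the restart fractions."""
    return sum(-math.log2(max(p, 1.0 - p)) for p in fractions) / len(fractions)

def undecided_samples(fractions, lo=0.1, hi=0.9):
    """Indices of samples whose value is not (almost) fixed across restarts."""
    return [i for i, p in enumerate(fractions) if lo < p < hi]

if __name__ == "__main__":
    fast, slow = 1.0, 100.37  # slow clock ~100 fast periods; nominal phase advances 0.37 per sample
    for jitter in (0.0, 0.003, 0.5):
        fr = restart_experiment(2000, 10, fast, slow, jitter)
        print(f"jitter_rms={jitter}: fractions={[round(p, 2) for p in fr]} "
              f"undecided={undecided_samples(fr)} H_min/bit={min_entropy_per_bit(fr):.2f}")
```

With zero jitter every restart gives the same trace, so all fractions are 0 or 1: the sampled sequence is entirely pseudorandom. With small jitter only the samples whose nominal phase falls close to an edge (here sample 4, nominal phase 0.48, and sample 8, nominal phase 0.96) become undecided, which is the low entropy rate of the plain RO. With jitter large enough to smear the phase over a full period, every fraction is close to 0.5.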
Restarting versus Continuous Operation
• Restarting mode: one bit is generated per restart; each restart needs time for the transient voltages to settle; the output bits are statistically independent and, hence, postprocessing is easy (high-security applications)
• Continuous mode: as many bits as needed are generated after a single restart from a fixed state; independence is plausible for higher sampling rates, but pseudo randomness is not ideally separated from true randomness (high-speed applications)
Digital Postprocessing (2)
• If the raw binary sequence is not correlated (i.e., it is a sequence of statistically independent, possibly biased bits, such as in the restarting mode of operation), then one may apply theoretical (provable) algorithms
 - von Neumann algorithm, treating pairs of consecutive bits (01 -> 0, 10 -> 1, 00 and 11 discarded), but inefficient in terms of the entropy rate achieved
 - Juels, Jakobsson, Shriver, Hillyer [JJSH2000] algorithm "How to turn loaded dice into fair coins", treating n-tuples of consecutive bits
 - for any given n, the [JJSH2000] algorithm is provably optimal and, asymptotically in n, is able to extract the full Shannon entropy
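To make the efficiency gap concrete, here is an added example (not code from the slides or from [JJSH2000]) that puts von Neumann's pairwise extractor next to an n-tuple extractor. The n-tuple extractor ranks each n-tuple among all arrangements with the same number of ones and converts the rank into fair bits; this is Elias's rank-based construction, which [JJSH2000] refine into their optimal algorithm, not the [JJSH2000] algorithm itself. Both extractors assume independent bits, as in the restarting mode. The biased sample input is constructed with a seeded generator; function names and parameters are assumptions.

```python
import random
from math import comb

# Added example. Assumption shared with the slides: input bits are independent
# and identically distributed, possibly biased.

def von_neumann(bits):
    """01 -> 0, 10 -> 1, 00 and 11 discarded. Fair for any fixed bias, but yields
    at most one output bit per two input bits (p(1-p) bits per input bit)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # 10 -> 1, 01 -> 0
    return out

def tuple_rank(t):
    """Lexicographic rank of t among all tuples of the same length with the same
    number of ones (combinatorial number system)."""
    n, ones_left, rank = len(t), sum(t), 0
    for i, b in enumerate(t):
        if b == 1:
            # every tuple with a 0 here and the remaining ones placed later is smaller
            rank += comb(n - i - 1, ones_left)
            ones_left -= 1
    return rank

def extract_tuple(t):
    """Map an n-tuple with k ones to fair bits. Under i.i.d. input all C(n,k)
    arrangements are equally likely, so the rank is uniform on [0, C(n,k)).
    Split that range into power-of-two blocks (binary expansion of C(n,k));
    a rank inside a block of size 2^a yields its a-bit offset within the block."""
    total = comb(len(t), sum(t))
    r = tuple_rank(t)
    start = 0
    for a in range(total.bit_length() - 1, -1, -1):
        if (total >> a) & 1:
            if r < start + (1 << a):
                offset = r - start
                return [(offset >> j) & 1 for j in range(a - 1, -1, -1)]
            start += 1 << a
    raise AssertionError("rank outside [0, C(n,k))")

def extract_stream(bits, n):
    """Apply extract_tuple to consecutive non-overlapping n-tuples."""
    out = []
    for i in range(0, len(bits) - n + 1, n):
        out.extend(extract_tuple(bits[i:i + n]))
    return out

def biased_bits(count, p_one, seed=7):
    """Constructed sample input: i.i.d. bits with P(bit = 1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(count)]

def bias(bits):
    return sum(bits) / len(bits)

def compare(n_bits=80_000, p_one=0.3, n=8):
    """Yield (output bits per input bit) and output bias of both extractors."""
    raw = biased_bits(n_bits, p_one)
    vn, el = von_neumann(raw), extract_stream(raw, n)
    return {"raw_bias": bias(raw),
            "vn_yield": len(vn) / len(raw), "vn_bias": bias(vn),
            "elias_yield": len(el) / len(raw), "elias_bias": bias(el)}

if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val:.3f}")
```

For n = 2 the rank extractor coincides with von Neumann (01 and 10 are the two rank values, 00 and 11 yield nothing). For n = 8 and P(1) = 0.3 it returns roughly 0.47 output bits per input bit against 0.21 for von Neumann, while the Shannon entropy of the source is about 0.88 bits per input bit; increasing n closes the remaining gap, which is the asymptotic optimality claim of [JJSH2000].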
Digital Postprocessing (3)
• If the raw binary sequence is possibly correlated (e.g., as in the continuous mode of operation), then one may apply heuristic algorithms
 - the data rate has to be reduced
 - bias and correlations need to be diffused among the output bits
 - a synchronous nonautonomous FSM with one input (raw data) and one output, which implements a sequential transformation
 - the input can be introduced into the next-state function one symbol/bit at a time by using a latin-square/XOR operation
 - the output sequence can be irregularly decimated for speed reduction
Digital Postprocessing (4)
• Theoretical criterion: if the input sequence is purely random, then the output sequence is also purely random
 - e.g., a reversible sequential transformation
 - in particular, the current input bit can be XOR-ed with the current output bit of an autonomous FSM and also with one or more state bits to influence the next state; the FSM initial state can be fixed
• Heuristic criteria:
 - computational indistinguishability from a purely random sequence, for any input sequence (including the all-zero input, i.e., the autonomous FSM alone)
 - a change of the first input bit induces a computationally unpredictable change of the subsequent output sequence (propagation effect)
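The FSM construction of the last two slides, as an added example that is not code from the slides: a 64-bit autonomous FSM whose next-state function is a bijection, a nonlinear output filter, the raw bit XOR-ed into the output and into two state bits, an inverse that recovers the raw input from the output given the fixed initial state (the reversibility argument behind the theoretical criterion), and an irregular, state-controlled decimation for rate reduction. The particular mixing constants, the state bits chosen for injection and decimation, the filter and the initial state are all assumptions chosen for illustration, not a recommended design.

```python
import random

# Added example. Assumptions: 64-bit state, next-state function built from
# add / xor-shift / multiply-by-odd steps (each a bijection), splitmix64-style
# output filter, raw bit injected into state bits 0 and 63, decimation driven
# by state bit 7. None of these choices come from the slides.
MASK64 = (1 << 64) - 1
INC = 0x9E3779B97F4A7C15
MUL = 0xBF58476D1CE4E5B9
INJECT = 0x8000000000000001   # state bits the raw input bit is XOR-ed into
STATE0 = 0x123456789ABCDEF0   # fixed initial state (theoretical criterion allows this)

def next_state(s):
    """Autonomous next-state function g: a bijection on 64-bit states."""
    s = (s + INC) & MASK64
    s ^= s >> 31
    return (s * MUL) & MASK64

def output_bit(s):
    """Nonlinear output filter f of the state (high bit of a splitmix64 finalizer)."""
    z = s
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    z ^= z >> 31
    return z >> 63

def postprocess(raw_bits, state0=STATE0, decimate=False):
    """Nonautonomous FSM: y_t = x_t XOR f(s_t); s_{t+1} = g(s_t) XOR (x_t * INJECT).
    f(s_t) depends only on s_0 and x_0..x_{t-1}, so y_t is x_t one-time-padded with
    a value independent of x_t: purely random input gives purely random output.
    With decimate=True, y_t is emitted only when state bit 7 is set (irregular
    decimation, roughly halving the rate)."""
    s, out = state0, []
    for x in raw_bits:
        y = x ^ output_bit(s)
        if not decimate or (s >> 7) & 1:
            out.append(y)
        s = next_state(s) ^ (INJECT if x else 0)
    return out

def invert(out_bits, state0=STATE0):
    """Reversibility: given s_0 and the undecimated output, recover the raw input."""
    s, raw = state0, []
    for y in out_bits:
        x = y ^ output_bit(s)
        raw.append(x)
        s = next_state(s) ^ (INJECT if x else 0)
    return raw

def propagation(raw_bits, state0=STATE0):
    """Propagation effect: flip the first input bit and return the fraction of
    later output positions that change (about 0.5 for good diffusion)."""
    flipped = [raw_bits[0] ^ 1] + list(raw_bits[1:])
    a, b = postprocess(raw_bits, state0), postprocess(flipped, state0)
    return sum(u != v for u, v in zip(a[1:], b[1:])) / (len(a) - 1)

def biased_bits(count, p_one, seed=5):
    """Constructed sample input standing in for raw (biased) generator output."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(count)]

def bias(bits):
    return sum(bits) / len(bits)

if __name__ == "__main__":
    raw = biased_bits(10_000, 0.3)
    y = postprocess(raw)
    print("raw bias", bias(raw), "output bias", round(bias(y), 3))
    print("inverse recovers input:", invert(y) == raw)
    print("propagation from first-bit flip:", round(propagation(raw), 3))
    print("decimated length:", len(postprocess(raw, decimate=True)))
```

Two things worth noting. The XOR with the autonomous FSM masks the input bias and passes the heuristic criteria (the all-zero input simply yields the FSM's own keystream, and a one-bit input change re-randomizes every later output bit), but it creates no entropy: the output has exactly as much true randomness as the raw input, which is why the slide also requires the data rate to be reduced. And reversibility only holds for the undecimated output; the decimated stream cannot be inverted, which is fine for a generator but means the theoretical criterion must be argued on the stream before decimation.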
