Random number generators play an important role in the field of cryptography and security. It is often required that a random number generator consists of digital logic blocks only, so that it can be implemented on reconfigurable platforms. Since randomness cannot be proved by statistical tests there is a need for a provably secure hardware random number generator. In order to provide a proof of security, an experimental investigation of various physical effects on reconfigurable platforms is needed. In this paper we focus on the effect of narrow transitions suppression in the logic gates. The estimation of this effect may be crucial for the validity of the security proof of a RNG design. We explain our views on how experiments on FPGA should be performed and we give description of the measurement setup. We show that up to 98% of the transitions are suppressed in our experimental FPGA setup.
INTRODUCTION
Random number generators (RNGs) are important primitives in many cryptographic protocols. They are used for generating challenges and nonce in authentication protocols as well as for generating session keys. Every weakness in generated random sequences (e. g. if Pseudo-RNGs are used instead) can potentially be used to perform an attack and, therefore, represents a threat to the overall security of the system.
There are four major techniques to generate entropy in hardware. These are: direct noise amplification from an analog component [1] , chaotic circuits [2] [3] [4] [5] , metastable circuits [6] [7] and jitter sampling [8] [9] [10] [11] [12] . First two methods require either analog components or specialized A/D and D/A blocks that are not available on all platforms, while metastability-based RNGs have drawbacks such as low bit-rate or the need for the extensive search for a metastable challenge in the PUF-based design. RNGs based on jitter sampling seem like a promising solution for FPGA.
The problem with RNG designs is that they are rearly supported with proofs of security. Authors usually provide results of statistical tests, usually NIST [13] or DIEHARD [14] set of tests, but this only proves that there are no statistical weaknesses in the output, it doesn't prove unpredictability. Since it is impossible to prove randomness with statistical tests, RNG designs should also be supported with mathematical models based on realistic assumptions that are at least experimentally confirmed [15] . Modeling and measuring jitter of ring oscillators on FPGA [16] is a step following that direction. Another issue important for modeling RNGs is the suppression of narrow transitions in XOR networks. In this article we address that issue empirically, by performing measurements on FPGA.
Section 2 of this paper gives the description of a design proposed by Sunar et al. [11] which uses a XOR network for entropy harvesting. Here we also discuss some criticism of this design. Section 3 describes our measurement methodology and in section 4 we give results of our experiments. The conclusion is formed in section 5.
RING OSCILLATOR BASED DESIGN
The RNG design proposed in [11] uses oscillation jitter as a source of randomness. Oscillators are created by connecting an odd number of inverters in a ring configuration. This causes digital value of the oscillator's output to change with a period of approximately 2lt D where l is the number of inverters in an oscillator and t D is the delay of a single inverter. Period of these oscillations varies from cycle to cycle causing jitter of the rising and falling edges. This jitter is a source of randomness. The idea is to sample signal from a point in time that is in close proximity of a transition zone thereby making sampled value unpredictable. The approach taken in this design is to perform a xor operation on many oscillator outputs in order to fill the large portion of time spectrum with transition zones. Figure 1 shows the design architecture. All oscillators have the same number of inverters. Their outputs are connected to a xor network, and the This design has been criticized [17] soon after it appeared. One of the reasons for the criticism was the estimation that the majority of transitions will not propagate through the xor network. When inputs of a 2-input xor gate change state shortly after one another, a glitch should appear at the output. However, if time between input transitions is shorter than or comparable to the gate delay, a glitch will not appear. This causes narrow transitions to be suppressed. Due to a large number of transitions and the inability of the circuit to operate extremely fast, some of the transitions will be cancelled out. MATLAB simulations of this effect [18] showed that at most 50% of the transitions will get lost in the xor tree. On the other hand, SPICE simulations of a design with 114 ring oscillators of length 13 showed that more than 98% of transitions is suppressed [19] . We considered that this issue is important enough to be investigated experimentally and this is the focus of our paper.
MEASUREMENT METHODOLOGY
The approach we have used in our experiments is to implement the complete measurement circuitry on the FPGA. This way measurements are done on chip and only the final results are sent to the output via communication interface. The alternative approach would be to rout signals from the oscillator outputs and xor gates to the output pins and observe waveforms on the oscilloscope. This may, however, lead to a severe signal corruption due to a limited bandwidth of the I/O pads and long routing lines. Also, extra capacitive load may alter the circuit's behavior (e. g. oscillation frequency may drop). If measurements are done on chip then circuit's behavior is minimally affected by the measurement interface. This approach was proposed by Fischer et al. [20] , and it was used for measuring jitter in the ring oscillators.
Oscillators we used are shown on Fig. 2 . They are implemented with a nand gate and an even number of inverters connected in a ring configuration. This allows us to start and stop oscillations by setting the enable signal. Since our goal was to make the circuit minimally affected by the measurement interface, we provided every oscillator with a buffer so that the oscillating frequency is not affected by the extra capacitive load caused by the counters. Connections of oscillators with the xor network and counters are given on Fig. 3 .
Counters are implemented using toggle flip-flops. This is a fast implementation of a transition counter with a critical path of only one inverter. Flip-flop corresponding to the least significant bit is clocked by the input signal, and every other flip-flop is clocked by the inverted value of the previous bit. This implementation was chosen because high frequencies of signals that we are measuring range to 300 MHz which is three times higher than the frequency of the system clock. For this reason, standard method of sampling with a flip-flop and comparing consecutive values, could not be used.
The complete measurement setup is given on Fig. 4 . The circuit we are observing consists of 64 ring oscillators of the same length and a binary xor tree. Measurement circuit consists of counters, time-base generator and control and communication interfaces. Output of each oscillator is connected to a xor tree and also to a corresponding counter. Counters are clocked by oscillators so that the counter value is equal to the number of transitions at the oscillator outputs. The output of a xor tree is also connected to a counter so that the number of these transitions is also measured. Control block is implemented as a finite state machine and it operates in the following way. First, trigger signal is sent to the time base generator and counters are reset. After detecting trigger, time base generator changes output value from zero to one and keeps it for a fixed time period before changing it back to zero. This signal is used as enable signal for the oscillators. During this time, oscillators are running and transitions are propagating through the XOR tree. At the end of the measurement all counter values correspond to the num- Fig. 4 . Measurement setup ber of transitions that happened since the reset signal was applied. In the end counter values are transmitted through communication interface and a serial port. After the transmission is over the whole process can be repeated. Obtained values are used to calculate the ratio of suppressed transitions.
Our design was implemented on a Xilinx XUPV2P development board with a Virtex II Pro FPGA (XC2VP30).
RESULTS
We have performed experiments for several different sizes of ring oscillators. The number of inverters in the ring oscillators l in our measurements ranges from 3 to 23. These are the most probable values to be used in practice since using larger ring oscillators would produce a design that it is no longer practical for compact implementations. Also, the relative jitter of ring oscillators is decreasing as the number of inverter increases which results in less random bits produced in time unit per unit area. This may be another reason why shorter ring lengths are likely to be chosen by the designer.
Histogram on Fig. 5 shows the percentage of suppressed transitions for different values of l. As expected, shorter ring lengths have higher rates of suppressed transitions. This is because smaller ring oscillators oscillate at higher frequencies, hence producing more transitions per time unit. We can see that for all tested ring lengths the ratio of suppressed transitions after six levels of XOR tree is higher than 87% and that for ring length of 3 it reaches 97.6%. This means that a theoretical model that neglects the narrow transitions suppression cannot hold.
In order to estimate suppression rates at different levels of the xor tree we have performed the same type of measurement on a modified setup which also contains counters on intermediate levels of the XOR tree. This measurement was only performed for a ring length of 23. The results are shown on Fig. 6 . In out notation, xor gates conected to the oscillators outputs are labeled level 1, while higher numbers correspond to the gates closer to the output. Level six is the last one and it consists of only one gate. We can see that the suppression ratio is higher in the higher levels of the xor tree. This is simply because there are more input transitions at higher xor tree levels. We can also see that almost 50% of transitions are suppressed at level six. This implies that at level five, a maximal frequency at which a logic gate output can oscillate is reached and only about one half of transitions can pass through. This means that the circuit is overdesigned. Maximal frequency of the xor gate output transitions that we detected in experiments is 570 MHz. For faster ring oscillators this frequency can be reached before level five.
CONCLUSIONS
Even though it is not possible to prove randomness of a RNG by means of testing, the physical effects on which RNG relies, can often be investigated empirically. It is our belief that testing a RNG should include not only statistical tests of the output stream, but also a set of experiments which verify assumptions about the physical effects. Proof of security is valid only if all assumptions made in the model correspond to the experimental results. For our investigation of a narrow transitions supression effect we have created a measurement setup in which complete measurement interface is implemented on the FPGA and only the final results are transmitted. We have explained our methods for making the circuit under test unsensitive to the measurement interface. We have shown that the effect of suppression of narrow transitions cannot be neglected. Our results show that over 87% of transitions are lost in the xor tree for all tested values of ring lengths. Further more we have investigated transition suppression at different levels of a xor tree and provided results. The results indicate that there is a maximal frequency at which the output of a logic gate can oscillate. This frequency is reached at a certain level. If the goal is to increase the number of transitions at the output than using a xor network with more levels would have no effect and would only lead to an overdesigned circuit. A theoretical model of a RNG design that uses xor network for entropy extraction should take experimental data provided into account.
ACKNOWLEDGEMENTS
This work was supported in part by the K.U.Leuven, by the IBBT, and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy).
