A new TRNG based on coherent sampling with self-timed rings

Random numbers play a key role in applications such as industrial simulations, laboratory experimentation, computer games, and engineering problem solving. The design of new true random generators (TRNGs) has attracted the attention of the research community for many years. Designs with little hardware requirements and high throughput are demanded by new and powerful applications. In this paper, we introduce the design of a novel TRNG based on the coherent sampling (CS) phenomenon. Contrary to most designs based on this phenomenon, ours uses self-timed rings (STRs) instead of the commonly employed ring oscillators (ROs). Our design has two key advantages over existing proposals based on CS. It does not depend on the FPGA vendor used and does not need manual placement and routing in the manufacturing process, resulting in a highly portable generator. Our experiments show that the TRNG offers a very high throughput with a moderate cost in hardware. The results obtained with ENT, DIEHARD, and National Institute of Standards and Technology (NIST) statistical test suites evidence that the output bitstream behaves as a truly random variable.This work was supported in part by the Ministerio de Economia y Competitividad (MINECO), Security and Privacy in the Internet of You (SPINY), under Grant TIN2013-46469-R, and in part by the Comunidad de Madrid (CAM), Cybersecurity, Data, and Risks (CIBERDINE), underGrant S2013/ICE-3095

A Very High Speed True Random Number Generator with Entropy Assessment

International audienceThe proposed true random number generator (TRNG) exploits the jitter of events propagating in a self-timed ring (STR) to generate random bit sequences at a very high bit rate. It takes advantage of a special feature of STRs that allows the time elapsed between successive events to be set as short as needed, even in the order of picoseconds. If the time interval between the events is set in concordance with the clock jitter magnitude, a simple entropy extraction scheme can be applied to generate random numbers. The proposed STR-based TRNG (STRNG) follows AIS31 recommendations: by using the proposed stochastic model, designers can compute a lower entropy bound as a function of the STR characteristics (number of stages, oscillation period and jitter magnitude). Using the resulting entropy assessment, they can then set the compression rate in the arithmetic post-processing block to reach the required security level determined by the entropy per output bit. Implementation of the generator in two FPGA families confirmed its feasibility in digital technologies and also confirmed it can provide high quality random bit sequences that pass the statistical tests required by AIS31 at rates as high as 200 Mbit/s

A Very High Speed True Random Number Generator with Entropy Assessment

International audienceThe proposed true random number generator (TRNG) exploits the jitter of events propagating in a self-timed ring (STR) to generate random bit sequences at a very high bit rate. It takes advantage of a special feature of STRs that allows the time elapsed between successive events to be set as short as needed, even in the order of picoseconds. If the time interval between the events is set in concordance with the clock jitter magnitude, a simple entropy extraction scheme can be applied to generate random numbers. The proposed STR-based TRNG (STRNG) follows AIS31 recommendations: by using the proposed stochastic model, designers can compute a lower entropy bound as a function of the STR characteristics (number of stages, oscillation period and jitter magnitude). Using the resulting entropy assessment, they can then set the compression rate in the arithmetic post-processing block to reach the required security level determined by the entropy per output bit. Implementation of the generator in two FPGA families confirmed its feasibility in digital technologies and also confirmed it can provide high quality random bit sequences that pass the statistical tests required by AIS31 at rates as high as 200 Mbit/s

D2.1 - Report on Selected TRNG and PUF Principles

This report represents the final version of Deliverable 2.1 of the HECTOR work package WP2. It is a result of discussions and work on Task 2.1 of all HECTOR partners involved in WP2. The aim of the Deliverable 2.1 is to select principles of random number generators (RNGs) and physical unclonable functions (PUFs) that fulfill strict technology, design and security criteria. For example, the selected RNGs must be suitable for implementation in logic devices according to the German AIS20/31 standard. Correspondingly, the selected PUFs must be suitable for applying similar security approach. A standard PUF evaluation approach does not exist, yet, but it should be proposed in the framework of the project. Selected RNGs and PUFs should be then thoroughly evaluated from the point of view of security and the most suitable principles should be implemented in logic devices, such as Field Programmable Logic Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs) during the next phases of the project

Comparison of Self-Timed Ring and Inverter Ring Oscillators as Entropy Sources in FPGAs

International audienceMany True Random Numbers Generators (TRNG) use jittery clocks generated in ring oscillators as a source of entropy. This is especially the case in Field Programmable Gate Arrays (FPGA), where sources of randomness are very limited. Inverter Ring Oscillators (IRO) are relatively well characterized as entropy sources. However, it is known that they are very sensitive to working conditions. This fact makes them vulnerable to attacks. On the other hand, Self-Timed Rings (STR) are currently considered as a promising solution to generate robust clock signals. Although many studies deal with their temporal behavior and robustness in Application Specific Integrated Circuits (ASIC), equivalent study does not exist for FPGAs. Furthermore, these oscillators were not analyzed and characterized as entropy sources aimed at TRNG design. In this paper, we analyze STRs as entropy sources for TRNGs implemented in FPGAs. Next, we compare STRs and IROs when serving as sources of randomness. We show that STRs represent very interesting alternative to IROs: they are more robust to environmental fluctuations and they exhibit lower extra-device frequency variations

Hardware design of cryptographic algorithms for low-cost RFID tags

Mención Internacional en el título de doctorRadio Frequency Identification (RFID) is a wireless technology for automatic identification that has experienced a notable growth in the last years. RFID is an important part of the new trend named Internet of Things (IoT), which describes a near future where all the objects are connected to the Internet and can interact between them. The massive deployment of RFID technology depends on device costs and dependability. In order to make these systems dependable, security needs to be added to RFID implementations, as RF communications can be accessed by an attacker who could extract or manipulate private information from the objects. On the other hand, reduced costs usually imply resource-constrained environments. Due to these resource limitations necessary to low-cost implementations, typical cryptographic primitives cannot be used to secure low-cost RFID systems. A new concept emerged due to this necessity, Lightweight Cryptography. This term was used for the first time in 2003 by Vajda et al. and research on this topic has been done widely in the last decade. Several proposals oriented to low-cost RFID systems have been reported in the literature. Many of these proposals do not tackle in a realistic way the multiple restrictions required by the technology or the specifications imposed by the different standards that have arose for these technologies. The objective of this thesis is to contribute in the field of lightweight cryptography oriented to low-cost RFID tags from the microelectronics point of view. First, a study about the implementation of lightweight cryptographic primitives is presented . Specifically, the area used in the implementation, which is one of the most important requirements of the technology as it is directly related to the cost. After this analysis, a footprint area estimator of lightweight algorithms has been developed. This estimator calculates an upper-bound of the area used in the implementation. This estimator will help in making some choices at the algorithmic level, even for designers without hardware design skills. Second, two pseudo-random number generators have been proposed. Pseudorandom number generators are essential cryptographic blocks in RFID systems. According to the most extended RFID standard, EPC Class-1 Gen-2, it is mandatory to include a generator in RFID tags. Several architectures for the two proposed generators have been presented in this thesis and they have been integrated in two authentication protocols, and the main metrics (area, throughput and power consumption) have been analysed. Finally, the topic of True Random Number Generators is studied. These generators are also very important in secure RFID, and are currently a trending research line. A novel generator, presented by Cherkaoui et al., has been evaluated under different attack scenarios. A new true random number generator based on coherent sampling and suitable for low-cost RFID systems has been proposed.La tecnología de Identificación por Radio Frecuencia, más conocida por sus siglas en inglés RFID, se ha convertido en una de las tecnologías de autoidentificación más importantes dentro de la nueva corriente de identificación conocida como Internet de las Cosas (IoT). Esta nueva tendencia describe un futuro donde todos los objetos están conectados a internet y son capaces de identificarse ante otros objetos. La implantación masiva de los sistemas RFID está hoy en día limitada por el coste de los dispositivos y la fiabilidad. Para que este tipo de sistemas sea fiable, es necesario añadir seguridad a las implementaciones RFID, ya que las comunicaciones por radio frecuencia pueden ser fácilmente atacadas y la información sobre objetos comprometida. Por otro lado, para que todos los objetos estén conectados es necesario que el coste de la tecnología de identificación sea muy reducido, lo que significa una gran limitación de recursos en diferentes ámbitos. Dada la limitación de recursos necesaria en implementaciones de bajo coste, las primitivas criptográficas típicas no pueden ser usadas para dotar de seguridad a un sistema RFID de bajo coste. El concepto de primitiva criptográfica ligera fue introducido por primera vez 2003 por Vajda et al. y ha sido desarrollado ampliamente en los últimos años, dando como resultados una serie de algoritmos criptográficos ligeros adecuados para su uso en tecnología RFID de bajo coste. El principal problema de muchos de los algoritmos presentados es que no abordan de forma realista las múltiples limitaciones de la tecnología. El objetivo de esta tesis es el de contribuir en el campo de la criptografía ligera orientada a etiquetas RFID de bajo coste desde el punto de vista de la microelectrónica. En primer lugar se presenta un estudio de la implementación de las primitivas criptográficas ligeras más utilizadas, concretamente analizando el área ocupado por dichas primitivas, ya que es uno de los parámetros críticos considerados a la hora de incluir dichas primitivas criptográficas en los dispositivos RFID de bajo coste. Tras el análisis de estas primitivas se ha desarrollado un estimador de área para algoritmos criptográficos ultraligeros que trata de dar una cota superior del área total ocupada por el algoritmo (incluyendo registros y lógica de control). Este estimador permite al diseñador, en etapas tempranas del diseño y sin tener ningún conocimiento sobre implementaciones, saber si el algoritmo está dentro de los límites de área mpuestos por la tecnología RFID. También se proponen 2 generadores de números pseudo-aleatorios. Estos generadores son uno de los bloques criptográficos más importantes en un sistema RFID. El estándar RFID más extendido entre la industria, EPC Class-1 Gen-2, establece el uso obligatorio de dicho tipo de generadores en las etiquetas RFID. Los generadores propuestos han sido implementados e integrados en 2 protocolos de comunicación orientados a RFID, obteniendo buenos resultados en las principales características del sistema. Por último, se ha estudiado el tema de los generadores de números aleatorios. Este tipo de generadores son frecuentemente usados en seguridad RFID. Actualmente esta línea de investigación es muy popular. En esta tesis, se ha evaluado la seguridad de un novedoso TRNG, presentado por Cherkaoui et al., frente ataques típicos considerados en la literatura. Además, se ha presentado un nuevo TRNG de bajo coste basado en la técnica de muestreo por pares.Programa Oficial de Doctorado en Ingeniería Eléctrica, Electrónica y AutomáticaPresidente: Teresa Riesgo Alcaide.- Secretario: Emilio Olías Ruiz.- Vocal: Giorgio di Natal

True random number generator based on RRAM-bias current starved ring oscillator

This work presents a RRAM-bias current starved ring oscillator (CSRO) as TRNG, where the cycle-to-cycle variability of a RRAM device is exploited as source of randomness. A simple voltage divider composed of this RRAM and a resistor is considered to bias the gate terminal of the extra transistor of every current starved (CS) inverter of the RO. In this way, the delay of the inverters is modified, deriving an unpredictable oscillation frequency every time the RRAM switches to the HRS. The oscillation frequency is finally leveraged to extract the sequence of random bits. The design is simple and add low area overhead. Experimental measurements are performed to analyze the cycle-to-cycle variability in the HRS. The very same measurements are subsequently used to validate the TRNG by means of electrical simulations. The obtained results passed all the NIST tests without the need for post-processing.This work was supported by the Spanish MCIN/AEI/10.13039/501100011033 under Project PID2019-103869RB-C33. The work of M. B. González was supported by the Ramón y Cajal under Grant RYC2020-030150-I.Peer ReviewedPostprint (published version

Implementation and study of a true random number generator

Securing information has been a concern throughout history. Especially nowadays since many user applications such as smart cards or Internet connections deal with sensible data. To protect this information dfferent cryptography protocols are used. These are algorithms that encapsulate the data by ciphering it. However, this is done by programming an application to run a digital mathematical function. This means that it is also possible to program malign applications to decode the cipher. In order to avoid this it is necessary to add unpredictability or randomness to the encoding process which can be done by employing a Random Number Generator. A RNG can be implemented in both software and hardware; however, a truly unpredictable sequence is not achieved through a digital process governed by mathematical formulae. This results in most RNGs producing a form of pseudo-randomness. A True Random Number Generator must be implemented on a technology that allows it to harvest entropy from an unpredictable or even chaotic physical process. This is why TRNGs are designed and implemented for hardware. In fact, it is possible to gather entropy through integrated circuits like ASICs or FPGAs. The objective of this project is to design and implement a TRNG on FPGA technology because its pre-defined logic blocks that only require a small amount of resources make it an appealing solution. First, an analysis of typical RNG designs is presented to understand the between a pseudo-RNG and a TRNG. Once this is stablished, the specific ways of designing TRNGs for integrated circuits are delved into. Moreover, the need for evaluation of the quality of randomness is also stated. This is ensured by a battery of tests that study the statistical properties of the output of a RNG. Secondly, the TRNG design proposals by B ohl on which this project is based on are introduced and analyzed before creating the design and implementation. Afterwards, the four experiments performed are explained. It was decided to first test the behavior of the TRNG at different frequencies to decide which provided randomness with the best quality. Afterwards, the TRNG was placed in different areas of the FPGA at the optimal frequency to test the variability of the device. A third experiment consisted of comparing these results in more devices to further study the variability. The final experiment consisted on forcing a reset of the circuit to ensure that the TRNG was resilient against this type of attacks. Last but not least, the results are summarized and several future developments are presented. After this the legal aspects and management of the project are explained.La protección de información ha sido una constante preocupación a lo largo de la historia. Especialmente hoy en día debido a las muchas aplicaciones que manejan datos confidenciales como tarjetas inteligentes o conexiones a Internet. Para proteger esta información diferentes protocolos criptográficos son usados. Estos son algoritmos que cifran los datos para encapsularlos. Sin embargo, esto se hace programando una aplicación que corre una formula matemática digital. Esto significa que también es posible programar aplicaciones maliciosas para decodificar el cifrado. Para poder evitar esto es necesario añadir aleatoriedad o un elemento impredecible al proceso de codificación. Esto puede hacerse empleando un Generador de Números Aleatorios cuyas siglas en inglés son RNG. Es posible implementar un RNG tanto en software como en hardware; sin embargo, una secuencia realmente impredecible no se puede generar a través de un proceso digital basado en la computación de fórmulas matemáticas. Esto es lo que hace que la mayoría de RNGs produzcan una especie de pseudo-aleatoriedad. Un Generador de Números Realmente Aleatorios (True Random Number Generator o TRNG) debe ser implementado en una tecnología que le permita extraer entropía de un proceso físico impredecible o caótico. Es por esto que los TRNG se implementan en hardware. De hecho, es posible obtener entropía a través de circuitos integrados como ASICs o FPGAs. El objetivo de este proyecto es diseñar e implementar un TRNG en tecnología FPGA puesto que sus bloques lógicos prede finidos que solo necesitan unos recursos reducidos la convierten en una solución atractiva. Se empieza por presentar un análisis de los diseños de RNG típicos para comprender la diferencia entre generadores pseudo aleatorios y TRNGs. Tras esto, se especifica la forma en la que los TRNGs se diseñan para circuitos integrados. Además, se expone la necesidad de evaluar la calidad de la aleatoriedad que se genera. Esta se comprueba a través de una batería de tests que estudian las propiedades estadísticas del output del TRNG. A continuación, las propuestas de diseño de TRNGs de Böhl en las que este proyecto se basa son introducidas y analizadas seguidas del diseño e implementación propios. Tras lo cual se explican los cuatro experimentos realizados. Primero se decidió comprobar el comportamiento del TRNG a diferentes frecuencias con el fin de determinar a cuál de ellas se producía la aleatoriedad de mayor calidad. Segundo, el TRNG fue posicionado en diferentes áreas de la FPGA a la frecuencia óptima para evaluar la variabilidad de la placa. El tercer experimento explora aún más la variabilidad al realizar el experimento anterior en otras placas. El último experimento consistió en forzar un reset del circuito para comprobar la resistencia TRNG ante ataque de este tipo. Finalmente, los resultados obtenidos se presentan resumidos junto con varias propuestas de mejoras futuras. Tras ello se muestran los aspectos legales del proyecto y su gestión.Ingeniería en Tecnologías de Telecomunicació

A true random number generator based on gait data for the Internet of You

The Internet of Things (IoT) is more and more a reality, and every day the number of connected objects increases. The growth is practically exponential -there are currently about 8 billion and expected to reach 21 billion in 2025. The applications of these devices are very diverse and range from home automation, through traffic monitoring or pollution, to sensors to monitor our health or improve our performance. While the potential of their applications seems to be unlimited, the cyber-security of these devices and their communications is critical for a flourishing deployment. Random Number Generators (RNGs) are essential to many security tasks such as seeds for key-generation or nonces used in authentication protocols. Till now, True Random Number Generators (TRNGs) are mainly based on physical phenomena, but there is a new trend that uses signals from our body (e.g., electrocardiograms) as an entropy source. Inspired by the last wave, we propose a new TRNG based on gait data (six 3-axis gyroscopes and accelerometers sensors over the subjects). We test both the quality of the entropic source (NIST SP800-90B) and the quality of the random bits generated (ENT, DIEHARDER and NIST 800-22). From this in-depth analysis, we can conclude that: 1) the gait data is a good source of entropy for random bit generation; 2) our proposed TRNG outputs bits that behave like a random variable. All this confirms the feasibility and the excellent properties of the proposed generator.This work was supported in part by the Spanish Ministry of Economy and Competitiveness under Contract ESP2015-68245-C4-1-P, in part by the Leonardo Grant for Researchers and Cultural Creators, BBVA Foundation under Grant P2019-CARDIOSEC, and in part bythe Comunidad de Madrid, Spain, under Project CYNAMON (P2018/TCS-4566), co-financed by the European Structural Funds (ESF andFEDER

FPGA Security Techniques with Applications to Cloud and Multi-Tenant Use Cases

Field programmable gate arrays (FPGAs) are integrated circuits that consist of programmable logic that a user can configure and deploy for applications such as hardware emulation and accelerating high performance computing. In recent years, the emergence of FPGAs in the cloud has led to research on multi-tenant FPGAs. In a multi-tenant scenario, the same FPGA fabric is shared among multiple users, or among multiple untrusting IP cores. Multi-tenancy has economic benefits, largely due to improvements in resource utilization, but also brings new security concerns since the tenants could behave maliciously. Although the tenants sharing an FPGA are logically isolated from each other, they may still have unintended interactions through side channel attacks and fault attacks. In this dissertation, we aim to evaluate security threats and defenses in the multi-tenant FPGA scenario. Firstly, the work in this dissertation studies a true random number generator (TRNG) on cloud FPGAs that is robust against voltage manipulation from co-tenants. The TRNG design is based on harvesting clock jitter using a tunable time-to-digital converter circuit. In accordance with best practices, a stochastic model is built to evaluate the min-entropy of the design, and further validated by NIST entropy assessment test suite and NIST statistical tests. The basic version of the TRNG is extended with a linkable sampling module to increase min-entropy per sample and throughput at a modest resource cost. Then the dissertation analyzes a type of fault attack that can be conducted by one tenant against another in a multi-tenant setting. Specifically, the fault attack is differential fault intensity analysis (DFIA), which is a biased-fault based attack on Advanced Encryption Standard (AES) circuits. Ring oscillators (ROs) are deployed as effective power wasters to cause a supply voltage drop through the shared power distribution network (PDN) of tenants. The attack is highly relevant to multi-tenant scenarios because the attacking tenant can create the voltage drop without physical access, and can precisely control the shape of the voltage drop by adjusting both the number of activated ROs and their duration as required for the attack. The voltage drop will in turn increase the delay in the logic and eventually cause specific timing faults which are analyzed to successfully recover the AES keys. In the last part, we use on-chip voltage sensors to detect the location of a target circuits. The sensing scheme leverages time-to-digital converters (TDCs) as voltage sensors, and a novel differential analysis is applied to the sensor data. In a multi-tenant setting, this method can be used either as part of a defensive scheme to monitor against attacks, or it can be used to probe a system and determine how to effectively target an attack to a particular co-tenant victim