On-chip jitter measurement for true random number generators

Applications of true random number generators (TRNGs) span from art to numerical computing and system security. In cryptographic applications, TRNGs are used for generating new keys, nonces and masks. For this reason, a TRNG is an essential building block and often a point of failure for embedded security systems. One type of primitives that are widely used as source of randomness are ring oscillators. For a ring-oscillator-based TRNG, the true randomness originates from its timing jitter. Therefore, determining the jitter strength is essential to estimate the quality of a TRNG. In this paper, we propose a method to measure the jitter strength of a ring oscillator implemented on an FPGA. The fast tapped delay chain is utilized to perform the on-chip measurement with a high resolution. The proposed method is implemented on both a Xilinx FPGA and an Intel FPGA. Fast carry logic components on different FPGAs are used to implement the fast delay line. This carry logic component is designed to be fast and has dedicated routing, which enables a precise measurement. The differential structure of the delay chain is used to thwart the influence of undesirable noise from the measurement. The proposed methodology can be applied to other FPGA families and ASIC designs

D2.1 - Report on Selected TRNG and PUF Principles

This report represents the final version of Deliverable 2.1 of the HECTOR work package WP2. It is a result of discussions and work on Task 2.1 of all HECTOR partners involved in WP2. The aim of the Deliverable 2.1 is to select principles of random number generators (RNGs) and physical unclonable functions (PUFs) that fulfill strict technology, design and security criteria. For example, the selected RNGs must be suitable for implementation in logic devices according to the German AIS20/31 standard. Correspondingly, the selected PUFs must be suitable for applying similar security approach. A standard PUF evaluation approach does not exist, yet, but it should be proposed in the framework of the project. Selected RNGs and PUFs should be then thoroughly evaluated from the point of view of security and the most suitable principles should be implemented in logic devices, such as Field Programmable Logic Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs) during the next phases of the project

A STANDARDS COMPLIANT ENTROPY SOURCE WITH A FAST ON-THE-FLY ENTROPY DEGRADATION DETECTION AND CORRECTION

Since the advent of technology and world digitalization, most human interaction relies on data exchange through cloud servers on the internet. However, with the innovation also arose concerns about users' privacy and vulnerability. Therefore, cryptography and authentication are essential to protect users' data so only the owner and trusted parties can access it. The security system is the module responsible for securing data inside the devices. The hardware root of trust dwells inside the security system module. True random number generators are the most crucial root of trust devices since they generate the encryption keys. A weak key gives an advantage to an intruder to quickly break the cryptography and steal the data. However, true random number generators are powered by entropy sources susceptible to voltage, temperature, and process variation, which degrades the key entropy. This work proposes an all-digital reconfigurable entropy source with a dual-mode digital processing unit for entropy degradation detection and correction. The processing unit is powered by a subset of statistical tests from the national institute of Standards and Technologies (NIST) and the German Federal Office for Information Security (BSI), which detect and recover the entropy source output entropy within 1.5ms, 15 to 525x faster than similar works. Measured results show that the application specific integrated circuit (ASIC) entropy source yields random bits at a throughput of 1Mb/s with a min-entropy of 0.993 bits at 0.8V. The design consumes up to 42.6μW and occupies an area of 2834μm2 (without the on-chip register bank). Moreover, both the ASIC and the field programable array (FPGA) implementations passed all the NIST and BSI certification testing procedures

Design of hardware-orientated security towards trusted electronics.

While the Internet of Things (IoT) becomes one of the critical components in the cyber-physical system of industry 4.0, its root of trust still lacks consideration. The purpose of this thesis was to increase the root of trust in electronic devices by enhance the reliability, testability, and security of the bottom layer of the IoT system, which is the Very Large-Scale Integration (VLSI) device. This was achieved by implement a new class of security primitive to secure the IJTAG network as an access point for testing and programming. The proposed security primitive expands the properties of a Physically Unclonable Function (PUF) to generate two different responses from a single challenge. The development of such feature was done using the ring counter circuit as the source of randomness of the PUF to increase the efficiency of the proposed PUF. The efficiency of the newly developed PUF was measured by comparing its properties with the properties of a legacy PUF. The randomness test done for the PUF shows that it has a limitation when implemented in sub-nm devices. However, when it was implemented in current 28nm silicon technology, it increases the sensitivity of the PUF as a sensor to detect malicious modification to the FPGA configuration file. Moreover, the efficiency of the developed bimodal PUF increases by 20.4% compared to the legacy PUF. This shows that the proposed security primitive proves to be more dependable and trustworthy than the previously proposed approach.Samie, Mohammad (Associate)PhD in Transport System

Improving Quantum Key Distribution and Quantum Random Number Generation in presence of Noise

The argument of this thesis might be summed up as the exploitation of the noise to generate better noise. More specifically this work is about the possibility of exploiting classic noise to effectively transmit quantum information and measuring quantum noise to generate better quantum randomness. What do i mean by exploiting classical noise to transmit effectively quantum information? In this case I refer to the task of sending quantum bits through the atmosphere in order set up transmissions of quantum key distribution (QKD) and this will be the subject of Chapter 1 and Chapter 2. In the Quantum Communications framework, QKD represents a topic with challenging problems both theoretical and experimental. In principle QKD offers unconditional security, however practical realizations of it must face all the limitations of the real world. One of the main limitation are the losses introduced by real transmission channels. Losses cause errors and errors make the protocol less secure because an eavesdropper could try to hide his activity behind the losses. When this problem is addressed under a full theoretical point of view, one tries to model the effect of losses by means of unitary transforms which affect the qubits in average according a fixed level of link attenuation. However this approach is somehow limiting because if one has a high level of background noise and the losses are assumed in average constant, it could happen that the protocol might abort or not even start, being the predicted QBER to high. To address this problem and generate key when normally it would not be possible, we have proposed an adaptive real time selection (ARTS) scheme where transmissivity peaks are instantaneously detected. In fact, an additional resource may be introduced to estimate the link transmissivity in its intrinsic time scale with the use of an auxiliary classical laser beam co-propagating with the qubits but conveniently interleaved in time. In this way the link scintillation is monitored in real time and the selection of the time intervals of high channel transmissivity corresponding to a viable QBER for a positive key generation is made available. In Chapter 2 we present a demonstration of this protocol in conditions of losses equivalent to long distance and satellite links, and with a range of scintillation corresponding to moderate to severe weather. A useful criterion for the preselection of the low QBER interval is presented that employs a train of intense pulses propagating in the same path as the qubits, with parameters chosen such that its fluctuation in time reproduces that of the quantum communication. For what concern the content of Chapter 3 we describe a novel principle for true random number generator (TRNG) which is based on the observation that a coherent beam of light crossing a very long path with atmospheric turbulence may generate random and rapidly varying images. To implement our method in a proof of concept demonstrator, we have chosen a very long free space channel used in the last years for experiments in Quantum Communications at the Canary Islands. Here, after a propagation of 143 km at an altitude of the terminals of about 2400 m, the turbulence in the path is converted into a dynamical speckle at the receiver. The source of entropy is then the atmospheric turbulence. Indeed, for such a long path, a solution of the Navier-Stokes equations for the {atmospheric flow in which the beam propagates is out of reach. Several models are based on the Kolmogorov statistical theory, which parametrizes the repartition of kinetic energy as the interaction of decreasing size eddies. However, such models only provide a statistical description for the spot of the beam and its wandering and never an instantaneous prediction for the irradiance distribution. These are mainly ruled by temperature variations and by the wind and cause fluctuations in the air refractive index. For such reason, when a laser beam is sent across the atmosphere, this latter may be considered as a dynamic volumetric scatterer which distorts the beam wavefront. We will evaluate the experimental data to ensure that the images are uniform and independent. Moreover, we will assess that our method for the randomness extraction based on the combinatorial analysis is optimal in the context of Information Theory. In Chapter 5 we will present a new approach for what concerns the generation of random bits from quantum physical processes. Quantum Mechanics has been always regarded as a possible and valuable source of randomness, because of its intrinsic probabilistic Nature. However the typical paradigm is employed to extract random number from a quantum system it commonly assumes that the state of said system is pure. Such assumption, only in theory would lead to full and unpredictable randomness. The main issue however it is that in real implementations, such as in a laboratory or in some commercial device, it is hardly possible to forge a pure quantum state. One has then to deal with quantum state featuring some degree of mixedness. A mixed state however might be somehow correlated with some other system which is hold by an adversary, a quantum eavesdropper. In the extreme case of a full mixed state, practically one it is like if he is extracting random numbers from a classical state. In order to do that we will show how it is important to shift from a classical randomness estimator, such as the min-classical entropy H-min(Z) of a random variable Z to quantum ones such as the min-entropy conditioned on quantum side information E. We have devised an effective protocol based on the entropic uncertainty principle for the estimation of the min-conditional entropy. The entropic uncertainty principle lets one to take in account the information which is shared between multiple parties holding a multipartite quantum system and, more importantly, lets one to bound the information a party has on the system state after that it has been measured. We adapted such principle to the bipartite case where an user Alice, A, is supplied with a quantum system prepared by the provider Eve, E, who could be maliciously correlated to it. In principle then Eve might be able to predict all the outcomes of the measurements Alice performs on the basis Z in order to extract random numbers from the system. However we will show that if Alice randomly switches from the measurement basis to a basis X mutually unbiased to Z, she can lower bound the min entropy conditioned to the side information of Eve. In this way for Alice is possible to expand a small initial random seed in a much larger amount of trusted numbers. We present the results of an experimental demonstration of the protocol where random numbers passing the most rigorous classical tests of randomness were produced. In Chapter 6, we will provide a secure generation scheme for a continuos variable (CV) QRNG. Since random true random numbers are an invaluable resource for both the classical Information Technology and the uprising Quantum one, it is clear that to sustain the present and future even growing fluxes of data to encrypt it is necessary to devise quantum random number generators able to generate numbers in the rate of Gigabit or Terabit per second. In the Literature are given several examples of QRNG protocols which in theory could reach such limits. Typically, these are based on the exploitation of the quadratures of the electro-magnetic field, regarded as an infinite bosonic quantum system. The quadratures of the field can be measured with a well known measurement scheme, the so called homodyne detection scheme which, in principle, can yield an infinite band noise. Consequently the band of the random signal is limited only by the passband of the devices used to measure it. Photodiodes detectors work commonly in the GHz band, so if one sample the signal with an ADC enough fast, the Gigabit or Terabit rates can be easily reached. However, as in the case of discrete variable QRNG, the protocols that one can find in the Literature, do not properly consider the purity of the quantum state being measured. The idea has been to extend the discrete variable protocol of the previous Chapter, to the Continuous case. We will show how in the CV framework, not only the problem of the state purity is given but also the problem related to the precision of the measurements used to extract the randomness

Hardware design of cryptographic algorithms for low-cost RFID tags

Mención Internacional en el título de doctorRadio Frequency Identification (RFID) is a wireless technology for automatic identification that has experienced a notable growth in the last years. RFID is an important part of the new trend named Internet of Things (IoT), which describes a near future where all the objects are connected to the Internet and can interact between them. The massive deployment of RFID technology depends on device costs and dependability. In order to make these systems dependable, security needs to be added to RFID implementations, as RF communications can be accessed by an attacker who could extract or manipulate private information from the objects. On the other hand, reduced costs usually imply resource-constrained environments. Due to these resource limitations necessary to low-cost implementations, typical cryptographic primitives cannot be used to secure low-cost RFID systems. A new concept emerged due to this necessity, Lightweight Cryptography. This term was used for the first time in 2003 by Vajda et al. and research on this topic has been done widely in the last decade. Several proposals oriented to low-cost RFID systems have been reported in the literature. Many of these proposals do not tackle in a realistic way the multiple restrictions required by the technology or the specifications imposed by the different standards that have arose for these technologies. The objective of this thesis is to contribute in the field of lightweight cryptography oriented to low-cost RFID tags from the microelectronics point of view. First, a study about the implementation of lightweight cryptographic primitives is presented . Specifically, the area used in the implementation, which is one of the most important requirements of the technology as it is directly related to the cost. After this analysis, a footprint area estimator of lightweight algorithms has been developed. This estimator calculates an upper-bound of the area used in the implementation. This estimator will help in making some choices at the algorithmic level, even for designers without hardware design skills. Second, two pseudo-random number generators have been proposed. Pseudorandom number generators are essential cryptographic blocks in RFID systems. According to the most extended RFID standard, EPC Class-1 Gen-2, it is mandatory to include a generator in RFID tags. Several architectures for the two proposed generators have been presented in this thesis and they have been integrated in two authentication protocols, and the main metrics (area, throughput and power consumption) have been analysed. Finally, the topic of True Random Number Generators is studied. These generators are also very important in secure RFID, and are currently a trending research line. A novel generator, presented by Cherkaoui et al., has been evaluated under different attack scenarios. A new true random number generator based on coherent sampling and suitable for low-cost RFID systems has been proposed.La tecnología de Identificación por Radio Frecuencia, más conocida por sus siglas en inglés RFID, se ha convertido en una de las tecnologías de autoidentificación más importantes dentro de la nueva corriente de identificación conocida como Internet de las Cosas (IoT). Esta nueva tendencia describe un futuro donde todos los objetos están conectados a internet y son capaces de identificarse ante otros objetos. La implantación masiva de los sistemas RFID está hoy en día limitada por el coste de los dispositivos y la fiabilidad. Para que este tipo de sistemas sea fiable, es necesario añadir seguridad a las implementaciones RFID, ya que las comunicaciones por radio frecuencia pueden ser fácilmente atacadas y la información sobre objetos comprometida. Por otro lado, para que todos los objetos estén conectados es necesario que el coste de la tecnología de identificación sea muy reducido, lo que significa una gran limitación de recursos en diferentes ámbitos. Dada la limitación de recursos necesaria en implementaciones de bajo coste, las primitivas criptográficas típicas no pueden ser usadas para dotar de seguridad a un sistema RFID de bajo coste. El concepto de primitiva criptográfica ligera fue introducido por primera vez 2003 por Vajda et al. y ha sido desarrollado ampliamente en los últimos años, dando como resultados una serie de algoritmos criptográficos ligeros adecuados para su uso en tecnología RFID de bajo coste. El principal problema de muchos de los algoritmos presentados es que no abordan de forma realista las múltiples limitaciones de la tecnología. El objetivo de esta tesis es el de contribuir en el campo de la criptografía ligera orientada a etiquetas RFID de bajo coste desde el punto de vista de la microelectrónica. En primer lugar se presenta un estudio de la implementación de las primitivas criptográficas ligeras más utilizadas, concretamente analizando el área ocupado por dichas primitivas, ya que es uno de los parámetros críticos considerados a la hora de incluir dichas primitivas criptográficas en los dispositivos RFID de bajo coste. Tras el análisis de estas primitivas se ha desarrollado un estimador de área para algoritmos criptográficos ultraligeros que trata de dar una cota superior del área total ocupada por el algoritmo (incluyendo registros y lógica de control). Este estimador permite al diseñador, en etapas tempranas del diseño y sin tener ningún conocimiento sobre implementaciones, saber si el algoritmo está dentro de los límites de área mpuestos por la tecnología RFID. También se proponen 2 generadores de números pseudo-aleatorios. Estos generadores son uno de los bloques criptográficos más importantes en un sistema RFID. El estándar RFID más extendido entre la industria, EPC Class-1 Gen-2, establece el uso obligatorio de dicho tipo de generadores en las etiquetas RFID. Los generadores propuestos han sido implementados e integrados en 2 protocolos de comunicación orientados a RFID, obteniendo buenos resultados en las principales características del sistema. Por último, se ha estudiado el tema de los generadores de números aleatorios. Este tipo de generadores son frecuentemente usados en seguridad RFID. Actualmente esta línea de investigación es muy popular. En esta tesis, se ha evaluado la seguridad de un novedoso TRNG, presentado por Cherkaoui et al., frente ataques típicos considerados en la literatura. Además, se ha presentado un nuevo TRNG de bajo coste basado en la técnica de muestreo por pares.Programa Oficial de Doctorado en Ingeniería Eléctrica, Electrónica y AutomáticaPresidente: Teresa Riesgo Alcaide.- Secretario: Emilio Olías Ruiz.- Vocal: Giorgio di Natal

Distributed EaaS simulation using TEEs: A case study in the implementation and practical application of an embedded computer cluster

Internet of Things (IoT) devices with limited resources struggle to generate the high-quality entropy required for high-quality randomness. This results in weak cryptographic keys. As keys are a single point of failure in modern cryptography, IoT devices performing cryptographic operations may be susceptible to a variety of attacks. To address this issue, we develop an Entropy as a Service (EaaS) simulation. The purpose of EaaS is to provide IoT devices with high-quality entropy as a service so that they can use it to generate strong keys. Additionally, we utilise Trusted Execution Environments (TEEs) in the simulation. TEE is a secure processor component that provides data protection, integrity, and confidentiality for select applications running on the processor by isolating them from other system processes (including the OS). TEE thereby enhances system security. The EaaS simulation is performed on a computer cluster known as the Magi cluster. Magi cluster is a private computer cluster that has been designed, built, configured, and tested as part of this thesis to meet the requirements of Tampere University's Network and Information Security Group (NISEC). In this thesis, we explain how the Magi cluster is implemented and how it is utilised to conduct a distributed EaaS simulation utilising TEEs.Esineiden internetin (Internet of Things, IoT) laitteilla on tyypillisesti rajallisten resurssien vuoksi haasteita tuottaa tarpeeksi korkealaatuista entropiaa vahvan satunnaisuuden luomiseen. Tämä johtaa heikkoihin salausavaimiin. Koska salausavaimet ovat modernin kryptografian heikoin lenkki, IoT-laitteilla tehtävät kryptografiset operaatiot saattavat olla haavoittuvaisia useita erilaisia hyökkäyksiä vastaan. Ratkaistaksemme tämän ongelman kehitämme simulaation, joka tarjoaa IoT-laitteille vahvaa entropiaa palveluna (Entropy as a Service, EaaS). EaaS-simulaation ideana on jakaa korkealaatuista entropiaa palveluna IoT-laitteille, jotta ne pystyvät luomaan vahvoja salausavaimia. Hyödynnämme simulaatiossa lisäksi luotettuja suoritusympäristöjä (Trusted Execution Environment, TEE). TEE on prosessorilla oleva erillinen komponentti, joka tarjoaa eristetyn ja turvallisen ajoympäristön valituille ohjelmille. TEE:tä hyödyntämällä ajonaikaiselle ohjelmalle voidaan taata datan suojaus, luottamuksellisuus sekä eheys eristämällä se muista järjestelmällä ajetuista ohjelmista (mukaan lukien käyttöjärjestelmä). Näin ollen TEE parantaa järjestelmän tietoturvallisuutta. EaaS-simulaatio toteutetaan Magi-nimisellä tietokoneklusterilla. Magi on Tampereen Yliopiston Network and Information Security Group (NISEC) -tutkimusryhmän oma yksityinen klusteri, joka on suunniteltu, rakennettu, määritelty ja testattu osana tätä diplomityötä. Tässä diplomityössä käymme läpi, kuinka Magi-klusteri on toteutettu ja kuinka sillä toteutetaan hajautettu EaaS-simulaatio hyödyntäen TEE:itä

Geração de números verdadeiramente aleatórios baseados em ruído quântico

Quantum Random Number Generators (QRNGs) promise information-theoretic security by exploring the intrinsic probabilistic properties of quantum mechanics. In practice, their security frequently relies on a number of assumptions over physical devices. In this thesis, a randomness generation framework that explores the amplitude quadrature fluctuations of a vacuum state was analyzed. It employs a homodyne measurement scheme, which can be implemented with low-cost components, and shows potential for high performance with remarkable stability. A mathematical description of all necessary stages was provided as security proof, considering the quantization noise introduced by the analog-to-digital converter. The impact of experimental limitations, such as the digitizer resolution or the presence of excess noise due to an unbalanced detection, was characterized. Moreover, we propose a framework to estimate the excess entropy introduced by an unbalanced detection, and its high impact within the Shannon entropy model was experimentally verified. Furthermore, a real-time dedicated QRNG scheme was implemented and validated. The variance characterization curve of the homodyne detector was measured, and the quantum fluctuations were determined to be preponderant for an impinging power PLO < 45.7mW. By estimating the worst-case min-entropy conditioned on the electronic noise, approximately 8.39 true random bits can be extracted from each sample, yielding a maximum generation rate of 8.23 Gbps. With a lengthcompatible Toeplitz-hashing algorithm, these can be extracted at 75 Mbps with an upper security bound of 2−105, which illustrates the quality of this implementation. Moreover, the generation scheme was validated and verified to pass all the statistical tests of the NIST, DieHarder, and TestU01’s SmallCrush batteries, as well as most of TestU01’s Crush evaluations. Finally, we propose a framework for time-interleaving the entropy source within a classical communication channel, which removes the need for a dedicated generation device. After assessing the conditions where quantum noise is dominant, support for generation rates up to 1.3 Gbps was observed. The random bitstream was subjected to the NIST randomness test suite and consistently passed all evaluations. Moreover, a clean quadrature phase shift keying constellation was recovered, which supports the multi-purpose function of the scheme.Geradores quânticos de números aleatórios (QRNGs) prometem sistemas informação-teoricamente seguros explorando as propriedades intrinsecamente probabilísticas da mecânica quântica. No entanto, experimentalmente, um conjunto de pressupostos é tipicamente imposto sobre os dispositivos experimentais. Nesta dissertação, analisou-se uma abordagem para geração de números aleatórios que explora as flutuações de amplitude em quadratura de um estado vácuo. Para tal, recorre-se a um esquema de deteção homodina que permite um elevado desempenho e estabilidade, requerendo apenas dispositivos de baixo custo. Um modelo matemático das diferentes etapas do gerador foi desenvolvido de forma a fornecer uma prova de segurança, e contabilizou-se o ruído de discretização introduzido pelo conversor analógico-digital. Adicionalmente, caracterizou-se o impacto de imperfeições experimentais como a resolução do conversor analógico-digital e a presença de ruído em excesso como consequência de uma deteção não balanceada. Uma abordagem para estimar esta contribuição no modelo de entropia de Shannon foi também proposta e experimentalmente verificada. Adicionalmente, uma implementação em tempo-real foi caracterizada. A curva de caracterização do detetor homodino foi experimentalmente verificada, e uma preponderância de ruído quântico observado para potências óticas inferiores a 45.7mW. Através de uma estimativa da min-entropy condicionada ao ruído eletrónico, aproximadamente 8.39 bits por medição podem ser extraídos, o que corresponde a uma taxa de geração máxima de 8.23 Gbps. Estes podem ser extraídos a uma taxa de 75 Mbps com um parâmetro de segurança de 2−105, ilustrativo da qualidade desta implementação, através de um algoritmo eficiente de multiplicação de matrizes de Toeplitz. Posteriormente, o esquema foi validado, passando todos os testes estatísticos das baterias NIST, DieHarder, e SmallCrush, assim como a maioria das avaliações contidas na bateria Crush. Por último, foi proposta uma abordagem para integrar esta fonte de entropia num canal de comunicação clássico, removendo desta forma a necessidade de uma implementação dedicada. Após avaliação das condições de preponderância do ruído quântico, foram observadas taxas de geração até 1.3 Gbps. Os números obtidos foram também submetidos à bateria de testes do NIST, passando consistentemente todas as avaliações. Adicionalmente, a constelação de modulação de amplitude em quadratura obtida viabiliza a operação multifuncional do sistema.Mestrado em Engenharia Físic