#
Cryptographically Secure Pseudo-Random Number Generator IP-Core Based on SHA2 Algorithm^{ †}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

## 2. DRBG Algorithms Trade-Off Analysis

- they rely on a one-way cryptographic function, thus providing backtracking resistance;
- the internal status memories are secret and inaccessible to the user;
- the following essential operations are allowed:
- -
- instance, to acquire a random seed (i.e., concatenation of input entropy content, possibly input or internal random nonce, and personalization string) and to initialize the internal state to a random value derived from the seed;
- -
- reseed, to acquire a random seed (i.e., concatenation of internal state, input entropy content, and personalization string) and update the internal state to a random value derived from the seed;
- -
- generate, to generate an output bits sequence based on current state and then to update the state to a random value derived from previous state;
- -
- uninstantiate, to delete the internal state;

- they support a maximum security strength (112, 128, 192 or 256) and all of the lower ones;
- a reseed counter counter, and the corresponding threshold called seed lifetime, is present to signal the user that the mechanism needs a new seed;
- user is always able to run a command with an associated personalization string, which needs not to be secret but it contributes to the internal state randomization.

- SHA-256 has lower latency per block than SHA-512;
- SHA-512 offers a higher throughput with respect to SHA-256, since it provides 512 bits every 83 clock cycles instead of 256 bits every 67 clock cycles;
- SHA-256 is more compact in terms of area, which reflects also on internal state registers area footprint. As shown in Table 1, $seedlen$ is 440 for SHA-256 and 888 for SHA-512, meaning that the internal state requires around 900 registers for the former and 1800 for the latter.

## 3. SHA-256 Core Implementation

- the message schedule;
- the compression function.

- ${T}_{1}$$\leftarrow H\u229e{\Sigma}_{1}\left(E\right)\u229eCh(E,F,G)\u229e{K}_{j}\u229e{W}_{j}$
- ${T}_{2}$$\leftarrow {\Sigma}_{0}\left(A\right)\u229eMaj(A,B,C)$
- H$\leftarrow G$
- F$\leftarrow E$
- E$\leftarrow D\u229e{T}_{1}$
- D$\leftarrow C$
- C$\leftarrow B$
- B$\leftarrow A$
- A$\leftarrow {T}_{1}\u229e{T}_{2}$

## 4. CSPRNG Design Architecture

- state registers for 440-bits V, 440-bits C and 20-bits reseed counter; in addition to them, a 128-bits register is available to store optional personalization string (i.e., to randomize the internal state), while a 512-bits entropy register is used to store the input entropy content for a size larger than necessary: to ensure the minimum number of entropy bits per bit string, instance requires 394 bits, while reseed requires 256 bits;
- a SHA-256 core, with 512-bits input and 256-bits output; the core is designed to execute operations on a 512-bits block of a message in 67 clock cycles; if the message is composed by a single block (length ≤ 443 bits), the complete Hash is performed in 67 clock cycles, while if the message is longer, it must be divided in blocks to be processed sequentially;
- a serial adder with 440-bits inputs and modulo 440-bits output; since the adder always runs in parallel with the SHA-256 core, which at least requires 67 cycles to output data, there were no need to implement a low latency adder; intermediate results are stored to one of the input registers to minimize the area occupation;
- multiplexer network to address all data in internal state and from the previous operation to the inputs of the SHA-256 core and adder; as an example, consider the following configuration, where the adder calculates at every Hash cycle the incremented value of V and provides this data to the input of the SHA-256 for it to be hashed:
- sha_256_in = adder_out || 1’d1 || 7’d0 || 64’d440
- adder_x = adder_out
- adder_y = 440’d1

- a Finite State Machine (FSM), which controls the flow of operations: it is articulated in three main branches (i.e., instance, reseed and generate), and after the completion of a command, it remains stable in idle mode until another command is issued;
- a DRBG self test module (i.e., not shown in Figure 6), which provides built-in self-test functionalities to diagnose possible failures; multiplexers are used to feed the procedures with known values, and compare logic check if outputs match with the expected values.

## 5. Results

- every generation command requests four blocks, i.e., 1024 bits;
- during a seed lifetime, 1000 generation commands are issued;
- the reseed operation is commanded 1000 times to reseed the generator.

## 6. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Baldanzi, L.; Crocetti, L.; Di Matteo, S.; Fanucci, L.; Saponara, S.; Hameau, P. Crypto Accelerators for Power-Efficient and Real-Time on-Chip Implementation of Secure Algorithms. In Proceedings of the 2019 26th IEEE International Conference on Electronics, Circuits and Systems (ICECS), Genova, Italy, 27–29 November 2019; pp. 775–778. [Google Scholar]
- Baldanzi, L.; Crocetti, L.; Falaschi, F.; Belli, J.; Fanucci, L.; Saponara, S. Digital Random Number Generator Hardware Accelerator IP-Core for Security Applications. In Proceedings of the Applications in Electronics Pervading Industry, Environment and Society, Pisa, Italy, 11–13 September 2019; Volume 627, pp. 117–123. [Google Scholar]
- Paar, C.; Pelzl, J. Understanding Cryptography; Springer: Berlin/Heidelberg, Germany, 2011. [Google Scholar]
- Lo Bello, L.; Mariani, R.; Mubeen, S.; Saponara, S. Recent Advances and Trends in On-Board Embedded and Networked Automotive Systems. IEEE Trans. Ind. Inf.
**2019**, 15, 1038–1051. [Google Scholar] [CrossRef] - Barker, E.; Kelsey, J. Recommendation for Random Bit Generator (RBG) Constructions, 2nd Draft; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016. [Google Scholar]
- Barker, E.; Kelsey, J. Recommendation for Random Number Generation Using Deterministic Random Bit Generators; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015. [Google Scholar]
- Dang, Q.H. Secure Hash Standard—Technical Report; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015. [Google Scholar]
- Dichtl, M.; Golić, J.D. High Speed True Random Number Generation with Logic Gates Only. Cryptographic Hardware and Embedded Systems. Lect. Notes Comput. Sci.
**2007**, 4727, 45–62. [Google Scholar] - Vasyltsov, I.; Hambardzumyan, E.; KimBohdan, Y.S.; Karpinskyy, B. Fast Digital TRNG Based on Metastable Ring Oscillator. Cryptographic Hardware and Embedded Systems. Lect. Notes Comput. Sci.
**2008**, 5154, 164–180. [Google Scholar] - Yang, B.; Mentens, N. ES-TRNG: A high-throughput, low-area true random number generator based on edge sampling. IACR Trans. Cryptogr. Hardw. Embedded Syst.
**2018**, 2018, 267–292. [Google Scholar] - Stevens, M.; Karpman, P.; Peyrin, T. Freestart collision for full SHA-1. In Annual International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin, Germany, 2016; pp. 459–483. [Google Scholar]
- ECDSA—Application and Implementation Failures. Available online: https://www.semanticscholar.org/paper/ECDSA-Application-and-Implementation-Failures-Schmid/f528fb05f0709923e22c04239503b4289a24cb4f (accessed on 25 March 2020).
- US Department of Commerce and National Institute of Standards and Technology. Secure Hash Standard—SHS: Federal Information Processing Standards Publication 180-4; CreateSpace Independent Publishing Platform: North Charleston, SC, USA, 2012. [Google Scholar]
- Bassham, L.E.; Rukhin, A.; Soto, J.; Nechvatal, J.; Smid, M.; Barker, E.; Leigh, S.; Levenson, M.; Vangel, M.; Banks, D.; et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications—Technical Report; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2010. [Google Scholar]
- Silvaco PDK 45 nm Open Cell Library. Available online: https://www.silvaco.com/products/nangate/FreePDK45_Open_Cell_Library/index.html (accessed on 25 March 2020).
- Artisan TSMC 7 nm Cell Library. Available online: https://www.tsmc.com/english/dedicatedFoundry/technology/7nm.htm (accessed on 25 March 2020).

**Figure 1.**Comparison between NIST approved DRBG mechanisms based on logic complexity in kGE and throughput.

SHA2 Algorithm | ||||
---|---|---|---|---|

SHA-224 | SHA-256 | SHA-384 | SHA-512 | |

Highest Security Strength | 192 bits | 256 bits | 256 bits | 256 bits |

Output Block Length ($outlen$) | 224 bits | 256 bits | 384 bits | 512 bits |

Min. Entropy for $instance$ and $reseed$ | 192 bits | 256 bits | 256 bits | 256 bits |

Seed Length ($seedlen$) | 440 bits | 440 bits | 888 bits | 888 bits |

Max. Num. of Bit per Request | ${2}^{19}$ | ${2}^{19}$ | ${2}^{19}$ | ${2}^{19}$ |

Max. Num. of Request between $reseeds$ | ${2}^{48}$ | ${2}^{48}$ | ${2}^{48}$ | ${2}^{48}$ |

AES Algorithm | ||||
---|---|---|---|---|

3 Key TDEA | AES-128 | AES-192 | AES-256 | |

Highest Security Strength | 112 bits | 128 bits | 192 bits | 256 bits |

Input/Output Block Length ($blocklen$) | 64 bits | 128 bits | 128 bits | 128 bits |

Key Length Length ($keylen$) | 168 bits | 128 bits | 192 bits | 256 bits |

Counter Field Length ($ctr\_len$) | 4 <$ctr\_len$ <$blocklen$ | |||

Min. Enctropy for $instance$ and $reseed$ | 112 bits | 128 bits | 192 bits | 256 bits |

Seed Length ($seedlen$) | 232 bits | 256 bits | 320 bits | 384 bits |

Max. Num. of Bit per Request | min(B, ${2}^{13}$) | min(B, ${2}^{19}$) | min(B, ${2}^{19}$) | min(B, ${2}^{19}$) |

Max. Num. of Request between $reseeds$ | ${2}^{48}$ | ${2}^{48}$ | ${2}^{48}$ | ${2}^{48}$ |

SHA2 Algorithm | Area | Latency per Block | Output Block Size |
---|---|---|---|

SHA-224 | 15 kGE | 67 clock cycles | 224 bits |

SHA-256 | 15 kGE | 67 clock cycles | 256 bits |

SHA-384 | 30 kGE | 83 clock cycles | 384 bits |

SHA-512 | 30 kGE | 83 clock cycles | 512 bits |

AES Algorithm | Area | Latency per Block | Output Block Size |
---|---|---|---|

AES-128 | 11 kGE | 11 clock cycles | 128 bits |

AES-256 | 12.5 kGE | 15 clock cycles | 128 bits |

Canonical | Area | Max. Frequency | Optimized | Area | Max. Frequency |
---|---|---|---|---|---|

45 nm ASIC | 16.85 kGE | 640 MHz | 45 nm ASIC | 15.38 kGE | 1.00 GHz |

7 nm ASIC | 17.18 kGE | 3.15 GHz | 7 nm ASIC | 15.45 kGE | 5.15 GHz |

Sub-Block | ${\mathit{T}}_{4\xb7\mathbf{CSA}}$ | ${\mathit{T}}_{2\xb7\mathbf{CSA}+1\xb7\mathbf{CLA}}$ | ${\mathit{T}}_{2\xb7\mathbf{CLA}}$ | ${\mathit{T}}_{5\xb7\mathbf{CLA}}$ |
---|---|---|---|---|

Max. Latency | 606.06 ps | 833.33 ps | 714.29 ps | 1111.11 ps |

Test | Block/Template Length | Pass Rate |
---|---|---|

Frequency (Monobit) | - | 0.9924 |

Frequency Within a Block | 256 | 0.9876 |

Runs | - | 0.9901 |

Longest-Run-of-Ones in a Block | - | 0.9878 |

Binary Matrix Rank | - | 0.9901 |

Discrete Fourier Transform (Spectral) | - | 0.9874 |

Non-overlapping Template Matching | 10 | [0.9801–0.9974] |

Overlapping Template Matching | 10 | 0.9848 |

Maurer’s Universal Statistical | - | 0.9901 |

Linear Complexity | 1024 | 0.9900 |

Serial | 16 | 0.9825, 0.9876 |

Approximate Entropy | 10 | 0.9901 |

Cumulative Sums (Cusums) | - | 0.9901 |

Random Excursions | - | [0.9826–0.9947] |

Random Excursions Variant | - | [0.9875–0.9975] |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Baldanzi, L.; Crocetti, L.; Falaschi, F.; Bertolucci, M.; Belli, J.; Fanucci, L.; Saponara, S.
Cryptographically Secure Pseudo-Random Number Generator IP-Core Based on SHA2 Algorithm. *Sensors* **2020**, *20*, 1869.
https://doi.org/10.3390/s20071869

**AMA Style**

Baldanzi L, Crocetti L, Falaschi F, Bertolucci M, Belli J, Fanucci L, Saponara S.
Cryptographically Secure Pseudo-Random Number Generator IP-Core Based on SHA2 Algorithm. *Sensors*. 2020; 20(7):1869.
https://doi.org/10.3390/s20071869

**Chicago/Turabian Style**

Baldanzi, Luca, Luca Crocetti, Francesco Falaschi, Matteo Bertolucci, Jacopo Belli, Luca Fanucci, and Sergio Saponara.
2020. "Cryptographically Secure Pseudo-Random Number Generator IP-Core Based on SHA2 Algorithm" *Sensors* 20, no. 7: 1869.
https://doi.org/10.3390/s20071869