A High-Entropy True Random Number Generator with Keccak Conditioning for FPGA
Abstract
1. Introduction
2. State-of-the-Art
2.1. RO-Based Noise Sources
2.2. RO-Based TRNG Designs
3. Entropy and Randomness Assessment
- IID tests/non-IID tests: These two batteries are mutually exclusive, as they determine whether or not the source generates Independent and Identically Distributed (IID) samples. A million samples are provided as input; if even one of the IID tests fails, the bitstream is classified as non-IID and the other battery of tests must be applied to assess the min-entropy. Otherwise, the IID tests provide the result.
- Restart tests: The input consists of a 1000 × 1000 matrix. Each row corresponds to a sequence of 1000 consecutive samples taken immediately after a restart of the noise source. The restart tests check that there are no correlations between the samples.
- Conditioning tests: If the random number generator design also includes a conditioning component, these tests assess the min-entropy reduction due to the deterministic post-processing.
4. Noise Source
4.1. Design Parameters Analysis
4.1.1. Power and Area Analysis
4.1.2. Entropy Analysis
5. TRNG Architecture
5.1. Noise Source
5.2. Health Test
- Repetition Count Test: The purpose of this test is to verify that the data stream does not become stuck at any single value, whether 0 or 1. The steps are reported in Algorithm 1. The minimum value for the threshold C is obtained by the formula , with being the false positive probability.
- Adaptive Proportion Test: This is a statistical procedure that examines the frequency of specific bit patterns within a sample window, aiming to identify those that occur with excessive regularity. The procedure is presented in Algorithm 2. For binary sources, the sample window, W, must be equal to 1024 [14], whereas the value of the threshold, C, depends on the desired level of entropy, as reported in [14].
Algorithm 1: Repetition Count Test Algorithm
Algorithm 2: Adaptive Proportion Test Algorithm
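As an added illustration (not code from the paper, whose Algorithms 1 and 2 are not reproduced on this page), the two health tests can be modelled in software as the streaming checks defined in NIST SP 800-90B [14]. The cutoff formula comes from that standard; the APT cutoff of 589 for a binary source at H = 1 and α = 2^-20 is an assumption of this example, and the class names, function names and bit patterns are constructed here.

```python
import math

def rct_cutoff(h_min, alpha=2**-20):
    """SP 800-90B repetition count cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)

class HealthTests:
    """Streaming Repetition Count and Adaptive Proportion tests for one-bit samples."""

    def __init__(self, rct_c, apt_c, window=1024):
        self.rct_c, self.apt_c, self.window = rct_c, apt_c, window
        self.rct_ref, self.rct_run = None, 0    # last value and its current run length
        self.apt_ref, self.apt_hits = None, 0   # window reference sample and its count
        self.apt_pos = 0                        # position inside the current window

    def feed(self, bit):
        """Consume one sample; return the set of tests that raise an alarm on it."""
        alarms = set()
        # Repetition Count Test: the source is stuck if one value repeats C times in a row.
        if bit == self.rct_ref:
            self.rct_run += 1
            if self.rct_run >= self.rct_c:
                alarms.add("RCT")
        else:
            self.rct_ref, self.rct_run = bit, 1
        # Adaptive Proportion Test: the first sample of each window is the reference;
        # alarm if it occurs C or more times among the W samples of that window.
        if self.apt_pos == 0:
            self.apt_ref, self.apt_hits = bit, 1
        elif bit == self.apt_ref:
            self.apt_hits += 1
            if self.apt_hits >= self.apt_c:
                alarms.add("APT")
        self.apt_pos = (self.apt_pos + 1) % self.window
        return alarms

def first_alarm(bits, rct_c, apt_c, window=1024):
    """Return (sample index, alarms) for the first failing sample, or None."""
    tests = HealthTests(rct_c, apt_c, window)
    for i, bit in enumerate(bits):
        alarms = tests.feed(bit)
        if alarms:
            return i, alarms
    return None

# Cutoffs for a binary source assessed at H = 1 with alpha = 2^-20.
RCT_C = rct_cutoff(1.0)
APT_C = 589  # assumed: SP 800-90B value for W = 1024, H = 1

# Constructed bit patterns, not measurements from the paper's TRNG.
STUCK = [0, 1] * 5 + [1] * 100    # output freezes at 1 after ten samples
BIASED = [1, 1, 1, 0] * 512       # 75% ones, never more than three in a row
ALTERNATING = [0, 1] * 2048       # fully predictable, yet balanced and run-free

if __name__ == "__main__":
    for name, bits in (("stuck", STUCK), ("biased", BIASED), ("alternating", ALTERNATING)):
        print(name, first_alarm(bits, RCT_C, APT_C))
```

The alternating pattern raises no alarm although it is fully predictable: the health tests only catch gross failures of the noise source and do not replace the entropy assessment of Section 3.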
5.3. Control Unit
5.4. Keccak
Algorithm 3: Keccak Permutation
 | Output Key Characteristics | Throughput and Output Entropy Trade-Off Tuning | Flexibility |
---|---|---|---|
Advantages | More uniform distribution of output bits and reduced bias (see Table 5) | Input can be less than 1600 bits, fixed 1600-bit output: depending on the application constraints, the user can achieve higher throughput at the cost of lower output entropy and vice-versa. | The Keccak block can function as a standalone block, a conditioning block, or as a deterministic random bit generator (DRBG). Easy to integrate into larger cryptographic systems. |
Test | No Conditioning p-Value | No Conditioning Prop. | No Conditioning Res. | With Conditioning p-Value | With Conditioning Prop. | With Conditioning Res. |
---|---|---|---|---|---|---|
Freq | 0.3873 | 0.988 | PASS | 0.8596 | 0.987 | PASS |
BlockFreq | 0.0786 | 0.993 | PASS | 0.5811 | 0.987 | PASS |
CSums | 0.5287 | 0.988 | PASS | 0.5625 | 0.989 | PASS |
Runs | 0.7887 | 0.986 | PASS | 0.7096 | 0.992 | PASS |
Long.Run | 0.6470 | 0.990 | PASS | 0.1007 | 0.995 | PASS |
Rank | 0.9061 | 0.988 | PASS | 0.9703 | 0.994 | PASS |
FFT | 0.3686 | 0.989 | PASS | 0.1223 | 0.993 | PASS |
NonOvTem | 0.4810 | 0.990 | PASS | 0.5134 | 0.990 | PASS |
OvTemp | 0.7811 | 0.980 | PASS | 0.6018 | 0.986 | PASS |
Univ | 0.1816 | 0.985 | PASS | 0.3086 | 0.988 | PASS |
ApproxEnt | 0.2296 | 0.990 | PASS | 0.2689 | 0.988 | PASS |
RndEx | 0.4826 | 0.989 | PASS | 0.5030 | 0.990 | PASS |
RndExVar | 0.5091 | 0.989 | PASS | 0.4975 | 0.989 | PASS |
Serial | 0.9607 | 0.991 | PASS | 0.2336 | 0.988 | PASS |
LinComp | 0.5463 | 0.991 | PASS | 0.5483 | 0.995 | PASS |
6. Results
6.1. Randomness Evaluation
6.1.1. NIST SP 800-22
6.1.2. NIST SP 800-90B
6.1.3. BSI AIS-31 Tests
6.2. Different Operating Conditions
6.3. FPGA Results and Comparison
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations
ASIC | Application-Specific Integrated Circuit |
BSI | Bundesamt für Sicherheit in der Informationstechnik |
DCM | Digital Clock Manager |
DRBG | Deterministic Random Bit Generator |
FPGA | Field Programmable Gate Array |
PLL | Phase Locked Loops |
PPA | Power, Performance, and Area |
PRNG | Pseudo Random Number Generators |
RO | Ring Oscillators |
NIST | National Institute of Standards and Technology |
TRNG | True Random Number Generator |
References
- Cassiers, G.; Masure, L.; Momin, C.; Moos, T.; Moradi, A.; Standaert, F.X. Randomness Generation for Secure Hardware Masking—Unrolled Trivium to the Rescue. IACR Commun. Cryptol. 2024, 1.
- Kotipalli, S.; Kim, Y.B.; Choi, M. Asynchronous Advanced Encryption Standard Hardware with Random Noise Injection for Improved Side-Channel Attack Resistance. J. Electr. Comput. Eng. 2014, 2014, 837572.
- Gross, H.; Mangard, S.; Korak, T. Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order. In Proceedings of the 2016 ACM Workshop on Theory of Implementation Security, TIS ’16, New York, NY, USA, 24–28 October 2016; p. 3.
- Sunar, B.; Martin, W.J.; Stinson, D.R. A Provably Secure True Random Number Generator with Built-In Tolerance to Active Attacks. IEEE Trans. Comput. 2007, 56, 109–119.
- Lu, Z.; Qidiao, H.; Chen, Q.; Liu, Z.; Zhang, J. An FPGA-Compatible TRNG with Ultra-High Throughput and Energy Efficiency. In Proceedings of the 2023 60th ACM/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, 9–13 July 2023; pp. 1–6.
- Varchola, M.; Drutarovsky, M. New High Entropy Element for FPGA Based True Random Number Generators. In Proceedings of the Cryptographic Hardware and Embedded Systems, CHES 2010, Santa Barbara, CA, USA, 17–20 August 2010; Mangard, S., Standaert, F.X., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 351–365.
- Di Patrizio Stanchieri, G.; De Marcellis, A.; Faccio, M.; Palange, E. An FPGA-Based Architecture of True Random Number Generator for Network Security Applications. In Proceedings of the 2018 IEEE International Symposium on Circuits and Systems (ISCAS), Florence, Italy, 27–30 May 2018; pp. 1–4.
- Fischer, V.; Drutarovský, M. True Random Number Generator Embedded in Reconfigurable Hardware; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2523, pp. 415–430.
- Fischer, V.; Bernard, F.; Bochard, N.; Dallison, Q.; Skórski, M. Enhancing Quality and Security of the PLL-TRNG. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2023, 2023, 211–237.
- Saarinen, M.J.O. On Entropy and Bit Patterns of Ring Oscillator Jitter. Cryptology ePrint Archive, Paper 2021/1363. 2021. Available online: https://eprint.iacr.org/2021/1363 (accessed on 1 July 2024).
- Markettos, A.T.; Moore, S.W. The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators. In Proceedings of the Cryptographic Hardware and Embedded Systems–CHES 2009, Lausanne, Switzerland, 6–9 September 2009; Clavier, C., Gaj, K., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 317–331.
- Osuka, S.; Fujimoto, D.; Hayashi, Y.i.; Homma, N.; Beckers, A.; Balasch, J.; Gierlichs, B.; Verbauwhede, I. EM Information Security Threats Against RO-Based TRNGs: The Frequency Injection Attack Based on IEMI and EM Information Leakage. IEEE Trans. Electromagn. Compat. 2019, 61, 1122–1128.
- Barker, E.B.; Kelsey, J.M. Recommendation for Random Bit Generator (RBG) Constructions; Technical Report; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
- Turan, M.S. Recommendation for the Entropy Sources Used for Random Bit Generation; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018.
- Peter, M.; Schindler, W. A Proposal for Functionality Classes for Random Number Generators; Technical Report; BSI: Bonn, Germany, 2022.
- Vasyltsov, I.; Hambardzumyan, E.; Kim, Y.S.; Karpinskyy, B. Fast Digital TRNG Based on Metastable Ring Oscillator. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2008, Washington, DC, USA, 10–13 August 2008; Oswald, E., Rohatgi, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 164–180.
- Nannipieri, P.; Di Matteo, S.; Baldanzi, L.; Crocetti, L.; Belli, J.; Fanucci, L.; Saponara, S. True Random Number Generator Based on Fibonacci-Galois Ring Oscillators for FPGA. Appl. Sci. 2021, 11, 3330.
- Frustaci, F.; Spagnolo, F.; Perri, S.; Corsonello, P. A High-Speed FPGA-Based True Random Number Generator Using Metastability With Clock Managers. IEEE Trans. Circuits Syst. II Express Briefs 2023, 70, 756–760.
- National Institute of Standards and Technology. FIPS PUB 202—SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions; CreateSpace Independent Publishing Platform: Scotts Valley, CA, USA, 2015.
- Wold, K.; Tan, C.H. Analysis and Enhancement of Random Number Generator in FPGA Based on Oscillator Rings. In Proceedings of the 2008 International Conference on Reconfigurable Computing and FPGAs, Cancun, Mexico, 3–5 December 2008; pp. 385–390.
- Bassham, L.E.; Rukhin, A.L.; Soto, J.; Nechvatal, J.R.; Smid, M.E.; Barker, E.B.; Leigh, S.D.; Levenson, M.; Vangel, M.; Banks, D.L.; et al. SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2010.
- Fujieda, N. On the Feasibility of TERO-Based True Random Number Generator on Xilinx FPGAs. In Proceedings of the 2020 30th International Conference on Field-Programmable Logic and Applications (FPL), Gothenburg, Sweden, 31 August–4 September 2020; pp. 103–108.
- Della Sala, R.; Bellizia, D.; Scotti, G. A Novel Ultra-Compact FPGA-Compatible TRNG Architecture Exploiting Latched Ring Oscillators. IEEE Trans. Circuits Syst. II Express Briefs 2022, 69, 1672–1676.
- Lu, Y.; Yang, Y.; Hu, R.; Liang, H.; Yi, M.; Zhengfeng, H.; Ma, Y.; Chen, T.; Yao, L. High-efficiency TRNG Design Based on Multi-bit Dual-ring Oscillator. ACM Trans. Reconfigurable Technol. Syst. 2023, 16, 1–23.
- Zhang, Y.; Zhong, K.; Zhang, J. DH-TRNG: A Dynamic Hybrid TRNG with Ultra-High Throughput and Area-Energy Efficiency. In Proceedings of the 61st ACM/IEEE Design Automation Conference, DAC ’24, New York, NY, USA, 23–27 June 2024.
- Park, J.; Kim, B.; Sim, J.Y. A PVT-Tolerant Oscillation-Collapse-Based True Random Number Generator with an Odd Number of Inverter Stages. IEEE Trans. Circuits Syst. II Express Briefs 2022, 69, 4058–4062.
- Hayashi, K.; Minagawa, R.; Torii, N. Side-channel attack on COSO-based TRNG to estimate output bits. In Proceedings of the 2022 Tenth International Symposium on Computing and Networking Workshops (CANDARW), Himeji, Japan, 21–24 November 2022; pp. 302–308.
- Gimenez, G.; Cherkaoui, A.; Frisch, R.; Fesquet, L. Self-timed Ring based True Random Number Generator: Threat model and countermeasures. In Proceedings of the 2017 IEEE 2nd International Verification and Security Workshop (IVSW), Thessaloniki, Greece, 3–5 July 2017; pp. 31–38.
- Kamadi, A.; Abbas, Z. Implementation of TRNG with SHA-3 for hardware security. Microelectron. J. 2022, 123, 105410.
- Anandakumar, N.N.; Sanadhya, S.K.; Hashmi, M.S. FPGA-Based True Random Number Generation Using Programmable Delays in Oscillator-Rings. IEEE Trans. Circuits Syst. II Express Briefs 2020, 67, 570–574.
- Chen, T.; Jia, S.; Ma, Y.; Cao, Y.; Lv, N.; Wang, W.; Yang, J.; Lin, J. A Design of High-Efficiency Coherent Sampling Based TRNG With On-Chip Entropy Assurance. IEEE Trans. Circuits Syst. I Regul. Pap. 2023, 70, 5060–5073.
- Valtchanov, B.; Aubert, A.; Bernard, F.; Fischer, V. Modeling and observing the jitter in ring oscillators implemented in FPGAs. In Proceedings of the 2008 11th IEEE Workshop on Design and Diagnostics of Electronic Circuits and Systems, Bratislava, Slovakia, 16–18 April 2008; pp. 1–6.
- Bochard, N.; Bernard, F.; Fischer, V.; Valtchanov, B. True-Randomness and Pseudo-Randomness in Ring Oscillator-Based True Random Number Generators. Int. J. Reconfigurable Comput. 2010, 2010, 879281.
- Banerjee, U.; Ukyab, T.S.; Chandrakasan, A.P. Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019, 2019, 17–61.
- Dolmeta, A.; Mirigaldi, M.; Martina, M.; Masera, G. Implementation and integration of Keccak accelerator on RISC-V for CRYSTALS-Kyber. In Proceedings of the 20th ACM International Conference on Computing Frontiers, CF ’23, Bologna, Italy, 9–11 May 2023; pp. 381–382.
- RISC-V Cryptography Extensions Volume I, Scalar & Entropy Source Instructions. Technical Report. 2021. Available online: https://lists.riscv.org/g/dev-partners/attachment/43/0/riscv-crypto-spec-scalar-v0.9.3-DRAFT.pdf (accessed on 1 September 2024).
- Rožic, V.; Grujic, M.; Mentens, N.; Verbauwhede, I. ES-TRNG: A high-throughput, low-area true random number generator based on edge sampling. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018. Available online: https://tches.iacr.org/index.php/TCHES/article/view/7276 (accessed on 1 July 2024).
Ref. | Noise Source Basic Block | Key Principle |
---|---|---|
[4] | Ring Oscillator | Variable period of RO-generated clock due to physical phenomena |
[16] | Metastable Ring Oscillator | Metastability of inverters |
[6] | Transition Effect Ring Oscillator | Oscillatory metastability of latches |
[17] | Fibonacci and Galois Ring Oscillator | Flip-flops of Fibonacci and Galois Linear Feedback Shift Registers replaced by inverters |
[7] | Phase Locked Loop (PLL) | Same principle of ROs; the clock is generated by a PLL |
[18] | Digital Clock Manager (DCM) | Same principle of ROs; the clock is generated by a DCM |
Type of Test | Description |
---|---|
Frequency | Checks for equal proportion of 1s and 0s in the entire sequence. |
Block Frequency | Checks for equal proportion of 1s and 0s in M-bit blocks. |
Cumulative Sums | Evaluates the maximal excursion of the cumulative sum random walk, where the sequence digits are adjusted (0 → −1). |
Runs | Counts the total number of uninterrupted sequences of identical bits (runs). |
Longest Run | Checks for the longest run of 1s in M-bit blocks. |
Rank | Analyzes the rank of disjoint sub-matrices within the sequence. |
FFT | Detects peaks in the Discrete Fourier Transform of the sequence. |
Non Overlapping Template | Counts occurrences of m-bit target strings. |
Overlapping Template | Similar to the non-overlapping template test, but considers sliding m-bit strings with a 1-bit overlap. |
Universal | Measures the distance between matching patterns in the sequence. |
Approximate Entropy | Evaluates the frequency of all possible overlapping m-bit patterns in the sequence. |
Random Excursions | Counts the number of cycles with exactly K visits in a cumulative sum random walk. |
Random Excursions Variant | Tracks the number of visits to a specific state in a cumulative sum random walk. |
Serial | Measures the frequency of all possible overlapping m-bit patterns in the sequence. |
Linear Complexity | Determines the length of the Linear Feedback Shift Register (LFSR) that generates M-bit blocks. |
Test Suite | NIST SP 800-22 | NIST SP 800-90B | BSI AIS-31 Procedure A | BSI AIS-31 Procedure B |
---|---|---|---|---|
Focus | Randomness assessment | Entropy assessment | Randomness assessment | Entropy assessment |
Tests | 15 statistical tests | IID tests, non-IID tests, restart tests, conditioning tests | T0, T1 to T5 | T6 to T8 |
Category | Test | |||
---|---|---|---|---|
Statistical Tests | Excursion | 9 | 0 | 6 |
 | NumDirectionalRuns | 34 | 0 | 6 |
 | LenDirectionalRuns | 4 | 2 | 5 |
 | NumIncreasesDecreases | 28 | 0 | 6 |
 | NumRunsMedian | 6 | 0 | 7 |
 | LenRunsMedian | 3 | 3 | 8 |
 | AvgCollision | 6 | 0 | 167 |
 | MaxCollision | 7 | 1 | 5 |
Periodicity Tests | Periodicity (1) | 6 | 0 | 13 |
 | Periodicity (2) | 6 | 0 | 10 |
 | Periodicity (8) | 39 | 1 | 5 |
 | Periodicity (16) | 6 | 0 | 14 |
 | Periodicity (32) | 6 | 0 | 35 |
Covariance Tests | Covariance (1) | 6 | 0 | 9 |
 | Covariance (2) | 6 | 0 | 15 |
 | Covariance (8) | 6 | 0 | 6 |
 | Covariance (16) | 13 | 0 | 6 |
 | Covariance (32) | 6 | 0 | 23 |
Compression Test | Compression | 21 | 0 | 6 |
Chi Square Tests | Chi Square independence | value = 0.6724 | | |
 | Chi Square goodness of fit | value = 0.3689 | | |
LRS | 46 | |||
Min-Entropy | 0.9982 |
Procedure | Test | Pass Rate |
---|---|---|
Procedure A | T0—Disjointness | 100% |
 | T1—Monobit | 100% |
 | T2—Poker | 100% |
 | T3—Runs | 100% |
 | T4—Long Run | 100% |
 | T5—Autocorrelation | 100% |
Procedure B | T6a—Uniform Distribution | 100% |
 | T6b—Uniform Distribution | 100% |
 | T7a—Multinomial Distribution | 100% |
 | T7b—Multinomial Distribution | 100% |
 | T8—Byte Entropy Estimation: 7.998217 | |
Ref. | FPGA Device | Area LUTs | Area FFs | Thr. [MBps] | Freq. [MHz] | Entropy Rate [Bits/Cycle] | Thr./LUTs | Entr.Rate/LUTs | Min-Entropy NIST | Min-Entropy BSI |
---|---|---|---|---|---|---|---|---|---|---|
[17] | Stratix IV | 288 | 190 | 400 | 100 | 4.00 | 1.39 | 0.0139 | 0.995 | - |
[23] | Spartan 6 | 4 † | 3 † | 0.76 | 50 | 0.0152 | 0.19 † | 0.0038 † | - | 0.9998 |
[30] | Spartan 3A | 528 | 177 | 6 | 24 | 0.25 | 0.011 | 0.0005 | - | 0.9993 |
[5] | Artix 7 | 24 † | 33 † | 275.8 | 275.8 | 1.00 | 11.49 † | 0.0417 † | 0.9973 | - |
[22] | Artix 7 | 40 ‡ | 29 ‡ | 1.91 | - | - | 0.048 ‡ | - | - | 0.9993 |
[37] | Spartan 6 | 16 ‡ | 11 ‡ | 1.15 | 100 | 0.0115 | 0.072 ‡ | 0.0007 ‡ | 0.910 | - |
OURS | Artix 7 | 98 | 194 | 150 | 150 | 1.00 | 1.53 | 0.0102 | 0.9982 | 0.9998 |
 | | 24 † | 33 † | | | | 6.25 † | 0.0417 † | | |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Piscopo, V.; Dolmeta, A.; Mirigaldi, M.; Martina, M.; Masera, G. A High-Entropy True Random Number Generator with Keccak Conditioning for FPGA. Sensors 2025, 25, 1678. https://doi.org/10.3390/s25061678