SlideShare a Scribd company logo

2009-06-30.ppt

Download as PPT, PDF
H
HiraAshfaqSubhan

Add more information to your uploadAdd more information to your uploadAdd more information tAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd morAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to youAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadr uploadAdd more information to your uploade information to your uploado your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more information to your uploadAdd more infAdd more info

Business
1 of 24
Actel Corporation © 2009 Conditioner and Health Monitor for Use in Conjunction with a Non-Deterministic Random Bit Generator G. Richard Newell Senior Principal Product Architect Actel Corporation for CryptArchi 2009 Hardware testing performed by James Vorgert Actel Area Technical Manager
Actel Corporation © 2009 2 Generic Random Bit Generator Architecture Non-Deterministic Random Bit Generator (NRBG) Raw Entropy Source Conditioner Deterministic Random Bit Generator (DRBG) Full entropy conditioned bits [re-]seed input Output Potentially much larger quantity of pseudo-random bits Raw bits (biased) Health Monitor Re-seeding DRBG provides “prediction resistance” Cryptographic design of the DRBG provides “backtracking resistance” & low information leakage
Actel Corporation © 2009 3 NRBG blocks  Raw Entropy Source  Uses random physical process to generate raw bits  Raw bits likely have biases and correlations  Plus, some susceptibility to environment such as supply voltages & temperature  Due to finite gains and bandwidths, mis-matching of components, materials, etc.  Thus, raw output bits contains less than 1 bit of entropy each  But, more than some design minimum  Health Monitor  Ensures raw entropy source is performing to specification  Entropy generation hasn’t dropped too close to zero  Environmental monitors (if available) ensure valid operational conditions  Conditioner  Compresses entropy of raw bits so output bits have full entropy  Removes any biases and correlations (referred to as “deskewing”)  Output bits should pass statistical tests for randomness  e.g., NIST Statistical Test Suite (SP800-22)
Actel Corporation © 2009 4 FPGA-friendly Health Monitors and Conditioners  This paper presents FPGA-friendly Health Monitors and Conditioners  Partly survey  Plus some observations and a few new practical proposals  It does not address:  The physical raw bit source  Many other Cryptarchi papers on this subject  The cryptographically strong Deterministic RBG which follows the conditioner  See NIST SP800-90 for approved DRBG algorithms Non-Deterministic Random Bit Generator (NRBG) Raw Entropy Source Conditioner Deterministic Random Bit Generator (DRBG) [re-]seed input Output Health Monitor Focus of this paper
Actel Corporation © 2009 5 Common Defects in Raw Bits  DC Biases  The probability of a bit being “1” is above or below 50%  For example, due to electrical offsets, the raw bit generator returns 49% ones and 51% zeroes for large sample sizes  Time Correlations  The expected value of a bit depends upon the prior state of the system  The current output bit is [anti-]correlated with past outputs  Possibly characterized as a first- or higher-order Markov chain  For example:  Due to bandwidth limitations (high frequencies under-represented), the probability of a bit matching the preceding bit is greater than 50%  Could be caused by over-sampling relative to noise bandwidth  For once, aliasing is good! fs/2 log(|v|) f Over-sampled Low-Pass Filter (LPF) magnitude response
Actel Corporation © 2009 6 Model of RBG Raw Entropy Source RBG Model with Bias and 1st-order Correlation defects  S a1 z-1 - + + Random DC Bias, s0 2 White Gaussian Noise, s1 2 x0 x1 x2 quantizer Raw Random Bits  Markov model approximation: state vector propagation xn+1 = A  xn + B  un covariance matrix propagation Pn+1 = A  Pn  AT + Qn  With stationary input noise, the variance and the covariance of adjacent samples are, respectively: limit : Var(x1) = Var(x2) = rxx[0] = s1 2 + s0 2 Cov(x1,x2) = rxx[1] = s1 2 + s0 2 A = 1 0 0 a1T 1-a1T 0 0 1 0 Transition Matrix 1 0 B = 0 a1T 0 0 Input Mapping Matrix s0 2 0 0 Qn = 0 a1Ts1 2 0 0 0 0 Covariance of input vector for n=0 only, otherwise 0 n   1 2 - a1T 2 - a1T 1 - a1T T sampler Low Pass Filter where rxx[k] is the autocorrelation for shift = k
Actel Corporation © 2009 7 Ideal FPGA RBG Health Monitor Characteristics  Low gate-count and SRAM requirements  Operates on the same clock as the raw-bit sampler  Parallelizable; low algorithmic complexity; high speed  Detects low entropy without fail (low false negatives)  Both bias and correlation type defects should be reliably detected  Not too many false alarms (low false positives)  However, every sequence of random bits has a finite probability  Including those that look like generator failures  As such, some false alarms may be inevitable  More frequent if small test-block sizes are used, and if tighter limits are chosen to minimize false negatives  Beware that discarding too many failed blocks may also bias the results  Availability of environmental monitors  Mixed-signal FPGAs (e.g., Actel’s Fusion series) have on-chip voltage and temperature monitors and an on-chip R-C oscillator that can be used for environmental monitoring
Actel Corporation © 2009 8 RBG Health Monitor Options (slide 1/2)  Block Test  NIST FIPS 140-3 (paragraph 4.9.2) requires continuously comparing adjacent blocks of bits1 and, if identical, rejecting the 2nd block  FIPS 140-3 also requires an “Entropy Source Test”  Frequency Test (a.k.a.: Monobit Test)2,3  Count “ones” as a percentage of total bits in a block  Variations:  Sliding window vs. non-overlapping blocks (FIR filter)  Exponentially decaying response window (IIR filter)  Measures DC bias directly  Serial Test (a.k.a. Two-bit Test)3  Checks the frequency of two-bit overlapping sequences  Tests for bias and some correlations
Actel Corporation © 2009 9 RBG Health Monitor Options (slide 2/2)  Poker Test2,3  Checks the frequency of m-bit non-overlapping sequences  m is a parameter; for FIPS 140-1 m = 4  Runs Test2,3  Checks the frequency of runs of ones or zeroes of various lengths  The length of the runs is a parameter; for FIPS 140-1, 1  i  6, with runs greater than 6 counted same as 6; zeroes and ones counted separately  Long Run Test2  Reports the longest run of ones or zeroes in the sample block  Autocorrelation Test3  Compares bits stream to shifted version of itself  Number of shifts is a parameter  Detects bias and most correlations, if several shifts are considered  Can also detect sine-wave interference
Actel Corporation © 2009 10  For Linear Time-Invariant (LTI) signals, the Wiener–Khinchin theorem relates the power spectrum Sxx to the autocorrelation rxx using the Discrete-time Fourier transform (DTFT) pair, Sxx(f) = S rxx[k]e-j2pkf rxx[k] = T  Sxx ( f )  ej2pfkT df where the autocorrelation is defined in terms of the expectation: rxx[k] = E[ x[n]x*[n – k]]  Since in our model the input is white, its power spectrum Wxx(f) is constant over frequency. The output spectrum can be calculated from the filter transfer function & its conjugate:  Sxx(f) = WxxT(f)T*(f)  So, now we have another way to compute the autocorrelation from our stationary noise, using filter transfer functions Autocorrelation from Transfer Functions k = -  1 2T 1 2T - T
Actel Corporation © 2009 11 Autocorrelation Analysis Results  Autocorrelation provides a useful measure of data flaws  An upper-bound on entropy can be estimated by comparing the power represented in rxx[0] vs. that in |rxx[k0]|  For a correlation defect: Slope depends upon filter BW Quantizer de- correlates signal Noise floor set by # samples • No bias added • 1M samples A bias would raise the floor  The entropy is close to the value of 1 - rxx[k0]/rxx[0] for all values of bias and shift  For a bias defect: • Single LPF pole at z=0.7 • Single-bit quantizer results are symmetric about p=0.5 1 -
Actel Corporation © 2009 12 FPGA Implementation of Autocorrelation Test  The implementation is relatively efficient  Just need an accumulator for each shift value desired  Don’t need too many; the set should include k=1 plus a few others  For most RBG bit rates, circuits (except storage) can be time-shared z-1 z-1 z-1 z-1  z-1 S XOR 1 2 -1 | x | left shift absolute value  N test threshold limit for shift k=1 fail k = 2 k = N x[n] x[n-1] x[n-N] zero between blocks k = 1 Since the input is only one bit, this is just an up-down counter Alternatively, use ± threshold detectors 1 Delay Line Accumlators and Threshold Detectors
Actel Corporation © 2009 13 Add’l Considerations Response Comments Data Window Function Non-overlapping Blocks Slowest Most tests already structured this way Statistical formulae available Easy to identify, quarantine, & discard bits Sliding Window (rectangular) Faster Higher storage requirements Sliding Window (exponentially decaying) Fastest Often more efficient to implement Bits never completely removed from results (infinite impulse response) Block Size Small Faster Less memory, but more false alarms Health Monitor Design Considerations Test Name Bias 1st-order Other Size Comments Block x med Req’d. Detects total failure Frequency x low Special case of poker test Serial x x low Similar to autocorrelation shift=1 Poker x x x med Statistic uses multiplier4 Runs x low Long Run x low Autocorrelation x x x med Best overall entropy estimator
Actel Corporation © 2009 14 Ideal FPGA RBG Conditioner Characteristics  Low gate-count and SRAM requirements  Operates on the same clock as the raw-bit sampler  Parallelizable; low algorithmic complexity; high speed  Removes all DC biases; removes all correlations  Output bits statistically indistinguishable from random bits  Should pass the Statistical Test Suite in NIST SP800-22  Entropy compression  Therefore, there are fewer output bits than input bits,  the max. ratio of outputs to inputs depending upon the entropy of the input bits  but, without throwing away too many bits (i.e. we want close to the max.)  A constant compression ratio is preferred for fixed-rate applications  Good mixing of the weak-entropy input bits with the internal conditioner state  Output bits should “contain” very nearly 100% entropy  According to Santha and Vazirani it is impossible to deterministically extract even one true random bit from a single weak random source5 (per information theory)  However, in practice, we can get computationally acceptable results  Cryptographically strong  Low information leakage; hard to determine internal conditioner state
Actel Corporation © 2009 15 Von Neumann Extractor - for Removing Bias  Removes the bias from a stationary and otherwise uncorrelated bit stream (i.e., bits are independent), using the mapping: 00  , 01  0, 10  1, 11   where  indicates that no bit is output for that input pair  The efficiency is defined as the number of output bits per input bit  The efficiency is fairly low:  ¼  p1*p0 (where p1 is the probability of a one and p0 is the probability of a zero)  It can be used as a test by measuring the actual ratio of output to input bits (i.e., measure the “efficiency”)  It approaches the upper limit of ¼ for input sequences with no bias  The frequency test seems simpler and more direct for measuring bias
Actel Corporation © 2009 16 Improved Efficiency Bias Removal  Elias6 generalized the Von Neumann Extractor for input n- tuples with n  2, with improved efficiency for large n  As n approaches , the efficiency approaches the entropy limit  for example, a 6-tuple version, with an efficiency of 11/24 vs.  ¼ (= 6/24) for the Von Neumann 2-tuple version: 000000  001000 01 010000 10 011000 010 100000 11 101000 110 110000 111 111000 1111 000001 0 001001 00 010001 11 011001 0011 100001 011 101001 1001 110001 1100 111001 101 000010 1 001010 01 010010 000 011010 0100 100010 100 101010 1010 110010 1101 111010 110 000011  001011 01 010011 0000 011011 1 100011 0110 101011 11 110011 010 111011 01 000100 00 001100 10 010100 001 011100 0101 100100 101 101100 1011 110100 1110 111100 111 000101 0 001101 10 010101 0001 011101 00 100101 0111 101101 000 110101 011 111101 10 000110 1 001110 11 010110 0010 011110 01 100110 1000 101110 001 110110 100 111110 11 000111 00 001111  010111 0 011111 0 100111 10 101111 1 110111 00 111111  where  means no bits are output for that input 6-tuple  Peres7 showed that a similar efficiency can be obtained by iterating the Von Neumann Extractor on the bits it discards
Actel Corporation © 2009 17 Improving the Bias  Exclusive-OR8  XOR’ing independent bits with an already small bias results in a bit with a substantially lower bias. (E  Expectation): If E(X1)=E(X2)=E(Xn)=, Then E(X1X2…Xn) = ½ + (-2)n-1( - ½)n  Good building block for compressors  Not that good at removing correlation  If significant correlation is present in the input bits due to a Markov process, then there may still remain a significant bias in output  Very inexpensive implementations
Actel Corporation © 2009 18 Removing Correlation  Samuelson-Pratt6 mapping  Removes the correlation from a first-order stationary, ergodic, two- state Markov process using the mapping: 00  , 01 , 10  0, 11  1 where  indicates that no bit is output for that input pair  One can remove both first-order correlations and biases by applying the Samuelson-Pratt mapping followed by the Von Neumann Extractor  But, the efficiency is low:  1/8 output bit per input bit  Can be used as a test by measuring the ratio of output to input bits  Elias6 generalized the Samuelson-Pratt mapping for larger n- tuples and for higher-order Markov processes, with improved efficiency  Blum9 also considered higher-order Markov processes  More recent advances in information theory have connected randomness extractors to psuedo-random bit generators and error-correcting codes10,11
Actel Corporation © 2009 19 Ad Hoc Conditioner Approaches Type Statistical Quality Block/ Stream Good Mixing Compr ession Crypto. Strength FPGA Complexity Comments Exclusive-OR (XOR) poor stream possible yes very low very low flexible Linear Feedback Shift Register (LFSR) fair stream yes yes low low Several may be chained Cyclic Redundancy Check (CRC) fair block yes yes low low Message Digest excellent block yes yes high very high Deterministic Random Bit Generator excellent ? yes yes high very high For good quality DRBGs (e.g., Blum-Blum- Shub) Block Cipher excellent block yes yes high very high Can be configured as a hash Stream Cipher excellent stream no no good fairly low additive cipher
Actel Corporation © 2009 20 A Proposal for a New Ad Hoc Conditioner 31-bit LFSR Dec-by-2 Shift Reg. 1st-stage Conditioner Multi-mode 32-bit LFSR Multi-mode 32-bit LFSR Conditioner 2nd-stage Conditioner Conditioned Bits Raw Bits 8 Modes Total 4 sets of coef. x XOR & XNOR modes Multi-mode 32-bit LFSR
Actel Corporation © 2009 21 Simplified Example State Trajectory 17 22 11 27 19 23 21 20 10 5 28 14 7 29 16 8 4 2 1 30 15 25 18 9 26 13 24 12 6 3 31 0 1 14 10 8 9 20 7 19 25 28 3 17 24 1 16 5 18 4 15 23 27 29 30 2 12 11 21 26 0 13 22 6 0 31  Example shown is for a 5-bit LFSR (31 + 1 states), with two modes  The Output is the LSB of the current state  Each LFSR state sequence is fairly random  Connections between them are well mixed  Now Imagine…  For a 32-bit Multi-mode LFSR with 2 input bits and 8 LFSR modes  A full mesh of 8 such sequences  Each with over 4 billion states
Actel Corporation © 2009 22 Conditioner Results Type Statistical Quality Block/ Stream Good Mixing Compr ession Crypto. Strength FPGA Complexity Comments Multi-Mode LFSR excellent stream yes yes good (?) low Best of: Stream Cipher, LFSR, & XOR  MATLAB simulations  Passes all NIST Statistical Test Suite tests12 (post conditioner)  Even for a raw bit stream with fairly severe defects  1st-order filter with pole at z=-0.8 and zero at z=-1 (3dB BW  0.93fs/2)  DC Bias (pre quantizer) of 0.2  s2, where s2 is the std. dev. of raw source  Combined with a Sine wave interferer with amplitude ±0.3  s2 and frequency of 10 sample periods  Hardware tests – Actel Fusion FPGA  Harvested randomness from Fusion FPGA analog front end  Estimated input entropy greater than 0.9 bits per bit, 160M bit sample  Passes all NIST Statistical Test Suite tests12 (post conditioner)  The conditioner uses only about 300 tiles (approx. 120 LE’s) and can operate at 90MHz (with 45Mbps at the output)
Actel Corporation © 2009 23 Conclusion  Several candidates for a source entropy test were considered for FPGA implementation  Standard bit-level tests plus autocorrelation test  An error model and several analysis methods were presented  Recursive filter model, with results for a 1st order Markov process  Stationary model approach using the Weiner-Khinchin theorem  With simulation results compared to analytical model  A brief survey of classical randomness extractors  Von Neumann, Elias, and etc. (with footnotes)  A summary of common ad hoc conditioners  LFSR, CRC, hash algorithms, stream ciphers, and etc.  Including an assessment of performance and cost  A novel ad hoc conditioner was proposed  Simulation and actual FPGA hardware results presented
Actel Corporation © 2009 24 Footnotes 1. with a block size greater than 63 for FIPS 140-3; note that this was 15 in FIPS 140-1 2. NIST FIPS 140-1 specified that the monobit, poker, runs, and long run tests be performed on a 20,000-bit block of [conditioned] data upon demand for security levels 3 and 4, and at power-up (level 4). It provided test parameters and limits. 3. These five tests are described, along with the statistic used for each, in Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996, section 5.4.4 (http://www.cacr.math.uwaterloo.ca/hac/) 4. The statistic relies upon the sum of the squares of the frequencies. (Limits for the other tests can be precomputed.) The use of a multiplier can be avoided by keeping track of the square instead of the raw count. This can be done efficiently by incrementing by increasing odd numbers instead by ones, noting that: n2 + (2n + 1) = (n + 1)2 5. under fairly reasonable assumptions of the source characteristics. See M. Santha and U. V. Vazirani. Generating quasi-random sequences from semi-random sources. Journal of Computer and System Sciences, 33:75–87, 1986. 6. Peter Elias, The Efficient Construction of an Unbiased Random Sequence, Annals of Mathematical Statistics, 1972, Vol. 43, No. 3, pages 865-870 7. Yuval Peres, Iterating Von Neumann’s Procedure for Extracting Bits, Annals of Statistics 1992, Vol. 29, No. 1, pages 590-597 8. Robert B. Davies, Exclusive OR (XOR) and hardware random number generators (2002) 9. M. Blum. Independent unbiased coin flips from a correlated biased source: a finite Markov chain. Combinatorica, 6(2):97–108, 1986 10. R. Shaltiel. Recent developments in explicit constructions of extractors, Bull. Europ. Assoc. for Theor. Comput. Sci., vol. 77, pp. 67–95, June 2002 11. L. Trevisan, “Extractors and pseudorandom generators,” J. ACM, pp. 860–879, 2001. 12. 100% of the NIST STS tests pass using the default parameters. For the MATLAB simulations 400 blocks of 2Mbits were used; for the hardware tests, 300 blocks of 500Kbits. The FFT test showed P-values skewed towards the high side in both cases, with all other tests having flat P-value distributions as expected. Note that the STS built-in Blum-Blum-Shub DRBG gives similar skewed results on the FFT test.

Recommended

Lecture10.ppt
Lecture10.pptLecture10.ppt
Lecture10.ppt
thiru17270
 
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
iosrjce
 
H010613642
H010613642H010613642
H010613642
IOSR Journals
 
Sub157
Sub157Sub157
Sub157
International Journal of Science and Research (IJSR)
 
1999 si pi_dws_training_course
1999 si pi_dws_training_course1999 si pi_dws_training_course
1999 si pi_dws_training_course
Piero Belforte
 
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
International Journal of Science and Research (IJSR)
 
SYM Technology RF Spectrum Performance Analysis
SYM Technology RF Spectrum Performance AnalysisSYM Technology RF Spectrum Performance Analysis
SYM Technology RF Spectrum Performance Analysis
Todd Masters
 
Automotive Ethernet: Physical Layer Compliance Testing Webinar Slides
Automotive Ethernet: Physical Layer Compliance Testing Webinar SlidesAutomotive Ethernet: Physical Layer Compliance Testing Webinar Slides
Automotive Ethernet: Physical Layer Compliance Testing Webinar Slides
teledynelecroy
 

Recommended

Lecture10.ppt
Lecture10.pptLecture10.ppt
Lecture10.ppt
thiru17270
 
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
Vlsi Design of Low Transition Low Power Test Pattern Generator Using Fault Co...
iosrjce
 
H010613642
H010613642H010613642
H010613642
IOSR Journals
 
Sub157
Sub157Sub157
Sub157
International Journal of Science and Research (IJSR)
 
1999 si pi_dws_training_course
1999 si pi_dws_training_course1999 si pi_dws_training_course
1999 si pi_dws_training_course
Piero Belforte
 
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
Noise Immune and Area Optimized Serial Interface for FPGA based Industrial In...
International Journal of Science and Research (IJSR)
 
SYM Technology RF Spectrum Performance Analysis
SYM Technology RF Spectrum Performance AnalysisSYM Technology RF Spectrum Performance Analysis
SYM Technology RF Spectrum Performance Analysis
Todd Masters
 
Automotive Ethernet: Physical Layer Compliance Testing Webinar Slides
Automotive Ethernet: Physical Layer Compliance Testing Webinar SlidesAutomotive Ethernet: Physical Layer Compliance Testing Webinar Slides
Automotive Ethernet: Physical Layer Compliance Testing Webinar Slides
teledynelecroy
 
ECE.pptx
ECE.pptxECE.pptx
ECE.pptx
vikas678348
 
Spectral Analysis of Sample Rate Converter
Spectral Analysis of Sample Rate ConverterSpectral Analysis of Sample Rate Converter
Spectral Analysis of Sample Rate Converter
CSCJournals
 
Clock Generator/Jitter Cleaner with Integrated VCOs
Clock Generator/Jitter Cleaner with Integrated VCOsClock Generator/Jitter Cleaner with Integrated VCOs
Clock Generator/Jitter Cleaner with Integrated VCOs
Premier Farnell
 
Usb Controlled Function Generator
Usb Controlled Function GeneratorUsb Controlled Function Generator
Usb Controlled Function Generator
Kent Schonert
 
Design of Loop Filter Using CMOS
Design of Loop Filter Using CMOSDesign of Loop Filter Using CMOS
Design of Loop Filter Using CMOS
International Journal of Science and Research (IJSR)
 
VLSI TESTING.ppt
VLSI TESTING.pptVLSI TESTING.ppt
VLSI TESTING.ppt
JashwanthReddy26
 
Project_Kaveh & Mohammad
Project_Kaveh & MohammadProject_Kaveh & Mohammad
Project_Kaveh & Mohammad
Kaveh Dehno
 
Vibration Measurements In Wind Power Turbines
Vibration Measurements In Wind Power TurbinesVibration Measurements In Wind Power Turbines
Vibration Measurements In Wind Power Turbines
alexzio
 
Library Characterization Flow
Library Characterization FlowLibrary Characterization Flow
Library Characterization Flow
Satish Grandhi
 
ACTAS 2016
ACTAS 2016ACTAS 2016
ACTAS 2016
Patrick Krey
 
Efficient signal acquisition in multi channel neural systems
Efficient signal acquisition in multi channel neural systemsEfficient signal acquisition in multi channel neural systems
Efficient signal acquisition in multi channel neural systems
Ashwath Krishnan
 
DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1
Sergey Dickey
 
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
Kevin Mathew
 
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
IRJET Journal
 
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
IJMTST Journal
 
Thesis
ThesisThesis
Thesis
Nachiket Kansara
 
Scaling Down Instrumentation Deploying Analog Mixed Signal Technology
Scaling Down Instrumentation Deploying Analog Mixed Signal TechnologyScaling Down Instrumentation Deploying Analog Mixed Signal Technology
Scaling Down Instrumentation Deploying Analog Mixed Signal Technology
Shivaprasad Tilekar
 
Digital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier RecoveryDigital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier Recovery
IJERD Editor
 
Optimal+ GSA 2014
Optimal+ GSA 2014Optimal+ GSA 2014
Optimal+ GSA 2014
OptimalPlus
 
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdfYour Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
aud Scarlet
 
aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
HiraAshfaqSubhan
 
Gantt.pptx
Gantt.pptxGantt.pptx
Gantt.pptx
HiraAshfaqSubhan
 

More Related Content

Similar to 2009-06-30.ppt

Usb Controlled Function Generator
Usb Controlled Function GeneratorUsb Controlled Function Generator
Usb Controlled Function Generator
Kent Schonert
 
Design of Loop Filter Using CMOS
Design of Loop Filter Using CMOSDesign of Loop Filter Using CMOS
Design of Loop Filter Using CMOS
International Journal of Science and Research (IJSR)
 
Project_Kaveh & Mohammad
Project_Kaveh & MohammadProject_Kaveh & Mohammad
Project_Kaveh & Mohammad
Kaveh Dehno
 
DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1
Sergey Dickey
 
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
IJMTST Journal
 
Digital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier RecoveryDigital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier Recovery
IJERD Editor
 

Similar to 2009-06-30.ppt (20)

ECE.pptx
ECE.pptxECE.pptx
ECE.pptx
 
Spectral Analysis of Sample Rate Converter
Spectral Analysis of Sample Rate ConverterSpectral Analysis of Sample Rate Converter
Spectral Analysis of Sample Rate Converter
 
Clock Generator/Jitter Cleaner with Integrated VCOs
Clock Generator/Jitter Cleaner with Integrated VCOsClock Generator/Jitter Cleaner with Integrated VCOs
Clock Generator/Jitter Cleaner with Integrated VCOs
 
Usb Controlled Function Generator
Usb Controlled Function GeneratorUsb Controlled Function Generator
Usb Controlled Function Generator
 
Design of Loop Filter Using CMOS
Design of Loop Filter Using CMOSDesign of Loop Filter Using CMOS
Design of Loop Filter Using CMOS
 
VLSI TESTING.ppt
VLSI TESTING.pptVLSI TESTING.ppt
VLSI TESTING.ppt
 
Project_Kaveh & Mohammad
Project_Kaveh & MohammadProject_Kaveh & Mohammad
Project_Kaveh & Mohammad
 
Vibration Measurements In Wind Power Turbines
Vibration Measurements In Wind Power TurbinesVibration Measurements In Wind Power Turbines
Vibration Measurements In Wind Power Turbines
 
Library Characterization Flow
Library Characterization FlowLibrary Characterization Flow
Library Characterization Flow
 
ACTAS 2016
ACTAS 2016ACTAS 2016
ACTAS 2016
 
Efficient signal acquisition in multi channel neural systems
Efficient signal acquisition in multi channel neural systemsEfficient signal acquisition in multi channel neural systems
Efficient signal acquisition in multi channel neural systems
 
DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1DickeyS_presentation_2015_3_26_2_1
DickeyS_presentation_2015_3_26_2_1
 
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
A Robust UART Architecture Based on Recursive Running Sum Filter for Better N...
 
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
IRJET- Performance Analysis of Clock and Data Recovery Circuits using Multile...
 
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
Data Volume Compression Using BIST to get Low-Power Pseudorandom Test Pattern...
 
Thesis
ThesisThesis
Thesis
 
Scaling Down Instrumentation Deploying Analog Mixed Signal Technology
Scaling Down Instrumentation Deploying Analog Mixed Signal TechnologyScaling Down Instrumentation Deploying Analog Mixed Signal Technology
Scaling Down Instrumentation Deploying Analog Mixed Signal Technology
 
Digital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier RecoveryDigital Implementation of Costas Loop with Carrier Recovery
Digital Implementation of Costas Loop with Carrier Recovery
 
Optimal+ GSA 2014
Optimal+ GSA 2014Optimal+ GSA 2014
Optimal+ GSA 2014
 
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdfYour Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
Your Ultimate Guide to Designing Analog Filters - Welcome to OXELTECH.pdf
 

More from HiraAshfaqSubhan

aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
HiraAshfaqSubhan
 
Gantt.pptx
Gantt.pptxGantt.pptx
Gantt.pptx
HiraAshfaqSubhan
 
rytew.ppt
rytew.pptrytew.ppt
rytew.ppt
HiraAshfaqSubhan
 
xxx.ppt
xxx.pptxxx.ppt
xxx.ppt
HiraAshfaqSubhan
 
PPT MAATEN.ppt
PPT MAATEN.pptPPT MAATEN.ppt
PPT MAATEN.ppt
HiraAshfaqSubhan
 
128-ch2.pptx
128-ch2.pptx128-ch2.pptx
128-ch2.pptx
HiraAshfaqSubhan
 

More from HiraAshfaqSubhan (6)

aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
 
Gantt.pptx
Gantt.pptxGantt.pptx
Gantt.pptx
 
rytew.ppt
rytew.pptrytew.ppt
rytew.ppt
 
xxx.ppt
xxx.pptxxx.ppt
xxx.ppt
 
PPT MAATEN.ppt
PPT MAATEN.pptPPT MAATEN.ppt
PPT MAATEN.ppt
 
128-ch2.pptx
128-ch2.pptx128-ch2.pptx
128-ch2.pptx
 

Recently uploaded

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
kapoorjyoti4444
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
kapoorjyoti4444
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Damini Dixit
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Sheetaleventcompany
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
lizamodels9
 

Recently uploaded (20)

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 

2009-06-30.ppt

  • 1. Actel Corporation © 2009 Conditioner and Health Monitor for Use in Conjunction with a Non-Deterministic Random Bit Generator G. Richard Newell Senior Principal Product Architect Actel Corporation for CryptArchi 2009 Hardware testing performed by James Vorgert Actel Area Technical Manager
  • 2. Actel Corporation © 2009 2 Generic Random Bit Generator Architecture Non-Deterministic Random Bit Generator (NRBG) Raw Entropy Source Conditioner Deterministic Random Bit Generator (DRBG) Full entropy conditioned bits [re-]seed input Output Potentially much larger quantity of pseudo-random bits Raw bits (biased) Health Monitor Re-seeding DRBG provides “prediction resistance” Cryptographic design of the DRBG provides “backtracking resistance” & low information leakage
  • 3. Actel Corporation © 2009 3 NRBG blocks  Raw Entropy Source  Uses random physical process to generate raw bits  Raw bits likely have biases and correlations  Plus, some susceptibility to environment such as supply voltages & temperature  Due to finite gains and bandwidths, mis-matching of components, materials, etc.  Thus, raw output bits contains less than 1 bit of entropy each  But, more than some design minimum  Health Monitor  Ensures raw entropy source is performing to specification  Entropy generation hasn’t dropped too close to zero  Environmental monitors (if available) ensure valid operational conditions  Conditioner  Compresses entropy of raw bits so output bits have full entropy  Removes any biases and correlations (referred to as “deskewing”)  Output bits should pass statistical tests for randomness  e.g., NIST Statistical Test Suite (SP800-22)
  • 4. Actel Corporation © 2009 4 FPGA-friendly Health Monitors and Conditioners  This paper presents FPGA-friendly Health Monitors and Conditioners  Partly survey  Plus some observations and a few new practical proposals  It does not address:  The physical raw bit source  Many other Cryptarchi papers on this subject  The cryptographically strong Deterministic RBG which follows the conditioner  See NIST SP800-90 for approved DRBG algorithms Non-Deterministic Random Bit Generator (NRBG) Raw Entropy Source Conditioner Deterministic Random Bit Generator (DRBG) [re-]seed input Output Health Monitor Focus of this paper
  • 5. Actel Corporation © 2009 5 Common Defects in Raw Bits  DC Biases  The probability of a bit being “1” is above or below 50%  For example, due to electrical offsets, the raw bit generator returns 49% ones and 51% zeroes for large sample sizes  Time Correlations  The expected value of a bit depends upon the prior state of the system  The current output bit is [anti-]correlated with past outputs  Possibly characterized as a first- or higher-order Markov chain  For example:  Due to bandwidth limitations (high frequencies under-represented), the probability of a bit matching the preceding bit is greater than 50%  Could be caused by over-sampling relative to noise bandwidth  For once, aliasing is good! fs/2 log(|v|) f Over-sampled Low-Pass Filter (LPF) magnitude response
  • 6. Actel Corporation © 2009 6 Model of RBG Raw Entropy Source RBG Model with Bias and 1st-order Correlation defects  S a1 z-1 - + + Random DC Bias, s0 2 White Gaussian Noise, s1 2 x0 x1 x2 quantizer Raw Random Bits  Markov model approximation: state vector propagation xn+1 = A  xn + B  un covariance matrix propagation Pn+1 = A  Pn  AT + Qn  With stationary input noise, the variance and the covariance of adjacent samples are, respectively: limit : Var(x1) = Var(x2) = rxx[0] = s1 2 + s0 2 Cov(x1,x2) = rxx[1] = s1 2 + s0 2 A = 1 0 0 a1T 1-a1T 0 0 1 0 Transition Matrix 1 0 B = 0 a1T 0 0 Input Mapping Matrix s0 2 0 0 Qn = 0 a1Ts1 2 0 0 0 0 Covariance of input vector for n=0 only, otherwise 0 n   1 2 - a1T 2 - a1T 1 - a1T T sampler Low Pass Filter where rxx[k] is the autocorrelation for shift = k
  • 7. Actel Corporation © 2009 7 Ideal FPGA RBG Health Monitor Characteristics  Low gate-count and SRAM requirements  Operates on the same clock as the raw-bit sampler  Parallelizable; low algorithmic complexity; high speed  Detects low entropy without fail (low false negatives)  Both bias and correlation type defects should be reliably detected  Not too many false alarms (low false positives)  However, every sequence of random bits has a finite probability  Including those that look like generator failures  As such, some false alarms may be inevitable  More frequent if small test-block sizes are used, and if tighter limits are chosen to minimize false negatives  Beware that discarding too many failed blocks may also bias the results  Availability of environmental monitors  Mixed-signal FPGAs (e.g., Actel’s Fusion series) have on-chip voltage and temperature monitors and an on-chip R-C oscillator that can be used for environmental monitoring
  • 8. Actel Corporation © 2009 8 RBG Health Monitor Options (slide 1/2)  Block Test  NIST FIPS 140-3 (paragraph 4.9.2) requires continuously comparing adjacent blocks of bits1 and, if identical, rejecting the 2nd block  FIPS 140-3 also requires an “Entropy Source Test”  Frequency Test (a.k.a.: Monobit Test)2,3  Count “ones” as a percentage of total bits in a block  Variations:  Sliding window vs. non-overlapping blocks (FIR filter)  Exponentially decaying response window (IIR filter)  Measures DC bias directly  Serial Test (a.k.a. Two-bit Test)3  Checks the frequency of two-bit overlapping sequences  Tests for bias and some correlations
  • 9. Actel Corporation © 2009 9 RBG Health Monitor Options (slide 2/2)  Poker Test2,3  Checks the frequency of m-bit non-overlapping sequences  m is a parameter; for FIPS 140-1 m = 4  Runs Test2,3  Checks the frequency of runs of ones or zeroes of various lengths  The length of the runs is a parameter; for FIPS 140-1, 1  i  6, with runs greater than 6 counted same as 6; zeroes and ones counted separately  Long Run Test2  Reports the longest run of ones or zeroes in the sample block  Autocorrelation Test3  Compares bits stream to shifted version of itself  Number of shifts is a parameter  Detects bias and most correlations, if several shifts are considered  Can also detect sine-wave interference
  • 10. Actel Corporation © 2009 10  For Linear Time-Invariant (LTI) signals, the Wiener–Khinchin theorem relates the power spectrum Sxx to the autocorrelation rxx using the Discrete-time Fourier transform (DTFT) pair, Sxx(f) = S rxx[k]e-j2pkf rxx[k] = T  Sxx ( f )  ej2pfkT df where the autocorrelation is defined in terms of the expectation: rxx[k] = E[ x[n]x*[n – k]]  Since in our model the input is white, its power spectrum Wxx(f) is constant over frequency. The output spectrum can be calculated from the filter transfer function & its conjugate:  Sxx(f) = WxxT(f)T*(f)  So, now we have another way to compute the autocorrelation from our stationary noise, using filter transfer functions Autocorrelation from Transfer Functions k = -  1 2T 1 2T - T
  • 11. Actel Corporation © 2009 11 Autocorrelation Analysis Results  Autocorrelation provides a useful measure of data flaws  An upper-bound on entropy can be estimated by comparing the power represented in rxx[0] vs. that in |rxx[k0]|  For a correlation defect: Slope depends upon filter BW Quantizer de- correlates signal Noise floor set by # samples • No bias added • 1M samples A bias would raise the floor  The entropy is close to the value of 1 - rxx[k0]/rxx[0] for all values of bias and shift  For a bias defect: • Single LPF pole at z=0.7 • Single-bit quantizer results are symmetric about p=0.5 1 -
  • 12. Actel Corporation © 2009 12 FPGA Implementation of Autocorrelation Test  The implementation is relatively efficient  Just need an accumulator for each shift value desired  Don’t need too many; the set should include k=1 plus a few others  For most RBG bit rates, circuits (except storage) can be time-shared z-1 z-1 z-1 z-1  z-1 S XOR 1 2 -1 | x | left shift absolute value  N test threshold limit for shift k=1 fail k = 2 k = N x[n] x[n-1] x[n-N] zero between blocks k = 1 Since the input is only one bit, this is just an up-down counter Alternatively, use ± threshold detectors 1 Delay Line Accumlators and Threshold Detectors
  • 13. Actel Corporation © 2009 13 Add’l Considerations Response Comments Data Window Function Non-overlapping Blocks Slowest Most tests already structured this way Statistical formulae available Easy to identify, quarantine, & discard bits Sliding Window (rectangular) Faster Higher storage requirements Sliding Window (exponentially decaying) Fastest Often more efficient to implement Bits never completely removed from results (infinite impulse response) Block Size Small Faster Less memory, but more false alarms Health Monitor Design Considerations Test Name Bias 1st-order Other Size Comments Block x med Req’d. Detects total failure Frequency x low Special case of poker test Serial x x low Similar to autocorrelation shift=1 Poker x x x med Statistic uses multiplier4 Runs x low Long Run x low Autocorrelation x x x med Best overall entropy estimator
  • 14. Actel Corporation © 2009 14 Ideal FPGA RBG Conditioner Characteristics  Low gate-count and SRAM requirements  Operates on the same clock as the raw-bit sampler  Parallelizable; low algorithmic complexity; high speed  Removes all DC biases; removes all correlations  Output bits statistically indistinguishable from random bits  Should pass the Statistical Test Suite in NIST SP800-22  Entropy compression  Therefore, there are fewer output bits than input bits,  the max. ratio of outputs to inputs depending upon the entropy of the input bits  but, without throwing away too many bits (i.e. we want close to the max.)  A constant compression ratio is preferred for fixed-rate applications  Good mixing of the weak-entropy input bits with the internal conditioner state  Output bits should “contain” very nearly 100% entropy  According to Santha and Vazirani it is impossible to deterministically extract even one true random bit from a single weak random source5 (per information theory)  However, in practice, we can get computationally acceptable results  Cryptographically strong  Low information leakage; hard to determine internal conditioner state
  • 15. Actel Corporation © 2009 15 Von Neumann Extractor - for Removing Bias  Removes the bias from a stationary and otherwise uncorrelated bit stream (i.e., bits are independent), using the mapping: 00  , 01  0, 10  1, 11   where  indicates that no bit is output for that input pair  The efficiency is defined as the number of output bits per input bit  The efficiency is fairly low:  ¼  p1*p0 (where p1 is the probability of a one and p0 is the probability of a zero)  It can be used as a test by measuring the actual ratio of output to input bits (i.e., measure the “efficiency”)  It approaches the upper limit of ¼ for input sequences with no bias  The frequency test seems simpler and more direct for measuring bias
  • 16. Actel Corporation © 2009 16 Improved Efficiency Bias Removal  Elias6 generalized the Von Neumann Extractor for input n- tuples with n  2, with improved efficiency for large n  As n approaches , the efficiency approaches the entropy limit  for example, a 6-tuple version, with an efficiency of 11/24 vs.  ¼ (= 6/24) for the Von Neumann 2-tuple version: 000000  001000 01 010000 10 011000 010 100000 11 101000 110 110000 111 111000 1111 000001 0 001001 00 010001 11 011001 0011 100001 011 101001 1001 110001 1100 111001 101 000010 1 001010 01 010010 000 011010 0100 100010 100 101010 1010 110010 1101 111010 110 000011  001011 01 010011 0000 011011 1 100011 0110 101011 11 110011 010 111011 01 000100 00 001100 10 010100 001 011100 0101 100100 101 101100 1011 110100 1110 111100 111 000101 0 001101 10 010101 0001 011101 00 100101 0111 101101 000 110101 011 111101 10 000110 1 001110 11 010110 0010 011110 01 100110 1000 101110 001 110110 100 111110 11 000111 00 001111  010111 0 011111 0 100111 10 101111 1 110111 00 111111  where  means no bits are output for that input 6-tuple  Peres7 showed that a similar efficiency can be obtained by iterating the Von Neumann Extractor on the bits it discards
  • 17. Actel Corporation © 2009 17 Improving the Bias  Exclusive-OR8  XOR’ing independent bits with an already small bias results in a bit with a substantially lower bias. (E  Expectation): If E(X1)=E(X2)=E(Xn)=, Then E(X1X2…Xn) = ½ + (-2)n-1( - ½)n  Good building block for compressors  Not that good at removing correlation  If significant correlation is present in the input bits due to a Markov process, then there may still remain a significant bias in output  Very inexpensive implementations
  • 18. Actel Corporation © 2009 18 Removing Correlation  Samuelson-Pratt6 mapping  Removes the correlation from a first-order stationary, ergodic, two- state Markov process using the mapping: 00  , 01 , 10  0, 11  1 where  indicates that no bit is output for that input pair  One can remove both first-order correlations and biases by applying the Samuelson-Pratt mapping followed by the Von Neumann Extractor  But, the efficiency is low:  1/8 output bit per input bit  Can be used as a test by measuring the ratio of output to input bits  Elias6 generalized the Samuelson-Pratt mapping for larger n- tuples and for higher-order Markov processes, with improved efficiency  Blum9 also considered higher-order Markov processes  More recent advances in information theory have connected randomness extractors to psuedo-random bit generators and error-correcting codes10,11
  • 19. Actel Corporation © 2009 19 Ad Hoc Conditioner Approaches Type Statistical Quality Block/ Stream Good Mixing Compr ession Crypto. Strength FPGA Complexity Comments Exclusive-OR (XOR) poor stream possible yes very low very low flexible Linear Feedback Shift Register (LFSR) fair stream yes yes low low Several may be chained Cyclic Redundancy Check (CRC) fair block yes yes low low Message Digest excellent block yes yes high very high Deterministic Random Bit Generator excellent ? yes yes high very high For good quality DRBGs (e.g., Blum-Blum- Shub) Block Cipher excellent block yes yes high very high Can be configured as a hash Stream Cipher excellent stream no no good fairly low additive cipher
  • 20. Actel Corporation © 2009 20 A Proposal for a New Ad Hoc Conditioner 31-bit LFSR Dec-by-2 Shift Reg. 1st-stage Conditioner Multi-mode 32-bit LFSR Multi-mode 32-bit LFSR Conditioner 2nd-stage Conditioner Conditioned Bits Raw Bits 8 Modes Total 4 sets of coef. x XOR & XNOR modes Multi-mode 32-bit LFSR
  • 21. Actel Corporation © 2009 21 Simplified Example State Trajectory 17 22 11 27 19 23 21 20 10 5 28 14 7 29 16 8 4 2 1 30 15 25 18 9 26 13 24 12 6 3 31 0 1 14 10 8 9 20 7 19 25 28 3 17 24 1 16 5 18 4 15 23 27 29 30 2 12 11 21 26 0 13 22 6 0 31  Example shown is for a 5-bit LFSR (31 + 1 states), with two modes  The Output is the LSB of the current state  Each LFSR state sequence is fairly random  Connections between them are well mixed  Now Imagine…  For a 32-bit Multi-mode LFSR with 2 input bits and 8 LFSR modes  A full mesh of 8 such sequences  Each with over 4 billion states
  • 22. Actel Corporation © 2009 22 Conditioner Results Type Statistical Quality Block/ Stream Good Mixing Compr ession Crypto. Strength FPGA Complexity Comments Multi-Mode LFSR excellent stream yes yes good (?) low Best of: Stream Cipher, LFSR, & XOR  MATLAB simulations  Passes all NIST Statistical Test Suite tests12 (post conditioner)  Even for a raw bit stream with fairly severe defects  1st-order filter with pole at z=-0.8 and zero at z=-1 (3dB BW  0.93fs/2)  DC Bias (pre quantizer) of 0.2  s2, where s2 is the std. dev. of raw source  Combined with a Sine wave interferer with amplitude ±0.3  s2 and frequency of 10 sample periods  Hardware tests – Actel Fusion FPGA  Harvested randomness from Fusion FPGA analog front end  Estimated input entropy greater than 0.9 bits per bit, 160M bit sample  Passes all NIST Statistical Test Suite tests12 (post conditioner)  The conditioner uses only about 300 tiles (approx. 120 LE’s) and can operate at 90MHz (with 45Mbps at the output)
  • 23. Actel Corporation © 2009 23 Conclusion  Several candidates for a source entropy test were considered for FPGA implementation  Standard bit-level tests plus autocorrelation test  An error model and several analysis methods were presented  Recursive filter model, with results for a 1st order Markov process  Stationary model approach using the Weiner-Khinchin theorem  With simulation results compared to analytical model  A brief survey of classical randomness extractors  Von Neumann, Elias, and etc. (with footnotes)  A summary of common ad hoc conditioners  LFSR, CRC, hash algorithms, stream ciphers, and etc.  Including an assessment of performance and cost  A novel ad hoc conditioner was proposed  Simulation and actual FPGA hardware results presented
  • 24. Actel Corporation © 2009 24 Footnotes 1. with a block size greater than 63 for FIPS 140-3; note that this was 15 in FIPS 140-1 2. NIST FIPS 140-1 specified that the monobit, poker, runs, and long run tests be performed on a 20,000-bit block of [conditioned] data upon demand for security levels 3 and 4, and at power-up (level 4). It provided test parameters and limits. 3. These five tests are described, along with the statistic used for each, in Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996, section 5.4.4 (http://www.cacr.math.uwaterloo.ca/hac/) 4. The statistic relies upon the sum of the squares of the frequencies. (Limits for the other tests can be precomputed.) The use of a multiplier can be avoided by keeping track of the square instead of the raw count. This can be done efficiently by incrementing by increasing odd numbers instead by ones, noting that: n2 + (2n + 1) = (n + 1)2 5. under fairly reasonable assumptions of the source characteristics. See M. Santha and U. V. Vazirani. Generating quasi-random sequences from semi-random sources. Journal of Computer and System Sciences, 33:75–87, 1986. 6. Peter Elias, The Efficient Construction of an Unbiased Random Sequence, Annals of Mathematical Statistics, 1972, Vol. 43, No. 3, pages 865-870 7. Yuval Peres, Iterating Von Neumann’s Procedure for Extracting Bits, Annals of Statistics 1992, Vol. 29, No. 1, pages 590-597 8. Robert B. Davies, Exclusive OR (XOR) and hardware random number generators (2002) 9. M. Blum. Independent unbiased coin flips from a correlated biased source: a finite Markov chain. Combinatorica, 6(2):97–108, 1986 10. R. Shaltiel. Recent developments in explicit constructions of extractors, Bull. Europ. Assoc. for Theor. Comput. Sci., vol. 77, pp. 67–95, June 2002 11. L. Trevisan, “Extractors and pseudorandom generators,” J. ACM, pp. 860–879, 2001. 12. 100% of the NIST STS tests pass using the default parameters. For the MATLAB simulations 400 blocks of 2Mbits were used; for the hardware tests, 300 blocks of 500Kbits. The FFT test showed P-values skewed towards the high side in both cases, with all other tests having flat P-value distributions as expected. Note that the STS built-in Blum-Blum-Shub DRBG gives similar skewed results on the FFT test.