jitter estimation with high accuracy for oscillator-based …...jitter estimation with high accuracy...

Jitter Estimation with High Accuracy forOscillator-Based TRNGs

Shaofeng Zhu, Hua Chen, Linmin Fan, Meihui Chen, Wei Xi, Dengguo Feng

TCA Laboratory, Institute of Software, Chinese Academy of Sciences

November 13, 2018

1 / 30

Outline

Introduction

Preliminaries: Signal Model, Entropy Evaluation, Jitter Estimation

Jitter Estimation with High Accuracy

Jitter Estimation on FPGA

Comparisons and Conclusion

2 / 30

Random Numbers and TRNGs

I Random Numbers• Applications in cryptography: secret keys, IVs, paddings, nonces, random masks for

countermeasure, etc..• Properties: good statistical properties, unpredictability.

I True Random Number Generators (TRNGs)• Digitization of random physical phenomenon (jitter, chaos, metastability, etc.) or

random events ( keystrokes, etc.).• Can generate random numbers with unpredictability.

3 / 30

Are the TRNGs secure for applications ?

To evaluate the TRNGsI Statistical Tests• NIST SP800-221, Diehard2, etc..• Only test the statistical properties, but not the unpredictability.

I Entropy Evaluation: to quantitatively measure the unpredictability.• Based on output sequence: NIST SP800-90B3.

When pseudo-randomness is mixed in the output sequence, overestimation of theentropy may happen.

• Based on the model of random signals of the TRNGs

1Andrew Rukhin et al. NIST SP800-22: A Statistical Test Suite for Random and Pseudorandom Number Generators for CryptographicApplications.

2George Marsaglia. “The Marsaglia random number CDROM including the DIEHARD battery of tests of randomness”. In: Diehard Tests (1995).3Meltem Sonmez Turan et al. NIST SP800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation.

4 / 30

Ring Oscillator-based TRNGsI Advantages

Easy to implement on logic device, resource-saving, etc..I Structure

Q

QSET

CLR

D

Oscillatory signal

Sampling signal

( )oS

( )sS

True random numbers

I Noises on logic devices• Uncorrelated random noise (mainly thermal noise)• Correlated random noise (mainly low-frequency flicker noise)

I Source of the RandomnessJitter: the STD4 of the periods, will be accumulated in the samplingintervalComponents: thermal jitter and flicker jitter

4standard deviation 5 / 30

Related Works on Jitter Estimation

I External estimation• Measuring equipments such as oscilloscopes.• Additional jitter from Input/Output circuits and pins

I Internal estimation–Valtchanov et al.5

• Counter-based jitter estimation–counting rising edges of So in fixed intervals.• Accumulated jitter ≈ the STD of the number of rising edges• Approximate estimation with quantization

I Improvement of Ma et al.6 (CHES’2014)• Count both the rising and falling edges of So• Actually reduces the quantization step size by half

5Boyan Valtchanov et al. “Modeling and observing the jitter in ring oscillators implemented in FPGAs”. In: DDECS. 2008.6Yuan Ma et al. “Entropy Evaluation for Oscillator-Based True Random Number Generators”. In: CHES. 2014.

6 / 30

Related Works on Jitter Estimation

I Fischer et al.7 (CHES’2014)• Based on Monte Carlo method• Estimation error is smaller than 5% in simulation.

� The above mentioned methods actually estimate the total jitter.I Haddad et al.8: jitter separating approach• To gain the ratio of thermal jitter in the total jitter• Also use a counter-based method to estimate the total jitter

7Viktor Fischer and David Lubicz. “Embedded Evaluation of Randomness in Oscillator Based Elementary TRNG”. In: CHES. 2014, postnote.8Patrick Haddad et al. “On the assumption of mutual independence of jitter realizations in P-TRNG stochastic models”. In: DATE. 2014,

postnote.

7 / 30

Motivation

I Overestimation of jitter will result in the overestimation of therandomness–serious problem!

I Error (quantization error) will be introduced in previous counter-basedjitter estimation methods. It will cause the overestimation of the jitter.

I Jitter estimation should be efficient when implemented on-line .

8 / 30

Introduction





9 / 30

Signal Model

I Notions in the signal model

oS

sTiSP 1iSP

sS

1oT okTojT... ...

W

• The edge intervals of So , To1· · ·Toj · · ·Tok has mean µo and standard deviation σo ;µo : half mean period of So ;σo : half period jitter of So , will be accumulated in Ts .

• Ts is stable.• The waiting time W ∼ U(0, µo)9, and is independent from the current Ts .

9Wolfgang Killmann and Werner Schindler. “A Design for a Physical RNG with Robust Entropy Estimators”. In: CHES 2008.

10 / 30

Signal ModelI Normalization• Ts→ ts = Tsµo ,Toj→ toj =

Tojµo

,σo→σ= σoµo , µo→1,W→w =Wµo

.• The µo can be measured from the frequency of So .

I Equivalent signal model

oS

1okt

st

1 1ot

iSP 1iSP

...

w

...1ojt

sS

• Edge interval toj is stable, to1 = · · · = toj = · · · = 1.• ts has mean value µs and standard deviation σs ;σs : total jitter=(thermal+flicker) jitter, σ

2s = (σ

ths )

2 + (σfls )2.

• w ∼ U(0, 1) and is independent from the current ts .11 / 30

Entropy Evaluation

I Assumptions1. Only the uncorrelated thermal noise is taken into account.2. Edge intervals To1 · · ·Toj · · ·Tok ∼ N(µo , σ2o)3. ts ∼ N(µs , (σths )2)

I Lower bound of the entropy, contributed by the thermal noise10

Hmin = 1−4

π2 ln(2)e−π

2(σths )2

. (1)

I Hmin is determined by σths , precisely estimating σths is important!

10Mathieu Baudet et al. “On the Security of Oscillator-Based Random Number Generators”. In: J. Cryptology (2011).

12 / 30

Jitter Estimation

I Jitter in ts maybe too small to be measured.I Take a longer measuring interval tm, the thermal jitter is “sqrt”

accumulated with the interval size.I Estimation for the σths

1. Separating

σthm = rthσm, σths =

√tstmσthm . (2)

2. Approximating: tm is short enough so that the σthm dominates over the σ

flm

σthm ≈ σm, σths ≈√

tstmσm. (3)

I The total jitter σm should be estimated first.

13 / 30

Introduction





14 / 30

Error Investigation

Counter-based jitter method of Ma et al.

I Edge-countingX : the number of the rising and falling edges of So in tm

I ApproximationVar(tm) ≈ Var(X ). (4)

Vs. tm, X is easy to measure on the chip.

I Estimationσm =

√Var(tm) ≈

√Var(X ). (5)

15 / 30

Error Investigation

oS

1okt

st

1 1ot

iSP 1iSP

...

w

...1ojt

sS

I Source of error

X = btm − w + 1cq=1.(q : quantization step) (6)

1. waiting time factor:(−w + 1) 2. the quantization

16 / 30

Error InvestigationI Evaluation of the errors• Errors of the approximation (4): abs error ea=Var(X )−Var(tm), rel error er = |ea|Var(tm)• Error level of Ma’s method: em = 12er

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1m0

0.05

0.1

0.15

0.2

0.25

0.3

ea

fm

=0

fm

=0.1,0.9

fm

=0.2,0.8

fm

=0.3,0.7

fm

=0.4,0.6

fm

=0.5

(a) Absolute error ea

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 1.3 1.4 1.5m0

10

20

30

40

50

60

70

80

90

100

em

(%)

fm

=0

fm

=0.1,0.9

fm

=0.2,0.8

fm

=0.3,0.7

fm

=0.4,0.6

fm

=0.5

(b) Error level em

17 / 30

To Correct the Error

I Sheppard’s Correction11

For a random variable v with continuous distribution, its roundingquantized value vq = [v ]q. The quantization error eq = v − vq willapproximately follow U(−q/2, q/2) and be independent from v .

E(v) = E(vq),E(v2) = E(v2q )− q2/12. (7)

11William Fleetwood Sheppard. “On the Calculation of the most Probable Values of Frequency-Constants for Data arranged according toEquidistant Division of a Scale”. In: Proceedings of the London Mathematical Society (1897).

18 / 30

Analysis and Correction

In the jitter estimation case,

I Var(X ) and Var(tm)

X = btm − w + 1cq=1 = [tm − w + 0.5]q=1. (8)

eq = (tm − w + 0.5− X ) ∼ U(−0.5, 0.5) (9)

w and eq are approximately independent from tm

Var(X ) = Var(tm − w + 0.5− eq) ≈ Var(tm) + Var(w) + Var(eq). (10)

The deviation between Var(tm) and Var(X ) is indeed caused by w and eq.

19 / 30


I New approximation for Var(tm)

Var(tm) ≈ Var(X )− Var(w)− Var(eq) ≈ Var(X )− 1/6. (11)

I New estimation for σm

σm ≈√

Var(X )− 1/6. (12)

20 / 30


I Evaluation of the errors• Errors of new approxiamtion (11): ea=Var(X )−16−Var(tm), er =

|ea|Var(tm)

• Error level of our method : em = 12er

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 m-0.2

-0.15

-0.1

-0.05

0

0.05

0.1

0.15

0.2

0.25

0.3 e

a f

m

=0

fm

=0.1,0.9

fm

=0.2,0.8

fm

=0.3,0.7

fm

=0.4,0.6

fm

=0.5

(a) Absolute error ea

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 m0

5

10

15

20

25

30

em

(%)

fm

=0

fm

=0.1,0.9

fm

=0.2,0.8

fm

=0.3,0.7

fm

=0.4,0.6

fm

=0.5

1

(b) Error level em

21 / 30

Theoretical Error AnalysisI Upper bound of the errors

(ea)max ≈1

π2e−2π

2σ2m , (em)max ≈1

2π2σ2me−2π

2σ2m (13)

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 m-0.2

-0.15

-0.1

-0.05

0

0.05

0.1

0.15

0.2

0.25

0.3

ea

fm

=0

fm

=0.1,0.9

fm

=0.2,0.8

fm

=0.3,0.7

fm

=0.4,0.6

fm

=0.5

(ea)max

(a) Theoretical absolute error ea

0 0.2 0.4 0.6 0.8 1 m0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

em

(%)

X: 0.4141Y: 1

(b) Theoretical error level em

22 / 30

An Efficient Calculation of Var(X )I Ordinary Calculation

Var(X ) =

∑Ni=1 x

2i

N− (

∑Ni=1 xiN

)2, (14)

needs N + 1 multiplications, N is the sample size.I In modern logic devices, σm is usually very small, so the counting results

x1, · · · , xN will vary slightly around x̄ .I The sample space of X is small too.SX = {pi |pi = bx̄c − I + i ; 1 ≤ i ≤ 2I ; 5 ≤ I � N} can cover most of thecounting results.

I New calculation1. Count x1, · · · , xN on p1, · · · , p2I , record with c1, · · · , c2I2. Calculate

Var(X ) =

∑2Ii=1 ci · (pi − x̄)2

N. (15)

Only 4I (� N + 1) multiplications are needed.23 / 30

Introduction





24 / 30

Off-line EstimationI Steps:

1. Count the edges of the oscillatory signal in intervals with different sizes (Tm s)2. Estimate the total jitter σm with the proposed method.

3. Separate the jitter: fit σ2m-Tm by σ2m = aT

2m + bTm, σ

thm = rthσm =

√b

b+aTmσm

I Setups: 3-inverters RO on Altera Cyclone IV FPGA with 305MHz,Tm : 0.8µs → 5.4µs

I Results:

0 1 2 3 4 5 5.5Measuring Interval Tm ( s)

0

0.25

0.5

0.75

1

1.25

1.5

1.75

2

2.25

2.5

2.75

m2

fitted: 0.0732Tm2 +0.087Tm

m2

(a) Total jitter

0 1 2 3 4 5Measuring Interval Tm ( s)

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5

( mth)2

linear fitted

( mth)2

(b) Thermal jitter25 / 30

On-line Estimation

I Vs. Off-line Estimation: size of Tm is fixed.I Steps

1. Pre-calculate rth =√

bb+aTm

, configure it in the circuit.

2. Estimate σm with the proposed method on the line.3. Calculate σthm = rthσm on the line.

I Circuit model diagram for On-line estimation

Q

QSET

CLR

D

Edge Counter

oS

sS

mS

TRNG output

XFrequency

divider ( )Var *

( )Var X1( )6

* -ms

thŕ

thms

26 / 30

Introduction





27 / 30

Comparisons

Figure: Comparisons of different methods

Methods Error Level Requirement for 𝜎𝑚 Theoretically

confirmed

Ma’s in CHES2014 10% 0.92 no

Fischer’s in CHES2014 5% Undefined no

Ours 1% 0.4141 yes

I Advantages: high accurate, theoretically confirmed error, fast assessment.

28 / 30

Summary and Future Work

I Summary• We correct the error in the counter-based methods.• The error level of our estimation can be lower than 1%• Efficiency is an additional advantage of our method.

I Future workFurther decrease the requirement for σm and estimate it in a shorterinterval, in order to reduce the ratio of the flicker jitter in the total jitter.Then the jitter separating approach is no longer necessary

29 / 30

Thanks for your attention!

30 / 30

OutlineIntroductionPreliminaries: Signal Model, Entropy Evaluation, Jitter EstimationJitter Estimation with High AccuracyJitter Estimation on FPGAComparisons and Conclusion

jitter estimation with high accuracy for oscillator-based …...jitter estimation with high accuracy...

Documents