NOLTA, IEICE
Paper
IC truly random number generators based on regular & chaotic sampling of chaotic waveforms
Salih Ergun 1a), Ulkuhan Guler 1 , and Kunihiro Asada 2
1 TUBITAK-National Research Institute of Electronics and Cryptology
PO Box 74, 41470, Gebze, Kocaeli, Turkey
2 University of Tokyo, VLSI Design and Education Center
7-3-1 Hongo, Bunkyo-ku, Tokyo 113, Japan
Abstract: Two random number generation methods based on regular and chaotic sampling
of chaotic waveforms are introduced. IC truly random number generators based on these
methods are also presented. Simulation and experimental results, verifying the feasibility
and correct operation of the circuits, are given. Numerical models for the proposed TRNG
designs have been developed, leading to the realization of the random number generator circuits.
Moreover, a feedback strategy including offset and frequency compensation circuits has been
developed in order to maximize the statistical quality of the output sequence and to be robust
against external interference, parameter variations and attacks. Prototype chips have been
fabricated by using HHNEC’s 0.25 µm eFlash process with a supply voltage of 2.5 V; they
feature throughput on the order of a few Mbps and fulfill the NIST-800-22 statistical test suite
for randomness without post-processing.
Key Words: random number generator, double-scroll chaotic oscillator, truly random
1. Introduction
Nowadays, because of the increasing demand for electronic official & financial transactions and digital
signature applications, the need for information secrecy has risen. As a result, random number
generators (RNGs), which in the past were used only for military cryptographic applications, have found
expanding usage in typical digital communication equipment.
A random binary sequence can be considered as the result of the flips of a fair coin with sides
labeled 1 and 0. Each flip has a probability of exactly 1/2 of producing a 1 or a 0, and the flips are
independent of each other. It should be noted that the use of unbiased coins for security purposes is
impractical.
Generators that produce random sequences (RNGs) can be classified into two types: truly random
number generators (TRNGs) and pseudo-random number generators (PRNGs). TRNGs take advantage
of nondeterministic entropy sources which truly produce random numbers. TRNG output may
be either directly used as random number sequence or fed into a PRNG.
[Received: March 26, 2010. Revised: September 19, 2010. Published: April 1, 2011.] [DOI: 10.1587/nolta.2.246] Nonlinear Theory and Its Applications, IEICE, vol. 2, no. 2, pp. 246–261 ©IEICE 2011
Almost all cryptographic systems require unpredictable values; therefore the RNG is a fundamental
component of cryptographic mechanisms. Generation of public/private key pairs for asymmetric
algorithms and of keys for symmetric and hybrid cryptosystems requires random numbers. The
one-time pad, challenges, nonces, padding bytes and blinding values are created by using truly random
number generators (TRNGs) [1].
Pseudo-random number generators (PRNGs) generate bits in a deterministic manner. In order to
appear to be generated by a TRNG, the pseudo-random sequences must be seeded from a shorter truly
random sequence [2]. Random numbers are also used during the authentication procedure between
two pieces of crypto equipment and for the initial value randomization of a crypto module that realizes
an algorithm. Even if the RNG design is known, no useful prediction about the output can be made. To
fulfill the requirements for secrecy of one-time pad, key generation and any other cryptographic
applications, the RNG must satisfy the following properties: the output bit stream of the RNG must pass
all the statistical tests of randomness; the next random bit must be unpredictable; and the same output
bit stream of the RNG must not be reproducible [3]. The best way to generate truly random
numbers is to exploit the natural randomness of the real world by finding a random event that happens
regularly [3]. Examples of such usable events include elapsed time during radioactive decay, thermal
and shot noise, oscillator jitter and the amount of charge of a capacitor [2].
There are few integrated circuit (IC) RNG designs reported in the literature; however, fundamentally
four different techniques have been mentioned for generating random numbers: amplification of a noise
source [4, 6], jittered oscillator sampling [1, 5, 6], discrete-time chaotic maps [7–9] and continuous-time
chaotic oscillators [10, 11, 30, 31].
External interference is a major concern in RNG design since interfered and random signals have
comparable levels. To solve this problem, in [6] an RNG which mixes three of the four mentioned RNG
techniques, all except the continuous-time chaos method, is presented without employing any special
circuitry. It is difficult to analyze and model such a generator and verify its correct operation due to the
mixing of different techniques.
Although the use of discrete-time chaotic maps in the realization of RNGs has been well known
for some time, it was only recently shown that continuous-time chaotic oscillators can also be used
to realize RNGs. In particular, preliminary results of RNGs using a continuous-time chaotic
oscillator have been reported in [30, 31]. In this paper we recall these RNGs and further introduce the
designs of two IC TRNGs, based on regular and chaotic sampling of chaotic waveforms. The presented
TRNGs offer some considerable advantages over the existing ones.
In contrast to previous RNGs [10, 11, 30, 31], where deterministic chaos itself was pointed out
as the source of randomness, this work analyzes the effect of noise generated by circuit components
to address the security issue. Note that the inclusion of noise, which is a nondeterministic entropy source,
qualifies the presented chaos-based generators to be used as a truly random source.
In comparison with the previous designs [10, 11, 29, 30], the TRNGs introduced in this paper are
enhanced architectures which allow for a feedback method [4, 9] based on the mono-bit and runs tests of
the FIPS-140-2 test suite [13] to maximize the statistical qualities of the output sequences and to be
robust against external interference, parameter variations of the fabrication process and attacks aimed
at forcing generator outputs.
Moreover, numerical models for the proposed designs have been developed, leading to the realization
of the TRNG circuits. Prototype TRNGs have been designed and fabricated by using HHNEC’s
0.25 µm eFlash process with a supply voltage of 2.5 V; they feature throughputs of 867 Kbps and
2516 Kbps, respectively. The circuit areas of both TRNG ICs, excluding compensation circuits, are about
19400 µm² and their power consumptions are about 4.5 mW. Numerical and experimental results
verifying the feasibility and the correct operation of the introduced TRNGs are presented such that
numerically generated binary sequences fulfill the FIPS-140-2 test suite [13] while the prototype TRNG ICs
fulfill the NIST-800-22 statistical test suite [14] without any further post-processing.
2. Continuous-time chaotic oscillator
Depending on whether the evolution of the dynamical system is expressed by nonlinear difference
or differential equations, chaotic systems are classified into two types, discrete-time or continuous-time,
respectively. Apart from discrete-time versus continuous-time, another possible classification of chaotic
oscillators is between autonomous and non-autonomous. A non-autonomous chaotic oscillator is
characterized by producing chaos when excited by a time-varying source. Although many
autonomous chaotic oscillators, which self-sustain chaos without needing excitation, have been reported
in the literature [15], there are relatively few non-autonomous chaotic oscillators [16].
It should be noted that, it is possible to use an autonomous or a non-autonomous chaotic oscillator
as the core of the proposed random number generation methods. If a chaotic oscillator will be used
as the part of a practical application such as RNG, it is desired to choose one that can be integrated
on silicon. In comparison with RNGs based on discrete-time chaotic sources it is seen that RNGs
based on continuous-time chaos can be implemented using less complex and more robust circuits,
particularly due to the absence of successive sample-and-hold and multiplier stages.
On the other hand, although many chaotic oscillators exist in the literature, only a few of them are
suitable for monolithic implementation and capable of operating at high frequencies and low voltage
levels [17]. In this paper, we utilize a simple autonomous continuous-time chaotic oscillator as the
core of the TRNGs, which realizes the double-scroll-like third-order chaotic equation, and present a
high-performance IC realization of it. The double-scroll attractor is considered one of the most famous
autonomous continuous-time circuits that exhibit chaos, many designs of which were proposed starting
from the use of a structure similar to the Double Scroll circuit of Matsumoto et al. [18].
2.1 Double-scroll chaotic attractor
The double-scroll attractor which is used as the core of the TRNGs is obtained from a simple model
given in [25], which is expressed by Eq. (1). It should be noted that when the nonlinearity is
replaced by a continuous nonlinearity, the system is similar to the one given in [26].
$$
\begin{aligned}
\dot{x} &= -y \\
\dot{y} &= -z \\
\dot{z} &= a\,(-x + y - z + \operatorname{sgn}(x))
\end{aligned}
\tag{1}
$$
The given third-order chaotic equation is single-parameter-controlled, where a is the only parameter
which contributes to the chaotic dynamics. Eq. (1) generates chaos for the single parameter
a over a wide range (0.48 ≤ a ≤ 0.98), which indicates that the non-ideal effect on the performance
of the chaotic system is not critical.
2.2 Circuit implementation
The chaotic oscillator circuit shown in Fig. 1, which is constructed as the core of the TRNGs, was
proposed in [19] but was not physically fabricated. It is noteworthy that implementing the design
as an IC not only shows the feasibility of the proposed TRNGs, but also provides robustness against
external interference, tampering and attacks.
Fig. 1. Schematic Diagram of the double-scroll chaotic oscillator.
The chaotic oscillator circuit is capable of operating at a wide range of frequencies and at low
voltage levels due to using a current mode technique. It is also easy to construct in the sense that it
does not involve analog multiplication; it uses only capacitors and MOS transistors. The introduced
implementation realizing the double-scroll attractor is composed of three cascaded Gm−C integrators
coupled with a robust nonlinearity of a two-transistor digital inverter that generates sgn(Vx). For
transconductance values of transconductors g1 = g2 = g3 = g and aC1 = C2 = C3 = C, routine
analysis of the circuit given in Fig. 1 yields the following state equations:
$$
\begin{aligned}
\dot{V}_x &= -f_0 V_y \\
\dot{V}_y &= -f_0 V_z \\
\dot{V}_z &= a f_0\,(-V_x + V_y - V_z + V_R \operatorname{sgn}(V_x))
\end{aligned}
\tag{2}
$$
where f0 = g/C and VR is a reference voltage. Prototype ICs have been designed and fabricated by
using HHNEC’s 0.25 µm eFlash process with a supply voltage of 2.5 V. The transistor aspect ratios are
stated in Table I as (W: µm / L: µm) and the three on-chip Nwell capacitor values are: C1 = 11.3 pF,
C2 = C3 = C = 8.6 pF for a = 0.761. The transconductance value g of a typical transconductor Gm,
which consists of only two transistors such as P1 and N1, was obtained by using HspiceD simulation
and the model of HHNEC’s 0.25 µm eFlash technology, where g = Ioutput/Vinput = 540 µ(1/Ω). Therefore the
center operation frequency of the chaotic oscillator, ω0 = f0/(2π) = 1/(2πτ), corresponding to the time
constant τ where τ = C/g = 8.6p/540µ = 15.926 nsec, is adjusted to ≈ 10 MHz.
Fig. 2. Observed chaotic waveform Vx.
Fig. 3. Experimental results of the chaotic attractor (X axis: Vx, Y axis: Vz).
Table I. Transistor aspect ratios of the double-scroll attractor.
Transistor                                           Aspect ratio W/L
N1, N2, N3, N4, N5, N6, N7, N8, N10, N11, N12        16/4.4
P1, P2, P3, P4, P5, P6, P7, P8, P10, P11, P12        16/1
P9                                                   6/0.25
N9                                                   1.5/0.25
The feasibility and correct operation of the chaotic oscillator have been experimentally verified, and
the observed chaotic waveform Vx and the observed attractor (corresponding to Vx against Vy) are
shown in Fig. 2 and Fig. 3, respectively. It should be noted that we were able to obtain experimental
results similar to the numerical analysis results given in [30, 31], both of which have the same
dynamics.
The chaotic oscillator circuit implemented as an IC offers some considerable advantages over the existing
ones. In comparison with the previous implementation of the double-scroll attractor circuit [25], where ω0
was 372 KHz, the presented implementation offers much higher bandwidth. The circuit exhibiting
double-scroll chaos has chaotic motion over a wide range of parameters; hence it offers better robustness
against parameter variations in comparison with the previous designs [20, 29]. Additionally, in
contrast to previous random number generation applications [11, 20, 29], the chaotic oscillator circuit
utilized in this paper is an RC design and does not contain inductors; consequently the core of the TRNG
is more secure against side channel attack.
Considering that the necessary conditions for exhibiting chaos in an autonomous system are at least
three energy storage components and one nonlinearity [21], the double-scroll attractor circuit consists of
as few components as possible, and is realized in IC by using MOS transistors and three grounded
capacitors. In conclusion, due to the absence of large blocks, the core chaotic circuit is a simple and
area-efficient design using a low supply voltage. These features make it suitable for
portable devices in a practical broadband TRNG application.
2.3 Entropy source of TRNGs
In contrast to previous RNG designs [10, 11, 30, 31], where deterministic chaos itself was pointed
out as the source of randomness, this work analyzes the effect of noise on the chaotic trajectories and
addresses it as the nondeterministic entropy source of a chaos-based RNG. The initial values of the voltages
and currents of the circuit components used to realize a chaotic system are definitely random. Starting
from a random initial condition, the chaotic trajectory, which also contains a nondeterministic component
consisting of thermal and shot noise generated by circuit components, alters exponentially.
In the first method introduced in this paper, random numbers are generated by regular
sampling of the chaotic waveform Vx (see Fig. 11 in Section 3.1), whereas in the second one, besides Vx, the
other chaotic waveform Vz is used to realize the sampling clock (see Fig. 12 in Section 3.1). In order to
address security issues and the unpredictability of the generators, the effects of the equivalent noise on
both chaotic waveforms Vx and Vz are analyzed.
Fig. 4. Equivalent noise at node Vx, generated by circuit components.
Fig. 5. Equivalent noise at node Vz, generated by circuit components.
AC responses of the circuits, which limit the frequency bandwidths (fC) of the nodes Vx and Vz,
are obtained by using HspiceD simulation, where fC are determined as 42.4 MHz and 32.3 MHz,
respectively. The equivalent noise generated by the RNG core at node Vx is shown in Fig. 4, which results in a
Vnoise(x) = 53 mVrms noise voltage on Vx under the given bandwidth, whereas the corresponding result for
node Vz is given in Fig. 5, which indicates a Vnoise(z) = 28.6 mVrms noise voltage on Vz.
Instead of amplifying Vnoise(x) and Vnoise(z), which also limits the bandwidths, the positive
Lyapunov exponent makes the chaotic system starting at Vx(0) ± 53 mVrms and Vz(0) ± 28.6 mVrms
end up with completely different outputs. The initial values of the capacitor (C1, C2 and C3) voltages are
regarded as random in the literature. The chaotic trajectory, which starts from a random initial
condition and contains a non-deterministic component consisting of Vnoise(x) and Vnoise(z), alters
exponentially.
Fig. 6. Transient analysis results which show the effect of equivalent noise on chaotic waveform Vx.
Fig. 7. Transient analysis results which show the effect of equivalent noise on chaotic waveform Vz.
The transient analysis results are depicted in Fig. 6 and Fig. 7, which show the effects of the equivalent
noise voltages Vnoise(x) (−53 mV ≤ Vnoise(x) ≤ +53 mV) and Vnoise(z) (−28.6 mV ≤ Vnoise(z) ≤
+28.6 mV) on the chaotic waveforms Vx and Vz, respectively. As shown in Fig. 6, from τx ≈ 280 ns on,
since Vnoise(x) is non-deterministic, the chaotic waveform Vx ends up with a completely different output and
hence the bit stream generated by regular or chaotic sampling of Vx becomes non-deterministic. Similarly,
as shown in Fig. 7, from τy ≈ 700 ns on, since Vnoise(z) is non-deterministic besides Vx, the chaotic waveform
Vz (used to determine sampling times) and hence the bit stream generation become non-deterministic.
It should be noted that Fig. 6 and Fig. 7 only show the effects of noise applied to the chaotic
waveforms at τ = 0, whereas noise actually affects the chaotic trajectory continuously. The inclusion of the equivalent
noise Vnoise(x) and Vnoise(z) generated by circuit components renders the generated bit streams
unpredictable, thereby qualifying the proposed number generators to be used as truly random sources. In
turn, such results would then mathematically help to prove the unpredictability and true random behavior
of chaos-based RNGs.
3. Random number generation
Due to their dynamics & nonlinearity properties and sensitivity to initial conditions, having a positive
Lyapunov exponent [12], a noise-like power spectrum, and exhibiting very irregular and aperiodic
behaviors which make them unpredictable [22], chaotic systems lend themselves to be exploited for
random number generation.
In order to obtain random binary data from a continuous-time chaotic system, we introduce two
techniques, which rely on generating non-invertible binary data from the waveform of the
continuous-time chaotic oscillator. It should be noted that non-invertibility is a key feature for generating random
numbers [27].
The methods introduced in this paper for random number generation are grouped into two main
categories depending on the sampling times and the sampled signal, namely, regular sampling of chaotic
waveform and chaotic sampling of chaotic waveform, both of which consider the distribution of sampled
chaotic waveforms. In these methods, binary random bits are generated from an autonomous chaotic
oscillator (for example, from the double-scroll chaotic oscillator by the numerical integration of Eq. (1))
or a non-autonomous chaotic oscillator by using:
• Regular samples of the state x, y, or z obtained at the rising edges of an external periodical
signal, that is, at times t satisfying wt mod 2π = 0 where w is the frequency of the periodical
signal. This implemented technique corresponds to regular sampling of chaotic waveform.
• Samples of the state x, y, or z from the one-dimensional section obtained at the status transition
determined by a linear combination of system states (f(x, y, z) defined as f(x, y, z) = sThreshold
with df(x, y, z)/dt > 0 or df(x, y, z)/dt < 0, where sThreshold is a threshold value). This method
corresponds to chaotic sampling of chaotic waveform, where the exploited one-dimensional
section is called a Poincare section [12].
In the event of using a non-autonomous chaotic oscillator as the core of the RNG design [20], where
an external signal is readily available in the system:
• A one-dimensional section of one of the states, obtained at the rising edges of the external periodical
pulse signal (at times t satisfying wt mod 2π = t0 where w is the frequency of the pulse signal
and 0 ≤ t0 ≤ 1) used to drive the non-autonomous chaotic oscillator, can also be exploited to obtain
binary random bits. This technique corresponds to regular sampling of chaotic waveform,
while the one-dimensional section mentioned above is called a stroboscopic Poincare section [12].
Note that, although 3−dimensional trajectories in the x−y−z (or n−dimensional trajectories in
the x1−x2− ...−xn) plane may be invertible, one may obtain a non-invertible section by considering
only the values corresponding to one of the states, say x.
We do not know much about an irregular signal used to generate random numbers other than its distribution.
First, x values were numerically generated from all of the sections used in the methods mentioned
above, and the distributions of the sampled values were examined to determine appropriate sections
where the distributions look like a random signal. Although we could not find sections whose x
values have a single normal or χ² distribution [2] for different sets of parameters, we determined various
sections where the distribution of x has at least two regions. For an appropriate set of parameters, the
two-regional distribution of the state x looks like the one given in Fig. 8.
Fig. 8. A sample distribution of x having two-regions.
The distribution of x having two regions suggests generating random binary data from regional x
values for regional thresholds. Following this direction, we have generated the binary data S(top)i and
S(bottom)i from the 1-dimensional sections according to the following equation:
$$
\begin{aligned}
S_{(top)i} &= \operatorname{sgn}(x_i - q_{top}) \quad \text{when } x_i \ge q_{middle} \\
S_{(bottom)i} &= \operatorname{sgn}(x_i - q_{bottom}) \quad \text{when } x_i < q_{middle}
\end{aligned}
\tag{3}
$$
where sgn(.) is the signum function, xi’s are the values of x obtained from one of the above
defined sections, qtop and qbottom are appropriately chosen thresholds for the top and bottom distributions,
respectively, and qmiddle is the boundary between the distributions. To be able to choose the thresholds
appropriately, we examined the distributions of Stop and Sbottom. For the proposed methods, qtop and
qbottom were determined as the medians of the top and bottom distributions as shown in Fig. 8.
It should be noted that the binary sequence thus obtained does not depend much
on the qmiddle value, because at this boundary value the distribution density of x is at its minimum. However, the
distribution density of x at the threshold values (qtop, qbottom) is at its maximum; therefore the binary sequence
obtained for inaccurate thresholds may be biased. In order to remove the unknown bias in this
sequence, the well-known Von Neumann de-skewing technique [28] can be employed. This technique
consists of converting the bit pair 01 into the output 0, 10 into the output 1, and of discarding the bit
pairs 00 and 11. However, this technique decreases throughput because it generates approximately
1 bit from 4 bits.
As an alternative to Von Neumann processing, an XOR (⊗: exclusive-or) corrector was exploited
to generate the output bit stream from the two regions. The potential problem with the exclusive-or
method is that a small amount of correlation between the input bits will add significant bias to the
output [3]. The correlation coefficients between the generated bit streams Stop and Sbottom obtained
from the above defined sections are calculated to be very close to 0, which indicates that the generated
bit streams are independent. This was, in fact, expected, as chaotic systems are characterized
by having a positive Lyapunov exponent, and the auto-correlation of the chaotic time-series vanishes
abruptly [23]. According to this result, we have generated the new binary output S(xor)i by using
Eq. (4):
$$
S_{(xor)i} = S_{(top)i} \otimes S_{(bottom)i} \tag{4}
$$
It is noteworthy that the XOR corrector is not a sophisticated post-processor [8] but a minor
operation which sensibly combines the top and the bottom streams generated from two regions which
were separated according to the distribution of the underlying chaotic signal. The mean value ψ of the
binary sequence Sxor thus obtained can be calculated by Eq. (5):
$$
\psi = \frac{1}{2} - 2\left(\mu - \frac{1}{2}\right)\left(\nu - \frac{1}{2}\right) - \frac{1}{2}\rho \tag{5}
$$
where µ is the mean value of Stop, ν is the mean value of Sbottom and ρ is the correlation coefficient
between the bit streams Stop and Sbottom. Therefore, values of µ and ν closer to 1/2 result in a value of ψ
even closer to 1/2, and that provides an unbiased random bit stream at the output. In practice, the existence
of the positive Lyapunov exponent guarantees that the chaotic trajectories, and hence the generated bit
pairs both S(top)i − S(bottom)i and S(xor)i − S(xor)i+1, remain uncorrelated [24].
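The two correctors discussed above can be compared on constructed data. The following is an added example, not code from the paper: the input streams are synthetic biased coin flips (the probabilities, seed and the `copy_prob` knob used to inject correlation are assumptions), and it checks the measured mean of the XOR output against Eq. (5).

```python
import random
from math import sqrt


def von_neumann(bits):
    """Von Neumann de-skewing: pair 01 -> 0, pair 10 -> 1, pairs 00 and 11 dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def xor_corrector(s_top, s_bottom):
    """Eq. (4): bitwise exclusive-or of the two regional streams."""
    return [a ^ b for a, b in zip(s_top, s_bottom)]


def mean(bits):
    return sum(bits) / len(bits)


def correlation(x, y):
    """Correlation coefficient rho between two equally long bit streams."""
    mx, my = mean(x), mean(y)
    cov = sum(a & b for a, b in zip(x, y)) / len(x) - mx * my
    return cov / sqrt(mx * (1 - mx) * my * (1 - my))


def eq5_mean(mu, nu, rho):
    """Mean of the XOR output as predicted by Eq. (5)."""
    return 0.5 - 2 * (mu - 0.5) * (nu - 0.5) - 0.5 * rho


def compare_correctors(n=20000, p_top=0.55, p_bottom=0.45, copy_prob=0.0, seed=2011):
    """Constructed input: two biased streams; with probability copy_prob a
    bottom bit is a copy of the top bit, which injects correlation."""
    rng = random.Random(seed)
    s_top, s_bottom = [], []
    for _ in range(n):
        t = 1 if rng.random() < p_top else 0
        if rng.random() < copy_prob:
            b = t
        else:
            b = 1 if rng.random() < p_bottom else 0
        s_top.append(t)
        s_bottom.append(b)
    s_xor = xor_corrector(s_top, s_bottom)
    s_vn = von_neumann(s_top)
    mu, nu, rho = mean(s_top), mean(s_bottom), correlation(s_top, s_bottom)
    return {
        "mu": mu, "nu": nu, "rho": rho,
        "xor_mean": mean(s_xor),               # measured mean of S_xor
        "eq5_mean": eq5_mean(mu, nu, rho),     # Eq. (5) prediction
        "xor_rate": len(s_xor) / n,            # output bits per input pair of bits
        "vn_mean": mean(s_vn),
        "vn_rate": len(s_vn) / n,              # about 1 output bit per 4 input bits
    }


if __name__ == "__main__":
    for label, kwargs in (("independent, biased", {}),
                          ("unbiased, correlated",
                           {"p_top": 0.5, "p_bottom": 0.5, "copy_prob": 0.1})):
        print(label)
        for key, value in compare_correctors(**kwargs).items():
            print(f"  {key:9s} {value:.4f}")
```

The second case shows the caveat stated above: with unbiased inputs and a correlation of about 0.1, the XOR output mean moves to about 0.45, as Eq. (5) predicts.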
Using the above procedure, unbiased and uncorrelated bit sequences Sxor’s have been obtained for
the proposed methods, from regional x values calculated by the numerical integration of Eq. (1). Then
these bit sequences are subjected to the four tests (monobit, poker, runs and long-run) of the FIPS-140-2
test suite.
As a result, it has been numerically verified that the binary sequences Sxor’s generated by the proposed
methods passed the four basic tests of the FIPS-140-2 test suite without post-processing for the
appropriate threshold values. Finally, we have also experimentally verified that the bit streams obtained
from the chip implementation of the circuits in the same way passed the full NIST-800-22 test suite
without any further post-processing. Experimental results, verifying the feasibility of the circuits, are
given.
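A small numerical model of the regular-sampling procedure, given as an added example and not the authors' own code: it integrates Eq. (1) with a fixed-step Runge-Kutta scheme, samples x at a fixed period, and applies Eq. (3) and Eq. (4). The step size, sampling period, start state, q_middle = 0 (taken from the symmetry of Eq. (1)), the mapping of sgn(.) to bits 1/0, and the pairing of the i-th top bit with the i-th bottom bit for the XOR are assumptions.

```python
import statistics

A = 0.761  # value of the parameter a quoted on the page for the fabricated chip


def f(x, y, z, a=A):
    """Right-hand side of Eq. (1); sgn(0) is taken as +1 (assumption)."""
    return -y, -z, a * (-x + y - z + (1.0 if x >= 0 else -1.0))


def rk4_step(x, y, z, dt):
    """One fourth-order Runge-Kutta step of Eq. (1)."""
    k1 = f(x, y, z)
    k2 = f(x + 0.5 * dt * k1[0], y + 0.5 * dt * k1[1], z + 0.5 * dt * k1[2])
    k3 = f(x + 0.5 * dt * k2[0], y + 0.5 * dt * k2[1], z + 0.5 * dt * k2[2])
    k4 = f(x + dt * k3[0], y + dt * k3[1], z + dt * k3[2])
    return (x + dt * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]) / 6,
            y + dt * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]) / 6,
            z + dt * (k1[2] + 2 * k2[2] + 2 * k3[2] + k4[2]) / 6)


def regular_samples(n, sample_period=8.0, dt=0.05,
                    start=(0.1, 0.0, 0.0), settle=500.0):
    """Regular sampling: record x every sample_period units of normalized time."""
    x, y, z = start
    for _ in range(round(settle / dt)):       # discard the start-up transient
        x, y, z = rk4_step(x, y, z, dt)
    steps_per_sample = round(sample_period / dt)
    xs = []
    for _ in range(n):
        for _ in range(steps_per_sample):
            x, y, z = rk4_step(x, y, z, dt)
        xs.append(x)
    return xs


def regional_bits(xs, q_middle=0.0):
    """Eq. (3) and Eq. (4): split samples at q_middle, threshold each region
    at its own median, then XOR the two regional streams bit by bit."""
    top = [x for x in xs if x >= q_middle]
    bottom = [x for x in xs if x < q_middle]
    q_top = statistics.median(top)
    q_bottom = statistics.median(bottom)
    s_top = [1 if x >= q_top else 0 for x in top]
    s_bottom = [1 if x >= q_bottom else 0 for x in bottom]
    s_xor = [a ^ b for a, b in zip(s_top, s_bottom)]
    return {"q_top": q_top, "q_bottom": q_bottom,
            "s_top": s_top, "s_bottom": s_bottom, "s_xor": s_xor}


if __name__ == "__main__":
    samples = regular_samples(2000)
    result = regional_bits(samples)
    print("x range      :", min(samples), max(samples))
    print("q_top        :", result["q_top"])
    print("q_bottom     :", result["q_bottom"])
    print("top / bottom :", len(result["s_top"]), len(result["s_bottom"]))
    print("ones in S_xor:", sum(result["s_xor"]), "of", len(result["s_xor"]))
```

Because the thresholds are the regional medians, each regional stream is balanced by construction; the XOR output is what should then be fed to the statistical tests.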
3.1 Experimental results
Generating binary random bits using a double-scroll chaotic oscillator is already known from the prior art
document [10]. The problem to be solved by this paper is to provide alternative
implementations suitable for a double-scroll chaotic oscillator. Note that the key feature of the double-scroll
chaotic oscillator utilized as the core of the TRNGs is having distributions with two regions. Furthermore,
the solutions have some other technical advantages. For instance, although the proposed TRNG circuits
are capable of passing randomness tests without compensation circuits, they allow for the feedback
method using the mono-bit and runs tests of the FIPS-140-2 test suite for bias and correlation removal,
as will be described.
Fig. 9. Layout of the proposed TRNGs.
Fig. 10. Die photo of the IC TRNGs.
In order to verify the feasibility and the correct operation of the proposed TRNGs, prototype
integrated circuits have been designed and fabricated as shown in Fig. 9 and Fig. 10, respectively.
According to the procedures explained in Section 3, random bits have been generated by using both
methods from non-invertible maps where only the chaotic waveform Vx, which corresponds to the
variable x, is sampled. In order to implement these procedures, the circuits whose block diagrams are
depicted in Fig. 11 and Fig. 12 are used.
Fig. 11. Regional random number generation based on regular sampling of chaotic waveform.
An FPGA based hardware was designed, due to its flexibility while prototyping, to upload the binary
data to the computer. Designed hardware has a PCI-e interface where the maximum data storage
rate is 240 Mbps. In the given block diagrams, compensation circuits including digital to analog
converters (DACs) are the off-chip elements. Offset compensation for Vtop and Vbottom thresholds,
frequency compensation and exclusive-or operation are also implemented inside the FPGA. It should
be noted that, FPGA implemented circuits and DACs can also be implemented in ICs and fully
integrated TRNGs will provide more robustness against external attacks.
In the ICs, the comparators shown in the block diagrams are implemented by using a simple structure
consisting of ten transistors. The thresholds of these comparators are controlled off-chip, allowing possible
tuning of their values. Voltage levels applied to the Vtop, Vmiddle and Vbottom nodes are used to realize the
thresholds in Eq. (3), where Vtop and Vbottom are generated by two 12-bit voltage-mode DACs. The
voltage reference of the DACs is 2.4 V, which allows each threshold to be adjusted in 0.586 mV steps. In
implementation, Eq. (3) and Eq. (4) transform into:
$$
\begin{aligned}
S_{(top)i} &= \operatorname{sgn}(V_{xi} - V_{top}) \quad \text{when } V_{xi} \ge V_{middle} \\
S_{(bottom)i} &= \operatorname{sgn}(V_{xi} - V_{bottom}) \quad \text{when } V_{xi} < V_{middle} \\
S_{(xor)i} &= S_{(top)i} \otimes S_{(bottom)i}
\end{aligned}
\tag{6}
$$
Fig. 12. Regional random number generation based on chaotic sampling of chaotic waveform.
Offset compensations of the Vtop and Vbottom thresholds are realized by implementing the monobit test of
the FIPS-140-2 test suite for the Stop and Sbottom binary sequences. For each sequence, bit streams of length
20000 bits are acquired; if the number of 0's > 10275 then the corresponding threshold is decreased, and
if the number of 0's < 9725 then the corresponding threshold is increased.
We do not know much about an irregular signal used to generate random numbers other than its frequency
spectrum, which allows us to determine its appropriate sampling frequency. To adjust this frequency
for Vx, a pre-scaler is implemented inside the FPGA, which is used to divide the frequency of Vp(t) or
of the output of the Vz comparator by its pre-scaler value.
Fig. 13. Autocorrelation function of a band-limited noise signal.
In Fig. 13, absolute values of autocorrelation function of a band-limited noise signal, which has a flat
power spectral density up to B, is depicted. As shown in the given figure, average correlation decreases
as the sampling period τ increases while sampled signals become uncorrelated for fsampling = 2B/k,
where k is a positive integer.
This result indicates that the appropriate sampling frequency for the regular sampling method should be
2B/k, while the appropriate center frequency of sampling for the chaotic sampling method should be around
this value. Following this direction, in order to determine the sampling frequency and set the initial value
of the pre-scaler appropriately, the frequency spectrum of Vx illustrated in Fig. 14 is examined in a
prototype IC.
As shown in the given figure, the chaotic signal Vx has a noise-like power spectrum. The center frequency
of the chaotic oscillator is indicated by the solid marker set at 11.6 MHz. Up to the dashed marker set
at 2.6 MHz, the region in which the power spectrum is flat, the chaotic signal Vx contains all frequencies
in equal amounts and the power spectral density is at its maximum. Hence, without loss of generality,
Vx(t) and Vx(t + t0) can be considered as uncorrelated for all t0 ≠ 0 and Vx can be sampled up to 2B
as a random source, where B is indicated by the dashed marker. Finally, the initial value of the pre-scaler
is determined by dividing the frequency of Vp(t) or of the output of the Vz comparator by 2B.
Fig. 14. Frequency spectrum of Vx.
Frequency compensation loops are implemented by applying the runs test of the FIPS-140-2 test suite to
the Sxor binary sequences. If 3 Sxor bit streams of length 20000 bits which are acquired in sequence fail
the runs test, which indicates oversampling of Vx, then the sampling frequency of Vx is scaled down by
increasing the pre-scaler value. After offset & frequency compensation and the exclusive-or operation, in
order to ensure that the proposed TRNG circuits are capable of passing randomness tests without
compensation, the candidate random numbers are acquired for the appropriate threshold and
pre-scaler values with compensations deactivated and are uploaded to the computer through the PCI-e
interface.
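The two feedback rules described above (monobit-driven offset compensation and runs-test-driven frequency compensation) can be exercised in software. This is an added example, not the FPGA logic from the paper: the analog core is replaced by a constructed single-comparator source (`ToySource`, Gaussian AR(1) noise whose correlation falls as the pre-scaler grows), and the run-length intervals are the FIPS 140-2 Change Notice 1 values, which should be checked against the standard before reuse.

```python
import math
import random

BLOCK = 20000              # block length used by both compensation loops
DAC_STEP = 2.4 / 4096      # 12-bit DAC on a 2.4 V reference: about 0.586 mV
# Allowed run counts (per bit value) for run lengths 1..5 and 6+;
# FIPS 140-2 Change Notice 1 values, to be checked against the standard.
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}


def zeros_in(bits):
    return len(bits) - sum(bits)


def runs_test(bits):
    """True when every run-length count of zeros and of ones is in range."""
    counts = {0: [0] * 7, 1: [0] * 7}
    value, length = bits[0], 0
    for b in bits:
        if b == value:
            length += 1
        else:
            counts[value][min(length, 6)] += 1
            value, length = b, 1
    counts[value][min(length, 6)] += 1
    return all(lo <= counts[v][k] <= hi
               for v in (0, 1) for k, (lo, hi) in RUN_LIMITS.items())


class ToySource:
    """Constructed stand-in for one comparator input: Gaussian AR(1) noise
    centred on `centre` volts. Taking every `prescaler`-th tick leaves a
    sample-to-sample correlation of alpha ** prescaler."""

    def __init__(self, seed=1, alpha=0.5, centre=1.15, sigma=0.1):
        self.rng = random.Random(seed)
        self.alpha, self.centre, self.sigma = alpha, centre, sigma
        self.state = 0.0

    def block(self, threshold, prescaler, n=BLOCK):
        r = self.alpha ** prescaler
        s = math.sqrt(1.0 - r * r)
        bits = []
        for _ in range(n):
            self.state = r * self.state + s * self.rng.gauss(0.0, 1.0)
            v = self.centre + self.sigma * self.state
            bits.append(1 if v >= threshold else 0)
        return bits


def offset_compensate(src, threshold, prescaler, max_blocks=100):
    """Monobit rule: too many zeros lowers the threshold, too few raises it."""
    for _ in range(max_blocks):
        zeros = zeros_in(src.block(threshold, prescaler))
        if zeros > 10275:
            threshold -= DAC_STEP
        elif zeros < 9725:
            threshold += DAC_STEP
        else:
            return threshold, zeros
    raise RuntimeError("offset loop did not settle")


def frequency_compensate(src, threshold, prescaler, blocks=30):
    """Runs rule: three consecutive failing blocks increase the pre-scaler."""
    fails = 0
    for _ in range(blocks):
        if runs_test(src.block(threshold, prescaler)):
            fails = 0
        else:
            fails += 1
            if fails == 3:
                prescaler, fails = prescaler + 1, 0
    return prescaler


def compensate(seed=1, threshold=1.16, prescaler=1):
    src = ToySource(seed)
    threshold, zeros = offset_compensate(src, threshold, prescaler)
    prescaler = frequency_compensate(src, threshold, prescaler)
    return {"threshold": threshold, "zeros": zeros, "prescaler": prescaler}


if __name__ == "__main__":
    print(compensate())
```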
The compensation circuits may be considered quite complex, and another randomness extraction
mechanism, such as applying post-processing techniques [2], may also be recommended to improve
the statistical properties of the TRNG output. However, most post-processing techniques are
blindly applied to the raw sequence without considering its underlying source, where the only guarantee
of correct behavior is the high entropy of the source. In this paper, the distribution and frequency
spectrum of the underlying entropy source are sensibly examined, and de-skewing & de-correlating of the
proposed TRNG designs were accomplished by employing properly constructed compensation circuits
instead of post-processing techniques, the ability of which to extract the full entropy of the source
has not been explicitly proven.
3.1.1 Regular sampling of chaotic waveform
As shown in the block diagram depicted in Fig. 11, the random binary sequence SRSC is generated
by sampling and storing the output of the comparators at the rising edge of the external periodical
square-wave generator Vp(t). According to the procedure explained in Section 3, the distribution
of the chaotic waveform Vx is examined first; the resultant distribution of Vx obtained at the rising
edge of Vp(t) is shown in Fig. 15.
Fig. 15. Histogram of Vx obtained at the rising edge of Vp(t).
To be able to determine initial values of the thresholds appropriately, similarly to numerical bit
generation, top and bottom distributions are examined. Then, initial values of Vtop and Vbottom are
determined as 1.35V and 0.95V, respectively, while Vmiddle is determined as 1.15V.
As described by using Fig. 13, Vx(t) and Vx(t + t0) can be considered as uncorrelated for
fsampling = 1/t0 = 5.2MHz/k, which shows us the appropriate initial value of the pre-scaler as 30, while
the frequency of Vp(t) is 156MHz. After pre-scaler and threshold values become stable at appropriate
values, a bit stream of length 220 MBits is acquired according to Eq. (6) without offset & frequency
compensation. The pre-scaler value, the initial value of which was determined as 30, became stable at 90.
If necessary, the sampling frequency can be scaled up externally through the PCI-e interface. The acquired
bit stream is uploaded to the computer and subjected to the NIST 800-22 test suite.
As a result, we have experimentally verified that bit sequence SRSC passed the tests of the full NIST
800-22 test suite without post processing. Results for the uniformity of P-values and the proportion
of passing sequences of the TRNG circuit based on regular sampling of chaotic waveform are given in
Table II, where the P-value (0 ≤ P-value ≤ 1) is a real number estimating the probability that a perfect
RNG would have produced a sequence less random than the given sequence. It is reported that, for
a sample size of 223 × 1MBits, the minimum pass rate for each statistical test with the exception of
the random excursion (variant) test is approximately 0.970011.
When the center frequency of the chaotic oscillator is ≈ 10MHz, the throughput data rate of SRSC
effectively becomes ((156MHz/90)/2) 867Kbps (recall that the pre-scaler value is 90) because of dividing Vx
into two regions according to distribution. The throughput data rate of SRSC can be generalized as
$$f_{RSC} = 867000\,\frac{\tau}{\tau_{new}}$$
where $\tau_{new} = C_{new}/g_{new}$.
STATISTICAL TESTS            SRSC Bit Sequence
                             P-Value     Proportion
Frequency                    0.231847    0.9865
Block Frequency              0.001941    0.9641
Cumulative Sums              0.441481    0.9865
Runs                         0.502426    0.9776
Longest Run                  0.458513    0.9955
Rank                         0.853653    1.0000
FFT                          0.318393    0.9865
Nonperiodic Templates        0.945849    1.0000
Overlapping Templates        0.875539    0.9865
Universal                    0.983229    0.9821
Apen                         0.016560    0.9865
Random Excursions            0.297391    1.0000
Random Excursions Variant    0.820696    1.0000
Serial                       0.493502    0.9865
Linear Complexity            0.689019    0.9910
Table II. Results of the NIST-800-22 test suite for TRNG based on regular sampling of chaotic waveform method.
3.1.2 Chaotic sampling of chaotic waveform
The same road map explained in Section 3 is also followed for the second TRNG, which is based on
chaotic sampling of chaotic waveform. As shown in the block diagram given in Fig. 12, to obtain
x values in the Poincare section defined as z(t) = 0 with dz/dt > 0, the voltage Vz, which corresponds to
the variable z, is compared with 1.15V, and on the rising edge of this comparator the output bit streams of
the other comparators are sampled and stored in binary format. After the exclusive-or operation, the random
binary sequence SCSC, which is generated by using Eq. (6), is uploaded to the computer through the
PCI-e interface.
According to the procedure applied in numerical random number generation, we examine the
distribution of Vx. As a result, an oscilloscope snapshot which shows the distribution of Vx obtained at
Vz(t) = 1.15V with dVz/dt > 0 is depicted in Fig. 16.
Fig. 16. Histogram of Vx obtained at Vz(t) = 1.15V with dVz/dt > 0.
To be able to determine the thresholds appropriately, as explained in Section 3, we examine the top
and bottom distributions. Then, Vtop and Vbottom are determined as 1.35V and 0.99V, respectively,
while Vmiddle is determined as 1.15V.
It has been experimentally verified by the frequency compensation that bit sequence SCSC, generated
by sampling the output of Vx comparators on the second rising edges of Vz comparator, passed
the tests of the full NIST 800-22 test suite. After pre-scaler and threshold values become stable, an SCSC bit
stream of length 105MBytes is acquired for the appropriate threshold values with offset and frequency
compensations deactivated, uploaded to the computer through the PCI interface and subjected to the test
suite of NIST-800-22.
In conclusion, we have experimentally verified that bit sequence SCSC, generated on the second
rising edges, passed the tests of the NIST 800-22 test suite without any further post processing. Test
results, which correspond to the P-values and the pass proportions of the TRNG circuit, are given in
Table III, where it is reported that, for a sample size of 146 × 1MBits, the minimum pass rate for each
statistical test with the exception of the random excursion (variant) test is approximately 0.965296.
As a result, the throughput data rate of SCSC effectively becomes 2516Kbps while the main frequency
of the chaotic oscillator is ≈ 10MHz. Similarly to the previous TRNG, the formula
$f_{CSC} = 2516000\,\tau/\tau_{new}$ can generalize the throughput rate of SCSC for a new τ value.
STATISTICAL TESTS            SCSC Bit Sequence
                             P-Value     Proportion
Frequency                    0.285628    0.9863
Block Frequency              0.223755    0.9726
Cumulative Sums              0.681642    0.9863
Runs                         0.696376    1.0000
Longest Run                  0.881013    1.0000
Rank                         0.781926    1.0000
FFT                          0.622249    0.9863
Nonperiodic Templates        0.911413    1.0000
Overlapping Templates        0.015444    0.9863
Universal                    0.112519    0.9795
Apen                         0.005586    0.9726
Random Excursions            0.534146    1.0000
Random Excursions Variant    0.764655    1.0000
Serial                       0.681642    0.9932
Linear Complexity            0.424193    0.9863
Table III. Results of the NIST-800-22 test suite for TRNG based on chaotic sampling of chaotic waveform method.
The effect of offset compensation for Stop in the SCSC binary sequence, which is similar both to the one for
Sbottom and to those of the SRSC binary sequence, is shown in Fig. 17. In spite of the fact that the initial values
of the thresholds are not adjusted appropriately, they reach and become stable at the medians of the top
and bottom distributions and provide binary sequences with mean values very close to 1/2 thanks to
compensation.
Fig. 17. The effect of offset compensation for Vtop.
To fulfill the requirements for secrecy of cryptographic applications, binary sequences need to satisfy
strict randomness criteria, such as being unpredictable, unbiased, independent of each other, and
identically distributed. Because it is impossible to give a hard proof of the true randomness of a binary
sequence, certain kinds of weaknesses in terms of usage for cryptography should be detected
using the tests described here. After the FPGA finishes performing the monobit and runs tests of the FIPS-140-2
test suite, the binary sequences assumed to be random are uploaded to the computer, and the test results are
read over the FPGA externally through the PCI-e interface and evaluated. If the results of these tests
are positive, the corresponding binary sequences uploaded to the computer should be transferred
to the “Random Number Pool” in the memory for applications in cryptography, while any failing
candidate random sequences should not be.
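The FIPS-140-2 checks used above, as an added example that is not the authors' FPGA logic: the monobit and runs tests gate 20000-bit blocks into the random number pool, and three consecutive runs-test failures raise the pre-scaler, as in the frequency compensation loop of Section 3. The intervals are those of the FIPS 140-2 statistical tests; `ToySource`, `corr_ticks`, `run_generator`, the seed and the pre-scaler step of 1 are assumptions made for illustration.

```python
import random

# FIPS 140-2 runs-test intervals for one 20000-bit block, keyed by run length
# (6 means "6 or longer"); the same bounds apply to runs of 0s and of 1s.
RUNS_INTERVALS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                  4: (240, 384), 5: (103, 209), 6: (103, 209)}
BLOCK_BITS = 20000

def monobit_test(bits):
    """FIPS 140-2 monobit test: the number of ones X must obey 9725 < X < 10275."""
    return 9725 < sum(bits) < 10275

def runs_test(bits):
    """True if every run-length count, for 0s and for 1s, lies in its interval."""
    counts = {(v, n): 0 for v in (0, 1) for n in RUNS_INTERVALS}
    run_val, run_len = bits[0], 0
    for b in list(bits) + [None]:              # the None sentinel flushes the last run
        if b == run_val:
            run_len += 1
        else:
            counts[(run_val, min(run_len, 6))] += 1
            run_val, run_len = b, 1
    return all(lo <= counts[(v, n)] <= hi
               for v in (0, 1) for n, (lo, hi) in RUNS_INTERVALS.items())

class ToySource:
    """Constructed stand-in for Vx: one fresh independent bit every corr_ticks ticks."""
    def __init__(self, corr_ticks, seed):
        self.corr_ticks, self.rng = corr_ticks, random.Random(seed)
        self.tick, self.index, self.bit = 0, -1, 0

    def sample_block(self, prescaler, n=BLOCK_BITS):
        out = []
        for _ in range(n):
            while self.index < self.tick // self.corr_ticks:   # source has moved on
                self.index, self.bit = self.index + 1, self.rng.getrandbits(1)
            out.append(self.bit)
            self.tick += prescaler                             # next sampling instant
        return out

def run_generator(source, prescaler, blocks, fail_limit=3, step=1):
    """Bump the pre-scaler after fail_limit consecutive runs-test failures and
    pool only the blocks that pass both tests. step=1 is an assumption."""
    pool, history, fails = [], [], 0
    for _ in range(blocks):
        block = source.sample_block(prescaler)
        runs_ok = runs_test(block)
        history.append((prescaler, runs_ok))
        if runs_ok and monobit_test(block):
            pool.append(block)                 # candidate enters the random number pool
        fails = 0 if runs_ok else fails + 1
        if fails == fail_limit:                # over-sampling: slow the sampler down
            prescaler, fails = prescaler + step, 0
    return prescaler, history, pool
```

With `corr_ticks=3` and a starting pre-scaler of 1, the loop rejects six over-sampled blocks and settles at a pre-scaler of 3, the same kind of drift as the move from 30 to 90 reported for the regular-sampling chip.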
In order to compare the throughput rates of the TRNGs introduced in this paper with the previous
design [10] based on the same double-scroll chaotic system, binary sequences are generated by
using numerical models. We have numerically verified that the throughput data rate of the RNG
method given in [10] is 1634 bits per 100000 unit normalized time while the throughput data rate
of SCSC is 7719 bits per 100000 unit normalized time, which thus offers approximately fivefold rate
expansion. Furthermore, the bit sequence obtained from the RNG method given in [10] can pass the
full test suite of Diehard with only Von Neumann processing and the sample bit sequence given at
http://www.esat.kuleuven.ac.be/∼mey/Ds2RbG/Ds2 -RbG.html fails in Block-frequency, Runs and
Apen tests of NIST 800-22 test suite.
In the proposed TRNGs, as described by the generalized formulas, ω0 basically determines the theoretical
limits of the throughput rates, which result in TRNG outputs in the order of a few Mbps for
ω0 ≈ 10MHz. However, note that chaotic circuits operating at much higher frequencies are reported
in the literature. For instance, Cadence simulation results of a chaotic circuit operating around 5.3GHz
are presented in [29], which offers throughput in the order of a few hundred Mbps. We can deduce
that such data rates, which are substantially higher than the throughput of RNGs available in the
literature, may render the proposed TRNGs exploiting continuous-time chaos attractive.
In contrast to the other chaos based RNGs reported in [10, 11, 29], both TRNG designs
proposed in this paper avoid the need for any post-processing, which significantly decreases the
throughput. Another disadvantage of the previous designs [10, 11, 29] is the inability to realize the necessary
offset compensation, which derives from the fact that, instead of raw bit sequences, processed sequences can
pass the statistical tests thanks to post-processing techniques.
As a result, in comparison with the previous RNGs [10, 11, 29], both IC TRNGs introduced in this
paper are enhanced architectures which feature much higher throughput rates, allow for compensation
and thus provide more robustness against external interference, parameter variations and tampering, and
fulfill the NIST-800-22 statistical test suite without further post-processing.
4. Conclusions
Two methods for random number generation based on a continuous-time chaotic oscillator are
introduced. We have also presented the designs of IC TRNGs based on these methods. The effect of noise
on the chaotic trajectories is also analyzed, the inclusion of which qualifies the proposed chaos based
generators to be used as a truly random source. Moreover, numerical models for the proposed designs
have been developed, leading to the realization of the TRNG circuits. Numerical and experimental results
presented in this paper not only verify the feasibility and the correct operation of the proposed
circuits, but also encourage their use for applications in cryptography. In comparison with
TRNGs based on the other common techniques, it is seen that TRNGs based on continuous-time
chaotic oscillators can offer much higher data rates without post-processing.
References
[1] B. Jun and P. Kocher, “The Intel random number generator,” Cryptography Research, Inc.
white paper prepared for Intel Corp. http://www.cryptography.com/ resources/whitepapers/
IntelRNG.pdf, April 1999.
[2] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press,
1996.
[3] B. Schneier, Applied Cryptography, 2nd edn., John Wiley & Sons, 1996.
[4] M. Bucci, L. Germani, R. Luzzi, P. Tommasino, A. Trifiletti, and M. Varanonuovo, “A high-
speed IC random-number source for SmartCard microcontrollers,” IEEE Trans. Circ. Syst. I,
vol. 50, no. 11, pp. 1373–1380, November 2003.
[5] M. Bucci, L. Germani, R. Luzzi, A. Trifiletti, and M. Varanonuovo, “A high speed oscillator-
based truly random number source for cryptographic applications on a SmartCard IC,” IEEE
Trans. Comput., vol. 52, pp. 403–409, April 2003.
[6] C.S. Petrie and J.A. Connelly, “A noise-based IC random number generator for applications in
cryptography,” IEEE Trans. Circ. Syst. I, vol. 47, no. 5, pp. 615–621, May 2000.
[7] T. Stojanovski and L. Kocarev, “Chaos-based random number generators-Part I: analysis,”
IEEE Trans. Circ. Syst. I, vol. 48, no. 3, pp. 281–288, March 2001.
[8] S. Callegari, R. Rovatti, and G. Setti, “Embeddable ADC-based true random number generator
for cryptographic applications exploiting nonlinear signal processing and chaos,” IEEE Trans.
on Signal Processing, vol. 53, no. 2, pp. 793–805, February 2005.
[9] T. Addabbo, M. Alioto, A. Fort, S. Rocchi, and V. Vignoli, “A feedback strategy to improve
the entropy of a chaos-based random bit generator,” IEEE Trans. Circ. Syst. I, vol. 53, no. 2,
pp. 326–337, February 2006.
[10] M.E. Yalcin, J.A.K. Suykens, and J. Vandewalle, “True random bit generation from a double
scroll attractor,” IEEE Trans. Circ. Syst. I, vol. 51, no. 7, pp. 1395–1404, 2004.
[11] S. Ergun and S. Ozoguz, “Truly random number generators based on a non-autonomous chaotic
oscillator,” Int. J. Electron. Commun., vol. 61, pp. 235–242, 2007.
[12] F. John, J.E. Marsden, and L. Sirovich, “Applied mathematical sciences,” Ithaca, vol. 42,
pp. 22–32, Fall 1985.
[13] National Institute of Standards and Technology, Security Requirements for Cryptographic
Modules, NIST, Boulder, CO, January 1994.
[14] National Institute of Standards and Technology, “A statistical test suite for random and
pseudo random number generators for cryptographic applications,” NIST 800-22, Available
at http://csrc.nist.gov/rng/SP800-22b.pdf, May 2001.
[15] A.S. Elwakil and M.P. Kennedy, “Construction of classes of circuit independent chaotic
oscillators using passive-only nonlinear devices,” IEEE Trans. Circ. Syst. I, vol. 48, pp. 289–307, 2001.
[16] A. Azzouz, R. Duhr, and M. Hasler, “Transition to chaos in a simple non-linear circuit driven
by a sinusoidal voltage source,” IEEE Trans. Circ. Syst. I, vol. 30, pp. 913–914, 1983.
[17] M. Delgado-Restituto and A. Rodriguez-Vazquez, “Integrated chaos generators,” Proc. of IEEE,
vol. 90, no. 5, pp. 747–767, May 2002.
[18] T. Matsumoto, L.O. Chua, and G.M. Komuro, “The double scroll,” IEEE Trans. Circ. Syst. I,
vol. CS-32, pp. 798–818, August 1985.
[19] A.G. Radwan, A.M. Soliman, and A.-L. El-Sedeek, “MOS realization of the double-scroll-like
chaotic equation,” IEEE Trans. Circ. Syst. I, vol. 50, no. 2, pp. 285–288, February 2003.
[20] S. Ergun and S. Ozoguz, “Truly random number generators based on non-autonomous
continuous-time chaos,” Int. J. Circ. Theor. Appl., pp. 1–24, 2008.
[21] M.W. Hirsch and S. Smale, Differential Equations, Dynamical Systems and Linear Algebra,
Academic, New York, 1974.
[22] R. Devaney, An Introduction to Chaotic Dynamical Systems, 2nd ed., Addison-Wesley,
Reading, MA, 1989.
[23] L. Young, “Entropy, Lyapunov exponents and Hausdorff dimension in differentiable dynamical
systems,” IEEE Trans. Circ. Syst. I, vol. 30, pp. 599–607, August 1983.
[24] A. Abel and W. Schwarz, “Chaos communications-principles, schemes, and system analysis,”
Proc. of IEEE, vol. 90, no. 5, pp. 691–710, May 2002.
[25] A.S. Elwakil, K.N. Salama, and M.P. Kennedy, “An equation for generating chaos and its
monolithic implementation,” Int. J. Bifurcation Chaos, vol. 12, no. 12, pp. 2885–2896, 2002.
[26] L.O. Chua, C.W. Wu, A. Huang, and G. Zhong, “A universal circuit for studying and generating
chaos-Part II: strange attractors,” IEEE Trans. Circ. Syst. I, vol. 40, pp. 745–761, October 1993.
[27] A. Shamir, “On the generation of cryptographically strong pseudorandom sequences,” ACM
Transactions on Computer systems, vol. 1, no. 1, pp. 38–44, 1983.
[28] J. Von Neumann, “Various techniques used in connection with random digits,” in National
Bureau of Standards, vol. 12, pp. 36–38, 1951.
[29] S. Ozoguz, A. S. Elwakil, and S. Ergun, “Cross-coupled chaotic oscillators and application to
random bit generation,” IEE Proc. Circ. Devices Syst., vol. 153, no. 5, pp. 506–510, October
2006.
[30] S. Ergun and S. Ozoguz, “Truly random number generators based on a double-scroll attractor,”
Proc. MWSCAS 2006, IEEE Int. Midwest Symposium on Circ. Syst., pp. 322–326, August 2006.
[31] S. Ergun and S. Ozoguz, “Compensated true random number generator based on a double-
scroll attractor,” Proc. Int. Symposium on Nonlinear Theory and its Applications (NOLTA
’06), pp. 391–394, September 2006.