91³Ô¹ÏÍø

True Random Number Generators for Heightened Security in Any SoC

Dana Neustadter, Sr. Product Marketing Manager, Synopsys

Introduction

The proliferation of connected devices and the evolving nature of attacks, breaches, and malware make the need for security in products and ecosystems more important than ever. True random numbers are at the heart of any secure system and their quality contributes to the security strength of designs. Many cryptographic operations require a source of random numbers, such as the creation of cipher keys and initial values for counters and protocol parameters. Weak or predictable random numbers open the door for attacks that can compromise keys, intercept data, and ultimately hack devices and their communication.

Designing True Random Number Generators (TRNGs) that provide consistently high-quality entropy across processes, temperature, voltage, and frequency variations is very complex. To help ensure the highest quality, international standards bodies have developed criteria to substantiate the truly random nature of TRNGs in a verifiable and statistically rigorous manner.

The article highlights the importance of TRNGs, describes their main components and characteristics, lists the specifications they need to adhere to, and provides a high-level introduction to Synopsys¡¯ DesignWare TRNG Security IP.

What is a TRNG and Why is It Important?

A TRNG is a function or device based on an unpredictable physical phenomenon, called an entropy source, that is designed to generate non-deterministic data (e.g., a succession of numbers) to seed security algorithms.

Connected devices are becoming part of everyday life and we expect them to operate correctly while protecting business and personal information. TRNGs are at the base of securing these devices as they are used to create and protect secrets and other sensitive information. They are part of a ¡°chain of trust¡± that needs to be established starting with the SoC, moving to the application layers and communication to the cloud. A chain of trust is only as strong as its weakest link.

Predictable random number generators (RNGs) open doors to many possible attacks that can hack devices and compromise data. To be effective, random numbers must be unpredictable, statistically independent (unrelated to any previously generated random numbers), uniformly distributed (equal probability for any number to be generated) and protected (Figure 1).

 

Figure 1: True random numbers are crucial for security

True random numbers are used for applications such as gaming, gambling, and in cryptography, where randomness is critically important. For example, many cryptographic algorithms and security protocols depend on keys and their strength is defined by the number of key bits that an attacker needs to determine before breaking a system. If keys are compromised, the security strength of the whole system is compromised. 

True random numbers are required in a variety of security scenarios:

  • Key generation for various algorithms (symmetric, asymmetric, MACs) and protocols (SSL/TLH, SSH, WiFi, LTE, IPsec, etc.)
  • Chip manufacturing (seeding device unique and platform keys)
  • Initial values (for encryption and MAC algorithms, TCP packet values, etc.)
  • Nonce generation and initial counter values for various cryptographic functions
  • Challenges used for protocol authentication exchanges
  • Randomization input for side channel countermeasure solutions for protecting against physical attacks

Standards for TRNGs

Several standards and certification associations are driving specifications and validation methods for TRNGs to define the guidelines for design and certification of truly random solutions. 

The US National Institute of Standards and Technology (NIST) agency has developed a set of NIST SP 800-90A/B/c standards (¡°c¡± is still in draft stage) to define the statistical-analysis criteria that an RNG must meet before being considered random enough for cryptographic applications. The German standards body, Bundesamt f¨¹r Sicherheit in der Informationstechnik (BSI), has long had a separate set of RNG standards (AIS 20/31). 

Both standards serve to weed out seemingly random generators that may appear to work but may have statistical flaws that could undermine the security of the system. However, while these standards give some high-level architecture guidelines, they do not specifically describe how to create a TRNG; only how to verify whether it works. The implementation details are left to the creativity of the designers, and therefore permits many alternative approaches. In all cases though, the TRNGs must meet the four criteria previously mentioned: they must be unpredictable, uniform, independent, and undiscoverable. 

 

Figure 2: RNG Standards ¨C NIST & BSI

In addition to the NIST SP 800-90A/B/c and BIS AIS 20-31 conformance tests, NIST has released a statistical test suite for random and pseudo-random number generators for cryptographic applications called NIST SP800-20. However, these tests are not sufficient to detect some weaknesses in random number generators and thus other tests have been designed to augment the randomization testing for TRNGs, including the Diehard and Dieharder suites. 

Certifications such as the US Federal Information Processing Standard (FIPS) 140-2 and recently released 140-3, Common Criteria (CC), and the Chinese Office of State Commercial Cryptography Administration (OSCCA), are meant to ensure that final products are fully compliant with the requirements stated in specifications. Specialized labs review the TRNG architecture, evaluate the randomness generation properties, test, and validate that the products are indeed proven for compliance.

TRNG 91³Ô¹ÏÍø

True randomness is very difficult to achieve. A properly constructed TRNG needs to harvest entropy from some form of random process (like the noise produced by current flowing in a transistor, or the time between radioactive decay events), and then condition the entropy signal to remove bias and whiten the spectrum of the resulting sequence of outputs. This process must be controlled for factors such as operating temperature, aging, susceptibility to electronic noise and upset, voltage variation, and operating frequency range. Without controlling these factors, the TRNG circuit could potentially be modified by outsiders attempting to influence its operation.

One example of an RNG architecture is to seed a cryptographic quality pseudorandom number generator (PRNG) with an unknown seed value and then use the PRNG for a period of time or to produce a quantity of random data. The PRNG will then be re-seeded and used again for a while, and so on. The seed for the PRNG should be a secret, random input derived from an ¡°entropy source¡± such as a high-quality TRNG.  

Synopsys has developed standards-compliant and certification-ready TRNGs that are applicable to any digital semiconductor device and are highly portable across any ASIC and most FPGA process technologies. The TRNGs have been widely deployed down to 5nm processes, are customer configurable, and support a variety of attractive features including wide system clock dynamic range, redundant and selectable number of internal seed generators, automatic and manual reseeding, output streams for side channel countermeasures, and various interfaces (memory mapped, serial and nonce which is suitable for HDCP 2.3 content protection modules):

  • The DesignWare? True Random Number Generator Core is classified as a Non-Deterministic Random Bit Generator (NRBG). The core contains an entropy source and whitening circuit that generates a uniformly distributed random sequence of bits. The output of the DesignWare TRNG can be used directly or to seed/reseed a NIST SP 800-90A approved Deterministic Random Bit Generator (DRBG), depending on the application. The random data generated by the DesignWare TRNG is intended to be statistically equivalent to a uniformly distributed noise. The circuit includes a seed generator that creates a non-deterministic random value to seed a PRNG.

 

Figure 3: DesignWare TRNG block diagram

  • The DesignWare True Random Number Generator Core for NIST SP 800-90c is fully compliant with NIST SPA800-90A/B/c and BSI AIS 20/31 specifications. It generates random numbers that are statistically equivalent to a uniformly distributed data stream. The core includes a NIST SP800-90B approved conditioning circuit with a compliant noise source and a NIST SP800-90A approved DRBG. The core supports high performance operations (3.2 Gbps at 500MHz) for generating random numbers that are intended to be statistically equivalent to a uniformly distributed data stream. When implemented in silicon, the DesignWare TRNG can meet the highest commercial and government standards and can support end-product certifications including FIPS 140-2 / 140-3, Common Criteria and OSCCA. 

The core has the option to include up to 8 virtual TRNGs which provides the ability to access random numbers securely between multiple users such as in a multi-core processor system. The IP also supports background raw noise collection to generate new entropy in the background and store it for the next seeding operation, thereby eliminating the wait time for the next reseeding.

 

Figure 4: DesignWare TRNG NIST SP800-90c block diagram

 

Conclusion

Connected devices and their communication need to be secured against evolving threats and attacks to protect ecosystems and valuable personal and business information. High quality TRNGs are a fundamental technology required to build a chain of trust in systems as many cryptographic algorithms for encryption/authentication and security protocols depend on true random numbers for generation of keys, challenges, initial values, and nonces. The overall security strength in systems and applications depends on the quality of the source of entropy that TRNGs provide. Flaws in random number generators can be used by attackers to compromise devices that are otherwise algorithmically secure. Synopsys has developed efficient TRNGs that are compliant with the NIST and AIS standards and can be certified in final products for certifications such FIPS 140-2 / 140-3, Common Criteria (CC), and China¡¯s OSCCA.

In addition to TRNGs, Synopsys provides a broad portfolio of highly integrated security IP solutions that use a common set of standards-based building blocks and security concepts to enable the most efficient silicon design and highest levels of security for a range of products in the mobile, automotive, digital home, IoT, and cloud computing markets.

Synopsys¡¯ highly configurable security IP solutions include hardware secure modules with Root of Trust, content protection, cryptography, and security protocol accelerators for integration into SoCs. These integrated solutions enable the heart of many security standards, supporting confidentiality, data integrity, user/system authentication, non-repudiation, and positive authorization. Combined, Synopsys¡¯ security IP solutions help prevent a wide range of evolving threats in connected devices such as theft, tampering, side channels attacks, malware and data breaches.

 

For more information: DesignWare True Random Number Generators