WO2006046240A2 - System, method and device of generating a random value - Google Patents


Publication number
WO2006046240A2
Authority
WO
WIPO (PCT)
Prior art keywords
subset
bits
bit
output
value corresponding
Prior art date
Application number
PCT/IL2005/001114
Other languages
French (fr)
Other versions
WO2006046240A3 (en
Inventor
Shay Gueron
Original Assignee
Discretix Technologies Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Discretix Technologies Ltd. filed Critical Discretix Technologies Ltd.
Publication of WO2006046240A2 publication Critical patent/WO2006046240A2/en
Publication of WO2006046240A3 publication Critical patent/WO2006046240A3/en


Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58Random or pseudo-random number generators
    • G06F7/582Pseudo-random number generators
    • G06F7/584Pseudo-random number generators using finite field arithmetic, e.g. using a linear feedback shift register

Definitions

  • the present invention relates to the field of random number generation.
  • a random number generator is a computational or physical device designed to generate a sequence of numbers that may be treated as random, e.g., an unpredictable sequence of statistically independent numbers. That is, knowledge of a previously generated number may not add knowledge regarding the next generated number.
  • One method of generating random values may rely on sampling an entropy source, as is known in the art, to generate a sequence of bits.
  • the entropy source may be based on a random natural process, the generated bits may be statistically biased or correlated. In order to improve the randomness of the generated bits, it may be desirable to apply an algorithm which may statistically reduce any bias or correlation between the input bits.
  • Some demonstrative embodiments of the present invention include a method, apparatus and system of generating a random number.
  • a device may include a distiller to receive a sequence of input bits, and to distil an output bit based on a comparison between one or more bits of a first subset of a set of the input bits and one or more bits of a second subset of the set.
  • the set may include, for example, the first and second subsets and a separation subset of one or more of the input bits to be discarded.
  • the number of bits in the first subset may be equal, for example, to the number of bits in the second subset.
  • the distiller may generate an output bit having a first value if the value corresponding to the first subset is bigger than the value corresponding to the second subset; and a second value if the value corresponding to the first subset is smaller than the value corresponding to the second subset.
  • the distiller may generate a signal identifying the set as an invalid set if the value corresponding to the first subset is equal to the value corresponding to the second subset.
  • the distiller may compare one or more sequences of at least one bit of the first subset to one or more sequences of at least one bit of the second subset, respectively.
  • each pair of consecutive bits of the first subset may be separated, for example, by 2*d bits of the separation subset and one bit of the second subset; and/or each pair of consecutive bits of the second subset may be separated, for example, by 2*d bits of the separation subset and one bit of the first subset.
  • the distiller may compare the first subset to the second subset by comparing a value corresponding to a bit of the first subset to a value corresponding to a respective bit of the second set. The distiller may also selectively generate an output bit having a value based on at least one of the value corresponding to the bit of the first subset and the value corresponding to the bit of the second set.
  • the distiller may determine a number of the input bits to be assigned to each of the first subset, the second subset, and/or the separation subset, e.g., based on a predetermined criterion corresponding to the output bits.
  • the criterion may correspond, for example, to a relation between a number of valid output bits distilled, and a number of sets of the input bits used for distilling the output bits.
  • the device may also include, for example, an estimator to estimate the relation.
  • the device may also include a controller to generate an oscillation length value based on a predetermined criterion corresponding to the output bits; a variable length oscillator to generate an oscillator signal having an oscillation frequency corresponding the oscillation length value; and/or a synchronizer to generate the input bits by sampling the oscillator signal.
  • the synchronizer may sample the oscillator signal in a first clock frequency, which may be different, for example, than a second clock frequency used by the controller.
  • FIG. 1 is a schematic diagram of a computing platform in accordance with some demonstrative embodiments of the present invention.
  • FIG. 2 is a schematic diagram of a random number generator in accordance with some demonstrative embodiments of the invention.
  • FIG. 3 is a schematic illustration of a circuitry configuration of a random number generator according to a demonstrative embodiment of the invention.
  • FIG. 4 is a schematic illustration of a variable length oscillator in accordance with some demonstrative embodiments of the invention.
  • FIG. 5 is a schematic illustration of a length selector in accordance with some demonstrative embodiments of the invention.
  • FIGs. 6A and 6B are schematic illustrations of two collectors, respectively, in accordance with two different demonstrative embodiments of the invention.
  • Some embodiments of the invention may be implemented, for example, using a machine-readable medium or article which may store an instruction or a set of instructions that, if executed by a machine (for example, by a processor and/or by other suitable machines), cause the machine to perform a method and/or operations in accordance with embodiments of the invention.
  • a machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware and/or software.
  • the machine-readable medium or article may include, for example, any suitable type of memory unit, memory device, memory article, memory medium, storage device, storage article, storage medium and/or storage unit, for example, memory, removable or non-removable media, erasable or non-erasable media, writeable or re-writeable media, digital or analog media, hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, various types of Digital Versatile Disks (DVDs), a tape, a cassette, or the like.
  • the instructions may include any suitable type of code, for example, source code, compiled code, interpreted code, executable code, static code, dynamic code, or the like, and may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language, e.g., C, C++, Java, BASIC, Pascal, Fortran, Cobol, assembly language, machine code, or the like.
  • FIG. 1 schematically illustrates a computing platform 100 according to some demonstrative embodiments of the invention.
  • computing platform 100 may be a portable device.
  • portable devices include mobile telephones, laptop and notebook computers, personal digital assistants (PDA), memory cards, memory units, and the like.
  • the computing platform may be a non-portable device, such as, for example, a desktop computer.
  • computing platform 100 may include a Random Number Generator (RNG) 102 to generate one or more output bits representing a value, e.g., a value intended to be substantially random, as described in detail below.
  • platform 100 may optionally include a processor 104, a memory 106, an output unit 108, an input unit 110, a network connection 112, and/or any other suitable hardware components and/or software components.
  • processor 104 may include a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microprocessor, a host processor, a plurality of processors, a controller, a chip, a microchip, or any other suitable multi-purpose or specific processor or controller.
  • Input unit 110 may include, for example, a keyboard, a mouse, a touch-pad, or other suitable pointing device or input device.
  • Output unit 108 may include, for example, a Cathode Ray Tube (CRT) monitor, a Liquid Crystal Display (LCD) monitor, or other suitable monitor or display unit.
  • Memory 106 may include, for example, a Random Access Memory (RAM), a Read Only Memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units.
  • Network connection 112 may be adapted to interact with a communication network, for example, a local area network (LAN), wide area network (WAN), or a global communication network, for example, the Internet.
  • the communication network may include a wireless communication network such as, for example, a wireless LAN (WLAN) communication network.
  • the communication network may include a cellular communication network, with platform 100 being, for example, a base station, a mobile station, or a cellular handset.
  • the cellular communication network may be a 3rd Generation Partnership Project (3GPP), such as, for example, Frequency Domain Duplexing (FDD), Global System for Mobile communications (GSM), Wideband Code Division Multiple Access (WCDMA) cellular communication network and the like.
  • the output bits generated by RNG 102 may be provided to processor 104, memory 106, output 108, and/or network connection 112.
  • processor 104 may process one or more of the output bits generated by RNG 102, e.g., as part of a decryption and/or encryption operation, as are known in the art.
  • one or more of the output bits of RNG 102 may be stored by memory 106.
  • Fig. 2 schematically illustrates a random number generator 200 according to some demonstrative embodiments of the invention.
  • random number generator 200 may perform the functionality of RNG 102 (Fig. 1).
  • RNG 200 may include two independent clock domains, e.g., clock domain 210 and clock domain 220.
  • Clock domains 210 and 220 may correspond to two clocks, e.g., corresponding to two separate clock crystals.
  • clock domain 210 may correspond to a real-time clock
  • clock domain 220 may correspond to a system clock associated with a processor, e.g., processor 104 of Fig. 1.
  • clock domains 210 and 220 may be asynchronous.
  • RNG 200 may include an entropy source (ES) 222 to generate a sequence of input bits 221, and a distiller 224 to selectively distil output bits 225 based on input bits 221, e.g., as described in detail below.
  • distiller 224 may receive input bits 221, and distil an output bit based on a comparison between one or more bits of a first subset of a set of input bits 221 and one or more bits of a second subset of the set.
  • the set may include, for example, the first and second subsets and a separation subset of one or more of input bits 221 to be discarded, e.g., as described below.
  • distiller 224 may distill each one of output bits 225 based on corresponding sets of input bits 221, each set including at least three bits, e.g., wherein one or more of the bits are assigned to the first subset, one or more of the bits are assigned to the second subset, and one or more of the bits are to be discarded.
  • each set may include 2n+w bits, wherein each one of the first and second subsets includes n bits, and the discarded subset includes w bits, e.g., as described below.
  • ES 222 and/or distiller 224 may operate in clock domain 220, e.g., as described in detail below.
  • RNG 200 may also include a quality estimator (QE) 228 associated with distiller 224.
  • QE 228 may monitor the operation of distiller 224 and provide feedback, e.g., for self-correction of the operation of distiller 224, as described in detail below.
  • distiller 224 may generate a validity signal 227 indicating whether an output bit 225 corresponding to bit 227 is valid, e.g., as described below.
  • Quality estimator 228 may utilize validity signal 227 to check, for example, whether ES 222 is operating within reference conditions.
  • QE 228 may estimate a relation between the number of valid output bits 225, and/or the number of invalid output bits 225; and the number of sets of input bits 221 used to produce the output bits.
  • QE 228 may produce an estimation signal 229, which may be used to adjust the behavior of distiller 224, e.g., as described in detail below.
  • ES 222 may include any suitable entropy source as is known in the art and may be implemented using digital or analog circuitry.
  • ES 222 may include an oscillator, e.g., as described below.
  • RNG 200 may optionally include a life detector 223 associated with ES 222, e.g., to receive and/or monitor bits 221, for example, to check that the oscillator is operating within prescribed bounds, e.g., not producing a constant output in generated bitstream 221.
  • RNG 200 may also include a collector 226 to collect the output bits 225 from the distiller 224.
  • Collector 226 may operate, for example, in clock domain 220.
  • Collector 226 may include, for example, a shift register (not shown), e.g., as is known in the art.
  • the shift register may include, for example, a linear feedback shift register (LFSR), a feedback with carry shift register (FCSR), a Galois shift register (GSR), or the like.
  • Collector 226 may generate, for example, a signal 230 representing a value ("the RNG output"), e.g., based on the output of the shift register, as explained in detail below with reference to Figs. 6A and 6B.
  • RNG 200 may also include an entropy source controller (ESC) 214, which may be able to modify the behavior of ES 222.
  • ESC 214 may be able to change the oscillation frequency of the oscillator, e.g., as described in detail below with reference to Fig. 4.
  • RNG 200 may further include a secondary entropy source (SES) 212 to generate a sequence of bits to provide input for the operation of ESC 214.
  • RNG 200 may optionally include a life detector 213 associated with SES 212, and/or a quality estimator 218 associated with ESC 214.
  • life detector 213 and/or quality estimator 218 may monitor the operation of SES 212 and/or ESC 214, respectively, and may produce an error signal if operation falls outside of prescribed bounds.
  • RNG 200 may be designed without one or more of SES 212, ESC 214, life detector 213, and/or QE 218, if appropriate.
  • SES 212, ESC 214, life detector 213, and/or QE 218 may operate in clock domain 210.
  • RNG 300 may perform the functionality of one or more components of RNG 200 of Fig. 2.
  • RNG 300 may include a first clock domain 310 (210) and a second clock domain 320 (220).
  • the first clock domain may include, for example, a secondary entropy source 312 (212), a life detector 313 (213), an entropy source controller 314 (214), and/or a quality estimator 318 (218).
  • the second clock domain may include, for example, an entropy source 322 (222), a life detector 323 (223), a distiller 324 (224), and/or a quality estimator 328 (228).
  • secondary entropy source (SES) 312 may include a ring oscillator 332, a clock divider 334, and/or a synchronizer 336.
  • Ring oscillator 332 may include, for example, a free running ring oscillator, e.g., as is known in the art, able to generate an oscillation signal 333.
  • Clock divider 334 may divide the frequency of signal 333, e.g., to produce a clock 335, e.g., a random and/or unstable clock, denoted RCLK.
  • clock divider 334 may include a toggle-flip-flop (T-FF) divider having a serial chain of toggle flip-flops, e.g., as is known in the art.
  • Synchronizer 336 may include, for example, a 3 D-FF synchronizer, having three digital flip-flops, as is known in the art.
  • synchronizer 336 may operate on an input bitstream, e.g., of a system clock 337, denoted SCLK.
  • synchronizer 336 may sample SCLK 337 according to RCLK 335, to produce an output bitstream 338. It will be appreciated that the sequence of bits generated by SES 312 in bitstream 318 may be hard to predict due to the difference between clock domains 335 and 337.
  • SES 312 may be optionally associated with life detector 313, which may monitor SES 312, e.g., by checking that SES 312 is not producing constant output.
  • life detector 313 may include one or more flip counters to count the number of flips in bitstream 318, e.g., within a given sequence of clock cycles. If the number of flips is outside of prescribed upper or lower bounds, life detector 313 may generate, for example, a warning signal 391.
  • ESC 314 may include a distiller 342 to distill one or more output bits 343 based on bitstream 338; and a length selector module 344 to produce a length selection signal 348 based on output bits 343, e.g., as described below.
  • length selection signal 348 may be used to control the oscillation frequency of an oscillator in ES 322, as explained in detail below with reference to Fig. 4.
  • distiller 342 may implement any suitable distilling method or algorithm designed to reduce bit bias and/or correlation, as is known in the art.
  • distiller 342 may implement the von Neumann algorithm, as is known in the art, to compare pairs of consecutive input bits, output the first bit of the pair if they are different, and discard both bits of the pair if they are the same.
  • distiller 342 may produce a validity signal 345 based on the comparisons of bits from bitstream 338, e.g., to indicate to length selector 344 whether output bits 343 may be used.
  • validity signal 345 may be provided to quality estimator 318.
  • distiller 342 may implement any other distilling method, e.g., the distilling method implemented by distiller 324, as described in detail below.
  • validity signal 345 may be utilized by quality estimator 318 to check that SES 312 is operating within prescribed operational bounds.
  • estimator 318 may estimate a relation between the number of valid and/or invalid output bits 343 produced by distiller 342 and the number of input bits 338 produced by SES 312.
  • Estimator 318 may then compare the estimated relation to a predetermined limit value.
  • quality estimator 318 may generate a warning signal 392, e.g., if the estimated relation is smaller than the limit value.
  • Warning signal 392 may be combined, for example, with warning signal 391, e.g., using a logical OR gate, to produce an error signal 393, e.g., if at least one of detector 313 and estimator 318 produce a warning.
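A software model of the monitoring path described above (flip-counting life detector, valid-ratio quality estimator, OR-combined error signal), added here as an illustration and not taken from the patent. The window size, the flip bounds `lo`/`hi`, the limit value and the sample windows are constructed assumptions; validity flags are derived with the von Neumann pair test mentioned for distiller 342.

```python
def count_flips(window):
    """Number of 0->1 or 1->0 transitions inside one window of sampled bits."""
    return sum(1 for a, b in zip(window, window[1:]) if a != b)


def life_detector_warning(window, lo, hi):
    """Model of warning 391: flip count outside the prescribed bounds.

    Too few flips means a stuck or near-constant source; too many means
    a source that is toggling almost deterministically.
    """
    flips = count_flips(window)
    return flips < lo or flips > hi


def von_neumann_valid_flags(window):
    """One validity flag per non-overlapping pair: valid when the bits differ."""
    return [window[i] != window[i + 1] for i in range(0, len(window) - 1, 2)]


def quality_estimator_warning(valid_flags, limit):
    """Model of warning 392: ratio of valid outputs to input sets below the limit."""
    if not valid_flags:
        return True  # nothing distilled at all is treated as a failure
    return sum(valid_flags) / len(valid_flags) < limit


def monitor(bits, window, lo, hi, limit):
    """Return (warning_391, warning_392, error_393) for each full window."""
    results = []
    for start in range(0, len(bits) - window + 1, window):
        chunk = bits[start:start + window]
        w391 = life_detector_warning(chunk, lo, hi)
        w392 = quality_estimator_warning(von_neumann_valid_flags(chunk), limit)
        results.append((w391, w392, w391 or w392))  # logical OR gate
    return results


# Constructed 16-bit sample windows, one failure mode each.
STUCK = [0] * 16                                   # constant output
TOGGLING = [0, 1] * 8                              # perfectly regular
PAIRED = [0, 0, 1, 1] * 4                          # flips look fine, pairs never differ
HEALTHY = [0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0]

if __name__ == "__main__":
    stream = STUCK + TOGGLING + PAIRED + HEALTHY
    for i, row in enumerate(monitor(stream, window=16, lo=3, hi=12, limit=0.25)):
        print(i, row)
```

The `PAIRED` window passes the flip counter but fails the valid-ratio check, which is why the two warnings are combined rather than used alone.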
  • length selector 344 may include any suitable circuitry and/or software able to generate length selection signal 348, e.g., based on the values of bits 343 and/or bits 345, e.g., as described below.
  • Fig. 5 schematically illustrates a length selector 500 in accordance with some demonstrative embodiments of the invention.
  • Length selector 500 may include, for example, a first register 502, e.g., a shift register, to store the values of one or more of bits 343.
  • register 502 may only store bits 343 which are indicated by corresponding bits 345 as being valid.
  • Register 502 may operate, for example, according to clock domain 310.
  • Length selector 500 may also include a second register 506 able to retrieve from register 502 one or more bits 504.
  • Register 506 may operate, for example, according to clock domain 320.
  • Register 506 may generate a length selection signal 508 based on one or more bits stored in register 506.
  • length selection signal 508 may include three of the bits stored in register 506, e.g., representing a value between zero and seven.
  • signal 508 may include any other number of bits.
  • the value of length selection signal 508 may be used, for example, to determine an oscillation length of a variable length oscillator of ES 322 (Fig. 3).
  • ES 322 may include a variable length ring oscillator (VLO) 350, and a synchronizer 356.
  • ES 322 and components thereof may operate in system clock domain 320, which may be different from the clock domain 310 used by ESC 314.
  • VLO 350 may receive length selection signal 348 produced by length selector module 344 of ESC 314. As described below with reference to Fig. 4, VLO 350 may generate an oscillation signal 352 having an oscillation frequency corresponding to the value of signal 348. Synchronizer 356 may generate a bitstream 321 based on signal 352. For example, synchronizer 356 may include a 3 D-FF synchronizer, as is known in the art, to generate bitstream 321 based on signal 352 and SCLK 337.
  • RNG 300 may optionally include a life detector 323 to monitor the operation of ES 322, e.g., in analogy to life detector 313. Life detector 323 may be able to generate a warning signal 394, e.g., to indicate that bitstream 321 contains constant bits.
  • distiller 324 may produce one or more output bits 325 and a corresponding validity signal 327 based on one or more sets of consecutive bits from bitstream 321, e.g., as explained in detail below.
  • estimator may determine a relation between the valid and/or invalid bits generated by distiller 324, and a number of bits received by distiller 324.
  • estimator 328 may estimate a relation between the number of valid and/or invalid bits generated by distiller 324 and a time period during which the bits were generated by distiller 324.
  • Estimator 328 may generate, for example, a signal 329 having a value corresponding to the IOC of bits 325, e.g., as described below.
  • Estimator 328 may optionally generate an error signal 395, e.g., if the criterion is not satisfied, e.g., if the relation is smaller than a limit value.
  • a warning value 396 may be generated based on signal 394 and/or signal 395.
  • VLO 400 may perform the functionality of VLO 350 (Fig. 3).
  • VLO 400 may be controlled by a length selector module 402, e.g., such as the length selector 344 described above with reference to Fig. 3.
  • a ring oscillator may include a chain, e.g., of an odd number of serially connected inverters.
  • the length of the chain i.e., the number of inverters, may determine the oscillation frequency of an output oscillation signal. For example, a longer chain may result in a lower oscillation frequency, and a shorter chain may result in a higher oscillation frequency. However, for a given chain length, the oscillation frequency may be fixed.
  • VLO 400 may include a first chain 410 having an odd number M of serially connected inverters, and at least one additional chain having an even number m of serially connected inverters.
  • the additional inverter chains e.g., chain 411 of length m1, chain 412 of length m2, and chain 413 of length m3, may be selectively combined with the first chain 410, e.g., to create a combined chain having an odd number of serially connected inverters.
  • VLO 400 may include k multiplexers, one for each.
  • length selector 402 may produce a length signal 430 having k output bits to control the k multiplexers.
  • length signal 430 may include three bits, e.g., bits 431, 432, and 433, to control multiplexers 421, 422, and 423, respectively.
  • the three bits of signal 430 may represent one of eight possible numbers, e.g., between one and seven. For example, eight possible combinations resulting in eight different chain lengths are summarized in the following table:
  • the choice of m3 = 2*m2 = 4*m1, e.g., as in Table 1, may generate an arithmetic sequence of chain lengths, which may imply that the chain length is an increasing function of the 3-bit length selector values.
  • the range of length selector module 402 may be limited by minimum and maximum values 440.
  • the MIN and MAX values 440 may take integer values from a range corresponding to the number of multiplexers in VLO 400.
  • MIN/MAX may take integer values in [0,7], with MIN ⁇ MAX.
  • MIN/MAX values 440 may be controlled, e.g., by quality estimator 328 (Fig 3).
  • variable length capability of VLO 400 may enable a range of different oscillation frequencies, which may contribute to instability and hence to entropy rate of the sampled output of the VLO, e.g., signal 352.
  • Figs. 2 and 3 schematically illustrate, among other components, distiller 224 (324) and quality estimator 228 (328).
  • reference numbers may correspond to those of Fig. 2, but it will be appreciated that the following description may equally apply to corresponding components depicted in Fig. 3.
  • distiller 224 may operate on sets of consecutive bits from bitstream 221, e.g., to produce the output bits 225.
  • distiller 224 may process a set of input bits having three subsets, including a first subset of n bits, denoted X, a second subset of n bits, denoted Y, and a separation subset of w bits to be discarded.
  • the 2n+w bits may be stored before processing, e.g., within a buffer.
  • Distiller 324 may then compare the value of X to the value of Y, and selectively generate the output bit, e.g., if it is determined that X is different than Y.
  • the comparison between the subsets X and Y may be performed "on the fly", for example, by comparing one or more of the n bits of the subset X to one or more corresponding bits of the subset Y, e.g., as described below.
  • the distiller parameters n and w are chosen such that the subsets X and Y may include independent samples from the bitstream 221 for evaluation.
  • the discarded subset of w bits may provide the necessary separation to ensure that X and Y are independent samples.
  • the choice of n and w may determine the throughput of distiller 224, as described in detail below. Too small values may deteriorate the quality of the output.
  • output bits 225 generated by distiller 224 may be treated as being substantially independent identically distributed (i.i.d.), e.g., if the values of n and/or w are selected as follows:
  • Lemma 1 Let n > 1 be a positive integer, and let A^(n) be the set of all 2^n possible n-bit sequences. Assume that some order, e.g., lexicographic, is defined on A. Let ⁇ be a probability distribution over A^(n). Define the Index of Coincidence (IOC), of ⁇ (which is a characteristic of ⁇ ), by:
  • Prob (X > Y) = Prob (X < Y).
  • b. Define the functions BIT (X, Y) and Valid (X, Y) as follows:
  • Lemma 1 may be equivalent to the von Neumann transformation to eliminate bias from a bitstream.
  • the von Neumann transformation as it is known in the art, may evaluate bits in pairs, discard the pair if they are equal, and output the first bit of the pair if they are different.
  • w which may result in independent sets X and Y may depend, e.g., on the mixing time of the underlying Markov chain of Lemma 1, and may be assessed experimentally. It will be appreciated by those with skill in the art that, although the mixing time of a Markov chain may be arbitrarily long in theory, depending on the spectral gap of the transition matrix of the chain, the correlations between separated states of the chain may decrease exponentially.
  • distiller 224 may compare the subsets X and Y based on the order defined on A and may output a pair of bits, e.g., [BIT (X, Y), Valid (X, Y)] corresponding to bits of output bits 225 and validity signal 227, respectively, e.g., in accordance with Equation set 1.
  • the invalid bit may be suppressed by distiller 224, e.g., and not provided as an output; and/or ignored by collector 226 (Fig. 2).
  • an additional distiller (not shown) may be applied to the suppressed bit, e.g., to increase the overall throughput of the distilling process.
  • the suppressed bits may be utilized by QE 228, e.g., to monitor the behavior of ES 222.
  • the estimate 229 may be used to modify the distiller 224, e.g., by changing the values of n and/or w, e.g., to recover from anomalous conditions.
  • the IOC estimate 229 may control the length selector module of ESC 214, e.g., by determining the MIN/MAX values.
  • distiller 224 may distill the output bits according to the following pseudo-code algorithm, which may enable processing the 2n+w bits "on the fly":
  • VALID l-X_equal_Y end OUTPUT: BIT, VALID
  • the input bitstream 221 may be read serially.
  • bit b_1 may be assigned to x_1 of subset X
  • the next d bits may be discarded as part of the separation subset
  • bit b_(2+d) may be assigned to y_1 of set Y.
  • consecutive bits of subset X may be separated by 2d bits of the separation subset and a bit of subset Y.
  • consecutive bits of subset Y may be separated by 2d bits of the separation subset and a bit of subset X.
  • An iterative procedure may be applied to the values of x_i and y_i and repeated n times, processing altogether 2n+w bits.
  • all values of BIT, including invalid bits may be used for propagating a counter in quality estimator 228, e.g., ELAPSED_CLOCKS.
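A software model of the on-the-fly distilling procedure described above, added here as an illustration and not the patent's own pseudo-code (which survives on this page only as a fragment). It assumes the serial layout x_i, d discarded bits, y_i, d discarded bits (so w = 2nd), and that BIT is 1 when X > Y; with n = 1 and d = 0 it reduces to the von Neumann transformation mentioned earlier. The biased source is constructed test input.

```python
import random


def distill_set(bits, n, d):
    """Distil one (BIT, VALID) pair from a set of 2n + w input bits, w = 2*n*d.

    Bits are consumed serially: x_i, d discarded, y_i, d discarded, n times.
    Assumption: BIT = 1 when X > Y and 0 when X < Y in lexicographic order
    (first bit read is most significant); the encoding is not given on the page.
    """
    if n < 1 or d < 0:
        raise ValueError("need n >= 1 and d >= 0")
    if len(bits) != n * (2 + 2 * d):
        raise ValueError("a set must hold exactly 2n + 2nd bits")
    x_equal_y = 1      # stays 1 until the first position where X and Y differ
    bit = 0
    pos = 0
    for _ in range(n):
        x = bits[pos]
        pos += 1 + d   # skip d separation bits after x_i
        y = bits[pos]
        pos += 1 + d   # skip d separation bits after y_i
        if x_equal_y and x != y:
            # The first differing position decides the lexicographic comparison.
            x_equal_y = 0
            bit = 1 if x > y else 0
    return bit, 1 - x_equal_y   # VALID = 1 - X_equal_Y


def distill_stream(bits, n, d):
    """Distil a whole bitstream; return (valid output bits, valid sets / sets)."""
    set_len = n * (2 + 2 * d)
    outputs = []
    sets = 0
    for start in range(0, len(bits) - set_len + 1, set_len):
        bit, valid = distill_set(bits[start:start + set_len], n, d)
        sets += 1               # every set advances the estimator's counter
        if valid:
            outputs.append(bit)  # invalid bits are suppressed
    ratio = len(outputs) / sets if sets else 0.0
    return outputs, ratio


def biased_source(count, p_one, seed):
    """Constructed test input: independent bits with Prob(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(count)]


if __name__ == "__main__":
    raw = biased_source(200_000, 0.8, seed=1)
    print("raw mean:", sum(raw) / len(raw))
    for n, d in ((1, 0), (4, 2)):
        out, ratio = distill_stream(raw, n, d)
        print(f"n={n} d={d}: outputs={len(out)} "
              f"mean={sum(out) / len(out):.3f} valid_ratio={ratio:.3f}")
```

The fraction of invalid sets, `1 - ratio`, is an estimate of Prob(X = Y) for the source, which is the quantity a quality estimator can watch for drift.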
  • the throughput of RNG 200 (300) may be determined by the following parameters:
  • throughput may be calculated as follows:
  • the distiller parameters n and/or w may be controlled and modified as necessary, e.g., in response to estimation signal 229 (329).
  • the value of IOC as defined in Lemma 1 above, may be a result of physical properties of ES 222 (322).
  • the parameters of the physical implementation may need to be optimized, e.g., by trial-and-error experimentation.
  • a 1 Mbit/sec througtiput may be reached with a conservative estimate of IOC ⁇ 0.5.
  • the throughput may be indirectly dependent, for example, on the average VLO frequency, denoted c 0 .
  • it may be desirable to have c « c 0 .
  • the distiller parameters n and/or w may be increased, e.g., in order to compensate for an increase in the IOC, which may result, for example, from an over-sampling rate.
  • This bias may be corrected by applying Distiller (1) to the bit stream, twice.
  • the throughput of (Distiller(1))^2 may be calculated according to the following equation:
  • the output bits may be i.i.d, and the throughput may be calculated according to the following equation:
  • FIGs. 6A and 6B schematically illustrate collectors 600 and 602, respectively, in accordance with two respective demonstrative embodiments of the invention.
  • collector 600 and/or 602 may perform the functionality of collector 226 (Fig. 2), e.g., the output of collectors 600 and 602 may correspond to output 230 (Fig. 2).
  • collector 600 may include a linear feedback shift register (LFSR) 610, and collector 602 may include a Galois shift register (GSR) 611.
  • Each one of collectors 600 and 602 may receive an input bitstream 605, e.g., including substantially random bits output from distiller 224 (Fig. 2).
  • Collector 600 may produce an output signal 630, e.g., based on the action of shift register 610.
  • Collector 602 may produce an output signal 631, e.g., based on the action of shift register 611.
  • a primitive polynomial of order 31, e.g., p(x) above, may guarantee a long cycle of 2^31 different output values in signal 630 even in the case of a fixed input.
  • output bits 630 may be linear functions of input bits 625.
  • LFSR 610 may transfer any possible remaining correlations between input bits 625 to a longer term correlation, which may be harder to predict.
  • LFSR 610 may store 31 bits, e.g., denoted r_0, ..., r_30.
  • LFSR 610 may output one bit to output signal 610 at each step of the cycle, e.g., based on the current internal state of the register and the next input bit from bitstream 625.
  • LFSR 610 may perform the following pseudo-code algorithm, e.g., based on the primitive polynomial p(x):
  • GSR 611 may output a plurality of bits, e.g., an 8-bit byte, to output signal 631.
  • GSR 611 may perform the following pseudo-code algorithm to achieve the same recursion as described above, e.g., based on p(x):
  • Embodiments of the present invention may be implemented by software, by hardware, or by any combination of software and/or hardware as may be suitable for specific applications or in accordance with specific design requirements.
  • Embodiments of the present invention may include units and sub-units, which may be separate of each other or combined together, in whole or in part, and may be implemented using specific, multi-purpose or general processors, or devices as are known in the art.
  • Some embodiments of the present invention may include buffers, registers, storage units and/or memory units, for temporary or long-term storage of data and/or in order to facilitate the operation of a specific embodiment.

Abstract

Embodiments of the present invention provide a method, apparatus and system of generating a random number. The method, according to some demonstrative embodiments of the invention, may include receiving a sequence of input bits, and distilling an output bit based on a comparison between one or more bits of a first subset of a set of said input bits and one or more bits of a second subset of said set, said set including said first and second subsets and a separation subset of one or more of said input bits to be discarded. Other embodiments are described and claimed.

Description

SYSTEM, METHOD AND DEVICE OF GENERATING A RANDOM VALUE
CROSS REFERENCE DATA
[001] This application claims priority from United States Provisional Application No. 60/621,679, filed October 26, 2004, the entire disclosure of which is incorporated herein by reference.
FIELD OF THE INVENTION
[002] The present invention relates to the field of random number generation.
BACKGROUND OF THE INVENTION
[003] A random number generator (RNG) is a computational or physical device designed to generate a sequence of numbers that may be treated as random, e.g., an unpredictable sequence of statistically independent numbers. That is, knowledge of a previously generated number may not add knowledge regarding the next generated number. A source of unpredictable random values may be desirable for diverse applications, for example, in the fields of cryptography, computer simulations, statistical sampling, etc.
[004] One method of generating random values may rely on sampling an entropy source, as is known in the art, to generate a sequence of bits. However, although the entropy source may be based on a random natural process, the generated bits may be statistically biased or correlated. In order to improve the randomness of the generated bits, it may be desirable to apply an algorithm which may statistically reduce any bias or correlation between the input bits.
SUMMARY OF SOME DEMONSTRATIVE EMBODIMENTS OF THE INVENTION
[005] Some demonstrative embodiments of the present invention include a method, apparatus and system of generating a random number.
[006] A device, according to some demonstrative embodiments of the invention, may include a distiller to receive a sequence of input bits, and to distil an output bit based on a comparison between one or more bits of a first subset of a set of the input bits and one or more bits of a second subset of the set. The set may include, for example, the first and second subsets and a separation subset of one or more of the input bits to be discarded. The number of bits in the first subset may be equal, for example, to the number of bits in the second subset.
[007] According to some demonstrative embodiments of the invention, the distiller may generate an output bit having a first value if the value corresponding to the first subset is bigger than the value corresponding to the second subset; and a second value if the value corresponding to the first subset is smaller than the value corresponding to the second subset.
[008] According to some demonstrative embodiments of the invention, the distiller may generate a signal identifying the set as an invalid set if the value corresponding to the first subset is equal to the value corresponding to the second subset.
[009] According to some demonstrative embodiments of the invention, the distiller may compare one or more sequences of at least one bit of the first subset to one or more sequences of at least one bit of the second subset, respectively.
[0010] According to some demonstrative embodiments of the invention, the set may include a sequence of 2*n+w input bits, w=d*n, wherein d, n, and w are positive integers; each of the first and second subsets may include n bits of the sequence; and the separation subset may include w bits of the sequence.
[0011] According to some demonstrative embodiments of the invention, each pair of consecutive bits of the first subset may be separated, for example, by 2*d bits of the separation subset and one bit of the second subset; and/or each pair of consecutive bits of the second subset may be separated, for example, by 2*d bits of the separation subset and one bit of the first subset.
[0012] According to some demonstrative embodiments of the invention, the distiller may compare the first subset to the second subset by comparing a value corresponding to a bit of the first subset to a value corresponding to a respective bit of the second set. The distiller may also selectively generate an output bit having a value based on at least one of the value corresponding to the bit of the first subset and the value corresponding to the bit of the second set.
[0013] According to some demonstrative embodiments of the invention, the distiller may determine a number of the input bits to be assigned to each of the first subset, the second subset, and/or the separation subset, e.g., based on a predetermined criterion corresponding to the output bits. The criterion may correspond, for example, to a relation between a number of valid output bits distilled, and a number of sets of the input bits used for distilling the output bits. The device may also include, for example, an estimator to estimate the relation.
[0014] According to some demonstrative embodiments of the invention, the device may also include a controller to generate an oscillation length value based on a predetermined criterion corresponding to the output bits; a variable length oscillator to generate an oscillator signal having an oscillation frequency corresponding to the oscillation length value; and/or a synchronizer to generate the input bits by sampling the oscillator signal.
[0015] According to some demonstrative embodiments of the invention, the synchronizer may sample the oscillator signal in a first clock frequency, which may be different, for example, than a second clock frequency used by the controller.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanied drawings in which:
[0017] Fig. 1 is a schematic diagram of a computing platform in accordance with some demonstrative embodiments of the present invention;
[0018] Fig. 2 is a schematic diagram of a random number generator in accordance with some demonstrative embodiments of the invention;
[0019] Fig. 3 is a schematic illustration of a circuitry configuration of a random number generator according to a demonstrative embodiment of the invention;
[0020] Fig. 4 is a schematic illustration of a variable length oscillator in accordance with some demonstrative embodiments of the invention;
[0021] Fig. 5 is a schematic illustration of a length selector in accordance with some demonstrative embodiments of the invention; and
[0022] Figs. 6A and 6B are schematic illustrations of two collectors, respectively, in accordance with two different demonstrative embodiments of the invention.
[0023] It will be appreciated that for simplicity and clarity of illustration, elements shown in the drawings have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity or several physical components included in one functional block or element. Further, where considered appropriate, reference numerals may be repeated among the drawings to indicate corresponding or analogous elements. Moreover, some of the blocks depicted in the drawings may be combined into a single function.
DETAILED DESCRIPTION OF THE INVENTION
[0024] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits may not have been described in detail so as not to obscure the present invention.
[0025] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as "processing," "computing," "calculating," "determining," or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices. In addition, the term "plurality" may be used throughout the specification to describe two or more components, devices, elements, parameters and the like.
[0026] Some embodiments of the invention may be implemented, for example, using a machine-readable medium or article which may store an instruction or a set of instructions that, if executed by a machine (for example, by a processor and/or by other suitable machines), cause the machine to perform a method and/or operations in accordance with embodiments of the invention. Such a machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware and/or software. The machine-readable medium or article may include, for example, any suitable type of memory unit, memory device, memory article, memory medium, storage device, storage article, storage medium and/or storage unit, for example, memory, removable or non-removable media, erasable or non-erasable media, writeable or re-writeable media, digital or analog media, hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, various types of Digital Versatile Disks (DVDs), a tape, a cassette, or the like. The instructions may include any suitable type of code, for example, source code, compiled code, interpreted code, executable code, static code, dynamic code, or the like, and may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language, e.g., C, C++, Java, BASIC, Pascal, Fortran, Cobol, assembly language, machine code, or the like.
[0027] Reference is now made to Fig. 1, which schematically illustrates a computing platform 100 according to some demonstrative embodiments of the invention.
[0028] Although the present invention is not limited in this respect, computing platform 100 may be a portable device. Non-limiting examples of such portable devices include mobile telephones, laptop and notebook computers, personal digital assistants (PDA), memory cards, memory units, and the like. Alternatively, the computing platform may be a non-portable device, such as, for example, a desktop computer.
[0029] According to some demonstrative embodiments of the invention, computing platform 100 may include a Random Number Generator (RNG) 102 to generate one or more output bits representing a value, e.g., a value intended to be substantially random, as described in detail below.
[0030] In some demonstrative embodiments of the invention, platform 100 may optionally include a processor 104, a memory 106, an output unit 108, an input unit 110, a network connection 112, and/or any other suitable hardware components and/or software components.
[0031] According to some demonstrative embodiments of the invention, processor 104 may include a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microprocessor, a host processor, a plurality of processors, a controller, a chip, a microchip, or any other suitable multi-purpose or specific processor or controller. Input unit 110 may include, for example, a keyboard, a mouse, a touch-pad, or other suitable pointing device or input device. Output unit 108 may include, for example, a Cathode Ray Tube (CRT) monitor, a Liquid Crystal Display (LCD) monitor, or other suitable monitor or display unit. Memory 106 may include, for example, a Random Access Memory (RAM), a Read Only Memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units. Network connection 112 may be adapted to interact with a communication network, for example, a local area network (LAN), wide area network (WAN), or a global communication network, for example, the Internet. According to some embodiments the communication network may include a wireless communication network such as, for example, a wireless LAN (WLAN) communication network. Although the scope of the present invention is not limited in this respect, the communication network may include a cellular communication network, with platform 100 being, for example, a base station, a mobile station, or a cellular handset. The cellular communication network, according to some embodiments of the invention, may be a 3rd Generation Partnership Project (3GPP), such as, for example, Frequency Domain Duplexing (FDD), Global System for Mobile communications (GSM), Wideband Code Division Multiple Access (WCDMA) cellular communication network and the like.
[0032] According to some demonstrative embodiments of the invention, the output bits generated by RNG 102 may be provided to processor 104, memory 106, output 108, and/or network connection 112. For example, processor 104 may process one or more of the output bits generated by RNG 102, e.g., as part of a decryption and/or encryption operation, as are known in the art. Additionally or alternatively, one or more of the output bits of RNG 102 may be stored by memory 106.
[0033] Reference is now made to Fig. 2, which schematically illustrates a random number generator 200 according to some demonstrative embodiments of the invention. Although the invention is not limited in this respect, random number generator 200 may perform the functionality of RNG 102 (Fig. 1).
[0034] According to some demonstrative embodiments of the invention, RNG 200 may include two independent clock domains, e.g., clock domain 210 and clock domain 220. Clock domains 210 and 220 may correspond to two clocks, e.g., corresponding to two separate clock crystals. For example, clock domain 210 may correspond to a real-time clock and clock domain 220 may correspond to a system clock associated with a processor, e.g., processor 104 of Fig. 1. In accordance with some non-limiting embodiments of the invention, clock domains 210 and 220 may be asynchronous.
[0035] According to some demonstrative embodiments of the invention, RNG 200 may include an entropy source (ES) 222 to generate a sequence of input bits 221, and a distiller 224 to selectively distil output bits 225 based on input bits 221, e.g., as described in detail below. For example, distiller 224 may receive input bits 221, and distil an output bit based on a comparison between one or more bits of a first subset of a set of input bits 221 and one or more bits of a second subset of the set. The set may include, for example, the first and second subsets and a separation subset of one or more of input bits 221 to be discarded, e.g., as described below. Thus, for example, in one non-limiting embodiment, distiller 224 may distill each one of output bits 225 based on corresponding sets of input bits 221, each set including at least three bits, e.g., wherein one or more of the bits are assigned to the first subset, one or more of the bits are assigned to the second subset, and one or more of the bits are to be discarded. For example, each set may include 2n+w bits, wherein each one of the first and second subsets includes n bits, and the discarded subset includes w bits, e.g., as described below.
[0036] In some demonstrative embodiments of the invention, ES 222 and/or distiller 224 may operate in clock domain 220, e.g., as described in detail below.
[0037] According to some demonstrative embodiments of the invention, RNG 200 may also include a quality estimator (QE) 228 associated with distiller 224. QE 228 may monitor the operation of distiller 224 and provide feedback, e.g., for self-correction of the operation of distiller 224, as described in detail below.
[0038] According to some demonstrative embodiments of the invention, distiller 224 may generate a validity signal 227 indicating whether an output bit 225 corresponding to bit 227 is valid, e.g., as described below. Quality estimator 228 may utilize validity signal 227 to check, for example, whether ES 222 is operating within reference conditions. For example, QE 228 may estimate a relation between the number of valid output bits 225, and/or the number of invalid output bits 225; and the number of sets of input bits 221 used to produce the output bits. Although the invention is not limited in this respect, QE 228 may produce an estimation signal 229, which may be used to adjust the behavior of distiller 224, e.g., as described in detail below.
[0039] Although the invention is not limited in this respect, ES 222 may include any suitable entropy source as is known in the art and may be implemented using digital or analog circuitry. For example, ES 222 may include an oscillator, e.g., as described below. RNG 200 may optionally include a life detector 223 associated with ES 222, e.g., to receive and/or monitor bits 221, for example, to check that the oscillator is operating within prescribed bounds, e.g., not producing a constant output in generated bitstream 221.
[0040] According to some demonstrative embodiments of the invention, RNG 200 may also include a collector 226 to collect the output bits 225 from the distiller 224. Collector 226 may operate, for example, in clock domain 220. Collector 226 may include, for example, a shift register (not shown), e.g., as is known in the art. The shift register may include, for example, a linear feedback shift register (LFSR), a feedback with carry shift register (FCSR), a Galois shift register (GSR), or the like. Collector 226 may generate, for example, a signal 230 representing a value ("the RNG output"), e.g., based on the output of the shift register, as explained in detail below with reference to Figs. 6A and 6B.
[0041] According to some demonstrative embodiments of the invention, RNG 200 may also include an entropy source controller (ESC) 214, which may be able to modify the behavior of ES 222. For example, in the case where ES 222 includes an oscillator, ESC 214 may be able to change the oscillation frequency of the oscillator, e.g., as described in detail below with reference to Fig. 4. RNG 200 may further include a secondary entropy source (SES) 212 to generate a sequence of bits to provide input for the operation of ESC 214. In some demonstrative embodiments of the invention, RNG 200 may optionally include a life detector 213 associated with SES 212, and/or a quality estimator 218 associated with ESC 214. Although the invention is not limited in this respect, life detector 213 and/or quality estimator 218 may monitor the operation of SES 212 and/or ESC 214, respectively, and may produce an error signal if operation falls outside of prescribed bounds. In alternative demonstrative embodiments of the invention, RNG 200 may be designed without one or more of SES 212, ESC 214, life detector 213, and/or QE 218, if appropriate. In some demonstrative embodiments of the invention, SES 212, ESC 214, life detector 213, and/or QE 218 may operate in clock domain 210.
[0042] Reference is made to Fig. 3, which schematically illustrates a circuitry configuration of a random number generator 300 according to one demonstrative embodiment of the invention. Although the invention is not limited in this respect, one or more components of RNG 300 may perform the functionality of one or more components of RNG 200 of Fig. 2. For example, RNG 300 may include a first clock domain 310 (210) and a second clock domain 320 (220). The first clock domain may include, for example, a secondary entropy source 312 (212), a life detector 313 (213), an entropy source controller 314 (214), and/or a quality estimator 318 (218). The second clock domain may include, for example, an entropy source 322 (222), a life detector 323 (223), a distiller 324 (224), and/or a quality estimator 328 (228).
[0043] Although the invention is not limited in this respect, secondary entropy source (SES) 312 may include a ring oscillator 332, a clock divider 334, and/or a synchronizer 336. Ring oscillator 332 may include, for example, a free running ring oscillator, e.g., as is known in the art, able to generate an oscillation signal 333. Clock divider 334 may divide the frequency of signal 333, e.g., to produce a clock 335, e.g., a random and/or unstable clock, denoted RCLK. For example, clock divider 334 may include a toggle-flip-flop (T-FF) divider having a serial chain of toggle flip-flops, e.g., as is known in the art. Synchronizer 336 may include, for example, a 3 D-FF synchronizer, having three digital flip-flops, as is known in the art. According to some demonstrative embodiments of the invention, synchronizer 336 may operate on an input bitstream, e.g., of a system clock 337, denoted SCLK. For example, synchronizer 336 may sample SCLK 337 according to RCLK 335, to produce an output bitstream 338. It will be appreciated that the sequence of bits generated by SES 312 in bitstream 318 may be hard to predict due to the difference between clock domains 335 and 337.
[0044] In some demonstrative embodiments of the invention, SES 312 may be optionally associated with life detector 313, which may monitor SES 312, e.g., by checking that SES 312 is not producing constant output. For example, life detector 313 may include one or more flip counters to count the number of flips in bitstream 318, e.g., within a given sequence of clock cycles. If the number of flips is outside of prescribed upper or lower bounds, life detector 313 may generate, for example, a warning signal 391.
[0045] According to some demonstrative embodiments of the invention, ESC 314 may include a distiller 342 to distill one or more output bits 343 based on bitstream 338; and a length selector module 344 to produce a length selection signal 348 based on output bits 343, e.g., as described below. For example, length selection signal 348 may be used to control the oscillation frequency of an oscillator in ES 322, as explained in detail below with reference to Fig. 4.
[0046] Although the invention is not limited in this respect, distiller 342 may implement any suitable distilling method or algorithm designed to reduce bit bias and/or correlation, as is known in the art. For example, distiller 342 may implement the von Neumann algorithm, as is known in the art, to compare pairs of consecutive input bits, output the first bit of the pair if they are different, and discard both bits of the pair if they are the same. In addition, distiller 342 may produce a validity signal 345 based on the comparisons of bits from bitstream 338, e.g., to indicate to length selector 344 whether output bits 343 may be used. In addition, validity signal 345 may be provided to quality estimator 318. In other demonstrative embodiments of the invention, distiller 342 may implement any other distilling method, e.g., the distilling method implemented by distiller 324, as described in detail below.
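The two distilling methods named above, the von Neumann algorithm and the comparison distiller with a discarded separation subset, can be compared with the following added example, which is not code from the patent. It assumes the serial layout x_i, d discarded bits, y_i, d discarded bits, that x_1 and y_1 are the most significant bits of X and Y, and that the output for X > Y is 1; the correlated "sticky" bit source is constructed for the demonstration.

```python
import random


def distill(bits, n, d):
    """Yield (BIT, VALID) for each complete set read serially from `bits`.

    Assumed layout of one set (repeated n times):
        x_i, d discarded bits, y_i, d discarded bits
    Assumptions not fixed by the text: x_1/y_1 are the most significant
    bits, and the output is 1 when X > Y and 0 when X < Y.
    """
    if n < 1 or d < 0:
        raise ValueError("need n >= 1 and d >= 0")
    it = iter(bits)
    while True:
        bit, x_equal_y = 0, True
        try:
            for _ in range(n):
                x = next(it)                # bit of subset X
                for _ in range(d):
                    next(it)                # separation bits, discarded
                y = next(it)                # bit of subset Y
                for _ in range(d):
                    next(it)                # separation bits, discarded
                if x_equal_y and x != y:    # first differing pair decides
                    bit, x_equal_y = x, False
        except StopIteration:
            return                          # incomplete trailing set is dropped
        yield bit, not x_equal_y            # VALID = 1 - X_equal_Y


def von_neumann(bits):
    """Emit the first bit of each non-overlapping pair whose bits differ."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def sticky_source(count, p_flip, seed):
    """Constructed source: each bit repeats the previous one unless a flip
    occurs (probability p_flip), so neighbouring bits are correlated."""
    rng = random.Random(seed)
    bit, out = 0, []
    for _ in range(count):
        if rng.random() < p_flip:
            bit ^= 1
        out.append(bit)
    return out


def serial_agreement(out_bits):
    """Fraction of consecutive output bits that are equal; about 0.5 when
    successive output bits are independent."""
    same = sum(a == b for a, b in zip(out_bits, out_bits[1:]))
    return same / (len(out_bits) - 1)


def compare(count=400_000, p_flip=0.1, d=16, seed=1):
    """Return the serial agreement of von Neumann output and of the
    separated distiller (n=1) on the same constructed source."""
    src = sticky_source(count, p_flip, seed)
    plain = von_neumann(src)
    separated = [b for b, valid in distill(src, n=1, d=d) if valid]
    return serial_agreement(plain), serial_agreement(separated)


if __name__ == "__main__":
    plain, separated = compare()
    print(f"von Neumann, no separation: {plain:.3f}")
    print(f"n=1 with d=16 separation:   {separated:.3f}")
```

With n=1 and d=0 the comparison distiller produces the same valid bits as the von Neumann algorithm; on the sticky source the unseparated output tends to alternate, while the separated output sits close to 0.5 at the cost of discarding most input bits.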
[0047] Although the invention is not limited in this respect, validity signal 345 may be utilized by quality estimator 318 to check that SES 312 is operating within prescribed operational bounds. For example, estimator 318 may estimate a relation between the number of valid and/or invalid output bits 343 produced by distiller 342 and the number of input bits 338 produced by SES 312. Estimator 318 may then compare the estimated relation to a predetermined limit value. According to some demonstrative embodiments of the invention, quality estimator 318 may generate a warning signal 392, e.g., if the estimated relation is smaller than the limit value. Warning signal 392 may be combined, for example, with warning signal 391, e.g., using a logical OR gate, to produce an error signal 393, e.g., if at least one of detector 313 and estimator 318 produce a warning.
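The two health checks described above, the flip-counting life detector and the valid-bit quality estimator, catch different failures, as this added example shows (it is not code from the patent). The window size, flip bounds, limit value and sample bitstreams are constructed, and the estimator assumes a von Neumann distiller consuming two input bits per output.

```python
def life_detector(bits, window, min_flips, max_flips):
    """Warning (like signal 391): True if any full window of `window` bits
    has a flip count outside [min_flips, max_flips]."""
    for start in range(0, len(bits) - window + 1, window):
        chunk = bits[start:start + window]
        flips = sum(a != b for a, b in zip(chunk, chunk[1:]))
        if not min_flips <= flips <= max_flips:
            return True
    return False


def von_neumann_validity(bits):
    """Validity flag per non-overlapping pair: valid when the bits differ."""
    return [a != b for a, b in zip(bits[0::2], bits[1::2])]


def quality_estimator(validity, input_bits, limit):
    """Warning (like signal 392): True if the relation between valid output
    bits and input bits is smaller than `limit`."""
    if input_bits == 0:
        return True
    return sum(validity) / input_bits < limit


def check(bits, window=16, min_flips=2, max_flips=12, limit=0.1):
    """Return (warning_391, warning_392, error_393); the error is the
    logical OR of the two warnings. All thresholds are constructed."""
    w391 = life_detector(bits, window, min_flips, max_flips)
    w392 = quality_estimator(von_neumann_validity(bits), len(bits), limit)
    return w391, w392, w391 or w392


# Constructed sample bitstreams (64 bits each).
STUCK = [0] * 64                    # constant output
PAIRED = [0, 0, 1, 1] * 16          # flips only between pairs
TOGGLING = [0, 1] * 32              # flips on every sample
HEALTHY = [0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1] * 4

if __name__ == "__main__":
    for name, stream in [("stuck", STUCK), ("paired", PAIRED),
                         ("toggling", TOGGLING), ("healthy", HEALTHY)]:
        print(name, check(stream))
```

The paired stream passes the life detector yet yields no valid bits, and the toggling stream yields plenty of valid bits yet exceeds the flip bound, which is why the two warnings are combined.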
[0048] According to some demonstrative embodiments of the invention, length selector 344 may include any suitable circuitry and/or software able to generate length selection signal 348, e.g., based on the values of bits 343 and/or bits 345, e.g., as described below.
[0049] Reference is made to Fig. 5, which schematically illustrates a length selector 500 in accordance with some demonstrative embodiments of the invention.
[0050] Length selector 500 may include, for example, a first register 502, e.g., a shift register, to store the values of one or more of bits 343. For example, register 502 may only store bits 343 which are indicated by corresponding bits 345 as being valid. Register 502 may operate, for example, according to clock domain 310.
[0051] Length selector 500 may also include a second register 506 able to retrieve from register 502 one or more bits 504. Register 506 may operate, for example, according to clock domain 320. Register 506 may generate a length selection signal 508 based on one or more bits stored in register 506. In one non-limiting example, length selection signal 508 may include three of the bits stored in register 506, e.g., representing a value between zero and seven. In other examples, signal 508 may include any other number of bits. As described below, the value of length selection signal 508 may be used, for example, to determine an oscillation length of a variable length oscillator of ES 322 (Fig. 3).
[0052] Referring back to Fig. 3, according to some demonstrative embodiments of the invention, ES 322 may include a variable length ring oscillator (VLO) 350, and a synchronizer 356. ES 322 and components thereof may operate in system clock domain 320, which may be different from the clock domain 310 used by ESC 314.
[0053] In accordance with demonstrative embodiments of the invention, VLO 350 may receive length selection signal 348 produced by length selector module 344 of ESC 314. As described below with reference to Fig. 4, VLO 350 may generate an oscillation signal 352 having an oscillation frequency corresponding to the value of signal 348. Synchronizer 356 may generate a bitstream 321 based on signal 352. For example, synchronizer 356 may include a 3 D-FF synchronizer, as is known in the art, to generate bitstream 321 based on signal 352 and SCLK 337.
[0054] Although the invention is not limited in this respect, RNG 300 may optionally include a life detector 323 to monitor the operation of ES 322, e.g., in analogy to life detector 313. Life detector 323 may be able to generate a warning signal 394, e.g., to indicate that bitstream 321 contains constant bits.
[0055] In accordance with some demonstrative embodiments of the invention, distiller 324 may produce one or more output bits 325 and a corresponding validity signal 327 based on one or more sets of consecutive bits from bitstream 321, e.g., as explained in detail below. Estimator 328 may monitor the operation of distiller 324, e.g., based on any suitable criterion. In one example, estimator may determine a relation between the valid and/or invalid bits generated by distiller 324, and a number of bits received by distiller 324. In another example, estimator 328 may estimate a relation between the number of valid and/or invalid bits generated by distiller 324, and a time period during which the bits were generated by distiller 324. Estimator 328 may generate, for example, a signal 329 having a value corresponding to the IOC of bits 325, e.g., as described below.
[0056] Estimator 328 may optionally generate an error signal 395, e.g., if the criterion is not satisfied, e.g., if the relation is smaller than a limit value. A warning value 396 may be generated based on signal 394 and/or signal 395.
[0057] Reference is made to Fig. 4, which schematically illustrates a variable length ring oscillator (VLO) 400 according to some demonstrative embodiments of the invention. Although the invention is not limited in this respect, VLO 400 may perform the functionality of VLO 350 (Fig. 3). VLO 400 may be controlled by a length selector module 402, e.g., such as the length selector 344 described above with reference to Fig. 3.
[0058] It will be appreciated that a ring oscillator may include a chain, e.g., of an odd number of serially connected inverters. The length of the chain, i.e., the number of inverters, may determine the oscillation frequency of an output oscillation signal. For example, a longer chain may result in a lower oscillation frequency, and a shorter chain may result in a higher oscillation frequency. However, for a given chain length, the oscillation frequency may be fixed.
[0059] According to some demonstrative embodiments of the invention, VLO 400 may include a first chain 410 having an odd number M of serially connected inverters, and at least one additional chain having an even number m of serially connected inverters. The additional inverter chains, e.g., chain 411 of length m1, chain 412 of length m2, and chain 413 of length m3, may be selectively combined with the first chain 410, e.g., to create a combined chain having an odd number of serially connected inverters. For example, VLO 400 may include k multiplexers, one for each of the additional inverter-chains, e.g., multiplexers 421, 422, and 423 associated with chains 411, 412, and 413 respectively, to control the length of the combined chain of inverters. This configuration may enable, for example, selectively implementing 2^k different chain lengths.
[0060] According to some demonstrative embodiments of the invention, length selector 402 may produce a length signal 430 having k output bits to control the k multiplexers. For example, length signal 430 may include three bits, e.g., bits 431, 432, and 433, to control multiplexers 421, 422, and 423, respectively. The three bits of signal 430 may represent one of eight possible numbers, e.g., between one and seven. For example, eight possible combinations resulting in eight different chain lengths are summarized in the following table:
Table 1 [table image imgf000015_0001, not reproduced in this text]
[0061] Although the invention is not limited in this respect, the choice of m3 = 2*m2 = 4*m1, e.g., as in Table 1, may generate an arithmetic sequence of chain lengths, which may imply that the chain length is an increasing function of the 3-bit length selector values.
[0062] According to some demonstrative embodiments of the invention, the range of length selector module 402 may be limited by minimum and maximum values 440. For example, in the case where increasing length selector bits correspond to increasing chain lengths, e.g., as with the choice of m3 = 2*m2 = 4*m1 shown in Table 1, MIN/MAX values 440 may be used to mask the length selector register.
[0063] In accordance with demonstrative embodiments of the invention, the MIN and MAX values 440 may take integer values from a range corresponding to the number of multiplexers in VLO 400. For example, in the case of three multiplexers, MIN/MAX may take integer values in [0,7], with MIN ≤ MAX. The choice of MIN = MAX may reduce VLO 400 to function similar to a fixed length oscillator. Although the invention is not limited in this respect, MIN/MAX values 440 may be controlled, e.g., by quality estimator 328 (Fig. 3).
[0064] In accordance with some demonstrative embodiments of the invention, the variable length capability of VLO 400 may enable a range of different oscillation frequencies, which may contribute to instability and hence to the entropy rate of the sampled output of the VLO, e.g., signal 352.
[0065] Reference is made again to Figs. 2 and 3, which schematically illustrate, among other components, distiller 224 (324) and quality estimator 228 (328). For clarity of description, reference numbers may correspond to those of Fig. 2, but it will be appreciated that the following description may equally apply to corresponding components depicted in Fig. 3.
[0066] According to some demonstrative embodiments of the invention, distiller 224 may operate on sets of consecutive bits from bitstream 221, e.g., to produce the output bits 225. For example, to produce an output bit, distiller 224 may process a set of input bits having three subsets, including a first subset of n bits, denoted X, a second subset of n bits, denoted Y, and a separation subset of w bits to be discarded.
[0067] In one demonstrative embodiment of the invention, the 2n+w bits may be stored before processing, e.g., within a buffer. Distiller 324 may then compare the value of X to the value of Y, and selectively generate the output bit, e.g., if it is determined that X is different than Y.
[0068] In other demonstrative embodiments of the invention, the comparison between the subsets X and Y may be performed "on the fly", for example, by comparing one or more of the n bits of the subset X to one or more corresponding bits of the subset Y, e.g., as described below.
[0069] Although the invention is not limited in this respect, it may be desired that the distiller parameters n and w are chosen such that the subsets X and Y may include independent samples from the bitstream 221 for evaluation. For example, the discarded subset of w bits may provide the necessary separation to ensure that X and Y are independent samples. In addition, the choice of n and w may determine the throughput of distiller 224, as described in detail below. Too small values may deteriorate the quality of the output.
[0070] According to some non-limiting demonstrative embodiments of the invention, output bits 225 generated by distiller 224 may be treated as being substantially independent identically distributed (i.i.d.), e.g., if the values of n and/or w are selected as follows:
Lemma 1: Let n ≥ 1 be a positive integer, and let A(n) be the set of all 2^n possible n-bit sequences. Assume that some order, e.g., lexicographic, is defined on A(n). Let Ω be a probability distribution over A(n). Define the Index of Coincidence (IOC) of Ω (which is a characteristic of Ω) by:
IOC = Σ_j (Prob(j))^2, j = 0, ..., 2^n - 1
where j denotes the j-th state of a Markov chain having 2^n states.
Then:
a. If X and Y are two independent samples from A(n), then:
Prob (X > Y) = Prob (X < Y).
b. Define the functions BIT (X, Y) and Valid (X, Y) as follows:
BIT (X, Y) = 1, Valid (X, Y) = 1 if X > Y
BIT (X, Y) = 0, Valid (X, Y) = 1 if X < Y (1)
BIT (X, Y) = 0, Valid (X, Y) = 0 if X = Y
Then:
i. The function BIT (X, Y), if VALID (X, Y) = 1, returns an unbiased bit.
ii. Prob (VALID (X, Y) = 0) = IOC.
[0071] It will be appreciated by those with skill in the art that in the case of n = 1, Lemma 1 may be equivalent to the von Neumann transformation to eliminate bias from a bitstream. The von Neumann transformation, as it is known in the art, may evaluate bits in pairs, discard the pair if they are equal, and output the first bit of the pair if they are different.
[0072] It will be appreciated by those with skill in the art, that if the bits in bit-sequence 221 have a dependence history of N bits, where N > n, then distilling according to the approach outlined by Lemma 1 may not produce i.i.d. bits. For example, the value n = 1, corresponding to the von Neumann transformation, may be insufficient.
[0073] Although the invention is not limited in this respect, a value of w which may result in independent sets X and Y may depend, e.g., on the mixing time of the underlying Markov chain of Lemma 1, and may be assessed experimentally. It will be appreciated by those with skill in the art that, although the mixing time of a Markov chain may be arbitrarily long in theory, depending on the spectral gap of the transition matrix of the chain, the correlations between separated states of the chain may decrease exponentially.
[0074] According to some demonstrative embodiments of the invention, distiller 224 may compare the subsets X and Y based on the order defined on A and may output a pair of bits, e.g., [BIT (X, Y), Valid (X, Y)] corresponding to bits of output bits 225 and validity signal 227, respectively, e.g., in accordance with Equation set 1. According to Lemma 1 (i), if Valid = 1 then BIT may be a statistically random, that is, i.i.d., bit which may be transmitted to collector 226. If Valid = 0, then BIT may be suppressed. For example, the invalid bit may be suppressed by distiller 224, e.g., and not provided as an output; and/or ignored by collector 226 (Fig. 2). According to Lemma 1 (ii), the probability of Valid = 0 may be equal to the IOC, which may have a minimum value of 2^-n, e.g., in the case of uniform distribution. Although the invention is not limited in this respect, in some embodiments an additional distiller (not shown) may be applied to the suppressed bit, e.g., to increase the overall throughput of the distilling process.
[0075] In accordance with some demonstrative embodiments of the invention, the suppressed bits may be utilized by QE 228, e.g., to monitor the behavior of ES 222. For example, QE 228 may count the number of occurrences of Valid = 0 in validity signal 227, e.g., within N consecutive (X,Y) samples, to obtain an estimate 229 of the IOC, e.g., corresponding to the IOC definition by Lemma 1. For example, the IOC may be estimated by IOC = #{X=Y}/N. Any other suitable method may be used for estimating a value corresponding to the IOC. Observed values of the estimate 229 that significantly deviate from a reference IOC, e.g., as measured in laboratory conditions, or from previous values of IOC, may indicate that the ES 222 is not operating in its reference conditions. Although the invention is not limited in this respect, the estimate 229 may be used to modify the distiller 224, e.g., by changing the values of n and/or w, e.g., to recover from anomalous conditions. In addition, the IOC estimate 229 may control the length selector module of ESC 214, e.g., by determining the MIN/MAX values.
[0076] Although the invention is not limited in this respect, distiller 224 may process a sequence of 2n+w bits, which may represent a first subset of n bits, a second subset of n bits, and a third subset of w bits to be discarded, where w = n*d for some integer d. For example, distiller 224 may distill the output bits according to the following pseudo-code algorithm, which may enable processing the 2n+w bits "on the fly":
Algorithm 1
INPUT: n, d, a bit stream STREAM = [b1 b2 b3 b4 ... b(2n+n*d)]
BIT = 0
VALID = 0
X_equal_Y = 1
decision_made = 0
for k from 1 to n do
    xk = get_next_bit (STREAM)
    for j from 1 to d do
        discarded_bit = get_next_bit (STREAM)
    end
    yk = get_next_bit (STREAM)
    X_equal_Y = X_equal_Y * ( 1 - XOR (xk, yk) )
    if ( (decision_made = 0) and (X_equal_Y = 0) ) then
        BIT = xk
        decision_made = 1
    end
    VALID = 1 - X_equal_Y
end
OUTPUT: BIT, VALID
[0077] Although the invention is not limited in this respect, distiller 224, implementing Algorithm 1, may process 2n+w = 2n + n*d bits in n+w clock cycles. The input bitstream 221 may be read serially. For example, bit b1 may be assigned to x1 of subset X, the next d bits may be discarded as part of the separation subset, and bit b(2+d) may be assigned to y1 of set Y. Thus, consecutive bits of subset X may be separated by 2d bits of the separation subset and a bit of subset Y. Similarly, consecutive bits of subset Y may be separated by 2d bits of the separation subset and a bit of subset X. An iterative procedure may be applied to the values of xi and yi and repeated n times, processing altogether 2n+w bits.
[0078] Although the invention is not limited in this respect, BIT, as defined in Algorithm 1, may be a valid random bit only if VALID=1. According to some demonstrative embodiments of the invention, all values of BIT, including invalid bits, may be used for propagating a counter in quality estimator 228, e.g., ELAPSED_CLOCKS. In addition, a value VALID=0, e.g., in validity signal 227, may update an equality case counter, e.g., EQUAL, in quality estimator 228. Although the invention is not limited in this respect, after r rounds of Algorithm 1, i.e., after distiller 224 processes r*(2*n+d) bits from bitstream 221, quality estimator 228 may calculate IOC = EQUAL/ ELAPSED_CLOCKS as an estimate for the IOC, e.g., in estimation signal 229.
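The following simulation of Algorithm 1 and of the IOC estimate IOC = #{X=Y}/N from paragraph [0075] is an added example, not part of the patent text. The software bit source, the function names and the sample parameters are assumptions; the round follows Algorithm 1 as printed, so it consumes n*(2+d) bits.

```python
"""Simulation of the on-the-fly distiller (Algorithm 1) with an IOC estimate.

Added example: the function names, the software bit source and the sample
parameters are assumptions, not part of the patent text.
"""
import random


def sticky_source(p_stay, seed):
    """Constructed test source: a two-state Markov chain over {0, 1}.

    Each bit repeats the previous one with probability p_stay, so
    p_stay=0.5 gives independent fair bits, values near 1 give long runs
    (a slowly changing sampled signal), and p_stay=1.0 is a stuck source.
    """
    rng = random.Random(seed)
    bit = rng.getrandbits(1)
    while True:
        yield bit
        if rng.random() >= p_stay:
            bit ^= 1


def distill_round(stream, n, d):
    """One round of Algorithm 1 over n*(2+d) = 2n+w bits of `stream`.

    Returns (BIT, VALID). X and Y are compared first bit first, so the
    first differing position decides X > Y (BIT=1) or X < Y (BIT=0).
    """
    bit = 0
    x_equal_y = 1
    decision_made = False
    for _ in range(n):
        xk = next(stream)
        for _ in range(d):              # separation bits, discarded
            next(stream)
        yk = next(stream)
        x_equal_y *= 1 - (xk ^ yk)
        if not decision_made and x_equal_y == 0:
            bit = xk
            decision_made = True
    return bit, 1 - x_equal_y


def distill(stream, n, d, rounds):
    """Run `rounds` rounds; return (valid output bits, IOC estimate).

    The estimate is #{X = Y} / N over N = rounds (X, Y) samples.
    """
    out = []
    equal = 0
    for _ in range(rounds):
        bit, valid = distill_round(stream, n, d)
        if valid:
            out.append(bit)
        else:
            equal += 1
    return out, equal / rounds


def source_in_reference(ioc_estimate, ioc_reference, tolerance):
    """Quality-estimator style check: is the estimate close to the reference?"""
    return abs(ioc_estimate - ioc_reference) <= tolerance


if __name__ == "__main__":
    N, ROUNDS = 5, 20000
    reference = 2 ** -N     # IOC of a uniform distribution over n-bit values
    cases = [("independent bits", 0.5, 3), ("sticky, d=0", 0.9, 0),
             ("sticky, d=3", 0.9, 3), ("stuck", 1.0, 3)]
    for label, p_stay, d in cases:
        bits, ioc = distill(sticky_source(p_stay, seed=1), N, d, ROUNDS)
        ones = sum(bits) / len(bits) if bits else float("nan")
        ok = source_in_reference(ioc, reference, tolerance=0.01)
        print(f"{label:17s} IOC~{ioc:.3f} valid={len(bits):5d} "
              f"ones={ones:.3f} in_reference={ok}")
```

For the correlated source the estimate sits far above the uniform reference 2^-n and drops as d grows, while a stuck source gives an estimate of 1 and no valid bits.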
[0079] According to some demonstrative embodiments of the invention, the throughput of RNG 200 (300) may be determined by the following parameters:
1. Sampling clock frequency (system clock) SCLK.
2. Distiller parameters n, w.
3. The value of IOC (the probability that X=Y in the resulting bits distribution)
For example, throughput may be calculated as follows:
THROUGHPUT (SCLK,IOC,n,w)=SCLK * (1- IOC) / (2n+w) [bits per second] (2)
[0080] In accordance with demonstrative embodiments of the invention, the distiller parameters n and/or w may be controlled and modified as necessary, e.g., in response to estimation signal 229 (329). However, the value of IOC, as defined in Lemma 1 above, may be a result of physical properties of ES 222 (322). Thus, to increase throughput, i.e., reduce IOC, the parameters of the physical implementation may need to be optimized, e.g., by trial-and-error experimentation.
[0081] For example, the following parameters and resulting throughputs may be implemented according to some demonstrative embodiments of the invention:
THROUGHPUT (SCLK = 50 MHz, IOC, n=5, w=15) = 2*(1-IOC) Mbit/sec (3)
THROUGHPUT (SCLK = 50 MHz, IOC, n=5, w=25) ~ 1.4*(1-IOC) Mbit/sec (4)
[0082] Although the invention is not limited in this respect, it will be appreciated that a 1 Mbit/sec throughput may be reached with a conservative estimate of IOC < 0.5. For example, robustness may depend on the sufficiency of the choice of n=5 (implying no more than five bits history correlation) and w=15 (implying that good mixing may be achieved within three transitions of the Markov chain). The throughput may be indirectly dependent, for example, on the average VLO frequency, denoted c0. In accordance with non-limiting demonstrative embodiments of the invention, it may be desirable to have c « c0. In some non-limiting demonstrative embodiments, the distiller parameters n and/or w may be increased, e.g., in order to compensate for an increase in the IOC, which may result, for example, from an over-sampling rate.
[0083] The following example shows that, according to some non-limiting embodiments of the invention, using Distiller(n>1) may be more efficient than using Distiller(1) twice, recursively.
[0084] In the following example n=2 is assumed. Denote the probability distribution Ω over the set A(n) = {00,01,10,11} by p0, p1, p2, p3, where p0+p1+p2+p3=1.
[0085] If Distiller(1) is used, and applied to independent samples of two bits, the resulting bits may be independent, but unbalanced (if p1 ≠ p2): Prob(bit=1) = p1 and Prob(bit=0) = p2.
[0086] This bias may be corrected by applying Distiller(1) to the bit stream, twice. The throughput of (Distiller(1))^2 may be calculated according to the following equation:
Throughput (Distiller(1))^2 = 1/2 * p1*p2 / (p1+p2) (5)
[0087] To compare, if Distiller(2) is used, and applied to independent 4-bit chunks, i.e., pairs of samples from Ω, the output bits may be i.i.d., and the throughput may be calculated according to the following equation:
Throughput (Distiller(2)) = 1/4 * ( 1 - ( p0^2 + p1^2 + p2^2 + p3^2 ) ) (6)
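Both throughput expressions can be derived as follows (an added derivation, not part of the patent text; throughput is counted in output bits per input bit, as in equation (2) with w=0):
Distiller(1), first pass: a 2-bit sample yields a bit only when its two bits differ, i.e., with probability p1+p2, so the rate is (p1+p2)/2, and the two output values occur with conditional probabilities p1/(p1+p2) and p2/(p1+p2).
Distiller(1), second pass: a pair of first-pass bits yields a bit only when the two differ, i.e., with probability 2*p1*p2/(p1+p2)^2, so the rate is p1*p2/(p1+p2)^2 per first-pass bit.
Product of the two rates: (p1+p2)/2 * p1*p2/(p1+p2)^2 = 1/2 * p1*p2/(p1+p2).
Distiller(2): a 4-bit chunk (X,Y) yields a bit when X ≠ Y, i.e., with probability 1 - IOC = 1 - (p0^2 + p1^2 + p2^2 + p3^2), so the rate is 1/4 * (1 - IOC).
With p0 = p3 = 0 and p1+p2 = 1, the Distiller(2) rate becomes 1/4 * 2*p1*p2 = 1/2 * p1*p2, which equals the (Distiller(1))^2 rate for the same distribution.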
[0088] It will be appreciated by those skilled in the art that Throughput (Distiller(2)) ≥ Throughput (Distiller(1))^2, and equality may occur, e.g., only when p0 = p3 = 0, i.e., in the degenerate case.
[0089] Reference is now made to Figs. 6A and 6B, which schematically illustrate collectors 600 and 602, respectively, in accordance with two respective demonstrative embodiments of the invention. Although the invention is not limited in this respect, collector 600 and/or 602 may perform the functionality of collector 226 (Fig. 2), e.g., the output of collectors 600 and 602 may correspond to output 230 (Fig. 2).
[0090] According to some non-limiting demonstrative embodiments of the invention, collector 600 may include a linear feedback shift register (LFSR) 610, and collector 602 may include a Galois shift register (GSR) 611. Each one of collectors 600 and 602 may receive an input bitstream 605, e.g., including substantially random bits output from distiller 224 (Fig. 2). Collector 600 may produce an output signal 630, e.g., based on the action of shift register 610. Collector 602 may produce an output signal 631, e.g., based on the action of shift register 611.
[0091] Referring to Fig. 6A, LFSR 610 may rely on a primitive recursive polynomial, e.g., p(x) = 1 + x^13 + x^31 of order 31, or any other suitable primitive polynomial as is known in the art. Although the invention is not limited in this respect, a primitive polynomial of order 31, e.g., p(x) above, may guarantee a long cycle of 2^31 different output values in signal 630 even in the case of a fixed input. It will be appreciated that output bits 630 may be linear functions of input bits 625. Thus, LFSR 610 may transfer any possible remaining correlations between input bits 625 to a longer term correlation, which may be harder to predict.
[0092] According to some non-limiting demonstrative embodiments of the invention, LFSR 610 may store 31 bits, e.g., denoted r0, ..., r30. LFSR 610 may output one bit to output signal 610 at each step of the cycle, e.g., based on the current internal state of the register and the next input bit from bitstream 625. For example, LFSR 610 may perform the following pseudo-code algorithm, e.g., based on the primitive polynomial p(x):
Algorithm 2
While (more bits are needed)
    For j from 30 downto 1
        rj (i+1) = r(j-1) (i)
    end
    r0 (i+1) = r30 (i) ^ r12 (i) ^ b(i)
    Output r30 (i)
    i++
end
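Algorithm 2 modelled bit by bit, as an added example that is not part of the patent text (the function names and the constructed inputs are assumptions). It checks the properties paragraph [0091] relies on: the output is a linear function of the input bits and the initial state, and a fixed input does not drive the register into a short cycle.

```python
"""Bit-level model of the LFSR collector of Algorithm 2 (added example)."""

LENGTH = 31          # register bits r0 .. r30
TAPS = (30, 12)      # stages XORed into the feedback, as in Algorithm 2


def lfsr_collect(state, in_bits):
    """Clock the register once per input bit.

    state   -- list of 31 bits, state[j] is r_j
    in_bits -- iterable of input bits b(i), e.g. distiller output
    Returns (output bits, final state); the output at step i is r30(i).
    """
    if len(state) != LENGTH:
        raise ValueError("state must hold 31 bits")
    r = list(state)
    out = []
    for b in in_bits:
        out.append(r[30])
        feedback = r[TAPS[0]] ^ r[TAPS[1]] ^ b
        r = [feedback] + r[:-1]   # r_j(i+1) = r_(j-1)(i), r_0(i+1) = feedback
    return out, r


def xor_bits(a, b):
    """Bitwise XOR of two equally long bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def satisfies_recurrence(out, in_bits):
    """Check o(t) = o(t-31) ^ o(t-13) ^ b(t-31) for every t >= 31."""
    return all(out[t] == out[t - 31] ^ out[t - 13] ^ in_bits[t - 31]
               for t in range(31, len(out)))


def distinct_states(state, steps):
    """Count distinct register states over `steps` clocks with constant input 0."""
    seen = set()
    r = list(state)
    for _ in range(steps):
        seen.add(tuple(r))
        _, r = lfsr_collect(r, [0])
    return len(seen)


if __name__ == "__main__":
    zero = [0] * LENGTH
    start = [1] + [0] * 30                      # constructed initial state
    a = [(i * i + 1) % 3 % 2 for i in range(200)]   # constructed input streams
    b = [(i // 3) % 2 for i in range(200)]

    out_a, _ = lfsr_collect(zero, a)
    out_b, _ = lfsr_collect(zero, b)
    out_ab, _ = lfsr_collect(zero, xor_bits(a, b))
    print("linear in the input:", out_ab == xor_bits(out_a, out_b))

    out_s, _ = lfsr_collect(start, a)
    free, _ = lfsr_collect(start, [0] * len(a))
    print("state and input superpose:", out_s == xor_bits(free, out_a))
    print("recurrence holds:", satisfies_recurrence(out_s, a))
    print("distinct states in 2000 clocks:", distinct_states(start, 2000))
```

Because the register is linear, its output is the XOR of a part that depends only on the initial state and a part that depends only on the input bits.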
[0093] Referring to Fig. 6B, GSR 611 may output a plurality of bits, e.g., an 8-bit byte, to output signal 631. For example, GSR 611 may perform the following pseudo-code algorithm to achieve the same recursion as described above, e.g., based on p(x):
Algorithm 3
While (more bits are needed)
    For j from 30 downto 1
        rj (i+1) = r(j-1) (i)
    end
    r12 (i+1) ^= r30 (i)
    r0 (i+1) = r30 (i) ^ b(i)
    Output r30 (i)
end
[0094] Embodiments of the present invention may be implemented by software, by hardware, or by any combination of software and/or hardware as may be suitable for specific applications or in accordance with specific design requirements. Embodiments of the present invention may include units and sub-units, which may be separate of each other or combined together, in whole or in part, and may be implemented using specific, multi-purpose or general processors, or devices as are known in the art. Some embodiments of the present invention may include buffers, registers, storage units and/or memory units, for temporary or long-term storage of data and/or in order to facilitate the operation of a specific embodiment.
[0095] While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents may occur to those of ordinary skill in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims

[0096] What is claimed is:
1. A device comprising: a distiller to receive a sequence of input bits, and to distil an output bit based on a comparison between one or more bits of a first subset of a set of said input bits and one or more bits of a second subset of said set, said set including said first and second subsets and a separation subset of one or more of said input bits to be discarded.
2. The device of claim 1, wherein said distiller is able to generate an output bit having a first value if the value corresponding to said first subset is bigger than the value corresponding to said second subset; and a second value if the value corresponding to said first subset is smaller than the value corresponding to said second subset.
3. The device of claim 1, wherein said distiller is able to generate a signal identifying said set as an invalid set if the value corresponding to said first subset is equal to the value corresponding to said second subset.
4. The device of claim 1, wherein said distiller is able to compare one or more sequences of at least one bit of said first subset to one or more sequences of at least one bit of said second subset, respectively.
5. The device of claim 1, wherein the number of bits in said first subset is equal to the number of bits in said second subset.
6. The device of claim 5, wherein: said set includes a sequence of 2*n+w input bits, w=d*n, wherein d, n, and w are positive integers; each of the first and second subsets includes n bits of said sequence; and the separation subset includes w bits of said sequence.
7. The device of claim 6, wherein each pair of consecutive bits of said first subset are separated by 2*d bits of said separation subset and one bit of said second subset, and wherein each pair of consecutive bits of said second subset are separated by 2*d bits of said separation subset and one bit of said first subset.
8. The device of claim 6, wherein said distiller is able to compare said first subset to said second subset by comparing a value corresponding to a bit of said first subset to a value corresponding to a respective bit of said second set; and selectively generate an output bit having a value based on at least one of the value corresponding to the bit of said first subset and the value corresponding to the bit of said second set.
9. The device of claim 8, wherein said distiller is able to generate a signal identifying said set as an invalid set if the values of all bits of said first subset are equal to the values of all bits of said second subset, respectively.
10. The device of claim 1, wherein said distiller is able to determine a number of said input bits to be assigned to each of said first subset, said second subset, and said separation subset based on a predetermined criterion corresponding to said output bits.
11. The device of claim 10, wherein said criterion corresponds to a relation between a number of valid output bits distilled, and a number of sets of said input bits used for distilling said output bits, said device comprising an estimator to estimate said relation.
12. The device of claim 10 comprising: a controller to generate an oscillation length value based on a predetermined criterion corresponding to said output bits; a variable length oscillator to generate an oscillator signal having an oscillation frequency corresponding to said oscillation length value; and a synchronizer to generate said input bits by sampling said oscillator signal.
13. The device of claim 12, wherein said synchronizer samples said oscillator signal in a first clock frequency, which is different than a second clock frequency used by said controller.
14. The device of claim 12, wherein said criterion corresponds to a relation between a number of valid output bits distilled by said distiller, and a number of sets of said input bits used for distilling said output bits.
15. A method comprising: receiving a sequence of input bits, and distilling an output bit based on a comparison between one or more bits of a first subset of a set of said input bits and one or more bits of a second subset of said set, said set including said first and second subsets and a separation subset of one or more of said input bits to be discarded.
16. The method of claim 15 comprising: generating an output bit having a first value if the value corresponding to said first subset is bigger than the value corresponding to said second subset; and a second value if the value corresponding to said first subset is smaller than the value corresponding to said second subset.
17. The method of claim 15 comprising identifying said set as an invalid set if the value corresponding to said first subset is equal to the value corresponding to said second subset.
18. The method of claim 15 comprising comparing said first subset to said second subset by comparing one or more sequences of at least one bit of said first subset to one or more sequences of at least one bit of said second subset, respectively.
19. The method of claim 15, wherein the number of bits in said first subset is equal to the number of bits in said second subset.
20. The method of claim 19, wherein: said set includes a sequence of 2*n+w input bits, w=d*n, wherein d, n, and w are positive integers; each of the first and second subsets includes n bits of said sequence; and the separation subset includes w bits of said sequence.
21. The method of claim 20, wherein each pair of consecutive bits of said first subset are separated by 2*d bits of said separation subset and one bit of said second subset, and wherein each pair of consecutive bits of said second subset are separated by 2*d bits of said separation subset and one bit of said first subset.
22. The method of claim 20 comprising: comparing said first subset to said second subset by comparing a value corresponding to a bit of said first subset to a value corresponding to a respective bit of said second set; and selectively generating an output bit having a value based on at least one of the value corresponding to the bit of said first subset and the value corresponding to the bit of said second set.
23. The method of claim 22 comprising identifying said set as an invalid set if the values of all bits of said first subset are equal to the values of all bits of said second subset, respectively.
24. The method of claim 15 comprising controllably assigning said plurality of input bits to said first subset, said second subset, and said separation subset based on a predetermined criterion corresponding to said output bits.
25. The method of claim 24, wherein said criterion corresponds to a relation between a number of valid output bits, and a number of sets of said input bits used for distilling said output bits.
26. The method of claim 24 comprising controllably generating said plurality of input bits based on a predetermined criterion corresponding to said output bits.
27. The method of claim 26, wherein controllably generating said input bits comprises controlling an oscillation frequency for generating said input bits based on said criterion.
28. The method of claim 27 comprising generating said input bits by sampling an oscillator signal in a first clock frequency, which is different than a second clock frequency for controlling said oscillation frequency.
29. The method of claim 26, wherein said criterion corresponds to a relation between a number of valid output bits, and a number of sets of said input bits used for distilling said output bits.
PCT/IL2005/001114 2004-10-26 2005-10-26 System, method and device of generating a random value WO2006046240A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US62167904P 2004-10-26 2004-10-26
US60/621,679 2004-10-26

Publications (2)

Publication Number Publication Date
WO2006046240A2 true WO2006046240A2 (en) 2006-05-04
WO2006046240A3 WO2006046240A3 (en) 2009-05-07

Family

ID=36228167

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2005/001114 WO2006046240A2 (en) 2004-10-26 2005-10-26 System, method and device of generating a random value

Country Status (1)

Country Link
WO (1) WO2006046240A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220147317A1 (en) * 2019-01-29 2022-05-12 Robert Bosch Gmbh Data processing device and method for operating a data processing device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5757923A (en) * 1995-09-22 1998-05-26 Ut Automotive Dearborn, Inc. Method of generating secret identification numbers
US5781458A (en) * 1997-03-05 1998-07-14 Transcrypt International, Inc. Method and apparatus for generating truly random numbers
US6480072B1 (en) * 2000-04-18 2002-11-12 Advanced Micro Devices, Inc. Method and apparatus for generating random numbers


Also Published As

Publication number Publication date
WO2006046240A3 (en) 2009-05-07


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BW BY BZ CA CH CN CO CR CU CZ DK DM DZ EC EE EG ES FI GB GD GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV LY MD MG MK MN MW MX MZ NA NG NO NZ OM PG PH PL PT RO RU SC SD SG SK SL SM SY TJ TM TN TR TT TZ UG US UZ VC VN YU ZA ZM

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SZ TZ UG ZM ZW AM AZ BY KG MD RU TJ TM AT BE BG CH CY DE DK EE ES FI FR GB GR HU IE IS IT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW MR NE SN TD TG

NENP Non-entry into the national phase in:

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 05798246

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 05798246

Country of ref document: EP

Kind code of ref document: A2