DE102020206723A1 - Random number generator - Google Patents

Abstract

Random number generator with purely digital circuit elements, which comprises a matrix (M) of individual oscillator circuits (100), which have an even number of inputs (t, b, I, r), each with an output (o) of an adjacent oscillator Circuit (100) are connected, two (t, b; l, r) of the inputs being connected to a first exclusive-or gate (102, 104), and the outputs of the first exclusive-or gates (102, 104) are connected to inputs of a further exclusive-OR gate (106), the output signal of which forms an output signal (o) of the individual oscillator circuit (100), and to inputs (b, t, r, I) of the respective neighboring oscillator Circuits (100), the oscillator circuits (100) at the edges of the matrix (M) being connected to oscillator circuits (100) at the opposite edges of the matrix (M), and the output signal of one of the oscillators Circuits (Out) the signal output (out) of the Matri x (M).

Description

The present invention relates to a self-testable real random number generator based on a combination of individualized matrix field oscillators consisting of mutually influencing XOR mini-oscillators.

State of the art

Random numbers are used in many areas. These include areas such as cryptography, Monte Carlo calculation and simulation, games of chance, etc. A particularly important area is cryptography. Here random numbers are required, among other things, for keys for symmetric and asymmetric cryptography procedures, cryptographic query-response protocols, initialization vectors or random stuffing bits. Chip cards, for example, are a practical area of application in this area.

• - auf Rauschen basierende Zufallszahlengeneratoren (noise based RNGs)
• - Zufallszahlengeneratoren basierend auf einem frei laufenden Oszillator (free running oscillator RNGs)
• - Chaos-Zufallszahlengeneratoren (chaos RNGs)
• - Quanten-Zufallszahlengeneratoren (quantum RNGs)

Random numbers can be generated by random number generators. There are essentially two main types of random number generators (RNGs): deterministic (pseudo-random) RNGs (DRNG or PRNG) and nondeterministic random number generators (genuinely random, hardware) based on a physical process (physical true RNG - TRNG or PTRNG). The latter can be briefly referred to as real or physical random number generators. The main requirement of them is that they generate unpredictable and uncontrollable random numbers. Although there are very many constructions of physical random number generators and although research in this area continues, the current state of the art can be determined according to the scientific publication " Mario Stipcevic and Çetin Kaya Koç, True Random Number Generators, Open Problems in Mathematics and Computational Science, Springer International Publishing, Switzerland, pp. 275-316, 2014 ", Which reveals the closest prior art, roughly subdivide this area into the following four families:

• - Noise based random number generators (noise based RNGs)
• - Random number generators based on a free running oscillator (RNGs)
• - Chaos random number generators (chaos RNGs)
• - Quantum random number generators (quantum RNGs)

There is currently no standardization in this area. However, in industry there is currently the use of physical random number generators based on a free running oscillator (FRO), the randomness or entropy of which can be derived from electronic noise in logic circuits and which have not proven to be strictly uniformly random . However, this type of random number generator basically offers easier technical feasibility. A more recent development in this area are random number generators based on a combination of a linear feedback shift register (LFSR) and a free-running oscillator (FRO). They are called the Fibonacci ring oscillator (FIRO) and the Galois ring oscillator (GARO).

• V. Fischer, Random Number Generators for Cryptography - Design and Evaluation, Summer School on Design and Security of Cryptographic Algorithms and Devices, Sibenik, Croatia, June 2014 ;
• M. Dichtl, Fibonacci Ring Oscillators as True Random Number Generators - A Security Risk, IACR Cryptology ePrint Archive, 270, 2015 ;
• W. Killmann and W. Schindler, AIS20/AIS31 - A Proposal for: Functionality Classes for Random Number Generators, version 2.0, 2011 ;
• A. Rukhin et al., A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST Special Publication 800-22, US Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, April 2010 ;
• M. Dichtl, J.D. Golic, High-Speed True Random Number Generation with Logic Gates Only, Cryptographic Hardware and Embedded Systems - CHES 2007, Lecture Notes in Computer Science, vol 4727, Springer, Berlin, Heidelberg, pp 45-62, 2007 ;
• J. Balasch et al., Design and testing methodologies for true random number generators towards industry certification, 2018 IEEE 23rd European Test Symposium (ETS), Bremen, pp. 1-10, 2018 ;
• M. Sönmez Turan et al., Recommendation for the Entropy Sources Used for Random Bit Generation, NIST Special Publication 800-90B, Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, January 2018 ;
• A. Schubert and W. Anheier, On Random Pattern Testability of Cryptographic VLSI Cores, Journal of Electronic Testing: Theory and Applications, Vol. 16, No. 3, Kluwer Academic Publishers, Netherlands, pp. 185-192, 2000 ;
• A. Schubert, Modellierung, Optimierung und Selbsttest von kryptographischen virtuellen Komponenten, Dissertation Universität Bremen, Fortschritt-Berichte VDI Reihe 10, Nr. 690, VDI Verlag GmbH, Düsseldorf, 2002 .

Further relevant state of the art can be found in the following scientific publications:

• V. Fischer, Random Number Generators for Cryptography - Design and Evaluation, Summer School on Design and Security of Cryptographic Algorithms and Devices, Sibenik, Croatia, June 2014 ;
• M. Dichtl, Fibonacci Ring Oscillators as True Random Number Generators - A Security Risk, IACR Cryptology ePrint Archive, 270, 2015 ;
• W. Killmann and W. Schindler, AIS20 / AIS31 - A Proposal for: Functionality Classes for Random Number Generators, version 2.0, 2011 ;
• A. Rukhin et al., A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST Special Publication 800-22, US Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, April 2010 ;
• M. Dichtl, JD Golic, High-Speed True Random Number Generation with Logic Gates Only, Cryptographic Hardware and Embedded Systems - CHES 2007, Lecture Notes in Computer Science, vol 4727, Springer, Berlin, Heidelberg, pp 45-62, 2007 ;
• J. Balasch et al., Design and testing methodologies for true random number generators towards industry certification, 2018 IEEE 23rd European Test Symposium (ETS), Bremen, pp. 1-10, 2018 ;
• M. Sönmez Turan et al., Recommendation for the Entropy Sources Used for Random Bit Generation, NIST Special Publication 800-90B, Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, January 2018 ;
• A. Schubert and W. Anheier, On Random Pattern Testability of Cryptographic VLSI Cores, Journal of Electronic Testing: Theory and Applications, Vol. 16, No. 3, Kluwer Academic Publishers, Netherlands, pp. 185-192, 2000 ;
• A. Schubert, Modeling, Optimization and Self-Testing of Cryptographic Virtual Components, Dissertation University of Bremen, Progress Reports VDI Series 10, No. 690, VDI Verlag GmbH, Düsseldorf, 2002 .

In summary, one can say about FRO random number generators that they promise low costs and effort, but represent a solution with low entropy. They offer neither a very good nor a provable randomness. There is also a risk of FROs being coupled to the system clock or other logic circuitry on the chip, including nearby FROs. The implementation details of FROs often need to be adapted to the specific type, generation or technology of an FPGA or ASIC. Despite their interesting and innovative principle, Fibonacci ring oscillators and Galois ring oscillators only represent a partial solution to the problems of FROs. The problem of non-portability and the requirement of a sufficiently large noise for a reasonable random behavior, far from a pseudo-random behavior, remain exist. Another problem observed with this new type of ring oscillator is the risk of an unwanted standstill or the occurrence of periodic rather than chaotic oscillations. In general, the spread of real random number generators is still rather limited. This is probably also due to the fact that the price of good real commercial random number generators with high bit rates, such as real quantum random number generators, is quite high.

Starting from the prior art described, the object of the present invention is to create a random number generator which guarantees a robust, reliable, maximally genuinely random behavior and is constructed exclusively using known digital circuits. In this way, according to the invention, a cryptographic circuit for executing symmetrical and / or asymmetrical cryptography methods can be created for the first time, which is completely built up on a single integrated digital circuit, including a real random number generator with robust, reliable, approximately maximum real randomness (entropy).

According to the invention, this object is achieved in that the random number generator comprises a matrix of individual oscillator circuits that have an even number of inputs that are each connected to an output of an adjacent oscillator circuit, two of the inputs with a first exclusive or Gates are connected, and the outputs of the first exclusive-or gates are connected to inputs of a further exclusive-or gate, the output signal of which forms an output signal of the individual oscillator circuit, and is connected to inputs of the respective neighboring oscillator circuits, wherein the oscillator circuits at the edges of the matrix are correspondingly connected to oscillator circuits at the opposite edges of the matrix, and the output signal of one of the oscillator circuits forms the signal output of the matrix.

With this circuit arrangement it is possible for the first time by means of a novel combination of known digital individual circuits to generate an analog output signal with a genuinely random signal curve, which enables a robust and reliable extraction of almost a maximum of genuine randomness (entropy) by scanning. It is no longer necessary, as with previous real random number generators with high quality, to generate this real random analog output signal by means of analog circuits and / or other physical aids, such as radioactive decay.

The basic idea is to stay as close as possible to the idea of an oscillator-based random number generator with so-called matrix field oscillators, but a) the real random influence (real entropy) of unpredictable, intrinsic changes (instabilities) of delay times of circuit elements due to electronic noise to decisively increase or amplify the signal propagation and thus the states in a complex asynchronous circuit and thus significantly reduce the pseudo-random influence and b) use the positive properties of XOR logic modules in the form of so-called mini-oscillators as optimally as possible and c ) security and robustness against unwanted manipulation (attacks) through the selected complex circuit structure to increase significantly. The output signals of the XOR mini oscillators at the edges of the matrix field oscillators are not fed back directly as input signals, but rather serve as input signals for the XOR mini oscillators at the opposite edges of the respective matrix field oscillator. This measure serves to improve the statistical properties of the random number generator. The matrix field oscillators should not become too large in order to enable a combination of several matrix field oscillators.

• Hierbei ist es bevorzugt, dass das Ausgangssignal der einzelnen Oszillator-Schaltung noch über einen Signaleingang eines Multiplexers geführt ist, dessen Steuereingang mit einem ersten binären Steuersignal und dessen anderer Signaleingang mit einem weiteren binären Steuersignal verbunden ist, und dessen Ausgangssignal das Ausgangssignal der einzelnen Oszillator-Schaltung bildet, wobei das erste binäre Steuersignal zum Aktivieren und Deaktivieren der Matrix aus Oszillator-Schaltungen dient, und das weitere binäre Steuersignal zum sicheren Anlaufen der einzelnen Oszillator-Schaltungen dient.

Further preferred embodiments of the present invention emerge from the subclaims:

• It is preferred that the output signal of the individual oscillator circuit is also routed via a signal input of a multiplexer, the control input of which is connected to a first binary control signal and the other signal input of which is connected to a further binary control signal, and the output signal of which is the output signal of the individual oscillator Forms circuit, wherein the first binary control signal is used to activate and deactivate the matrix of oscillator circuits, and the further binary control signal is used to safely start the individual oscillator circuits.

In this way, the random number generator according to the invention can be switched on and off in a targeted manner and, at the same time, reliable oscillation of the individual oscillator circuits can be brought about.

It is further preferred to route the output signal of at least one of the individual oscillator circuits via an inverter. This improves both the randomness of the output signal and the reliability of the oscillation of the connected oscillator circuits.

It is further preferred that the matrix is two-dimensional, preferably square, and preferably comprises 6 × 6 individual oscillator circuits.

The present invention would also work with a one-dimensional matrix, but then reliable oscillation of the oscillators is no longer guaranteed and the random behavior could be manipulated by external influences. A more than two-dimensional design of the matrix leads to an extremely complicated circuit structure without any significant gain in manipulation resistance and randomness of the circuit behavior.

It is also preferred that a further one of the oscillator circuits of the matrix is connected to a special further binary control signal at its multiplexer, which is set up in such a way that it is activated for a short period of time directly before the matrix is activated via the first binary control signal , and thus serves to safely start up the oscillator circuits of the matrix. In this way, a reliable start-up of the oscillators of the matrix can be ensured.

It is further preferred that only one further oscillator circuit in the matrix is provided with an inverter.

It has been shown that the provision of an inverter in the entire matrix improves the oscillation of all oscillators. Providing more inverters does not bring any greater gain, but increases the circuit complexity.

Furthermore, it is preferred according to the invention to connect the output signal of the matrix to a D flip-flop (first metastabilty FF stage), the output signal of which represents the sampled - possibly metastable - output signal of the matrix. Together with the second metastability FF stage, the desired digital output signal of the matrix can most easily be provided in this way, since the matrix itself, as described above, supplies an analog output signal exclusively from digital circuits despite its composition.

A violation of the setup and hold times of the first D flip-flop stage by the analog output signal of the matrix leads to a non-digital (metastable) "intermediate signal" after the first D flip-flop stage, see https: //de.wikipedia .org / wiki / metastability_ (digital_circuit). A purely digital and synchronized output signal is only obtained after the second D flip-flop stage.

It is also preferred if the random number generator according to the invention comprises several matrices of individual oscillator circuits, the sampled output signals of which are all connected to an input of an exclusive-or gate, the output of which supplies the random sequence.

The XOR combination of several individualized matrix field oscillators at the same time as digitization (and synchronization) has the advantage that the failure of a matrix field oscillator may also be intercepted.

In addition, the XOR combination of independent matrix field oscillators makes the random number generator more random and robust, since the entropy at the output of the XOR combination is greater than the individual entropies at the outputs of the matrix field oscillators (before the XOR combination).

It is also preferred if the output of the exclusive-or gate is connected to an input of the second D flip-flop stage (second metastability FF stage), the output of which supplies the digitized and synchronized random sequence.

It is also preferred if the individual matrices connected by the exclusive-OR gate are individualized in that in each of the matrices the relative positions of the oscillator circuits with the inverter, the signal output and the special additional binary control signal (location the excitation) are different from each other.

The individualization of the matrix field oscillators by choosing the location of the excitation, the inverter and the output make the matrix field oscillators independent of one another. In this way, the statistical properties of the random number generator can be further improved and the risk of coupling matrix field oscillators can be avoided. The use of an additional inverter in the matrix field serves to avoid the risk of an unwanted standstill or periodic oscillation of a matrix field oscillator.

It is also preferred to connect the output signal of an oscillator circuit of a matrix to a data input of a first D flip-flop whose output is connected to a data input of a second D flip-flop whose output is connected to a data input of a third D flip-flop, the output of which, like the output of the second D flip-flop, is connected to an input of an exclusive-or gate, the output of which indicates whether the oscillator circuit is oscillating. In this way, according to the invention, a control signal is provided about the correct oscillation of the respective matrices from oscillator circuits.

It is further preferred that the outputs of the exclusive-OR gates of different oscillator circuits of a matrix are each connected to an input of an OR gate, the output of which is connected to the reset input of a counter that counts up with a system clock Overflow provides a signal that the matrix is not oscillating properly.

In this way it is ensured that only real standstills of the oscillators of the matrices deliver a fault signal. Finally, an analog random output signal also means that the signal can be a constant zero or one over a longer period of time, since this signal sequence is unlikely but cannot be ruled out.

To monitor the entire random number generator according to the invention, it is preferred to connect the overflow signals of the counters of the matrices connected to the random number generator to an input of an AND gate whose output signal indicates a total failure of the random number generator. This total failure test has the task of quickly indicating a total failure of the random number generator and is adapted to the special structure according to the invention of the random number generator.

According to the invention, post-processing after digitization is not necessary in order to pass statistical tests. A waiting time (start-up time) is preferably introduced directly after the start of the random number generator before the first random values are output. During this time, the resulting data will be discarded. With this measure, the still existing pseudo-random influence on the random number generator is decisively reduced. Built-in oscillation health tests enable reliable statements to be made about the states of the matrix field oscillators. The evaluation of all oscillation tests leads to a simple, effective and quick test for the detection of a Total failure test (TOT) of the noise source. Furthermore, the random number generator can be brought into a state of rest in a targeted manner by means of a corresponding input signal.

• - Kombination von individualisierten Matrixfeld-Oszillatoren, die unabhängig voneinander sind, zu einem statistisch starken, robusten, echten Zufallszahlengenerator
• - bessere echte Zufallseigenschaften als andere bekannte vergleichbare Ansätze
• - keine zusätzliche (komplexe) Nachbearbeitung (post-processing) nach der Digitalisierung notwendig zur Erreichung der geforderten statistischen Eigenschaften
• - hervorragende Ergebnisse bei statistischen Tests (AIS-31-Testsuite, NIST statistische Testsuite/NIST 800-22, TestU01 statistischer Test von der Universität Montreal und Tests gemäß NIST SP800-90B) der Original-Zufallssequenz (raw random sequence) nach der Digitalisierung (alle Tests werden bestanden)
• - kostengünstiger und technologieunabhängiger Ansatz ohne analoge Komponenten, da sehr einfache Implementierbarkeit und Portierbarkeit des Zufallszahlengenerators bei alleiniger Verwendung von normaler digitaler Logik (geeignet für alle FPGAs und ASICs) mit begrenzten Ressourcen und keine Notwendigkeit von speziellen manuellen Interventionen (stattdessen automatische Synthese)
• - höhere Sicherheit durch die Implementierung des ganzen Zufallszahlengenerators in einen einzigen Chip und ggf. zusätzliche Integration eines kryptographischen Systems in demselben Chip, da Realisierung des Zufallszahlengenerators unter alleiniger Verwendung von normaler digitaler Logik (geeignet für alle FPGAs und ASICs) bei begrenzten Ressourcen
• - sehr hohe konstante Bitrate (mindestens 30 Mbit/s) im Vergleich mit vergleichbaren Zufallszahlengeneratoren (digitale Logik, Aufwand, Kosten) möglich
• - Vermeidung der Gefahr eines Stillstandes des Zufallszahlengenerators (stall) bzw. von periodischen Oszillationen durch Einsatz mindestens eines zusätzlichen Inverters in jedem der Matrixfeld-Oszillatoren
• - entscheidende Reduzierung des noch vorhandenen kleinen pseudozufälligen Einflusses auf die Ausgangssequenz nach der Digitalisierung durch eine Wartezeit (Verwerfen der anfallenden Daten während der Wartezeit) direkt nach Start vor Ausgabe des ersten Zufallswerts
• - weitgehende Temperaturunabhängigkeit des Zufallsprozesses
• - keine Gefahr der Kopplung von Matrixfeld-Oszillatoren im Vergleich zu FROs u.a. aufgrund der Individualisierung und der komplexen Struktur (Gatter-Rückkopplungspfade) der Matrixfeld-Oszillatoren (wesentlich komplexer als FROs)
• - große Sicherheit und Robustheit des Zufallszahlengenerators (bisher sind keine Attacken und/oder Schwächen bekannt), da deutlich kleinere Gefahr der Manipulation von Matrixfeld-Oszillatoren beispielsweise im Rahmen von aktiven Seitenkanalattacken im Vergleich zu FROs u.a. aufgrund der Individualisierung und der komplexen Struktur (Gatter-Rückkopplungspfade) der Matrixfeld-Oszillatoren (wesentlich komplexer als FROs)
• - einfacher, effektiver und schneller Totalausfall-Test basierend auf eingebauten Oszillationsprüfungen der Matrixfeld-Oszillatoren.

The present invention has the following advantages:

• - Combination of individualized matrix field oscillators, which are independent of each other, to a statistically strong, robust, real random number generator
• - better real random properties than other known comparable approaches
• - No additional (complex) post-processing after digitization necessary to achieve the required statistical properties
• - Excellent results in statistical tests (AIS-31 test suite, NIST statistical test suite / NIST 800-22, TestU01 statistical test from the University of Montreal and tests according to NIST SP800-90B) of the original random sequence (raw random sequence) after digitization ( all tests are passed)
• - Cost-effective and technology-independent approach without analog components, as the random number generator is very easy to implement and portability when using only normal digital logic (suitable for all FPGAs and ASICs) with limited resources and no need for special manual interventions (instead, automatic synthesis)
• - Higher security through the implementation of the entire random number generator in a single chip and, if necessary, additional integration of a cryptographic system in the same chip, since the random number generator is implemented using only normal digital logic (suitable for all FPGAs and ASICs) with limited resources
• - Very high constant bit rate (at least 30 Mbit / s) possible in comparison with comparable random number generators (digital logic, effort, costs)
• - Avoidance of the risk of the random number generator stalling or of periodic oscillations by using at least one additional inverter in each of the matrix field oscillators
• - Decisive reduction of the small pseudo-random influence that still exists on the output sequence after digitization through a waiting time (discarding the resulting data during the waiting time) directly after the start before the output of the first random value
• - extensive temperature independence of the random process
• - no risk of coupling matrix field oscillators in comparison to FROs due to the individualization and the complex structure (gate feedback paths) of the matrix field oscillators (much more complex than FROs)
• - Great security and robustness of the random number generator (no attacks and / or weaknesses are known to date), since the risk of manipulation of matrix field oscillators, for example in the context of active side-channel attacks, compared to FROs, among other things due to the individualization and the complex structure (gate- Feedback paths) of the matrix field oscillators (much more complex than FROs)
• - simple, effective and fast total failure test based on built-in oscillation tests of the matrix field oscillators.

1. A. Kombination mit kryptographischer Nachbearbeitung (cryptographic postprocessing) mit deterministischen RNG (DRNG) gemäß AIS20/31.
2. B. eingebettete On-line-Tests (initiale, regelmäßige und auf Anfrage) beispielsweise gemäß AIS20/31 und/oder NIST zusätzlich zu den schon vorhandenen Tests.
3. C. Erstellen eines stochastischen Modells gemäß AIS20/31
4. D. Veränderung der Größe der Matrixfeld-Oszillatoren
5. E. Veränderung der Dimension der Matrixfeld-Oszillatoren
6. F. veränderter Einsatz von Invertern in den Matrixfeld-Oszillatoren
7. G. Veränderung der Anzahl der zu kombinierenden Matrixfeld-Oszillatoren
8. H. Veränderung der Wartezeit (Anlaufzeit) nach Start des Zufallszahlengenerators vor Ausgabe des ersten Zufallswertes bei Verwerfen der vorherigen Werte
9. I. Einführung einer Neustart-Betriebsart für Hochsicherheitsanwendungen
10. J. Puffern von Zufallszahlen vor Ausgabe
11. K. Eventuelle (Verwendung nur in bestimmten Fällen bei 1. sehr seltenen Anwendungen des Ausführungsbeispiels mit extremen Anforderungen an die statistischen Eigenschaften oder bei 2. für sehr gute statistischen Eigenschaften nicht ausreichender Konfiguration des Zufallszahlengenerators (beispielsweise kleinere Anzahl von Matrixfeld-Oszillatoren oder kleinere Anzahl von XOR-Mini-Oszillatoren in den Matrixfeld-Oszillatoren als beim Ausführungsbeispiel) zusätzliche Nachbearbeitung (postprocessing) wie beispielsweise mit dem Von-Neumann-Verfahren

If necessary, the present invention can be further developed as follows:

1. A. Combination with cryptographic postprocessing with deterministic RNG (DRNG) according to AIS20 / 31.
2. B. Embedded on-line tests (initial, regular and on request) for example according to AIS20 / 31 and / or NIST in addition to the tests already available.
3. C. Creation of a stochastic model according to AIS20 / 31
4. D. Changing the size of the matrix field oscillators
5. E. Changing the dimension of the matrix field oscillators
6. F. Changed use of inverters in the matrix field oscillators
7. G. Changing the number of matrix field oscillators to be combined
8. H. Change in the waiting time (start-up time) after the start of the random number generator before outputting the first random value if the previous values are discarded
9. I. Introduction of a restart mode of operation for high security applications
10. J. Buffering random numbers before output
11. K. Possible (use only in certain cases in 1. very rare applications of the exemplary embodiment with extreme requirements on the statistical properties or in 2. for very good statistical properties insufficient configuration of the random number generator (for example smaller number of matrix field oscillators or smaller number of XOR mini-oscillators in the matrix field oscillators as in the exemplary embodiment) additional post-processing, for example with the Von Neumann method

• zu A.: Gewährleistung der Unvorhersehbarkeit von generierten Zahlen in Vorwärts und/oder Rückwärtsrichtung bei permanenten und temporären Ausfall der Rauschquelle (entropy source)
• zu B.: umfassende On-line-Test-Strategie (u.a. auch On-line-Test der statistischen Eigenschaften)
• zu C.: Entropie-Abschätzung, Erfüllen der Anforderungen von AIS20/31
• zu D, E, F, G, H: Anpassung an veränderte technische Gegebenheiten, d.h. z.B. an neue FPGA- oder ASIC-Technologiegenerationen, oder an neue Erkenntnisse hinsichtlich Schwächen bzw. Attacken
• zu I: Online-Test der echten Zufälligkeitseigenschaften
• zu J: Ergebnisse von Tests abwarten und ggf. mangelhafte Daten verwerfen.
• zu K.: Einsatz der Nachverarbeitung zur weiteren Verbesserung der statistischen Eigenschaften der vom Zufallszahlengenerator erzeugten Zufallsdaten (in den allermeisten Anwendungsfällen dieses Zufallszahlengenerators und insbesondere im Fall des Ausführungsbeispiels ist diese Nachbearbeitung nicht notwendig und nicht vorteilhaft bzw. wünschenswert u.a. wegen der Reduzierung der Datenbitrate).

These further developments can also enable the following advantages:

• Re A .: Guarantee of the unpredictability of generated numbers in forward and / or backward direction in the event of permanent and temporary failure of the noise source (entropy source)
• to B .: comprehensive on-line test strategy (including on-line test of statistical properties)
• to C .: Entropy estimation, fulfillment of the requirements of AIS20 / 31
• Re D, E, F, G, H: Adaptation to changed technical conditions, ie for example to new FPGA or ASIC technology generations, or to new findings regarding weaknesses or attacks
• to I: online test of the real randomness properties
• Re J: Wait for the results of tests and, if necessary, discard inadequate data.
• To K .: Use of post-processing to further improve the statistical properties of the random data generated by the random number generator (in the vast majority of applications of this random number generator and especially in the case of the exemplary embodiment, this post-processing is not necessary and not advantageous or desirable, among other things because of the reduction in the data bit rate).

• - Veränderung der Größe der zweidimensionalen, quadratischem Matrixfeld-Oszillatoren, d.h. andere Anzahl von XOR-Mini-Oszillatoren
• - Veränderung der Formen der Matrixfeld-Oszillatoren (kein Quadrat)
• - Veränderung der Verdrahtung der XOR-Mini-Oszillatoren, insbesondere an den Rändern der Matrixfeld-Oszillatoren
• - Veränderung der Dimension der Matrixfeld-Oszillatoren (eindimensionale oder mehrdimensionale (dreidimensionale, vierdimensionale, ...) Struktur durch entsprechende Veränderung der Anzahl der Eingänge der XOR-Mini-Oszillatoren und der zweidimensionalen Verdrahtung der XOR-Mini-Oszillatoren)
• - Veränderung der Logik-Struktur in den XOR-Mini-Oszillatoren (z.B. XOR-Gatter mit 4 Eingängen)
• - veränderter Einsatz von Invertern in den Matrixfeld-Oszillatoren
• - Veränderung der Anzahl der Matrixfeld-Oszillatoren
• - Veränderung der Individualisierung der Matrixfeld-Oszillatoren
• - Veränderung der Wartezeit (Anlaufzeit) nach Start des Zufallszahlengenerators vor Ausgabe des ersten Zufallswertes bei Verwerfen der vorherigen Werte
• - veränderter Totalausfall-Test bzw. andere Oszillationsprüfungen (z.B. andere Anzahl von Takten ohne Flanke der jeweils 6 Testsignale als Schwelle für die Meldung einer Nicht-Oszillation).

The following modifications of the present invention are possible:

• - Change in the size of the two-dimensional, square matrix field oscillators, ie a different number of XOR mini-oscillators
• - Modification of the shapes of the matrix field oscillators (no square)
• - Change in the wiring of the XOR mini oscillators, especially at the edges of the matrix field oscillators
• - Change in the dimensions of the matrix field oscillators (one-dimensional or multi-dimensional (three-dimensional, four-dimensional, ...) structure by changing the number of inputs of the XOR mini oscillators and the two-dimensional wiring of the XOR mini oscillators)
• - Change of the logic structure in the XOR mini oscillators (e.g. XOR gate with 4 inputs)
• - Changed use of inverters in the matrix field oscillators
• - Change in the number of matrix field oscillators
• - Change in the individualization of the matrix field oscillators
• - Change in the waiting time (start-up time) after starting the random number generator before outputting the first random value if the previous values are discarded
• - Modified total failure test or other oscillation tests (e.g. different number of cycles without edge of the 6 test signals as a threshold for reporting a non-oscillation).

There is a VHDL model of an exemplary embodiment of the random number generator according to the invention. Based on this VHDL model, a prototype of the exemplary embodiment of the random number generator is implemented on a SmartFusion evaluation board with the SmartFusion - FPGA A2F200M3F-FGG484 from Microsemi (Microchip Technology). There are further implementations of the prototype on an IGLOO-Nano-Starter-Kit-Board also from Microsemi, on a Cmod-S6-Board from Digilent with the Xilinx Spartan 6 LX4 FPGA (Spartan 6 XC6SLX4-2CPG196 FPGA) and on a Cmod- S7 board from Digilent with the Xilinx Spartan 7 FPGA (Spartan 7 XC7S25-1 CSGA225C FPGA).

The invention is described and explained in more detail below using an exemplary embodiment shown in the drawings.

• 1 einen erfindungsgemäßen XOR-Mini-Oszillator ohne Darstellung der Rückkopplung über Nachbar-Mini-Oszillatoren;
• 2 die erfindungsgemäße Verbindung zweier benachbarter XOR-Mini-Oszillatoren der 1;
• 3 den Aufbau eines erfindungsgemäßen Matrixfeld-Oszillators aus einer zweidimensionalen Matrix von XOR-Mini-Oszillatoren mit einer beispielhaften Individualisierung ohne Darstellung der Verbindungsleitungen an den Rändern;
• 4 den Matrixfeld-Oszillator der 3 mit Darstellung der Verbindungsleitungen an den Rändern (zum Zweck der Übersichtlichkeit sind hier die Signalbezeichnungen bei den einzelnen Oszillatoren weggelassen);
• 5 die Nummerierung der Elemente der Matrix eines Matrixfeld-Oszillators;
• 6 die Gesamtschaltung eines erfindungsgemäßen Zufallszahlengenerators aus den einzelnen vorbeschriebenen Elementen mit digitalisierter Rauschquelle (ohne Totalausfall-Test und Oszillationsprüfungen);
• 7 die erfindungsgemäß vorgeschlagene Schaltung für die Flankenerkennung zum Zweck der Oszillationsprüfung;
• 8 die Schaltung für die erfindungsgemäße Oszillationsprüfung;
• 9 die erfindungsgemäße Schaltung für den Totalausfall-Test;
• 10 das Ausgangssignal eines erfindungsgemäßen Matrixfeld-Oszillators im Zeit- (oberer Teil der Abbildung) und im Frequenzbereich (unterer Teil der Abbildung) falls der Matrixfeld-Oszillator deaktiviert ist;
• 11 das gleiche Ausgangssignal für den Fall der Aktivierung des Matrixfeld-Oszillators;
• 12 drei Kurven des Verlaufs der differenziellen Ausgangsspannung eines erfindungsgemäßen Matrixfeld-Oszillators nach drei verschiedenen Neustarts;
• 13 die Standardabweichung der differenziellen Ausgangsspannung des Matrixfeld-Oszillators nach 1000 verschiedenen Neustarts;
• 14 das arithmetische Mittel der differenziellen Ausgangsspannung des Matrixfeld-Oszillators nach 1000 verschiedenen Neustarts;
• 15 die Häufigkeitsverteilung von Byte-Werten bei einer vom Zufallszahlengenerator erzeugten Datenmenge, die bei 100.000 Neustarts mit jeweils 125-Byte- bzw. 1.000-Bit-Datenblöcken entstanden ist, ohne Wartezeit nach jedem Neustart;
• 16 die gleiche Häufigkeitsverteilung, wenn die Daten erst nach einer Wartezeit von 45 Mikrosekunden nach jedem Neustart aufgezeichnet werden.

Show it:

• 1 an XOR mini-oscillator according to the invention without showing the feedback via neighboring mini-oscillators;
• 2 the inventive connection of two adjacent XOR mini-oscillators 1 ;
• 3 the structure of a matrix field oscillator according to the invention from a two-dimensional matrix of XOR mini-oscillators with an exemplary individualization without showing the connecting lines at the edges;
• 4th the matrix field oscillator of the 3 with a representation of the connecting lines at the edges (for the sake of clarity, the signal designations for the individual oscillators have been omitted);
• 5 the numbering of the elements of the matrix of a matrix field oscillator;
• 6th the overall circuit of a random number generator according to the invention from the individual elements described above with a digitized noise source (without total failure test and oscillation tests);
• 7th the circuit proposed according to the invention for edge detection for the purpose of oscillation testing;
• 8th the circuit for the oscillation test according to the invention;
• 9 the circuit according to the invention for the total failure test;
• 10 the output signal of a matrix field oscillator according to the invention in the time (upper part of the figure) and in the frequency domain (lower part of the figure) if the matrix field oscillator is deactivated;
• 11th the same output signal in the event that the matrix field oscillator is activated;
• 12th three curves of the profile of the differential output voltage of a matrix field oscillator according to the invention after three different restarts;
• 13th the standard deviation of the differential output voltage of the matrix field oscillator after 1000 different restarts;
• 14th the arithmetic mean of the differential output voltage of the matrix field oscillator after 1000 different restarts;
• 15th the frequency distribution of byte values in the amount of data generated by the random number generator, which has arisen after 100,000 restarts with 125-byte or 1,000-bit data blocks each, without waiting time after each restart;
• 16 the same frequency distribution if the data is not recorded for 45 microseconds after each restart.

An essential part of the invention are so-called XOR mini-oscillators, which become so-called matrix field oscillators or matrices M. are interconnected. the 1 shows the structure of an XOR mini oscillator 100 .

• t (top): hier ist der Ausgang des in der Matrix oberhalb gelegenen Oszillators angeschlossen
• b (bottom): hier ist der Ausgang des in der Matrix unterhalb gelegenen Oszillators angeschlossen
• l (left): hier ist der Ausgang des in der Matrix links gelegenen Oszillators angeschlossen und
• r (right): hier ist der Ausgang des in der Matrix rechts von dem Oszillator 100 gelegenen Oszillators angeschlossen.

The oscillator shown here 100 is for use in a two-dimensional matrix M. intended. It therefore has four inputs to which the four output signals of each in the matrix M. neighboring oscillators are connected:

• t (top): the output of the oscillator located above in the matrix is connected here
• b (bottom): the output of the oscillator located below in the matrix is connected here
• l (left): the output of the oscillator on the left in the matrix is connected here and
• r (right): here is the output of the one in the matrix to the right of the oscillator 100 located oscillator connected.

• Die Eingänge t und b sind mit dem Exklusiv-Oder-Gatter 102 verbunden, die Eingänge I und r sind mit dem Exklusiv-Oder-Gatter 104 verbunden. Die Ausgänge der beiden Gatter 102, 104 sind wiederum mit den beiden Eingängen eines weiteren nachgeschalteten Exklusiv-Oder-Gatters 106 verbunden. Dessen Ausgang ist mit einem Eingang eines Multiplexeres 108 verbunden. Der Multiplexer 108 verfügt über zwei Eingänge, die mittels des Signals s[1] umgeschaltet werden können. Damit kann der Oszillator ein- und ausgeschaltet werden, indem zum Einschalten das Signal s[1] so belegt wird, dass der Multiplexer 108 den Eingang durchschaltet, an dem das Exklusiv-Oder-Gatter 106 angeschlossen ist. Im ausgeschalteten Zustand wird der Eingang durchgeschaltet, an dem das Signal s[0] liegt. Dieses Signal ist üblicherweise auf 0 gesetzt, lediglich bei einem speziellen Oszillator in der Matrix M, dem Oszillator „Start“, der als Ort der Anregung für die Oszillatoren der Matrix M dient, wird dieses Signal zum sicheren Anlaufen des Oszillators während des Einschaltvorgangs kurzfristig auf 1 gesetzt, bevor dann der Multiplexer 108 auf den Eingang umgeschaltet wird, der mit dem Ausgang des Exklusiv-Oder-Gatters 106 verbunden ist.

Two of the inputs are connected to an exclusive-or gate:

• The inputs t and b are with the exclusive-or gate 102 connected, the inputs I and r are connected to the exclusive-or gate 104 tied together. The outputs of the two gates 102 , 104 are in turn connected to the two inputs of a further downstream exclusive-or gate 106 tied together. Its output is with an input of a multiplexer 108 tied together. The multiplexer 108 has two inputs that can be switched using the s [1] signal. This enables the oscillator to be switched on and off by assigning signal s [1] so that the multiplexer is switched on 108 switches through the input at which the exclusive-or gate 106 connected. When switched off, the input to which the signal s [0] is applied is switched through. This signal is usually set to 0, only for a special oscillator in the matrix M. , the oscillator "Start", which acts as a place of excitation for the oscillators of the matrix M. is used, this signal is set to 1 for a safe start-up of the oscillator during the switch-on process, before the multiplexer then 108 the input is switched to that with the output of the exclusive-OR gate 106 connected is.

In the normal case, the output of the multiplex represents 108 the output of the oscillator 100 There is only an inverter in the matrix for a special oscillator 110 between the output of the multiplex 108 and the final output o (out) switched.

To ensure the statistical properties and portability of the random number generator, the logic structure of this circuit should be strictly adhered to. The dashed inverter 110 is optional, meaning it is as part of the customization of a matrix field oscillator M. at the output of only one XOR mini oscillator 100 a matrix field oscillator M. implemented. It is used to avoid the risk of an unwanted standstill or periodic oscillations of a matrix field oscillator M. .

The basic considerations for choosing this basic structure are explained below. The oscillator behavior when connecting several XOR mini oscillators 100 becomes clear from the following considerations. There are two XOR mini oscillators 100 connected with each other. the 2 shows two adjacent XOR mini-oscillators 100 . With s [1: 0] = 10, the path marked with the letters A to F represents a feedback path. With certain values of the inputs, this feedback path forms an inverter functionality that is similar to a feedback inverter to an oscillator behavior leads. Table 1 shows the value combinations of the inputs for which the feedback path has an inverter functionality. It should be noted that with half of all possible value combinations (32 of 64) an inverter functionality of the feedback path and thus an oscillator behavior occurs. It should also be noted that in the exemplary embodiment not just two but 36 XOR mini-oscillators 100 to a so-called matrix field oscillator M. are interconnected. They are linked together so that every XOR mini-oscillator 100 four neighboring XOR mini-oscillators 100 Has. Ie every XOR mini oscillator 100 basically has four possibilities to form a feedback path and to generate oscillator signals. Table 1: Value combinations of the inputs of two adjacent XOR mini-oscillators 100 with an inverter functionality in the feedback path r _{(i + 1, k)} l _{(i + 1, k)} b _{(i + 1, k)} r _{(i, k) \} l _{(i, k)} t _{(i, k)} Inverter functionality of the XOR mini oscillator 0 0 0 0 0 1 I. 0 0 0 0 1 0 I. 0 0 0 1 0 0 I. 0 0 0 1 1 1 I. 0 1 1 0 0 1 I. 0 1 1 0 1 0 I. 0 1 1 1 0 0 I. 0 1 1 1 1 1 I. 1 0 1 0 0 1 I. 1 0 1 0 1 0 I. 1 0 1 1 0 0 I. 1 0 1 1 1 1 I. 1 1 0 0 0 1 I. 1 1 0 0 1 0 I. 1 1 0 1 0 0 I. 1 1 0 1 1 1 I. 0 0 1 0 0 0 II 0 1 0 0 0 0 II 1 0 0 0 0 0 II 1 1 1 0 0 0 II 0 0 1 0 1 1 II 0 1 0 0 1 1 II 1 0 0 0 1 1 II 1 1 1 0 1 1 II 0 0 1 1 0 1 II 0 1 0 1 0 1 II 1 0 0 1 0 1 II 1 1 1 1 0 1 II 0 0 1 1 1 0 II 0 1 0 1 1 0 II 1 0 0 1 1 0 II 1 1 1 1 1 0 II

Another interesting basic consideration is the basic properties of the XOR operation y = x ⊕ z with regard to weighted and unweighted random sequences. If both input variables x and z are statistically independent and the probabilities P (x = 1), P (z = 1) and P (y = 1) _{are denoted as P x} , P _z and P _y , then the output probability is P. _{y of} the XOR operation: $${\mathrm{P.}}_y=\left(1-{\mathrm{P.}}_x\right){\mathrm{P.}}_z+{\mathrm{P.}}_x\left(1-{\mathrm{P.}}_z\right)$$

Equation (1) can be transformed as follows: $$\frac{1}{2}-{\mathrm{P.}}_y=2\left(\frac{1}{2}-{\mathrm{P.}}_x\right)\left(\frac{1}{2}-{\mathrm{P.}}_z\right)$$

The absolute amount of the difference between the signal probability and the ideal probability of 0.5 is a measure of the similarity of a binary variable to an ideal binary random variable: $$\left|\frac{1}{2}-{\mathrm{P.}}_y\right|=2\left|\left(\frac{1}{2}-{\mathrm{P.}}_x\right)\left(\frac{1}{2}-{\mathrm{P.}}_z\right)\right|.$$

für 0 < a < 1 und a ≠ 0,5 ist, kann die folgende Ungleichung hergeleitet werden. $$0<\left|\frac{1}{2}-P_y\right|<\left|\frac{1}{2}-P_x\right|,\left|\frac{1}{2}-P_z\right|\text{ f}\ddot{\text{u}}\text{r }0<P_x,P_z<1\text{ und }{P}_x,P_z\ne \mathrm{0,5.}$$

There $0<2\left|\frac{1}{2}-\mathrm{\alpha }\right|<1$

for 0 <a <1 and a ≠ 0.5, the following inequality can be derived. $$0<\left|\frac{1}{2}-{\mathrm{P.}}_y\right|<\left|\frac{1}{2}-{\mathrm{P.}}_x\right|,\left|\frac{1}{2}-{\mathrm{P.}}_z\right|\text{f}\ddot{\text{u}}\text{<figure-callout id="0" label="r" filenames="DE102020206723A1\_0009.png,DE102020206723A1\_0010.png" state="{{state}}">r</figure-callout>}0<{\mathrm{P.}}_x,{\mathrm{P.}}_z<1\text{and}{\mathrm{P.}}_x,{\mathrm{P.}}_z\ne \mathrm{0.5.}$$

In this case, a sequence at the output of the XOR operation is more similar to a non-weighted (pseudo) random sequence than the two input sequences. In this context, the XOR operation has the property of increasing the degree of randomness. A circuit of a multiplicity of linked XOR gates reinforces these described properties.

In the special case P _x = 0.5, according to the equation: $${\mathrm{P.}}_y=\frac{1}{2}{\mathrm{<figure-callout\; id="1"\; label="P.\; z\; +"\; filenames="DE102020206723A1\_0009.png,DE102020206723A1\_0010.png"\; state="\{\{state\}\}">P.</figure-callout>}}_z+\frac{1}{2}\left(1-{\mathrm{P.}}_z\right)=\frac{1}{2}$$

For the XOR operation, this special case implies that with a (pseudo-) random input variable with the signal probability 0.5, the output variable is also (pseudo-) random with the signal probability 0.5 and independent of the second input variable. If both input variables x and z are (pseudo-) random with P _x = P _z = 0.5 and statistically independent of each other, the output variable is also (pseudo-) random with P _y = 0.5 and both from one and the other the other input is statistically independent.

The functionalities and properties described in these two basic considerations do not appear in their pure form in reality. In the asynchronous circuit of the matrix field oscillators M. if they mix, undefined intermediate states are formed (metastability) and analogous behavior occurs, including chaotic oscillations at the outputs of the matrix field oscillators M. , on. This analog behavior has both pseudo and genuinely random properties. The really random part of the behavior is essentially caused and determined by the unpredictable changes in the delay times of the circuit elements, which are influenced by the electronic noise. In order to increase this genuinely random influence over the long term compared to the pseudo-random influence, according to the invention the number of connections and thus also the feedback (oscillator behavior) are increased as efficiently as possible. Due to the complex feedback structures, small random variations spread quickly over the entire matrix field oscillator M. and that makes extracting randomness by sampling easier.

The influence of the genuinely random electronic noise is considerably increased by the selected circuit structure. This is the third basic consideration. All three basic considerations lead to the circuit of the matrix field oscillators M. consisting of an array of mutually influencing XOR mini-oscillators 100 . A matrix field oscillator M. (asynchronous switching) in the in 3 The illustrated embodiment consists of a two-dimensional 6 x 6 field of XOR mini-oscillators 100 whose output signal is the neighboring mini-oscillators 100 serves as an input signal in all four directions.

The output signal o of each XOR mini-oscillator 100 is connected to the corresponding inputs of the four neighboring mini-oscillators 100 created. The output signals of the XOR mini oscillators 100 at the edges of the matrix field oscillators M. are not fed back directly as input signals, but serve as input signals for the XOR mini-oscillators 100 at the opposite edges of the respective matrix field oscillator M. (please refer 4th ).

5 shows the numbering of the elements in a matrix field oscillator in form (row, column). Table 2: exemplary customization of the matrix field oscillators Matrix field oscillator begin Inv Out 0 (0.2) (4.5) (1.5) 1 (1.3) (2.0) (3.1) 2 (2.4) (5.2) (5.4) 3 (3.5) (5.1) (0.1) 4th (4.5) (2.1) (3.4) 5 (4.3) (1.5) (2.0) 6th (5.2) (1.3) (1.2) 7th (4.0) (5.4) (5.1) 8th (2.1) (3.5) (4.2)

To ensure the individuality and independence of the matrix field oscillators M. When choosing the location of the excitation (Start), the additional inverter (Inv) and the output (Out), care must be taken that they are in a single matrix field oscillator M. and as a 3-way combination in all matrix field oscillators M. of the random number generator. The same oscillator should never serve as a place of excitation (start), as an oscillator with an additional inverter (Inv) or as an output oscillator (Out). Rather, these tasks should be performed by separate oscillators. The customization of the matrix field oscillators M. Table 2 shows the exemplary embodiment.

The purely asynchronous matrix field oscillator M. is deactivated when the control inputs of the XOR mini oscillators 100 all s [1: 0] = 00. In this case all outputs are o the XOR mini-oscillators 100 continuously equal to logic zero (0). The only exception is the XOR mini oscillator Inv with the additional inverter 110 at the exit. Here the output is a constant logical one (1). The matrix field oscillator M. is activated by the control inputs of the XOR mini oscillators 100 all s [1: 0] = 10 are set. The only exception is the XOR mini oscillator Start. Here the control input is set briefly to s [1: 0] = 01 to activate the matrix field oscillator M. to be stimulated directly with an output value of logic one (1). After the excitation has taken place, this control input is also set to s [1: 0] = 10. Indirect excitation is also provided by the XOR mini oscillator Inv with the additional inverter 110 instead of. The output of the XOR mini-oscillator Out is also the output of the matrix field oscillator M. represent.

The control signals of the individual XOR mini oscillators 100 are determined by the two input signals enable and start (see table 3). These two input signals take place when the matrix field oscillator is activated M. starting from logic zero (0) at the same time the value logic one (1). During the enable input signal this value for the duration of the activation of the matrix field oscillator M. remains, the start input signal goes back relatively shortly thereafter to the output value logic zero (0). Setting the input signal enable to 0 turns the matrix field oscillators M. deactivated (idle state). Table 3: Control signals of the XOR mini oscillators 100 Enable begin s [1: 0] Start s [1: 0] 0 0 00 00 0 1 00 00 1 0 10 10 1 1 10 01

In the exemplary embodiment, there are six positions in the matrix field oscillator M. the output signals are output as test signals. They serve as the basis for the oscillation test of the respective matrix field oscillator M. . Two of the six test signals correspond to the output signals of the XOR mini oscillators Out and Start and are therefore dependent on the individualization of the respective matrix field oscillator M. . The four other test signals probe at fixed locations on the matrix field oscillators M. the output signals (see following table). Table 4: Test signals in the matrix field oscillators M Test signal Output signal of the XOR mini oscillator test [0] (Row _out , column _Out ), e.g. (1,5) test [1] (Row _start , column _start ), e.g. (0,2) test [2] (1.1) test [3] (0.5) test [4] (3.2) test [5] (4.4)

The random number generator in the exemplary embodiment contains as a noise source 9 asynchronous matrix field oscillators M. . The analog output signals of the 9 matrix field oscillators M. are in the in 6th digitized circuit shown and synchronized to the clock of the subsequent synchronous circuit. The two input signals system clock (clk) and asynchronous active-low reset (res_a_n) are sent to the corresponding inputs of the D flip-flops 200 created.

When changing from the asynchronous to the synchronous circuit are in the digitizer 20th two so-called metastability flip-flop stages (R _A : asynchronous active-low reset; R _S : synchronous active high reset) required for digitization. As part of this digitization circuit 20th the generated analog output signals (so-called raw random signals) of the 9 matrix field oscillators M. when the enable signal is activated by the first metastability flip-flop stage (9 D flip-flops 200 ) scanned with the XOR combination 210 merged and after the second metastability flip-flop stage (1 D flip-flop 220 ) as a digital signal or as an original random sequence (so-called raw random sequence). The XOR combination 210 compresses the sampled output signals from 9 independent matrix field oscillators M. to a signal. This leads to the real entropy at the output of the XOR combination 210 greater than the individual real entropies at the outputs of the matrix field oscillators M. (before the XOR combination) is. The complex high-frequency output signals (chaotic oscillations) of the matrix field oscillators M. can cause frequent metastability effects in the first metastability flip-flop stage and lead to metastable signals after this first stage. Only after the second metastability flip-flop stage is a purely digital random sequence continuously output with a very low bias. Here several copies of the same physical noise source (here matrix field oscillators), whose sampling bits are XOR-combined, are considered as a single noise source.

Additional post-processing of the output sequence after digitization is not necessary due to the excellent statistical properties of the sequence. However, immediately after activating the 9 matrix field oscillators M. and the digitizer 20th waited a certain time (45 microseconds in this embodiment) before the output of the first random bits by the random number generator and the random bits occurring during the waiting time (start-up time) are discarded in order to minimize the pseudo-random influence on the output sequence to an insignificant level. For this purpose, the circuit according to the invention is preferably also around a module 230 to implement the waiting time (start-up time) of 45 µs added. The module 230 to realize the waiting time (start-up time) of 45 µs is above the digitizer in 6th arranged. It is based on a corresponding counter and after the waiting time (45 µs) has elapsed after the random number generator has started (requirement: enable is 1 and the asynchronous active-low reset is not activated), it uses the output signal out_valid = 1 to indicate that the start-up time is over and the bits of the original random sequence at the output out are valid. Before that, out_valid = 0, ie the bits of the output sequence at the output out should be discarded.

In addition to the activation of the noise source already described using the two input signals enable and start, the digitizer 20th activate by setting the input signal enable to 1 (condition: no activation of the asynchronous active-low reset) and deactivate by setting the input signal enable to 0 (idle state).

The following are the oscillation test circuits 30th and total failure test 40 described. As a preliminary remark, it should be noted here that incorrect behavior of the matrix field oscillators M. in the form of generating a periodic test sequence such as 10101 ... 01 is neither known nor plausible, since periodic oscillations, among other things, due to the use of the additional inverter 110 in each of the matrix field oscillators M. be prevented. This case will therefore not be considered further in the following.

The partial circuit edge detection 300 (clk: system clock; res_a_n, R _A : asynchronous active-low reset; R _S : synchronous active high reset) in 7th detects changes in a digitized test signal.

For this purpose, each of the 6 test signals is used by a matrix field oscillator M. (for the selection of these test signals, see Table 4) each with a first D flip-flop 310 fed for scanning. The output of this D flip-flop 310 becomes the input of another D flip-flop 320 fed. These two D flip-flops 310 and 320 serve as metastability flip-flops for digitizing and synchronizing the respective test signal. The output of the D flip-flop 320 becomes on the one hand the D input of another D flip-flop 330 which is used for the time delay required for edge detection, and the input of the D flip-flop is used to detect the edge 330 (this corresponds to the output of the D flip-flop 320 ) on the one hand and the output of the D flip-flop 330 each to the input of an exclusive-or gate 340 fed. Its output signal "edge" indicates the presence of an edge in the digitized output signal test.

These "edge" output signals then serve as input signals for the oscillation test 30th .

8th shows the oscillation test circuit 30 (clk: system clock; res_a_n: asynchronous active-low reset; res_s: synchronous active-high reset). Here 6 instances of the circuit evaluate edge detection 300 each of the 6 test signals of a matrix field oscillator M. the end. if 100 Clocks none of the 6 digitized test signals has an edge, this is shown by the output signal of the counter or the oscillation test circuit 30th with noedge = 1. This is a very clear indication that the corresponding matrix field oscillator M. no longer oscillates. With noedge = 0 it is indicated that the matrix field oscillator M. oscillated (built-in oscillation health test).

Accordingly, the in 8th Circuit shown oscillation test 30th 6 edge detection circuits 300 (0 to 5), their respective output signals "edge" to an OR gate 32 are supplied. The output of this OR gate 32 is the reset input res_s of a counter 34 fed. The counter is incremented with the system clock, ie the system clock is on the counter input of the counter. If the counter overflows, ie no edge has occurred during as many system clocks as the counter can count, the counter overflow goes to logic 1 and is signaled as "noedge", i.e. an oscillation fault in the corresponding matrix field oscillator M. displayed. The counter can, for example, be a decimal counter 100 Count the number of cycles until it overflows; a power of two is recommended for a binary counter, for example 128. The overflow signals of the counter 34 “Noedge” then become a total failure test for the overall monitoring of the random number generator according to the invention of a circuit 40 fed.

The circuit total failure test 40 in 9 (clk: system clock; res_a_n: asynchronous active-low reset) outputs the signal tot = 1, ie a total failure has occurred when the oscillation tests 30th of all 9 matrix field oscillators M. show no oscillation (noedge = 1). The oscillation test 30th and the total failure test are operated continuously (condition: enable = 1 and no activation of the asynchronous active low reset). They are designed in such a way that a total failure on the one hand is indicated relatively quickly and a false alarm on the other hand is extremely unlikely.

Accordingly, all outputs “noedge” of the 9 oscillation test circuits 0 to 8 become an AND gate 42 fed. Its output results in the signal “dead” for the total failure of the random number generator according to the invention.

The following is a description of the experimental evidence that the random number generator according to the invention not only works, but also delivers genuinely random and non-pseudo-random bit sequences of high entropy.

The following are the properties of a true random number generator according to the invention based on a combination of individualized matrix field oscillators M. consisting of mutually influencing XOR mini-oscillators 100 within the scope of the exemplary embodiment described (9 individualized matrix field oscillators M. (Noise source) each consisting of a two-dimensional 6 x 6 field of XOR mini-oscillators 100 including a corresponding digitizer 20th and total failure test 40 ) investigated. This is done using an implementation of the exemplary embodiment of the random number generator on a SmartFusion evaluation board with the SmartFusion FPGA A2F200M3FFGG484 from Microsemi based on a VHDL model. It should be noted that the SmartFusion FPGA technology is based on the ProASIC3 FPGA Flash architecture. During the investigation, only the pure FPGA (FPGA fabric) is used without the processor also present in the SOC FPGA. The most important goal of this investigation is to determine to what extent the randomness generated by the random number generator is real. This is done in section 1.1 the behavior of a single matrix field oscillator 100 and examined in section 1.2 the behavior of the entire random number generator. Appendices A, B and C also contain brief analyzes of implementations of the above-described exemplary embodiment of the random number generator according to the invention on an IGLOO-FPGA (Microsemi), a Spartan-6-FPGA (Xilinx) and a Spartan-7-FPGA (Xilinx) shown. Appendix D is followed by a brief analysis of a “Frequency Injection Attack”. Appendix E lists some features (resource and power consumption) of implementations of the exemplary embodiment of the random number generator according to the invention. Finally, Appendix F shows the results of a long-term oscillation test of the four implementations of the exemplary embodiment of the random number generator according to the invention.

1.1 Investigation of a matrix field oscillator M.

To get a first impression of the behavior of the matrix field oscillators contained in the random number generator M. The first example is the output signal (standard output) of the matrix field oscillator 0 of the random number generator according to the invention in the time and frequency domains (Spectrum) recorded with an oscilloscope. the 10 respectively. 11th shows the output signal of the matrix field oscillator 0 in the time (upper part of the figure) and in the frequency domain (lower part of the figure) if the matrix field oscillator 0 is deactivated ( 10 ) or activated ( 11th ) is.

When comparing the two spectral representations in the 10 and 11th it can be seen that the distance between the noise of the deactivated and activated matrix field oscillator 0 is approx. 20 dB. The obvious presence of noise with the matrix field oscillator activated M. unfortunately does not help with the question of how large the proportion of real randomness is in the noise.

In the following, a restart approach is followed in order to evaluate and analyze the extent of the true randomness generated by an oscillator.

In this way it is practically possible to distinguish between true randomness and pseudo-randomness.

This approach is based on repeating the experiments starting from identical starting conditions, i.e. starting the oscillator starting from the same starting states of all logic gates. Pseudo-randomness is deterministic and thus shows identical behavior each time the experiment is repeated. On the other hand, true randomness behaves differently with each repetition, despite identical starting conditions. To an insignificant extent, true randomness can also be included in the start conditions, which ideally are not identical.

The restart measurements were made using the above-mentioned FPGA technology. In every experiment, the inactive state (output equal to 0) serves as the initial state of the matrix field oscillator 0, so that the initial conditions are essentially identical. Instead of a standard output, 0 LVDS outputs were selected for the output of the matrix field oscillator and corresponding output voltages were measured differentially in order to increase the accuracy of the measurement. In 12th three of a total of 1000 measured curves of the differential output voltage of the matrix field oscillator 0 are shown after various restarts.

It can be clearly seen that the courses of the three curves differ from one another. While they are identical or at least similar at the beginning, they differ in the course of the presentation of the 12th always more. The amount of randomness in the recorded curves relevant to the extraction of entropy by sampling can be measured by the standard deviation of the output voltage as a function of time. That is, if the standard deviation is relatively large, then extracting a bit of true randomness by sampling is relatively easy and reliable. On the other hand, if the standard deviation is relatively small, then the extracted random bit is heavily weighted and this bias will be highly implementation-dependent. Accordingly, the standard deviation and the arithmetic mean of the differential output voltage of the matrix field oscillator 0 were calculated as functions of time (duration 140 ns) for the 1000 curves. The results are in the 13th and 14th shown.

The results of the experimental restart approach show that the matrix field oscillator 0 generates true randomness. You can see in 13th and 14th that after about 25 ns the arithmetic mean and standard deviation reach relatively stable values. The relatively stable value for the standard deviation is approximately twice as large as the corresponding values for the Fibonacci and Galois ring oscillators. The structure of the matrix field oscillator M. thus enables a more robust and reliable entropy extraction by sampling than comparable oscillators. Because the structure is basically the same, the results are the same or similar for the other matrix field oscillators M. expected.

1.2 Investigation of the entire random number generator

1.2.1 Traditional statistical tests

For further analysis, the data output of the random number generator takes place via an SPI interface, as it enables the desired, relatively high data rate of 30 Mbit / s. The FT2232H mini module from FTDI is used for this. It provides this SPI interface. The implementation of the random number generator is adapted to this interface. The SPI interface enables data blocks up to a size of 65536 bytes to be read at a data rate of up to 30 Mbit / s. The data is transferred from the FT2232H mini module to a computer via USB. Although the random number generator is of course capable of continuous data output, due to the SPI interface used, data can only be are output in blocks. As a first step in the investigation, the basic statistical properties of the random number generator are checked with common statistical tests (AIS31 statistical test suite, NIST statistical test suite / NIST 800-22 and TestU01 statistical test from the University of Montreal). The statistical tests are applied to data that are recorded with a sequential data acquisition with 200 62,500 byte or. 500,000-bit data blocks (data rate 30 Mbit / s) are created. These are original random sequences after digitization (raw random sequence). The total amount of data generated by the random number generator at room temperature has a size of 100,000,000 bits (approx. 11.9 MB). The results of the statistical tests are shown in Table 5. Table 5: Results of the statistical tests of data generated by the random number generator at room temperature with sequential data acquisition with 200 62,500-byte or 500,000-bit data blocks (data rate 30 Mbit / s) Statistical tests (total amount of data: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery sequential data acquisition 8,0001030 passed passed passed passed

Table 5 shows that the random number generator passed all statistical tests carried out. The second column of Table 5 contains the result of the entropy test over one byte. It should be noted that the AlS31 test suite works with Shannon entropy estimation. The value for the Shannon entropy per byte in the second column of Table 5 is greater than the maximum value of 8 bits. This is due to rounding errors in the calculation by the AIS31 analysis tool. The entropy value in said column is greater than 7.976 bits of Shannon entropy per byte. This means that the Shannon entropy per bit is greater than 0.997 bits in this case. Thus, the corresponding requirements of AIS20 / 31 are met.

AIS20 / 31 requires that the AIS31 statistical test suite is passed under all relevant environmental conditions. The random number generator is therefore subjected to temperature tests in a specific temperature range. Here again, the sequential data acquisition is carried out with basically unchanged test conditions (except for temperature). This means that 200 62,500-byte or 500,000-bit data blocks are received at each of the different temperatures (from -25 ° C to +55 ° C in steps of 5 ° C). This again results in a total amount of data of 100,000,000 bits each (approx. 11.9 MB). Each of these total data sets is tested with the AIS31 statistical test suite. The results are shown in Table 6. Table 6: Results of the tests with the AlS31 statistical test suite of data generated by the random number generator at different temperatures with sequential data recording with 200 62,500-byte or 500,000-bit data blocks (data rate 30 Mbit / s) temperature AIS31 statistical test suite (1.3.1) T8 (entropy test) T0-T8 -25 ° C 7.9977650 passed -20 ° C 8.0013081 passed -15 ° C 8.0038099 passed -10 ° C 7.9966510 passed -5 ° C 7,9974596 passed 0 ° C 8.0026852 passed + 5 ° C 7.9979734 passed + 10 ° C 8.0001493 passed + 15 ° C 8.0041145 passed + 20 ° C 8.0005963 passed + 25 ° C 8.0031554 passed + 30 ° C 7.9968651 passed + 35 ° C 8,0007169 passed + 40 ° C 7.9954391 passed + 45 ° C 8.0044901 passed + 50 ° C 7.9989890 passed + 55 ° C 7.9956289 passed

The results of the investigations in Table 6 again show that the entropy values are always greater than 7.99 bit Shannon entropy per byte or 0.99875 bit Shannon entropy per bit and thus meet the requirements of AIS20 / 31. In several cases the values for the Shannon entropy per byte in the second column of Table 6 are greater than the maximum value of 8 bits. As mentioned before, this is due to rounding errors in the calculation by the AlS31 analysis tool. The third column of Table 6 shows that all tests of the AIS31 test suite were passed at all temperatures in the temperature range examined. This even applies to the low temperatures. It should be emphasized that the examined data are original random sequences after digitization (raw random sequences).

1.2.2 Statistical tests in the context of experimental restart investigations

Despite the results of Section 1.1, it cannot be ruled out that pseudorandomness that is still present negatively influences the entropy extraction by sampling. Another method of investigation is necessary to clarify whether the randomness generated by the entire random number generator is still subject to a significant pseudo-random influence after digitization. The approach for this new analysis method at the level of the total random number generator is derived from the experimental restart approach at the level of a matrix field oscillator M. from Section 1.1. Instead of the analog signals before digitization (raw random signals), the original random sequences after digitization (raw random sequence) are recorded for different lengths of time during restarts and analyzed using conventional statistical tests. The analysis is carried out by combining the various data sequences in the form of data blocks to form a total data volume, which is then checked with common statistical tests (AIS31 statistical test suite, NIST statistical test suite / NIST 800-22 and TestU01 statistical test from the University of Montreal). The basic idea is that the statistical tests must be passed even if the amount of data generated by restarting. This is because if there is a real random generation by the random number generator, the statistical properties of the data volume must be independent of whether they arise from sequential data acquisition or from data blocks with a series of restarts. On the other hand, inadequacies such as bias and statistical dependencies caused by possibly still existing pseudo-randomnesses are recognized by the very demanding and complex statistical tests in this approach. If several errors occur in the tests, there is a high probability that the pseudo-randomness has a significant influence on the original random sequences after digitization. In the error-free case, the influence of the pseudo randomness is negligibly small. This method has the advantage of being able to examine smaller data blocks over shorter time intervals, but also larger data blocks over longer time intervals.

This new approach promises a simple but comprehensive overview of whether the random number generator generates true randomness without a significant influence of pseudo randomness at the given data rate or not. To demonstrate the effective mode of operation, this new method is used twice for the random number generator, the first time without and the second time with a waiting time immediately after the restart, in which the random bits are discarded. Only after the waiting time are the random bits no longer suppressed, but output.

First, the new test method is applied to the random number generator without waiting after each restart. There are 100,000 restarts, each with 125-byte or. 1,000-bit data blocks (original random sequences directly after digitization (raw random sequence)) with a data rate of 30 Mbit / s each at room temperature.

The frequency distribution of byte values gives a first impression of the properties of the corresponding total data volume. She will be in 15th shown.

• - NIST statistical test suite/NIST 800-22 (sts-2.1.2): nicht bestanden (nicht bestandene Tests wie folgt)
  • Frequency
  • CumulativeSums
  • Runs
  • NonOverlappingTemplate
• - TestU01 statistischer Test, Unversität Montreal (TestU01 1.2.3):
  • Alphabit-Batterie: nicht bestanden (nicht bestandene Tests wie folgt)
    • MultinomialBitsOver (L = 2)
    • MultinomialBitsOver (L = 4)
    • MultinomialBitsOver (L = 8)
    • Hamminglndep (L = 16)
    • Hamminglndep (L = 32)
    • RandomWalk1 H (L = 64)
    • RandomWalk1 M (L = 64)
    • RandomWalk1 J (L = 64)
    • RandomWalk1 H (L = 320)
    • RandomWalk1 M (L = 320)
    • RandomWalk1 J (L = 320)
    • RandomWalk1 R (L = 320)
  • Rabbit-Batterie: nicht bestanden (nicht bestandene Tests wie folgt)
    • Fourier3
    • PeriodslnStrings
    • HammingWeight
    • Hamminglndep (L = 16)
    • Hamminglndep (L = 32)
    • Hamminglndep (L = 64)
    • AutoCor
    • Run of bits
    • Run of bits
    • RandomWalk1 H
    • RandomWalk1 M
    • RandomWalk1 J
    • RandomWalk1 H (L = 1024)
    • RandomWalk1 M (L = 1024)
    • RandomWalk1 J (L = 1024)
    • RandomWalk1 H (L = 10016)
    • RandomWalk1 M (L = 10016)
    • RandomWalk1 J (L = 10016)

The uneven frequency distribution of the byte values in 15th is obvious. The relative frequencies up to and including the black line L (byte value 0x3F) are essentially 0.40% each and then 0.38% and 0.39% respectively. Since the amount of data is composed of 100,000 1000-bit data blocks after 100,000 restarts, this indicates that there is still a pseudo-random influence on the random number generator. This pseudo-random influence can also be seen in the further statistical analysis of the above data volume. While the AIS31 statistical test suite surprisingly still passes all tests with this amount of data, this does not apply to the other two statistical tests used.

• - NIST statistical test suite / NIST 800-22 (sts-2.1.2): failed (failed tests as follows)
  • Frequency
  • CumulativeSums
  • Runs
  • NonOverlappingTemplate
• - TestU01 statistical test, University of Montreal (TestU01 1.2.3):
  • Alphabit battery: failed (failed tests as follows)
    • MultinomialBitsOver (L = 2)
    • MultinomialBitsOver (L = 4)
    • MultinomialBitsOver (L = 8)
    • Hamminglndep (L = 16)
    • Hamminglndep (L = 32)
    • RandomWalk1 H (L = 64)
    • RandomWalk1 M (L = 64)
    • RandomWalk1 J (L = 64)
    • RandomWalk1 H (L = 320)
    • RandomWalk1 M (L = 320)
    • RandomWalk1 J (L = 320)
    • RandomWalk1 R (L = 320)
  • Rabbit battery: failed (failed tests as follows)
    • Fourier3
    • PeriodslnStrings
    • HammingWeight
    • Hamminglndep (L = 16)
    • Hamminglndep (L = 32)
    • Hamminglndep (L = 64)
    • AutoCor
    • Run of bits
    • Run of bits
    • RandomWalk1 H.
    • RandomWalk1 M
    • RandomWalk1 J.
    • RandomWalk1 H (L = 1024)
    • RandomWalk1 M (L = 1024)
    • RandomWalk1 J (L = 1024)
    • RandomWalk1 H (L = 10016)
    • RandomWalk1 M (L = 10016)
    • RandomWalk1 J (L = 10016)

A solution to this problem can be obtained by considering the findings from Section 1.1. The longer you wait, the more random the state of the matrix field oscillators M. . In the second run, the new test method (restart method with data collected immediately after digitization) is applied to a random number generator under the same conditions as in the first experiment, which has a waiting time of 45 µs immediately after each restart. Random data is only output after the waiting time.

Now there is a changed frequency distribution of the byte values of the total amount of data, such as 16 shows before. The frequency distribution of the byte values is now much more even. There is now no more noticeable level with the byte value 0x3F (black line L). The relative frequencies are essentially 0.39% each. The pseudo-random influence on the random number generator was obviously significantly reduced by the introduction of the waiting time. The disappearance of a significant pseudo-random influence, i.e. the random number generator only generates pure real randomness, is also shown by the statistical analysis of further restart attempts with different data block sizes and the number of restarts at room temperature, at a data rate of 30 Mbit / s and also the same total amount of data in each case 100,000,000 bits (about 11.9 MB). Table 7: Results of the statistical tests of data generated by the random number generator under various restart conditions at room temperature with a waiting time of 45 µs after each restart Restart tests (total data volume: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery 100,000 restarts with 125-byte or 1,000-bit data blocks each 7.9996946 passed passed passed passed 10,000 restarts each with 1,250 byte or 10,000-bit data blocks 8.0004572 passed passed passed passed 1,000 restarts each with 12,500 byte or 100,000-bit data blocks 8.0002218 passed passed passed passed 200 restarts each with 62,500 byte or 500,000-bit blocks of data 8.0017385 passed passed passed passed

The results of these tests are shown in Table 7. The second column of Table 7 contains the results of the entropy test over one byte. In some cases, the values for the Shannon entropy per byte are greater than the maximum value of 8 bits due to rounding errors. The entropy values in said column are all greater than 7.976 bits of Shannon entropy per byte. In other words, the Shannon entropy per bit is greater than 0.997 bits in all cases. Thus, the corresponding requirements of AIS20 / 31 are met. The results of these extensive restart tests show that, in spite of the same initial conditions, this random number generator delivers data that meet the aforementioned statistical tests when restarting. This even applies to data that is composed of relatively small data blocks (1000 bit sequences) and with one very small large number of restarts (100,000) were generated. This is a clear proof that pure real randomness is generated by the random number generator. The only condition for this is that a waiting time (start-up time) of 45 µs is observed immediately after each restart before the first random value is output if the previous data is discarded. This lead time is taken into account in all investigations in this document that concern the total random number generator. The only exceptions are the examinations at the beginning of this section 1.2.2, which were explicitly carried out without waiting after each restart.

1.2.3 Tests according to NIST SP800-90B

The minimum entropy tests and restart tests of the relatively new NIST SP800-90B standard enable a final test of the properties of the random number generator. The minimum entropy tests consist of two paths: IID (independent and identically distributed) and non-IID. Based on the research results so far, the IID path will be followed in the following. This means that it is assumed that the entropy source independently generates identically distributed random numbers. First, the initial minimum entropy estimate (H _original ) is determined with the minimum entropy test, then the restart tests are carried out. The first 10 ⁶ bits of the original random sequences after digitization (raw random sequence) after a waiting time of 45 µs after the start according to the sequential data acquisition already described (see Section 1.2.1) serve as the data volume for the minimum entropy test. To generate the amount of data for the restart tests, 1000 restarts are carried out at room temperature. 1000 bits of the original random sequences are recorded after digitization (raw random sequence) after a waiting time of 45 µs after each restart. This also results in a data volume of 10 ⁶ bits on which the restart tests are applied. The results of the tests according to NIST SP800-90B are shown in Table 8. They show that the tests confirm the initial IID assumption. This also passes the restart tests for this assumption. The determined value for the minimum entropy per bit is still very high at 0.993767 bits, even after the restart tests. This value is very close to the maximum possible value of 1 bit, which occurs when there is an ideally uniform probability distribution. It should be noted at this point that NIST SP800-90B does not require a specified minimum value for the estimated minimum entropy to pass the test procedure if the restart tests are passed. Table 8: Results of the NIST SP800-90B tests of data generated by the random number generator at room temperature (data rate 30 Mbit / s) NIST SP800-90B Entropy Estimate - IID Path Reboot tests Testing IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests passed 0.993767 passed 0.993767

According to the investigations with the AIS31 statistical test suite in section 1.2.1, the random number generator is also subjected to temperature tests in a certain temperature range as part of the NIST SP800-90B tests. The data acquisition is carried out here again with basically unchanged test conditions (except for temperature). This means that the previously described NIST SP800-90B tests are carried out at each of the different temperatures (from -25 ° C to +55 ° C in steps of 5 ° C). The results are shown in Table 9.

The results of the tests in Table 9 again show that the IID assumption is confirmed by all tests. It also passes all restart tests for this assumption. Table 9: Results of the NIST SP800-90B tests of data generated by the random number generator at different temperatures (data rate 30 Mbit / s) Temperatures Entropy Estimate - IID Path Reboot tests IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests -25 ° C passed 0.994563 passed 0.994563 -20 ° C passed 0.996136 passed 0.995368 -15 ° C passed 0.995779 passed 0.995779 -10 ° C passed 0.994172 passed 0.994172 -5 ° C passed 0.995730 passed 0.992945 0 ° C passed 0.995696 passed 0.995653 + 5 ° C passed 0.994807 passed 0.994092 + 10 ° C passed 0.996234 passed 0.996122 + 15 ° C passed 0.995805 passed 0.994879 + 20 ° C passed 0.995250 passed 0.995250 + 25 ° C passed 0.995814 passed 0.995256 + 30 ° C passed 0.995569 passed 0.995569 + 35 ° C passed 0.996185 passed 0.996162 + 40 ° C passed 0.996139 passed 0.995664 + 45 ° C passed 0.994845 passed 0.994845 + 50 ° C passed 0.995552 passed 0.995466 + 55 ° C passed 0.994718 passed 0.994718

The minimum entropy per bit after the restart tests is always greater than 0.99 bit at all temperatures and is therefore very high. This even applies to the low temperatures. It should be emphasized again that the examined data are original random sequences after digitization (raw random sequences). From all these results it can be concluded that the random number generator according to the invention is confirmed here as a real entropy source of very high quality in the entire temperature range examined.

1.3. summary

The investigation results both at the level of the matrix field oscillator M. as well as at the level of the overall random number generator show that true randomness is generated. With the help of the comprehensive restart experiments, it was possible to show that the introduction of the waiting time (start-up time) after each restart before the first random value is output when the previous data is discarded can reduce the pseudo-random influence to an insignificant level. Furthermore it could be proven that the matrix field oscillator M. enables a significantly more robust and reliable entropy extraction by scanning than comparable oscillators such as Fibonacci and Galois ring oscillators. It should be emphasized that all restart experiments at the level of the entire random number generator are based on original random sequences directly after digitization (raw random sequences). This means that complex additional post-processing of the data after digitization is not necessary. It should also be noted that these restart examinations were carried out at a relatively high bit rate of 30 Mbit / s. These tests mean that the need for other, more elaborate ways of proving the true randomness generated by this random number generator is significantly reduced. This means that the analysis enables a clear proof of the real randomness without using the difficult, time-consuming, risky and possibly controversial evidence approach of the stochastic model (see AIS20 / 31). In summary, it can be stated that the random number generator according to the invention represents a real entropy source of very high quality in the entire temperature range examined.

Appendix A. Brief analysis based on an IGLOO FPGA from Microsemi

IGLOO nano starter kit board (AGLN-NANO-KIT) with the IGLOO-FPGA AGLN250V2-VQG100 from Microsemi

Table 10: Results of the statistical tests of data generated by the random number generator at room temperature with sequential data acquisition with 200 62,500-byte or 500,000-bit data blocks (data rate 30 Mbit / s) Statistical tests (total amount of data: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery sequential data acquisition 8.0025617 passed passed passed passed Table 11: Results of the NIST SP800-90B tests of data generated by the random number generator at room temperature (data rate 30 Mbit / s) NIST SP800-90B Entropy Estimate - IID Path Reboot tests Testing IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests passed 0.994586 passed 0.994586

Appendix B. Brief analysis based on a Spartan-6 FPGA from Xilinx

Cmod S6 board from Digilent with the Xilinx Spartan 6 LX4 FPGA (Spartan 6 XC6SLX4-2CPG196 FPGA)

Table 12: Results of the statistical tests of data generated by the random number generator at room temperature with sequential data acquisition with 200 62,500-byte or 500,000-bit data blocks (data rate 30 Mbit / s) Statistical tests (total amount of data: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery sequential data acquisition 7.9999384 passed passed passed passed Table 13: Results of the NIST SP800-90B tests of data generated by the random number generator at room temperature (data rate 30 Mbit / s NIST SP800-90B Entropy Estimate - IID Path Reboot tests Testing IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests passed 0.995052 passed 0.995052

Appendix C. Brief analysis based on a Spartan-7 FPGA from Xilinx

Cmod S7 Board from Digilent with the Xilinx Spartan 7 FPGA (Spartan 7 XC7S25-1CSGA225C FPGA)

Part I - Random number generator: 15 Mbit / s, IF (SPI): 15 Mbit / s

Table 14: Results of the statistical tests of data generated by the random number generator at room temperature with a sequential data acquisition with 200 62,500-byte or 500,000-bit data blocks Statistical tests (total amount of data: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery sequential data acquisition 7.9958925 passed passed passed passed Table 15: Results of NIST SP800-90B testing of data generated by the random number generator at room temperature NIST SP800-90B Entropy Estimate - IID Path Reboot tests Testing IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests passed 0.995644 passed 0.994488

Part II - Random number generator: 30 Mbit / s, IF (SPI): 15 Mbit / s

Table 16: Results of the statistical tests of data generated by the random number generator at room temperature with a sequential data acquisition with 200 62,500-byte or 500,000-bit data blocks Statistical tests (total amount of data: approx. 11.9 MB) AIS31 statistical test suite (1.3.1) NIST statistical test suite / NIST 800-22 (sts-2.1.2 with default parameters) TestU01 statistical test, University of Montreal (TestU01 1.2.3) T8 (entropy test) T0-T8 Alphabit test battery Rabbit test battery sequential data acquisition 7.9995812 passed passed passed passed Table 17: Results of NIST SP800-90B testing of data generated by the random number generator at room temperature NIST SP800-90B Entropy Estimate - IID Path Reboot tests Testing IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests passed 0.994730 passed 0.994730

Note: The limitation of the data rate of the interface (Serial Peripheral Interface - SPI) to 15 Mbit / s is due to the wiring of the Xilinx Spartan 7 FPGA on the Cmod S7 board (switching speed of the digital I / Os: maximum 25 MHz).

Appendix D. Brief analysis of a “Frequency Injection Attack” based on an IGLOO-FPGA from Microsemi

IGLOO nano starter kit board (AGLN-NANO-KIT) with the IGLOO-FPGA AGLN250V2-VQG100 from Microsemi

Based on knowledge of the publication T. Markettos and SW Moore, The Frequency Injection Attack on Ring-Oscillator- Based True Random Number Generators, Cryptographic Hardware and Embedded Systems - CHES 2009, Lecture Notes in Computer Science, vol. 5747, Springer, Berlin, Heidelberg, pp 317-331, 2009 In this brief analysis, it was investigated for different frequencies whether feeding a sinusoidal interference voltage to the operating voltage of an IGLOO-FPGA with the implementation of the random number generator described in section 1 has a negative influence on the (real) random properties of the data generated by the generator . The results shown in Tables 18 and 19 show that this is not the case for the frequencies examined. Table 18: Results of the tests with the AlS31 statistical test suite of data generated by the random number generator at different frequencies of an interfering signal with sequential data recording with 200 62,500 byte or 500,000 bit data blocks (data rate 30 Mbit / s) Frequency of the to the 1.2 V VCC core voltage of the AIS31 statistical test suite (1.3.1) IGLOO-FPGAs fed sinusoidal 200 mVpp interference signal T8 (entropy test) T0-T8 1 MHz 7.9989505 passed 2 MHz 7.9978298 passed 5 MHz 8.0015176 passed 10 MHz 8.0027132 passed 15 MHz 8.0022397 passed 20 MHz 8.0017930 passed 25 MHz 7.9992265 passed 30 MHz 7.9997138 passed 35 MHz 7.9993854 passed 40 MHz 8,0006074 passed 45 MHz 7.9999514 passed 50 MHz 7.9989018 passed Table 19: Results of the NIST SP800-90B tests of data generated by the random number generator at different frequencies of an interfering signal (data rate 30 Mbit / s) Frequency of the Entropy Estimate - IID Path Reboot tests the 1.2 V VCC core voltage of the IGLOO FPGA fed in sinusoidal 200 mVpp interference signal IID path Initial minimum entropy per bit (H _original ) Reboot Tests (IID) Updated minimum entropy per bit (H) after restart tests 1 MHz passed 0.995566 passed 0.994442 2 MHz passed 0.994931 passed 0.994411 5 MHz passed 0.993913 passed 0.993913 10 MHz passed 0.993712 passed 0.993712 15 MHz passed 0.994215 passed 0.994215 20 MHz passed 0.995492 passed 0.995492 25 MHz passed 0.992802 passed 0.992802 30 MHz passed 0.994508 passed 0.994508 35 MHz passed 0.993971 passed 0.993971 40 MHz passed 0.995017 passed 0.995017 45 MHz passed 0.993962 passed 0.993962 50 MHz passed 0.994940 passed 0.993115

Appendix E. Features of the implementation of the exemplary embodiment (see Section 1) of the random number generator

Resource consumption

• Anzahl benötigter FPGA-Kernzellen (Core Cells): 2108

I. Example implementation of SmartFusion-FPGA A2F200M3F-FGG484 on the SmartFusion evaluation board from Microsemi:

• Number of required FPGA core cells: 2108

II. Example implementation Xilinx Spartan 7 FPGA (Spartan 7 XC7S25-1 CSGA225C FPGA) on the Cmod S7 board from Digilent
Number of FPGA LUTs required: 1218
Number of FPGA registers (flip-flops) required: 277

Power consumption:

• Leistungsverbrauch des FPGAs (Core) bei einem deaktivierten Zufallszahlengenerator (1,2 V Core-Spannung):

$${\text{P}}_{\text{off}}=\mathrm{3,768}\text{ mW}$$

Example implementation IGLOO-FPGA AGLN250V2-VQG100 on the IGLOO nano starter kit board (AGLN-NANO-KIT) from Microsemi:

• Power consumption of the FPGA (core) with a deactivated random number generator (1.2 V core voltage):

$${\text{P.}}_{\text{off}}=\mathrm{3,768}\text{mW}$$

Power consumption of the FPGA (core) with an activated random number generator (1.2 V core voltage): $${\text{P.}}_{\text{on}}=64.2\text{mW}$$

Appendix F. Long-term oscillation test of the implementations of the exemplary embodiment (see Section 1) of the random number generator

All 4 implementations of the exemplary embodiment (see section 1) of the random number generator according to the invention were subjected to a long-term oscillation test. It is checked whether one or more of the 9 matrix field oscillators stop temporarily or permanently or no longer oscillate for a month with continuous operation of the random number generator (no oscillation of the 6 digitized test signals for 100 cycles). If all 9 matrix field oscillators stop, there is a total failure. The results are shown in Table 20. Table 20: Results of the long-term oscillation test for 4 implementations of the exemplary embodiment of the random number generator implementation 1 month of continuous operation Number of matrix field oscillators (max. 9) with temporary or permanent standstill Total failure SmartFusion FPGA 0 no IGLOO FPGA 0 no Spartan 6 FPGA 0 no Spartan 7 FPGA 0 no

QUOTES INCLUDED IN THE DESCRIPTION

This list of the documents listed by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Non-patent literature cited

• Mario Stipcevic and Çetin Kaya Koç, True Random Number Generators, Open Problems in Mathematics and Computational Science, Springer International Publishing, Switzerland, pp. 275-316, 2014 [0003]
• V. Fischer, Random Number Generators for Cryptography - Design and Evaluation, Summer School on Design and Security of Cryptographic Algorithms and Devices, Sibenik, Croatia, June 2014 [0005]
• M. Dichtl, Fibonacci Ring Oscillators as True Random Number Generators - A Security Risk, IACR Cryptology ePrint Archive, 270, 2015 [0005]
• W. Killmann and W. Schindler, AIS20 / AIS31 - A Proposal for: Functionality Classes for Random Number Generators, version 2.0, 2011 [0005]
• A. Rukhin et al., A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST Special Publication 800-22, US Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, April 2010 [0005]
• M. Dichtl, J.D. Golic, High-Speed True Random Number Generation with Logic Gates Only, Cryptographic Hardware and Embedded Systems - CHES 2007, Lecture Notes in Computer Science, vol 4727, Springer, Berlin, Heidelberg, pp 45-62, 2007 [0005]
• J. Balasch et al., Design and testing methodologies for true random number generators towards industry certification, 2018 IEEE 23rd European Test Symposium (ETS), Bremen, pp. 1-10, 2018 [0005]
• M. Sönmez Turan et al., Recommendation for the Entropy Sources Used for Random Bit Generation, NIST Special Publication 800-90B, Department of Commerce, National Institute of Standards and Technology, Gaithersburg, MD, January 2018 [0005]
• A. Schubert and W. Anheier, On Random Pattern Testability of Cryptographic VLSI Cores, Journal of Electronic Testing: Theory and Applications, Vol. 16, No. 3, Kluwer Academic Publishers, Netherlands, pp. 185-192, 2000 [0005]
• A. Schubert, Modeling, Optimization and Self-Testing of Cryptographic Virtual Components, Dissertation University of Bremen, Progress Reports VDI Series 10, No. 690, VDI Verlag GmbH, Düsseldorf, 2002 [0005]
• T. Markettos and S. W. Moore, The Frequency Injection Attack on Ring-Oscillator- Based True Random Number Generators, Cryptographic Hardware and Embedded Systems - CHES 2009, Lecture Notes in Computer Science, vol. 5747, Springer, Berlin, Heidelberg, pp 317-331, 2009 [0100]

Claims (16)

Random number generator with purely digital circuit elements, characterized in that it comprises a matrix (M) of individual oscillator circuits (100) which have an even number of inputs (t, b, I, r), each with an output (o) an adjacent oscillator circuit (100) are connected, two (t, b; l, r) of the inputs being connected to a first exclusive-or gate (102, 104), and the outputs of the first exclusive-or Gates (102, 104) are connected to inputs of a further exclusive-OR gate (106), the output signal of which forms an output signal (o) of the individual oscillator circuit (100), and to inputs (b, t, r, I) of the respectively neighboring oscillator circuits (100) is connected, the oscillator circuits (100) at the edges of the matrix (M) being correspondingly connected to oscillator circuits (100) at the opposite edges of the matrix (M), and that Output signal of one of the oscillator circuits (Out) the S signal output (out) of the matrix (M). Random number generator according to Claim 1 , characterized in that the output signal of the individual oscillator circuit (100) is also fed via a signal input of a multiplexer (108), the control input of which has a first binary control signal (s [1]) applied to it, and the output signal of which is the output signal (o ) the individual oscillator circuit (100) forms, and the first binary control signal (s [1]) is used to activate and deactivate the matrix (M) of oscillator circuits. Random number generator according to Claim 2 , characterized in that the output signal (o) of at least one of the individual oscillator circuits (Inv) is passed via an inverter (110). Random number generator according to one of the Claims 1 until 3 , characterized in that the matrix (M) is two-dimensional, preferably square, and preferably comprises 6 x 6 individual oscillator circuits (100). Random number generator according to Claim 2 , characterized in that another of the oscillator circuits (start) of the matrix (M) is connected to a further binary control signal (s [0]) at its multiplexer (108), which is set up for a short period of time is activated directly before the activation of the matrix (M) via the first binary control signal (s [1]), and is used to safely start the oscillator circuits (100) of the matrix (M). Random number generator according to one of the Claims 1 until 5 , characterized in that only one further oscillator circuit (Inv) in the matrix (M) is provided with an inverter (110). Random number generator according to one of the Claims 1 until 6th , characterized in that the output signal (out) of the matrix (M) is connected to a D flip-flop (200), the output signal (Q) of which represents the sampled output signal of the matrix (M). Random number generator according to Claim 7 , characterized in that it comprises several matrices (M) of individual oscillator circuits (100), the sampled output signals of which are all connected to an input of an exclusive-or gate (210), the output of which supplies the random sequence. Random number generator according to Claim 8 , characterized in that the output of the exclusive-OR gate (210) is connected to an input of a further D flip-flop (220), the output of which supplies the synchronous digital random sequence. Random number generator according to Claim 8 or 9 , characterized in that the individual matrices (M) connected by the exclusive-or gate (210) are individualized in that in each of the matrices (M) the relative positions of the oscillator circuits with the inverter (Inv), the Signal output (Out) and the special additional binary control signal (s [0]) are different from one another. Random number generator according to one of the preceding claims, characterized in that a module (230) for generating a waiting time is provided, which comprises a counter and serves to output a signal after the waiting time has elapsed after the start of the random generator, which indicates that the on Output are valid and usable. Random number generator according to one of the preceding claims, characterized in that the output signal (o) of an oscillator circuit (100) of a matrix (M) is connected to a data input (D) of a first D flip-flop (310), the output (Q) of which with a data input (D) of a second D- Flip-flop (320) is connected, the output (Q) with a data input (D) of a third D flip-flop (330), the output (Q) as well as the output of the second D flip-flop (320) each with an input of an exclusive -Or gate (340) is connected, the output (edge) of which indicates whether the oscillator circuit (100) is oscillating. Random number generator according to Claim 12 , characterized in that the outputs (edge) of the exclusive-OR gates (340) of different oscillator circuits (100) of a matrix (M) are each connected to an input of an OR gate (32), the output of which is connected to the reset -Input of a counter (34) is connected, which counts up with a system clock, and whose overflow supplies a signal that the matrix (M) is not oscillating properly. Random number generator according to Claim 13 , characterized in that the overflow signals (noedge) of the counters (34) of the matrices (M) connected to the random number generator are each connected to an input of an AND gate (42) whose output signal indicates a total failure of the random number generator. Cryptographic circuit for executing symmetrical and / or asymmetrical cryptography methods, characterized in that it is constructed entirely in a single digital integrated circuit, including a true random number generator with robust, reliable, approximately maximum true randomness (entropy). Cryptographic circuit according to Claim 15 , characterized in that it uses a random number generator according to one of the Claims 1 until 14th includes.

Images