Word file - Worcester Polytechnic Institute

advertisement
Evaluation of Random Number Generators on FPGAs
A Major Qualifying Project Report:
submitted to the Faculty
of the
WORCESTER POLYTECHNIC INSTITUTE
in partial fulfillment of the requirements for the
Degree of Bachelor of Science
by
_____________________________
Brian J Abcunas
_____________________________
Sean P Coughlin
_____________________________
Gary T Pedro
_____________________________
David C Reisberg
1. Random Number Generator
Approved:________________________
Professor Berk Sunar
2. Cryptography
3. Jitter
________________________
Professor William Martin
1
2
3
4
Table of Contents
Background ............................................................................................................... 3
1.1
Random Number Generators .............................................................................. 3
1.1.1
Cryptography .............................................................................................. 4
1.1.2
Previous Random Number Generators ....................................................... 5
1.1.2.1 Pseudo Random Number Generators ...................................................... 5
1.1.2.2 True Hardware Random Number Generators ......................................... 6
1.2
Jitter..................................................................................................................... 6
1.2.1
Makeup of Jitter .......................................................................................... 7
1.2.2
Characteristics of Jitter ............................................................................... 8
Design Implementation............................................................................................. 9
2.1
Hardware Environment ....................................................................................... 9
2.1.1
Interface ...................................................................................................... 9
2.1.2
Design Flow .............................................................................................. 10
2.2
Software Environment ...................................................................................... 11
2.2.1
C Code Improvements .............................................................................. 11
2.3
Circuit Description ............................................................................................ 12
2.3.1
Design of the Ring .................................................................................... 12
2.3.2
Design Modifications ................................................................................ 13
2.4
Ways to Measure Jitter...................................................................................... 16
2.4.1
Ideal Methods............................................................................................ 16
2.4.1.1 Bit-Error-Rate-Testers .......................................................................... 16
2.4.1.2 Jitter Analyzers ..................................................................................... 17
2.4.2
Methods We Used ..................................................................................... 17
2.4.2.1 Matlab Analysis .................................................................................... 17
2.4.2.2 Histograms ............................................................................................ 18
2.4.2.3 Infinite Persistence ................................................................................ 19
Analysis .................................................................................................................... 19
3.1
Data Analysis .................................................................................................... 19
3.1.1
MATLAB Analysis ................................................................................... 19
3.1.2
Histograms ................................................................................................ 20
3.1.2.1 Jitter Width............................................................................................ 21
3.1.2.2 Long-term Jitter .................................................................................... 22
3.1.3
Infinite Persistence .................................................................................... 23
3.1.4
EZJIT ........................................................................................................ 24
3.1.5
Pulse Generator ......................................................................................... 25
3.2
Theoretical Analysis ......................................................................................... 26
3.2.1
Relatively Prime Period Lengths .............................................................. 26
3.2.1.1 Bin Setup ............................................................................................... 26
3.2.2
Rings of the Same Length ......................................................................... 27
3.2.2.1 Confidence Intervals ............................................................................. 28
3.2.2.2 Expected Value of n .............................................................................. 31
3.2.3
Layering with Phase Shift ......................................................................... 33
Conclusion ............................................................................................................... 38
2
1 Background
1.1 Random Number Generators
Random numbers generators are the key to modern cryptography .The general
definition of a random number generator is that it generates sequences that are random,
unpredictable in nature, and that cannot be reproduced. Creating a secure cryptographic
key to ensure confidentiality and integrity of information depends on the randomness of
the numbers used to generate the key.
Digital signatures are being used to insure that signatures cannot be faked, to
insure this, the randomness of the numbers has a direct impact on the security of the
signature. Today cryptosystems use long strings of bits to insure their security; common
lengths of these strings include 56, 128, and 164 bits. Breaking these frequently used
algorithms by trying the possible combinations of bits until the right one is found would
take a long period of time and considerable computing power. For example there are 1016
possible combinations for 56 bits and 1049 possible combinations for 164 bits. If someone
tried processing one combination every millisecond it would still take them a
significantly long period of time. However if even just one bit of a key can be predicted
from another bit, the time to process a decryption would be cut in half. Because a
decryption on average will find the correct key in n/2 attempts where n is the key length,
that one predictable bit can cut the effective security of the key by seventy five percent.
This example illustrates why random numbers are so important in ensuring modern
cryptography.
3
1.1.1 Cryptography
Cryptography has become a necessary part of the world today due to the mass
amounts of information being transferred at all times. Cryptography becomes especially
important for the assurance that this information remains intact, as well as authentic, and
confidential when being moved. This is why modern cryptography has moved towards
the use of random number generators to ensure security and privacy.
Cryptosystems, also known as cipher-systems, are methods of disguising or
encrypting a message so that only the intended recipients can decrypt it. Cryptography is
the art of creating or employing cryptosystems, while cryptanalysis is the opposite of
cryptography; it is the breaking of cryptosystems. Cryptology is the study of both
cryptography and cryptanalysis. Today cryptosystems are being used for many different
purposes. The most common purposes include confidentiality, integrity, and
authentication.
Confidentiality is the area that is most commonly thought of when cryptography
is mentioned. It is the element of cryptography that deals with taking a given message,
combining it with a cryptographic key, and returning encrypted text. Ideally, the plain
text information cannot be obtained from the ciphered text without knowing the
cryptographic key. Integrity is similar to confidentiality in that it uses cryptographic keys.
It can be verified by the attachment of a binary string unique to the information. This
binary string is signed using a cryptographic key, this resulting string is called a message
digest. The recipient of the information can then verify the integrity of the message by
decrypting the message digest using the sender’s public key to uncover the original
message digest. Then by generating the message digest of the information using the same
algorithm as the sender, the recipient can verify that the information has not been
4
tampered with during transit. Authentication is determining the identity of the entity you
are communicating with, be it a person, a company, or a machine. An example of
authentication involves a challenge and response, when a request for a communication is
initiated; a challenge is issued to the requester, consisting of a random number. The
requesting party then encrypts this random data with a password and returns it to the
challenger. The challenger then retrieves the requester’s password from a database,
encrypts the same random data with it and compares the results. If the results match, the
requesting party has been authenticated without ever transmitting a password.
The importance of cryptography in the world today can't be overstated. Which is
what makes the possibility of a true random number generator just as important because
of the security is could ensure.
[RSA Laboratories]
1.1.2 Previous Random Number Generators
There have been two types of random number generators that were typically used,
pseudo random number generators and hardware number generators. Pseudo random
number generators were more commonly used because they were assumed to be good
enough to ensure security, but with today’s advanced computers it has become necessary
to use true random number generators to guarantee confidentiality.
1.1.2.1 Pseudo Random Number Generators
The most common way of attempting to generate random numbers is by using a
software algorithm. This group of random number generators is known as pseudo-random
number generators because they all require a ‘seed’ or starting value and eventually the
values that are generated will begin to repeat. Typical seed values are generated through
5
the use of an algorithm using computer processes, interrupts, idle mouse movements, and
system time as inputs. The difficulty begins when creating an algorithm that starts with a
secret seed value that has a period of sufficient length. Despite these drawbacks pseudorandom number generators are very widely used. They are available for almost every
computer platform, they are simple to operate, and they require no additional hardware or
configuration. While pseudo-random number generators are adequate for noncryptographic applications, they are not secure due to the current available computing
power.
1.1.2.2 True Hardware Random Number Generators
In contrast to pseudo-random number generators, hardware random number
generators can produce truly random numbers. Hardware random number generators
typically operate by extracting data from a thermal noise source, or air turbulence from a
sealed disk drive, which is dedicated for that purpose. A new approach involves splitting
a stream of photons on a beam splitter to generate a quantum mechanical source of
randomness. Because they rely on naturally occurring noise for their source, hardware
random number generators do not rely on a repeatable algorithm. This however, does not
mean that every hardware random number generator is a true random number generator.
If the source of the randomness is deterministic in any way, it will not be able to produce
truly random numbers.
1.2 Jitter
Jitter is a companion of all electrical systems that use voltage transitions to
represent timing information. A simple definition of jitter is "The short-term variations of
a digital signal's significant instants from their ideal positions in time". A complex
6
definition of jitter is given as "The deviation from the ideal timing of an event. The
reference event is the differential zero crossing for electrical events and the nominal
receiver threshold power level for optical systems. Jitter is composed of both
deterministic and Gaussian (random) content". Jitter has become a way of generating
random numbers using signals that have naturally occurring noise. This makes jitter a
hardware random number generator, it can be created using many different signal
sources. Jitter is only theoretically described, and predictions can only be experimentally
verified, which is why it is hard to say if jitter can create true random numbers or not.
[Understanding Jitter]
1.2.1 Makeup of Jitter
The makeup of jitter consists of two components, deterministic and random jitter.
The importance of being able to distinguish between the two is seen when realizing the
importance of true random number generators versus pseudo random number generators.
Deterministic Jitter is always bounded in amplitude and has specific causes. Some
examples of deterministic jitter include duty cycle distortion, data dependent, sinusoidal,
and uncorrelated. Deterministic jitter is jitter that is repeatable and predictable. Because
of this, the peak-to-peak value of this jitter is bounded, and the bounds can usually be
observed or predicted with high confidence based on a reasonably low number of
observations. Usually deterministic jitter is caused by cross talk, simultaneously
switching outputs, and other regularly occurring interference signals. Cross talk occurs
when a line is affected by the magnetic field from a driver line. Simultaneous switching
outputs is caused by several output pins switching to the same state, causing a current
7
spike to occur on the Vcc and GND planes, these spikes can cause the threshold voltage
point to shift, resulting in jitter.
Random jitter is typically characterized by a Gaussian distribution, and will
continue to grow with time, which is why it is considered to be unbounded. Random jitter
is timing noise that cannot be predicted, because it has no discernable pattern. A classic
example of random noise is the sound that is heard when a radio receiver is tuned to an
inactive carrier frequency. Random jitter comes from thermal vibrations of
semiconductor crystal structures, material boundaries having less than perfect valence
electron mapping due to semi-regular doping density and process anomalies, thermal
vibrations of conductor atoms, and many other minor contributors. Like all physical
phenomena, the edge deviation, which occurs in electronic signals, will contain some
level of randomness. Random jitter is unbounded and therefore directly affects long-term
reliability. For the production of random numbers it is important to be able to
characterize and separate jitter, so as to insure the use of the random part of jitter instead
of the deterministic part.
[Understanding and characterizing timing jitter]
1.2.2 Characteristics of Jitter
Jitter is formed by the slight movement of a transmission signal in time or phase
that can introduce errors and loss of synchronization. More jitter will be encountered with
longer cables, cables with higher attenuation, and signals at higher data rates. Also, called
phase jitter, timing distortion, or intersymbol interference. Phase jitter is usually smaller,
but more rapid and random, but may be considered cyclic.
Jitter has always degraded electrical systems, and has been used to define and
8
identify or measure for compliance standards and design specifications. However it has
now been found to have a very useful characteristic, and that is the random numbers
which can be drawn from it. Now jitter can be used to help with cryptography and the
transfer of important information.
2 Design Implementation
2.1 Hardware Environment
The hardware environment for our project was centered around a Xilinx
reconfigurable Field Programmable Gate Array device which was connected directly into
the PCI bus of the host computer. Our hardware designs were then put onto the device
and were able to interface with it through the PC as well as examine waveforms and
outputs directly off the board using an oscilloscope.
2.1.1 Interface
The Ballynuey board which houses the Xilinx board was connected directly into
the PCI bus of the computer, so all access to the board was done through the computer
and not with an external programming device. The board came with hardware
components that could be used to set up registers to access, create FIFOs or other
structures for data extraction, and easily interface it all with the PC.
These hardware components came in the form of VHDL modules. These
components were already integrated into the design from the previous year’s project, so
this interface was already working correctly when we started the project. We did not
change any of the interface components in the design since they already worked
correctly. Only the oscillator rings and enables were modified by our designs. The
9
interfaces allowed data to be pulled from the chip using software on the computer which
will be discussed n the software section.
2.1.2 Design Flow
The design flow for getting our hardware designs onto the board came had three
steps. First the VHDL code was created, then compiled for the specific device, and
optimized for performance by the Xilinx tools.
We used ModelSim for editing and simulating our VHDL modules. We were able
to edit code, access libraries of functions, and then simulate modules to ensure that they
were behaving correctly. The code we constructed did not require much simulation since
simulation of the ring oscillation was not possible in ModelSim, but it was used for cases
of debugging certain sections of code.
Once the VHDL files were created, the FPGA compiler tool was used to compile
our modules together into an entity and create a netlist. This compiler also performed
some optimizations of the components to increase performance. Since we sometimes did
not want this to happen in our design, steps had to be taken so that components were not
optimized out. We used attributes on certain components to retain them.
The final step was using Xilinx Design Manager to finalize the design. The design
manager allowed us to do timing analysises, edit the floorplan of the chips, and edit user
constraints. This gave us maximum control over how our designs were implemented,
right down to the bit by bit layout. The final product of the Design Manager was a BIT
file which could then be physically loaded onto the chip and program it. This BIT file
was then transferred to the host computer so that it could be loaded onto the board.
10
The specifics of these programs can be found in the Appendix. These details
include an explanation of options used and why, as well as a more detailed explanation of
the flow.
2.2 Software Environment
The PC software environment consisted of a user level C program that interfaced
with the Xilinx chip. The program implemented a class of functions provided by
Ballynuey to interface with the hardware modules on the board. These functions allowed
the programmer to load and unload BIT files, close and open the board, and easily access
the registers that had been set up to transfer data between the board and PC. Once again,
the previous year’s project already had a the C program working, but it did not work well
for the purposes of our MQP, so we made several modifications.
2.2.1 C Code Improvements
The previous year had used only one or two bit files to program the chip since
their task was to create a RNG, which only required one entity with several rings in it.
We wanted to look at rings of several lengths, but we needed them isolated. Therefore,
we had several BIT files, each of which had only one ring on it, and needed a better way
to easily load the files. Also, there was no way to load a different BIT file without ending
the program and restarting it which took time and was very annoying.
We set up a menu in the program so that the user could simply choose the
required BIT file from the menu and it would load. We also added an unload function so
that a new BIT file could be loaded without exiting the C program and restarting it. These
changes took some time to implement but saved us an immeasurable amount of time later
on with its ease of use.
11
We eliminated parts of the code that were no longer needed such as ring enables
and optimized it as best we could. The functions that extracted the bit streams from the
RNG were retained in case they were needed at a later date.
2.3 Circuit Description
The design we used to create our source of jitter was an oscillator ring made up of
an odd number of inverters. A tap was put on one of the nodes of the ring and connected
to an external output pin so it could be examined on an oscilloscope. The output of this
ring was a square wave with a period that was dependent on the number of inverters in
the ring.
2.3.1 Design of the Ring
The inverters in the ring were created using Look-Up Tables (LUT) in our VHDL
code. Building them this way gave us a more realistic inverter with a greater propagation
delay. While the delay, approx 1- 2 nanoseconds, was still quite small, this slight increase
allowed us to build rings of a certain period without using hundreds of inverters.
Previous work with this design used rings with very small numbers of inverters in
order to place many rings on the chip. These rings had a range of 3 to 15 inverters in
them. We examined rings with these amounts of inverters and found that they did not
create a stable square wave. Rather, they were rounded off and not good for accurate
measurements.
We wanted to get waves that had a definite square shape so that we could more
easily measure the jitter at the edges. With this in mind, we examined rings with greater
numbers of inverters and thus larger periods. A stable wave was formed around 21 – 27
inverters, so we chose 25 inverters as a minimum number to have. Waves with less
12
inverters were not considered stable enough to provide the measurements we were
looking for. The rings used in our project would all have this number of inverters or
more.
An idea that was suggested to us by General Dynamics was to use rings that were
relatively prime. The theory behind this was that when these rings were layered together,
relatively prime numbers would have less of a chance of overlapping each other so more
space would be covered. Using this theory and the ring size information we had found
earlier, we came up with ring sizes to use for all of our tests: 25, 41, 57, 67, 83, and 101.
These sizes refer to the number of inverters in the rings, not the actual periods. It was not
feasible to create waves with exact integer periods, so the best estimate we could do was
choose the periods since they were linearly connected to the periods.
2.3.2 Design Modifications
Once we agreed on this initial design, we implemented it and began taking
measurements. However, once we started new problems arose that needed to be
addressed, and we became aware of areas that needed improvement.
One area that we believed needed modification was the construction of the rings
themselves. The previous ring design was actually not made up of purely inverters. A
NAND gate was substituted for one inverter to be a ring enable so that the ring could be
disabled. This was used the previous year so that rings could be turned on and off in order
to try different combinations. However, we wanted to analyze the characteristics of a ring
of purely inverters, so we did not like an extra gate with a different gate delay in the
middle of the ring. We also had no need to disbale or enable rings.
13
We fixed this problem by taking out the NAND gate and replacing it with an
inverter. The synthesis tool at first did not allow this design since there was no input
connected to the ring, but we were able to manipulate it so that it remained. The details of
this process can be found in Appendix XXXXX. We now had a pure inverter ring to take
measurements from.
The next problem we had involved the layout of the gates on the chip, or the
floorplan of the chip. When Xilinx Design Manager arranged the gates on the chip, it
placed them arbitrarily. Whenever a new chip was created with a 25-inverter ring, it
would not always be located in the same place on the chip or with the same distances
between inverters. The distances between each inverter affected the period of the ring
since there was more of a delay to travel a longer distance. Thus, each time we made a
new chip with a 25-inverter ring, it would have a different period. This was not good for
keeping measurements uniform or trying to layer rings together, since you could never be
sure what the period was. We needed a way to be sure each ring had a constant period.
The resolution to this was to find a way to place each ring in the same place on
the board and have the inverters be equidistant in the chain. We were able to specify the
location of each inverter in the constraints file for the design. We placed the chin in a
straight line with the last inverter looping back to the first. Each inverter was equidistant
from the next in line. By applying this to all rings, we now had the constant periods we
needed.
An added result of this floorplanning was that the linear relationship between the
number of inverters and the period became more linear. The floorplanning made the rings
14
more uniform and eliminated as much possible error as possible. The graph below shows
this change.
Figure 1 Ring Period Trends
The graph at the top shows the plot using periods from rings that had not been
floorplanned. You can see that the 57 and 67 inverter rings are not close to the line of
best fit. There is some error there caused by the placement of the rings.
The bottom graph shows the floorplanned rings. Each point is almost perfectly on
the line showing the nice, linear relationship. We used this line to determine an equation
relating the number of inverters and the period length.
T = 1.7708 x N - .109
(1)
15
T is the period and N is the number of inverters in the ring. With this equation, we
now had a way to predict periods given a number of rings and vice versa. This could be a
very useful tool in future designs since the designer could calculate a ring to suit any
need.
2.4 Ways to Measure Jitter
2.4.1 Ideal Methods
Many methods are available for measuring jitter. Several of these methods consist
of using costly equipment and resources that were unavailable to us during this project.
Two of these methods are bit-error-rate testers and Jitter analyzers. When compared to
our most useful method, the real-time oscilloscope, it is apparent that the two unavailable
methods have a much higher data rate, and therefore, could measure jitter with much
greater precision.
Figure 2 Data Rates of Jitter Analysis Methods
2.4.1.1 Bit-Error-Rate-Testers
The BER tester uses a simple method to measure jitter. A pseudo-random bit
sequence is sent by the tester to the system being tested. The tester then receives the new
combined signal and compares it to the original pseudo-random sequence. This method
16
makes it possible to obtain an exact bit-error-rate measurement, since the tester can be
sampled at rates as high as 40 gigabits/second.
As precise as this method is, its one drawback is the time required to obtain
results. A BER test can take several hours. An alternative to the BER test, which keeps
much of its desired precision, is known as the BERT scan. The BERT scan utilizes
statistical methods to achieve similar results while using less computation cycles.
2.4.1.2 Jitter Analyzers
Jitter analyzers are more useful than BER testers in helping uncover a specific
source of jitter. They operate by detecting the edges of a signal and measuring the
differences between them. This data is then used to create histograms and frequency plots
that help track down sources of jitter. Although a jitter analyzer has a lower maximum
data rate when compared to the BER tester, it is able to predict BER data in less time than
using a BER tester. Data can be calculated so quickly that jitter analyzers can be installed
directly into test systems for real-time jitter analysis.
2.4.2 Methods We Used
Since we did not have the equipment to measure jitter using a BER tester or a
jitter analyzer, we were forced to use different methods to measure and characterize jitter.
Four different methods were used. Some methods were more successful than others.
These methods were MATLAB analysis, histograms, infinite persistence, and n-cycle
measurements.
2.4.2.1 Matlab Analysis
One form of jitter that we sought out to measure was N-cycle jitter. N-cycle jitter
is jitter that is measured when one period is compared to the period preceding or
17
following it. Unfortunately, the oscilloscope operates at a speed that is much too high to
measure a large number of individual periods. The oscilloscope did, however, allow us to
export large amounts of data to be analyzed by outside means. This data was very useful
for N-cycle jitter analysis because the data is consecutive, comparable to slowing down
the oscilloscope’s data rate and reading the results. This data was ready to be imported
into MATLAB.
The MATLAB analysis method was very easy to implement. We used simple yvalue data from the scope, knowing that each sample was the same distance away from
the next one. After importing the data into MATLAB, setting a voltage threshold made it
able to clearly measure the number of samples of each period. The threshold created a
signal that was either high or low, with no values in between. Formatting our signal this
way allowed us to standardize our periods, while leaving the edges untouched so they
could be measured. We then measured and recorded the length, in samples, of each
period within the signal. We recorded the lengths of 25 consecutive periods for each set
of inverters. After recording these period lengths, it was then possible to compare them to
determine a jitter width, which we measured by comparing the smallest period and the
largest period. Multiplying that range by the oscilloscope’s sampling rate provided us
with a jitter with in nanoseconds.
2.4.2.2 Histograms
As we became more familiar with the oscilloscope, we realized some of the
advanced features it had to offer. One major feature of it was its ability to create
histograms. We set up the histogram on a set point on either the rising or falling edge of
our signal, and let the signal run. Each time the same point in each new period occurred,
18
its position compared with the position set for the histogram was recorded and added to
the graph, which is shown underneath the signal. After allowing the signal to run for
some time, it was easy to see the distribution that the jitter created. Along with the plot
created by the oscilloscope, the scope provided us with a statistical analysis of the newly
formed data. The amount of data within 1,2, and 3 standard deviations was given, which
greatly helped us to see what kind of distribution the jitter was creating.
2.4.2.3 Infinite Persistence
As well as standard histogram graphs, we used the oscilloscope in infinite
persistence mode to view the jitter in a different way. Infinite persistence mode is useful
in this application when the signal is triggered on an edge of the signal. When set to
infinite persistence mode and allowed to run, the screen retains the varying results of
each period that would normally quickly disappear in normal operation. Since each result
is displayed, a wide signal is shown on either the rising or falling edge of the signal,
showing the jitter contained in the signal. When combining this display with the
measurement cursors of the scope, it is possible to measure the jitter of the signal.
3 Analysis
3.1 Data Analysis
3.1.1 MATLAB Analysis
The data collected by the MATLAB analysis method proved not to yield many
useful results. The amount of data exported by the oscilloscope was not sufficient enough
to provide a wide and consistent range of periods. The period range in the table is the
difference between the smallest and largest period in each set of periods for the
corresponding number of inverters. As the table shows, the period range varied from 4 to
19
11 samples, with no distinguishable pattern between rings. The period range was then
multiplied by the number of samples per period to calculate an equivalent jitter width,
measured in nanoseconds. Again, due to an insufficient amount of data, there are major
differences between some of the rings; although it is promising that several rings show a
similar jitter width close to 0.5 nanoseconds. This shows some hope that the jitter in each
ring is somewhat consistent, but does not give many other helpful conclusions. Some of
our other methods proved to be much more successful.
Table 1 MATLAB Results for Selected Rings
Number of Inverters
25
Period Range
(in samples)
4
Equivalent Jitter Width
(ns)
0.501
41
5
1.379
57
11
0.502
67
4
0.503
83
5
0.628
101
6
0.502
3.1.2 Histograms
Histograms proved to be our most useful form of measuring the width of a jitter.
They contributed not only the actually width of the jitter, but also showed that there was
some non-deterministic components to the jitter that we were measuring. In order for the
measurement to be random, the distribution of the wave crossing a certain threshold has
to follow a Gaussian distribution. The threshold we chose was 2V because it was in the
middle of all the rising and falling edges. In order for a histogram to be Gaussian 68% of
the data must fall within one sigma, 95% must fall within two sigma and 99.7% within
three sigma. Evidence for a deterministic jitter could include bimodal distributions or
20
heavily skewed histograms. The measurements we took on all six rings proved to be
random because they all were within .5% of all three requirements. This slight
discrepancy is expected since the histogram will change slightly every time you sample.
Below is an example of a histogram measurement.
Figure 3 Rising Edge Histogram of a 83 Inverter Ring
3.1.2.1 Jitter Width
The histograms provide us with a mean and a standard deviation. The mean is not
the important piece of information since it depends on which cycle of the wave you
sample. We used the standard deviation to give us the width of the jitter. Since 95% of
the data fell within two sigma of the mean, we chose four sigma as our width; two on
either side of the mean. Below is a table of the rising edge and falling edge jitter widths
for all six rings we used.
21
Table 2 Jitter Widths
# of Inverters Rising Edge Falling Edge
25
0.2827
0.3574
41
0.3146
0.346
57
0.3888
0.2914
67
0.3393
0.3374
83
0.4471
0.3666
101
0.456
0.4147
As can be seen in the table, there isn’t a significant increase in the jitter widths with the
increase of inverters. We are not only concerned with the width of the jitter alone, but
also the amount of the period the jitter takes up. Below is a graph of the percentages of
the period the jitter takes up.
1.6
1.4
1.2
1
0.8
0.6
0.4
0.2
0
25
41
57
67
83
101
Figure 4 Jitter Width as % of Period
As you can see, the percentage drops significantly. If we were to sample just the one ring
with a 101 inverter, the chance of us sampling on jitter is very small. This will suggest
that there is a maximum numbers of inverters that we should use.
3.1.2.2 Long-term Jitter
There are two types of long term jitter that we were concerned with. The first is
the effect of letting the wave run for an extended period of time. We let a ring of 101
22
inverters run for a half hour and checked it periodically to see if the jitter width was
affected any. Below is a table of the jitter widths over time.
Table 3 The Affect of Time on Jitter
Minutes
2
4
8
16
32
Jitter Width (ns)
0.4407
0.4407
0.4402
0.4439
0.4472
The jitter changes very slightly even up to 32 minutes. So one can conclude that letting
the wave run for an extended period of time will not change the jitter any.
The other form of long-term jitter we were concerned with was the jitter width of
a period n-cycles away. We wanted to see if the width followed a pattern.
Table 4 N-Cycle Jitter
45
40
35
30
25
20
15
10
5
0
1
50
200
400
1000
The jitter appeared to be following a linear pattern until around 300 periods away. As
can be seen it dropped off there only to jump back up 500 periods later. This occurred in
all six rings. We are not sure the cause of this and did not have sufficient time to
investigate further.
3.1.3 Infinite Persistence
In order to determine the best and worst case scenarios for the length of the jitter,
we used the oscilloscope and the infinite persistence mode. By using the infinite
23
persistence mode, we could see and measure how the wave moved over time. The
compiling of all the different voltage levels the wave passed by, we were able to see what
the smallest amount of jitter could possibly be. Below is an example of infinite
persistence, as a possible measurement technique for the jitter length. In this
measurement, we found the length of the jitter to be approximately 5.2 nano seconds, but
as we found, this was not a very accurate reading of the jitter, in fact it is much higher
than we actually found the jitter to be. So this led us to believe that this was not the best
method for measuring the length of jitter.
Figure 5 Infinite Persistence of a 101 Inverter Ring
3.1.4 EZJIT
Using the EZJIT program loaned to us, we were able to get Fast Fourier
Transforms (FFT) of our waves and find out the main sources of the noise in the jitter.
24
We used many different techniques with EZJIT, including N-Cycle, Cycle to Cycle, and
TIE methods. An example of a 10-Cycle measurement we took, is shown below, as the
pink line at the bottom of the scope’s screen. As is shown, the FFT measured two large
peaks that were in the 119 kilo Hertz range, and the 236 kilo Hertz range.
Figure 6 10 Cycle Measurement
3.1.5 Pulse Generator
Using the pulse generator, we were able to try and create square waves similar to
the ones we were making in the circuit, so as to get a more exact square wave. This also
meant that we were able to determine the true source of the jitter. We attempted a few
different experiments using these square waves to test the jitter results we had previously
obtained. One was to test for jitter in a square wave straight from the pulse generator;
another was to test the jitter of the square wave that had been sent from the pulse
25
generator through the board in an input pin and back out an output pin. Lastly we took the
square wave and put it through the board, but this time we put it into a ring and then took
it’s output, we intended to try and just put it through a line of inverters, but we were
unable to implement this idea, so we took the results of the wave through the ring.
3.2 Theoretical Analysis
3.2.1 Relatively Prime Period Lengths
After running into the phase drift problem we attempted to take advantage of the
different period lengths. The plan was to choose many rings of different length and XOR
them leaving only 0’s and jitter. With this method we could utilize enough rings to
completely fill the period with jitter, thus making sampling of the wave completely
nondeterministic. In order to improve efficiency of each ring, we would have to choose
rings that were relatively prime to each other. If the rings were multiples of each other or
had many similar factors the jitters would over lap in many places which would not
improve the entropy. The idea is to have as few overlaps as possible, so relatively prime
rings would work the best.
3.2.1.1 Bin Setup
The easiest way to think of filling the spectrum with jitter is to break the period up
into n bins of equal length. Each bin will be as wide as the average jitter for the ring. We
then want to use enough rings to fill each bin with jitter. To do this we consider r rings
of period lengths ti..tr respectively. Each bin will be assigned an integer value n. To be
sure we have hit each bin we need to know the starting point of each ring, call it si. So to
hit each bin greater than the last starting point, for all n  max( si ) , there must be a
solution k to the equation
26
n  k * ti  si for some i=1...r (1)
To see if this is possible consider a possible starting point
ui  si mod ti (2)
We want to see if we can construct a series of n’s that will not be hit by a ring. The
Chinese remainder theorem says there is a solution n to
n  u1 mod t1
n  u2 mod t2

n  ui mod ti
Since ui is not a starting point of any of the rings, all multiples of ti added to ui will be
missed. So there will be an infinite number of bins missed, namely all n’s that satisfy the
above equations.
Another problem with using this idea is that the rings do not have a definite
period. The periods change randomly and follow a normal distribution. Therefore we
cannot assume that there will be a solution k to equation (1). The period may only
partially fall into a bin and therefore not completely fill it. This only adds to the Chinese
remainder theorem problem. So we were forced to consider another option.
3.2.2 Rings of the Same Length
Our next idea stemmed from two of our previous problems. These two problems
are the phase shift and the nondeterministic period length. Since these two occurrences
could not be predicted accurately, we decided to use their randomness to fill the bins by
using many rings of the same length. The set up for this method is the same as the
previous attempt with n bins of equal length. The idea is to use enough rings to be a
certain percentage confident that all the bins will be hit randomly at least once. Since
27
both the period lengths and the starting points are random the jitter can land anywhere
within the set of bins.
3.2.2.1 Confidence Intervals
An easy way to consider this is as a sampling problem with replacement. We will
attempt to find the probability that the bins were filled in n samples or less. We aren’t
concerned with hitting the same bins multiple times as long as we hit all the bins at least
once. That way when we sample, the entire period will be jitter. To get these confidence
intervals we needed to form a cumulative distribution function (cdf). Once we obtain a
cdf for the probability of hitting all bins, we need to find the minimum number n at which
P ( N  n)  CI (3)
where CI is the specific confidence interval we are looking for.
To find the cdf we use inclusion-exclusion. Consider an alphabet
A={1,2,..,m} where m is the number of bins
Let the universe
U=An (4)
all the possible combinations of A, ie {1, 11, 112, …}, where n is the number of samples
taken. Therefore the cardinality of
U  mn (5)
Define G as all the combinations where every bin is sampled at least once. So we want to
find
P ( N  n) 
G
(6)
U
28
Since we already found U , we just need to find G . Let Bk be all the sets of samples
where at least k bins were missed. To find G we need to look at the universe and
subtract all occurrences where at least one bin was missed. In doing this samples will be
over-counted and will have to be subtracted until all the bad sets are counted only once.
So
G  U   Bk   Bk    (1)m 1
k 1
k 2
B
k  m 1
k
(7)
For each sample in Bk there are m-k different possibilities to choose. So for n samples
there are (m-k)n different options. Thus
Bk=(m-k)n (8)
For each Bk, there are (m choose k) different combinations of the bins that are missed.
Since the number of different possibilities is independent of which bins are missing we
can just multiply the number of arrangements by the number of possibilities. Substituting
equation (5) and (8) gives
 m
 m
 m  n
(1) (9)
G  mn   (m  1) n   (m  2) n    (1) m 1 
1
 2
 m  1
Note
 m
mn   (m  0) n (10)
0
Combine the summation to get
 m 
(m  k ) n (11)
G   (1) k 
k 0
m  k 
m
To simplify Let m-k=i
29
m
 m
G   (1) m  i  i n (12)
i 0
i
Substituting equations (11) and (5) into (6) gives
m
P ( N  n) 
 (1)
 m n
 i
 i  (13)
n
m i
i 0
m
In order to find the confidence intervals, plug in different n’s until P(N<n) is
equal to the confidence interval you are looking for. Below is a list of confidence
intervals starting at 50% and incrementing by 5% up to 99%. Three of the rings we used
are shown in the table, the lowest, the highest and the middle ring. The number of bins m
was computed by dividing the average period for the ring by the average length of jitter.
For example the number of bins for the 101 inverter ring is 178.7/.8708=205. We used as
an approximation m=200.
Table 5 Confidence Intervals for 101, 57 25 Inverters
% confidence
# rings 101
# rings 57
# rings 25
50%
1135
807
323
55%
1162
828
333
60% 65%
1193 1227
852
877
344
357
70% 75%
1265 1307
905
937
369
383
80% 85%
1360 1422
975 1022
400
423
90% 95%
1507 1650
1086 1194
453
502
99% # bins
1975
200
1440
150
616
70
30
2500
2000
101
1500
57
1000
25
500
0
50% 60% 70% 80% 90% 99%
Figure 7 Graph of Table 1
As you can see, in order to get a 99% confidence that all the bins are filled for the ring
with 101 inverters, you need approximately 2000 rings. As can be seen by looking at the
table, the necessary number of rings for 99% confidence is about ten times the number of
bins m.
3.2.2.2 Expected Value of n
Now that we have a way to find confidence intervals, it is also useful to find an
equation for the expected value. The expected value is a weighted average of all possible
outcomes. The standard formula for the expected value is
Ex   n * p(n) (14)
n
Since equation (13) only gives the probability that N<n, we need to subtract the
probability that n occurred previously. So
P(N=n)=P(N<n)-P(N<n-1) (15)
Substituting (13) into (15) gives
31
m
 m
m i  m  n


(

1
)
i
(1) m  i  i n 1


i
   i 0
i
(16)
P ( N  n)  i  0
n
n 1
m
m
m
Combining the fraction yields
m
m
 m
 m
m n 1  (1) m  i  i n  m n  (1) m  i  i n 1
i 0
i 0
i
i
(17)
P ( N  n) 
n n 1
mm
Note mn=m*mn-1
m
m
 m
 m
m n 1  (1) m  i  ii n 1  mmn 1  (1) m  i  i n 1
i 0
i 0
i
i
(18)
P ( N  n) 
n n 1
mm
Simplifying gives
m
P ( N  n) 
 (1)
m i
i 0
 m  n 1
 i (i  m)
i
(19)
mn
Since we are looking for the expected value, we need to substitute (19) into (14)
m

En 
n
 (1)
m i
i 0
n  m 1
 m  n 1
 i (i  m)
i
(20)
mn
Note that P(N=m-1)=0 since you need at least m samples to hit all the bins. Substituting
n=m into (19) does not give us P(N=m-1)=0 so we need to add this term to equation (20).
So the expected value is
m
 (1)
En  m i  0
 m m
 i
i 
m
m
m i
m

n
n  m 1
 (1)
i 0
m i
 m  n 1
 i (i  m)
i
(21)
mn
In order to compute the expected value accurately, it is necessary to go to a very
large n. We chose n to be the number of bins necessary to achieve a 99% confidence
32
interval. In order to compute this number many calculations are necessary.
Unfortunately we do not have a program capable of handling such a large calculation. So
as an approximation for the expected value, we will just look at the 50% confidence
interval. Below is a graph showing the expected values for all six rings we used using
this approximation.
Table 6 Approximation of Expected Values
# Inverters # bins
25
41
57
67
83
101
E(x)
69
110
150
175
180
200
323
557
807
968
1001
1135
As you can see the expected values are extremely high. Due to its size it may be
impossible to fit all the rings necessary to cover the spectrum with jitter onto the chip.
Instead of trying to get a more uniform wave by adding inverters, it may be more
beneficial to use as few inverters as possible so as to be able to fit all the rings onto one
chip.
3.2.3 Layering with Phase Shift
One of the original ideas we had was to XOR two rings of the same length and
since they had the same period, the XOR function would cancel out the similar high and
low parts of the wave and leave only the jitter. After this was done, we could layer
several of these rings so that we filled a period with jitter. As explained earlier, we found
this idea to be impossible to do for two reasons. First, we could not synchronize the
starting positions of the two different rings so they could be out of phase from the start.
Second, even though they had the same number of inverters and theoretically would have
the same period, this was physically untrue. No matter how well we floor planned the two
33
rings to be identical, the periods were always slightly off and caused the waves to drift
past each other. Although this original idea failed, it led to us developing a new idea
based on the same philosophy.
Our idea was simple. We needed two rings with identical periods that we knew
would start in phase, so why not use the same ring. One ring would obviously have the
same exact period as itself and always start in phase, but we needed a way to somehow
make it so that we could XOR the ring with itself and get useful results.
Our second idea was to insert a delay in the ring output in order to cause a small
phase shift. We could then XOR this phase-shifted ring with itself, thus getting the jitter
isolated in the small phase shift of the rings. We then took it a step further and figured
that if we could do this once, why not do it for the whole period of the wave. If we could
phase shift the wave for the whole period, the entire period would be filled with jitter.
And since there would be no drifting due to mismatched periods, it would never falter or
get out of sync. We now went about trying to implement this design.
Our first idea was to simply add a buffer to the output wire leaving the ring. A
basic diagram of this idea is shown below in Figure XXX. In this way, we would have
the ring itself, and then a chain of buffers with wires coming out in between each buffer
going to be XOR’d together. The buffers would provide the delay that we needed without
changing the wave.
34
Figure 8 Phase Shift First Design
This design seemed perfect but we could not implement it. The Synopsis tool
optimized the buffer chain out of our design no matter what option we tried to leave it in.
The tool saw the chain as pointless because it did not affect the signal at all, and could
not understand the use of it as a delay going into the XOR. It thus eliminated the chain
and the XOR gate since it only saw the XORing of a signal with itself. Our idea was still
good but we needed another way to implement it.
Once again our next idea was a very simple one. We had been trying to bring in
an external chain to provide our delay, but we already had a chain of items causing a
delay in the design: the ring itself. The chain of inverters were already creating delays, all
we had to do was utilize it. This design is shown below in Figure XXX. We connected
output wires to nodes in the ring itself instead of a buffer chain, and then sent them out of
the board to examine. We did not hook them up to an inverter at first since we wanted to
examine the waves individually to see the delay and if our idea actually worked.
35
Figure 9 Phase Shift Second Design
Our implementation was successful. We brought three waves out from the board
to examine on the oscilloscope. A picture of the three output waves with infinite
persistence turned on to show their cumulative jitter is shown below in Figure XXX. The
three waves had identical periods and were slightly out of phase. There was no drift at all
among the waves. One aspect we noticed was that since these were inverters, not buffers,
one of the waves was inverted. At first we thought this would be a problem, but then
decided it was fine. Even though the wave was inverted, the jitter was still in the same
location, only it was rising instead of falling, or vice versa.
36
Figure 10 Phase Shift Display with Infinite Persistence
Overall, we saw what we expected to see and proved that our theory could work.
With enough outputs and oscilloscope hookups, we could have had enough phase shifted
waves so that the entire period was filled with jitter. We could then use the XOR to
combine all the rings, and have a final wave that could be sampled at any frequency and
be assured that it was sampling jitter. Due to time constraints however, we were never
able to examine the XOR result of the rings. We only had time to show the concept
worked, and that it would be possible to phase shift a ring with itself.
The advantages of this design would be that it only needed one ring to function.
Many of the other ideas we looked at to fill a spectrum with jitter needed hundreds of
rings, so space wise this would be a much better method. It is also a very stable design,
not like some of the other designs that are based on probabilities and confidence
intervals. This method was straightforward and predictable.
37
Some disadvantages would be that the phase shift would cause the jitter to repeat
itself during every half period. Therefore, if the sampling frequency of a system was
greater than twice the frequency of the ring, it could possibly sample the same jitter
twice, which would not be advantageous. Also, we were not able to test the XOR output,
so we have no proof of a method to combine all these phase-shifted signals into one
signal that we could sample.
Despite any disadvantage, we believe this design has a lot of potential and should
be highly considered by future groups for more testing and analysis. The possibility of
creating a true random number generator with only one ring is high enough a reward to
try, especially with the positive results were able to attain. With more testing and work,
we believe this design will be best suited for a random number generator.
4 Conclusion
We began this project with the intent of proving whether it is possible to develop
a true random number generator using reconfigurable logic platforms. Our data suggests
that since the jitter followed a Gaussian distribution, it is possible to create a random
number generator. While we have no way of proving the entropy of a the source, we
believe these measurements give a good indication of the non-deterministic nature of the
jitter. We also showed that the major source of the jitter is from external sources in the
computer, not the ring itself. We believe that the idea that the ring was creating the jitter
is not accurate, and that a sponge analogy is much better, where the ring is thought to be a
sponge absorbing the jitter from sources around it. A more in depth analysis of what these
38
sources are and how they contribute to the jitter is necessary to gain a full understanding
of the jitter and perhaps begin to measure its actual entropy.
We have discovered two possible ways to manipulate the jitter to make a RNG.
Using rings of the same length it is possible to fill a period with jitter; however it requires
a large number of rings. If one were to take this path, we would suggest using a ring of
around 41 inverters so as not to need too many rings on one chip. The other possibility
would be to use the phase shift design. Since we were restricted on time we have not had
the chance of fully exploring this idea, but since it would work using only one ring, we
believe it is the concept most worth researching further because of its possibilities.
In closing, we believe that a true random number generator is feasible on
reconfigurable logic because the source being used is non-deterministic and methods
exist to ensure that this source can be sampled confidently.
39
Download