Evaluation of Random Number Generators on FPGAs A Major Qualifying Project Report: submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE in partial fulfillment of the requirements for the Degree of Bachelor of Science by _____________________________ Brian J Abcunas _____________________________ Sean P Coughlin _____________________________ Gary T Pedro _____________________________ David C Reisberg 1. Random Number Generator Approved:________________________ Professor Berk Sunar 2. Cryptography 3. Jitter ________________________ Professor William Martin 1 2 3 4 Table of Contents Background ............................................................................................................... 3 1.1 Random Number Generators .............................................................................. 3 1.1.1 Cryptography .............................................................................................. 4 1.1.2 Previous Random Number Generators ....................................................... 5 1.1.2.1 Pseudo Random Number Generators ...................................................... 5 1.1.2.2 True Hardware Random Number Generators ......................................... 6 1.2 Jitter..................................................................................................................... 6 1.2.1 Makeup of Jitter .......................................................................................... 7 1.2.2 Characteristics of Jitter ............................................................................... 8 Design Implementation............................................................................................. 9 2.1 Hardware Environment ....................................................................................... 9 2.1.1 Interface ...................................................................................................... 9 2.1.2 Design Flow .............................................................................................. 10 2.2 Software Environment ...................................................................................... 11 2.2.1 C Code Improvements .............................................................................. 11 2.3 Circuit Description ............................................................................................ 12 2.3.1 Design of the Ring .................................................................................... 12 2.3.2 Design Modifications ................................................................................ 13 2.4 Ways to Measure Jitter...................................................................................... 16 2.4.1 Ideal Methods............................................................................................ 16 2.4.1.1 Bit-Error-Rate-Testers .......................................................................... 16 2.4.1.2 Jitter Analyzers ..................................................................................... 17 2.4.2 Methods We Used ..................................................................................... 17 2.4.2.1 Matlab Analysis .................................................................................... 17 2.4.2.2 Histograms ............................................................................................ 18 2.4.2.3 Infinite Persistence ................................................................................ 19 Analysis .................................................................................................................... 19 3.1 Data Analysis .................................................................................................... 19 3.1.1 MATLAB Analysis ................................................................................... 19 3.1.2 Histograms ................................................................................................ 20 3.1.2.1 Jitter Width............................................................................................ 21 3.1.2.2 Long-term Jitter .................................................................................... 22 3.1.3 Infinite Persistence .................................................................................... 23 3.1.4 EZJIT ........................................................................................................ 24 3.1.5 Pulse Generator ......................................................................................... 25 3.2 Theoretical Analysis ......................................................................................... 26 3.2.1 Relatively Prime Period Lengths .............................................................. 26 3.2.1.1 Bin Setup ............................................................................................... 26 3.2.2 Rings of the Same Length ......................................................................... 27 3.2.2.1 Confidence Intervals ............................................................................. 28 3.2.2.2 Expected Value of n .............................................................................. 31 3.2.3 Layering with Phase Shift ......................................................................... 33 Conclusion ............................................................................................................... 38 2 1 Background 1.1 Random Number Generators Random numbers generators are the key to modern cryptography .The general definition of a random number generator is that it generates sequences that are random, unpredictable in nature, and that cannot be reproduced. Creating a secure cryptographic key to ensure confidentiality and integrity of information depends on the randomness of the numbers used to generate the key. Digital signatures are being used to insure that signatures cannot be faked, to insure this, the randomness of the numbers has a direct impact on the security of the signature. Today cryptosystems use long strings of bits to insure their security; common lengths of these strings include 56, 128, and 164 bits. Breaking these frequently used algorithms by trying the possible combinations of bits until the right one is found would take a long period of time and considerable computing power. For example there are 1016 possible combinations for 56 bits and 1049 possible combinations for 164 bits. If someone tried processing one combination every millisecond it would still take them a significantly long period of time. However if even just one bit of a key can be predicted from another bit, the time to process a decryption would be cut in half. Because a decryption on average will find the correct key in n/2 attempts where n is the key length, that one predictable bit can cut the effective security of the key by seventy five percent. This example illustrates why random numbers are so important in ensuring modern cryptography. 3 1.1.1 Cryptography Cryptography has become a necessary part of the world today due to the mass amounts of information being transferred at all times. Cryptography becomes especially important for the assurance that this information remains intact, as well as authentic, and confidential when being moved. This is why modern cryptography has moved towards the use of random number generators to ensure security and privacy. Cryptosystems, also known as cipher-systems, are methods of disguising or encrypting a message so that only the intended recipients can decrypt it. Cryptography is the art of creating or employing cryptosystems, while cryptanalysis is the opposite of cryptography; it is the breaking of cryptosystems. Cryptology is the study of both cryptography and cryptanalysis. Today cryptosystems are being used for many different purposes. The most common purposes include confidentiality, integrity, and authentication. Confidentiality is the area that is most commonly thought of when cryptography is mentioned. It is the element of cryptography that deals with taking a given message, combining it with a cryptographic key, and returning encrypted text. Ideally, the plain text information cannot be obtained from the ciphered text without knowing the cryptographic key. Integrity is similar to confidentiality in that it uses cryptographic keys. It can be verified by the attachment of a binary string unique to the information. This binary string is signed using a cryptographic key, this resulting string is called a message digest. The recipient of the information can then verify the integrity of the message by decrypting the message digest using the sender’s public key to uncover the original message digest. Then by generating the message digest of the information using the same algorithm as the sender, the recipient can verify that the information has not been 4 tampered with during transit. Authentication is determining the identity of the entity you are communicating with, be it a person, a company, or a machine. An example of authentication involves a challenge and response, when a request for a communication is initiated; a challenge is issued to the requester, consisting of a random number. The requesting party then encrypts this random data with a password and returns it to the challenger. The challenger then retrieves the requester’s password from a database, encrypts the same random data with it and compares the results. If the results match, the requesting party has been authenticated without ever transmitting a password. The importance of cryptography in the world today can't be overstated. Which is what makes the possibility of a true random number generator just as important because of the security is could ensure. [RSA Laboratories] 1.1.2 Previous Random Number Generators There have been two types of random number generators that were typically used, pseudo random number generators and hardware number generators. Pseudo random number generators were more commonly used because they were assumed to be good enough to ensure security, but with today’s advanced computers it has become necessary to use true random number generators to guarantee confidentiality. 1.1.2.1 Pseudo Random Number Generators The most common way of attempting to generate random numbers is by using a software algorithm. This group of random number generators is known as pseudo-random number generators because they all require a ‘seed’ or starting value and eventually the values that are generated will begin to repeat. Typical seed values are generated through 5 the use of an algorithm using computer processes, interrupts, idle mouse movements, and system time as inputs. The difficulty begins when creating an algorithm that starts with a secret seed value that has a period of sufficient length. Despite these drawbacks pseudorandom number generators are very widely used. They are available for almost every computer platform, they are simple to operate, and they require no additional hardware or configuration. While pseudo-random number generators are adequate for noncryptographic applications, they are not secure due to the current available computing power. 1.1.2.2 True Hardware Random Number Generators In contrast to pseudo-random number generators, hardware random number generators can produce truly random numbers. Hardware random number generators typically operate by extracting data from a thermal noise source, or air turbulence from a sealed disk drive, which is dedicated for that purpose. A new approach involves splitting a stream of photons on a beam splitter to generate a quantum mechanical source of randomness. Because they rely on naturally occurring noise for their source, hardware random number generators do not rely on a repeatable algorithm. This however, does not mean that every hardware random number generator is a true random number generator. If the source of the randomness is deterministic in any way, it will not be able to produce truly random numbers. 1.2 Jitter Jitter is a companion of all electrical systems that use voltage transitions to represent timing information. A simple definition of jitter is "The short-term variations of a digital signal's significant instants from their ideal positions in time". A complex 6 definition of jitter is given as "The deviation from the ideal timing of an event. The reference event is the differential zero crossing for electrical events and the nominal receiver threshold power level for optical systems. Jitter is composed of both deterministic and Gaussian (random) content". Jitter has become a way of generating random numbers using signals that have naturally occurring noise. This makes jitter a hardware random number generator, it can be created using many different signal sources. Jitter is only theoretically described, and predictions can only be experimentally verified, which is why it is hard to say if jitter can create true random numbers or not. [Understanding Jitter] 1.2.1 Makeup of Jitter The makeup of jitter consists of two components, deterministic and random jitter. The importance of being able to distinguish between the two is seen when realizing the importance of true random number generators versus pseudo random number generators. Deterministic Jitter is always bounded in amplitude and has specific causes. Some examples of deterministic jitter include duty cycle distortion, data dependent, sinusoidal, and uncorrelated. Deterministic jitter is jitter that is repeatable and predictable. Because of this, the peak-to-peak value of this jitter is bounded, and the bounds can usually be observed or predicted with high confidence based on a reasonably low number of observations. Usually deterministic jitter is caused by cross talk, simultaneously switching outputs, and other regularly occurring interference signals. Cross talk occurs when a line is affected by the magnetic field from a driver line. Simultaneous switching outputs is caused by several output pins switching to the same state, causing a current 7 spike to occur on the Vcc and GND planes, these spikes can cause the threshold voltage point to shift, resulting in jitter. Random jitter is typically characterized by a Gaussian distribution, and will continue to grow with time, which is why it is considered to be unbounded. Random jitter is timing noise that cannot be predicted, because it has no discernable pattern. A classic example of random noise is the sound that is heard when a radio receiver is tuned to an inactive carrier frequency. Random jitter comes from thermal vibrations of semiconductor crystal structures, material boundaries having less than perfect valence electron mapping due to semi-regular doping density and process anomalies, thermal vibrations of conductor atoms, and many other minor contributors. Like all physical phenomena, the edge deviation, which occurs in electronic signals, will contain some level of randomness. Random jitter is unbounded and therefore directly affects long-term reliability. For the production of random numbers it is important to be able to characterize and separate jitter, so as to insure the use of the random part of jitter instead of the deterministic part. [Understanding and characterizing timing jitter] 1.2.2 Characteristics of Jitter Jitter is formed by the slight movement of a transmission signal in time or phase that can introduce errors and loss of synchronization. More jitter will be encountered with longer cables, cables with higher attenuation, and signals at higher data rates. Also, called phase jitter, timing distortion, or intersymbol interference. Phase jitter is usually smaller, but more rapid and random, but may be considered cyclic. Jitter has always degraded electrical systems, and has been used to define and 8 identify or measure for compliance standards and design specifications. However it has now been found to have a very useful characteristic, and that is the random numbers which can be drawn from it. Now jitter can be used to help with cryptography and the transfer of important information. 2 Design Implementation 2.1 Hardware Environment The hardware environment for our project was centered around a Xilinx reconfigurable Field Programmable Gate Array device which was connected directly into the PCI bus of the host computer. Our hardware designs were then put onto the device and were able to interface with it through the PC as well as examine waveforms and outputs directly off the board using an oscilloscope. 2.1.1 Interface The Ballynuey board which houses the Xilinx board was connected directly into the PCI bus of the computer, so all access to the board was done through the computer and not with an external programming device. The board came with hardware components that could be used to set up registers to access, create FIFOs or other structures for data extraction, and easily interface it all with the PC. These hardware components came in the form of VHDL modules. These components were already integrated into the design from the previous year’s project, so this interface was already working correctly when we started the project. We did not change any of the interface components in the design since they already worked correctly. Only the oscillator rings and enables were modified by our designs. The 9 interfaces allowed data to be pulled from the chip using software on the computer which will be discussed n the software section. 2.1.2 Design Flow The design flow for getting our hardware designs onto the board came had three steps. First the VHDL code was created, then compiled for the specific device, and optimized for performance by the Xilinx tools. We used ModelSim for editing and simulating our VHDL modules. We were able to edit code, access libraries of functions, and then simulate modules to ensure that they were behaving correctly. The code we constructed did not require much simulation since simulation of the ring oscillation was not possible in ModelSim, but it was used for cases of debugging certain sections of code. Once the VHDL files were created, the FPGA compiler tool was used to compile our modules together into an entity and create a netlist. This compiler also performed some optimizations of the components to increase performance. Since we sometimes did not want this to happen in our design, steps had to be taken so that components were not optimized out. We used attributes on certain components to retain them. The final step was using Xilinx Design Manager to finalize the design. The design manager allowed us to do timing analysises, edit the floorplan of the chips, and edit user constraints. This gave us maximum control over how our designs were implemented, right down to the bit by bit layout. The final product of the Design Manager was a BIT file which could then be physically loaded onto the chip and program it. This BIT file was then transferred to the host computer so that it could be loaded onto the board. 10 The specifics of these programs can be found in the Appendix. These details include an explanation of options used and why, as well as a more detailed explanation of the flow. 2.2 Software Environment The PC software environment consisted of a user level C program that interfaced with the Xilinx chip. The program implemented a class of functions provided by Ballynuey to interface with the hardware modules on the board. These functions allowed the programmer to load and unload BIT files, close and open the board, and easily access the registers that had been set up to transfer data between the board and PC. Once again, the previous year’s project already had a the C program working, but it did not work well for the purposes of our MQP, so we made several modifications. 2.2.1 C Code Improvements The previous year had used only one or two bit files to program the chip since their task was to create a RNG, which only required one entity with several rings in it. We wanted to look at rings of several lengths, but we needed them isolated. Therefore, we had several BIT files, each of which had only one ring on it, and needed a better way to easily load the files. Also, there was no way to load a different BIT file without ending the program and restarting it which took time and was very annoying. We set up a menu in the program so that the user could simply choose the required BIT file from the menu and it would load. We also added an unload function so that a new BIT file could be loaded without exiting the C program and restarting it. These changes took some time to implement but saved us an immeasurable amount of time later on with its ease of use. 11 We eliminated parts of the code that were no longer needed such as ring enables and optimized it as best we could. The functions that extracted the bit streams from the RNG were retained in case they were needed at a later date. 2.3 Circuit Description The design we used to create our source of jitter was an oscillator ring made up of an odd number of inverters. A tap was put on one of the nodes of the ring and connected to an external output pin so it could be examined on an oscilloscope. The output of this ring was a square wave with a period that was dependent on the number of inverters in the ring. 2.3.1 Design of the Ring The inverters in the ring were created using Look-Up Tables (LUT) in our VHDL code. Building them this way gave us a more realistic inverter with a greater propagation delay. While the delay, approx 1- 2 nanoseconds, was still quite small, this slight increase allowed us to build rings of a certain period without using hundreds of inverters. Previous work with this design used rings with very small numbers of inverters in order to place many rings on the chip. These rings had a range of 3 to 15 inverters in them. We examined rings with these amounts of inverters and found that they did not create a stable square wave. Rather, they were rounded off and not good for accurate measurements. We wanted to get waves that had a definite square shape so that we could more easily measure the jitter at the edges. With this in mind, we examined rings with greater numbers of inverters and thus larger periods. A stable wave was formed around 21 – 27 inverters, so we chose 25 inverters as a minimum number to have. Waves with less 12 inverters were not considered stable enough to provide the measurements we were looking for. The rings used in our project would all have this number of inverters or more. An idea that was suggested to us by General Dynamics was to use rings that were relatively prime. The theory behind this was that when these rings were layered together, relatively prime numbers would have less of a chance of overlapping each other so more space would be covered. Using this theory and the ring size information we had found earlier, we came up with ring sizes to use for all of our tests: 25, 41, 57, 67, 83, and 101. These sizes refer to the number of inverters in the rings, not the actual periods. It was not feasible to create waves with exact integer periods, so the best estimate we could do was choose the periods since they were linearly connected to the periods. 2.3.2 Design Modifications Once we agreed on this initial design, we implemented it and began taking measurements. However, once we started new problems arose that needed to be addressed, and we became aware of areas that needed improvement. One area that we believed needed modification was the construction of the rings themselves. The previous ring design was actually not made up of purely inverters. A NAND gate was substituted for one inverter to be a ring enable so that the ring could be disabled. This was used the previous year so that rings could be turned on and off in order to try different combinations. However, we wanted to analyze the characteristics of a ring of purely inverters, so we did not like an extra gate with a different gate delay in the middle of the ring. We also had no need to disbale or enable rings. 13 We fixed this problem by taking out the NAND gate and replacing it with an inverter. The synthesis tool at first did not allow this design since there was no input connected to the ring, but we were able to manipulate it so that it remained. The details of this process can be found in Appendix XXXXX. We now had a pure inverter ring to take measurements from. The next problem we had involved the layout of the gates on the chip, or the floorplan of the chip. When Xilinx Design Manager arranged the gates on the chip, it placed them arbitrarily. Whenever a new chip was created with a 25-inverter ring, it would not always be located in the same place on the chip or with the same distances between inverters. The distances between each inverter affected the period of the ring since there was more of a delay to travel a longer distance. Thus, each time we made a new chip with a 25-inverter ring, it would have a different period. This was not good for keeping measurements uniform or trying to layer rings together, since you could never be sure what the period was. We needed a way to be sure each ring had a constant period. The resolution to this was to find a way to place each ring in the same place on the board and have the inverters be equidistant in the chain. We were able to specify the location of each inverter in the constraints file for the design. We placed the chin in a straight line with the last inverter looping back to the first. Each inverter was equidistant from the next in line. By applying this to all rings, we now had the constant periods we needed. An added result of this floorplanning was that the linear relationship between the number of inverters and the period became more linear. The floorplanning made the rings 14 more uniform and eliminated as much possible error as possible. The graph below shows this change. Figure 1 Ring Period Trends The graph at the top shows the plot using periods from rings that had not been floorplanned. You can see that the 57 and 67 inverter rings are not close to the line of best fit. There is some error there caused by the placement of the rings. The bottom graph shows the floorplanned rings. Each point is almost perfectly on the line showing the nice, linear relationship. We used this line to determine an equation relating the number of inverters and the period length. T = 1.7708 x N - .109 (1) 15 T is the period and N is the number of inverters in the ring. With this equation, we now had a way to predict periods given a number of rings and vice versa. This could be a very useful tool in future designs since the designer could calculate a ring to suit any need. 2.4 Ways to Measure Jitter 2.4.1 Ideal Methods Many methods are available for measuring jitter. Several of these methods consist of using costly equipment and resources that were unavailable to us during this project. Two of these methods are bit-error-rate testers and Jitter analyzers. When compared to our most useful method, the real-time oscilloscope, it is apparent that the two unavailable methods have a much higher data rate, and therefore, could measure jitter with much greater precision. Figure 2 Data Rates of Jitter Analysis Methods 2.4.1.1 Bit-Error-Rate-Testers The BER tester uses a simple method to measure jitter. A pseudo-random bit sequence is sent by the tester to the system being tested. The tester then receives the new combined signal and compares it to the original pseudo-random sequence. This method 16 makes it possible to obtain an exact bit-error-rate measurement, since the tester can be sampled at rates as high as 40 gigabits/second. As precise as this method is, its one drawback is the time required to obtain results. A BER test can take several hours. An alternative to the BER test, which keeps much of its desired precision, is known as the BERT scan. The BERT scan utilizes statistical methods to achieve similar results while using less computation cycles. 2.4.1.2 Jitter Analyzers Jitter analyzers are more useful than BER testers in helping uncover a specific source of jitter. They operate by detecting the edges of a signal and measuring the differences between them. This data is then used to create histograms and frequency plots that help track down sources of jitter. Although a jitter analyzer has a lower maximum data rate when compared to the BER tester, it is able to predict BER data in less time than using a BER tester. Data can be calculated so quickly that jitter analyzers can be installed directly into test systems for real-time jitter analysis. 2.4.2 Methods We Used Since we did not have the equipment to measure jitter using a BER tester or a jitter analyzer, we were forced to use different methods to measure and characterize jitter. Four different methods were used. Some methods were more successful than others. These methods were MATLAB analysis, histograms, infinite persistence, and n-cycle measurements. 2.4.2.1 Matlab Analysis One form of jitter that we sought out to measure was N-cycle jitter. N-cycle jitter is jitter that is measured when one period is compared to the period preceding or 17 following it. Unfortunately, the oscilloscope operates at a speed that is much too high to measure a large number of individual periods. The oscilloscope did, however, allow us to export large amounts of data to be analyzed by outside means. This data was very useful for N-cycle jitter analysis because the data is consecutive, comparable to slowing down the oscilloscope’s data rate and reading the results. This data was ready to be imported into MATLAB. The MATLAB analysis method was very easy to implement. We used simple yvalue data from the scope, knowing that each sample was the same distance away from the next one. After importing the data into MATLAB, setting a voltage threshold made it able to clearly measure the number of samples of each period. The threshold created a signal that was either high or low, with no values in between. Formatting our signal this way allowed us to standardize our periods, while leaving the edges untouched so they could be measured. We then measured and recorded the length, in samples, of each period within the signal. We recorded the lengths of 25 consecutive periods for each set of inverters. After recording these period lengths, it was then possible to compare them to determine a jitter width, which we measured by comparing the smallest period and the largest period. Multiplying that range by the oscilloscope’s sampling rate provided us with a jitter with in nanoseconds. 2.4.2.2 Histograms As we became more familiar with the oscilloscope, we realized some of the advanced features it had to offer. One major feature of it was its ability to create histograms. We set up the histogram on a set point on either the rising or falling edge of our signal, and let the signal run. Each time the same point in each new period occurred, 18 its position compared with the position set for the histogram was recorded and added to the graph, which is shown underneath the signal. After allowing the signal to run for some time, it was easy to see the distribution that the jitter created. Along with the plot created by the oscilloscope, the scope provided us with a statistical analysis of the newly formed data. The amount of data within 1,2, and 3 standard deviations was given, which greatly helped us to see what kind of distribution the jitter was creating. 2.4.2.3 Infinite Persistence As well as standard histogram graphs, we used the oscilloscope in infinite persistence mode to view the jitter in a different way. Infinite persistence mode is useful in this application when the signal is triggered on an edge of the signal. When set to infinite persistence mode and allowed to run, the screen retains the varying results of each period that would normally quickly disappear in normal operation. Since each result is displayed, a wide signal is shown on either the rising or falling edge of the signal, showing the jitter contained in the signal. When combining this display with the measurement cursors of the scope, it is possible to measure the jitter of the signal. 3 Analysis 3.1 Data Analysis 3.1.1 MATLAB Analysis The data collected by the MATLAB analysis method proved not to yield many useful results. The amount of data exported by the oscilloscope was not sufficient enough to provide a wide and consistent range of periods. The period range in the table is the difference between the smallest and largest period in each set of periods for the corresponding number of inverters. As the table shows, the period range varied from 4 to 19 11 samples, with no distinguishable pattern between rings. The period range was then multiplied by the number of samples per period to calculate an equivalent jitter width, measured in nanoseconds. Again, due to an insufficient amount of data, there are major differences between some of the rings; although it is promising that several rings show a similar jitter width close to 0.5 nanoseconds. This shows some hope that the jitter in each ring is somewhat consistent, but does not give many other helpful conclusions. Some of our other methods proved to be much more successful. Table 1 MATLAB Results for Selected Rings Number of Inverters 25 Period Range (in samples) 4 Equivalent Jitter Width (ns) 0.501 41 5 1.379 57 11 0.502 67 4 0.503 83 5 0.628 101 6 0.502 3.1.2 Histograms Histograms proved to be our most useful form of measuring the width of a jitter. They contributed not only the actually width of the jitter, but also showed that there was some non-deterministic components to the jitter that we were measuring. In order for the measurement to be random, the distribution of the wave crossing a certain threshold has to follow a Gaussian distribution. The threshold we chose was 2V because it was in the middle of all the rising and falling edges. In order for a histogram to be Gaussian 68% of the data must fall within one sigma, 95% must fall within two sigma and 99.7% within three sigma. Evidence for a deterministic jitter could include bimodal distributions or 20 heavily skewed histograms. The measurements we took on all six rings proved to be random because they all were within .5% of all three requirements. This slight discrepancy is expected since the histogram will change slightly every time you sample. Below is an example of a histogram measurement. Figure 3 Rising Edge Histogram of a 83 Inverter Ring 3.1.2.1 Jitter Width The histograms provide us with a mean and a standard deviation. The mean is not the important piece of information since it depends on which cycle of the wave you sample. We used the standard deviation to give us the width of the jitter. Since 95% of the data fell within two sigma of the mean, we chose four sigma as our width; two on either side of the mean. Below is a table of the rising edge and falling edge jitter widths for all six rings we used. 21 Table 2 Jitter Widths # of Inverters Rising Edge Falling Edge 25 0.2827 0.3574 41 0.3146 0.346 57 0.3888 0.2914 67 0.3393 0.3374 83 0.4471 0.3666 101 0.456 0.4147 As can be seen in the table, there isn’t a significant increase in the jitter widths with the increase of inverters. We are not only concerned with the width of the jitter alone, but also the amount of the period the jitter takes up. Below is a graph of the percentages of the period the jitter takes up. 1.6 1.4 1.2 1 0.8 0.6 0.4 0.2 0 25 41 57 67 83 101 Figure 4 Jitter Width as % of Period As you can see, the percentage drops significantly. If we were to sample just the one ring with a 101 inverter, the chance of us sampling on jitter is very small. This will suggest that there is a maximum numbers of inverters that we should use. 3.1.2.2 Long-term Jitter There are two types of long term jitter that we were concerned with. The first is the effect of letting the wave run for an extended period of time. We let a ring of 101 22 inverters run for a half hour and checked it periodically to see if the jitter width was affected any. Below is a table of the jitter widths over time. Table 3 The Affect of Time on Jitter Minutes 2 4 8 16 32 Jitter Width (ns) 0.4407 0.4407 0.4402 0.4439 0.4472 The jitter changes very slightly even up to 32 minutes. So one can conclude that letting the wave run for an extended period of time will not change the jitter any. The other form of long-term jitter we were concerned with was the jitter width of a period n-cycles away. We wanted to see if the width followed a pattern. Table 4 N-Cycle Jitter 45 40 35 30 25 20 15 10 5 0 1 50 200 400 1000 The jitter appeared to be following a linear pattern until around 300 periods away. As can be seen it dropped off there only to jump back up 500 periods later. This occurred in all six rings. We are not sure the cause of this and did not have sufficient time to investigate further. 3.1.3 Infinite Persistence In order to determine the best and worst case scenarios for the length of the jitter, we used the oscilloscope and the infinite persistence mode. By using the infinite 23 persistence mode, we could see and measure how the wave moved over time. The compiling of all the different voltage levels the wave passed by, we were able to see what the smallest amount of jitter could possibly be. Below is an example of infinite persistence, as a possible measurement technique for the jitter length. In this measurement, we found the length of the jitter to be approximately 5.2 nano seconds, but as we found, this was not a very accurate reading of the jitter, in fact it is much higher than we actually found the jitter to be. So this led us to believe that this was not the best method for measuring the length of jitter. Figure 5 Infinite Persistence of a 101 Inverter Ring 3.1.4 EZJIT Using the EZJIT program loaned to us, we were able to get Fast Fourier Transforms (FFT) of our waves and find out the main sources of the noise in the jitter. 24 We used many different techniques with EZJIT, including N-Cycle, Cycle to Cycle, and TIE methods. An example of a 10-Cycle measurement we took, is shown below, as the pink line at the bottom of the scope’s screen. As is shown, the FFT measured two large peaks that were in the 119 kilo Hertz range, and the 236 kilo Hertz range. Figure 6 10 Cycle Measurement 3.1.5 Pulse Generator Using the pulse generator, we were able to try and create square waves similar to the ones we were making in the circuit, so as to get a more exact square wave. This also meant that we were able to determine the true source of the jitter. We attempted a few different experiments using these square waves to test the jitter results we had previously obtained. One was to test for jitter in a square wave straight from the pulse generator; another was to test the jitter of the square wave that had been sent from the pulse 25 generator through the board in an input pin and back out an output pin. Lastly we took the square wave and put it through the board, but this time we put it into a ring and then took it’s output, we intended to try and just put it through a line of inverters, but we were unable to implement this idea, so we took the results of the wave through the ring. 3.2 Theoretical Analysis 3.2.1 Relatively Prime Period Lengths After running into the phase drift problem we attempted to take advantage of the different period lengths. The plan was to choose many rings of different length and XOR them leaving only 0’s and jitter. With this method we could utilize enough rings to completely fill the period with jitter, thus making sampling of the wave completely nondeterministic. In order to improve efficiency of each ring, we would have to choose rings that were relatively prime to each other. If the rings were multiples of each other or had many similar factors the jitters would over lap in many places which would not improve the entropy. The idea is to have as few overlaps as possible, so relatively prime rings would work the best. 3.2.1.1 Bin Setup The easiest way to think of filling the spectrum with jitter is to break the period up into n bins of equal length. Each bin will be as wide as the average jitter for the ring. We then want to use enough rings to fill each bin with jitter. To do this we consider r rings of period lengths ti..tr respectively. Each bin will be assigned an integer value n. To be sure we have hit each bin we need to know the starting point of each ring, call it si. So to hit each bin greater than the last starting point, for all n max( si ) , there must be a solution k to the equation 26 n k * ti si for some i=1...r (1) To see if this is possible consider a possible starting point ui si mod ti (2) We want to see if we can construct a series of n’s that will not be hit by a ring. The Chinese remainder theorem says there is a solution n to n u1 mod t1 n u2 mod t2 n ui mod ti Since ui is not a starting point of any of the rings, all multiples of ti added to ui will be missed. So there will be an infinite number of bins missed, namely all n’s that satisfy the above equations. Another problem with using this idea is that the rings do not have a definite period. The periods change randomly and follow a normal distribution. Therefore we cannot assume that there will be a solution k to equation (1). The period may only partially fall into a bin and therefore not completely fill it. This only adds to the Chinese remainder theorem problem. So we were forced to consider another option. 3.2.2 Rings of the Same Length Our next idea stemmed from two of our previous problems. These two problems are the phase shift and the nondeterministic period length. Since these two occurrences could not be predicted accurately, we decided to use their randomness to fill the bins by using many rings of the same length. The set up for this method is the same as the previous attempt with n bins of equal length. The idea is to use enough rings to be a certain percentage confident that all the bins will be hit randomly at least once. Since 27 both the period lengths and the starting points are random the jitter can land anywhere within the set of bins. 3.2.2.1 Confidence Intervals An easy way to consider this is as a sampling problem with replacement. We will attempt to find the probability that the bins were filled in n samples or less. We aren’t concerned with hitting the same bins multiple times as long as we hit all the bins at least once. That way when we sample, the entire period will be jitter. To get these confidence intervals we needed to form a cumulative distribution function (cdf). Once we obtain a cdf for the probability of hitting all bins, we need to find the minimum number n at which P ( N n) CI (3) where CI is the specific confidence interval we are looking for. To find the cdf we use inclusion-exclusion. Consider an alphabet A={1,2,..,m} where m is the number of bins Let the universe U=An (4) all the possible combinations of A, ie {1, 11, 112, …}, where n is the number of samples taken. Therefore the cardinality of U mn (5) Define G as all the combinations where every bin is sampled at least once. So we want to find P ( N n) G (6) U 28 Since we already found U , we just need to find G . Let Bk be all the sets of samples where at least k bins were missed. To find G we need to look at the universe and subtract all occurrences where at least one bin was missed. In doing this samples will be over-counted and will have to be subtracted until all the bad sets are counted only once. So G U Bk Bk (1)m 1 k 1 k 2 B k m 1 k (7) For each sample in Bk there are m-k different possibilities to choose. So for n samples there are (m-k)n different options. Thus Bk=(m-k)n (8) For each Bk, there are (m choose k) different combinations of the bins that are missed. Since the number of different possibilities is independent of which bins are missing we can just multiply the number of arrangements by the number of possibilities. Substituting equation (5) and (8) gives m m m n (1) (9) G mn (m 1) n (m 2) n (1) m 1 1 2 m 1 Note m mn (m 0) n (10) 0 Combine the summation to get m (m k ) n (11) G (1) k k 0 m k m To simplify Let m-k=i 29 m m G (1) m i i n (12) i 0 i Substituting equations (11) and (5) into (6) gives m P ( N n) (1) m n i i (13) n m i i 0 m In order to find the confidence intervals, plug in different n’s until P(N<n) is equal to the confidence interval you are looking for. Below is a list of confidence intervals starting at 50% and incrementing by 5% up to 99%. Three of the rings we used are shown in the table, the lowest, the highest and the middle ring. The number of bins m was computed by dividing the average period for the ring by the average length of jitter. For example the number of bins for the 101 inverter ring is 178.7/.8708=205. We used as an approximation m=200. Table 5 Confidence Intervals for 101, 57 25 Inverters % confidence # rings 101 # rings 57 # rings 25 50% 1135 807 323 55% 1162 828 333 60% 65% 1193 1227 852 877 344 357 70% 75% 1265 1307 905 937 369 383 80% 85% 1360 1422 975 1022 400 423 90% 95% 1507 1650 1086 1194 453 502 99% # bins 1975 200 1440 150 616 70 30 2500 2000 101 1500 57 1000 25 500 0 50% 60% 70% 80% 90% 99% Figure 7 Graph of Table 1 As you can see, in order to get a 99% confidence that all the bins are filled for the ring with 101 inverters, you need approximately 2000 rings. As can be seen by looking at the table, the necessary number of rings for 99% confidence is about ten times the number of bins m. 3.2.2.2 Expected Value of n Now that we have a way to find confidence intervals, it is also useful to find an equation for the expected value. The expected value is a weighted average of all possible outcomes. The standard formula for the expected value is Ex n * p(n) (14) n Since equation (13) only gives the probability that N<n, we need to subtract the probability that n occurred previously. So P(N=n)=P(N<n)-P(N<n-1) (15) Substituting (13) into (15) gives 31 m m m i m n ( 1 ) i (1) m i i n 1 i i 0 i (16) P ( N n) i 0 n n 1 m m m Combining the fraction yields m m m m m n 1 (1) m i i n m n (1) m i i n 1 i 0 i 0 i i (17) P ( N n) n n 1 mm Note mn=m*mn-1 m m m m m n 1 (1) m i ii n 1 mmn 1 (1) m i i n 1 i 0 i 0 i i (18) P ( N n) n n 1 mm Simplifying gives m P ( N n) (1) m i i 0 m n 1 i (i m) i (19) mn Since we are looking for the expected value, we need to substitute (19) into (14) m En n (1) m i i 0 n m 1 m n 1 i (i m) i (20) mn Note that P(N=m-1)=0 since you need at least m samples to hit all the bins. Substituting n=m into (19) does not give us P(N=m-1)=0 so we need to add this term to equation (20). So the expected value is m (1) En m i 0 m m i i m m m i m n n m 1 (1) i 0 m i m n 1 i (i m) i (21) mn In order to compute the expected value accurately, it is necessary to go to a very large n. We chose n to be the number of bins necessary to achieve a 99% confidence 32 interval. In order to compute this number many calculations are necessary. Unfortunately we do not have a program capable of handling such a large calculation. So as an approximation for the expected value, we will just look at the 50% confidence interval. Below is a graph showing the expected values for all six rings we used using this approximation. Table 6 Approximation of Expected Values # Inverters # bins 25 41 57 67 83 101 E(x) 69 110 150 175 180 200 323 557 807 968 1001 1135 As you can see the expected values are extremely high. Due to its size it may be impossible to fit all the rings necessary to cover the spectrum with jitter onto the chip. Instead of trying to get a more uniform wave by adding inverters, it may be more beneficial to use as few inverters as possible so as to be able to fit all the rings onto one chip. 3.2.3 Layering with Phase Shift One of the original ideas we had was to XOR two rings of the same length and since they had the same period, the XOR function would cancel out the similar high and low parts of the wave and leave only the jitter. After this was done, we could layer several of these rings so that we filled a period with jitter. As explained earlier, we found this idea to be impossible to do for two reasons. First, we could not synchronize the starting positions of the two different rings so they could be out of phase from the start. Second, even though they had the same number of inverters and theoretically would have the same period, this was physically untrue. No matter how well we floor planned the two 33 rings to be identical, the periods were always slightly off and caused the waves to drift past each other. Although this original idea failed, it led to us developing a new idea based on the same philosophy. Our idea was simple. We needed two rings with identical periods that we knew would start in phase, so why not use the same ring. One ring would obviously have the same exact period as itself and always start in phase, but we needed a way to somehow make it so that we could XOR the ring with itself and get useful results. Our second idea was to insert a delay in the ring output in order to cause a small phase shift. We could then XOR this phase-shifted ring with itself, thus getting the jitter isolated in the small phase shift of the rings. We then took it a step further and figured that if we could do this once, why not do it for the whole period of the wave. If we could phase shift the wave for the whole period, the entire period would be filled with jitter. And since there would be no drifting due to mismatched periods, it would never falter or get out of sync. We now went about trying to implement this design. Our first idea was to simply add a buffer to the output wire leaving the ring. A basic diagram of this idea is shown below in Figure XXX. In this way, we would have the ring itself, and then a chain of buffers with wires coming out in between each buffer going to be XOR’d together. The buffers would provide the delay that we needed without changing the wave. 34 Figure 8 Phase Shift First Design This design seemed perfect but we could not implement it. The Synopsis tool optimized the buffer chain out of our design no matter what option we tried to leave it in. The tool saw the chain as pointless because it did not affect the signal at all, and could not understand the use of it as a delay going into the XOR. It thus eliminated the chain and the XOR gate since it only saw the XORing of a signal with itself. Our idea was still good but we needed another way to implement it. Once again our next idea was a very simple one. We had been trying to bring in an external chain to provide our delay, but we already had a chain of items causing a delay in the design: the ring itself. The chain of inverters were already creating delays, all we had to do was utilize it. This design is shown below in Figure XXX. We connected output wires to nodes in the ring itself instead of a buffer chain, and then sent them out of the board to examine. We did not hook them up to an inverter at first since we wanted to examine the waves individually to see the delay and if our idea actually worked. 35 Figure 9 Phase Shift Second Design Our implementation was successful. We brought three waves out from the board to examine on the oscilloscope. A picture of the three output waves with infinite persistence turned on to show their cumulative jitter is shown below in Figure XXX. The three waves had identical periods and were slightly out of phase. There was no drift at all among the waves. One aspect we noticed was that since these were inverters, not buffers, one of the waves was inverted. At first we thought this would be a problem, but then decided it was fine. Even though the wave was inverted, the jitter was still in the same location, only it was rising instead of falling, or vice versa. 36 Figure 10 Phase Shift Display with Infinite Persistence Overall, we saw what we expected to see and proved that our theory could work. With enough outputs and oscilloscope hookups, we could have had enough phase shifted waves so that the entire period was filled with jitter. We could then use the XOR to combine all the rings, and have a final wave that could be sampled at any frequency and be assured that it was sampling jitter. Due to time constraints however, we were never able to examine the XOR result of the rings. We only had time to show the concept worked, and that it would be possible to phase shift a ring with itself. The advantages of this design would be that it only needed one ring to function. Many of the other ideas we looked at to fill a spectrum with jitter needed hundreds of rings, so space wise this would be a much better method. It is also a very stable design, not like some of the other designs that are based on probabilities and confidence intervals. This method was straightforward and predictable. 37 Some disadvantages would be that the phase shift would cause the jitter to repeat itself during every half period. Therefore, if the sampling frequency of a system was greater than twice the frequency of the ring, it could possibly sample the same jitter twice, which would not be advantageous. Also, we were not able to test the XOR output, so we have no proof of a method to combine all these phase-shifted signals into one signal that we could sample. Despite any disadvantage, we believe this design has a lot of potential and should be highly considered by future groups for more testing and analysis. The possibility of creating a true random number generator with only one ring is high enough a reward to try, especially with the positive results were able to attain. With more testing and work, we believe this design will be best suited for a random number generator. 4 Conclusion We began this project with the intent of proving whether it is possible to develop a true random number generator using reconfigurable logic platforms. Our data suggests that since the jitter followed a Gaussian distribution, it is possible to create a random number generator. While we have no way of proving the entropy of a the source, we believe these measurements give a good indication of the non-deterministic nature of the jitter. We also showed that the major source of the jitter is from external sources in the computer, not the ring itself. We believe that the idea that the ring was creating the jitter is not accurate, and that a sponge analogy is much better, where the ring is thought to be a sponge absorbing the jitter from sources around it. A more in depth analysis of what these 38 sources are and how they contribute to the jitter is necessary to gain a full understanding of the jitter and perhaps begin to measure its actual entropy. We have discovered two possible ways to manipulate the jitter to make a RNG. Using rings of the same length it is possible to fill a period with jitter; however it requires a large number of rings. If one were to take this path, we would suggest using a ring of around 41 inverters so as not to need too many rings on one chip. The other possibility would be to use the phase shift design. Since we were restricted on time we have not had the chance of fully exploring this idea, but since it would work using only one ring, we believe it is the concept most worth researching further because of its possibilities. In closing, we believe that a true random number generator is feasible on reconfigurable logic because the source being used is non-deterministic and methods exist to ensure that this source can be sampled confidently. 39