# A Survey of AIS-20/31 Compliant TRNG Cores Suitable for FPGA Devices

Oto PEŤURA, Ugo MUREDDU, Nathalie BOCHARD, Viktor FISCHER, Lilian BOSSUET

Univ Lyon, UJM-Saint-Etienne, CNRS Laboratoire Hubert Curien UMR 5516 F-42023, SAINT-ETIENNE, France

oto.petura@univ-st-etienne.fr

FPL 2016, Lausanne, Switzerland, August 2016







A Survey of AIS-20/31 Compliant TRNG Cores Suitable for FPGA Devices

# Outline



# Methodology







# Goals of the TRNG evaluation

Fair comparison of different TRNG principles in terms of:

- feasibility and reproducibility
- area (cost)
- speed (bitrate)
- power consumption
- entropy



# Selected TRNG principles

#### Based on the selection criteria:

- ► AIS-31 compliance
- Feasibility in FPGAs

The next TRNGs were selected and implemented:

- Elementary oscillator based TRNG (ELO-TRNG)
- Coherent sampling oscillator based TRNG (COSO-TRNG)
- Multiple ring oscillator based TRNG (MURO-TRNG)
- Phase locked loop based TRNG (PLL-TRNG)
- Transient effect ring oscillator based TRNG (TERO-TRNG)
- Self timed ring based TRNG (STR-TRNG)



# Outline



#### 2 Methodology





# Methodology to achieve a fair comparison

- Unified external interface
  - (as simple as possible)
- Reduced complexity of the design (just the TRNG core, no post-processing)
- All designs implemented in all the devices

   (Xilinx Spartan 6 FPGA, Altera Cyclone V FPGA, Microsemi SmartFusion2 FPGA)
- Statistical properties (entropy) evaluated using the procedure B of the AIS-20/31 statistical test suite



# Hardware configuration

# DUT

- FPGA module with the RNG core
- Simple serial data interface
- Two LVDS lines (data, clock/strobe)



## Acquisition card

- Evariste motherboard and Cyclone III FPGA module
- Can store up to 4 MB of continuous data at 0 400 Mbits/s



# Power consumption measurement strategy

# A reference design is used to measure the power consumption of an FPGA with no logic inside (about 4 mW)





# Power consumption measurement strategy

The power consumption of the TRNG core is computed by subtracting the consumption of the 'empty' project from the total power consumption

The multiplexers are used to eliminate an impact of output drivers on the power consumption measurement.





# Evaluated parameters

## Area

in terms of LUTs and registers

- Net power consumption
- Output bit rate

## Entropy

evaluated using test T8 of the AIS-20/31 test suite

#### Newly defined parameters:

Energy efficiency

number of bits generated consuming one  $\mu$ Ws of energy

- Entropy & bit rate product
  - bit rate with full entropy



# Outline











# ERO-TRNG core<sup>1</sup>



| Family        | Ν | К                   | Area      | Power cons. | Bit rate  | Entropy |
|---------------|---|---------------------|-----------|-------------|-----------|---------|
|               |   | [·10 <sup>3</sup> ] | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |
| Spartan 6     | 3 | 80                  | 46/19     | 2.16        | 0.0042    | 0.999   |
| Cyclone V     | 5 | 135                 | 34/20     | 3.24        | 0.0027    | 0.990   |
| SmartFusion 2 | 5 | 20                  | 45/19     | 4           | 0.014     | 0.980   |

O. PEŤUBA



#### 12/28

<sup>&</sup>lt;sup>1</sup> M. Baudet, D. Lubicz, J. Micolond, and A. Tassiaux, "On the security of oscillator-based random number generators," Journal of Cryotology, vol. 24, no. 2, pp. 398–425, 2011.

# **ERO-TRNG** core



- Easy to implement no placement or routing constraints needed
- Very good reproducibility
- Based on the jitter size, the K value might be very high, the size of the counter (≤ 20 bits) can affect scalability



# COSO-TRNG core<sup>1</sup>



| Family        | Ν  | RO freq. | Area      | Power cons. | Bit rate  | Entropy |
|---------------|----|----------|-----------|-------------|-----------|---------|
|               |    | [MHz]    | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |
| Spartan 6     | 8  | 144.5    | 18/3      | 1.22        | 0.54      | 0.999   |
| Cyclone V     | 6  | 315.5    | 13/3      | 0.9         | 1.44      | 0.999   |
| SmartFusion 2 | 10 | 185.2    | 23/3      | 1.94        | 0.328     | 0.999   |

14/28



<sup>&</sup>lt;sup>1</sup> P. Kohlbrenner and K. Gaj, "An embedded true random number generator for FPGAs," in Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays. ACM, 2004, pp. 71–78.

# COSO-TRNG core



- The difference in periods has to be very small difficult to achieve
- Disadvantage: Finding a suitable configuration requires long time (several hours) and the same configuration is not guaranteed to work on another device
- Placement and routing constraints are required



# MURO-TRNG core<sup>1</sup>

| Family        | Area      | Power cons. | Bit rate  | Entropy |
|---------------|-----------|-------------|-----------|---------|
|               | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |
| Spartan 6     | 521/131   | 54.72       | 2.57      | 0.999   |
| Cyclone V     | 525/130   | 34.93       | 2.2       | 0.999   |
| SmartFusion 2 | 545/130   | 66.41       | 3.62      | 0.999   |

m = 120K = 100







#### 16/28

# MURO-TRNG core

- The generator requires a large number of identical rings to be implemented
- The rings might lock which is extremely hard to detect given their number
- No need of manual place and route





# PLL-TRNG core<sup>1</sup>



| Family        | clk <sub>jit</sub> | clk <sub>ref</sub> | Area      | Power cons. | Bit rate  | Entropy |
|---------------|--------------------|--------------------|-----------|-------------|-----------|---------|
|               | [MHz]              | [MHz]              | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |
| Spartan 6     | 435.3              | 485.7              | 34/14     | 10.6        | 0.44      | 0.431   |
| Cyclone V     | 213.8              | 255.6              | 24/14     | 23          | 0.6       | 0.592   |
| SmartFusion 2 | 90.4               | 163.6              | 30/15     | 19.7        | 0.37      | 0.340   |

<sup>1</sup>V. Fischer and M. Drutarovsky, "True random number generator embedded in reconfigurable hardware," in Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002), ser. LNCS, vol. 2523, Redwood Shores, CA, USA. Springer Verlag, 2002, pp. 415–430.



# **PLL-TRNG** core



- The PLL setup is not straightforward for some families (Spartan 6: PLL outputs go to different clock domains)
- Once the PLLs are setup, the results are reproducible within the same device family (type of the device)
- PLLs are very well isolated from the rest of the device



# TERO-TRNG core<sup>1</sup>



| Family        | Area      | Power cons. | Bit rate  | Entropy |
|---------------|-----------|-------------|-----------|---------|
|               | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |
| Spartan 6     | 39/12     | 3.312       | 0.625     | 0.999   |
| Cyclone V     | 46/12     | 9.36        | 1         | 0.987   |
| SmartFusion 2 | 46/12     | 1.23        | 1         | 0.999   |

<sup>1</sup> M. Varchola and M. Drutarovsky, "New high entropy element for FPGA based true random number generators," in Cyptographic Hardware and Embedded Systems, CHES 2010. Springer, 2010, pp. 351-365. O. PEŤUBA



# **TERO-TRNG** core



- The placement and routing constraints must be enforced in the TERO loop design
- The two TERO branches must be well unbalanced to get between 100 and 200 oscillations
- Difficult to obtain repeatable results on different devices



# STR-TRNG core<sup>1</sup>

| Family        | Area      | Power cons. | Bit rate  | Entropy |  |
|---------------|-----------|-------------|-----------|---------|--|
|               | (LUT/L&R) | [mW]        | [Mbits/s] | per bit |  |
| Spartan 6     | 346/256   | 65.9        | 154       | 0.998   |  |
| Cyclone V     | 352/256   | 49.4        | 245       | 0.999   |  |
| SmartFusion 2 | 350/256   | 82.52       | 188       | 0.999   |  |

L = 255



<sup>&</sup>lt;sup>1</sup> A. Cherkaoui, V. Fischer, A. Aubert, and L. Fesquet, "A self-timed ring based true random number generator," in IEEE International Symposium on Asynchronous Circuits and Systems (ASYNC 2013), 2013, pp. 99–106.



# STR-TRNG core

- The ring must have a huge number of cells
- Each cell must be initialized at the beginning and number of events must be verified continuously
- The topology is important manual placement needed





# Summary of implementation results

| TRNG type | FPGA          | Area      | Power cons. | Bit rate  | Efficiency | Entropy | Entropy * Bit rate | Feasib.   |
|-----------|---------------|-----------|-------------|-----------|------------|---------|--------------------|-----------|
|           | device        | (LUT/Reg) | [mW]        | [Mbits/s] | [bits/µWs] | per bit |                    | & Repeat. |
|           | Spartan 6     | 46/19     | 2.16        | 0.0042    | 1.94       | 0.999   | 0.004              |           |
| ERO       | Cyclone V     | 34/20     | 3.24        | 0.0027    | 0.83       | 0.990   | 0.003              | 5         |
|           | SmartFusion 2 | 45/19     | 4           | 0.014     | 3.5        | 0.980   | 0.013              |           |
|           | Spartan 6     | 18/3      | 1.22        | 0.54      | 442.6      | 0.999   | 0.539              |           |
| COSO      | Cyclone V     | 13/3      | 0.9         | 1.44      | 1 600      | 0.999   | 1.438              | 1         |
|           | SmartFusion 2 | 23/3      | 1.94        | 0.328     | 169        | 0.999   | 0.327              |           |
|           | Spartan 6     | 521/131   | 54.72       | 2.57      | 46.9       | 0.999   | 2.567              |           |
| MURO      | Cyclone V     | 525/130   | 34.93       | 2.2       | 62.9       | 0.999   | 2.197              | 4         |
|           | SmartFusion 2 | 545/130   | 66.41       | 3.62      | 54.5       | 0.999   | 3.616              |           |
|           | Spartan 6     | 34/14     | 10.6        | 0.44      | 41.5       | 0.981   | 0.431              |           |
| PLL       | Cyclone V     | 24/14     | 23          | 0.6       | 43.4       | 0.986   | 0.592              | 3         |
|           | SmartFusion 2 | 30/15     | 19.7        | 0.37      | 18.7       | 0.921   | 0.340              |           |
|           | Spartan 6     | 39/12     | 3.312       | 0.625     | 188.7      | 0.999   | 0.624              |           |
| TERO      | Cyclone V     | 46/12     | 9.36        | 1         | 106.8      | 0.987   | 0.985              | 1         |
|           | SmartFusion 2 | 46/12     | 1.23        | 1         | 813        | 0.999   | 0.999              |           |
|           | Spartan 6     | 346/256   | 65.9        | 154       | 2 343.2    | 0.998   | 154.121            |           |
| STR       | Cyclone V     | 352/256   | 49.4        | 245       | 4 959.1    | 0.999   | 244.755            | 2         |
|           | SmartFusion 2 | 350/256   | 82.52       | 188       | 2 286.7    | 0.999   | 188.522            |           |



# Outline



# 2 Methodology

Implementation results





# Conclusions

- All the presented TRNG cores are feasible in all major FPGA families
- COSO and TERO TRNGs are impractical in their current state (They both require per device placement and routing)
- Each TRNG has its pros and cons
- Presented implementations are not fully optimized (Final optimization is a question of the target application)
- Quality of the TRNG design depends not only on the principle used (Hardware used and implementation itself are very important too)
- VHDL source code is available at:

https://labh-curien.univ-st-etienne.fr/cryptarchi/HECTOR\_TRNG\_designs



## Acknowledgments

This work was performed in the framework of the project

# **HECIOR**

# Hardware Enabled Crypto and Randomness

The HECTOR project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement number 644052 starting from March 2015

#### www.hector-project.eu





# Thank you for your attention

