True Random Number Generators for Heightened Security in Any SoC

Introduction

The proliferation of connected devices and the evolving nature of attacks, breaches, and malware make the need for security in products and ecosystems more important than ever. True random numbers are at the heart of any secure system and their quality contributes to the security strength of designs. Many cryptographic operations require a source of random numbers, such as the creation of cipher keys and initial values for counters and protocol parameters. Weak or predictable random numbers open the door for attacks that can compromise keys, intercept data, and ultimately hack devices and their communication.

Designing True Random Number Generators (TRNGs) that provide consistently high-quality entropy across processes, temperature, voltage, and frequency variations is very complex. To help ensure the highest quality, international standards bodies have developed criteria to substantiate the truly random nature of TRNGs in a verifiable and statistically rigorous manner.

The article highlights the importance of TRNGs, describes their main components and characteristics, lists the specifications they need to adhere to, and provides a high-level introduction to Synopsys’ DesignWare TRNG Security IP.

What is a TRNG and Why is It Important?

A TRNG is a function or device based on an unpredictable physical phenomenon, called an entropy source, that is designed to generate non-deterministic data (e.g., a succession of numbers) to seed security algorithms.

Connected devices are becoming part of everyday life and we expect them to operate correctly while protecting business and personal information. TRNGs are at the base of securing these devices as they are used to create and protect secrets and other sensitive information. They are part of a “chain of trust” that needs to be established starting with the SoC, moving to the application layers and communication to the cloud. A chain of trust is only as strong as its weakest link.

Predictable random number generators (RNGs) open doors to many possible attacks that can hack devices and compromise data. To be effective, random numbers must be unpredictable, statistically independent (unrelated to any previously generated random numbers), uniformly distributed (equal probability for any number to be generated) and protected (Figure 1).

Figure 1: True random numbers are crucial for security

Standards for TRNGs

Several standards and certification associations are driving specifications and validation methods for TRNGs to define the guidelines for design and certification of truly random solutions. 

The US National Institute of Standards and Technology (NIST) agency has developed a set of NIST SP 800-90A/B/c standards (“c” is still in draft stage) to define the statistical-analysis criteria that an RNG must meet before being considered random enough for cryptographic applications. The German standards body, Bundesamt für Sicherheit in der Informationstechnik (BSI), has long had a separate set of RNG standards (AIS 20/31). 

Both standards serve to weed out seemingly random generators that may appear to work but may have statistical flaws that could undermine the security of the system. However, while these standards give some high-level architecture guidelines, they do not specifically describe how to create a TRNG; only how to verify whether it works. The implementation details are left to the creativity of the designers, and therefore permits many alternative approaches. In all cases though, the TRNGs must meet the four criteria previously mentioned: they must be unpredictable, uniform, independent, and undiscoverable. 

TRNG Solutions

True randomness is very difficult to achieve. A properly constructed TRNG needs to harvest entropy from some form of random process (like the noise produced by current flowing in a transistor, or the time between radioactive decay events), and then condition the entropy signal to remove bias and whiten the spectrum of the resulting sequence of outputs. This process must be controlled for factors such as operating temperature, aging, susceptibility to electronic noise and upset, voltage variation, and operating frequency range. Without controlling these factors, the TRNG circuit could potentially be modified by outsiders attempting to influence its operation.

One example of an RNG architecture is to seed a cryptographic quality pseudorandom number generator (PRNG) with an unknown seed value and then use the PRNG for a period of time or to produce a quantity of random data. The PRNG will then be re-seeded and used again for a while, and so on. The seed for the PRNG should be a secret, random input derived from an “entropy source” such as a high-quality TRNG.  

Synopsys has developed standards-compliant and certification-ready TRNGs that are applicable to any digital semiconductor device and are highly portable across any ASIC and most FPGA process technologies. The TRNGs have been widely deployed down to 5nm processes, are customer configurable, and support a variety of attractive features including wide system clock dynamic range, redundant and selectable number of internal seed generators, automatic and manual reseeding, output streams for side channel countermeasures, and various interfaces (memory mapped, serial and nonce which is suitable for HDCP 2.3 content protection modules):

• The DesignWare® True Random Number Generator Core is classified as a Non-Deterministic Random Bit Generator (NRBG). The core contains an entropy source and whitening circuit that generates a uniformly distributed random sequence of bits. The output of the DesignWare TRNG can be used directly or to seed/reseed a NIST SP 800-90A approved Deterministic Random Bit Generator (DRBG), depending on the application. The random data generated by the DesignWare TRNG is intended to be statistically equivalent to a uniformly distributed noise. The circuit includes a seed generator that creates a non-deterministic random value to seed a PRNG.