1. Introduction
The study of finding entropy sources is a traditional and essential topic, with attractive randomness in some applications such as key generation and issuing identifiers in the cryptographic field, for example. In practice, the physical inputs or characteristics of an I/O device on a computer, such as a keyboard or a computer mouse, are well-established sources. However, such inputs are not always ideal; for example, a human-related source such as the input from a keyboard would be affected by the user’s intention. Since the entropy source should be truly random, researchers have investigated and developed other methods using physical phenomena to overcome these drawbacks.
Researchers and developers have paid much attention to making random number generators (RNG) using digital circuits compact, so that they can be implemented together with other modules. There are two main types of circuits that can easily cause unstable signals. One of them is called metastability [
1], which is an intermediate state between high and low and is dealt with as a malfunction of a circuit in product development. However, it is known to have the ideal characteristics to act as an entropy source, and can be implemented with just a pair of NAND gates on a field programmable gate array (FPGA), for example. However, since some time is consumed to converge the vibration during metastability, a generator using metastability sometimes faces problems with efficiency.
The other circuit is an oscillation circuit, called a ring oscillator (RO), consisting of NOT gates that are aligned in a ring shape. Sunar et al. introduced an RNG using the ROs in [
2]. It was designed to mix the output of multiple RO circuits by using the XOR operation, the output of which is synchronized by an internal clock. Though the construction allows bits to be sampled faster than by using metastability, its randomness was required to be discussed further, since the randomness is easily affected by the number of NOT gates and RO circuits.
Wold et al. [
3] extended Sunar’s proposed RNG circuit in which the respective output of ROs is synchronized by delay flip flops (D-FFs). Since the D-FFs contribute to improving the randomness of RO-based generators, Wold’s construction is now widely adopted as an entropy source in various situations. Research on these RO-based generators has been approached from several viewpoints, such as randomness, security, and energy efficiency. The readers can refer to [
4,
5,
6,
7,
8,
9,
10,
11,
12] for further results about extensions of the RO-based generators and randomness evaluations, for example.
In this paper, the authors focus on Wold’s construction and discuss the distribution property of the generator. Furthermore, the relevance between the number of ROs and the quality of randomness is also considered. More precisely, the target concerning the distribution property is the transition probability of bits introduced in the Markov process. This differs from the elements of several famous statistical tests in the sense that the authors’ proposed method discusses the uniformity of a sequence from the relevance of bits at time t and , for instance. The authors think this approach contributes to a different aspect of a sequence, together with the currently proposed statistical test suites. In addition, in this paper the authors conduct the same test for generators set up with different numbers of ROs. As a result, it is found that there is a significant relationship between the number of ROs and the randomness property.
This paper is organized as follows:
Section 2 introduces the fundamentals related to this work, for example, details of the RO-based generator and statistical tests.
Section 3 and
Section 4 propose a test for an RNG designed using ROs, and give experimental observations for some generators with different numbers of ROs, respectively. Finally,
Section 5 concludes this paper.
2. Preliminaries
This paper focused on the probability test for an RO-based generator, as well as the relationship between the randomness property and the number of ROs. This section briefly reviews the idea of a true random number generator based on a ring oscillator, Markov process, and hypothesis testing.
2.1. True Random Number Generator Based on Ring Oscillator
This section briefly reviews the fundamentals of an RNG based on ring oscillators, and related works. An RNG is simply referred to as a generator in this paper.
2.1.1. Random Number Generator and Ring Oscillators
RNGs are typically classified into two main classes [
13]. One of them is the deterministic RNGs, called pseudorandom number generators (PRNGs). They work algorithmically with a given seed value. Another class is the non-deterministic RNGs, which often adopt some non-reproducible phenomena to generate an ideal random number sequence. Such an ideal sequence is called the true random number generator (TRNG), and many approaches using physical phenomena, called physical RNGs in what follows, have been proposed as a class of TRNG. However, not every RNG can be dealt with as a TRNG, even if it employs a physical phenomena. In this paper, the authors mainly work on evaluating a well-known physical RNG construction from the viewpoint of the unpredictability of sequences.
A representative construction is to use digital circuits to obtain a sequence of digits including bits. There are several approaches such as using noises or the unstable behavior of logic gates. Among them, an oscillation circuit consisting of odd numbers of NOT gates, called a ring oscillator (RO), is widely adopted and studied. As shown in
Figure 1, an RO is a circuit that is composed of odd numbers of NOT gates connected in a ring shape.
Since it can be implemented as a logic circuit in an FPGA, a generator based on ROs is cheaper than one that uses external equipment to observe phenomena to obtain a sequence.
Though external equipment may possibly be interfered with or intermediated by an attacker and leak a sequence as a result, a circuit closed inside an FPGA has an advantage in this regard. In detail, without an adequate environment, data through a circuit are hard to eavesdrop directly. In addition, a generator consisting of a logic circuit is preferred in practical use since it can be embedded with other circuits into a chip.
The output of an RO oscillates due to the recursive input from the right edge NOT gate, as the name stands for. The frequency
is known to be given by Equation (
1), where
and
denote the propagation delay time of a NOT gate and the number of NOT gates, respectively.
It is noted that since the propagation delay time changes from high, say , and high to low, say , are the same if CMOS devices are used, we can assume and denote the propagation delay time by for simplicity.
Since an RO is not stable because of effects from the external environment, such as thermal noises, for example, the actual oscillation period has time difference
from the theoretical oscillation period
T, as shown in
Figure 2, where
.
Thus, the oscillation period of the RO is given by .
This instability is useful for sampling binary symbols, e.g., 0 and 1, and the circuit size can be scalable depending on the number of NOT gates. Therefore, many researchers have focused on ROs to develop a compact and ideal RNG, based on ROs.
2.1.2. Related Works
Sunar et al. introduced ROs to construct a TRNG in [
2]. It was designed to mix the output of the respective RO circuit by using the XOR operation, the output of which is synchronized by an internal clock, as shown in
Figure 3.
In [
2], Sunar et al. also discussed several properties, such as the ideal length of a ring, from the theoretical viewpoint.
Based on their construction, Wold et al. [
3] extended the circuit to be as shown in
Figure 4. Wold et al. successfully enhanced the randomness by inserting D-FFs between ROs and an XOR gate to sample the wave endowed by the ROs. They found that short ROs are better for improving randomness, since the difference in the wave frequency can be easily induced by the restriction of the length. In this paper, the authors mainly deal with Wold’s construction to investigate the randomness of continuous digits. In addition, the readers can refer to the results in [
4,
5,
6,
7,
8,
9,
10,
11,
12] concerning RO-based generators and evaluations for more information.
In a previous work [
14], the authors discussed the importance of an XOR gate in a generator based on ROs by approximating the periodicity and investigating the transition probabilities of 2-bit patterns. It was revealed that an XOR gate in an RO-based generator contributes to extending the period length, and the number of ROs is of relevance to the distribution property. In this paper, the authors extend this discussion to the statistical randomness evaluation by using the Markov process and hypothesis testing.
2.2. Markov Process
A Markov process is a stochastic extension of a finite automaton for which state transitions happen probabilistically. It has a memoryless property, which is to say that any additional information about the future behavior of the process cannot be obtained from the past processes in a random process. More precisely,
are random variables and
denotes the conditional probability of
X given
Y. Let
be the state space and let
be the transit probability from
to
for a positive integer
. The memoryless property, referred to as the Markov property, holds the equality as follows:
where
. Such a random process utilizing the Markov property is called a Markov process.
Based on the definition of the Markov process, a Markov chain is defined as a Markov process with discrete time and discrete state space. Thus, a Markov chain is a discrete sequence of states, denoted by
S, with random variables
such that the probability of any given state
only depends on the current state
, as shown in Equation (
2). The process diagram of the Markov chain is a directed graph describing the Markov process. For example, a simple two-state Markov chain can be illustrated as shown in
Figure 5.
2.3. Hypothesis Testing and Z-Test
Hypothesis testing is a method of testing whether claims or hypotheses concerning a population are likely to be true. There are two hypotheses: the null hypothesis and an alternative hypothesis. The null hypothesis is a statement about a population parameter, which is assumed to be true. In contradiction to the null hypothesis, the alternative hypothesis is a statement that says the value of the population parameter does not match the value in the null hypothesis.
Hypothesis testing is conducted by following the steps summarized below.
State a null hypothesis and alternative hypothesis;
Select a random sample from the population;
Set a significance level and perform an appropriate statistical test;
Decide whether the null hypothesis is valid or not.
The significance level is a criterion to decide the value stated in the null hypothesis. The decision often comes from the outcome of the statistical test, using the p-value, which is the probability of obtaining a sample result under the null hypothesis, which is then compared to the significance level.
A Z-test is a hypothesis test in which the Z-score, also called the Z-statistic, follows a normal distribution. It determines whether the mean of random variables
is equal to a mean
when the variances of
are known. It is noted that the test is considered to be accurate if
follows the normal distribution, or to be approximately accurate if
n is sufficiently large (for example,
). The test is conducted by assuming that the Z-score follows the standard normal distribution. It is calculated by
where
and
denote the standard deviation.
3. A Test Method and Evaluation Process
This section introduces the details of the test and its evaluation process.
3.1. Background of the Proposed Test
Typically, a sequence generated by PRNGs or TRNGs is evaluated by statistical tests such as TestU01 [
15] and NIST SP 800-22 [
16]. These are packages of several statistical tests, and users can smoothly check the statistical randomness by running them. For example, the distribution property of a sequence is evaluated by counting the number of bits or comparing a bit pattern with a template. These evaluations are an inseparable part of the distribution property. However, the authors feel that these evaluations cannot fully cover the features of the property.
In this context, the authors introduce the transition probability by considering the Markov process for an RO-based generator from previous research [
14]. It is noted that the readers can refer to [
4], as a work related to this paper. In brief, this paper focuses on the 2-bit patterns and deals with them in the state
, with transition probabilities between each other, where each pattern is derived by splitting a sequence of bits from the beginning without any duplication of the index. Furthermore, the authors extend the discussion of this approach to investigate the properties of an RO-based generator in the following sections.
3.2. Design of a Test
This section briefly introduces the assumptions and process of the test, including evaluation.
3.2.1. Assumptions
In this paper, a 100 MHz clock is used to sample a bit to generate a sequence with an RO-based generator. The state considered in the Markov process is a 2-bit pattern. Therefore, the time space is a discrete set .
An RO-based generator is implemented on an FPGA as a combination of lookup tables (LUT) and D-FFs. Hence, both NOT and XOR gates can be expressed by LUTs. Since the wire length causes a difference in RO circuits, this paper intentionally arranges each element so that they can be in the same condition.
3.2.2. Process of the Test and Evaluation
The test conducted in the next section is composed of three steps, as follows:
First, the assumption of the null hypothesis is clear from the fact that the ideal distribution of 2 bits is the uniform distribution, having an apparent probability of . Since one of the motivations in this work is to investigate the uniformity of transition probabilities from every pattern, the authors propose sampling a sequence of length 1K bits 1000 times to obtain a p-value. By repeating the collection of p-values 1000 times, the authors decide whether the null hypothesis is approved or not.
In addition, the authors’ other motivation is to reveal the relationship between the randomness of sequences and the number of ROs in a generator. Several experimental results for different numbers of ROs are introduced in the next section. It is noted that the authors use the Z-test in the following experiments since the number of samples is large (1000 samples). However, a t-test should be utilized when the readers need more strict and practical evaluation.
4. Experimental Results and Considerations
In this section, the authors show the experimental results of the proposed method. For simplicity, the null hypothesis
and alternative hypothesis
throughout the experiment are
and
, respectively, where
denotes the mean of transition probabilities. The FPGA board used to implement the RO-based generator was a Nexys A7-100T Artix-7 series [
17], with every RO circuit being composed of only three NOT gates.
4.1. Observation
First, let us begin by briefly confirming whether the probability distribution follows the normal distribution.
Figure 6,
Figure 7 and
Figure 8 shows the histograms of transition probabilities when the numbers of ROs are 2, 10, and 20.
By observing the figures, it is apparent that the probability distribution follows the normal distribution as the expectation gradually closes to 0.25, depending on the increment in the number of ROs. Thus, the proposed method can be considered applicable to an RO-based generator.
4.2. Comparison of p-Values and Considerations
Based on the previous observation, the authors conducted a Z-test and compared the p-values obtained throughout the experiment. It is noted that the significance level is set to to validate the hypothesis more strictly.
Table 1 shows the comparisons of
p-values obtained by testing sequences generated with
l number of ROs, where
. The element highlighted in red denotes the cases in which the
p-value is less than
, and the blue ones the elements greater than or equal to
, respectively. As seen from the table, the null hypothesis tended to be accepted when
. Additionally, compared to the other transitions, the null hypotheses for the specific transitions, such as 01 to 01 and 11 to 11 for
, are found to be rejected frequently. To check these assumptions further, the authors conducted additional experiments, as given in the next section.
4.3. Post Evaluations for Consideration
The following two characteristics are found throughout the above comparison; thus, the authors carried out further experiments to confirm the likelihood.
- -
The null hypothesis is accepted when ;
- -
The null hypothesis concerning the transition probabilities from 01 to 01 and from 11 to 11 are often rejected.
The first assumption shows that the mean of transition probabilities is when , which is assumed to be an ideal result for the authors. On the other hand, the second points out that the specific transitions do not happen uniformly.
The authors conduct additional experiments from different viewpoints, as described below, to confirm these assumptions.
The experimental results in terms of transition probabilities for each state are introduced in
Figure 9,
Figure 10,
Figure 11 and
Figure 12. The horizontal and vertical axes reflect the number of ROs and the number of sequences of length 1 Mbits for which transition probabilities were able to pass the hypothesis test. As seen from the graphs, the number of sequences will gradually become flat for
. However,
Figure 10 and
Figure 12 also show that the transitions from 01 to 01 and from 11 to 11 are relatively low compared with the other transitions.
In the same way, experiments were conducted with the RO-based generator consisting of seven NOT gates. The results are shown in
Figure 13,
Figure 14,
Figure 15 and
Figure 16. Comparing the figures in
Figure 9,
Figure 10,
Figure 11,
Figure 12,
Figure 13,
Figure 14,
Figure 15 and
Figure 16, the readers can find similar characteristics in both graphs, and the assumptions mentioned above are considered to be true.
5. Conclusions
This paper focused on an RO-based generator originally proposed by Wold et al.; in addition, the authors proposed a statistical test regarding the state transition probabilities of 2 bits for the generator. The purpose of such a test is to check the uniformity of the respective transition patterns, such as and 11. This statistical test was applied for RO-based generators consisting of different numbers of ROs. As a result, it was found that the randomness of an RO-based generator depends on the number l of ROs, and the result shows that l should be larger than 10.
Therefore, the authors successfully evaluated the randomness of RO-based generators numerically, and we can conclude from this study that the circuit of RO-based generators becomes complex depending on the increment in ROs. In addition, it tells us that the users have to recognize the bias hidden in the transition probabilities, especially for practical use.
However, since this paper only focused on the 2-bit case and did not formulate the experimental results, the authors would like to utilize larger bit patterns and different boards to explore the characteristic equation in future works.
Author Contributions
Conceptualization, Y.K. and M.A.A.; Data curation, Y.K. and R.S.; Formal analysis, Y.K., R.S., T.K. and Y.N.; Funding acquisition, Y.K. and Y.N.; Investigation, Y.K., R.S., M.A.A. and T.K.; Methodology, Y.K. and M.A.A.; Project administration, Y.K.; Resources, T.K. and Y.N.; Software, R.S., T.K. and Y.N.; Supervision, Y.N.; Validation, Y.K. and R.S.; Visualization, R.S.; Writing—original draft, Y.K.; Writing—review and editing, Y.K., R.S., M.A.A., T.K. and Y.N. All authors have read and agreed to the published version of the manuscript.
Funding
This work was partially supported by the JSPS KAKENHI Grant-in-Aid for Research Activity Start-up (20K23327) and the Grant-in-Aid for Challenging Research (Pioneering) (20K20484).
Conflicts of Interest
The authors declare no conflict of interest.
References
- Kleeman, L.; Cantoni, A. Metastable Behavior in Digital Systems. IEEE Des. Test Comput. 2008, 4, 4–19. [Google Scholar] [CrossRef]
- Sunar, B.; Martin, W.J.; Stinson, D.R. A Provably Secure True Random Number Generator with Built-In Tolerance to Active Attacks. IEEE Trans. Comput. 2007, 56, 109–119. [Google Scholar] [CrossRef]
- Wold, K.; Tan, C.H. Analysis and enhancement of random number generator in FPGA based on oscillator rings. In Proceedings of the 2008 International Conference on Reconfigurable Computing and FPGAs, Cancun, Mexico, 3–5 December 2008. [Google Scholar]
- Ryabko, B.Y.; Monarev, V.A. Using information theory approach to randomness testing. J. Stat. Plan. Inference 2005, 133, 95–110. [Google Scholar] [CrossRef] [Green Version]
- Marton, K.; Suciu, A.; Ignat, I. Randomness in Digital Cryptography: A Survey. Rom. J. Inf. Sci. Technol. 2010, 13, 219–240. [Google Scholar]
- Bochard, N.; Bernard, F.; Fischer, V.; Valtchanov, B. True-Randomness and Pseudo-Randomness in Ring Oscillator-Based True Random Number Generators. Int. J. Reconfig. Comput. 2010, 2010, 879281. [Google Scholar] [CrossRef] [Green Version]
- Tuncer, T.; Avaroğlu, E.; Türk, M.; Ozer, A.B. Implementation of Non-periodic Sampling True Random Number Generator on FPGA. J. Microelectron. Electron. Compon. Mater. 2014, 44, 296–302. [Google Scholar]
- Cao, Y.; Chang, C.-H.; Zheng, Y.; Zhao, X. An energy-efficient true random number generator based on current starved ring oscillators. In Proceedings of the 2017 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), Beijing, China, 19–20 October 2017. [Google Scholar] [CrossRef]
- Anandakumar, N.N.; Sanadhya, S.K.; Hashmi, M.S. FPGA-Based True Random Number Generation Using Programmable Delays in Oscillator-Rings. IEEE Trans. Circuits Syst. II Express Briefs 2020, 67, 570–574. [Google Scholar] [CrossRef]
- Lin, J.; Wang, Y.; Zhao, Z.; Hui, C.; Song, Z. A New Method of True Random Number Generation based on Galois Ring Oscillator with Event Sampling Architecture in FPGA. In Proceedings of the 2020 IEEE International Instrumentation and Measurement Technology Conference (I2MTC), Dubrovnik, Croatia, 25–28 May 2020. [Google Scholar] [CrossRef]
- Fujieda, N. On the Feasibility of TERO-Based True Random Number Generator on Xilinx FPGAs. In Proceedings of the 2020 30th International Conference on Field-Programmable Logic and Applications (FPL), Gothenburg, Sweden, 31 August–4 September 2020. [Google Scholar] [CrossRef]
- Choi, S.; Shin, Y.; Yoo, H. Analysis of Ring-Oscillator-based True Random Number Generator on FPGAs. In Proceedings of the 2021 International Conference on Electronics, Information, and Communication (ICEIC), Jeju, Korea, 31 January–3 February 2021. [Google Scholar] [CrossRef]
- Koç, Ç.K. Cryptographic Engineering; Springer: Boston, MA, USA, 2009. [Google Scholar]
- Sato, R.; Kodera, Y.; Ali, M.A.; Kusaka, T.; Nogami, Y.; Morelos-Zaragoza, R.H. Consideration for Affects of an XOR in a Random Number Generator Using Ring Oscillators. Entropy 2021, 23, 1168. [Google Scholar] [CrossRef] [PubMed]
- L’Ecuyer, P.; Simard, R. TestU01: AC library for empirical testing of random number generators. ACM Trans. Math. Softw. 2007, 33, 1–40. [Google Scholar] [CrossRef]
- Rukhin, A.; Soto, J.; Nechvatal, J.; Smid, M.; Barker, E.; Leigh, S.; Levenson, M.; Vangel, M.; Banks, D.; Heckert, N.; et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; NIST Special Publication 800-22 Revision 1a; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2010. Available online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf (accessed on 22 March 2022).
- Nexys A7 FPGA Board Reference Manual. Available online: https://reference.digilentinc.com/_media/reference/programmable-logic/nexys-a7/nexys-a7_rm.pdf (accessed on 22 March 2022).
| Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).