The disclosure relates to random number generation, and in particular, to an entropy generator and a method of generating enhanced entropy using truly random static entropy.
Random numbers are widely used in the fields of information security and statistical sampling. Random numbers generation is generation of a sequence of unpredicted and independent numbers conforming to a specified distribution. A pseudo-random number generator generates the sequence of numbers using an entropy input, known as a seed. An insufficient random seed may lead to an insufficient random sequence. Therefore, choosing a sufficient random seed is important to generate a random sequence, ensuring secure data in information security applications and accurate sampling results in statistical sampling applications.
According to an embodiment of the invention, an entropy generator includes a physically unclonable function, a dynamic entropy source and an entropy enhancement engine. The physically unclonable function is used to provide a truly random static entropy. The dynamic entropy source is used to generate a dynamic entropy. The entropy enhancement engine is coupled to the physically unclonable function and the dynamic entropy source, and is used to generate an enhanced entropy according to the truly random static entropy and the dynamic entropy. The truly random static entropy has a hamming weight of substantially 50%, an expected hamming distance of substantially 50% and a min-entropy of substantially 1. The expected hamming distance is an expected value of a hamming distance between the truly random static entropy and another truly random static entropy provided by the physically unclonable function.
According to another embodiment of the invention, a method of generating an enhanced entropy for use in a device includes: a physically unclonable function providing a truly random static entropy; a dynamic entropy source generating a dynamic entropy; and an entropy enhancement engine generating an enhanced entropy according to the truly random static entropy and the dynamic entropy. The truly random static entropy has a hamming weight of substantially 50%, an expected hamming distance of substantially 50% and a min-entropy of substantially 1. The expected hamming distance is an expected value of a hamming distance between the truly random static entropy and another truly random static entropy provided by the physically unclonable function
These and other objectives of the present invention will no doubt become obvious to those of ordinary skill in the art after reading the following detailed description of the preferred embodiment that is illustrated in the various figures and drawings.
As used herein, the term “truly random” or “true random” refers to a bit stream that has a hamming weight of substantially 50%, an expected hamming distance of substantially 50% and a minimum entropy (min-entropy) of substantially 1. The hamming weight measures an expected value of non-zero symbols in the bit stream in a percentage form. The min-entropy is a lower bound of entropy of the bit stream, measuring unpredictability of the bit stream. The expected hamming distance is an expected value of a hamming distance between a truly random static entropy and another truly random static entropy provided by a physically unclonable function (PUF). It is to be noted that the truly static entropy and the another truly random static entropy are derived from the same PUF.
The entropy generator 1 may contain a static entropy source 10, dynamic entropy sources 12(1) to 12(N) and an entropy enhancement engine 14. The static entropy source 10 and the dynamic entropy sources 12(1) to 12(N) may be coupled to the entropy enhancement engine 14, N being a positive integer. For example, N is 2 for two dynamic entropy sources 121 and 122 in the entropy generator 1. While one static entropy source 10 and a plurality of dynamic entropy sources 12(1) to 12(N) are used in the embodiment, adopting two or more static entropy sources 10 and/or one dynamic entropy source 121 in the entropy generator 1 is also within the scope of the invention.
The static entropy source 10 may provide a truly random static entropy Es. The dynamic entropy sources 12(1) to 12(N) may generate dynamic entropies Ed(1) to Ed(N), respectively. The entropy enhancement engine 14 may generate the enhanced entropy Eout according to the truly random static entropy Es and the dynamic entropies Ed(1) to Ed(N). Specifically, the entropy enhancement engine 14 may mix the truly random static entropy Es and the dynamic entropies Ed(1) to Ed(N) in a bitwise manner to generate the enhanced entropy Eout. For example, each of the truly random static entropy Es and the dynamic entropies Ed(1) to Ed(N) may be 16 bits in length, and the entropy enhancement engine 14 may perform an XOR operation on corresponding bits of the truly random static entropy Es and the dynamic entropies Ed(1) to Ed(N) to generate a corresponding bit in the enhanced entropy Eout, thereby producing a 16-bit enhanced entropy Eout. The entropy enhancement engine 14 may include an XOR gate or a processor employing a data encryption standard (DES) algorithm, an advanced encryption standard (AES) algorithm or a hash function to perform mixing. In some embodiments, the entropy enhancement engine 14 may further include a pseudorandom number generator. The pseudorandom number generator may be a linear feedback shift register and may be seeded by the mixing output of the XOR gate or the processor to generate the truly random static entropy Es.
The static entropy source 10 may be a physically unclonable function (PUF), a non-volatile memory, or a fixed logic containing a plurality of truly random static entropy bits. For example, the physically unclonable function may be a 32-bit by 32-bit memory cells containing an entropy bit pool, and each row, column or diagonal line of the memory cells may contain truly random entropy bits. The entropy bit pool may include a plurality of entropy bits fixed in values and unique to each device employing the entropy generator 1. The physically unclonable function may output the truly random static entropy Es according to a predetermined selecting algorithm. For example, the physically unclonable function may select entropy bits from rows of cells in a predetermined row order to serve as the truly random static entropy Es. In some embodiments, the static entropy source 10 may be a pseudo random number generator (PRNG)(known as deterministic random bit generator(DRBG)) generating the truly random static entropy Es.
The dynamic entropy sources 12(1) to 12(N) may generate the respective dynamic entropies Ed(1) to Ed(N) in real time.
The first oscillator 20 may generate a first oscillation signal OSC1 oscillating in a first frequency. The second oscillator 22 may generate a second oscillation signal OSC2 oscillating in a second frequency. The combining circuit 24 may combine the first oscillation signal OSC1 and the second oscillation signal OSC2 to generate a dynamic entropy Ed(n). The first oscillator 20 and the second oscillator 22 may be ring oscillators.
In some embodiments, the flip-flop 240 may sample the first oscillation signal OSC1 using the second oscillation signal OSC2, so as to generate the dynamic entropy Ed(n). In some embodiments, the first frequency and the second frequency are different, and each of the first frequency and the second frequency may be a multiple of prime numbers, misaligning level transitions of the first oscillation signal OSC1 and the second oscillation signal OSC2. For example, the first frequency may be 3 MHz and the second frequency may be 5 MHz. Since one prime number may not be fully divided by another prime number, the flip-flop 240 may sequentially generate the dynamic entropy Ed(n). In other embodiments, the first frequency and the second frequency are substantially equal, e.g., the first frequency and the second frequency may both be 3 MHz. Since the devices, the routing and the voltage and operating temperature environment of the first oscillator 20 and the second oscillator 22 may not be fully identical, the first oscillation signal OSC1 and the second oscillation signal OSC2 may continuously race with each other to arrive the flip-flop 240, thereby sequentially generating an arbitrary “0” or logic level “1” as the dynamic entropy Ed(n).
The first oscillator 20 and the second oscillator 22 may be implemented by the ring oscillator 3 in
The NAND gate 30 may receive an enabling signal EN to control activation of the ring oscillator 3 and output a NAND output. When the enabling signal EN is set at the logic level “0”, the ring oscillator 3 is deactivated from generating an oscillation signal OSC. When the enabling signal EN is set at the logic level “1”, the ring oscillator 3 is activated to generate the oscillation signal OSC. The frequency of the oscillation signal OSC may be determined by the total gate delay of the inverters 32(1) to 32(M). An increase in the total number of the inverters 32(1) to 32(M) may increase the total gate delay, reducing the frequency of the oscillation signal OSC.
The initial entropy source 50 may generate an initial entropy Eini. The initial entropy Eini may a bit stream including a sequence of entropy bits Eini(1) to Eini(P) sequential in time, P being a positive integer, e.g., P may be 4. The initial entropy source 50 may be implemented by the first oscillator 20, the second oscillator 22 and the combining circuit 24 in
The accumulation circuit 52 may combine the entropy bits Eini(1) to Eini(P) into a bit in the dynamic entropy Ed(n). The accumulation circuit 52 may include an XOR gate 520 coupled to the initial entropy source 50. The XOR gate 520 may acquire the entropy bits Eini(1) to Eini(P) over a predetermined period of time, e.g., 4 clock cycles, and perform an XOR operation on the entropy bits Eini(1) to Eini(P) to generate the bit in the dynamic entropy Ed(n). That is, the accumulation circuit 52 may generate one bit every predetermined period of time. In this manner, the dynamic entropy source 12(n) in
The initial entropy source 60 may include the first oscillator 20, the second oscillator 22 and the XOR gate 440. The configuration and operation of the first oscillator 20, the second oscillator 22 and the XOR gate 440 are similar to those in
The XOR gate 620 may sum an entropy bit in the random signal Sr and an accumulated entropy Eac to generate a new accumulated entropy Eac′. The accumulated entropy Eac may include accumulated entropy bits over the predetermined period of time. The multiplexer 624 may receive a selection signal sel from the selection circuit 626 to select one from the random signal Sr and the new accumulated entropy Eac′ to generate a multiplexer output signal. In some embodiments, when the selection signal sel is set at the logic level “0”, the multiplexer 624 may select the new accumulated entropy Eac′ as the multiplexer output signal; and when the selection signal sel is set at the logic level “1”, the multiplexer 624 may select the random signal Sr as the multiplexer output signal. The flip-flop 240 may sample the multiplexer output signal to generate the accumulated entropy Eac.
The update circuit 628 may update the dynamic entropy Ed(n) according to the accumulated entropy Eac at the first clock cycle of the predetermined period of time. In some embodiments, the update circuit 628 may be a switch selecting between the accumulated entropy Eac and the dynamic entropy Ed(n) according to the selection signal sel to generate the dynamic entropy Ed(n). When the selection signal sel is set at the logic level “1”, the update circuit 628 may select the accumulated entropy Eac to update the dynamic entropy Ed(n), and when the selection signal sel is set at the logic level “0”, the update circuit 628 may maintain the voltage level in the dynamic entropy Ed(n) without updating. In this fashion, the update circuit 628 may update the dynamic entropy Ed(n) once every predetermined period of time.
The counter 624 may be enabled by the enabling signal EN, and may be a ring counter updating a counting signal cnt upon each clock pulse of the clock signal CLK. The counting signal cnt may count the predetermined period of time. The selection circuit 626 may generate the selection signal sel according to the counting signal cnt. Upon the first clock cycle of the predetermined period of time, the selection circuit 626 may set the selection signal sel to be the logic level “1”, so as to reset the accumulated entropy Eac and update the dynamic entropy Ed(n). The dynamic entropy source 12(n) in
At Time t0, the counting signal cnt starts at a data state “0”, the selection signal sel is set to the logic level “1” to select the random signal Sr as the multiplexer output signal. At Time t1, the counting signal cnt proceeds to a data state “1”, the random signal Sr has the first data “a”, “a” being the sum of the values of the first oscillation signal OSC1 and the second oscillation signal OSC2 at Time t1, the flip-flop 240 samples the first data “a” in the multiplexer output signal to update the accumulated entropy Eac, and then the selection signal sel is set to the logic level “0” to select the new accumulated entropy Eac′ as the multiplexer output signal. At Time t2, the counting signal cnt proceeds to a data state “2”, the new accumulated entropy Eac′ has second data “a+b”, “b” being the sum of the values of the first oscillation signal OSC1 and the second oscillation signal OSC2 at Time t2, the flip-flop 240 samples the second data “a+b” in the multiplexer output signal to update the accumulated entropy Eac, and then the selection signal sel remains at the logic level “0” to select the new accumulated entropy Eac′ as the multiplexer output signal. At Time t3, the counting signal cnt proceeds to a data state “3”, the new accumulated entropy Eac′ has third data “a+b+c”, “c” being the sum of the values of the first oscillation signal OSC1 and the second oscillation signal OSC2 at Time t3, the flip-flop 240 samples the third data “a+b+c” in the multiplexer output signal to update the accumulated entropy Eac, and then the selection signal sel remains at the logic level “0” to select the new accumulated entropy Eac′ as the multiplexer output signal. At Time t4, the counting signal cnt recirculates to the data state “0”, the new accumulated entropy Eac′ has fourth data “a+b+c+d”, “d” being the sum of the values of the first oscillation signal OSC1 and the second oscillation signal OSC2 at Time t4, the flip-flop 240 samples the fourth data “a+b+c+d” in the multiplexer output signal to update the accumulated entropy Eac, and then the selection signal sel is set to the logic level “0” to select the random signal Sr as the multiplexer output signal. At Time t5, the counting signal cnt proceeds to the data state “1”, the random signal Sr has fifth data “e”, the flip-flop 240 samples the fifth data “e” in the multiplexer output signal to update the accumulated entropy Eac, and then the selection signal sel is set to the logic level “0” to select the new accumulated entropy Eac′ as the multiplexer output signal.
The entropy generator 1 employs the truly random static entropy Es and the dynamic entropies Ed(1) to Ed(N) to provide true randomness and dynamic randomness of the enhanced entropy Eout, thereby delivering data security to devices using the entropy generator 1.
The details of the method 800 have been explained in the preceding paragraphs, and will not be repeated here. The method 800 employs the truly random static entropy Es and the dynamic entropies Ed(n) to provide true randomness and dynamic randomness of the enhanced entropy Eout, thereby delivering data security to a secure device.
Those skilled in the art will readily observe that numerous modifications and alterations of the device and method may be made while retaining the teachings of the invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.
This application is a continuation-in-part of U.S. application Ser. No. 16/858,710, filed on Apr. 27, 2020, which claims the benefit of U.S. Provisional Application No. 62/878,725, filed on Jul. 25, 2019. The contents of these applications are incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
62878725 | Jul 2019 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 16858710 | Apr 2020 | US |
Child | 18211235 | US |