This disclosure pertains to the generation of random numbers. More particularly, this disclosure pertains to a method and system for generating a cryptographically random number stream.
Many people and organizations have come to rely heavily on electronic data. Consequently, many such people and organizations, as well as those they serve, have come to attach great importance to the information security of their electronic data. Many information security systems require that one or more cryptographically random number streams be provided for generating keys and other purposes. A stream of numbers is cryptographically random if at any point in the stream the history of prior numbers provides negligible assistance in predicting any subsequent number of the stream.
While cryptographically random number streams are conceptually simple, it has proved very difficult to generate such streams in an industrially useful fashion. For example, a stream of coin flips is cryptographically random, but coin flipping cannot be used to provide industrially useful number streams.
To get around the difficulty of generating cryptographically random number streams, one prior-art approach provides a cryptographically random number as the seed of a pseudo-random number stream. Such a seed can be obtained in many ways, a common one of which is sampling noise from a complex process that is very difficult to model accurately, for example the thermal noise across a semiconductor diode or resistor. However, pseudo-random number streams are algorithmic and thus predictable if the algorithm and seed are known. The effectiveness of this approach to information security is limited by its reliance upon such streams.
What is needed to provide greater security of electronic data is an industrially useful method and system for generating cryptographically random number streams. This disclosure provides such a method and system. These and other advantages, as well as additional inventive features, will be apparent from the present disclosure.
For a more complete understanding of the present disclosure, and the advantages thereof, reference is now made to the following brief descriptions taken in conjunction with the accompanying drawings, in which like reference numerals indicate like features.
Other aspects, objectives and advantages of the invention will become more apparent from the remainder of the detailed description when taken in conjunction with the accompanying drawings.
As shown, the module includes two linear feedback shift registers 110 and 112 having different taps 114-120. Each register 110 and 112 outputs one of the two statistically random number streams 106 and 108.
Preferably, the linear feedback shift registers 110, 112, and 122 are frequency-aligned; even more preferably, the linear feedback shift registers 110, 112, and 122 are 1:1 frequency-aligned and therefore operate on a single clock and respectively output bits 106, 108, and 124 in the same clock cycle. Within the same clock cycle, the oscillator 104 selects between the output bits 106 and 108, outputting a bit 100 identical to the selected bit. Consequently, the bit stream 100 is cryptographically random and can be output at a rate of one bit per clock cycle. Preferably also within the same clock cycle, the output of linear feedback shift register 122 is XORed with the output 100 of the oscillator 104, producing output bit 126. Consequently, the bit stream 126 is also cryptographically random.
The described system can optionally be employed in a fashion such that one or more of the cryptographically random number streams are utilized at a rate below 100%. A portion of the numbers or bits output will be “wasted” or “dropped on the floor” rather than being used as part of a final output stream. Accordingly, such a final output number stream will present an incomplete history of the earlier output stream generated by the system. As an example, this variation can be implemented to provide an historically incomplete final output stream for TCP and SSL encryption.
Returning to
The average frequency of the oscillator 104 is preferably different from the clock frequency governing the linear feedback shift registers 110 and 112. Still more preferably, the frequency of the oscillator 104 is less than ½ of the clock frequency governing the linear feedback shift registers 110 and 112. Even more preferably, the frequency of the oscillator 104 is within the range of 1/64 and ½ of the clock frequency governing the linear feedback shift registers 110 and 112.
The timing and pattern of selecting a current number from one of the statistically random number streams 106 and 108 can affect the resulting cryptographically random number stream 100. Hence, also within the scope of the claimed invention, as will be understood by those having skill in the art, the selections made by the oscillator 104 may occur periodically with a fixed or varying period, which may or may not be in frequency alignment with the statistically random number streams 106 and 108, or may occur aperiodically.
Returning to
In other embodiments, the linear feedback shift registers 110, 112, and 122 may have different width; number and placement of taps 114-120, 128 and 130; and characteristic polynomial. Furthermore, the widths, number and placement of taps 114-120, and characteristic polynomials of the two module linear feedback shift registers 110 and 112 need not be identical.
For illustration purposes, a simple embodiment of the present disclosure is now described. In more preferred embodiments, the linear feedback shift registers would be wider and would have irreducible characteristic polynomials.
The simple embodiment includes two linear feedback shift registers which are 5 bits wide with taps at 0 and 1 and initial fills of 10111 and 11100, respectively. The two 5-bit linear feedback shift registers output bits into an oscillator which operates at a frequency which varies in response to physically unpredictable events. The oscillator selects between the two output bits based on its state during a given clock cycle and outputs that bit as an input of an XOR operator.
The simple embodiment also includes a third linear feedback shift register which is 7 bits wide with taps at bits 0 and 2 and an initial fill of 0110101. The third linear feedback shift register's output provides the other input bit to the XOR operator. The output of the XOR operator is then the output of the simple embodiment.
The following table shows the operational values for components of the simple embodiment for 24 clock cycles:
Generally, linear feedback shift registers can be implemented in software or hardware. Although a software model of the oscillator by definition causes it to lose its desired physical unpredictability, there are methods accepted in the art as suitable, though not ideal, practices for modeling the properties the oscillator requires. Such accepted practices include using the entropy created by the keyboard, mouse, interrupts and disk drive behavior in a variety of operating systems. Consequently, the present disclosure provides for embodiments of the present invention implemented in software, hardware, or a combination of the two. Field programmable gate arrays are a potential means of implementing the present invention as a combination of hardware and software.
A brief description of contextual terminology follows:
The term “frequency-aligned,” as used herein, means that the ratio between the frequencies can be expressed as a ratio of integers. Some examples of ratios between the periods of frequency-aligned streams include 1:1, 1:2, 2:1, 2:3, 3:2, 1:3, 3:1, etc.
The term “linear feedback shift register,” as used herein, means any of a well-known class of devices for outputting a bit stream. A linear feedback shift register includes a register which contains a bit pattern called a fill. In each clock cycle, a linear feedback shift register performs the following four steps:
The fixed bit positions of Step 2 are the taps of the linear feedback shift register. While any linear function will suffice, the linear function most commonly used in Step 2 is to XOR the bits at the taps. In general, a linear feedback shift register with a w-bit register and taps corresponding to an irreducible polynomial in the Galois Field GF(2^w) produces an output stream which is statistically random and does not repeat until the entire Galois Field has been exhausted.
The term “oscillator,” as used herein, means a device which varies between at least two states at a frequency which varies based on physically unpredictable events. For example, such an oscillator could be highly sensitive to minute changes in temperature or voltage. Such an oscillator will vary between its at least two states erratically, providing physical unpredictability which forms a basis for cryptographic randomness. An example of such an oscillator is any common silicon oscillator which operates in free-running unlocked or unreferenced mode.
The term “physically unpredictable,” as used herein, means physical processes which the current state of the art is incapable of accurately predictively modeling. Some examples of physically unpredictable events include thermal noise created across a semiconductor diode or resistor, the interval between the emission of particles during radioactive decay, and the flipping of a fair coin.
The term “statistically random,” as used herein, means the subject stream has uniform statistical properties. For example, if digits in the stream range from 0 to 9, then each digit should appear equally: 10% of the time. In addition, each two-digit set of digits, i.e., 00, 01, 02, etc., should appear equally often: 1% of the time. Similarly, each three-digit set of digits, i.e., 000, 001, 002, etc., should appear equally often: 0.1% of the time. And so forth.
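The definition above is checkable: tally every overlapping n-digit window of a stream and compare each pattern's share with the uniform value 1/10^n. The following is an added example written for this page, not code from the disclosure; the digit stream it feeds in is constructed here (a plain 0..9 counter) and was chosen because it meets the single-digit requirement exactly while failing the pair and triple requirements, which is exactly why the definition insists on all orders of pattern.

```python
from collections import Counter
from typing import Dict

# Digit alphabet of the stream under test (the page's example uses digits 0..9).
ALPHABET = "0123456789"


def ngram_counts(stream: str, n: int) -> Counter:
    """Count every overlapping n-digit window of the stream."""
    return Counter(stream[i:i + n] for i in range(len(stream) - n + 1))


def worst_relative_deviation(stream: str, n: int) -> float:
    """Largest |observed - expected| / expected over all 10**n patterns of length n.

    `expected` is the uniform share 1/10**n the page's definition calls for
    (10%, 1%, 0.1% for n = 1, 2, 3). A pattern that never occurs deviates by
    exactly 1.0, since its whole expected share is missing.
    """
    counts = ngram_counts(stream, n)
    total = sum(counts.values())
    patterns = len(ALPHABET) ** n
    expected = 1.0 / patterns
    worst = 0.0
    for count in counts.values():
        worst = max(worst, abs(count / total - expected) / expected)
    if len(counts) < patterns:
        worst = max(worst, 1.0)
    return worst


def uniformity_report(stream: str, max_n: int = 3) -> Dict[int, float]:
    """Worst relative deviation for each pattern length 1..max_n."""
    return {n: worst_relative_deviation(stream, n) for n in range(1, max_n + 1)}


# Constructed input: 10000 digits cycling 0,1,...,9. Each single digit appears
# exactly 10% of the time, but only ten of the hundred possible digit pairs
# ever occur, so the stream is not statistically random in the page's sense.
COUNTER_STREAM = "".join(str(i % 10) for i in range(10000))

if __name__ == "__main__":
    for n, dev in uniformity_report(COUNTER_STREAM).items():
        print(f"n={n}: worst relative deviation from uniform = {dev:.3f}")
```

A deviation near 0 at n=1 alongside deviations of 9 and 99 at n=2 and n=3 is the signature of a stream that is balanced digit by digit but highly structured; a stream that satisfied the definition would stay small at every order, with the tolerance one accepts growing as 10^n approaches the stream length.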
Statistically random number streams can be, but are not necessarily, cryptographically random number streams. For example, by definition, a linear feedback shift register outputs a statistically random number stream, but if one knows a set of consecutive numbers output from the register equal to the register's width and also knows the number and location of the register's taps, then one can predict the register's entire output stream.
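A software model ties the two preceding points together: the simple embodiment described earlier (two 5-bit registers with taps at 0 and 1 and fills 10111 and 11100, a 7-bit register with taps at 0 and 2 and fill 0110101, an oscillator selecting between the first two and an XOR with the third) and the statement just made that a bare register is predictable once its width's worth of consecutive outputs and its taps are known. The code below is an added example, not the disclosure's own table or implementation. Because the page does not reproduce the four per-cycle steps, the register conventions are this example's assumptions: bit 0 is the rightmost bit of the written fill, each cycle outputs bit 0, the feedback bit is the XOR of the tap bits, and the register shifts right with the feedback bit entering at the top. The oscillator is modelled, as the disclosure allows for software, by an operating-system entropy source (`secrets.randbelow`) holding each state for an unpredictable 1 to 32 clock cycles; `predict_lfsr` is a name chosen here.

```python
import secrets
from typing import Callable, Iterator, List, Sequence, Tuple


class LFSR:
    """Fibonacci-style linear feedback shift register (conventions assumed, see lead-in)."""

    def __init__(self, width: int, taps: Sequence[int], fill: str) -> None:
        if len(fill) != width or set(fill) - {"0", "1"}:
            raise ValueError("fill must be a bit string of exactly `width` bits")
        self.width, self.taps = width, tuple(taps)
        self.state = int(fill, 2)  # written MSB first, so bit 0 is the rightmost fill bit

    def step(self) -> int:
        """One clock cycle: output bit 0, XOR the tap bits, shift right, insert at the top."""
        out = self.state & 1
        feedback = 0
        for t in self.taps:
            feedback ^= (self.state >> t) & 1
        self.state = (self.state >> 1) | (feedback << (self.width - 1))
        return out


def free_running_oscillator(
    randbelow: Callable[[int], int] = secrets.randbelow,
) -> Iterator[int]:
    """Software stand-in for the oscillator (assumption: OS entropy replaces physical noise).

    Each state is held for 1..32 clock cycles, so the model's frequency lies between
    1/64 and 1/2 of the register clock, the range the disclosure prefers.
    """
    state = 0
    while True:
        for _ in range(1 + randbelow(32)):
            yield state
        state ^= 1


def simulate(cycles: int, osc_states: Iterator[int]) -> List[Tuple[int, ...]]:
    """Run the simple embodiment; one row per clock cycle:
    (cycle, bit_a, bit_b, oscillator_state, selected_bit, bit_c, output)."""
    reg_a = LFSR(5, (0, 1), "10111")
    reg_b = LFSR(5, (0, 1), "11100")
    reg_c = LFSR(7, (0, 2), "0110101")
    rows = []
    for cycle in range(cycles):
        bit_a, bit_b, bit_c = reg_a.step(), reg_b.step(), reg_c.step()
        osc = next(osc_states)
        selected = bit_b if osc else bit_a  # oscillator state picks the module output
        rows.append((cycle, bit_a, bit_b, osc, selected, bit_c, selected ^ bit_c))
    return rows


def predict_lfsr(width: int, taps: Sequence[int], observed: Sequence[int], count: int) -> List[int]:
    """Rebuild a bare register from `width` consecutive output bits plus its taps and
    return the next `count` bits: the predictability the disclosure cautions about.
    Under the convention above the first `width` outputs are the fill read LSB first."""
    if len(observed) < width:
        raise ValueError("need at least `width` consecutive output bits")
    state = 0
    for i, bit in enumerate(observed[:width]):
        state |= bit << i
    reg = LFSR(width, taps, format(state, f"0{width}b"))
    replay = [reg.step() for _ in observed]  # replay everything seen, then continue
    if replay != list(observed):
        raise ValueError("observed bits are not consistent with these taps")
    return [reg.step() for _ in range(count)]


if __name__ == "__main__":
    print("cycle a b osc sel c out")
    for row in simulate(24, free_running_oscillator()):
        print(" ".join(str(v) for v in row))
    print("next bits of register A given its first 5 outputs:",
          predict_lfsr(5, (0, 1), [1, 1, 1, 0, 1], 5))
```

Run stand-alone, the script prints a 24-cycle table in the shape the disclosure describes and then shows that register A's first five output bits alone determine its continuation. Feeding `simulate` a scripted oscillator sequence instead of `free_running_oscillator()` makes a run reproducible, which is useful when checking the register logic but, as the disclosure notes for any software model, removes the physical unpredictability the design relies on.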
The term “XOR,” as used herein, means the well known function defined by the following truth table:
It is well-known that the XOR of a statistically random number stream and an independent cryptographically random number stream is both statistically and cryptographically random.
All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.
The use of the terms “a” and “an” and “the” and similar referents in the context of describing embodiments of the invention (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms “comprising,” “having,” “including,” and “containing” are to be construed as open-ended terms (i.e., meaning “including, but not limited to,”) unless otherwise noted. Recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., “such as”) provided herein, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.
Preferred embodiments of this invention are described herein, including the best mode known to the inventors for carrying out the invention. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the invention to be practiced within the scope of the claims otherwise than as specifically described herein. For example, the non-module linear feedback shift register can be made a different length than the module linear feedback shift registers in order to extend the cycle length of statistically random numbers, which could be helpful if the oscillator becomes stuck in one state. In another example, the module linear feedback shift registers can be of different lengths. In yet another example, each of the two statistically random number streams providing input to the oscillator outputs more than one number at a time. In a further example, a plurality of non-module linear feedback shift registers are XORed with the output of the oscillator in a cascading configuration. In a still further example, the module, which produces two statistically random number streams, logically includes two otherwise independent sources of the statistically random number streams. In an even further example, the module includes a number of operably configured sources of number streams which ultimately produce at least two statistically random number streams. In yet a still further example, the oscillator varies between at least three states. Accordingly, this invention includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law.
Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the invention unless otherwise indicated herein or otherwise clearly contradicted by context.
This patent application claims the benefit of U.S. Provisional Patent Application No. 60/499,567, entitled, “Method and Apparatus for Random Number Generation,” and filed Sep. 2, 2003.
Number | Name | Date | Kind |
---|---|---|---|
4573024 | Carlqvist | Feb 1986 | A |
4905176 | Schulz | Feb 1990 | A |
5404402 | Sprunk | Apr 1995 | A |
5493612 | Klund et al. | Feb 1996 | A |
5566099 | Shimada | Oct 1996 | A |
5570307 | Takahashi | Oct 1996 | A |
5706218 | Hoffman | Jan 1998 | A |
5781458 | Gilley | Jul 1998 | A |
5961577 | Soenen et al. | Oct 1999 | A |
5963104 | Buer | Oct 1999 | A |
5966313 | Sakamoto | Oct 1999 | A |
6061702 | Hoffman | May 2000 | A |
6067359 | Shimada | May 2000 | A |
6215874 | Borza et al. | Apr 2001 | B1 |
6263082 | Ishimoto et al. | Jul 2001 | B1 |
6480072 | Walsh et al. | Nov 2002 | B1 |
6542014 | Saito | Apr 2003 | B1 |
6571263 | Nagai | May 2003 | B1 |
6587562 | Jansen et al. | Jul 2003 | B1 |
6754345 | Ishimoto et al. | Jun 2004 | B2 |
6826494 | Yamane et al. | Nov 2004 | B2 |
6862605 | Wilber | Mar 2005 | B2 |
7117233 | Dichtl | Oct 2006 | B2 |
7139397 | Messina et al. | Nov 2006 | B2 |
7236594 | Van Veldhoven et al. | Jun 2007 | B2 |
7308104 | Kim et al. | Dec 2007 | B1 |
20010033663 | Ishimoto et al. | Oct 2001 | A1 |
20030005321 | Fujioka | Jan 2003 | A1 |
20040006580 | Miller, Jr. | Jan 2004 | A1 |
20040096060 | Henry et al. | May 2004 | A1 |
20040208322 | Ozluturk | Oct 2004 | A1 |
Number | Date | Country
---|---|---
20050110399 A1 | May 2005 | US |
Number | Date | Country
---|---|---
60499567 | Sep 2003 | US |