Repository files navigation

A Tiny and Platform-Independent True Random Number Generator forany FPGA (and even ASICs).

• Introduction
• Top Entity, Integration and Interface
• Theory of Operation / Architecture
• Evaluation
• Hardware Utilization
• Simulation
• References

The neoTRNG aims to be a small andplatform-agnostic TRUE random number generator (TRNG) thatcan be synthesized forany target technology (FPGAs and even ASICs). It is based on simple free-runningring-oscillators, which are enhanced by aspecial technique in order to allow synthesis for any platform.Thephase noise that occurs when sampling free-running ring-oscillators is used as physical entropy source.

This project is a "spin-off" from theNEORV32 RISC-V Processor wherethe neoTRNG is implemented as default SoC module.

Key Features

• technology, vendor and platform/technology independent - can be synthesized forany platform
• tiny hardware footprint (less than 100 LUT4s/FFs for the standard configuration)
• high throughput (for a physical TRNG)
• fully open source with apermissive license
• full-digital design; single-file VHDL module without any dependencies
• very high operating frequency to ease timing closure
• easy to use / simple integration
• full documentation down to rtl level + evaluation

The whole design is implemented as a single VHDL filertl/neoTRNG.vhd thathas no dependencies at all (like special libraries, packages or submodules).

entityneoTRNGisgeneric (    NUM_CELLS     :naturalrange1to99:=3;-- number of ring-oscillator cells    NUM_INV_START :naturalrange3to99:=5;-- number of inverters in first cell, has to be odd    SIM_MODE      :boolean:=false-- enable simulation mode (no physical random if enabled!)  );port (    clk_i    :instd_ulogic;-- module clock    rstn_i   :instd_ulogic;-- module reset, low-active, async, optional    enable_i :instd_ulogic;-- module enable (high-active)    valid_o  :outstd_ulogic;-- data_o is valid when set (high for one cycle)    data_o   :outstd_ulogic_vector(7downto0)-- random data byte output  );endneoTRNG;

The neoTRNG uses a single clock domain driven by theclk_i signal. The module's reset signalrstn_iisoptional (tie to'1' if not used). Random data is obtained by using a simple data/valid interface:whenever a new valid random byte is available thevalid_o output will be high for exactly one cycle sothedata_o output can be sampled by the user logic.

Theenable_i signal is used to initialize and start the TRNG. Before the TRNG can be used this signalshould be kept low for at least several 100 clock cycles (depending on the configuration) to ensure thatall bits of the internal shift registers are cleared again. Whenenable_i is set andvalid_o becomesset for the first time the TRNG is operational. Disabling the TRNG also requiresenable_i being low forthe same amount of clock cycles. Whenenable_i gets low all ring-oscillators will be stopped reducingdynamic switching activity and power consumption.

Three generics are provided to configure the neoTRNG.NUM_CELLS defines the total number of entropycells.NUM_INV_START defines the number of inverters (= the length of the ring-oscillator) in the veryfirst cell. These two generics are further described in theArchitecture section below.The last genericSIM_MODE can be set to allowsimulating of the TRNG within a plain RTLsimulation.

The neoTRNG is based on a configurable number (NUM_CELLS) ofentropy cells. Each cellprovides a simple a ring-oscillator ("RO") that is built using an odd number of inverters. The oscillationfrequency of the RO is defined by the propagation delay of the elements within the ring. This frequency isnot static as it is subject to minimal fluctuations caused by thermal noise electronic shot noise. Thestate of the RO's last inverter is sampled into a flip flop by using a static clock (clk_i). As the RO'sfrequency chaotically varies over time the inherentphase noise of the sampled data is used as actualentropy source.

Each entropy cell generates a 1-bit stream of random data. The outputs of all cells are mixed using a wideXOR gate before the stream isde-biased by a simple randomness extractor. Several de-biasedbits are sampled / de-serialized by thesampling unit to provide byte-wide random number.The sampling unit also applies a simple post-processing in order to improve the spectral distribution ofthe random numbers.

Each entropy cell consists of a ring-oscillator that is build from an odd number ofinverting latches.The length of ring in the very first entropy cell is defined by theNUM_INV_START generic. Everyadditional entropy cell adds another 2 inverters to this initial chain length. Hence, each additionalentropy cell oscillates at a lower frequency then the one before.

Asynchronous elements like ring-oscillators are hard to implement in a platform-independent way as theyusually require the use of platform-/technology-specific primitives, attributes or synthesis settings. Inorder to provide a real target-agnostic architecture, which can be synthesized for any target technology,a special technique is applied: each inverter inside the RO is followed by alatch that provides aglobal reset and also an individual latch-enable to switch the latch to transparent mode.

The individual latch-enables are controlled by a long shift register that features a distinct FF for everysingle latch in the RO chain. When the TRNG is enabled, this shift register starts to fill with ones. Thus,the latches are individually enabled one-by-one making it impossible for the synthesis tool to trim anylogic/elements from the RO chain as the start-up states of each latch can (theoretically) be monitored byexternal logic. The enable shift register of all entropy cells are daisy-chained to continue this start-upprocedure across the entire entropy array.

The following image shows the simplified schematic of the very first entropy cell consisting of 5inverter-latch elements for the rings oscillator, 5 flip flops for the enable shift register and another 2flip flops for the synchronizer.

An image showing the FPGA the mapping result (generated by Intel Quartus Prime) of the very first entropycell can be seenhere.It shows that all latch+inverter elements of the ring-oscillator chain were successfully mapped to individualLUT4s.

As soon as the last bit of the entropy cell's daisy-chained enable shift register is set the de-biasingunit gets started. This unit implements a simple "John von Neumann Randomness Extractor" to de-bias theobtained random data stream. The extractor implements a 2-bit shift register that samples the XOR-edrandom bit from the entropy cell array. In every second cycle the extractor evaluates the two sampled bitsto check a non-overlapping pair of bits foredges.

Whenever an edge has been detected a "valid" signal is send to the following sampling unit. A rising-edge(01) emits a1 data bit and a falling-edge (10) emits a0 data bit. Hence, the de-biasing unitrequires at least two clock cycles to generate a single random bit. If no edge is detected (00 or11)the valid signal remains low and the sampling unit halts.

The sampling unit implements a 8-bit shift register to convert the serial de-biased bitstream into byte-widerandom numbers. Additionally, the sample unit provides a simple post processing to improve the spectraldistribution of the obtained random samples.

In order to generate one byte of random data the sampling unit reset its internal shift register to all-zeroand starts consuming in 64 bits of the de-biased random stream. The shift register is implemented aslinear-feedback shift register (LFSR) thatXORs the input stream with the last bit of the register to further scramble and mix the random bitstream.

The neoTRNG is evaluated as part of theNEORV32 processor, where theneoTRNG is available as standard SoC module. The processor was synthesized for an Intel Cyclone IVEP4CE22F17C6NFPGA running at 100MHz. For the evaluation the very smalldefault configuration has been used: three entropycells are implemented where the first one implements 5 inverters, the second one implements 9 inverters and thethird one implements 11 inverters. More complex configurations with more/larger entropy cells might provide"better" random quality.

NUM_CELLS     = 3NUM_INV_START = 5SIM_MODE      = false

For the simple histogram analysis 4MB of random bytes were sampled from the neoTRNG. The obtained byteswere accumulated according to their occurrence and sorted into bins where each bin represents one specificbyte pattern (1 byte = 8 bits = 256 different patterns). The resulting was then analyzed with regard toits statistical properties:

• arithmetic mean of all sampled random bytes
• average occurrence across all bit patterns
• min and max occurrences and deviation from the average occurrence

[NOTE] integer numbers onlyNumber of samples: 4194304Arithmetic mean:   127 (optimum would be 127)Histogram occurrenceAverage:      16384 (optimum would be 4194304/256 = 16384)Min:          16051 = average - 333 (deviation) at bin 183 (optimum deviation would be 0)Max:          16706 = average + 322 (deviation) at bin 144 (optimum deviation would be 0)Average dev.: +/- 96 (optimum would be 0)

$ ent entropy.binEntropy = 7.994306 bits per byte.Optimum compression would reduce the sizeof this 4194304 byte file by 0 percent.Chi square distribution for 4194304 samples is 16726.32, and randomlywould exceed this value less than 0.01 percent of the times.Arithmetic mean value of data bytes is 127.9417 (127.5 = random).Monte Carlo value for Pi is 3.132416851 (error 0.29 percent).Serial correlation coefficient is 0.000496 (totally uncorrelated = 0.0).

$ rngtest < entropy.binrngtest 5Copyright (c) 2004 by Henrique de Moraes HolschuhThis is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.rngtest: starting FIPS tests...rngtest: entropy source drainedrngtest: bits received from input: 33554432rngtest: FIPS 140-2 successes: 1676rngtest: FIPS 140-2 failures: 1rngtest: FIPS 140-2(2001-10-10) Monobit: 0rngtest: FIPS 140-2(2001-10-10) Poker: 0rngtest: FIPS 140-2(2001-10-10) Runs: 1rngtest: FIPS 140-2(2001-10-10) Long run: 0rngtest: FIPS 140-2(2001-10-10) Continuous run: 0rngtest: input channel speed: (min=138.214; avg=1557.190; max=2119.276)Mibits/srngtest: FIPS tests speed: (min=32.660; avg=106.337; max=111.541)Mibits/srngtest: Program run time: 330110 microseconds

The dieharder random number testsuite (wikipedia,homepage) by Robert G. Brown is a great toolsetto stress-test and characterize random number generators.

Mapping results for the neoTRNG implemented within the NEORV32 RISC-V Processor using the defaultconfiguration. Results generated for an Intel CycloneEP4CE22F17C6N FPGA running at 100MHz using IntelQuartus Prime.

Module Hierarchy                                      Logic Cells    Logic Registers------------------------------------------------------------------------------------neoTRNG:neoTRNG_inst                                      56 (27)            46 (19)  neoTRNG_cell:\entropy_source:0:neoTRNG_cell_inst         8  (8)             7  (7)  neoTRNG_cell:\entropy_source:1:neoTRNG_cell_inst        10 (10)             9  (9)  neoTRNG_cell:\entropy_source:2:neoTRNG_cell_inst        14 (14)            11 (11)

The neoTRNG's maximum generation rate is defined by two factors:

• A = 2: cycles required by the de-biasing logic to output one raw random bit
• B = 64: number of raw random bits required by the sampling unit to generate one random byte

Hence, the neoTRNG requiresat leastA * B = 2 * 64 = 128 clock cycles to emit one random byte.FPGA evaluation has shown that the actual sampling time is around 300 clock cycles. Thus, animplementation running at 100 MHz can generate approximately 330kB of random data per second.Higher generation rates can be achieved by running several neoTRNG instances in parallel.

Since the asynchronous ring-oscillators cannot be rtl-simulated (due to the combinatorial loops), theneoTRNG provides a dedicated simulation mode that is enabled by theSIM_MODE generic. When enabled,a "propagation delay" implemented as simple flip flop is added to the ring-oscillator's inverters.

Thesim folder provides a simple testbench for the neoTRNGusing the default configuration. The testbench will output the obtained random data bytes as decimalvalues to the simulator console. The testbench can be simulated with GHDL by using the provided script:

neoTRNG/sim$ sh ghdl.sh../rtl/neoTRNG.vhd:105:3:@0ms:(assertion note): [neoTRNG] The neoTRNG (v3.2) - A Tiny and Platform-Independent True Random Number Generator, https://github.com/stnolting/neoTRNG../rtl/neoTRNG.vhd:112:3:@0ms:(assertion warning): [neoTRNG] Simulation-mode enabled (NO TRUE/PHYSICAL RANDOM)!182101475799470100185246203220ghdl:info: simulation stopped by --stop-time @100us

The GHDL waveform data is stored tosim/neoTRNG_tb.ghw and can be viewed usinggtkwave:

neoTRNG/sim$ gtkwave neoTRNG_tb.ghw

A simple simulation run is executed by the project'sneoTRNG-sim GitHub action workflow.

• Kumar, Sandeep S., et al. "The butterfly PUF protecting IP on every FPGA." 2008 IEEE International Workshopon Hardware-Oriented Security and Trust. IEEE, 2008.
• Tuncer, Taner, et al. "Implementation of non-periodic sampling true random number generator on FPGA."Informacije Midem 44.4 (2014): 296-302.