Description
Random Number Generators (RNGs) and especially True Random Number Generators (TRNGs) play a crucial role in cryptography implementations: they are used to generate confidential keys, initialization vectors, nonces, and random masks in countermeasures against side channel attacks. Using similar principles, Physical Unclonable Functions (PUF) are used to generate fingerprints of electronic chips, which can be used as device-specific cryptographic keys and/or to protect the devices against counterfeiting.
Although the needs are already important and tend to grow because the cryptographic key sizes will continue to increase (in order to follow the improvement in computational power but also because of implementations of new post-quantum primitives), the implementation of TRNGs in logic devices such as FPGAs or ASICs with a proved level of security remains an active research area and a challenging technological topic.
The aim of this conference is to bring together some of the best European teams whether they come from the academic world, industry or administrations in order to have a meeting of minds on the main stakes for research, to boost collaborative projects, and allow researchers to have a global and shared vision of what is done and of the strategic directions to follow.
Scientific committee
Practical infos
Program for Wednesday, November 20
-
09:00 - 09:25
David Lubicz, Introduction
-
09:30 - 10:25
Werner Schindler, BSI
Title : "New AIS 20/31"
Abstract : In the German certification scheme (Common Criteria) the evaluation guidelines AIS 20 (deterministic RNGs) and AIS 31 (physical RNGs) have been effective since 1999 and 2001, respectively. Version 3.0 of the mathematical-technical reference, often shortly denoted as AIS 20/31, has been published in September 2024.
The AIS 20/31 specifies seven functionality classes. The applicant for a certificate and the evaluation lab have to provide evidence that the requirements of the claimed functionality class are satisfied. In the presentation central features of the new AIS 20/31 are addressed. The emphasis is on physical RNGs with a focus on the stochastic model and postprocessing algorithms. -
10:25 - 10:40
Break
-
10:40 - 11:20
Grégoire Gimenez, Icalps
Title : "Some pitfalls to consider when designing a TRNG"
Abstract : Model limitation, worst-case design, noise amplification, duty cycle consideration… there are many obstacles to overcome when designing a ring oscillator based True Random Number Generator. Based on ICAlps experience in porting an innovative academic solution to an industrial product, we will discuss a few solutions to address these challenges.
-
11:20 - 12:00
Lucile Quatravaux, Antoine Christin, Thales
Title : "High-grade security TRNG - A practical application in industrial chip development"
Abstract : Thales develops cryptographic devices for the protection of sensitive data. These applications require to embed entropy sources with the highest level of assurance and proof of unpredictability as required by the most up-to-date certification standards. In this context, we therefore have to integrate state-of-the-art TRNG designs and qualification methodologies into industrial development flows. In this talk we introduce some challenges associated with the need to fulfil both industrial chip development constraints and high-grade security standard compliance for random number generation.
-
12:00 - 13:30
Lunch
-
13:30 - 14:25
John Kelsey, NIST
Title : "An overview of SP 800-90"
Abstract : In talk, we present an overview of SP 800-90, including the recent addition of SP 800-90C and our harmonization efforts with BSI.
-
14:25 - 15:05
Kevin Layat, IDQuantique
Title : "ID Quantique’s QRNG, from quantum physics to security certification"
Abstract : SP 800-90, including the recent addition of SP 800-90C and our harmonization efforts with BSI: Quantum physics, with its intrinsically probabilistic nature, proposes physical phenomena that are perfectly suited for the design of random number generators.
However, for cryptographic applications, the physical phenomenon alone is not sufficient; it is necessary to present a physical model, stochastic model in order to characterize our source and adapt its evaluation and post-processing. T he objective of this presentation is to introduce the physical phenomenon at the basis of ID Quantique’s QRNG, its physical model, and the QRNG chip architecture that enables the construction of a robust randomness generator. We will analyze this design from the perspective of various international certifications and standards such as NIST’s Entropy Source Validation (ESV), FIPS 140-3, and Common Criteria. -
15:05 - 15:20
Break
-
15:20 - 16:00
Sylvain Guilley, Secure-IC
Title : "Entropy and Reliability of the Loop-PUF"
Abstract: The Loop-PUF is a strong Physically Unclonable Function (PUF), that can be implemented from a Register Transfer Level (RTL) description. It thus enjoys a portability on several targets, such as Field Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs). Its loop structure makes it possible to trade rebuilding time for rebuilding reliability & entropy. Moreover, L-PUF is compliant to ISO/IEC 20897 and is robust against both passive (side-channel measurement) and active (fault injection) attacks. Extensive characterizations show its resilience to PVT, aging, and physical attacks. Deployment examples and use-cases will be covered as well.
-
16:00 - 16:40
Florian Pebay Peyroula, CEA
Title : "OpenTRNG: an open-source initiative for ring-oscillator based TRNGs"
Abstract: OpenTRNG initiative introduces an open-source framework for physical True Random Number Generators (TRNG), focusing on ring-oscillator-based architectures. This project offers a comprehensive toolkit comprising reference designs, emulation tools, and analytical tools aiming at facilitating the development and characterization of hardware TRNG implementations. Key components include emulators capable of simulating noisy ring oscillators and digital noise sources, hardware descriptions for FPGA implementations, and analytical tools for assessing randomness metrics such as variance, entropy and autocorrelation. By providing accessible resources and fostering collaboration within the community, OpenTRNG aims to accelerate the advancement and validation of TRNG architectures at different technology nodes and at the highest level of security. It also seeks to promote good design practices, methodology, and reproducibility in the field of random number generation.
-
16:40 - 17:20
Marco Bucci, Infineon Technologies
Title : "Chaotic Entropy Sources for a New Generation of Random Bit Generators"
Abstract : Random sequence generators must rely on physical entropy sources to be non-deterministic. Typically, these sources are based on noise sampling, such as direct sampling of electric noise (e.g., from resistors or semiconductor junc-tions) or sampling of a jittering oscillator. However, these sources, compared to pseudo-random generators, are slower, less inefficient, and, in some cases, very power-hungry. Moreover, since they exploit small noise signals, they are vulnerable to manipulation by malicious environmental perturbations (e.g., on the power supply). Chaotic sources offer a valid alternative, as they feature an exponential expansion of any perturbation and uncertainty through a “stretching and folding” mechanism of their internal state. These systems, well-known in physics, are characterized by a definable entropy rate that depends on the rate of expansion of their state’s indeterminacy, rather than the statistical distribution of perturbations and noise affecting them.
They are also intrinsically more robust, as any malicious perturbation makes them even less predictable. The inherent properties of exponential expansions make it possible, contrary to common belief, to create random sequence generators that are more than one order of magnitude more efficient than cryptographic pseudorandom generators. In fact, hundreds of Mbit/s of entropy can be produced with an area and power consumption equivalent to just a few flip-flops, while a cryptographic algorithm, with comparable performance, requires hundreds of flip-flops. Maximum entropy can therefore be achieved by applying a strong hash compression using simple non-cryptographic algorithms. In terms of reliability, it becomes possible to use multiple sources in parallel, thus applying the redundancy techniques that are state-of-the-art in all critical applications, such as communications and aerospace. These characteristics allow us to move beyond the current approach, which relies on heavy cryptographic post-processing algorithms that only mask source defects and on equally heavy online tests that only reveal malfunctions that cannot be resolved anyway, since, typically, the service cannot be interrupted and devices cannot be replaced in real-time. -
17:20 - 18:00
Raimondo Luzzi, Infineon Technologies
Title : "A Reliable Low-area Low-power PUF-based Key Generator"
Abstract : PUF technology is one of the latest developments in semiconductor security, a type of electronic fingerprint for semiconductor ICs. PUF extracts unique “secrets” from each and every IC. These secrets are used to authenticate ICs, and enable a broad range of security applications. PUFs can be embedded in all kinds of semiconductor ICs that require anti-counterfeiting and authentication functionality. Conventionally the storage of secret chip-individual keys requires embedded non-volatile memory (NVM) and a key management (to provision and store the key). PUFs can be used to dynamically generate chip-individual secret keys without need for embedded NVM. The individual key is extracted by the PUF only when used. Thus it is expected that PUFs are inherently tamper proof. An invasive (or non-invasive) physical attack will change the PUF physical characteristics, and hence preventing successful key generation.
In this work, we focused on the usage of PUFs as secure key generators and the target was the design of a reliable small footprint PUF module which can be used as key generator in a chipcard controller, as a replacement or better, in addition to an NVM stored key, as an extra security feature. Since area and power consumption are main constraints in a chip-card controller, the focus was on the design of a custom PUF cell which is inherently more reliable than a standard latch or SRAM cell, thus reducing the complexity of the error correction scheme. This results in a stable PUF response in spite of process and environmental variations thus requiring a low cost error correction algorithm in order to generate a reliable key.
Program for Thursday, November 21
-
09:00 - 09:40
Onur Günlü, Linköping University, Sweden
Title : "Physical Unclonable Functions (PUFs): Signal Processing and Information-theoretic Aspects"
Abstract : We address security and privacy challenges in digital devices, where secret keys are generated for authentication, identification, or secure computations. A physical unclonable function (PUF) is a promising solution for local security in digital devices. In this talk, we will discuss the state-of-the-art low-complexity transform-coding algorithms that make the information-theoretic analysis tractable and motivate a noisy (remote) PUF source model. We will explore the optimal trade-offs between the secret-key, privacy-leakage, and storage rates for multiple measurements of noisy PUFs. Additionally, we will discuss both optimal and low-complexity coding strategies, demonstrating that nested polar codes are optimal for secret key generation with PUFs. Recent findings on estimating the information leakage about secret keys using deep neural networks will also be presented. Finally, we will consider potential extensions of these works and discuss the industrial relevance of PUFs.
-
09:40 - 09:55
Break
-
09:55 - 10:35
Nicola Massari, Institut Bruno Kessler
Title : "SPAD-based QRNGs: an overview"
Abstract : In recent years, the interest in establishing innovative and reliable secure communication protocols has grown substantially, particularly with the forthcoming advent of quantum computers and their possible applications. The reason for this is their incredible computational capability, which can threaten and undermine traditional cryptography that has been utilized until now. Random number generators (RNG) play an important role in this context, as they provide random cryptographic keys. These keys must be generated with a high degree of unpredictability, which requires the usage of physical or true RNG (TRNG). Among the several varieties of TRNG, quantum RNG (QRNG) is a promising choice for current encryption because of the inherent unpredictable nature of quantum mechanics. This talk provides an overview of QRNGs, with a particular emphasis on SPAD-based QRNG. The presentation will show various solutions published in the literature or found in the market, some physical implementations, and future perspectives for research and the market.
-
10:35 - 11:15
Maciej Skorski, Hubert Curien Laboratory, France / University of Warsaw, Poland
Title : "On Jitter Transfer in Ring Oscillators and Comprehensive Modelling of 1/f Noises"
Abstract : Ring oscillator jitter serves as a crucial entropy source for provably secure True Random Number Generators (TRNGs). This talk addresses two gaps in the existing research. First, practical implementations use coupled oscillators (one serving as a reference clock), and their joint stochastic dynamics remain only approximately understood, potentially leading to inaccuracies in security assessment. Second, numerical challenges in quantitative modeling of low-frequency noises make the entropy source underutilized.
The first part of this talk presents an analytical solution for the relative stochastic dynamics of coupled ring oscillators, providing formal justification for the jitter transfer principle—a heuristic approach where one oscillator is assumed jitter-free while the other is jitter-compensated. These insights enable more accurate jitter estimation in multi-ring oscillator systems, improving TRNG performance (joint work with David Lubicz).
The second part presents a general and scalable framework for modeling low-frequency noises with negative power law, through Fractional Brownian Motion and forecasting properties of Gaussian Processes, inspired by the pioneering work of atomic clock physicists D.W. Allan and J.A. Barnes.
-
11:15 - 12:05
Benjamin Malthiery, 3D-Oxides
Title : "PUF based on multifunctional oxide thin films"
Abstract : Physical unclonable functions are presented as efficient solutions to ensure the security of constrained connected objects. We focus here on a construction based on multifunctional oxide thin films. From a theoretical point of view, it offers a significant capacity of diversification, thanks to the multiple properties of the oxides, making it more complex to obtain a physical clone or a mathematical model. In practice, however, such a construction requires an integrated solution capable of generating the challenges to be applied and measuring the corresponding property. Shared results are based on the study of the transmittance of various thin films using a platform consisting of a Raspberry Pi board, a camera module and an OLED screen.
-
12:05 - 13:30
Lunch
-
13:30 - 14:10
Torsten Schuetze, Rohde-Schwartz, Germany
Title : "Binning, Generalized von Neumann and XOR, von Neumann procedure – Digitization and mathematical post-processing in (Q)RNGs"
Abstract : There exists a rich theory and praxis about common post-processing methods in True Physical Random Number Generators, but all / most methods are considered for independent and identically (iid) distributed bits. So, we all know, that for iid and biased bits, the (Generalized) von Neumann procedure removes the bias completely, while pairwise XOR only leads to quadratic damping.
In this contribution, we talk about our experiences with well-known digitization and post-processing methods in case of dependencies and perturbations. All results reported are from practical RNG evaluations, when things aren’t going so well.
Specifically, we consider binning – equidistant subdivision of the cumulative distribution function – as a means for getting from normally distributed sample values to uniformly distributed numbers. Another method to go from an almost arbitrary, but independent, distribution of sample values to uniformly distributed bits working with differences of consecutive, but non-overlapping pairs of sample values is the Generalized von Neumann procedure. We illuminate both methods in case of perturbations, e.g., non-exact normal distributions. Binning as well as Generalized von Neumann procedure can be considered as part of the digitization process.
When we have already independent and identically distributed bits that still have a small bias ϵ≔P(b_j=1)-0.5, then known mathematical post-processing techniques come into play as there are: XOR, von Neumann anti-biasing procedure, Peres / Generalized von Neumann procedure, length of runs methods, optimal XOR constructions, resilient functions, etc. We applied two of them, namely XOR with two or four bits and von Neumann procedure, to real data. Unfortunately, these data showed under some environmental conditions some dependencies, characterized by a higher correlation coefficient.
In theory, for biased, but otherwise iid bits, the von Neumann procedure should outperform the XOR of two or four bits. In practice, with correlation, we saw satisfactory results for XOR with four bits, only.
Unfortunately, the exact probability distribution of the XOR of two or four bits is not easy to calculate exactly, even in the case of one-step dependent Bernoulli experiments. -
14:10 - 14:50
Patrick Haddad, RAMBUS
Title : "Random numbers for Security Applications in Industrial Context"
Abstract : At Rambus, we produce industry-leading chips and silicon IP making data faster and safer. Our products and innovations enable critical performance improvements for data centers and other growing markets. Rambus solutions improve data bandwidth, capacity and security from cloud to consumer.
Random Number Generators are key IPs in the broad portfolio of cryptographic hardware accelerators offered by Rambus.
This talk is an opportunity for one of Rambus experts to share an analysis of the literature available on this topic for several decades, and to discuss opportunities opened by recently published works. -
14:50 - 15:05
Break
-
15:05 - 15:45
Johannes Mittmann, BSI
Title : "Post-processing algorithms for Markov chain models"
(based on joint work with Maciej Skórski)Abstract : Post-processing algorithms are usually applied to the raw random output of physical noise sources to increase the entropy per data bit. To demonstrate that a post-processing algorithm is appropriate for a given noise source, an entropy lower bound for the post-processed bits can be proven based on a stochastic model for the raw random numbers. For IID models, several efficient post-processing algorithms are known in the literature.
In this talk, we analyze the effects of known post-processing algorithms on sample paths of binary Markov chains and prove entropy lower bounds for the post-processed bits. -
15:45 - 16:25
Milos Grujic, KU Leuven
Title : "Advancing Secure Randomness: Challenges and Innovations in TRNG and PUF Design"
Abstract : This talk will explore the critical challenges in the design and implementation of TRNGs and PUFs in the context of modern secure hardware. We will discuss novel approaches to enhancing the stability and reliability of PUFs - soft oxide breakdown and resistive-RAM technologies, which could offer promising entropy sources. Additionally, we will also address vulnerabilities of PUFs, such as the susceptibility to cryptanalysis and side-channel attacks.
On the TRNG front, we will cover recent developments in oscillator-based designs, addressing the challenges of phase noise characterization. We will also explore algorithmic post-processing techniques and their
hardware-efficient architectures, which are essential for maximizing the security and throughput of TRNGs. Finally, the talk will touch on the ongoing quest for verifiability in TRNGs and whether similar principles to those used in quantum random number generators can be applied to ensure trust in classical TRNG designs. -
16:25 - 17:05
Florent Bernard, Hubert Curien Laboratory
Title : "Low cost and precise jitter measurement method: application to ERO and PLL-based TRNGs"
Abstract : Assessing the quality of a TRNG is an important issue to guarantee security of cryptographic systems in hardware.
In modern approaches (e.g., AIS 20/31), a parameterized stochastic model of the generator is required as it serves to compute a minimum bound of the TRNG output entropy rate. Usually, the local thermal noise causing the phase instability of a clock signal is used as a source of randomness. Its size is an important parameter of the stochastic model.
It must therefore be measured as accurately as possible in order to avoid any overestimation of the output entropy rate.
In this talk, we propose an embeddable, accurate and conservative jitter measurement method, which can serve to evaluate the jitter component coming from the thermal noise.
We first give some examples of its use on an elementary ring oscillator-based TRNG (ERO-TRNG). Moreover, we show that this method can be adapted to other types of oscillators.
We show that the method is particularly interesting when applied on the PLL-based TRNG (work in progress).
Part of the European Cyber Week 2024
The RNG and PUF conference is featured on the program of the European Cyber Week 2024.