CN113760221B - True random number generator based on physical unclonable function and related method - Google Patents
True random number generator based on physical unclonable function and related method Download PDFInfo
- Publication number
- CN113760221B CN113760221B CN202110578028.3A CN202110578028A CN113760221B CN 113760221 B CN113760221 B CN 113760221B CN 202110578028 A CN202110578028 A CN 202110578028A CN 113760221 B CN113760221 B CN 113760221B
- Authority
- CN
- China
- Prior art keywords
- seed
- random number
- entropy
- circuit
- preliminary
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000006870 function Effects 0.000 claims description 101
- 238000012360 testing method Methods 0.000 claims description 88
- 230000036541 health Effects 0.000 claims description 17
- 230000004044 response Effects 0.000 claims description 10
- 238000005070 sampling Methods 0.000 claims description 9
- 230000000737 periodic effect Effects 0.000 claims description 8
- 230000010355 oscillation Effects 0.000 claims description 7
- 101100453289 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) JSN1 gene Proteins 0.000 description 11
- 238000010586 diagram Methods 0.000 description 9
- 101100138725 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) PUF2 gene Proteins 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 230000003068 static effect Effects 0.000 description 4
- 235000012431 wafers Nutrition 0.000 description 4
- 230000002411 adverse Effects 0.000 description 2
- 230000001186 cumulative effect Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 239000011159 matrix material Substances 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000000704 physical effect Effects 0.000 description 2
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000010899 nucleation Methods 0.000 description 1
- 230000003595 spectral effect Effects 0.000 description 1
- 238000001228 spectrum Methods 0.000 description 1
- 238000000528 statistical test Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/58—Random or pseudo-random number generators
- G06F7/588—Random number generators, i.e. based on natural stochastic processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Physics (AREA)
- Computational Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Semiconductor Integrated Circuits (AREA)
- Seasonings (AREA)
- Saccharide Compounds (AREA)
- Adhesives Or Adhesive Processes (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a true random number generator based on a Physical Unclonable Function (PUF) and a method for generating the true random number. The PUF-based random number generator may include a first garbled circuit, a cryptographic circuit coupled to the first garbled circuit, and a second garbled circuit coupled to the cryptographic circuit. The first obfuscation circuit takes a first PUF value from a pool of PUFs of the electronic device and performs a first obfuscation function on a preliminary seed based on the first PUF value to produce a final seed. The cryptographic circuit uses the final seed as a key for a cryptographic function to generate a plurality of preliminary random numbers. The second obfuscation circuit takes a second PUF value from the pool of PUFs and performs a second obfuscation function on the plurality of preliminary random numbers based on the second PUF value to generate a plurality of final random numbers. The invention can improve the security and output randomness of the true random number generator based on the physical unclonable function.
Description
Technical Field
The present invention relates to a true random number generator, and more particularly, to a true random number generator based on a physically unclonable function and a method for generating a true random number.
Background
The physical uncloneable function may be considered as a fingerprint on the wafer, since the physical properties of different wafers may be slightly different due to some uncontrollable factors in the manufacturing process, which cannot be copied or predicted, and thus may be used as a static entropy (entopy) value for security related applications. In some related art, a pool of physically unclonable functions requires memory space in an electronic device, and in particular, in order to improve randomness of output values based on the physically unclonable functions, the hardware resources required are correspondingly increased. Thus, there is a need for a novel architecture and associated method to improve the output randomness of a true random number generator based on physically unclonable functions without or with less adverse effects.
Disclosure of Invention
It is therefore an object of the present invention to provide a true random number generator based on physically unclonable functions and a method for generating true random numbers to improve the overall performance of a true random number generator based on physically unclonable functions without significantly increasing the overall hardware cost.
At least one embodiment of the invention provides a true random number generator for an electronic device based on a physically uncloneable function (Physical Unclonable Function, PUF). The physically unclonable function-based true random number generator may include a first garbled circuit, a crypto circuit coupled to the first garbled circuit, and a second garbled circuit coupled to the crypto circuit. The first confusion circuit is used for obtaining a first physical unclonable function value from a physical unclonable function pool of the electronic device, and performing a first confusion function on a preliminary seed based on the first physical unclonable function value to generate a final seed. The cryptographic circuit is configured to generate a preliminary random number sequence using the final seed as a key for a cryptographic function. The second confusion circuit is configured to obtain a second physical uncloneable function value from the pool of physical uncloneable functions, and perform a second confusion function on the preliminary random number sequence based on the second physical uncloneable function value to generate a final random number sequence.
At least one embodiment of the present invention provides a method for generating true random numbers, wherein the method is applicable to an electronic device. The method may comprise: performing a first obfuscation function on a preliminary seed based on a first physical uncloneable function value using a first obfuscation circuit to generate a final seed; using a cryptographic circuit to use the final seed as a key of a cryptographic function to generate a preliminary random number sequence; and performing a second obfuscation function on the preliminary random number sequence based on a second physical uncloneable function value using a second obfuscation circuit to generate a final random number sequence. In particular, the first physical uncloneable function value and the second physical uncloneable function value are obtained from a pool of physical uncloneable functions of the electronic device.
Embodiments of the present invention provide a true random number generator based on physically unclonable functions and associated methods that can improve overall performance with various features such as cryptographic functions (e.g., good security, and good pseudo-randomness), dynamic entropy (e.g., providing "live" entropy to the system, particularly the electronic device), and static entropy (e.g., physically unclonable functions, which may be considered as fingerprints on a chip). Thus, embodiments of the present invention can improve the security and output randomness of a true random number generator based on physically unclonable functions without or with less adverse effects.
Drawings
Fig. 1 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 2 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 3 is a schematic diagram of an electronic device according to another embodiment of the invention.
Fig. 4 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the invention.
FIG. 6 is a workflow of a method for generating true random numbers according to an embodiment of the invention.
Wherein reference numerals are as follows:
10. 20, 40, 50 electronic device
15. Physical unclonable function pool
100. 200, 400, 500 true random number generator based on a pool of physically unclonable functions
110. Confusion circuit
120. Cipher circuit
130. Confusion circuit
140. Entropy circuit
141. Oscillator
142. Exclusive OR logic circuit
143. Multi-path selector
144. Entropy collector
145. Selective entropy collector
150. Nonvolatile memory
160. Health test circuit
170. Multi-path selector
180. Demultiplexer
PUF1, PUF2 physical uncloneable function value
SEED DYN Dynamic entropy seed
SEED NVM Nonvolatile memory seed
SEED PRE Preliminary seed
SEED FINAL Final seed
{RN PRE Preliminary random number sequence
{RN FINAL Final random number sequence
TEST results
610. 620, 630, 640, 650 steps
Detailed Description
Fig. 1 is a schematic diagram of an electronic device 10 according to an embodiment of the present invention, wherein the electronic device 10 may include a pool of physically uncloneable functions (Physical Unclonable Function, PUFs) 15, and a PUF-based true random number generator 100 coupled to the pool of PUFs 15. As shown in fig. 1, the PUF-based true random number generator 100 may include a first obfuscation (obfuscation) circuitSuch as garbled circuit 110, a crypto circuit 120, and a second garbled circuit, such as garbled circuit 130, wherein garbled circuit 120 is coupled to garbled circuit 110 and garbled circuit 130 is coupled to garbled circuit 120. In the present embodiment, the obfuscating circuit 110 may take a first PUF value, such as PUF value PUF1, from the pool of PUFs 15 and perform a first obfuscating function on a preliminary SEED based on the PUF value PUF1 to generate a final SEED FINAL . The cryptographic circuit 120 may be used to utilize a final SEED FINAL A key (key) as a cryptographic function to generate a preliminary random number sequence { RN }, a key (key) PRE }. For example, the cryptographic circuit 120 may perform a cryptographic algorithm of DES, AES, RSA or MD 5. The obfuscation circuit 130 may take a second PUF value, such as PUF value PUF2, from the pool of PUFs 15 and based on the PUF value PUF2 pair the preliminary random number sequence { RN } PRE Performing a second confusion function to generate a sequence of final random numbers { RN } FINAL -wherein the final random number sequence { RN } FINAL Each random number in the sequence may be used as an output random number for the PUF-based true random number generator 100, if desired.
In the present embodiment, the PUF-based true random number generator 100 may further include an entropy (entropy) circuit 140 for providing an entropy SEED such as a dynamic entropy SEED DYN As the preliminary seed. For example, entropy circuit 140 may include at least one oscillator for outputting a plurality of random single bit (bit, also referred to as "bit") values. In detail, the oscillator is capable of generating a periodic signal that varies between a logic value "0" and a logic value "1" at an oscillation frequency, and the value of the periodic signal is sampled at a sampling frequency (e.g., by a sampler built at an output terminal of the oscillator, wherein the sampler is controlled by the sampling frequency) to output the plurality of random single-bit values, wherein the sampling frequency is different from the oscillation frequency (e.g., the sampling frequency may be lower than the oscillation frequency). Because of factors such as temperature, noise, etc., the logic values "1" and "0" generated by the periodic signal are sampled in a random manner so that the logic values"1" and a logical value of "0" appear randomly in the plurality of random single bit values. In addition, the physical properties of the different wafers may have slight differences due to some uncontrollable factors in the manufacturing process, which cannot be replicated or predicted, and the differences may be reflected on the PUF values (e.g. PUF1 and PUF 2) in the PUF pool 15 of the electronic device 10. These PUF values can thus be regarded as fingerprints on a wafer, while in this embodiment they provide static entropy. In some embodiments, the first PUF value may be different from the second PUF value (e.g., puf1+notepuf2).
To determine whether a random number sequence is available, the random number sequence requires certain test items defined by the national institute of standards and technology (National Institute of Standards and Technology, NIST) -800-22. Although based on dynamic entropy SEED generated by an oscillator SEED DYN With a certain degree of randomness, but dynamic entropy SEED DYN It may still be difficult to pass all of the test items of NIST-800-22. For example, dynamic entropy SEED DYN Perhaps through binary matrix rank test (binary matrix rank test), non-overlapping template matching test (non-overlapping template matching test), linear complexity test (linear complexity test), and random offset variation test (randomexcursion variant test), but may not be able to pass frequency tests such as single bit test (monobit test), intra-block frequency test (frequency within a block test), run test (run test), intra-block run time longest test (longest run ones in a block test), discrete fourier transform test (discrete Fourier transformtest) such as discrete fourier transform spectrum test (discrete Fourier transform spectral test), overlapping template matching test (Overlapping template matching test), ma You early universal statistics test (Maurer's universal statistical test), serial test (serial test), approximate entropy test, cumulative sum test (cumulative sums test), and random offset test (random excursion test). However, after processing by the garbled circuit 110 and the cryptographic circuit 120, the preliminary random sequence { RN } PRE All of the above can be passedTest items. The frequency (single bit) test is used to detect whether the probabilities of occurrence of "0" and "1" are close to each other, the series of tests is used to detect whether the longest continuous "0" and the longest continuous "1" are reasonable (e.g., below a predetermined threshold), and the non-overlapping pattern matching test is used to detect whether the repetition pattern of a random number sequence is reasonable (e.g., to determine whether the pattern is repeated regularly or randomly). Since these test items are defined in the well-known NIST-800-22 standard, those of ordinary skill in the art will understand the meaning of these test items, and the details are not described here for brevity.
In this embodiment, any of the first obfuscation function and the second obfuscation function (e.g., each) may include an addition operand (e.g., an addition operation), a multiplication operand (e.g., a multiplication operation), a permutation (permutation), a substitution (underposition), a one-way function, an encryption (encryption), or a combination thereof. For example, either one (e.g., each) of the garbling circuits 110 and 130 may be exclusive-OR (XOR) logic circuits to implement an additive arithmetic function. Those of ordinary skill in the art will understand how to implement logic circuits corresponding to the other types of obfuscation functions described above, and the details are not described here for brevity. In some embodiments, the first aliasing function may be the same as the second aliasing function (e.g., the aliasing circuits 110 and 130 may be implemented by the same type of logic circuit). In some embodiments, the first obfuscation function may be different from the second obfuscation function (e.g., obfuscation circuits 110 and 130 may be implemented by different types of logic circuits). When each of the garbled circuits 110 and 130 is a exclusive or logic circuit, garbled circuit 110 SEEDs SEED for dynamic entropy DYN Exclusive OR operation with PUF value PUF1 to produce final SEED FINAL The aliasing circuit 130 performs aliasing on the primary random number sequence { RN } PRE Exclusive OR operation with PUF value PUF2 to generate final random number sequence { RN } FINAL }。
In an embodiment, the garbling circuit 110 may SEED the preliminary SEED, such as a dynamic entropy SEED DYN Spliced with PUF value PUF1 (conestablishment), for example, by sequentially arranging dynamic entropy SEED DYN And PUF value PUF1 to produce the final SEED FINAL . For example, assume a dynamic entropy SEED DYN For an M-bit digital value and a PUF value PUF1 for an N-bit digital value, the garbling circuit 110 may SEED the dynamic entropy DYN SEED as final SEED FINAL The first M bits and additionally the PUF value PUF1 as final SEED FINAL To produce a final SEED of m+n bits FINAL 。
In one embodiment, the cryptographic function may include a ciphertext function (e.g., stream cipher) such as Trivium cipher or hash function (hash function). When a specific key (e.g. the final SEED FINAL ) Is input to the cipher circuit 120, a corresponding bit stream is output and the bit stream has good security and good pseudo-randomness. If the key is unchanged at each power-up of the electronic device 10, the corresponding bit stream is also unchanged at each time. To further improve security and randomness, the key used by the cryptographic circuit 120 may be dynamic. Due to the final SEED FINAL Is based on dynamic entropy SEED DYN And a preliminary random number sequence { RN } generated by the PUF value PUF1 PRE The use of dynamic entropy seeds with PUF values PUF1 may be carried with the benefit of improving security and randomness. Furthermore, even if the cryptographic function is implemented by well known methods or standards, it is still difficult for a person of ordinary skill in the art to derive from the final random number sequence { RN ] FINAL Backtracking to decrypt the cryptographic function (decipher) because of the final output (i.e., { RN FINAL }) are generated by the garbling circuit 130 based on the unpredictable PUF value PUF 2. Thus, the final random number sequence { RN } FINAL The security performance of the is further improved. It should be noted that the cryptographic functions are not limited to a specific type of cryptographic functions, but that some well-known algorithms can also be employed for the cryptographic functions of the present invention.
FIG. 2 is a schematic diagram of an electronic device 20 according to an embodiment of the invention, in which the electronic device is an electronic deviceThe device 20 may comprise a pool of PUFs 15, and a PUF-based true random number generator 200 coupled to the pool of PUFs 15. The embodiment of fig. 2 is similar to that of fig. 1, but the main difference is that the PUF-based true random number generator 200 may comprise a non-volatile memory (NVM) 150 (labeled "NVM" in the figure for simplicity) for providing the preliminary SEED, in particular a non-volatile memory SEED (NVM SEED) SEED stored in the non-volatile memory 150 NVM As the preliminary seed. In addition, a feedback random number may be written to non-volatile memory 150 at one or more predetermined points in time to update the NVM SEED stored in non-volatile memory 150 NVM . In one embodiment, the feedback random number may be derived from a preliminary random number sequence { RN } PRE Acquired as shown in fig. 2. In another embodiment, the feedback random number may be derived from the final random number sequence { RN } FINAL Acquired as shown in fig. 3. Similar to the embodiment of fig. 1, the final random number sequence { RN } FINAL Each random number in the sequence may be used as an output random number of the PUF-based true random number generator 200, if desired.
Note that the NVM SEED stored in non-volatile memory 150 is updated NVM Is not limiting of the invention. For example, the feedback random number may be a preliminary random number sequence { RN } PRE Sequence of { RN } or final random numbers FINAL The first random number after powering on the electronic device 20, and once the first random number is generated, the first random number may be written into the nonvolatile memory 150. As another example, the feedback random number may be written to the non-volatile memory 150 every predetermined time interval to update the NVM SEED NVM . For another example, when the electronic device 20 receives the power-off command, the feedback random number may be a preliminary random number sequence { RN } PRE Sequence of { RN } or final random numbers FINAL The latest random number after the electronic device 20 is powered on, which may be written into the non-volatile memory 150 to update the NVM SEED before the electronic device 20 is powered off NVM 。
Fig. 4 is a schematic diagram of an electronic device 40 according to an embodiment of the invention. As shown in fig. 4, the electronic device 40 may include the PUF pool 15, and a PUF-based true random number generator 400 coupled to the PUF pool 15, wherein the PUF-based true random number generator 400 may be considered as a combination of the PUF-based true random number generator 100 shown in fig. 1, the PUF-based true random number generator 200 shown in any one of fig. 2 and 3, and one or more additional circuits. Specifically, the PUF-based true random number generator 400 may include the garbling circuit 110, the cryptographic circuit 120, the aliasing circuit 130, the entropy circuit 140, and the nonvolatile memory 150 mentioned in the above embodiments, and may further include a test circuit such as a health test circuit 160, and a Multiplexer (MUX) 170 (labeled "MUX" in the figure for simplicity). In the present embodiment, the health test circuit 160 is coupled to the entropy circuit 140, and the multiplexer 170 is coupled to the entropy circuit 140, the nonvolatile memory 150 and the health test circuit 160. For example, health test circuit 160 may be used to test a dynamic entropy SEED DYN (or any data/signals related to the operation of the entropy circuit 140) to generate a TEST result TEST, in particular the health TEST circuit 160 is a TEST for dynamic entropy SEEDs DYN A health TEST is performed and the multiplexer 170 is operable to SEED from dynamic entropy in response to the TEST result TEST DYN SEED with NVM SEED NVM One of them is selected for use as the preliminary SEED (e.g. SEED PRE ) Is output to the garbled circuit 110.
Specifically, when the TEST result TEST indicates that the entropy circuit 140 is in a healthy state, the multiplexer 170 may select the dynamic entropy SEED DYN As a preliminary SEED PRE When the TEST result TEST indicates that the entropy circuit 140 is in an unhealthy state, the multiplexer 170 may select the NVM SEED NVM As a preliminary SEED PRE . For example, the health test circuit 160 can collect a certain number of random single bit values as a set of data from the oscillator in the entropy circuit 140 once every predetermined time interval. If the health test circuit 160 detects a logical value "0" (or logical value "1") in a set of dataThe coverage falls within a predetermined range (e.g., from 20% to 80%), the health TEST circuit 160 may output a TEST result TEST with a first logic state (e.g., "0") to indicate that the entropy circuit 140 is "healthy", and the multiplexer 170 may select the dynamic entropy SEED DYN As a preliminary SEED PRE . If the health TEST circuit 160 detects that the coverage of a logical value "0" (or logical value "1") within a set of data does not fall within the predetermined range (e.g., greater than a predetermined upper limit such as 80% or less than a predetermined lower limit such as 20%), the health TEST circuit 160 may output a TEST result TEST with a second logical state (e.g., "1") to indicate that the entropy circuit 140 is "unhealthy", and the multiplexer 170 may select the NVM SEED NVM As a preliminary SEED PRE . It should be noted that the detailed operation associated with the at least one test is for illustrative purposes only and is not limiting, as one or more of the test items defined by NIST-800-22 standard, for example, can also be employed for the at least one test.
In some cases, either of the entropy circuitry 140 and the non-volatile memory 150 may be at risk of being hacked/hacked (hack) or corrupted from outside the electronic device 40, resulting in security issues. Since the garbled circuit 110 has two sources for obtaining the preliminary SEED PRE If one of the entropy circuit 140 and the non-volatile memory 150 is hacked/hacked or corrupted, the other can be replaced to provide a preliminary SEED PRE . Thus, the robustness and security performance of the PUF-based true random number generator 400 is improved.
In some embodiments, the health test circuit 160 may be omitted and the multiplexer 170 may be capable of seeding the SEED with dynamic entropy in response to another control signal DYN SEED with NVM SEED NVM One of them is selected to be outputted as a preliminary SEED PRE Wherein this control signal can be retrieved from outside the electronic device 40. For example, by controlling the logic state of this control signal, the user can manually control the multiplexer 170 to SEED from dynamic entropy DYN SEED with NVM SEED NVM Selecting one of themFor being output as a preliminary SEED PRE While the health test circuit 160 may be omitted, the present invention is not limited thereto.
Fig. 5 is a schematic diagram of an electronic device 50 according to an embodiment of the invention. As shown in fig. 5, the electronic device 50 may include the PUF pool 15 and a PUF-based true random number generator 500 coupled to the PUF pool 15, wherein the PUF-based true random number generator 500 may be regarded as an example of the PUF-based true random number generator 400 shown in fig. 4, and the health test circuit 160 is not shown in fig. 5 for simplicity. Specifically, fig. 5 shows implementation details of entropy circuit 140. In the present embodiment, the entropy circuit 140 may include an oscillator 141 and a collecting circuit such as a selective entropy collector (selective entropy collector) 145 coupled to the oscillator 141, wherein the oscillator 141 may be used to output a random control bit SEL (e.g., each of the random single bit values) and the selective entropy collector 145 may determine whether to resort to a feedback random number RN in response to the random control bit SEL FB Updating dynamic entropy SEED DYN . In the embodiment of fig. 5, a random number RN is fed back FB Is a self-final random number sequence { RN } FINAL Obtained, but the invention is not limited thereto. In certain embodiments, the random number RN is fed back FB Is a self-preliminary random number sequence { RN } PRE Obtained, but the invention is not limited thereto. In detail, the selective entropy collector 145 may include a third aliasing circuit such as exclusive OR logic 142 (labeled as "XOR" in the figure for simplicity), a multiplexer 143 (labeled as "MUX" in the figure for simplicity) coupled to the oscillator 141 and the exclusive OR logic 142, and an entropy collector 144 coupled to the multiplexer 143 and the exclusive OR logic 142. For example, a third garbling circuit such as exclusive OR logic 142 may be used to base the feedback random number RN FB SEED for dynamic entropy DYN A third obfuscation function, such as a exclusive or operation, is performed to generate an updated entropy seed, and multiplexer 143 is operable to select one of the pre-update entropy seed (i.e., the entropy seed from the output of entropy collector 144) and the updated entropy seed in response to random control bit SEL,to output a latest entropy SEED (e.g. dynamic entropy SEED DYN The latest version of (c). Furthermore, the entropy collector 144 may receive and output the latest entropy SEED as a dynamic entropy SEED DYN And dynamic entropy SEED DYN Is a feedback entropy seed to be transmitted to the multiplexer 143 and the exclusive-or logic 142. Thus, exclusive OR logic 142 performs the exclusive OR operation to generate the updated entropy SEED (which is a dynamic entropy SEED DYN And feeding back a random number RN FB Exclusive or result of (a), and the multiplexer 143 may SEED the updated entropy or the pre-updated dynamic entropy SEED according to the random control bit SEL DYN Output to the entropy collectors 144, wherein the entropy collectors 144 may be implemented by flip-flops (flip-flop), although the invention is not limited thereto. Since the random control bit SEL is randomly switched between logic states "0" and "1", the dynamic entropy SEED is updated DYN Can be randomly performed. For example, when the random control bit SEL is "0", the dynamic entropy SEED DYN Will not change; and when the random control bit SEL is "1", the dynamic entropy SEED DYN Will be updated. It should be noted that exclusive OR logic 142 is not limiting on the implementation of the third garbling circuit, in which the dynamic entropy SEED can be changed DYN Any logic circuit within (a) falls within the scope of the present invention.
In the embodiment of FIG. 5, when multiplexer 170 selects the NVM SEED NVM And the multiplexer 143 selects the updated entropy SEED, the dynamic entropy SEED DYN Can be based on NVM SEED NVM Is generated. In detail, when the multiplexer 170 selects the NVM SEED NVM As a preliminary SEED PRE At the time, the random number RN is fed back FB Is based on the preliminary SEED PRE Generating (representing feedback random number RN) FB Is based on NVM SEED NVM Generated) and exclusive or logic 142 based on the feedback random number RN FB The exclusive OR result is generated. Then, the multiplexer 143 outputs the exclusive OR result as the updated entropy seed due to the updated entropy seedIs based on NVM SEED NVM Generated, therefore, the entropy collector 144 can rely on the NVM SEED NVM Generating dynamic entropy SEED DYN 。
In addition, the embodiment of FIG. 5 is not limiting of the invention. In certain embodiments, the entropy circuit 140 shown in fig. 1 and 4 may be implemented by different architectures. For example, entropy circuit 140 may include an oscillator operable to output a plurality of random single bit values and a collection circuit coupled to the oscillator operable to collect the random single bit values to generate dynamic entropy SEED DYN (e.g., by concatenating, such as sequentially arranging, a predetermined number of random single bit values from the random single bit values to produce a dynamic entropy SEED DYN ) But the present invention is not limited thereto.
Furthermore, the final random number sequence { RN } FINAL Each final random number in the sequence is preferably transferred to only one object. For example, the PUF-based true random number generator 500 may further include a de-multiplexer (DEMUX) 180 (labeled "DEMUX" in the figures for simplicity) coupled to the garbled circuit 130. In this embodiment, the final random number sequence { RN } FINAL There may be three possible paths including a first path for providing an output random number to the external of the PUF-based true random number generator 500, a second signal path for updating the NVM SEED NVM And a third signal path for updating the dynamic entropy SEED DYN Wherein the demultiplexer 180 controls that only one of these signal paths is enabled (enabled) at a single point in time. Thus, from the final random number sequence { RN } FINAL Any single final random number taken is not reused by different elements, so the security of the PUF-based true random number generator 500 can be ensured. For example, the final random number sequence { RN } FINAL The first final random number after powering up the electronic device 50 may be written to the non-volatile memory 150 (e.g., the first operation cycle of the second signal path after powering up the electronic device 50 is enabled); then, in the NVM SEED stored in the non-volatile memory 150 NVM After being updated, the second signal path is disabled and the third signal path is enabled; the first signal path is enabled only when another element in the electronic device 50 requests a random number. It should be noted that the above-mentioned enabling of the first signal path, the second signal path and the third signal path is for illustrative purposes only and is not a limitation of the present invention.
Fig. 6 is a workflow of a method for generating true random numbers according to an embodiment of the present invention, wherein the method is applicable to an electronic device such as the electronic devices 10, 20, 40 and 50 shown in fig. 1-5. It should be noted that the workflow shown in fig. 6 is for illustration purposes only and is not limiting of the present invention. One or more steps may be added, deleted, or modified within the workflow shown in fig. 6 as long as the overall results are not affected, and the steps do not have to be performed entirely in the order shown in fig. 6.
In step 610, the garbled circuit 110 obtains a first PUF value (e.g., PUF 1) from the pool of PUFs 15.
In step 620, the garbling circuit 110 pairs a preliminary SEED (e.g. SEED) based on the first PUF value (e.g. PUF 1) PRE ) Performing a first obfuscation function to generate a final SEED (e.g. SEED FINAL )。
In step 630, the cryptographic circuit 120 uses the final SEED (e.g., SEED FINAL ) A key used as a cryptographic function to generate a preliminary random number sequence (e.g., { RN PRE })。
In step 640, the garbling circuit 130 obtains a second PUF value (e.g., PUF 2) from the pool of PUFs 15.
In step 650, the obfuscation circuit 130 performs a predetermined processing on the preliminary random number sequence (e.g., { RN }, based on the second PUF value (e.g., PUF 2) PRE -performing a second obfuscation function (e.g., exclusive or) to generate a final random number sequence (e.g., { RN } FINAL })。
The true random number generator based on the PUF and the related method can control related operations by matching the characteristics of the password function, the dynamic entropy and the static entropy. In addition, the invention can reduce the size requirement of the PUF pool without reducing randomness and security. The invention thus enables to improve the overall performance of a true random number generator based on PUFs without side effects or with less side effects.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (20)
1. A physically unclonable function-based true random number generator for an electronic device, the physically unclonable function-based true random number generator comprising:
a first obfuscating circuit configured to obtain a first physical uncloneable function value from a pool of physical uncloneable functions of the electronic device, and perform a first obfuscating function on a preliminary seed based on the first physical uncloneable function value to generate a final seed;
a cryptographic circuit coupled to the first garbled circuit for generating a preliminary random number sequence using the final seed as a key for a cryptographic function; and
a second obfuscation circuit coupled to the cryptographic circuit, for obtaining a second physical uncloneable function value from the pool of physical uncloneable functions, and performing a second obfuscation function on the preliminary random number sequence based on the second physical uncloneable function value to generate a final random number sequence.
2. The physically unclonable function based true random number generator of claim 1, wherein the first garbled circuit concatenates the preliminary seed with the first physically unclonable function value to produce the final seed.
3. The physically unclonable function based true random number generator of claim 1, wherein the physically unclonable function based true random number generator further comprises an entropy circuit to provide the preliminary seed, and the entropy circuit comprises:
an oscillator for outputting a plurality of random single bit values; and
a collection circuit for collecting the plurality of random single bit values to generate the preliminary seed.
4. The physically unclonable function based true random number generator of claim 1, further comprising a non-volatile memory to provide the preliminary seed, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the preliminary seed stored in the non-volatile memory, and the feedback random number is derived from the preliminary random number sequence or the final random number sequence.
5. The physically unclonable function based true random number generator of claim 1, further comprising:
an entropy circuit for providing an entropy seed;
a non-volatile memory for providing a non-volatile memory seed, wherein a feedback random number is written into the non-volatile memory at one or more predetermined time points to update the non-volatile memory seed stored in the non-volatile memory, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence;
a testing circuit, coupled to the entropy circuit, for testing the entropy seed to generate a test result; and
and a multiplexer, coupled to the entropy circuit, the nonvolatile memory and the test circuit, for selecting one of the entropy seed and the nonvolatile memory seed for outputting as the preliminary seed in response to the test result.
6. The physically unclonable function based true random number generator of claim 5, wherein the test circuit tests the degree of health of the entropy seed, the multiplexer selecting the entropy seed as the preliminary seed when the test result indicates that the entropy circuit is in a healthy state, and the multiplexer selecting the nonvolatile memory seed as the preliminary seed when the test result indicates that the entropy circuit is in a non-healthy state.
7. The physically unclonable function based true random number generator of claim 1, wherein the physically unclonable function based true random number generator further comprises an entropy circuit to provide an entropy seed, and the entropy circuit comprises:
an oscillator for outputting a random control bit; and
a collection circuit coupled to the oscillator, wherein the collection circuit determines whether to update the entropy seed by means of a feedback random number in response to the random control bit, and the feedback random number is derived from the preliminary random number sequence or the final random number sequence.
8. The physically unclonable function based true random number generator of claim 7, wherein the collection circuit comprises:
a third obfuscation circuit configured to perform a third obfuscation function on the entropy seeds based on the feedback random number to generate updated entropy seeds; and
a first multiplexer, coupled to the oscillator, for selecting one of the entropy seeds before updating and the entropy seeds after updating in response to the random control bit to output a latest entropy seed.
9. The physically unclonable function based true random number generator of claim 8, wherein the physically unclonable function based true random number generator further comprises:
a nonvolatile memory for providing a nonvolatile memory seed, wherein the feedback random number is written into the nonvolatile memory at one or more predetermined time points to update the nonvolatile memory seed stored in the nonvolatile memory; and
a second multiplexer, coupled to the non-volatile memory and the collection circuit, for selecting one of the non-volatile memory seed and the entropy seed as the preliminary seed;
wherein when the second multiplexer selects the non-volatile memory seed, the feedback random number is generated based on the non-volatile memory seed, and the updated entropy seed is generated based on the feedback random number.
10. The physically unclonable function based true random number generator of claim 1, wherein the physically unclonable function based true random number generator further comprises an entropy circuit for providing the preliminary seed, and the entropy circuit comprises:
an oscillator for outputting a plurality of random single bit values, wherein the oscillator generates a periodic signal that varies between a first logic value and a second logic value at an oscillation frequency, and the periodic signal is sampled at a sampling frequency such that the first logic value and the second logic value randomly appear in the plurality of random single bit values;
wherein the sampling frequency is different from the oscillation frequency.
11. A method for generating true random numbers, applicable to an electronic device, comprising:
performing a first obfuscation function on a preliminary seed based on a first physical uncloneable function value using a first obfuscation circuit to generate a final seed;
using a cryptographic circuit to use the final seed as a key of a cryptographic function to generate a preliminary random number sequence; and
performing a second obfuscation function on the preliminary random number sequence based on a second physical uncloneable function value using a second obfuscation circuit to generate a final random number sequence;
wherein the first physical uncloneable function value and the second physical uncloneable function value are obtained from a pool of physical uncloneable functions of the electronic device.
12. The method of claim 11, wherein performing the first obfuscation function on the preliminary seed based on the first physical uncloneable function value with the first obfuscation circuit to generate the final seed comprises:
the preliminary seed is spliced with the first physical uncloneable function value using the first garbled circuit to produce the final seed.
13. The method of claim 11, further comprising:
generating a plurality of random single bit values; and
the preliminary seed is obtained from the plurality of random single bit values.
14. The method of claim 11, further comprising:
the preliminary seed is obtained from a non-volatile memory, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the preliminary seed stored in the non-volatile memory, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence.
15. The method of claim 11, further comprising:
obtaining an entropy seed from an entropy circuit;
obtaining a non-volatile memory seed from a non-volatile memory, wherein a feedback random number is written into the non-volatile memory at one or more predetermined points in time to update the non-volatile memory seed stored in the non-volatile memory, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence;
testing the entropy seeds by using a testing circuit to generate a testing result; and
a multiplexer is utilized to select one of the entropy seed and the nonvolatile memory seed for output as the preliminary seed in response to the test result.
16. The method of claim 15, wherein the testing circuit tests the entropy seed for health, the step of selecting one of the entropy seed and the nonvolatile memory seed comprising:
selecting the entropy seed as the preliminary seed when the test result indicates that the entropy circuit is in a healthy state; and
when the test result indicates that the entropy circuit is in a non-healthy state, the non-volatile memory seed is selected as the preliminary seed.
17. The method of claim 11, further comprising:
generating a random control bit; and
determining whether to update an entropy seed by means of a feedback random number in response to the random control bit, wherein the feedback random number is derived from the preliminary random number sequence or the final random number sequence.
18. The method of claim 17, wherein the step of responding to the random control bits to determine whether to update the entropy seed by means of the feedback random number comprises:
performing a third obfuscation function on the entropy seeds based on the feedback random number to generate updated entropy seeds; and
selecting one of the pre-update entropy seeds and the post-update entropy seeds to output a latest entropy seed in response to the random control bits.
19. The method of claim 18, further comprising:
retrieving a nonvolatile memory seed from a nonvolatile memory, wherein the feedback random number is written to the nonvolatile memory at one or more predetermined points in time to update the nonvolatile memory seed stored in the nonvolatile memory; and
selecting one of the non-volatile memory seed and the entropy seed as the preliminary seed;
wherein when the non-volatile memory seed is selected, the feedback random number is generated based on the non-volatile memory seed, and the updated entropy seed is generated based on the feedback random number.
20. The method of claim 17, wherein the step of generating the random control bits comprises:
generating a periodic signal by using an oscillator, wherein the periodic signal is changed between a first logic value and a second logic value at an oscillation frequency; and
sampling the periodic signal at a sampling frequency such that the first logical value and the second logical value appear randomly in a plurality of random single bit values output by the oscillator to produce the random control bits;
wherein the sampling frequency is different from the oscillation frequency.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202063034410P | 2020-06-04 | 2020-06-04 | |
| US63/034,410 | 2020-06-04 | ||
| US17/211,799 | 2021-03-24 | ||
| US17/211,799 US11487505B2 (en) | 2020-06-04 | 2021-03-24 | Physical unclonable function based true random number generator, method for generating true random numbers, and associated electronic device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113760221A CN113760221A (en) | 2021-12-07 |
| CN113760221B true CN113760221B (en) | 2024-02-23 |
Family
ID=78787220
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110578028.3A Active CN113760221B (en) | 2020-06-04 | 2021-05-26 | True random number generator based on physical unclonable function and related method |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN113760221B (en) |
| TW (1) | TWI782540B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108664234A (en) * | 2018-01-17 | 2018-10-16 | 北京智芯微电子科技有限公司 | Real random number generator |
| EP3557407A1 (en) * | 2018-04-18 | 2019-10-23 | eMemory Technology Inc. | Puf-based true random number generation system |
| CN110537191A (en) * | 2017-03-22 | 2019-12-03 | 维萨国际服务协会 | Secret protection machine learning |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120079281A1 (en) * | 2010-06-28 | 2012-03-29 | Lionstone Capital Corporation | Systems and methods for diversification of encryption algorithms and obfuscation symbols, symbol spaces and/or schemas |
| US9558358B2 (en) * | 2013-06-27 | 2017-01-31 | Visa International Service Association | Random number generator in a virtualized environment |
| CN106020771B (en) * | 2016-05-31 | 2018-07-20 | 东南大学 | A kind of pseudo-random sequence generator based on PUF |
| EP3407335B1 (en) * | 2017-05-22 | 2023-07-26 | Macronix International Co., Ltd. | Non-volatile memory based physically unclonable function with random number generator |
| EP3407336B1 (en) * | 2017-05-22 | 2022-08-17 | Macronix International Co., Ltd. | Unchangeable phyisical unclonable function in non-volatile memory |
-
2021
- 2021-05-24 TW TW110118674A patent/TWI782540B/en active
- 2021-05-26 CN CN202110578028.3A patent/CN113760221B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110537191A (en) * | 2017-03-22 | 2019-12-03 | 维萨国际服务协会 | Secret protection machine learning |
| CN108664234A (en) * | 2018-01-17 | 2018-10-16 | 北京智芯微电子科技有限公司 | Real random number generator |
| EP3557407A1 (en) * | 2018-04-18 | 2019-10-23 | eMemory Technology Inc. | Puf-based true random number generation system |
| CN110389747A (en) * | 2018-04-18 | 2019-10-29 | 力旺电子股份有限公司 | With physics can not copy function true random number generate system |
Non-Patent Citations (1)
| Title |
|---|
| 基于线性反馈的多模混合可重构PUF电路设计;栾志存;张跃军;王佳伟;潘钊;;电子技术应用(第11期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| TWI782540B (en) | 2022-11-01 |
| CN113760221A (en) | 2021-12-07 |
| TW202147097A (en) | 2021-12-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110389747B (en) | True random number generation system with physical unclonable function | |
| US11487505B2 (en) | Physical unclonable function based true random number generator, method for generating true random numbers, and associated electronic device | |
| JP5248328B2 (en) | Equipment security based on signal generators | |
| Xu et al. | Robust and flexible FPGA-based digital PUF | |
| JP7006887B2 (en) | Random number generator and how to generate output random numbers | |
| JP3696209B2 (en) | Seed generation circuit, random number generation circuit, semiconductor integrated circuit, IC card and information terminal device | |
| EP3234857A1 (en) | Reliability enhancement methods for physically unclonable function bitstring generation | |
| JP5863994B2 (en) | Integrated security device and signal processing method used for integrated security device | |
| Wang et al. | Lattice PUF: A strong physical unclonable function provably secure against machine learning attacks | |
| Sunar | True random number generators for cryptography | |
| Srinivasu et al. | CoLPUF: a novel configurable LFSR-based PUF | |
| Torii et al. | ASIC implementation of random number generators using SR latches and its evaluation | |
| JP6187462B2 (en) | Universal hash function computing device, method and program | |
| Shariffuddin et al. | Review on arbiter physical unclonable function and its implementation in FPGA for IoT security applications | |
| Nassar et al. | CaPUF: Cascaded PUF structure for machine learning resiliency | |
| WO2017209890A1 (en) | Single clock cycle cryptographic engine | |
| Garcia-Bosque et al. | Suitability of generalized GAROs on FPGAs as PUFs or TRNGs considering spatial correlations | |
| CN113760221B (en) | True random number generator based on physical unclonable function and related method | |
| Rai et al. | Design and analysis of reconfigurable cryptographic primitives: TRNG and PUF | |
| US20230139712A1 (en) | Circuit apparatus and methods for puf source and generating random digital sequence | |
| JP2000242470A (en) | Device and method for generating random number and recording medium | |
| Anchana et al. | Design of PUF Based Chaotic Random Number Generator | |
| CN112202548A (en) | Stream encryption key stream generation method, device, circuit and encryption method | |
| Garipcan et al. | FPGA modeling of a novel fully-synthesizable and secure TRNG based on key-dependent s-box | |
| Yu et al. | Malicious attacks on physical unclonable function sensors of internet of things |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |