WO1999038069A1 - Random number generation method and apparatus - Google Patents

Publication number
WO1999038069A1
Authority
WO
WIPO (PCT)
Prior art keywords
random number
physical
binary
pseudo
smoothing
Prior art date
Application number
PCT/EP1999/000268
Other languages
French (fr)
Inventor
Bo Lin
Stephen Mcallister
Original Assignee
Motorola Limited
Priority date
Filing date
Publication date
Application filed by Motorola Limited
Publication of WO1999038069A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes
    • H ELECTRICITY
    • H03 ELECTRONIC CIRCUITRY
    • H03K PULSE TECHNIQUE
    • H03K3/00 Circuits for generating electric pulses; Monostable, bistable or multistable circuits
    • H03K3/84 Generating pulses having a predetermined statistical distribution of a parameter, e.g. random pulse generators

Definitions

  • the present invention relates generally to methods for generating a random number, and more particularly to methods for improving the randomness of random numbers generated from physical means.
  • Random number generation is required in a range of applications, particularly, though not exclusively, in security applications where a random number is used in the generation of an encoding or encryption key.
  • a physical Random Number Generator (RNG) is often used.
  • RNG Physical Random Number Generator
  • a "physical" RNG refers to an RNG which generates a random number based upon sample "noise" from reverse-biased diodes, oscillator phase noise, or other physical phenomena.
  • An example of a physical RNG used in cryptography applications is the combination of two independent oscillator circuits which are cascaded together, whereby the current source of the second oscillator is modulated by the saw-tooth wave-form output of the first oscillator to produce a pulse train representing a binary random number.
  • Such an RNG is sometimes incorporated as part of the integrated circuitry of the cryptography device, e.g. a smart card chip.
  • Physical RNGs are accepted as being highly unpredictable. But many applications, including cryptography, require that the random number distribution be uniform as well. In a binary random number, a uniform distribution means that the percentage of 0s and the percentage of 1s is the same, i.e. 50% of each.
  • traditional physical RNGs inherently suffer from some form of bias, such that random numbers generated either have more 1s than 0s, or vice versa. If such a bias were fixed, one could compensate for the bias. See, e.g., "Various Techniques Used in Connection with Random Digits," by J. von Neumann in the National Bureau of Standards, Applied Math Series, 1951, Vol. 12, pp. 36-38 (reprinted in von Neumann's Collected Works, Vol.
  • FIG. 1 illustrates an integrated circuit at a functional block level suitable for use in conjunction with practising the present invention.
  • FIG. 2 illustrates a physical random number generator suitable for use in accordance with practising the present invention.
  • FIG. 3 illustrates a flow diagram depicting a method for generating a random number in accordance with one embodiment of the present invention.
  • FIG. 4 illustrates the manner in which a random number generated from a physical RNG is smoothed using a pseudo RNG to produce a more uniform random binary number in accordance with the present invention.
  • the present invention utilises a physical Random Number Generator (RNG) to create a random number which is then made unbiased by combination with a pseudo random number.
  • RNG physical Random Number Generator
  • the physical random number is either XORed with the pseudo random number or ADDed to the pseudo random number.
  • the unpredictability of the physical random number is thus combined with the uniformity of a pseudo random number to produce a provably unbiased binary random number, i.e. one having a 50/50 distribution of 0s and 1s.
  • the effect of the combination is referred to as a "smoothing" of the inherent bias in random numbers generated from a physical RNG.
  • FIG. 1 illustrates, at a functional block level, an integrated circuit (IC) 12 which is suitable for use in practising the present invention. While IC 12 as shown is intended for use in a smart card, or personal data carrier, this is not a requirement of the present invention. Nor is the invention limited to performance by an integrated circuit. Rather, the invention is useful in any application which employs a physical random number generator means. It is also noted that while IC 12 is illustrated to include definitive blocks for performing particular functions, as further described below, in practice the particular functional blocks of IC 12 are likely to not be clearly identifiable as "blocks" on the actual manufactured IC. Furthermore, the arrangement of such "blocks" on the chip are likely to not correspond to the arrangement shown. It is also noted that while IC 12 may be illustrated in the form of a single semiconductor die, the functionality described
  • an IC can be implemented in one or more die.
  • an IC may include functional blocks other than those illustrated in FIG. 1. Accordingly, the figures are not intended to limit the scope or applicability of the invention unless expressly indicated otherwise.
  • an operating power module 14 receives operating power by either direct contact with contacts between a reader terminal and the smart card, or by radio frequency (RF) transmission from the reader terminal in the case of a contactless smart card.
  • Power module 14 provides a positive power supply potential (e.g. VDD) to the other circuitry in IC 12.
  • a central processing unit (CPU) 16, also referred to as a microprocessor or microcontroller core, performs the control, timing, and decision making functions. For example, CPU 16 controls the read, write and erase operations to the memory and makes data available to data I/O module 18.
  • Data I/O module 18 sends and receives data to and from the reader terminal.
  • a Read-Only-Memory (ROM) module 20 of IC 12 stores the program instructions for the given card application which are set during the IC manufacturing process and then executed by CPU 16.
  • a Random-Access-Memory (RAM) module 22 is also included. RAM is volatile memory and thus provides temporary storage of information.
  • Electrically Erasable Programmable ROM (EEPROM) 24 is a non-volatile memory array of IC 12 that stores the primary information of the card, such as personal identification, medical history, banking information, monetary values, security codes, etc. depending on the card application. While EEPROM is a preferred form of memory, other types of nonvolatile memory can be used in place of EEPROM 24.
  • IC 12 further includes a Modular Exponentiation Unit (MEU) 26 which is used to encrypt data being transferred between the card and the reader and to decrypt data being transferred from the reader to the card.
  • MEU Modular Exponentiation Unit
  • IC 12 also includes a physical Random Number Generator (RNG) 28 suitable for use in conjunction with the present invention.
  • RNG 28 need not be of any particular circuit design for use with the present invention. Any known or to-be-developed physical RNG (as defined previously) will benefit from the present invention.
  • RNG 28 includes two independent oscillators which are cascaded as shown in FIG. 2. It is noted that as described below RNG 28 includes an adjustment means between the two oscillators for adjusting by a variable amount the frequency of the second oscillator for improved randomness. However, use of such adjustment means is not necessary in practising the present
  • RNG 28 includes a first relaxation oscillator 212 which charges and discharges a capacitor (not shown) from a first, fixed current source 214 to produce a saw-tooth waveform output at a first frequency.
  • a second relaxation oscillator 216 charges and discharges a capacitor (not shown) from a second, voltage-controlled current source 218.
  • the second current source 218 is coupled at a first control input directly to the output of the first oscillator 212 to be modulated by the saw-tooth waveform output thereof.
  • the output of the first oscillator 212 is also coupled to a second control input of the second current source 218 via a transmission gate 220, which is controlled by the state of a software settable data bit (not shown), which controls an adjust signal Adj1.
  • a storage capacitor 222 is connected between ground and a point between the transmission gate 220 and the second current source 218. The transmission gate 220 and the storage capacitor 222 allow the user to adjust the second current source 218 by an analogue value determined by the point in time when the output saw-tooth waveform from the first oscillator 212 is sampled and held upon closure of the transmission gate 220.
  • the user adjusts the randomness of the resultant number by 'blipping' or 'pulsing' the adjustment bit for the transmission gate 220 (i.e., setting the adjustment bit to a value, say '0' to open the transmission gate 220, then waiting for a predetermined time - set in software - before setting the adjustment bit to the opposite value, say '1', to close the transmission gate 220 and leave the sampled value of the output saw-tooth waveform from the first oscillator 212 at that instant stored on the capacitor 222).
  • the adjust bit for the transmission gate 220 adds an amount of extra current to the second oscillator (and so changes its frequency) by an amount (between minimum and maximum values of the output saw-tooth waveform from the first oscillator 212) determined by the instant at which the transmission gate 220 is closed.
  • in order to obtain increased randomisation, the user 'blips' or 'pulses' the adjustment bit for the transmission gate 220 immediately before reading a random number from the random number generating arrangement 210.
  • the output of the second oscillator 216 is coupled through a divider 224 and a transmission gate 226 (controlled by a read signal Rd) onto a data bus 228.
  • the divide ratio of the divider 224 is selectable between unity and a predetermined, non-unity value by the state of a software settable data bit (not shown), which controls an adjust signal Adj2.
  • the adjustment bit which controls the divider 224 determines whether the output pulse train from the second oscillator 216 is divided by a predetermined ratio before being gated onto the data bus 228. It will be appreciated that such division of the output pulse train from the second oscillator 216 further 'randomises' the resultant
  • the CPU of IC 12 will encounter routines which require use of a random number, which the CPU will fetch from RNG 28.
  • a random number is often needed to create a cryptographic key.
  • random numbers can also be used to modify the execution time or software program flow of an application to prevent hackers from being able to duplicate the routine.
  • a random number is also used in some instances to determine whether to round up or round down in performing a currency conversion. Collisions between multiple contactless smart cards and a reader terminal can also be resolved by having each card generate a random number which is compared to a number generated by the reader.
  • a random number is generated in accordance with the present invention and is fed to the CPU for processing via bus 228.
  • An example of the manner in which such a random number is generated using a method of the present invention is illustrated in the flow diagram of FIG. 3.
  • a physical RNG is used to generate a random number.
  • the particular type or design of physical RNG used is not important.
  • the size of the random number generated is not critical, but for purposes of explanation it is assumed that the physical RNG generates a 64 byte random number. From this physical random number, a seed for generating a pseudo random number is extracted as represented in a next step 32.
  • a pseudo random number is a number which has been generated through algorithmic manipulation of a seed number. Pseudo random numbers can be used in place of physically generated random numbers in some instances, however pseudo random numbers are undesirable in high security applications because they are too predictable. If one starts with the same seed, the result will be the same pseudo random number.
  • a pseudo random number is generated to smooth the bias from a physically generated random number rather than being used by the CPU as the finally generated random number.
  • the seed as random as possible.
  • a subset of bytes or bits from the physical random number to produce the pseudo seed e.g. randomly select 3 or 4 bytes from the 64 byte physical random number.
  • the bytes extracted from the physical RNG can be XORed with a pre-selected number to create the seed.
  • a pre-selected fixed number is used to avoid producing a number which is all zeros or all 1s.
  • a counter is set as shown in step 34 of FIG. 3.
  • one byte of a pseudo random number is generated at a time, as provided in a step 36, but this is not a requirement of the present invention and will depend upon the particular pseudo random number generation algorithm used.
  • the counter is thus used to determine when the pseudo random number generation is complete (i.e. when each byte of the physical random number has a corresponding byte of a pseudo random number).
  • the counter is an incrementing counter, but could alternatively be decrementing. Alternatively, the entire pseudo random number could be generated from the seed without need for a counter or repetition of the generation algorithm.
  • The particular algorithm(s) used to generate one byte of a pseudo random number in step 36 is not particularly important for purposes of practising and understanding the present invention.
  • a byte of the physically generated random number is sampled, as in step 38, and is smoothed in step 40 with the byte of the pseudo random number generated in step 36.
  • Smoothing refers to performing a mathematical function on both the physical and pseudo random numbers which significantly removes the inherent bias or non-uniform distribution associated with the physically generated random number while maintaining its unpredictability.
  • the smoothing operation is one which can be mathematically proven to produce a random number having a 50/50 distribution of 0s and 1s.
  • the smoothing function is accomplished by XORing the bytes of the pseudo and physical random numbers.
  • the bytes are merely ADDed together. The mathematical proofs that each of these functions will result in a random number of uniform distribution are provided in the Appendix.
  • the result is stored in a memory, as shown in a step 42.
  • the counter is then incremented, or decremented, as indicated in step 44. If the counter has not reached its last count, as determined at step 46, another byte of the pseudo random number is generated. To avoid generating the same byte of the pseudo random number, a seed other than that used to generate previous bytes is used. In some instances, the algorithms used by the pseudo RNG modify the seed in the course of pseudo number generation. In this case, it would be determined at a step 48 that a new seed is not needed. However, if the seed has not been modified, a new seed is needed to perform the pseudo random number generation. This is accomplished by step 50. The generation of new bytes of the pseudo random number continues until all bytes of the physical random number have been smoothed.
  • a 64 byte random number 100 is generated from a physical RNG. Random bytes of number 100 are used to create a seed number 102. A pseudo RNG is then used to create a pseudo random number 104 from the seed. The physical random number 100 is then smoothed by the pseudo random number 104 by the function f(x_i, y_i) to produce a random number 106 having an improved uniform distribution of 0s and 1s as compared to physical random number 100.
  • smoothing a random number generated by physical means in accordance with the present invention provides a marked improvement in uniformity of distribution of 0s and 1s.
  • the improvement is evident from several tests which were conducted on random numbers generated from a physical RNG alone, as compared to random numbers generated from a physical RNG which has been smoothed in accordance with the present invention.
  • the physical RNG used in the comparison was that as described above in reference to FIG. 2, and the smoothing function used was to XOR the physical random number with a pseudo random number as described above in reference to FIG. 3.
  • a 1 Megabyte random number was generated in each instance so that all tests could be performed on the same set of data points.
  • temperature, voltage, and frequency were varied as follows: Temperature- -25 °C, 25 °C, and 85 °C; Voltage- 3.5 V, 5.5 V, and 6.5 V; Frequency- 2.5 MHz, 4.9 MHz, and 8.0 MHz. All other operating variables remained constant.
  • Table 1 provides the results of the comparison, while a description of the various tests performed and the significance of the results of each test follow the table. Test Data Average Stddev % Fail Comment
  • the "Zeros" test is a test which determines the percentage of 0s in the resulting random number. Similarly the "Ones" test determines the percentage of 1s in the resulting random number. The "Bias" test shows how far the percentage of 0s or 1s is away from 50%. Bias is presented by a
  • the "Chi Sqr255" test is a Chi Square test with 255 degrees of freedom, and examines if the frequency of 8-bit (1 byte) patterns in a sequence looks like those of a truly random sequence. If the result of the test is less than 335, 8-bit patterns are regarded as uniformly distributed. This test is stronger than Chi Sqr1 because a sequence producing a good Chi Sqr1 result can nonetheless have poor results using Chi Sqr255.
  • the "Run Up" test examines if a sequence runs up like a truly random one.
  • the "Run Down" test examines if a sequence runs down like a truly random one. In other words, the results show if a candidate sequence changes like a truly random number sequence in either direction. If each of the results is less than 16.812, the candidate sequence is regarded as one which changes like a truly random sequence.
  • a collision test examines the number of collisions in the first 2 (327,680) 20-bit elements. A collision is when an RNG produces two same numbers. A truly random RNG produces numbers with a low probability of collision, although some number of collisions is inevitable.
  • Multi-Cllsn Multiple Collision
  • the "Universal" test measures the average information entropy in a segment with a specified number of bits by means of the Elias compression algorithm.
  • the test produces two values, v_1 and v_2, for a specified L where v_1 is the average
  • v_2 is the test boundary which is sample size dependent.
  • Table 1 v_1 is shown, with v_2 being 12.136731 in both cases. If v_1 > v_2 then the candidate sequence passes the universal test.
  • the "3 1-bit" tests the independence between three bits by examining every bit in a sequence, and checks uniformity as well.
  • the "3 3-bit" tests the independence between three 3-bit elements by examining every 3-bit element in the sequence, again while checking uniformity. If a random number sequence passes the Chi Square and various 0s/1s tests, the result of the 3 1-bit and 3 3-bit tests shows whether adjacent elements in the sequence depend on each other. In other words, this test not only determines whether elements in a sequence are uniformly distributed but also if they behave like tossing coins. A good result is expected to be less than 13.277 for the 3 1-bit test and less than 520.556 for the 3 3-bit test.
  • the invention is not limited to being implemented by an integrated circuit. Any general data processing system can be used, and the smoothing function can be performed using software, hardware, firmware or any combination thereof. If using a hardware design, conventional hardware implementations of a pseudo RNG can be used with the invention.
  • the invention is not limited to the particular application for which the random number is to be used. Nor is the invention limited to the particular type of physical RNG used to generate the initial random number, since all physical RNGs are inherently biased and/or provide non-uniform distributions to a degree and will therefore benefit from the present invention. Therefore, it is intended that this invention encompass all such variations and modifications as fall within the scope of the appended claims.
  • z_i will always be 0 or 1 with probability of 1/2 no matter what the distribution of {x_i} is.
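
The FIG. 3 loop with XOR and ADD smoothing, as an added C example (not code from the patent or from Motorola). The biased physical source is simulated, and the xorshift32 pseudo RNG, the fixed seed byte positions and the `PRESELECTED` constant are assumptions, since the text leaves the algorithm open and selects seed bytes at random. It also runs a stuck-at-zero source to show that smoothing hides a dead source rather than detecting it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 64                 /* 64-byte physical random number, as in the text */
#define N_BLOCKS 2000            /* blocks measured per run (constructed workload) */
#define PRESELECTED 0xA5C33C5Au  /* assumed pre-selected number XORed into the seed */

enum smooth_op { SMOOTH_XOR, SMOOTH_ADD };

/* Constructed stand-in for the physical RNG: splitmix64 drives a bit source
   that emits 1 with probability ones_pct/100 (0 models a stuck-at-zero fault). */
static uint64_t sim_state;

static uint64_t splitmix64(void) {
    uint64_t z = (sim_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void physical_rng_sim(uint8_t out[BLOCK], unsigned ones_pct) {
    for (int i = 0; i < BLOCK; i++) {
        uint8_t b = 0;
        for (int bit = 0; bit < 8; bit++)
            b = (uint8_t)((b << 1) | ((splitmix64() >> 32) % 100 < ones_pct));
        out[i] = b;
    }
}

/* Step 32: seed = bytes taken from the physical number XOR a pre-selected number.
   Fixed positions are an assumption; the text picks the bytes at random. */
static uint32_t derive_seed(const uint8_t phys[BLOCK]) {
    uint32_t s = ((uint32_t)phys[0] << 24) | ((uint32_t)phys[21] << 16) |
                 ((uint32_t)phys[42] << 8) | (uint32_t)phys[63];
    s ^= PRESELECTED;
    return s ? s : PRESELECTED;  /* xorshift must never be seeded with zero */
}

/* Step 36: one pseudo random byte per call. xorshift32 is an assumed choice;
   it updates its own state, so no fresh seed is needed per byte (step 48). */
static uint8_t pseudo_byte(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return (uint8_t)(x >> 24);
}

/* Steps 34-46: the counter walks the block; each physical byte is smoothed
   with one pseudo byte by XOR or by ADD modulo 256, and the result stored. */
void smooth_block(const uint8_t phys[BLOCK], uint8_t out[BLOCK], enum smooth_op op) {
    uint32_t state = derive_seed(phys);
    for (int count = 0; count < BLOCK; count++) {
        uint8_t y = pseudo_byte(&state);
        out[count] = (op == SMOOTH_XOR) ? (uint8_t)(phys[count] ^ y)
                                        : (uint8_t)(phys[count] + y);
    }
}

static unsigned popcount8(uint8_t v) {
    unsigned n = 0;
    while (v) { n += v & 1u; v >>= 1; }
    return n;
}

/* "Ones" test over N_BLOCKS blocks: 1 bits per thousand bits, measured on
   the raw physical bytes (smoothed == 0) or on the smoothed bytes. */
unsigned ones_per_mille(unsigned ones_pct, int smoothed, enum smooth_op op) {
    uint8_t phys[BLOCK], out[BLOCK];
    unsigned long long ones = 0;
    sim_state = 0x1234;          /* fixed start so every run is reproducible */
    for (int n = 0; n < N_BLOCKS; n++) {
        physical_rng_sim(phys, ones_pct);
        smooth_block(phys, out, op);
        for (int i = 0; i < BLOCK; i++)
            ones += popcount8(smoothed ? out[i] : phys[i]);
    }
    return (unsigned)(ones * 1000ULL / ((unsigned long long)N_BLOCKS * BLOCK * 8));
}

/* Failure mode: with a dead physical source the seed is a constant, so the
   "random" number is the same pseudo random stream on every call. */
int stuck_source_repeats(void) {
    uint8_t phys[BLOCK] = {0}, a[BLOCK], b[BLOCK];
    smooth_block(phys, a, SMOOTH_XOR);
    smooth_block(phys, b, SMOOTH_XOR);
    return memcmp(a, b, BLOCK) == 0;
}

int main(void) {
    printf("raw source, 60%% ones : %u per mille\n", ones_per_mille(60, 0, SMOOTH_XOR));
    printf("XOR smoothed          : %u per mille\n", ones_per_mille(60, 1, SMOOTH_XOR));
    printf("ADD smoothed          : %u per mille\n", ones_per_mille(60, 1, SMOOTH_ADD));
    printf("stuck source, smoothed: %u per mille\n", ones_per_mille(0, 1, SMOOTH_XOR));
    printf("stuck source repeats  : %d\n", stuck_source_repeats());
    return 0;
}
```

A dead source yields the same 64 bytes on every call, so health tests belong on the raw physical output rather than on the smoothed one.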

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • General Engineering & Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Tests Of Electronic Circuits (AREA)
  • Complex Calculations (AREA)

Abstract

The bias inherently associated with random number generation using a physical means (e.g. noise diodes, Geiger counters, etc.) is removed with the present invention by smoothing the physically generated random number with a pseudo random number. For instance by XORing or ADDing the physically generated random number with a pseudo random number, it can be shown that the distribution of 0s and 1s in the resulting binary random number is uniform.

Description

RANDOM NUMBER GENERATION METHOD AND APPARATUS
Field of the Invention
The present invention relates generally to methods for generating a random number, and more particularly to methods for improving the randomness of random numbers generated from physical means.
Background of the Invention
Random number generation is required in a range of applications, particularly, though not exclusively, in security applications where a random number is used in the generation of an encoding or encryption key. In such an application, a physical Random Number Generator (RNG) is often used. As used herein a "physical" RNG refers to an RNG which generates a random number based upon sample "noise" from reverse-biased diodes, oscillator phase noise, or other physical phenomena. An example of a physical RNG used in cryptography applications is the combination of two independent oscillator circuits which are cascaded together, whereby the current source of the second oscillator is modulated by the saw-tooth wave-form output of the first oscillator to produce a pulse train representing a binary random number. Such an RNG is sometimes incorporated as part of the integrated circuitry of the cryptography device, e.g. a smart card chip.
Physical RNGs are accepted as being highly unpredictable. But many applications, including cryptography, require that the random number distribution be uniform as well. In a binary random number, a uniform distribution means that the percentage of 0s and the percentage of 1s is the same, i.e. 50% of each. However, traditional physical RNGs inherently suffer from some form of bias, such that random numbers generated either have more 1s than 0s, or vice versa. If such a bias were fixed, one could compensate for the bias. See, e.g., "Various Techniques Used in Connection with Random Digits," by J. von Neumann in the National Bureau of Standards, Applied Math Series, 1951, Vol. 12, pp. 36-38 (reprinted in von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963, pp. 768-770) which discloses a simple real time algorithm to extract unbiased binary outputs from a fixed bias source. But the bias of physical RNGs in the form of integrated circuits, for example, varies with such factors as time, temperature, supply voltage, and frequency. Because the bias is not fixed, compensation for such bias is not possible using such techniques. Nor is the bias of a typical physical RNG dependent solely upon the history of past output. Thus, the method to determine the dependency of the next bit on the previous bit(s) as proposed by M. Blum in "Independent Unbiased Coin Flips From a Correlated Biased Source: a Finite State Markov Chain," Combinatorica, Vol. 6, 1986, pp. 97-108, is likewise not a suitable solution.
A proposed method to overcome an unfixed bias of a physical RNG was disclosed by M. Santha and W. Vazirani in "Generating Quasi-Random Sequences from Slightly-Random Sources," Proceedings of the 25th Annual IEEE Symposium on the Foundations of Computer Science, October 1984, pp. 434-440. In this method, the physical RNG (e.g. a zener diode in which the frequency of 0s and 1s inherently drifts over a period of time) was considered to be a "slightly-random source". The authors show how a "quasi-random number" (one which is indistinguishable from a truly random number, but which is not truly random) can be generated from a plurality of slightly random sources operating in parallel. B. Chor and O. Goldreich go a step further and show that just two such slightly random sources can be used to generate unbiased bits, as disclosed in "Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity," SIAM Journal on Computing, Vol. 17, No. 2, April 1988, pp. 230-261.
However, the use of multiple physical RNGs in parallel is not desirable. For example in smart cards and in other portable devices requiring random number generation, the size of the integrated circuit is undesirably increased by the incorporation of multiple physical RNGs. Furthermore, it is very difficult to make multiple RNGs truly independent from one another in a single integrated circuit chip. Therefore, two on-chip physical RNGs are not likely to work in practice as well as in theory. In using multiple physical RNGs there is also the need for additional read-only-memory (ROM) to store the algorithm used for extracting unbiased bits. In view of these disadvantages, it is apparent that there is a need for improving the uniformity of distribution of a physical random number generator without the inclusion of additional physical RNGs. Moreover, it is desirable that a method for generating the random number be computationally simple, so as not to slow down or impede other device functions.
Brief Description of the Drawings
FIG. 1 illustrates an integrated circuit at a functional block level suitable for use in conjunction with practising the present invention.
FIG. 2 illustrates a physical random number generator suitable for use in accordance with practising the present invention.
FIG. 3 illustrates a flow diagram depicting a method for generating a random number in accordance with one embodiment of the present invention.
FIG. 4 illustrates the manner in which a random number generated from a physical RNG is smoothed using a pseudo RNG to produce a more uniform random binary number in accordance with the present invention.
Detailed Description of a Preferred Embodiment
Generally, the present invention utilises a physical Random Number Generator (RNG) to create a random number which is then made unbiased by combination with a pseudo random number. In a preferred embodiment, the physical random number is either XORed with the pseudo random number or ADDed to the pseudo random number. The unpredictability of the physical random number is thus combined with the uniformity of a pseudo random number to produce a provably unbiased binary random number, i.e. one having a 50/50 distribution of 0s and 1s. The effect of the combination is referred to as a "smoothing" of the inherent bias in random numbers generated from a physical RNG. Smoothing a physical random number in accordance with the present invention can be achieved using software control alone, thereby negating any increase in circuit area, or can be implemented as firmware or hardware for improved security. In the latter case, a pseudo RNG is hardwired to provide an independent source of random numbers and then plays the same role as its software implementation. These and other features, and advantages, will be more clearly understood from the following detailed description taken in conjunction with the FIGs. 1-4.
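The argument behind "provably unbiased", worked through here as an added derivation (it is not the patent's Appendix). Assumptions: $x_i$ is a physical bit with unknown $P(x_i = 1) = p$, $y_i$ is a pseudo random bit with $P(y_i = 1) = \tfrac{1}{2}$, $y_i$ is independent of $x_i$, and $z_i = x_i \oplus y_i$ is the smoothed bit.

$$P(z_i = 1) = P(x_i = 1)\,P(y_i = 0) + P(x_i = 0)\,P(y_i = 1) = p \cdot \tfrac{1}{2} + (1 - p) \cdot \tfrac{1}{2} = \tfrac{1}{2}$$

For byte-wise ADD modulo 256, with $y$ uniform on $0, \dots, 255$ and independent of the physical byte $x$:

$$P(z = k) = \sum_{a=0}^{255} P(x = a)\,P\big(y = (k - a) \bmod 256\big) = \frac{1}{256} \sum_{a=0}^{255} P(x = a) = \frac{1}{256}$$

Both results hold for any $p$, so a drifting bias does not affect them; they rest entirely on $y$ being uniform and independent of $x$.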
While there are many suitable applications for using the present invention, a particularly important application is generation of random numbers for cryptography, as would be performed by integrated circuit devices in smart cards. FIG. 1 illustrates, at a functional block level, an integrated circuit (IC) 12 which is suitable for use in practising the present invention. While IC 12 as shown is intended for use in a smart card, or personal data carrier, this is not a requirement of the present invention. Nor is the invention limited to performance by an integrated circuit. Rather, the invention is useful in any application which employs a physical random number generator means. It is also noted that while IC 12 is illustrated to include definitive blocks for performing particular functions, as further described below, in practice the particular functional blocks of IC 12 are likely to not be clearly identifiable as "blocks" on the actual manufactured IC. Furthermore, the arrangement of such "blocks" on the chip are likely to not correspond to the arrangement shown. It is also noted that while IC 12 may be illustrated in the form of a single semiconductor die, the functionality described -4-
can be implemented in one or more die. Moreover, an IC may include functional blocks other than those illustrated in FIG. 1. Accordingly, the figures are not intended to limit the scope or applicability of the invention unless expressly indicated otherwise.
In IC 12, an operating power module 14 receives operating power by either direct contact with contacts between a reader terminal and the smart card, or by radio frequency (RF) transmission from the reader terminal in the case of a contactless smart card. Power module 14 provides a positive power supply potential (e.g. VDD) to the other circuitry in IC 12. A central processing unit (CPU) 16, also referred to as a microprocessor or microcontroller core, performs the control, timing, and decision making functions. For example, CPU 16 controls the read, write and erase operations to the memory and makes data available to data I/O module 18. Data I/O module 18 sends and receives data to and from the reader terminal.
A Read-Only-Memory (ROM) module 20 of IC 12 stores the program instructions for the given card application which are set during the IC manufacturing process and then executed by CPU 16. A Random-Access-Memory (RAM) module 22 is also included. RAM is volatile memory and thus provides temporary storage of information. Electrically Erasable Programmable ROM (EEPROM) 24 is a non-volatile memory array of IC 12 that stores the primary information of the card, such as personal identification, medical history, banking information, monetary values, security codes, etc. depending on the card application. While EEPROM is a preferred form of memory, other types of nonvolatile memory can be used in place of EEPROM 24.
IC 12 further includes a Modular Exponentiation Unit (MEU) 26 which is used to encrypt data being transferred between the card and the reader and to decrypt data being transferred from the reader to the card. The manner in which data is encrypted or decrypted is not particularly important for the purposes of understanding and practising the present invention, thus a detailed explanation of such methods is omitted.
IC 12 also includes a physical Random Number Generator (RNG) 28 suitable for use in conjunction with the present invention. RNG 28 need not be of any particular circuit design for use with the present invention. Any known or to-be-developed physical RNG (as defined previously) will benefit from the present invention. In one embodiment, and as was used in the comparison test results presented below, RNG 28 includes two independent oscillators which are cascaded as shown in FIG. 2. It is noted that as described below RNG 28 includes an adjustment means between the two oscillators for adjusting by a variable amount the frequency of the second oscillator for improved randomness. However, use of such adjustment means is not necessary in practising the present invention since the invention alone will offset any non-uniformity of the physically generated random number.
Referring again to FIG. 2, RNG 28 includes a first relaxation oscillator 212 which charges and discharges a capacitor (not shown) from a first, fixed current source 214 to produce a saw-tooth waveform output at a first frequency. A second relaxation oscillator 216 charges and discharges a capacitor (not shown) from a second, voltage-controlled current source 218. The second current source 218 is coupled at a first control input directly to the output of the first oscillator 212 to be modulated by the saw-tooth waveform output thereof.
The output of the first oscillator 212 is also coupled to a second control input of the second current source 218 via a transmission gate 220, which is controlled by the state of a software settable data bit (not shown), which controls an adjust signal Adj1. A storage capacitor 222 is connected between ground and a point between the transmission gate 220 and the second current source 218. The transmission gate 220 and the storage capacitor 222 allow the user to adjust the second current source 218 by an analogue value determined by the point in time when the output saw-tooth waveform from the first oscillator 212 is sampled and held upon closure of the transmission gate 220. The user adjusts the randomness of the resultant number by 'blipping' or 'pulsing' the adjustment bit for the transmission gate 220 (i.e., setting the adjustment bit to a value, say '0' to open the transmission gate 220, then waiting for a predetermined time - set in software - before setting the adjustment bit to the opposite value, say '1', to close the transmission gate 220 and leave the sampled value of the output saw-tooth waveform from the first oscillator 212 at that instant stored on the capacitor 222). Thus, 'blipping' or 'pulsing' the adjust bit for the transmission gate 220 adds an amount of extra current to the second oscillator (and so changes its frequency) by an amount (between minimum and maximum values of the output saw-tooth waveform from the first oscillator 212) determined by the instant at which the transmission gate 220 is closed. Thus, in order to obtain increased randomisation, the user 'blips' or 'pulses' the adjustment bit for the transmission gate 220 immediately before reading a random number from the random number generating arrangement 210.
The output of the second oscillator 216 is coupled through a divider 224 and a transmission gate 226 (controlled by a read signal Rd) onto a data bus 228. The divide ratio of the divider 224 is selectable between unity and a predetermined, non-unity value by the state of a software settable data bit (not shown), which controls an adjust signal Adj2. The adjustment bit which controls the divider 224 determines whether the output pulse train from the second oscillator 216 is divided by a predetermined ratio before being gated onto the data bus 228. It will be appreciated that such division of the output pulse train from the second oscillator 216 further 'randomises' the resultant number. It is also noted that as with the adjustment means coupled between the oscillators, the adjustment means which controls the output of second oscillator 216 is not necessary in practising the present invention since the invention alone will offset any non-uniformity of the physically generated random number. However, the circuit design of FIG. 2 was used in testing the benefits of the present invention, which results are shown below, and thus a description of the circuit is included for reference.
In operation, the CPU of IC 12 will encounter routines which require use of a random number, which the CPU will fetch from RNG 28. For example, a random number is often needed to create a cryptographic key. As an additional security measure, random numbers can also be used to modify the execution time or software program flow of an application to prevent hackers from being able to duplicate the routine. A random number is also used in some instances to determine whether to round up or round down in performing a currency conversion. Collisions between multiple contactless smart cards and a reader terminal can also be resolved by having each card generate a random number which is compared to a number generated by the reader.
Once CPU 12 determines that a random number is needed, a random number is generated in accordance with the present invention and is fed to the CPU for processing via bus 228. An example of the manner in which such a random number is generated using a method of the present invention is illustrated in the flow diagram of FIG. 3. In a first step 30, a physical RNG is used to generate a random number. As explained above, the particular type or design of physical RNG used is not important. Furthermore, the size of the random number generated is not critical, but for purposes of explanation it is assumed that the physical RNG generates a 64 byte random number. From this physical random number, a seed for generating a pseudo random number is extracted as represented in a next step 32.
A pseudo random number is a number which has been generated through algorithmic manipulation of a seed number. Pseudo random numbers can be used in place of physically generated random numbers in some instances, however pseudo random numbers are undesirable in high security applications because they are too predictable. If one starts with the same seed, the result will be the same pseudo random number. In accordance with the present invention, a pseudo random number is generated to smooth the bias from a physically generated random number rather than being used by the CPU as the finally generated random number.
The manner in which a seed is extracted from the physically generated random number is also not particularly important for practising the invention since the lack of randomness from the seed will be compensated for by the smoothing operation. However, in general it is desirable to make the seed as random as possible. Thus, one might randomly select a subset of bytes or bits from the physical random number to produce the pseudo seed (e.g. randomly select 3 or 4 bytes from the 64 byte physical random number). To achieve an even more random seed, the bytes extracted from the physical RNG can be XORed with a pre-selected number to create the seed. A pre-selected fixed number is used to avoid producing a number which is all zeros or all 1s. Alternatively, it may be desirable to fix the most significant bits (MSBs) of the pseudo seed to also avoid an all 0s or all 1s scenario, depending on the algorithm used to generate the pseudo random number.
After extracting the seed, a counter is set as shown in step 34 of FIG. 3. In accordance with the embodiment shown, one byte of a pseudo random number is generated at a time, as provided in a step 36, but this is not a requirement of the present invention and will depend upon the particular pseudo random number generation algorithm used. The counter is thus used to determine when the pseudo random number generation is complete (i.e. when each byte of the physical random number has a corresponding byte of a pseudo random number). As shown, the counter is an incrementing counter, but could alternatively be decrementing. Alternatively, the entire pseudo random number could be generated from the seed without need for a counter or repetition of the generation algorithm.
The particular algorithm(s) used to generate one byte of a pseudo random number in step 36 is not particularly important for purposes of practising and understanding the present invention. However, again it is always advisable to use routines which have the highest degree of randomness. Numerous algorithms have been written to generate pseudo random numbers, any of which can be used in practising the present invention. See, for example, "Random Numbers for Simulation" by P. L'Ecuyer in Communications of the ACM, Vol. 33, No. 3, October 1990, pp. 85-97, and references cited therein.
Next in accordance with the invention, a byte of the physically generated random number is sampled, as in step 38, and is smoothed in step 40 with the byte of the pseudo random number generated in step 36. Smoothing, as used herein, refers to performing a mathematical function on both the physical and pseudo random numbers which significantly removes the inherent bias or non-uniform distribution associated with the physically generated random number while maintaining its unpredictability. Ideally, the smoothing operation is one which can be mathematically proven to produce a random number having a 50/50 distribution of 0s and 1s. In a preferred embodiment of the invention, the smoothing function is accomplished by XORing the bytes of the pseudo and physical random numbers. In another preferred embodiment, the bytes are merely ADDed together. The mathematical proofs that each of these functions will result in a random number of uniform distribution are provided in the Appendix.
After smoothing the physical and pseudo bytes, the result is stored in a memory, as shown in a step 42. The counter is then incremented, or decremented, as indicated in step 44. If the counter has not reached its last count, as determined at step 46, another byte of the pseudo random number is generated. To avoid generating the same byte of the pseudo random number, a seed other than that used to generate previous bytes is used. In some instances, the algorithms used by the pseudo RNG modify the seed in the course of pseudo number generation. In this case, it would be determined at a step 48 that a new seed is not needed. However, if the seed has not been modified, a new seed is needed to perform the pseudo random number generation. This is accomplished by step 50. The generation of new bytes of the pseudo random number continues until all bytes of the physical random number have been smoothed.
The flow explained above is graphically represented in FIG. 4. A 64 byte random number 100 is generated from a physical RNG. Random bytes of number 100 are used to create a seed number 102. A pseudo RNG is then used to create a pseudo random number 104 from the seed. The physical random number 100 is then smoothed by the pseudo random number 104 by the function $f(x_i, y_i)$ to produce a random number 106 having an improved uniform distribution of 0s and 1s as compared to physical random number 100.
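The flow of FIG. 3, as an added example that is not part of the patent text: a simulated biased source stands in for RNG 28, and the 32-bit LCG, the seed constant and the way seed bytes are picked are assumptions, since the page leaves all three open. It measures the bias ε before and after smoothing with either combining function.

```python
"""Added example: FIG. 3 smoothing flow run on a simulated biased source."""
import random

BLOCK_BYTES = 64                      # size of one physical random number (page's example)
PRESELECTED = 0xA5C3965A              # assumed pre-selected constant XORed into the seed
LCG_A, LCG_C = 1664525, 1013904223    # assumed pseudo RNG: a 32-bit LCG


def simulated_physical_rng(source, n_bytes=BLOCK_BYTES, p_one=0.40):
    """Constructed stand-in for the physical RNG: each bit is 1 with probability p_one."""
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | int(source.random() < p_one)
        out.append(byte)
    return bytes(out)


def extract_seed(physical):
    """Step 32: take 4 bytes at positions chosen by the number itself, XOR a constant."""
    picked = bytes(physical[physical[k] % len(physical)] for k in range(4))
    return int.from_bytes(picked, "big") ^ PRESELECTED


def smooth(physical, mode="xor"):
    """Steps 34-46: one pseudo byte per physical byte, combined by XOR or ADD."""
    state = extract_seed(physical)
    result = bytearray()
    for count in range(len(physical)):                  # counter, steps 34/44/46
        # Step 36. The LCG updates its own state, so step 48 finds no new seed is needed.
        state = (LCG_A * state + LCG_C) & 0xFFFFFFFF
        pseudo = state >> 24                            # top byte of the LCG state
        sample = physical[count]                        # step 38
        if mode == "xor":                               # step 40, first embodiment
            result.append(sample ^ pseudo)
        elif mode == "add":                             # step 40, second embodiment
            result.append((sample + pseudo) & 0xFF)
        else:
            raise ValueError("mode must be 'xor' or 'add'")
    return bytes(result)                                # step 42: stored result


def bias(data):
    """The page's 'Bias' figure: distance of the fraction of 1s from 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5)


def run_experiment(blocks=1024, sim_seed=1999):
    """Smooth many 64-byte numbers and return the bias of each data set."""
    source = random.Random(sim_seed)                    # fixed seed: repeatable run
    raw, xored, added = bytearray(), bytearray(), bytearray()
    for _ in range(blocks):
        physical = simulated_physical_rng(source)
        raw += physical
        xored += smooth(physical, "xor")
        added += smooth(physical, "add")
    return {"raw": bias(raw), "xor": bias(xored), "add": bias(added)}


if __name__ == "__main__":
    for name, eps in run_experiment().items():
        print(f"{name:>3}: bias = {eps:.5f}")
```

The bias figure measures uniformity only: `smooth` is a deterministic function of the physical bytes, so an all-zero (stuck) input still yields balanced-looking output, and health checks on the source have to run on the raw bytes before smoothing.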
As stated above, smoothing a random number generated by physical means in accordance with the present invention provides a marked improvement in uniformity of distribution of 0s and 1s. The improvement is evident from several tests which were conducted on random numbers generated from a physical RNG alone, as compared to random numbers generated from a physical RNG which has been smoothed in accordance with the present invention. The physical RNG used in the comparison was that as described above in reference to FIG. 2, and the smoothing function used was to XOR the physical random number with a pseudo random number as described above in reference to FIG. 3. A 1 Megabyte random number was generated in each instance so that all tests could be performed on the same set of data points. To establish that the present invention could be used to correct biased random number generation due to variable operation conditions, temperature, voltage, and frequency were varied as follows: Temperature: -25 °C, 25 °C, and 85 °C; Voltage: 3.5 V, 5.5 V, and 6.5 V; Frequency: 2.5 MHz, 4.9 MHz, and 8.0 MHz. All other operating variables remained constant.
Table 1 provides the results of the comparison, while a description of the various tests performed and the significance of the results of each test follow the table.

| Test | Data | Average | Stddev | % Fail | Comment |
|---|---|---|---|---|---|
| Zeros | Raw | 50.7661 | 3.50648 | N/A | |
| Zeros | Smoothed | 50.0006 | 0.04778 | N/A | Signif. Diff. |
| Ones | Raw | 49.2339 | 3.50648 | N/A | |
| Ones | Smoothed | 49.9994 | 0.04778 | N/A | Signif. Diff. |
| Bias | Raw | 0.023669 | 0.026927 | 61.8% | |
| Bias | Smoothed | 0.000389 | 0.000276 | 0.0% | Signif. Diff. |
| Chi Sqr1 | Raw | 5388.95 | 14373.5 | 95.3% | |
| Chi Sqr1 | Smoothed | 0.93 | 1.1 | 0.0% | Signif. Diff. |
| Chi Sqr255 | Raw | 40369.7 | 131372 | 99.4% | |
| Chi Sqr255 | Smoothed | 258.0 | 24 | 0.0% | Signif. Diff. |
| Run Up | Raw | 6.41720 | 4.47521 | 4.1% | |
| Run Up | Smoothed | 6.41982 | 3.66742 | 1.8% | No Signif. Diff. |
| Run Down | Raw | 6.27865 | 3.96110 | 2.9% | |
| Run Down | Smoothed | 6.03363 | 3.38882 | 0.6% | No Signif. Diff. |
| Collision | Raw | 364.576 | 856.947 | 45.9% | |
| Collision | Smoothed | 128.256 | 10.805 | 0.6% | Signif. Diff. |
| Multi-Cllsn | Raw | 461.665 | 1123.47 | 47.1% | |
| Multi-Cllsn | Smoothed | 128.333 | 7.07 | 0.0% | Signif. Diff. |
| Universal | Raw | 12.0005 | 0.433735 | 94.1% | |
| Universal | Smoothed | 12.1674 | 0.006089 | 0.0% | Signif. Diff. |
| 3 1-bit | Raw | 6601.11 | 17955.0 | 97.1% | |
| 3 1-bit | Smoothed | 4.13 | 2.6 | 1.2% | Signif. Diff. |
| 3 3-bit | Raw | 20826.9 | 72239.8 | 91.8% | |
| 3 3-bit | Smoothed | 451.6 | 30.0 | 2.4% | Signif. Diff. |

TABLE 1
The "Zeros" test is a test which determines the percentage of 0s in the resulting random number. Similarly the "Ones" test determines the percentage of 1s in the resulting random number. The "Bias" test shows how far the percentage of 0s or 1s is away from 50%. Bias is presented by a positive real number ε such that the percentage of 0s or 1s = 0.5 ± ε. In practice, ε < 0.01 is expected. However, a small ε does not mean the difference between the number of 0s and the number of 1s is not significant. The significance of the difference is measured by the Chi Square test with one degree of freedom ("Chi Sqr1"). If the result from Chi Sqr1 is less than 6.635, the sequence is regarded as having no significant difference between the number of 0s and the number of 1s.
The "Chi Sqr255" test is a Chi Square test with 255 degrees of freedom, and examines if the frequency of 8-bit (1 byte) patterns in a sequence looks like those of a truly random sequence. If the result of the test is less than 335, 8-bit patterns are regarded as uniformly distributed. This test is stronger than Chi Sqr1 because a sequence producing a good Chi Sqr1 result can nonetheless have poor results using Chi Sqr255.
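An added example (not from the patent) of the Bias, Chi Sqr1 and Chi Sqr255 checks described above, using the page's pass limits of 6.635 and 335. The Pearson statistic is assumed, since the page does not print the formula, and the three input sequences are constructed to show a small ε that still fails Chi Sqr1 and balanced bits that still fail Chi Sqr255.

```python
"""Added example: Bias, Chi Sqr1 and Chi Sqr255 checks with the page's limits."""
from collections import Counter

CHI_SQR1_LIMIT = 6.635      # page's pass limit, 1 degree of freedom
CHI_SQR255_LIMIT = 335.0    # page's pass limit, 255 degrees of freedom
POPCOUNT = [bin(v).count("1") for v in range(256)]


def bit_counts(data):
    """Return (number of 0 bits, number of 1 bits) in a byte string."""
    ones = sum(POPCOUNT[value] * n for value, n in Counter(data).items())
    return 8 * len(data) - ones, ones


def chi_sqr1(data):
    """Pearson chi-square of the 0/1 counts against a 50/50 split (assumed formula)."""
    zeros, ones = bit_counts(data)
    expected = (zeros + ones) / 2
    return ((zeros - expected) ** 2 + (ones - expected) ** 2) / expected


def chi_sqr255(data):
    """Pearson chi-square of the 256 byte-pattern counts against a flat distribution."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def evaluate(data):
    """Run the three checks and apply the page's limits."""
    zeros, ones = bit_counts(data)
    stat1, stat255 = chi_sqr1(data), chi_sqr255(data)
    return {
        "bias": abs(zeros / (zeros + ones) - 0.5),
        "chi_sqr1": stat1,
        "chi_sqr255": stat255,
        "pass_chi_sqr1": stat1 < CHI_SQR1_LIMIT,
        "pass_chi_sqr255": stat255 < CHI_SQR255_LIMIT,
    }


# Constructed inputs (not measurement data):
# every byte value equally often, so both statistics are exactly zero
UNIFORM = bytes(range(256)) * 32
# four 0s and four 1s in every byte, but only two byte patterns ever occur
BALANCED_BITS_SKEWED_BYTES = bytes([0x0F, 0xF0]) * 4096
# about one megabit with 1024 extra zero bytes: bias stays below 0.01
SMALL_BIAS = bytes(range(256)) * 512 + bytes(1024)

if __name__ == "__main__":
    for name, seq in [("uniform", UNIFORM),
                      ("balanced bits, skewed bytes", BALANCED_BITS_SKEWED_BYTES),
                      ("small bias", SMALL_BIAS)]:
        r = evaluate(seq)
        print(f"{name}: bias={r['bias']:.6f} chi1={r['chi_sqr1']:.3f} "
              f"chi255={r['chi_sqr255']:.1f} "
              f"pass1={r['pass_chi_sqr1']} pass255={r['pass_chi_sqr255']}")
```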
The "Run Up" test examines if a sequence runs up like a truly random one. Similarly, the "Run Down" test examines if a sequence runs down like a truly random one. In other words, the results show if a candidate sequence changes like a truly random number sequence in either direction. If each of the results is less than 16.812, the candidate sequence is regarded as one which changes like a truly random sequence.
A "Collision" test examines the number of collisions in the first 2^14 (327,680) 20-bit elements. A collision is when an RNG produces the same number twice. A truly random RNG produces numbers with a low probability of collision, although some number of collisions is inevitable. The Multiple Collision ("Multi-Cllsn") test examines the maximum, minimum and average number of collisions in whole sequences composed of segments of 2^14 20-bit elements. The collision possibility in practical applications is inferred from the observations of collision characteristics of 20 bit long segments. If less than 153 collisions occur in a 327,680 (2^14) bit candidate sequence, the sequence is regarded as "low collision risk".
The "Universal" test measures the average information entropy in a segment with a specified number of bits by means of the Elias compression algorithm. The test was proposed by U. M. Maurer and is recommended by the IEEE to evaluate if a hardware (physical) random number generator can produce a sequence with enough uncertainty. By testing a sequence with one million bits, the test presents an average evaluation of the uncertainty in any 13-bit segment produced by the RNG. By testing a sequence with seven million bits, it presents an average value in any 16-bit segment. For example, if L = 16 bits and 15.166144 is presented, this means that 15.166144 bits in average are really uncertain (or unguessable, unpredictable) in any 16 bit segment of the candidate sequence. The test produces two values, v1 and v2, for a specified L where v1 is the average uncertainty and v2 is the test boundary which is sample size dependent. In Table 1, v1 is shown, with v2 being 12.136731 in both cases. If v1 > v2 then the candidate sequence passes the universal test.
The "3 1-bit" test checks the independence between three bits by examining every bit in a sequence, and checks uniformity as well. The "3 3-bit" test checks the independence between three 3-bit elements by examining every 3-bit element in the sequence, again while checking uniformity. If a random number sequence passes the Chi Square and various 0s/1s tests, the results of the 3 1-bit and 3 3-bit tests show whether adjacent elements in the sequence depend on each other. In other words, this test not only determines whether elements in a sequence are uniformly distributed but also if they behave like tossing coins. A good result is expected to be less than 13.277 for the 3 1-bit test and less than 520.556 for the 3 3-bit test.
From the above table it is apparent that the output from the physical RNG alone, without smoothing, is statistically poor with > 90% of the data points failing the Chi Sqr1/255, Universal and Independence tests and > 60% failing the Bias test. This is driven not only by a high average value for each test, but also by a very large standard deviation. Accordingly, the physical RNG is not capable of producing a random number across the voltage, temperature and frequency ranges evaluated. A dramatic improvement in performance can be achieved by smoothing the physical RNG output with a number generated by a pseudo RNG as the results above demonstrate. The only tests not significantly improved by the smoothing were the Run Up and Run Down tests. The results of these two tests provide acceptable results with or without smoothing.
The foregoing description and illustrations contained herein demonstrate many of the advantages associated with the present invention. In particular, it has been revealed that the bias and non-uniformity of a random number generator from physical means can be removed by smoothing the number with a pseudo random number. Such smoothing can be accomplished simply by XORing or adding the numbers together, without the need for additional hardware. Of twelve tests for measuring randomness used to evaluate the merits of the invention, ten showed that a significant improvement is obtained by smoothing the physical RNG output.
Thus it is apparent that there has been provided, in accordance with the invention, a method for generating a random number that fully meets the need and advantages set forth previously. Although the invention has been described and illustrated with reference to specific embodiments thereof, it is not intended that the invention be limited to these illustrative embodiments. Those skilled in the art will recognise that modifications and variations can be made without departing from the scope of the invention. For example, the invention is not limited to being implemented by an integrated circuit. Any general data processing system can be used, and the smoothing function can be performed using software, hardware, firmware or any combination thereof. If using a hardware design, conventional hardware implementations of a pseudo RNG can be used with the invention. In addition, the invention is not limited to the particular application for which the random number is to be used. Nor is the invention limited to the particular type of physical RNG used to generate the initial random number, since all physical RNGs are inherently biased and/or provide non-uniform distributions to a degree and will therefore benefit from the present invention. Therefore, it is intended that this invention encompass all such variations and modifications as fall within the scope of the appended claims.
Appendix
XOR Proof:
It is noticed that if a biased sequence $\{x_i\}$ is XORed with a well balanced sequence $\{y_i\}$, a well balanced resultant sequence $\{z_i\}$ will be achieved. This fact can be proved as follows:

$$
\begin{aligned}
p\{z_i = 0\} &= p\{(x_i = 0 \cap y_i = 0) \cup (x_i = 1 \cap y_i = 1)\} \\
&= p\{x_i = 0 \cap y_i = 0\} + p\{x_i = 1 \cap y_i = 1\} - p\{x_i = 0 \cap y_i = 0 \cap x_i = 1 \cap y_i = 1\} \\
&= p\{x_i = 0 \cap y_i = 0\} + p\{x_i = 1 \cap y_i = 1\} \\
&= p\{x_i = 0\} \cdot p\{y_i = 0\} + p\{x_i = 1\} \cdot p\{y_i = 1\} \\
&= p\{x_i = 0\} \cdot \tfrac{1}{2} + p\{x_i = 1\} \cdot \tfrac{1}{2} \\
&= \left(p\{x_i = 0\} + p\{x_i = 1\}\right) \cdot \tfrac{1}{2} \\
&= \tfrac{1}{2}
\end{aligned}
$$

$p\{z_i = 1\} = \tfrac{1}{2}$ can be achieved by the same deduction.

As a result, $z_i$ will always be 0 or 1 with probability of $\tfrac{1}{2}$ no matter what the distribution of $\{x_i\}$ is.
ADD Proof:
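Similar to the XOR operation, the ADD operation has the same effect. It can be proved as follows.

Let $c$ be the carry from previous addition with unknown probability.

$$
\begin{aligned}
p\{z_i = 0\} &= p\{(x_i = 0 \cap y_i = 0 \cap c = 0) \cup (x_i = 1 \cap y_i = 1 \cap c = 0) \\
&\qquad \cup\, (x_i = 0 \cap y_i = 1 \cap c = 1) \cup (x_i = 1 \cap y_i = 0 \cap c = 1)\} \\
&= \tfrac{1}{2}\left(p\{x_i = 0\} \cdot p\{c = 0\} + p\{x_i = 1\} \cdot p\{c = 0\} + p\{x_i = 0\} \cdot p\{c = 1\} + p\{x_i = 1\} \cdot p\{c = 1\}\right) \\
&= \tfrac{1}{2}\left(p\{x_i = 0\} + p\{x_i = 1\}\right) \cdot \left(p\{c = 0\} + p\{c = 1\}\right) \\
&= \tfrac{1}{2} \cdot 1 \cdot 1 \\
&= \tfrac{1}{2}
\end{aligned}
$$

$p\{z_i = 1\} = \tfrac{1}{2}$ can be achieved by the same deduction.

Again, as a result, $z_i$ will always be 0 or 1 with probability of $\tfrac{1}{2}$ no matter what the distribution of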
The above results imply that the following structure provides a balanced output.
physical RNG: $x_i$
pseudo RNG: $y_i$

where
(1) $f(x_i, y_i) = x_i \oplus y_i$, or
(2) $f(x_i, y_i) = x_i + y_i + c_{i-1}$, with $c_{i-1}$ = carry of $(x_{i-1} + y_{i-1})$ and $c_0 = 0$.

Claims

1. A method for generating a random number using a physical random number generator, the method comprising the steps of: generating a binary random number using the physical random number generator; generating a binary pseudo random number; and smoothing the binary random number by combining the binary random number with the binary pseudo random number to substantially remove any distribution bias associated with the binary random number.
2. The method of claim 1 wherein the step of smoothing comprises XORing the binary random number with the binary pseudo random number.
3. The method of claim 1 wherein the step of smoothing comprises ADDing the binary random number with the binary pseudo random number.
4. The method of claim 1 wherein the step of smoothing comprises combining the binary random number with the binary pseudo random number in a manner which can mathematically be proven to produce a resulting random number which has a uniform distribution of 0s and 1s.
5. The method of any preceding claim wherein the physical random number generator comprises two independent, cascaded oscillators.
6. The method of any preceding claim wherein the data processing system comprises an integrated circuit.
7. The method of claim 6 wherein the integrated circuit is used in a smart card.
8. The method of any preceding claim wherein the pseudo random number is generated from a seed derived from the binary random number, and wherein only one physical random generator is used to create the random number.
9. A random number generator comprising: a physical random number generator means which generates a first number; means for generating a pseudo random number which generates a second number; and means for smoothing the first number by combining the first number with the second number to substantially remove any distribution bias associated with the first number.
10. The random number generator of claim 9 wherein the first and second numbers are binary numbers.
11. The random number generator of claim 9 or 10 wherein the means for smoothing comprises means for performing an XOR function on the first and second numbers.
12. The random number generator of claim 9 or 10 wherein the means for smoothing comprises means for performing an ADD function on the first and second numbers.
PCT/EP1999/000268 1998-01-24 1999-01-13 Random number generation method and apparatus WO1999038069A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB9801492A GB2333652A (en) 1998-01-24 1998-01-24 Random number generator with improved equiprobability
GB9801492.1 1998-01-24

Publications (1)

Publication Number Publication Date
WO1999038069A1 true WO1999038069A1 (en) 1999-07-29

Family

ID=10825800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1999/000268 WO1999038069A1 (en) 1998-01-24 1999-01-13 Random number generation method and apparatus

Country Status (3)

Country Link
GB (1) GB2333652A (en)
TW (1) TW417059B (en)
WO (1) WO1999038069A1 (en)

Also Published As

Publication number Publication date
GB2333652A (en) 1999-07-28
GB9801492D0 (en) 1998-03-18
TW417059B (en) 2001-01-01

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): CN JP KR US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase