Modeling and observing the jitter in ring oscillators implemented in FPGAs

Boyan Valtchanov, Alain Aubert, Florent Bernard, Viktor Fischer

Abstract— Random number generators represent one of the basic cryptographic primitives used to compose cryptographic protocols. While Field Programmable Gate Arrays (FPGAs) are well suited for implementing algorithmic random number generators (pseudo-random number generators), generating fast and secure true random bitstreams inside FPGAs is an open problem. Most true random number generators in FPGAs employ the timing jitter present in ring oscillator clocks as a source of randomness. The paper analyses the jitter generated in ring oscillators and presents a simple physical model of its sources. The jitter generated in MATLAB in accordance with the proposed model is then used as an input in VHDL simulations. To evaluate the model, we use an embedded technique of jitter measurement. The principle is simulated in VHDL and validated by experiments using different FPGA technologies.

I. INTRODUCTION

Cryptographic applications are typically based on ASIC technology as it is believed to provide a sufficient security level. However, recent advances in attacks on implementations show that this preconceived idea is not necessarily valid. Static implementations based on ASICs are inherently impossible to update or upgrade in response to new security threats. On the other hand, FPGA technology has much greater potential because of its capability for dynamic reconfiguration [1]. We believe that FPGA technology is an important future platform for cryptographic applications.

Random number generators (RNGs) represent one of the basic cryptographic primitives used to compose cryptographic protocols. Their applications include but are not restricted to the generation of cryptographic keys, initialization vectors, challenges, nonces and padding values, and also to the implementation of counter-measures against side-channel attacks. Besides giving an unpredictable output bitstream with good statistical properties, RNGs aimed at cryptographic applications must fulfill several security requirements: they should be either testable in real time or provably secure.

Security of hardware cryptographic systems is related to the protection of confidential keys. In high-end information security systems, when used in an uncontrolled environment, cryptographic keys should never be generated outside the system and they should never leave the system in the clear. For this reason, if the security system is implemented in a single chip (cryptographic system on chip), the keys should be generated inside the chip. Implementation of random number generators in logic devices (including configurable logic devices) is therefore an important issue.

While FPGAs are well suited for implementing algorithmic random number generators (pseudo-random number generators - PRNGs), generating fast true random bitstreams inside FPGAs is an open problem. True random number generators in FPGAs mostly employ ring oscillators to generate randomness. The delay instability of logic gates (inverters) connected into the ring is seen as a frequency/phase instability (a jitter) of the generated clock. The jitter is extracted in a sampling unit using flip-flops or latches.

Because the jitter included in the generated clock is used directly as a source of randomness, it is necessary to evaluate its statistical and temporal parameters before it is employed. Usually, the jitter is measured outside the device using a fast digital oscilloscope. However, the input-output circuitry generates an additional jitter and the measured values do not correspond exactly to the jitter that is used to generate random numbers. For this reason, we propose a method that makes it possible to evaluate the jitter employed in the generator.

It is known that the jitter generated in ring oscillators is composed of a random Gaussian jitter and a deterministic jitter. It is important to evaluate the proportion of the random jitter and deterministic jitter in the total clock jitter and their contribution to the generation of random numbers. It is especially important in the case of the deterministic jitter, because it can be manipulated from outside the device and it can thus constitute an attack on the generator. However, the impact of the random and deterministic jitter on the quality of generated random numbers has not been sufficiently evaluated up to now. We propose a simplified model of jitter generation and distribution in ring oscillators, which makes it possible to simulate in VHDL the behavior of the random number generator and to evaluate exactly the contribution of random and deterministic jitter to the quality of generated random numbers.

The paper is organized as follows: in Section II we propose a simplified model of the ring oscillator including jitter generation.
The model proposed is validated in Section III using VHDL simulation of the embedded jitter measurement method. In Section IV, the results of simulation are compared with the jitter measurement in hardware. The obtained results are discussed in the next section. Finally, some practical conclusions are given at the end of the paper.

II. MODELING THE JITTER IN RING OSCILLATORS

Ring oscillators are free-running oscillators composed of an odd number of inverters (see Fig. 1). Each inverter of the ring oscillator propagates the rising and falling edges of the generated clock signal in two half-periods respectively. The total clock period is thus given as

$$T = 2kd, \tag{1}$$

where $k \in \{3, 5, 7, \ldots, 2n-1\}$ is the number of inverters and $d$ is the delay of one inverter INV. The smallest value of $k$ was observed empirically [2], and it comes from the fact that each delay element shifts the signal phase by a maximum of 60°.

Fig. 1. Ring oscillator with odd number of inverters

Because the oscillator has to be composed of an odd number of inverters, the period can be tuned only in steps of $4d$. The difficulty of fine-tuning the oscillator clock period can be overcome by using only one inverter and any number of non-inverting delay elements in the ring. The resulting period can then be tuned in steps of $2d$. It can sometimes be useful to invert and control the generation of the clock signal using a NAND gate [3]. The proposed ring oscillator from Fig. 2 can be fine-tuned and synchronized with some external control signal. If the oscillator is realized in an FPGA, both the non-inverting delay elements (DE) and the NAND gate are implemented in look-up tables (LUTs) having the same delay. The generated clock period is given by the form (1), where $k \in \{3, 4, 5, \ldots, n\}$ is the number of delay elements.

Fig. 2. Controlled ring oscillator with non-inverting delay elements

In the previous analysis we have supposed that all the delay elements (or gates) have some identical and time-invariant delay. In fact, neither of these assumptions is valid in real physical devices. First, because of technology limits, the delay of gates depends on their location in the device. Second, because of physical processes in the device and its environment, the gate delay varies in time. The clock period generated by the proposed physical ring oscillator is thus given by the form

$$T = 2\sum_{i=1}^{k} d_i, \tag{2}$$

where $k \in \{3, 4, 5, \ldots, n\}$ is the number of delay elements and $d_i$ is the delay of the $i$-th delay element.

A. Jitter sources in logic devices

In the case of ring oscillators, the delay variation of gates is observed as the clock jitter. This jitter can be seen as a composition of a local jitter caused by local sources and of a global jitter common for all gates and coming usually from the power supply and/or the global device environment.

To evaluate the influence of the gate delay variation on the ring oscillator-generated clock and on random number generators in general, we propose a physical model of the jitter sources and their distribution in the logic device. In this model, the delay $d_i$ of individual gates is defined as

$$d_i = D_i + \Delta d_i = D_i + \Delta d_{Li} + \Delta d_{Gi}, \tag{3}$$

where $D_i$ is a stable delay of gate $i$ corresponding to the nominal supply voltage level and nominal temperature of the logic device and $\Delta d_i$ is the delay variation composed of the jitter introduced by local physical events ($\Delta d_{Li}$) and of the jitter caused by global device working conditions such as VCC, temperature, etc. ($\Delta d_{Gi}$).

1) Local jitter sources: The delay $d_i$ of a logic gate is dynamically modified by some amount of a non-deterministic jitter $\Delta d_{LGi}$ (LG - local Gaussian jitter) and by some local cross-talk from the neighboring circuitry $\Delta d_{LDi}$ (LD - local deterministic jitter). We suppose in our simplified model that the local non-deterministic jitter introduced to individual gate delays is independent between gates. At the same time, we suppose that the local deterministic jitter can feature some inter-gate dependency. The complete local jitter of gate $i$ from equation (3) can thus be expressed as

$$\Delta d_{Li} = \Delta d_{LGi} + \Delta d_{LDi}, \tag{4}$$

where $\Delta d_{LGi}$ is the local Gaussian jitter of this gate characterized by a normal probability distribution $N(\mu_i, \sigma_i^2)$ with the mean value $\mu_i = 0$ and the standard deviation $\sigma_i$.

2) Global jitter sources: Besides being influenced locally, the delays of all logic gates in the device are modified both slowly and dynamically by global jitter sources. The slow changes of the gate delay $\Delta D$ can be caused by a slow variation of the power supply and/or temperature. The power source noise and some deterministic signal, which can be superposed on the supply voltage, can cause dynamic gate delay modification, composed of a Gaussian global jitter $\Delta d_{GGi}$ and a deterministic global jitter $\Delta d_{GDi}$. The overall global jitter from equation (3) can therefore be expressed as

$$\Delta d_{Gi} = K_i (\Delta D + \Delta d_{GG} + \Delta d_{GD}), \tag{5}$$

where $K_i$ corresponds to the proportion of the global jitter sources on the given gate delay. This comes from the fact that the amount of the global jitter included in delays of individual logic gates is not necessarily the same for all gates.

3) Discussion on jitter sources included in the gate delay model: To simplify the proposed model, we have selected the most important local and global jitter sources in the device. We consider the local Gaussian jitter $\Delta d_{LGi}$ from equation (4) as a principal source of randomness in the TRNG. We suppose that it is statistically independent between individual logic gates. However, we do not take into account the local deterministic jitter $\Delta d_{LDi}$ in our model, because it is supposed to be negligible in size and difficult to use in attacks (only well localized EMI or similar complex attacks could use them). Other sources of jitter, which are considered in our model, are the global deterministic jitter sources $\Delta d_{GDi}$. Their role in ring oscillator based TRNGs is very important, since they can be manipulated from outside the device and they can thus be used to implement active attacks on the generator. The slow delay changes $\Delta D$ from equation (5) are neglected in our model, because they do not contribute to randomness generation. Finally, the global Gaussian jitter $\Delta d_{GG}$ from the same equation is neglected, too, because it can be filtered out from the power signal and if it is not, it can be considered to be included in the deterministic global jitter. The delay variation of each gate in the device as it is used in the proposed simplified model can be expressed as

$$\Delta d_i = \Delta d_{LGi} + K_i \Delta d_{GD}. \tag{6}$$

To simplify the gate delay model further, we suppose that the delay of individual gates depends on various jitter sources linearly. However, non-linearity can easily be introduced to the proposed model if necessary. In real physical systems, the switching current of each individual gate modifies locally and/or globally the voltage level of the power supply, which in turn modifies (again locally and/or globally) the gate delay. The delays of individual gates are not completely independent. This mutual dependence between gates is not yet included in our model.

B. Jitter generation, distribution and accumulation in ring oscillators

To quantify the jitter of the clock generated in ring oscillators, many TRNG designers measure the clock jitter using a digital oscilloscope outside the FPGA [4], [5], [6]. However, depending on the generated clock frequency, the measured jitter parameters can be far from those employed by the generator inside the device. This can be illustrated by the fact that input/output circuitry and mechanical connection (device pin) act as a low-pass filter that filters out all signals faster than 200 MHz even in the fastest versions of FPGAs. The jitter measured outside the device can be viewed in the way presented in Fig. 3. As can be seen, both local and global jitter sources can contribute during clock signal generation and transfer inside the device and during its output from the device. The jitter observed externally can thus be decomposed into: 1.) the jitter introduced by all gates of the ring oscillator, 2.) the jitter added to the signal during its transmission to the output pin, 3.) the jitter added to the output clock signal in the input/output circuitry.

Fig. 3. Jitter distribution in the logic device including ring oscillator

1) Jitter accumulation in ring oscillator gates: One of the most important aspects of the jitter behavior in ring oscillators is its accumulation in time. The simulation and evaluation of the jitter accumulation in ring oscillators together with the simulation and evaluation of its extraction in TRNGs were the main objectives that led us to work on the proposed model. Using equation (2), the ring oscillator half period can be expressed as:

$$H = \sum_{i=1}^{k} (D_i + \Delta d_{LGi} + \Delta d_{GDi}) = \sum_{i=1}^{k} D_i + \Delta H_{LGacc} + \Delta H_{GDacc}, \tag{7}$$

where

$$\Delta H_{LGacc} = \sum_{i=1}^{k} \Delta d_{LGi} \tag{8}$$

is the local Gaussian jitter with the probability distribution $N(0, \sigma_{acc}^2)$, which is accumulated during one half period $H$ in $k$ gates of the ring oscillator and

$$\Delta H_{GDacc} = \sum_{i=1}^{k} \Delta d_{GDi} = \sum_{i=1}^{k} K_i \Delta d_{GD} \sim k \Delta d_{GD} \tag{9}$$

is the global deterministic jitter accumulated during one half period $H$ in $k$ gates. If the Gaussian jitter introduced in all oscillator gates has the same variance, the accumulated jitter has the variance

$$\sigma_{acc}^2 = \sum_{i=1}^{k} \sigma_i^2 = k\sigma^2. \tag{10}$$

The total jitter accumulated in $k$ gates of the ring oscillator during $l$ generated clock periods can be expressed as

$$\Delta T_{tot} = \Delta T_{LGtot} + \Delta T_{GDtot}, \tag{11}$$

where

$$\Delta T_{LGtot} = \sum_{j=1}^{2l} \sum_{i=1}^{k} \Delta d_{LGij} \tag{12}$$

is the total local Gaussian jitter with the probability distribution $N(0, \sigma_{tot}^2)$, which is accumulated during $l$ periods $T$ in $k$ gates of the ring oscillator and

$$\Delta T_{GDtot} = \sum_{j=1}^{2l} \sum_{i=1}^{k} \Delta d_{GDij} \sim \sum_{j=1}^{2l} k \Delta d_{GDj} \tag{13}$$

is the total global deterministic jitter accumulated during $l$ periods $T$ in $k$ gates. If the Gaussian jitter introduced in all oscillator gates had the same statistical parameters (which is often true in real devices), the accumulated jitter would have the variance

$$\sigma_{tot}^2 = \sum_{j=1}^{2l} \sigma_{acc}^2 = 2kl\sigma^2. \tag{14}$$

Fig. 4. Left: Gaussian jitter (in ps on the vertical axis) accumulated in ring oscillator during $l$ clock periods ($l \in \{1, 2, 3, \ldots, 1000\}$). Right: histogram representing the distribution of accumulated Gaussian jitter obtained in 50,000 realizations of 1000 periods

Fig. 5. VHDL behavioral model of the jitter measurement

We have simulated the accumulation of random jitter with normal distribution $N(0, \sigma^2)$ and standard deviation $\sigma = 35$ ps in 10 realizations of 1 to 1000 clock periods (see left part of Fig. 4). Following the normal distribution laws, less than 99.7% of accumulated jitter values should lie within a distance of three standard deviations, i.e. $\pm 3\sigma_{tot}$ (see dashed line in left part of Fig. 4). The right part of Fig. 4 shows the histogram of the distribution of accumulated jitter values after 1000 clock periods in 50,000 different realizations. It can be seen that the standard deviation is about 1000 ps as expected ($= 35\sqrt{1000}$ ps).

2) Jitter added in routing and output circuitry: The routing can contribute to the distribution of jitter sources in two ways: first, the long routes transmitting fast signals can induce a deterministic noise in neighboring gates; second, logic gates included in routing can add some additional jitter to the clock signal. The effect of input/output circuitry on the overall clock jitter is particularly important for high clock frequencies. Because of high parasitic capacitances, the input/output circuitry behaves as a low-pass filter at frequencies that can be significantly lower than those generated by ring oscillators inside the device.

III. MODELING JITTER MEASUREMENT IN VHDL USING BEHAVIORAL MODEL OF RING OSCILLATOR

To validate the model of the jitter accumulation in ring oscillators, we have simulated a jitter measurement method from Fig. 5. The oscillator had seven gates and each gate had a slightly different delay of about 720 ps. The dynamic delay variation of individual gates of the ring oscillator was generated in MATLAB into seven separate files. The time-base generator was used to generate successive measurement intervals $T_{ena} = 264$ µs corresponding to 8000 periods of the 30 MHz reference clock. During this time the output 16-bit counter was incremented on each rising edge of the clock generated in the ring oscillator, which included the jitter. At the end of the measurement interval, the obtained value was saved to an output file. The generation was stopped after about 500 measurements. Due to the accumulation of the jitter during the generated time window, the counter values were different on each measurement.

Two situations have been simulated: in the first one the jitter introduced to individual gates was a random jitter with normal distribution, in the second one the jitter was constituted of a random and a deterministic component. The aim of both simulations was to get the size of the jitter corresponding to that introduced to oscillator gates using the proposed embedded measurement method.

A. Modeling embedded measurement of random jitter

In the first simulation, the delay evolution data included in each file consisted of the Gaussian jitter, which was generated for every file separately and which had the mean value $\mu = 0$ and the standard deviation $\sigma = 35$ ps (see Fig. 6 (a)). These values are close to those that can be found in real FPGAs. Figure 7 (a) presents a plot of values of the simulation output file. These values were obtained from the behavioral simulation of the embedded jitter measurement.

Fig. 6. Plot of the jitter file contents featuring Gaussian jitter (a) and a composition of Gaussian and deterministic jitter (b)

We have used the simulation output file to quantify the injected jitter. Knowing that the jitter distribution follows a normal law, we have first calculated the standard deviation $\sigma_{cnt}$ and the mean value $\mu_{cnt}$ of the distribution of counter values ($\mu_{cnt} = 26{,}120$ and $\sigma_{cnt} = 2.14$ in our case). Using these two values and knowing the time interval $T_{ena}$, we have converted the standard deviation of counter values to a standard deviation of the total accumulated jitter

$$\sigma_{tot} = \sigma_{cnt} \frac{T_{ena}}{\mu_{cnt}}, \tag{15}$$

which is equal to $\sigma_{tot} = 21.6$ ns. Finally, we could compute the jitter introduced by individual delay elements using the equation

$$\sigma_{LGi} = \frac{\sigma_{tot}}{\sqrt{2k\mu_{cnt}}}, \tag{16}$$

which can be obtained from (14) when replacing $l$ by $\mu_{cnt}$. From (16) it follows that $\sigma_{LGi} = 35.75$ ps. This value corresponds to the random jitter injected to individual gates.
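An added example (not code from the paper): a Python re-creation of the embedded measurement with the simulation values quoted above (k = 7, D of about 720 ps, σ = 35 ps, T_ena = 264 µs, 500 windows), recovering the per-gate jitter with equations (15) and (16). It goes beyond the Gaussian-only case by also applying a constructed 0.2 ps global deterministic offset that is assumed constant inside each window and varies slowly between windows, which shows how equation (16) then overstates the Gaussian jitter; all function names are hypothetical.

```python
import math
import random
import statistics

# Values from the paper's VHDL simulation; D is "about 720 ps" there and is
# assumed identical for all gates here.
K_GATES = 7              # delay elements in the ring
D_NOMINAL_PS = 720.0     # nominal gate delay D_i
SIGMA_LG_PS = 35.0       # per-gate local Gaussian jitter (std dev)
T_ENA_PS = 264e6         # measurement window T_ena = 264 us


def count_edges(rng, dgd_ps=0.0, margin=64):
    """Counter value at the end of one T_ena window.

    dgd_ps is a global deterministic delay offset per gate, held constant for
    the window (K_i = 1 for every gate, the k*dGD approximation of eq. 9).
    """
    period = 2 * K_GATES * (D_NOMINAL_PS + dgd_ps)          # eq. (2)
    sigma_period = SIGMA_LG_PS * math.sqrt(2 * K_GATES)     # eq. (14) with l = 1
    # Jump to `margin` periods before the window closes with a single draw:
    # the Gaussian jitter of n periods sums to N(0, n * sigma_period^2).
    n = int(T_ENA_PS // period) - margin
    t = n * period + rng.gauss(0.0, sigma_period * math.sqrt(n))
    # Walk the remaining periods one by one until an edge falls outside T_ena.
    while True:
        t += period + rng.gauss(0.0, sigma_period)
        if t > T_ENA_PS:
            return n
        n += 1


def measure(n_windows=500, dgd_amplitude_ps=0.0, windows_per_cycle=50, seed=1):
    """Counter values for successive windows; the supply-induced offset is a
    slow sinusoid across windows (constructed waveform)."""
    rng = random.Random(seed)
    counts = []
    for w in range(n_windows):
        dgd = dgd_amplitude_ps * math.sin(2 * math.pi * w / windows_per_cycle)
        counts.append(count_edges(rng, dgd))
    return counts


def estimate_sigma_lg(counts, t_ena_ps=T_ENA_PS, k=K_GATES):
    """Per-gate jitter recovered from counter statistics, eqs. (15) and (16)."""
    mu_cnt = statistics.fmean(counts)
    sigma_cnt = statistics.stdev(counts)
    sigma_tot = sigma_cnt * t_ena_ps / mu_cnt
    return sigma_tot / math.sqrt(2 * k * mu_cnt)


def lag1_autocorrelation(counts):
    """Near 0 when windows differ only by Gaussian jitter; near 1 when a slow
    deterministic component drives the counter."""
    mu = statistics.fmean(counts)
    num = sum((a - mu) * (b - mu) for a, b in zip(counts, counts[1:]))
    den = sum((c - mu) ** 2 for c in counts)
    return num / den


if __name__ == "__main__":
    cases = (("Gaussian only", 0.0), ("Gaussian + 0.2 ps deterministic", 0.2))
    for label, amp in cases:
        c = measure(dgd_amplitude_ps=amp)
        print(f"{label}: sigma_LG estimate = {estimate_sigma_lg(c):.1f} ps, "
              f"lag-1 autocorrelation = {lag1_autocorrelation(c):.2f}")
```

For a TRNG evaluator, an inflated estimate combined with a high lag-1 autocorrelation of the counter values indicates that the measured spread is not dominated by the Gaussian component and should not be credited as entropy.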

B. Modeling embedded measurement of a composition of random and deterministic jitter

In the second simulation, the contents of the delay evolution data file consisted of a mixture of the Gaussian jitter and the deterministic jitter according to equation (6). The deterministic jitter added to the random jitter in individual files was identical for all delay elements (see Fig. 6 (b)). It had a linearly decreasing slope with the mean value equal to zero. The time period of the deterministic signal was approximately 220 ns. Figure 7 (b) presents the time evolution of measured values. The difference between these values corresponds to the random jitter introduced to the gates of the oscillator.

Fig. 7. Plot of results of embedded measurement of jitter: Gaussian jitter only (a), mixture of Gaussian and deterministic jitter (b)

IV. JITTER MEASUREMENT IN HARDWARE

In order to validate the jitter generation and measurement model, we have implemented a 7-element ring oscillator in two different FPGA families: one based on the RAM technology (the Stratix II family from Altera) and one using FLASH ROM technology (the Fusion family from Actel).

A. Jitter measurement system implementation in hardware

To guarantee as much objectivity of the measurement as possible, we have decided to use original evaluation boards from the two FPGA vendors. We have used the Nios2 development board from Altera featuring the Stratix II EP2S60 device and the System Management board from Actel with the Fusion M7AFS600 device. The measurement principle is depicted in Figure 8 and it can be seen that it is the same as that used in the behavioral measurement model evaluated in Section III (see Fig. 5).

Fig. 8. Principle of the jitter measurement in hardware

The control signal ENA is generated from a quartz-oscillator generated reference clock, which is used to enable/disable the oscillations of the ring oscillator. During the operating phase, an 8-bit counter is connected to the output of the ring oscillator. The counter counts the rising edges of the oscillator output signal. Since the ENA signal is generated by an external quartz reference clock, the duration of the operating phase of the ring oscillator is fixed. During that phase the accumulation of the timing jitter during each period of the generated clock signal leads to a variation of the counter value. The obtained values are output from the FPGA and transmitted to a personal computer through a USB module - a small application board connected to the Santa Cruz connector of the evaluation board used. The acquired values represent the variation in time of the accumulated jitter.

The delay elements are implemented in look-up tables (LUT) of logic elements in the Altera Stratix II device. In the Actel Fusion device, the control gate of the ring oscillator is implemented as a two-input NAND gate and the delay elements as two-input AND gates with two inputs shorted. Both gates are implemented using Actel library component instantiation.

B. Results of the jitter measurement in hardware

The estimated delays of the two-input NAND gate and two-input AND gate in the Actel Fusion family are identical and equal to 0.63 ns for the selected device speed. The estimated output frequency of the 7-element ring oscillator in the chosen device is thus equal to about 113 MHz. The real output frequency was 98 MHz, probably because of routing delay. Figure 9 presents the plot of counter values obtained using

Actel ARM Fusion evaluation board. The reference clock frequency was 30 MHz and the time-base interval was 10,000 clock periods. The measurement set was found to exhibit Gaussian properties so we could apply the same method explained in Section III.A (equation 16) to estimate the amount of RMS jitter due to each elementary logic element. The value found in that way is $\sigma_{LG} = 33$ ps.

Fig. 9. Jitter measurement results in Actel Fusion device on the Actel ARM Fusion evaluation board

Since both the control gate and delay elements in the Altera family are implemented in LUTs, the estimated delay is the same for all of them and equal to about 0.33 ns. The estimated output frequency of the ring oscillator in the Altera Stratix II family is thus equal to about 216 MHz. The real output frequency of the ring oscillator is 198 MHz. Figure 10 presents the plot of counter values obtained using the Altera Stratix II NIOS II evaluation board. The reference clock frequency was 50 MHz and the time-base interval was 100 clock periods. Note that the curve obtained by the embedded jitter measurement has the same form as that measured using the oscilloscope (see Fig. 11). This is because there was a significant noise signal (100 mV) superimposed on the power voltage signal VCC_INT (1.2 V) in the Altera board.

Fig. 10. Jitter measurement results in Altera Stratix II device on the Altera NIOS II evaluation board

Fig. 11. Signal superimposed on the VCC_INT power supply voltage in Altera Stratix II NIOS II evaluation board. The waveform was obtained using Tektronix TDS 224 digital oscilloscope.

V. DISCUSSION

Equations (11) to (14) in Section II represent the proposed model of the jitter generation and distribution in ring oscillators. The model is very simple, but its behavior is sufficiently close to that of true ring oscillators implemented in FPGAs. The jitter from equation (11) can be observed as cycle-to-cycle jitter of the clock signal and it is used to generate random numbers in TRNGs. It can be seen that it is composed mainly of the locally generated Gaussian jitter and the globally generated deterministic jitter. Both jitter components are accumulated in time, but not in the same way. The accumulated Gaussian jitter is proportional to the square root of the time ($\sigma\sqrt{2kl}$) and the deterministic jitter is proportional to the global jitter source in time linearly

($2kl\Delta d_{GDj}$). We can therefore conclude that the deterministic jitter accumulates faster than the Gaussian jitter. While the Gaussian jitter cannot be manipulated outside the device, the deterministic global jitter can be controlled very easily, e.g. by modulating the power supply. This phenomenon should be taken into account in all TRNG designs. Unfortunately, this is very often not the case. Many TRNGs are therefore vulnerable to active attacks.

The behavior of the ring oscillator in jitter accumulation observed in the VHDL model was confirmed in hardware, too. If the deterministic jitter was negligibly small, the measured jitter was a Gaussian random jitter (see results obtained using Actel Fusion evaluation board from Fig. 10). However, when the deterministic jitter was not negligible, the proportion of the Gaussian jitter component in the measured jitter was attenuated (see results obtained using Altera Stratix II NIOS II evaluation board from Fig. 10).

VI. CONCLUSIONS

In this paper, we have proposed a simple model of the jitter generation and distribution in ring oscillators. The model is very simple, but its behavior is sufficiently close to that of real ring oscillators implemented in FPGAs. It shows that both Gaussian and deterministic jitter components are accumulated in the ring oscillator, but not in the same way. Since the accumulated Gaussian jitter is proportional to the square root of the time, the deterministic jitter accumulates faster than the Gaussian one. This fact has to be taken into account in TRNG design, because it can constitute a base for active cryptographic attacks.

The proposed model leads to the conclusion that the embedded method used to measure the jitter generated in ring oscillators is precise enough if the jitter has only a random (Gaussian) component. However, if the jitter is composed of both Gaussian and deterministic components, the method is not exact, because the deterministic component accumulates faster.

REFERENCES

[1] P. Davies. Thales e-Security White paper: Flexible security. [Online]. Available: http://www.thalesesecurity.com/Whitepapers/documents/WP Flexible Security.pdf
[2] A. M. Fahim, Clock Generators for SOC Processors. Kluwer Academic Publishers, 2005.
[3] M. Bucci and R. Luzzi, “Design of Testable Random Bit Generators,” in International Workshop on Cryptographic Hardware and Embedded Systems (CHES), ser. LNCS, J. R. Rao and B. Sunar, Eds., vol. 3659, Edinburgh, Scotland. Springer-Verlag, August 2005, pp. 147–156.
[4] B. Sunar, W. J. Martin, and D. R. Stinson, “A Provably Secure True Random Number Generator with Built-in Tolerance to Active Attacks,” IEEE Transactions on Computers, vol. 56, no. 1, pp. 109–119, January 2007.
[5] W. Coppock and C. Philbrook, “A Mathematical and Physical Analysis of Circuit Jitter with Application to Cryptographic Random Bit Generation,” MQP Report, Worcester Polytechnic Institute, 2005.
[6] B. Abcunas, S. Coughlin, G. Pedro, and D. Reisberg, “Evaluation of Random Number Generators on FPGA’s,” MQP Report, Worcester Polytechnic Institute, 2004.