ADCs, Chaos and TRNGs: A Generalized View ... - IEEE Xplore

ADCs, Chaos and TRNGs: a Generalized View Exploiting Markov Chain Lumpability Properties

Sergio Callegari, ARCES and DEIS, University of Bologna, [email protected]
Gianluca Setti, ARCES, University of Bologna and ENDIF, University of Ferrara, [email protected]

Abstract— We show that any TRNG architecture based on the cascade of a noise source, an ADC, and a digital post-processor can be simplified by getting rid of the explicit noise source, modifying the ADC so that it simultaneously acts as both an entropy source and a data acquisition block. Though gains may vary, this is practicable with any ADC type and can be seen as the generalization of a recent proposal where a TRNG was obtained out of the 1 + 1/2 bit stages of a pipeline converter.

I. INTRODUCTION

Since the publication of the first formal documents advising against Pseudo Random Number Generators (PRNGs) in security related applications [1] and the recent endorsement of True Random Number Generators (TRNGs) by big players of information technology [2], [3], a growing number of TRNGs have started to appear in the literature. Notably, some designs are based on the architecture of figure 1 [4], [5]. Here, the output of an analog noise source (either based on environmental noise, thermal noise, chaotic dynamics, or more exotic phenomena) is acquired by an Analog to Digital Converter (ADC) and passed to a digital system capable of distilling an (almost) true random bit-stream. Entropy distillation (practiced by hash/cryptographic functions, recurrent shift registers, and the like) is unavoidable since real world noise sources always show some "imperfection" in terms of bias and correlation. It involves a combination of mixing and decimation and should always result in a final data rate inferior to that at the ADC output¹. Due to many trade-offs, designers have so far proposed different incarnations of the general architecture. For instance, in some cases the noise source has been optimized to allow for simpler distillers and more parsimonious rate reductions. In other cases, only the least significant bits of the ADC have been passed to the distiller, again to ease the distiller operation [5]. This latter approach exploits the fact that correlations are more evident in the high order bits but, by discarding them, significantly reduces the available data rate.

Fig. 1. A commonly used TRNG architecture: analog noise source, ADC, digital entropy distiller (block diagram omitted).

In this paper, we show that it is possible to get rid of the explicit noise source up-hill of the ADC, still obtaining at the distiller input almost optimal, high-rate sequences. The idea is that by minor modifications any ADC can be converted into an almost ideal chaos based entropy source. In other terms, the ADC can be modified to simultaneously act as an optimal entropy source and a data acquisition block, with significant hardware savings. This can be seen as a generalization of [6], where the 1 + 1/2 bit stages of a pipeline ADC were re-used as building blocks in a high-performance TRNG.

¹ In an entropy-theoretic sense. Under practical indicators the rate reduction might be unnecessary.

Fig. 2. Sample ADC quantization and error functions (plots omitted). Left: ADC operating on input range [0, 1] and rounding to the lower quantization level. Right: ADC operating on input range [−2, 2] and rounding to the nearest quantization level. In both cases the resolution is 3 bits.

II. RELATING ADCS, DISCRETE-TIME CHAOTIC SYSTEMS AND ENTROPY SOURCES

As is well known, an ADC implicitly implements a Piece-Wise Affine (PWA) function whenever the conversion error (residue) is taken into account. Let Q(x) be the quantization function of the ADC and E(x) = x − Q(x) the residue function. For a k-bit ADC, Q(x) is stepwise with 2^k steps, and E(x) is consequently "rampwise", with 2^k unitary-slope ramps. Depending on the ADC type, all or most of the ramps are "fully developed", i.e. stretching on a set exactly as large as the quantization step q (see examples in figure 2). Often, ADC circuits do not make Q(x) and E(x) directly accessible, and only provide the binary-vector output B computed from a function N : [Rmin, Rmax] → {0, 1}^k, where Rmin and Rmax identify the ADC input range and N evidently combines both quantization and coding. Even in this case, it is easy to obtain Q(x) and E(x) by introducing a complementary Digital to Analog Converter (DAC) and a summation block, as shown in the upper part of figure 3.

In function E, the domain [Rmin, Rmax] and the image set cannot coincide, the latter being necessarily much smaller than the former. However, by the application of a suitable affine transformation, a new function Ẽ(x) = aE(x) + b can be defined so that an interval

1-4244-0921-7/07 $25.00 © 2007 IEEE.


Fig. 3. Extension of an ADC architecture to obtain physical representations of Q(x), E(x), and Ẽ(x), and its exploitation to build a 1-D autonomous dynamical system (block diagram omitted: the ADC output N(x) = B = (b0, b1, …, b(k−1)) drives a DAC yielding Q(x); a subtractor gives E(x) = x − Q(x); a gain a and an offset b give Ẽ(x), which is fed back through a delay element so that x(n+1) = Ẽ(x(n))).

I ⊆ [Rmin, Rmax] is mapped exactly onto itself. This creates the premises for building an autonomous 1-D discrete time system with state space I, as shown in figure 3. The model is

$$x_{n+1} = \tilde{E}(x_n), \qquad B_n = N(x_n) \tag{1}$$

To this aim, the parameters of the affine block should be suitably chosen. Particularly, a should be set so that 1 < a < 2^k (to have stretching, a prerequisite for chaos), while b should be set so that I is "reasonably large" and "well centered" in [Rmin, Rmax]. Specifically, b should depend on the ADC input range (which can comprise only positive values, as in Rmin = 0, Rmax = R, or both positive and negative values, as in Rmin = −Rmax = −R/2) and on its type of quantization (either rounding to the nearest quantization level, or not rounding, i.e. always taking the lower nearest level). Table I summarizes the various cases.

TABLE I. SETUP OF AFFINE CONVERTER PARAMETERS

Rmin, Rmax     Rounding   a              b
0, R           No         1 < a < 2^k    0 < b < R − aq
0, R           Yes        1 < a < 2^k    aq/2 < b < R − (a + 1)q/2
−R/2, R/2      No         1 < a < 2^k    −R/2 < b < R/2 − aq
−R/2, R/2      Yes        1 < a < 2^k    −R/2 + aq/2 < b < R/2 − (a + 1)q/2

(In the non-rounding case I = [b, b + aq); in the rounding case I = [b − aq/2, b + aq/2). The upper bound in the rounding rows is tighter by q/2 because the topmost ramp of a rounding ADC is not fully developed.)

Note that it is important that a and b belong to the given ranges with clearance, so as to assure well determined and robust behavior even in the presence of noise or implementation non-idealities that might temporarily take x slightly out of I (figure 4). Once the dynamical system is set up, it is easy to verify that the stretching and folding features of Ẽ make it necessarily characterized by a fully developed (and exact [7], [8]) chaotic behavior. During system operation, the digital output B coarsely tracks the chaotic (and thus noise-like) trajectory of x and is thus a suitable entropy source for a TRNG. Again, a distiller is necessary because the sequence {Bn} may well contain correlated words (in other terms, the entropy rate at {Bn} can well be less than the ideal k bits/cycle that would enable it to be used directly as a true random bit stream).

A. Example

An 8-bit ADC operating on a [−1, 1] V range and characterized by a quantization function rounding to the nearest level is modified to operate as an entropy source. In doing so, a is set to 100 and b to 0. With q = 2/256 V, this results in a dynamical system with a state space I = [−aq/2, aq/2) about 0.8 V wide, well embedded in the input range of the ADC with a clearance > 0.5 V (from Table I, b may range approximately within (−0.61, 0.61) V) assuring robust operation. Simulation shows

Fig. 4. Role of parameters a and b in determining the state space I of the invariant system and the clearance necessary to assure robust operation (plot omitted: I has width aq, its position within [Rmin, Rmax] depends on b, and clearance is left on both sides towards Rmin and Rmax).

that an entropy rate of about 6.5 bits/cycle is delivered at the ADC output B, which can be further distilled (in software or in digital hardware) to obtain a true random bitstream².

III. OPTIMIZATION OF SYSTEM PARAMETERS

With the above it has been shown that, rather than devising TRNGs based on the ADC acquisition of the output of some up-hill noise source, it may well be preferable to get rid of the up-hill circuitry altogether and to apply some modifications to the ADC to allow it to operate as an entropy source itself. What remains to be investigated is how to select the optimal parameters for the affine transformer, i.e. the values of a and b that maximally ease entropy distillation. To this aim, one needs to analyze the statistics of {Bn}, exploiting the properties of the specific state transformation function Ẽ. As long as a and b are rational numbers, this is evidently a Piece-Wise Affine Markov (PWAM) map [8], namely a map where it is possible to identify an interval partition {Xi} of the state space such that the map is affine on each Xi and partition points are mapped into partition points. Being Ẽ PWAM, the dynamics by which the state x enters and leaves each Xi is described by a Markov chain whose transition probabilities are immediately derived from a straightforward inspection of Ẽ itself. Specifically, the probability of jumping from Xi to Xj is given by

$$\frac{\mu\left(X_i \cap \tilde{E}^{-1}(X_j)\right)}{\mu(X_i)}$$

where μ is the Borel measure [8]. To apply this convenient analysis tool to the study of {Bn}, it is reasonable to choose a and b so that the partition {Xi} is immediately related to the ADC quantization intervals. This implies choosing a to be a power of 2. The optimal value is the largest possible one, namely a = 2^(k−1), since the rate of mixing of the chaotic dynamical system improves with the stretching property of the map and can be related to the deliverable entropy rate [8].
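As an added illustration (this script is not part of the paper, and none of its function names are the authors'), the following Python code models the system of eq. (1) around a k-bit ADC, checks a candidate b against the Table I bounds, iterates the map to produce the codes B_n of the Section II-A example, and computes the exact PWAM transition probabilities μ(X_i ∩ Ẽ⁻¹(X_j))/μ(X_i) on the half-step partition that the power-of-two choice of a induces. The Gaussian noise term added at every cycle is this example's assumption standing in for circuit noise; the entropy printed is a per-symbol plug-in estimate, hence only an upper bound on the rate the paper estimates with 24-bit packets.

```python
"""Added example, not the paper's code: a k-bit ADC as the chaotic map of eq. (1),
x_{n+1} = a*E(x_n) + b, B_n = N(x_n), with the Table I bounds on b and the exact
PWAM transition probabilities mu(X_i ∩ E~^-1(X_j)) / mu(X_i) of Sec. III."""
from collections import Counter
from fractions import Fraction as F
import math
import random


def adc(x, k, rmin, rmax, rounding):
    """k-bit ADC on [rmin, rmax]: returns (code B, level Q(x)). rounding=True
    picks the nearest level, rounding=False the lower one."""
    q = (rmax - rmin) / 2 ** k
    code = math.floor((x - rmin) / q + (F(1, 2) if rounding else 0))
    code = min(max(code, 0), 2 ** k - 1)          # saturate outside the range
    return code, rmin + code * q


def residue(x, k, rmin, rmax, rounding):
    """E(x) = x - Q(x)."""
    return x - adc(x, k, rmin, rmax, rounding)[1]


def b_bounds(k, rmin, rmax, a, rounding):
    """Open interval allowed for b by Table I, written for a generic [rmin, rmax]."""
    q = (rmax - rmin) / 2 ** k
    if rounding:
        return rmin + a * q / 2, rmax - (a + 1) * q / 2
    return rmin, rmax - a * q


def invariant_interval(k, rmin, rmax, a, b, rounding):
    """The interval I that E~(x) = a*E(x) + b maps exactly onto itself."""
    q = (rmax - rmin) / 2 ** k
    return (b - a * q / 2, b + a * q / 2) if rounding else (b, b + a * q)


def simulate(k, rmin, rmax, rounding, a, b, n, noise, seed=1):
    """Iterate eq. (1) for n cycles and return the ADC codes B_n. `noise` is an
    assumed Gaussian circuit noise (std, in input units) added to every state
    update: it is what the stretching amplifies into fresh entropy; a noiseless
    finite-precision iterate would only be a PRNG."""
    blo, bhi = b_bounds(k, rmin, rmax, a, rounding)
    if not blo < b < bhi:
        raise ValueError("b violates Table I: I would leave the ADC input range")
    lo, hi = invariant_interval(k, rmin, rmax, a, b, rounding)
    rng = random.Random(seed)
    x = rng.uniform(lo, hi)
    codes = []
    for _ in range(n):
        code, level = adc(x, k, rmin, rmax, rounding)
        codes.append(code)
        x = a * (x - level) + b + rng.gauss(0.0, noise)
    return codes


def entropy_bits(symbols):
    """Plug-in Shannon entropy per symbol; an upper bound on the entropy rate,
    since it ignores correlations between successive symbols."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def transition_matrix(k, rmin, rmax, rounding, a, b):
    """Exact Markov transition probabilities of the PWAM map on the half-step
    partition {X_i} of I (requires a power-of-two a and b aligned as in Sec. III).
    E~ is affine with slope a on each X_i, so the measure of X_i ∩ E~^-1(X_j)
    is the length of E~(X_i) ∩ X_j divided by a."""
    q = (rmax - rmin) / 2 ** k
    lo, hi = invariant_interval(k, rmin, rmax, a, b, rounding)
    h = q / 2
    ncell, offset = (hi - lo) / h, (lo - rmin) / h
    if ncell != int(ncell) or offset != int(offset):
        raise ValueError("I is not a union of half quantization steps")
    cells = [(lo + i * h, lo + (i + 1) * h) for i in range(int(ncell))]
    rows = []
    for clo, chi in cells:
        img_lo = a * residue(clo, k, rmin, rmax, rounding) + b
        img_hi = img_lo + a * (chi - clo)
        rows.append([max(0, min(img_hi, dhi) - max(img_lo, dlo)) / (a * (chi - clo))
                     for dlo, dhi in cells])
    return rows


if __name__ == "__main__":
    # Sec. II-A: 8-bit rounding ADC on [-1, 1] V, a = 100, b = 0
    q8 = 2 / 256
    print("Table I bounds on b:", b_bounds(8, -1.0, 1.0, 100, True))
    codes = simulate(8, -1.0, 1.0, True, 100, 0.0, 100_000, noise=q8 / 20)
    print("codes in [%d, %d], %.2f bits/symbol" % (min(codes), max(codes), entropy_bits(codes)))
    # Sec. III: k = 3, non-rounding, a = 2^(k-1) = 4, b = q + q/2 (m = 1)
    for row in transition_matrix(3, F(0), F(1), False, 4, F(3, 16)):
        print(" ".join(str(p) for p in row))
```

With a = 100 the invariant interval covers 100 quantization steps, so the per-symbol estimate settles near log2(100) ≈ 6.65 bits; the paper's 6.5 bits/cycle is lower because it accounts for correlations between successive codes. The 3-bit transition matrix reproduces the structure of figure 6: even cells jump to the upper half of I, odd cells to the lower half, each destination cell with probability 1/4.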
² Simulations run on 2·10⁹ cycles (16·10⁹ bits), estimating entropy by collecting 24-bit packets (the method used slightly overestimates entropy).

For what concerns b, apparently a reasonable choice could be to make the partition points of {Xi} perfectly aligned with the quantization levels. However, considering that implementation errors can easily occur in the form of offsets, it is easy to see that such a choice would

be unfortunate. In fact, it allows any offset to modify the set of quantization intervals spanned by I, leading to unnecessary complications in the distiller implementation. One should thus resort to b = mq (for rounding ADCs) or to b = mq + q/2 (for non-rounding ones), with m ∈ ℤ and such that the b bounds defined in Table I are respected. With this, the end points of I and the partition points of {Xi} align to the middle of the quantization intervals, as shown in the sample plot in figure 5, so that each partition interval is half a quantization step wide.

Fig. 5. Sample result of an optimal setting of a and b for a non-rounding ADC with a 3-bit resolution (plot omitted: Ẽ(x) over [Rmin, Rmax], with I spanning the quantization intervals labelled 0 to 4 and the partition intervals labelled 0 to 7).

Let the partition intervals (and thus the Markov states) be indicated by numbers from 0 to 2^k − 1 for growing x, while the relevant quantization intervals (the 2^(k−1) + 1 intervals touched by I, the first and the last only by half) take labels from 0 to 2^(k−1), as in the plot. Figure 6 shows the resulting Markov chain for k = 3 and the form of the transition probability matrix for a general k.

Fig. 6. Markov chain for k = 3 and transition probability matrix for any k (state diagram omitted; for k = 3 all transition probabilities are 1/4). The rows of the matrix alternate between the patterns (0 … 0 1 … 1) and (1 … 1 0 … 0), each with 2^(k−1) zeros and 2^(k−1) ones:

$$K = \frac{1}{2^{k-1}} \begin{pmatrix} 0 & \cdots & 0 & 1 & \cdots & 1 \\ 1 & \cdots & 1 & 0 & \cdots & 0 \\ \vdots & & \vdots & \vdots & & \vdots \\ 0 & \cdots & 0 & 1 & \cdots & 1 \\ 1 & \cdots & 1 & 0 & \cdots & 0 \end{pmatrix}$$

Fig. 7. Lumped Markov chain for k = 3 (diagram omitted): lumped states 0 (from unlumped states 7 ∨ 0), 1 (1 ∨ 2), 2 (3 ∨ 4), 3 (5 ∨ 6); all transition probabilities are 1/4.

This kind of chain does not result in a Markov process producing independent symbols. However, its regular structure still provides special features:

Property (A class of generally lumpable Markov chains). Let M1 = (S1, K1, π1) be a Markov chain characterized by: a finite state space S1 with m elements {0, …, m − 1} so that m = 2^k with k ∈ ℕ; an arbitrary initial state probability distribution π1; and a kneading matrix K1 representing the state transition


probabilities having the special structure

$$(K_1)_{i,j} = \begin{cases} 2^{-k+1} & \text{if } (i \text{ even} \wedge j \ge 2^{k-1}) \vee (i \text{ odd} \wedge j < 2^{k-1}) \\ 0 & \text{otherwise} \end{cases} \tag{2}$$

With the above, the surjective mapping l : S1 → S2,

$$l(s) = \left\lfloor \frac{(s+1) \bmod 2^k}{2} \right\rfloor \tag{3}$$

where S2 = {0, …, m/2 − 1}, defines a stochastic process which can eventually be described in terms of a new Markov chain M2 = (S2, K2, π2) characterized by a kneading matrix with the structure

$$(K_2)_{i,j} = \frac{1}{2^{k-1}} \quad \text{for any } i, j \tag{4}$$

Proof. The statement is equivalent to saying that M1 is generally lumpable [9], [10] into M2 through l when π1 is set to the steady-state probability distribution π̄1 of M1. While general lumpability is normally very hard to prove, for the particular form of K1 it is easy to see that there exist π2 and K2 such that:

1) $\forall u \in S_2,\ \forall s \in l^{-1}(u):\quad (\pi_2)_u = \#[l^{-1}(u)] \cdot (\pi_1)_s$;

2) $\forall u \in S_2,\ \forall t \in S_1:\quad \sum_{s \in l^{-1}(u)} (K_1)_{s,t} = \frac{\#[l^{-1}(u)]}{\#[l^{-1}(l(t))]} \, (K_2)_{u,\,l(t)}$;

where the operator #[·] returns the cardinality of a finite set. These latter conditions capture what is known as exact lumpability [10] and are easy to verify, because when they hold they can be used as constructive definitions for π2 and K2 (note that each l^{-1}(u) contains exactly one even and one odd state of S1, so that the sum in 2) equals 2^{−k+1} for every t). Particularly, it is trivial to check that 2) implies that K2 has the form given in the property statement. Now, knowing that exact lumpability implies general lumpability [9], the property is proved.

Exploiting lumpability with lumping function (3), a Markov chain such as that in figure 6 can be rewritten as shown in figure 7. Here, there are 2^(k−1) "lumped" states (indicated by underlined numbers in the figure) and two notable points to notice:

1) The lumped chain describes a Markov process producing balanced and independent (namely true random) symbols, being evidently identical to that describing the dynamics of a 2^(k−1)-faced die.

2) The states of the lumped chain can be put in direct relation with the quantization intervals of the ADC. For instance, comparing figures 5, 6, and 7 it is evident that the lumped chain is in a state u = i ≠ 0 when the unlumped chain is in state s = 2i − 1 or s = 2i and the ADC output B marks the


quantization interval i. Also, the lumped chain is in state u = 0 when the unlumped chain state is s = 0 or s = 2^k − 1 and B corresponds to interval 0 or interval 2^(k−1), the two half intervals at the ends of I.

With the above, it should be clear how the particular choice of a and b optimizes and eases the design of the entropy distiller, which can now be split in two parts, as illustrated in figure 8. The first is a thin combinatorial layer that merely maps the ADC output into the lumped Markov state. Given that the latter can be perfectly encoded on k − 1 bits, at this point one should already have a truly random bitstream. The second layer is a traditional entropy distillation block. Yet, it aims only at eliminating residual correlations that could derive from imperfections in the ADC and consequently can be extremely lightweight. Experiments have shown that recurrent shift registers with as little as 10 bits of storage can prove sufficient [11].

Fig. 8. Two-layer entropy distiller specific to the ADC based entropy source (block diagram omitted).

Finally, it is worth considering what kind of implementation errors the architecture is actually sensitive to. Following the lines in [12] it can be proved that there is zero sensitivity to offsets (and thus to errors in the setting of b) up to q/2. Similarly, there is no sensitivity to noise levels up to q/2. Hence, only errors on the gain a and in the original quantization function Q of the ADC (or ADC+DAC couple) need to be carefully watched.

IV. EXAMPLE: A TRNG BASED ON A SUCCESSIVE APPROXIMATION ADC

Looking at figure 3, one might think that the modification required by an ADC to operate as an entropy source could turn out to be substantial, with the introduction of a complementary DAC, a couple of adders, a gain block, and an analog register. In fact, this is not the case, since most ADC architectures already include a DAC or some alternative means to do residue computation³, as well as some elements of analog storage (e.g. sample and hold blocks). In order to demonstrate that, if one has access to the internal ADC design, the required modifications are in fact modest, figure 9 shows how a popular converter architecture, namely the Successive Approximation Register (SAR) ADC, can be modified into a reconfigurable circuit capable of operating either as an ADC or as an entropy source. In the figure, the SAR has a limited k = 5 bit resolution for representation convenience and is not rounding.
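Before moving to the SAR circuit, the lumpability argument and the first distiller layer of Section III can be checked numerically. The following Python script is an added example, not the authors' code: it builds K1 from eq. (2), lumps it through l of eq. (3), verifies conditions 1) and 2) of the proof and uses them to construct π2 and K2 of eq. (4), implements the thin combinational layer of figure 8 for the non-rounding design b = mq + q/2 (the name first_layer and the (k − 1)-bit mask are this example's choices, as is the lower code m of the interval I), and samples the chain to show that raw state pairs are visibly correlated while the lumped symbols are balanced and pairwise independent.

```python
"""Added example, not the paper's code: the lumpability Property of Sec. III
(eq. (2)-(4) and proof conditions 1-2) and the thin first layer of the
two-layer distiller of Fig. 8, checked numerically."""
from collections import Counter
from fractions import Fraction as F
import random


def kneading_matrix(k):
    """K1 of eq. (2): even states jump uniformly into the upper half of the
    state space, odd states into the lower half, with probability 2^-(k-1)."""
    m, half = 2 ** k, 2 ** (k - 1)
    return [[F(1, half) if (i % 2 == 0) == (j >= half) else F(0) for j in range(m)]
            for i in range(m)]


def lump(s, k):
    """Lumping function l(s) of eq. (3)."""
    return ((s + 1) % 2 ** k) // 2


def stationary(K, max_iter=100):
    """Steady-state distribution by exact power iteration from state 0
    (K1 is doubly stochastic and reaches the uniform distribution in 2 steps)."""
    m = len(K)
    pi = [F(1)] + [F(0)] * (m - 1)
    for _ in range(max_iter):
        nxt = [sum(pi[i] * K[i][j] for i in range(m)) for j in range(m)]
        if nxt == pi:
            return pi
        pi = nxt
    raise RuntimeError("no exact fixed point within max_iter steps")


def exact_lump(K1, pi1, k):
    """Verify conditions 1) and 2) of the proof and use them as constructive
    definitions of pi2 and K2; raise if the chain is not exactly lumpable."""
    pre = {}                                   # u -> l^-1(u)
    for s in range(len(K1)):
        pre.setdefault(lump(s, k), []).append(s)
    pi2 = {}
    for u, block in pre.items():
        vals = {len(block) * pi1[s] for s in block}   # condition 1
        if len(vals) != 1:
            raise ValueError("condition 1 fails for lump %d" % u)
        pi2[u] = vals.pop()
    K2 = {}
    for u, block in pre.items():
        for t in range(len(K1)):                       # condition 2
            v = sum(K1[s][t] for s in block) * len(pre[lump(t, k)]) / len(block)
            if K2.setdefault((u, lump(t, k)), v) != v:
                raise ValueError("condition 2 fails for lumps (%d, %d)" % (u, lump(t, k)))
    return pi2, K2


def first_layer(code, m, k):
    """Thin combinational layer of Fig. 8 for the non-rounding design
    b = m*q + q/2 (assumption of this example): I covers ADC codes m..m+2^(k-1),
    the two extreme (half) intervals share lumped state 0, so the lumped state
    is just the low k-1 bits of (code - m)."""
    if not m <= code <= m + 2 ** (k - 1):
        raise ValueError("code outside I")
    return (code - m) & (2 ** (k - 1) - 1)


def sample_chain(k, n, seed=7):
    """Draw a trajectory of the unlumped chain K1 and its lumped image."""
    rng = random.Random(seed)
    half = 2 ** (k - 1)
    s, states = 0, []
    for _ in range(n):
        states.append(s)
        s = rng.randrange(half, 2 * half) if s % 2 == 0 else rng.randrange(0, half)
    return states, [lump(s, k) for s in states]


def max_abs_dev(symbols, alphabet):
    """Largest |empirical frequency - 1/|alphabet|| over the alphabet."""
    alphabet = list(alphabet)
    n, counts = len(symbols), Counter(symbols)
    return max(abs(counts.get(a, 0) / n - 1 / len(alphabet)) for a in alphabet)


def pairs(symbols):
    return list(zip(symbols, symbols[1:]))


if __name__ == "__main__":
    k, m = 3, 5                                   # 3-bit ADC, I starting at code m
    K1 = kneading_matrix(k)
    pi2, K2 = exact_lump(K1, stationary(K1), k)
    print("pi2:", pi2)
    print("K2 entries:", sorted(set(K2.values())))   # a single value, 1/2^(k-1)
    print("code -> lumped state:", [first_layer(m + c, m, k) for c in range(2 ** (k - 1) + 1)])
    states, lumped = sample_chain(k, 20000)
    raw_alpha = [(s, t) for s in range(2 ** k) for t in range(2 ** k)]
    lump_alpha = [(u, v) for u in range(2 ** (k - 1)) for v in range(2 ** (k - 1))]
    print("raw state pairs, max deviation from uniform: %.4f" % max_abs_dev(pairs(states), raw_alpha))
    print("lumped pairs,    max deviation from uniform: %.4f" % max_abs_dev(pairs(lumped), lump_alpha))
```

Half of the raw state pairs never occur (an even state is always followed by an upper-half state), so their empirical frequency sits 1/64 away from the uniform 1/64; the lumped pairs all come out near 1/16. The mechanism is the one used in the proof: every lump pairs one even and one odd state, so whatever the lumped history, the chain is equally likely to sit in either member of its current lump and the next lumped symbol is uniform.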
The input range is defined by the external reference voltage VR to be [0, VR] and all the switches are driven by the SAR unit. When in ADC mode, the affine transformer is not used, and everything goes as in a normal SAR ADC. Conversely, in "entropy-source" mode, the affine transformer (which implicitly acts also as an analog latch thanks to its switched-capacitor nature) is used to feed back the previous conversion residue (found at VC) after having applied a gain and an offset. The gain a is set by the capacitor ratio CB/CA (which in this case should be 2^(k−1) = 16). The offset b is given by VR·CC/CA. Since the quantization step is q = VR/2^k, a reasonable choice is to set b at VR·(2^k + 1)/2^(k+1), i.e. b = 16q + q/2, of the form mq + q/2 prescribed in Section III for a non-rounding ADC; namely, CC/CA should be 33/64 for the particular case. Note that the modifications with regard to the original SAR converter are limited to the addition of the switched-capacitor affine transformer and to a slight enhancement of the SAR itself to accommodate the driving of a larger number of switches and the extra "feedback phase". Changes to the SAR, however, are cheap thanks to its digital nature.

³ With the notable exception of flash converters.

Fig. 9. A SAR ADC based on the charge redistribution principle, modified to be reconfigurable into an entropy source. The added/modified parts are identified by the usage of a lighter color (schematic omitted; labelled elements: analog input VIN, reference VR, nodes VX, VB and VC, the binary-weighted array C1, C2, C4, C8, C16, C16' with switches S0–S4 and S0', the affine transformer with capacitors CA, CB, CC and switches SA, SB, SW, SX, SY, SZ, and the enhanced SAR with its mode input).

REFERENCES

[1] D. E. Eastlake, S. D. Crocker, and J. I. Schiller, "Randomness recommendations for security," RFC 1750, Internet Engineering Task Force, 1994. [Online]. Available: http://www.ietf.org/rfc/rfc1750.txt
[2] B. Jun and P. Kocher, "The Intel random number generator," Cryptography Research Inc., white paper, Apr. 1999. [Online]. Available: http://www.cryptography.com/resources/whitepapers
[3] "Evaluation summary: VIA C3 Nehemiah random number generator," Cryptography Research Inc., white paper, Mar. 2003. [Online]. Available: http://www.cryptography.com/resources/whitepapers
[4] K. W. Tang and W. Tang, "A low cost chaos-based random number generator realized in 8-bit precision environment," in Proc. NOLTA 2006, Bologna, Italy: IEICE, Sept. 2006, pp. 395–398.
[5] T. Moro, Y. S. Saitoh, J. Hori, and T. Kiryu, "Generation of physical random number using the lowest bit of an A-D converter," Electronics and Communications in Japan (Part III: Fundamental Electronic Science), vol. 89, no. 6, pp. 13–21, June 2006.
[6] S. Callegari, R. Rovatti, and G. Setti, "Embeddable ADC-based true random number generator for cryptographic applications exploiting nonlinear signal processing and chaos," IEEE Trans. Signal Processing, vol. 53, no. 2, pp. 793–805, 2005.
[7] A. Lasota and M. C. Mackey, Chaos, Fractals and Noise. Stochastic Aspects of Dynamics, 2nd ed. Springer-Verlag, 1995.
[8] G. Setti, G. Mazzini, R. Rovatti, and S. Callegari, "Statistical modeling of discrete time chaotic processes: Basic finite dimensional tools and applications," Proc. IEEE, vol. 90, no. 5, pp. 662–690, May 2002.
[9] A. Sokolova and E. de Vink, "On relational properties of lumpability," in Proc. 4th PROGRESS Symposium on Embedded Systems, Nieuwegein, NL, Oct. 2003.
[10] P. Buchholz, "Exact and ordinary lumpability in finite Markov chains," Journal of Applied Probability, vol. 31, pp. 59–75, 1994.
[11] F. Pareschi, R. Rovatti, and G. Setti, "Simple and effective post-processing stage for random stream generated by a chaos-based RNG," in Proc. NOLTA 2006, Bologna, Italy: IEICE, Sept. 2006, pp. 383–386.
[12] F. Pareschi, G. Setti, and R. Rovatti, "Noise robustness condition for chaotic maps with piecewise constant invariant density," in Proc. ISCAS 2004, vol. IV, Vancouver, Canada, May 2004, pp. 681–684.
