taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity
arduinolibs/crypto_rng_ring.html
Rhys Weatherley c81350fcbe Update docs
2018-04-02 18:37:36 +10:00

160 lines
14 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.6"/>
<title>ArduinoLibs: Ring Oscillator Noise Sources</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/search.js"></script>
<script type="text/javascript">
$(document).ready(function() { searchBox.OnSelectItem(0); });
</script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td style="padding-left: 0.5em;">
<div id="projectname">ArduinoLibs
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.6 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<div id="navrow1" class="tabs">
<ul class="tablist">
<li><a href="index.html"><span>Main&#160;Page</span></a></li>
<li class="current"><a href="pages.html"><span>Related&#160;Pages</span></a></li>
<li><a href="modules.html"><span>Modules</span></a></li>
<li><a href="annotated.html"><span>Classes</span></a></li>
<li><a href="files.html"><span>Files</span></a></li>
<li>
<div id="MSearchBox" class="MSearchBoxInactive">
<span class="left">
<img id="MSearchSelect" src="search/mag_sel.png"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
alt=""/>
<input type="text" id="MSearchField" value="Search" accesskey="S"
onfocus="searchBox.OnSearchFieldFocus(true)"
onblur="searchBox.OnSearchFieldFocus(false)"
onkeyup="searchBox.OnSearchFieldChange(event)"/>
</span><span class="right">
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
</span>
</div>
</li>
</ul>
</div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&#160;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&#160;</span>Classes</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&#160;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&#160;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&#160;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&#160;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&#160;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&#160;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&#160;</span>Friends</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(9)"><span class="SelectionMark">&#160;</span>Groups</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(10)"><span class="SelectionMark">&#160;</span>Pages</a></div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
</div><!-- top -->
<div class="header">
<div class="headertitle">
<div class="title">Ring Oscillator Noise Sources </div> </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p>This page discusses how to construct and use a noise source based on the jitter from a ring oscillator. The circuit here is very simple: more complex ring oscillator designs are possible and may give better results.</p>
<dl class="section note"><dt>Note</dt><dd>The output from a ring oscillator is not generally as good as a "true" noise source. The oscillation can easily settle into regular patterns or sync up with other clock sources on the board. It is even possible to "hack" a ring oscillator by injecting chosen frequencies on the power supply rails to force the oscillation into a predictable waveform (see <a href="http://www.cl.cam.ac.uk/~atm26/papers/markettos-ches2009-inject-trng.pdf">this paper</a> for an example). It is very important that the output of this class be whitened with <a class="el" href="classRNGClass.html">RNG</a> before it is used for cryptography and that the device is isolated from attacker-controlled sources of power. Unless you have a very good reason to use a ring oscillator, <a class="el" href="classTransistorNoiseSource.html" title="Processes the signal from a transistor-based noise source. ">TransistorNoiseSource</a> is usually a better option.</dd></dl>
<h1><a class="anchor" id="ring_osc_theory"></a>
Ring oscillator theory</h1>
<p>A ring oscillator is formed out of an odd number of inverter gates. A 1 value on the input to the first gate will be inverted several times, resulting in a 0 value being fed back into the first gate. In turn that 0 is inverted several times to generate another 1. And so on. In schematic form, a 3-stage ring oscillator looks like this:</p>
<div class="image">
<img src="ring_oscillator_basic.png" alt="ring_oscillator_basic.png"/>
</div>
<p>Because electronic circuits are not instanteous devices it can take some time for the values to propagate down the inverter chain. The longer the chain (5-stage, 7-stage, 9-stage, or more) the longer the propagation delay. The important thing is that the delay is not fixed: differences in components, ambient temperature, and other factors combine to introduce a little bit of random jitter in the output waveform.</p>
<p>For our purposes, the jitter is what we are after. The timing differences from one rising edge to the the next gives us the random bits.</p>
<p>The triangular-shaped output from the final inverter isn't very friendly to microprocessors. So it is common to select out the jitter using a D flip-flop and a periodic clock signal:</p>
<div class="image">
<img src="ring_oscillator_sampled.png" alt="ring_oscillator_sampled.png"/>
</div>
<p>Practical designs inside CPU's often use multiple ring oscillators XOR'ed together:</p>
<div class="image">
<img src="ring_oscillator_multi.png" alt="ring_oscillator_multi.png"/>
</div>
<p>Even after all that the output won't be uniformly random. It is necessary to whiten the output with a secure hash function before using the data for cryptography. Fortunately for us, <a class="el" href="classRNGClass.html#ad99535ea23ae2fec55bdebb8c24def02">RNG.stir()</a> has built-in support for whitening so we just need to collect the raw bits.</p>
<h1><a class="anchor" id="ring_osc_ours"></a>
Our ring oscillator</h1>
<p>To keep things simple, we are going to use a single 5-stage ring oscillator with a sampling clock provided by a 555 timer:</p>
<div class="image">
<img src="ring_oscillator.png" alt="ring_oscillator.png"/>
</div>
<p>The components were deliberately chosen to be commonly available. The only special one is the 555. I recommend using the CMOS LM7555 variant (or something equivalent) instead because it can operate at higher frequencies than a garden variety 555. The 56 ohm resistor on the output of U2 inhibits ringing on the clock line: we want the noise to come from U1 not U2.</p>
<p>The frequency output from U1 will depend upon the properties of your 4069 chip. A cheap bargain bin chip is actually better than a high quality chip. Some inverter datasheets I have read proudly advertise reduced jitter but the jitter is what we are after here. My 4069 was generating about 1.7MHz with a 5-stage ring oscillator. Other chips I tried were able to exceed 12MHz with a 3-stage ring oscillator. Because the Arduino isn't fast enough to sample high frequency signals, lower is actually better for our needs.</p>
<p>To further lower the frequency to something the Arduino can measure, the 555 timer should be set to between 100kHz and 200kHz (it's ok to be a little over 200kHz). Start with an R1 value of about 2.2K and adjust it up or down to get the frequency into the target range. Also measure the output frequency from U3A and try to target between 20kHz and 50kHz. The Arduino can easily sample that without putting too much burden on the CPU. The signal should be very jittery at this point.</p>
<p>This design can of course be improved by using multiple ring oscillators and an XOR gate, but I wanted to keep the component count low for the basic design.</p>
<h1><a class="anchor" id="ring_osc_parts"></a>
Parts list</h1>
<ul>
<li>1 x 4069 CMOS Hex Inverter </li>
<li>1 x 4013 Dual D Flip-Flop </li>
<li>1 x LM7555 CMOS Timer </li>
<li>1 x 10uF electrolytic capacitor (25V or better) </li>
<li>1 x 100nF ceramic capacitor </li>
<li>1 x 10nF ceramic capacitor </li>
<li>1 x 1nF ceramic capacitor </li>
<li>1 x 56 ohm resistor </li>
<li>1 x 1.2k ohm resistor </li>
<li>1 x 2.2k ohm resistor (or some other value for R1)</li>
</ul>
<h1><a class="anchor" id="ring_osc_connecting"></a>
Connecting to the Arduino</h1>
<p>The <a class="el" href="classRingOscillatorNoiseSource.html" title="Processes the signal from a ring oscillator based noise source. ">RingOscillatorNoiseSource</a> class uses the input capture feature of the AVR microcontroller to measure the time between successive rising edges. Input capture is only possible on certain pins and the output of the circuit above needs to be connected to the correct pin:</p>
<table class="doxtable">
<tr>
<td>Variant</td><td>Arduino Pin / AVR Pin</td><td>Timer </td></tr>
<tr>
<td>Arduino Uno</td><td>D8 / PB0</td><td>Timer 1 </td></tr>
<tr>
<td>Arduino Leonardo</td><td>D4 / PD4</td><td>Timer 1 </td></tr>
<tr>
<td>Arduino Mega or Mega 2560</td><td>D49 / PL0</td><td>Timer 4 </td></tr>
</table>
<p>If your board is not pin-compatible with one of the above, then the source for the <a class="el" href="classRingOscillatorNoiseSource.html" title="Processes the signal from a ring oscillator based noise source. ">RingOscillatorNoiseSource</a> class will need to be modified to use a different pin/timer combination. Also, when the timer is in use by this class it cannot be used for other application tasks.</p>
<p>The timer is set up in free-running mode to count as fast as possible. Whenever a rising edge occurs on the input signal, the timer's current value is written to a special register and an interrupt occurs. Within the interrupt service routine, the previous register value is subtracted from the current value to determine the amount of time that has elapsed between the two rising edges.</p>
<p>The jitter is extracted from the time difference in a very simple way: the lowest bit of the difference is the jitter and all other bits are discarded. The interrupt service routine collects up 16 bits of jitter over successive input pulses and then passes them to the higher level code in the <a class="el" href="classRingOscillatorNoiseSource.html" title="Processes the signal from a ring oscillator based noise source. ">RingOscillatorNoiseSource</a> class.</p>
<p>Within the higher level code, the input bits are first debiased using the Von Neumann method to discard the parts of the signal that don't jitter very much:</p>
<ul>
<li>Collect two input bits. </li>
<li>If they are the same, then discard both. </li>
<li>If they are different, then choose one as the output bit and discard the other one.</li>
</ul>
<p>The debiased bits are collected up into a 256-bit buffer. Once the buffer is full it is passed to <a class="el" href="classRNGClass.html#ad99535ea23ae2fec55bdebb8c24def02">RNG.stir()</a> to be whitened and incorporated into the global random number pool.</p>
<p>And that's it!</p>
<p>As noted earlier, the output from a ring oscillator is not uniform. To deal with this, the <a class="el" href="classRingOscillatorNoiseSource.html" title="Processes the signal from a ring oscillator based noise source. ">RingOscillatorNoiseSource</a> class takes a fairly conservative approach. It credits a very small amount of entropy to each full buffer, forcing the system to collect more input data to achieve full entropy.</p>
<p>My investigations showed that at 20kHz it takes about a second to generate 256 bits of good random data after Von Neumann debiasing and whitening. Two to three seconds after startup there should be enough entropy in the random number pool to generate encryption keys and other secret material safely. The <a class="el" href="classRNGClass.html#a49e3231ba65a5e4b045bc90976e0a659">RNG.available()</a> function can be used to determine when there is enough entropy in the pool for the application's needs. </p>
</div></div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated on Mon Apr 2 2018 18:36:53 for ArduinoLibs by &#160;<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/>
</a> 1.8.6
</small></address>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink