
Improving Security For Elliptic Curve Implementations on Smart Cards:
A Random Number Generator Test Unit
Dissertation approved by the Department of Physics and Electrical Engineering of the University of Bremen for the award of the academic degree of Doktor-Ingenieur (Dr.-Ing.)
by
Andrew Weigl, M.E.Sc.
from Bremen
Reviewer: Professor Dr.-Ing. W. Anheier
Second reviewer: Professor Dr.-Ing. R. Laur
Submitted on: 05.04.2006
Date of the doctoral colloquium: 24.07.2006
Contents

1 Introduction   1
1.1 Motivation   2
1.2 Previous Work   4
1.3 Contents of the Thesis   4
2 Smart Cards   7
2.1 History   7
2.2 Smart Card Properties   8
2.2.1 Physical properties   8
2.2.2 Electrical properties   10
2.2.3 Memory   11
2.3 Types of Smart Cards   15
2.3.1 Memory only cards (also called synchronous cards)   15
2.3.2 Microprocessor cards (also called asynchronous cards)   15
3 Elliptic Curve Theory and Cryptography   19
3.1 Elliptic Curve Algebra   19
3.2 Point Operations on Elliptic Curves over Prime Fields F_p   19
3.3 Point Operations on Elliptic Curves over Polynomial Fields F_2^m   21
3.4 Cryptography   22
3.4.1 Symmetric (Private) Key Cryptography   23
3.4.2 Asymmetric (Public-Private) Key Cryptography   24
4 Random Numbers, Generation and Testing   29
4.1 Definition of a random sequence   29
4.2 Random number generators   31
4.2.1 History   31
4.2.2 Properties of random number generators   32
4.2.3 Types of random number generators   33
  Pseudorandom number generators   33
  True random number generators   34
  Cryptographic random number generators   34
4.2.4 Popular random number generators   35
  Linear congruential generator (LCG)   35
  Blum-Blum-Shub generator (computationally perfect PRNG)   35
  Cryptographic RNG (hardware RNG)   36
4.3 Testing of random number generators   37
4.4 Testing a device   38
4.5 Statistical (empirical) tests   38
4.5.1 Hypothesis testing   39
4.6 Some examples of statistical models on n   41
4.7 Hypothesis testing and random sequences   42
4.8 Empirical test examples for binary sequences   44
5 Hardware Implementation   55
5.1 Hardware Design   55
5.1.1 Frequency Test   56
5.1.2 Frequency Block Test   57
5.1.3 Runs Test   59
5.1.4 Longest Runs Test   59
5.1.5 Poker Test   61
5.1.6 Autocorrelation Test   63
5.1.7 Turning Point Test   64
5.1.8 Serial Test   65
5.2 Functional Verification   67
5.3 Hardware Testing   69
5.3.1 Hardware Analysis Strategy   69
5.3.2 Hardware Results   70
6 Empirical Test Quality Measurement   75
6.1 Introduction   75
6.2 Random Number Generator Failure Experiments   77
6.2.1 Control Experiment 1: True Random Number Generator   77
6.2.2 Control Experiment 2: Good Pseudorandom Number Generator   78
6.2.3 Failure Point 1 Experiment: ANSI C Generator   80
6.2.4 Failure Point 1 Experiment: Repeating Pattern Random Number Generator   83
6.2.5 Failure Point 1 Experiment: Bias Random Number Generator   88
6.2.6 Failure Point 2 Experiment: External Frequency Interference   94
6.2.7 Failure Point 3 Experiment: Oversampling RNG   113
7 Random Number Generator Testing Unit   121
7.1 Hardware and Software Analysis   121
7.2 Poker-Frequency Test Unit   124
8 Conclusion   127
9 Appendix A   131
Bibliography   135
Abbreviations

BSI Bundesamt für Sicherheit in der Informationstechnik
BMS Binary Memoryless Source
CISC Complex Instruction Set Computer
CMOS Complementary Metal Oxide Semiconductor
CPU Central Processing Unit
DES Data Encryption Standard
DSA Digital Signature Algorithm
ECDSA Elliptic Curve Digital Signature Algorithm
EC-AES Elliptic Curve Authentication Encryption Scheme
ECC Elliptic Curve Cryptography
EEPROM Electrically Erasable Programmable Read-Only Memory
EPROM Erasable Programmable Read-only Memory
FIPS Federal Information Processing Standards
GSM Global System for Mobile communications
GUT Generator Under Test
HMAC keyed-Hashing Message Authentication Code
HCC Hyper-elliptic Curve Cryptography
ISO International Organization for Standardization
LSB Least Significant Bit
MSB Most Significant Bit
NIST National Institute of Standards and Technology
NSA National Security Agency
PRNG Pseudorandom Number Generator
PROM Programmable Read-only Memory
PTT Postal and Telecom services
PVC Poly-vinyl Chloride
RAM Random Access Memory
RISC Reduced Instruction Set Computer
ROM Read-Only Memory
RP-RNG Repeating Pattern Random Number Generator
RSA Rivest, Shamir, and Adleman cryptosystem
SRAM Static RAM
ST Source Transition
USB Universal Serial Bus
VHDL Very High Speed Integrated Circuit Hardware Description Language
XOR Exclusive-Or
chi2inv Inverse χ² cumulative distribution function
Acknowledgements

I would like to offer special thanks to the following people, for without their help this thesis would not have been possible. To my supervisor, Professor Anheier, for the opportunity and the advice. To my parents, who have guided and supported me all my life. To David Lubicz, for his discussions into the mathematics of random numbers and random number generators. To the AREHCC team and particularly Philips Semiconductor for introducing me to the problem of testing random number generators on smart cards. To Volker Meyer, for his help with editing my thesis and to all my friends for their support and suggestions.
Chapter 1
Introduction
In 1965 Gordon Moore, co-founder of Intel, made the observation that the number of transistors per chip doubles every eighteen months. This was picked up by the media and dubbed Moore's Law. Moore's observation highlights the exponential growth in computer processing power. While this is good news for home computer users and the public in general, the growth does present problems for people who wish to maintain the integrity and security of their data.
Security protocols are measured by calculating the approximate time it takes to crack the system by brute-force trial-and-error methods. The judgment is based on current computer processing power. For a given protocol a suggested key length is given that allows for reasonable security. The current suggested length for the RSA¹ cryptosystem is 1024 bits; however, this will be upgraded to a 2048-bit key within the next five years. The problem with larger keys is that they require more computational power to process. Long key lengths are not a problem for large computer systems, but this is not the case for small microprocessors, like those used in smart cards.
Smart cards are finding wider acceptance in consumer electronics that require either secure data transmission, identification, or both. A smart card is a plastic or Poly-Vinyl-Chloride (PVC) card with an incorporated microprocessor. It ranges in complexity from a simple memory storage device to a complex microprocessor. Smart cards are also increasing in calculation power, but they have a more restricted working environment than their larger microprocessor siblings, for example, the microprocessor power supply. The power consumption of a desktop computer Central Processing Unit (CPU) has increased along with its computational power; for smart cards, work is under way to reduce the power consumption.
Current and future smart cards will be a hybrid between contact and contactless cards. For contact cards, power is available to the processor through the terminals and contacts. Contactless cards use induction methods to supply their power, but this does not achieve the same levels of power as is available through the contacts. This sets a limit on the design: it needs low power consumption or else the whole chip has to be clocked at a lower frequency.
¹ A public key cryptosystem developed by Ronald Rivest, Adi Shamir, and Leonard Adleman in 1977.
Not only is the hardware improving for cryptographic applications, but new methods and systems are being researched and discovered. In 1985 Neal Koblitz and Victor Miller independently discovered a public-key cryptographic method that uses the algebra of elliptic curves. This new method is able to provide, with a given key length, the same level of security as far larger RSA keys. For example, a 160-bit key in Elliptic Curve Cryptography (ECC) provides security equivalent to a 1024-bit RSA key. The shorter key requires less memory and processor resources. For the smart card application, research is now focused on elliptic curves and, as the next step, hyperelliptic curves. Currently, ECC is more computationally intensive than the RSA algorithm; however, new hardware and software implementations plus calculation methods bring the ECC processing requirements closer to what is required for RSA. Benefits will be seen with the next jump in RSA key sizes, since the next recommended level is a key length of 2048 bits, whereas the ECC system only needs a key length of 224 bits.
1.1 Motivation
A very important, but often overlooked, aspect of cryptography is the initial seed value for cryptographic algorithms. When using encryption applications it is suggested that the designer use known algorithms and parameters, since these have undergone rigorous public testing. Usually only military applications have modified or new cryptographic algorithms provided by special governmental departments like the National Security Agency (NSA) or the Bundesamt für Sicherheit in der Informationstechnik (BSI).
Using a published asymmetric algorithm means that an attacker potentially has the algorithm, the parameters, the public key, and the encrypted message when trying to decipher the encrypted message. The only secret lies in the private key, which is produced by a random number generator (RNG).
Random number generators have a long history, but it was not until the advent of the microcomputer that they came into use in everyday applications. Today, there are two main classes of random number generators: the true and the pseudorandom number generator. A true RNG incorporates a natural source of entropy and is indeterminate, since it is not known when the next impulse or bit will arrive. A pseudorandom number generator (PRNG) is a deterministic equation that mimics the properties of a true RNG. The benefit of a PRNG is that it is fast and the results are repeatable. Most applications that use RNGs are built with some form of PRNG.
Regardless of the type of RNG, if it is to be used in an application it needs to have four properties: independent output bits, a long period, uniform distribution and efficient bit generation. These four factors are used to judge a good RNG. Random number generators used for cryptographic applications require an extra property: they need to be unpredictable even when the algorithm and the output sequence are known.
The whole encryption process is put in jeopardy should the random number generator fail. If an attacker can change or influence the RNG, they may be able to reduce the possible range of keys generated, which is a reduction in the RNG period. This allows the attacker to perform a brute force attack on the cryptographic algorithm, whereby they test all possible key combinations in the reduced key space.
It is impossible to determine exactly whether a random number generator is functioning correctly; however, there do exist mathematical models that can be used with statistical analysis to compare the generator's output to what a true RNG would produce. A characteristic trait of the Generator-Under-Test (GUT) is selected and, using hypothesis testing, this characteristic is compared to the results from a true RNG. If the results fall outside the acceptance range, the RNG is rejected as non-random; however, if they fall within the acceptance range, the RNG is only accepted as random for the characteristics tested. This acceptance is not a proof of randomness.
The operations used to calculate the statistical acceptance or rejection are heavy loads for the processor. On modern personal computers this does not present a problem due to the large processor and memory resources, but on small microprocessor devices there is not much processing power and memory. For example, smart cards are limited in their processing power, memory, size, and allowable power consumption. As a result, smart cards are not fully capable of implementing all RNG testing in software or hardware.
Older style smart cards require contact to a power source, but newer style cards are either contactless or a hybrid of contact and contactless cards. This forces any new circuitry added to the card to have low power consumption. For smart cards the most important characteristic of any new hardware design is the power consumption, followed closely by design area and time delay. Smart card processors have a limited surface area to be deployed on, and a large portion of this is used by memory. A circuit design's time delay is a measure of its maximum operating speed. If it cannot handle the processor speed, then it becomes the bottleneck that slows down the whole processor.
Current RNG tests are designed mainly for software implementations. Some common published test suites are the NIST SP800-42, FIPS 140-2, and the Diehard test group. A common standard used by manufacturers for RNG testing is the FIPS 140-2 group. It is a combination of four tests (poker, frequency, runs, and longest runs) that analyse a sequence of 20000 bits. If any of the tests fails, the FIPS 140-2 group reports that the RNG is rejected as non-random.
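As an added illustration (not code from the thesis), the following Python model runs the four FIPS 140-2 tests named above over one 20000-bit sample and rejects the sample if any single test fails. The acceptance intervals are my assumption, written from the FIPS 140-2 change-notice values rather than taken from the page, so check them against the standard; the healthy source is a constructed SHA-256 counter-mode stream, and the two failing sources (stuck-at-0 and alternating 0101) are constructed as well.

```python
"""Software model of the four FIPS 140-2 power-up RNG tests (monobit,
poker, runs, long run), each applied to one 20 000-bit sample."""
import hashlib

SAMPLE_BITS = 20000

# Acceptance intervals: ASSUMPTION, reproduced from memory of FIPS 140-2
# (with change notices); they are not given on the page. Check the standard.
MONOBIT_RANGE = (9725, 10275)           # pass if 9725 < ones < 10275
POKER_RANGE = (2.16, 46.17)             # pass if 2.16 < X < 46.17
RUN_RANGES = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 = "6 or more"
LONG_RUN_LIMIT = 26                     # fail on any run of 26 or more bits


def monobit_test(bits):
    """Count the ones; a balanced source gives about 10 000."""
    ones = sum(bits)
    lo, hi = MONOBIT_RANGE
    return ones, lo < ones < hi


def poker_test(bits):
    """Chi-square style statistic over the 5 000 non-overlapping nibbles."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    n = len(bits) // 4                  # 5 000 nibbles
    x = (16.0 / n) * sum(c * c for c in counts) - n
    lo, hi = POKER_RANGE
    return x, lo < x < hi


def run_lengths(bits):
    """Maximal runs as (bit value, length) pairs, in order of appearance."""
    runs = []
    current, length = bits[0], 1
    for b in bits[1:]:
        if b == current:
            length += 1
        else:
            runs.append((current, length))
            current, length = b, 1
    runs.append((current, length))
    return runs


def runs_test(bits):
    """Count runs of each length (1..5, and 6+) separately for zeros and ones."""
    table = {v: {k: 0 for k in RUN_RANGES} for v in (0, 1)}
    for value, length in run_lengths(bits):
        table[value][min(length, 6)] += 1
    ok = all(lo <= table[v][k] <= hi
             for v in (0, 1) for k, (lo, hi) in RUN_RANGES.items())
    return table, ok


def long_run_test(bits):
    """Longest run of identical bits anywhere in the sample."""
    longest = max(length for _, length in run_lengths(bits))
    return longest, longest < LONG_RUN_LIMIT


def fips_140_2(bits):
    """Run all four tests; the sample is rejected if any single test fails."""
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-2 tests expect exactly 20 000 bits")
    results = {
        "monobit": monobit_test(bits)[1],
        "poker": poker_test(bits)[1],
        "runs": runs_test(bits)[1],
        "long_run": long_run_test(bits)[1],
    }
    results["pass"] = all(results.values())
    return results


def sha256_stream(seed=b"constructed seed", n_bits=SAMPLE_BITS):
    """Constructed stand-in for a healthy generator: SHA-256 in counter mode."""
    bits = []
    counter = 0
    while len(bits) < n_bits:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for byte in digest:
            bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
        counter += 1
    return bits[:n_bits]


# Two constructed failure sources of the kind an online test unit must catch.
STUCK_AT_ZERO = [0] * SAMPLE_BITS
ALTERNATING = [0, 1] * (SAMPLE_BITS // 2)

if __name__ == "__main__":
    for name, sample in (("sha256 stream", sha256_stream()),
                         ("stuck-at-0", STUCK_AT_ZERO),
                         ("alternating 0101", ALTERNATING)):
        print(f"{name:18s} {fips_140_2(sample)}")
```

The alternating pattern passes the monobit and long-run tests yet fails poker and runs, which is why the standard requires all four to agree before a sample is accepted.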
For security and marketing reasons, smart card manufacturers want to be able to implement standards in their products. In the case of testing the smart card RNG, the main standard is FIPS 140-2; however, current processors and RNGs running software RNG tests are not powerful enough to fulfil the FIPS requirements. In order to achieve the same level of security, new solutions need to be applied. This thesis proposes a new online hardware test unit for the smart card environment that operates during the initialization phase. The first design step is an investigation into the hardware characteristics of eight random number generator tests. The tests are implemented in VHDL using Synopsys™ tools. The power consumption, area, and time delay information garnered from these tests are used to classify the tests, in hardware terms, as complex or simple.
The hardware characteristics are not enough to judge which tests should be applied to the online test unit. Efficient hardware implementation of the random number generator test is only one aspect of finding an efficient online RNG test unit. The number of tests implemented in the test unit needs to be as few as possible, with a sample sequence of minimum length that has no loss in quality. To judge both criteria a simulator is required. A simulator has been programmed in Matlab™ that examines each test individually and in groups, and looks at how they compare to the results of the FIPS 140-2 standard. The simulator simultaneously measures the response of the test(s) using sample sequences varying from 25 to 100000 bits. Each test reaches a minimum sample sequence length where the underlying model does not fit any more. At this point the test has reached its minimum sequence length for testing of that failure type. From this information a judgment is made on the best test or test combination for each RNG failure type plus a minimum sample sequence. The thesis also includes a recommended online RNG test unit design. It is only a recommendation, since each manufacturer has to do its own balance of security and hardware requirements to match the exact usage of their cards.
1.2 Previous Work
The first step taken in this thesis was to determine what research has already occurred in this field and what solutions were already available. After interviewing an employee at a smart card manufacturer, it was found that they used a simple exclusive-or operation between generated bits as their test method. This catches catastrophic failure, but it leaves open the possibility of other failures like repeating patterns or outside frequency interference.
A literature and patent search revealed very little information. There were seven patents for online testing of random number generators [Har03g, Har03f, Har03e, Har03b, Har03a, Har03c, Har03d]; however, they were software solutions in C++.
The solutions found are not acceptable test solutions that operate during the initialization of the smart card. No other literature or patents have been found that deal with the hardware implementation of online RNG tests.
1.3 Contents of the Thesis
In the following chapter, the thesis starts with an introduction to smart card technology. This provides the basic framework from which the boundary conditions for the Test Unit design are gathered. Chapter 3 is an introduction to a cryptographic system where random numbers play an important role. This chapter emphasizes the importance of random numbers and why it is imperative that the RNG is working properly. Before going into the theory of testing RNGs, Chapter 4 begins with the theory of random binary sequences and their generators. After this, the statistical theory for testing RNGs is introduced. Chapter 5 is the first part of the solution to find the optimum RNG test unit for smart cards. The hardware characteristics of eight tests are examined. The second part of the Test Unit solution continues in Chapter 6, where a simulator is presented to judge which test should be implemented and the minimum length of the sample sequence for each failure type. In Chapter 7 an analysis of the results from the previous two chapters is done to determine the optimum smart card test unit. The designed test unit is compared to the original FIPS standard unit. The thesis is then summarized and remarks on further study are given in Chapter 8.
Chapter 2
Smart Cards
Although smart cards are now very common, the technology is still very new, with the first smart cards appearing in the 1970s. Since then, their evolution has been very rapid. Smart cards have advanced from simple memory cards to very efficient microcomputers with multiple applications. Equipped with a microcontroller, these cards are able to store and protect information using cryptographic algorithms. They are also resistant to physical stresses such as twisting and bending. The physical structure of the smart card consists of a small plastic rectangle with a magnetic stripe, holograms, relief characters and an embedded chip. They are small, and easy to use and carry. The security and portability of smart cards provide a safe, reliable, convenient, and effective way to ensure secure transactions (banking, e-business, etc.), and to enable a broad range of applications. Thus, modern smart cards can be used in any system that needs security and authentication. They have proven to be an ideal means of making high-level security available to everyone. This chapter aims to present an overview of today's smart card technology and show the limitations that smart card manufacturers must take into account when implementing cryptographic algorithms, for example, elliptic or hyperelliptic curve algorithms, in a smart card environment.
2.1 History
In the beginning of the 1950s, the first plastic (PVC) cards appeared in the USA as a substitute for paper money. They were initially aimed at the rich and powerful, and were only accepted by prestigious hotels and restaurants. These cards were very simple, with the owner's name printed in relief, and sometimes the handwritten signature was added. These cards provided a more convenient payment system than paper money. With the involvement of VISA™ and MasterCard™ in plastic money, credit cards spread rapidly around the world. Later a magnetic stripe was added to reduce fraud and to increase security. Confidential digitized data was stored on this stripe, but this information was accessible to anyone possessing the appropriate card reader. Between 1970 and 1973 there was a significant development in plastic cards with the addition of microcircuits to the card. Many patents were filed during this time; the best known inventors include J. Dethleff, K. Arimura, and R. Moreno. The term smart card was proposed by R. Bright. It was not until 1984 that the smart card was first put into commercial use by the French PTT (postal and telecom services) with their first telephone cards (smart cards with memory chips). By 1986, millions of these smart cards were sold in France and other countries. After telephone cards, the next big application was their use as banking cards. This development was more difficult because they contained more complicated chips that were able to compute cryptographic calculations. A number of ISO standards were created to encourage interoperability of smart cards. By 1997, bank cards were widely used in France and Germany. The microcontrollers continued to advance and became more powerful with larger memory capacity. This allowed for sophisticated cryptographic algorithms, providing higher levels of security. Nowadays, smart cards are present all over the world, and their use is likely to spread even further.
2.2 Smart Card Properties
Smart cards are physically similar to the classic embossed plastic cards. The older model cards are used as the base design for the newer smart cards. There are two different categories of smart cards: memory only cards, which are the cheapest and the simplest, and microprocessor cards, which are more expensive but have more applications and security features. The structure of smart cards is standardized by ISO, principally ISO 7816 [gro99a, gro99b, gro99c, gro99d] and ISO 7810 [gro95].
The following sections look at the different aspects of the smart card properties.
2.2.1 Physical properties
The most widely used smart card format, ID-1, is part of the 1985 ISO 7810 standard [gro95]. Most smart cards are made from PVC (Polyvinyl Chloride), which is also used for credit cards. Some are made from ABS (Acrylonitrile-Butadiene-Styrol), but these cannot be embossed; an example application is the mobile phone card.
The body of the card includes the following components: magnetic stripe, signature strip, embossing, imprinting of personal data (picture, text, fingerprint), hologram, security printing, invisible authentication features (fluorescence, UV), and a microprocessor chip.
The chip module and its embedding
The chip module, also called the micromodule, is the thin gold contact seen on the left side of the smart card. This module needs to be firmly attached to the plastic of the card. Its purpose is to protect the card and the microprocessor chip. The contacts for contact-type smart cards can also be in the chip module.
Many embedding techniques have been tested and used with the aim of optimizing overall card resilience to everyday physical and mechanical stresses (temperature, abrasion, twisting, bending, etc.) while keeping production costs as low as possible.
Contact and Contactless Cards
There are two main ways a smart card can communicate with the card terminal: through physical contact or by using a contactless connection. Contact cards were the first type of smart card on the market. However, with new advances in microcircuit technology, contactless cards have become physically feasible.
Contact Card
This is currently the most common type of card. It communicates via a card reader where the information passes through the contacts. There are metal contacts inside the card reader and on the chip module of the smart card. The position and dimensions of these contacts (power supply, data transfer, etc.) are set in the ISO 7816-2 standard [gro99b]. Another standard, AFNOR, is still in use by some cards in France, but is likely to disappear in the near future.
Figure 2.1: Pin layout for contact smart cards (contacts C1 to C8, labelled VCC, RESET, CLK, RFU, GND, VPP, I/O, RFU).

There are 8 contact areas C1...C8:
C1: Supply voltage, VCC
C2: Reset
C3: Clock, CLK
C4: Not in use, reserved for future use
C5: Ground, GND
C6: External voltage programming
C7: Input/Output for serial communication
C8: Not in use, reserved for future use
Contactless Card
These cards contain special circuits which allow data transmission over short distances without mechanical contact and without a direct supply of power. This technology is not new but is difficult to apply to smart cards. At the moment it is not possible to incorporate a battery into the card due to the size and thickness of the card, but research is ongoing to overcome this problem.
Not only is there a problem supplying power to the smart card circuits, but data and clock signals also need to be transmitted between the card and the terminal. The technique of capacitive and inductive coupling is, at this time, the most suitable for smart cards and has been standardized in ISO/IEC 14443 [gro00]. This standard presents a method for capacitive and inductive coupling where the card's conductive surfaces act as capacitor plates. One or several coupling loops are integrated into the card to receive energy from the terminal. A carrier frequency in the range of 100-300 kHz is used, which allows very rapid transmission.
Dual Interface or combi cards
In the future it is likely that combi-cards will become more common. They combine the advantages of contact and contactless cards. In ISO/IEC 10536 the application is described as "slot or surface operation." Depending on the operation, the card must either be inserted in a slot to make contact or placed on a certain surface for contactless transaction. This type of card allows applications such as credit, debit, membership, and mass transit to be used on the same card.
2.2.2 Electrical properties
The electrical properties of a smart card depend on its embedded microcontroller, since this is the only component of the card with electrical circuitry. The basic electrical requirements are defined by the ISO/IEC 7816-3 standard, Part 3: Electronic signals and transmission protocols [gro99c]. Electrical characteristics and class indication for operating at 5 V, 3 V and 1.8 V are described within Amendment 1. Amendment 2, which describes a USB interface for smart cards, is currently under preparation. The GSM mobile telephone network (GSM 11.11) should be mentioned here, because it also contributes to the requirements in this area. Further modifications of the ISO/IEC 7816 standard are driven by the UMTS specification.
Supply Voltage
A smart card's supply voltage is 5 V, with a maximum deviation of 10%. This voltage, which is the same as that used for conventional transistor-transistor-logic (TTL) circuits, is standard for all cards currently on the market. Since all modern cellular telephones are built on 1.8 V technology (GSM 11.18), modern smart cards are designed for a voltage range of 1.8-5 V ±10%, which results in an effective voltage range of 1.6-5.5 V. They can be used in both 1.8 V and 5 V terminals, to keep the advantage of simple and straightforward card usage.

Table 2.1: Smart card power consumption specified by ISO 7816 and the GSM specifications [WW00].

Specification      | ISO 7816-3 Class A | ISO 7816-3 Class B | GSM 11.11 | GSM 11.12 | GSM 11.18
Supply voltage     | 5 V                | 3 V                | 5 V       | 3 V       | 1.8 V
Supply current     | 60 mA              | 50 mA              | 10 mA     | 6 mA      | 4 mA
Frequency          | 5 MHz              | 4 MHz              | 5 MHz     | 4 MHz     | 4 MHz
Power consumption  | 300 mW             | 150 mW             | 50 mW     | 18 mW     | 7.2 mW
Supply Current
The built-in microcontroller obtains its supply voltage via contact C1 (see Figure 2.1). According to the GSM 11.11 specification, the current may not exceed 10 mA, so the maximum power dissipation is 50 mW, with a supply voltage of 5 V and an assumed current consumption of 10 mA. Table 2.1 gives an overview of the currently defined maximum power consumption classes, specified by ISO 7816 and GSM.
The current consumption is directly proportional to the clock frequency used, so it is also possible to specify the current as a function of the clock frequency: Dynamic Power = C·V²·f, where C is the load capacitance, V is the voltage swing, and f is the frequency [SS91]. State-of-the-art smart card microcontrollers use configurable internal clock frequencies for their processor and their arithmetic coprocessor. Hence, the current consumption is not only dependent on the external clock, but also on the given configuration of the microcontroller itself and the setting of the coprocessor. The coprocessor can be programmed to keep power consumption under a set value, for example, the GSM values.
2.2.3 Memory
Smart cards can be divided into two main components: the processor (including coprocessor) and memory. Memory can be sub-divided into volatile and non-volatile memory. Figure 2.2 shows the different types of volatile and non-volatile memory. Since the smart card needs to be able to function as an independent unit, most cards will be found with a combination of RAM, ROM, and EEPROM.
Read-only Memory (ROM)
ROMs are non-volatile memory that can be randomly accessed during reading. There is no limit to the number of times the memory can be read, but it can only be written during production. This type of memory requires no voltage to hold the information, so when the power is disconnected, the data is still retained. This is excellent memory for storing vital programs that the smart card needs to run, like the operating system and the diagnostic functions. The data is imprinted onto the chip using lithographic techniques. ROM cells require the least amount of area per cell compared to other available types of memory.

Figure 2.2: Types of memory found in smart cards [WW00]. Non-volatile memory: ROM, PROM, EPROM, EEPROM, Flash EEPROM, FRAM. Volatile memory: RAM.
Random Access Memory (RAM)
RAM is the work area of the smart card. It can quickly read and write data, and there is no limit
to the number of writes a RAM cell can handle. However, since it is volatile memory, power must be
supplied constantly or the contents are lost. The method of accessing this memory is what gives it
its name: random access means that a memory location is selected and accessed directly, without
having to traverse the memory block sequentially.
In smart cards the most common form of RAM is static RAM (SRAM), which, unlike dynamic RAM (DRAM),
does not need to be refreshed periodically. SRAM uses flip-flops as its basic storage element,
while DRAM uses capacitors with refresh circuitry.
Smart card chip designers try to keep the amount of RAM to a minimum, since it requires a large
area per cell. Indeed, a RAM cell requires seventeen times more area than a ROM cell [WW00].
Programmable Read-only Memory (PROM)
Programmable read-only memory is similar to ROM in that once it has been written it cannot be
rewritten. The difference is that the code does not need to be written with lithographic
techniques. PROM has a serious drawback: for the writing process, access must be granted to the
address, data and control buses. This leaves a security hole in the smart card, since an attacker
with access to these buses could read out the data stored on the chip. PROM is therefore not used
in smart cards.
Figure 2.3: Threshold voltage curves ($i_D$ versus $v_{GS}$) for the preprogrammed state (a, state 1)
and the programmed state (b, state 0); the sensed voltage lies between the two curves [SS91].
Figure 2.4: EPROM during programming: p substrate with depletion layer, n+ source and drain,
n channel, oxide, floating gate and select gate, with +16 V applied between drain and source and
+25 V on the select gate [SS91].
Erasable Programmable Read-only Memory (EPROM)
An EPROM cell is essentially an n-channel MOSFET (Metal-Oxide-Semiconductor Field Effect
Transistor) with an extra polysilicon gate called the floating gate. Initially, the EPROM is in a
preprogrammed state in which the device has an $i_D$-$v_{GS}$ characteristic similar to that of a
normal n-channel MOSFET. The threshold voltage is relatively low, as can be seen in Figure 2.3 a).
This state is generally labeled state 1.
In order to program the EPROM, a large voltage of around 16 to 20 V needs to be applied between
drain and source (see Figure 2.4). Simultaneously, a voltage of approximately 25 V needs to be
applied to the select gate. Since smart card controllers use a supply voltage between 3 and 5 V,
a cascaded voltage-multiplier circuit, or charge pump, is needed to generate the required voltage
levels.
The device acts as a regular n-channel enhancement MOSFET when there is no charge on the floating
gate. With the programming voltages present, a tapered n-type inversion layer is formed at the
surface of the substrate. The drain-to-source voltage accelerates the electrons through the
channel. The electric field produced by the voltage on the select gate attracts these hot electrons
(the accelerated electrons) towards the floating gate, where they collect and charge the gate
negatively. This process continues until the negative charge on the floating gate has reduced the
electric field to the point where it can no longer accelerate further hot electrons.
The negatively charged floating gate repels electrons from the surface of the substrate. To
compensate for the loss of electrons in this region, a larger select gate voltage is required to
form an n-channel. This shifts the $i_D$-$v_{GS}$ characteristic to a higher threshold voltage, as
can be seen in Figure 2.3 b) [SS91].
To read the state of the EPROM, the microcontroller only needs to apply a test $V_{GS}$ lying
between the two $i_D$-$v_{GS}$ curves. If current flows, the EPROM is in state 1; if it does not,
it is in state 0.
In smart cards, EPROM was used by the French PTT in its first telephone cards, since at that time
it was the only ROM-type memory available [WW00]. As with other ROM types, it does not require a
supply voltage to retain its data. EPROM can be reprogrammed, but it first requires ultraviolet
light to erase the old data. This method is not feasible for smart cards, so the technology has
been abandoned in favour of newer erasable ROMs.
Electrically Erasable Programmable Read-only Memory (EEPROM)
As with regular computers, data sometimes needs to be read, altered and then stored, with the
possibility that the voltage supply is disconnected in between. Computers use hard drives to store
such data for longer periods of time, but smart cards do not have this option. Instead they use a
type of ROM that can handle multiple writes. EPROM can only be erased with ultraviolet light, which
makes it unsuitable as a multi-write memory. The solution is another type of ROM that can be
electrically erased, the electrically erasable programmable read-only memory (EEPROM).
EEPROM operates similarly to the EPROM described above. There are two main differences between
EPROM and EEPROM. The first is how the electrons travel from the substrate to the floating gate.
EPROM uses hot electron injection, while standard EEPROM uses the tunnel effect (Fowler-Nordheim
tunneling): a high positive voltage at the select gate causes electrons to migrate through the
tunnel oxide to the floating gate, where they collect until the floating gate becomes negatively
charged.
The second difference is how the data is erased. As stated earlier, EPROM requires ultraviolet
light to reset its state. For EEPROM, a negative voltage applied to the select gate forces the
electrons from the floating gate back to the substrate. After this process the EEPROM is again
classified as discharged and the threshold voltage $V_t$ is low.
Like RAM and the other types of ROM, EEPROM can be read an unlimited number of times. However,
there is a limit to the number of writes that can be performed. The life expectancy is limited by
the quality, type and thickness of the tunnel oxide layer, which is the oxide layer between the
floating gate and the substrate (see Figure 2.4). During production the tunnel oxide is one of the
first layers to be produced. As the rest of the production continues, it undergoes large thermal
stresses that cause minute faults in the oxide layer. These faults allow the tunnel oxide to trap
electrons during the programming cycle which are not returned to the substrate when the data is
erased. The trapped electrons accumulate over the channel between drain and source. This process
continues until enough electrons have collected that they influence the threshold voltage more
strongly than the floating gate does. The threshold voltage then stays in one state regardless of
whether the floating gate is charged or not, and the EEPROM becomes useless.
2.3 Types of Smart Cards
2.3.1 Memory only cards (also called synchronous cards)
This was the first type of card to be widely used. The prepaid telephone cards mentioned in the
introduction are an example of this type. The data required by the application is stored in
EEPROM (EPROM in the first cards). In the simplest case the cards use memory that can only be
written once; after use, the memory is deleted and made inoperable (the Thomson ST1200 SGS,
introduced in 1983, worked in this way). The addition of a security logic device allows more
control over memory access. More complex memory cards now exist that can perform simple
encryption.
These cards are easy to use, the electronics are simple, the chip is small and the price is low.
However, memory space and flexibility are limited, and they are not suited to security
applications.
2.3.2 Microprocessor cards (also called asynchronous cards)
These cards are equipped with an "intelligent circuit": a processor connected to memory blocks,
capable of carrying out complex calculations. The added functionality of the microprocessor
allows for higher security and a wider choice of applications. However, as a result, these cards
are larger and more complex. It is possible to connect other devices to the microprocessor for
communication, special operations or security. Figure 2.5 shows many of the possible components
that can be added to the microprocessor card. There are many different types of microprocessor
smart cards. All of them function as a secured unit, protected from unauthorized access.
All microprocessors (and most computers) employ the principle of the stored-program digital
computer. This means that data and instructions, which are stored in a memory area, must first be
loaded into registers. The central processing unit (CPU) then operates on these registers and
places the results back into the memory areas.
Figure 2.5: Components of the microprocessor: CPU, timers, UART, crypto device, security sensors,
RAM, ROM and EEPROM, connected by a bus.
CISC                                                     | RISC
Extensive instruction set.                               | Small instruction set.
Complex and efficient machine instructions.              | Simple instructions.
Advanced instructions microencoded.                      | Hardwired machine instructions.
Extensive addressing capabilities for memory operations. | Few addressing modes.
Few registers.                                           | Many registers.
Table 2.2: Characteristics of CISC and RISC based processors.
The CPUs used in smart cards are usually built around proven cores from other applications. Many
CPUs are based on the CISC (Complex Instruction Set Computer) architecture, which requires several
clock cycles per instruction. However, CPUs based on the RISC (Reduced Instruction Set Computer)
architecture are becoming more common. Table 2.2 contrasts the characteristics of CISC and RISC
type processors. Many current CISC type processors are based on one of two main families, the
Intel 8051 or the Motorola 6805. Manufacturers take the base design of either a CISC or a RISC
processor and add their own functionality as needed. Some common smart card processor
manufacturers are Philips S.C., Infineon, ST Microelectronics, Hitachi, ARM, and MIPS.
The processing speed of the smart card is controlled by a clock circuit normally set to 5 MHz.
Modern smart card processors use clock multipliers (by two or four) to increase this operating
clock speed for internal calculations. Using clock multipliers, smart cards are able to operate at
speeds between 20 and 30 MHz.
The area occupied by the microprocessor on the chip has a big influence on its manufacturing cost
and on its resistance to bending and shearing forces. Therefore, effort is made to reduce the chip
size as much as possible. The chip's surface area must be less than 25 mm². This means that the
microprocessor contains between 150 000 and 200 000 transistors fabricated in a 0.25 or 0.30 µm
CMOS process. New smart card microprocessor designs use the 0.18 µm CMOS process.
To provide additional functionality, smart card manufacturers add specialized coprocessors that
perform only specified tasks. The next section takes a closer look at coprocessors in smart cards.
Coprocessors
Coprocessors are used on the majority of current chips for special operations. Among those used
for cryptography are:
- a DES [NIS99a] coprocessor for DES encryption/decryption;
- a random number generator coprocessor, which allows the use of random values in algorithms;
- an arithmetic coprocessor dedicated to arithmetic operations (modular operations) on long
integers.
An arithmetic coprocessor is essential for asymmetric cryptography algorithms such as RSA, DSA
and ECDSA [Mur01]. Adding such coprocessors has a significant impact on the cost of the chip,
increasing it by as much as a factor of ten. This being the case, one may wonder why, with
increasingly powerful processors, it continues to be necessary to add coprocessors. But at the
same time cryptographic algorithms require longer keys to remain secure, so coprocessors are
likely to remain necessary for high-performance cards.
Chapter 3
Elliptic Curve Theory and Cryptography
In 1985 Koblitz [N. 87] and Miller [V.S86] independently suggested elliptic curves for public key
cryptography. The first methods for calculating elliptic curve additions and scalar multiplications
were very complicated; however, by the late 1990s the process had been optimized to the point
where it could compete with other public key cryptosystems. Elliptic curves provide the same
security level as competing public key cryptosystems but at a much smaller key length, hence
providing savings in cost, calculation time and implementation size.
A very good introduction to elliptic curve cryptography can also be found in [Cor98, Dah00,
Kne02, V.S86, Mil96, Ros99].
3.1 Elliptic Curve Algebra
The elliptic curve $E(k)$ over a field $k$ is defined as a set of points $P_i = (x_i, y_i)$ in an
affine two-dimensional space. The Weierstrass form of the elliptic curve is
$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6. \quad (3.1)$$
The values $a_i$, $x$ and $y$ are elements of the field $k$.
Definition: Let $\mathcal{O}$ be the identity element that satisfies $P + \mathcal{O} = P$. This
point is also called the point at infinity.
The Weierstrass equation can be rewritten depending on the field chosen, $\mathbb{F}_p$ or
$\mathbb{F}_{2^m}$.
3.2 Point Operations on Elliptic Curves over Prime Fields $\mathbb{F}_p$
If $p > 3$ is a prime and $a, b \in \mathbb{F}_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$, then
the elliptic curve $E(\mathbb{F}_p)$ is
$$y^2 = x^3 + ax + b. \quad (3.2)$$
A point addition operator $+$ using the $\mathcal{O}$ element can be defined on the set
$E(\mathbb{F}_p)$ to form an abelian group. With $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and
$P, Q \in E(\mathbb{F}_p)$, the addition operator $+$ is defined as follows (see Figure 3.1):
1. For point addition, $P + Q = (x_3, y_3)$ with $P \ne \pm Q$ (for $Q = -P = (x_1, -y_1)$ the sum
is $\mathcal{O}$, and the slope below is undefined):
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda (x_1 - x_3) - y_1, \qquad
\lambda = \frac{y_2 - y_1}{x_2 - x_1}. \quad (3.3)$$
2. For point doubling, $P + P = 2P = (x_3, y_3)$:
$$x_3 = \lambda^2 - 2x_1, \qquad y_3 = \lambda (x_1 - x_3) - y_1, \qquad
\lambda = \frac{3x_1^2 + a}{2y_1}. \quad (3.4)$$
The addition of two different points on the elliptic curve requires the following arithmetic
operations in $\mathbb{F}_p$: six additions, one squaring, two multiplications and one inversion.
Point doubling in $\mathbb{F}_p$ requires eight additions, two squarings, two multiplications and
one inversion.
The previous equations can also be obtained graphically by applying the following steps.
To calculate $R = P + Q$ (see Figure 3.1 a)):
1. Plot $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ on the curve;
2. Connect $P$ and $Q$ with a line;
3. The third point where the line intersects the curve is $R' = (x_3, -y_3)$;
4. Mirror $R'$ across the $x$-axis (negate the $y$-coordinate) to get the new point
$R = (x_3, y_3)$.
To calculate $R = 2P$ (see Figure 3.1 b)):
1. Plot $P = (x_1, y_1)$ on the curve;
2. Draw the tangent to the curve at $P$; its slope is $\lambda = \frac{3x_1^2 + a}{2y_1}$;
3. The point where the tangent line meets the curve again is $R' = (x_3, -y_3)$;
4. Mirror $R'$ across the $x$-axis to get the new point $R = (x_3, y_3)$.
Figure 3.1: Geometric elliptic curve addition (a: $R = P + Q$) and doubling (b: $R = 2P$).
The order of the elliptic curve is the number of points in $E(\mathbb{F}_p)$, denoted by
$\#E(\mathbb{F}_p)$. For prime fields Hasse's theorem [Gj00, N. 87] provides a bound for
$\#E(\mathbb{F}_q)$:
$$q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}, \quad (3.5)$$
where $q$ is the prime power ($q = p$ for a prime field).
3.3 Point Operations on Elliptic Curves over Polynomial Fields $\mathbb{F}_{2^m}$
It is common to implement elliptic curves on computers in either the $\mathbb{F}_p$ field or the
$\mathbb{F}_{2^m}$ field. The constants for $\mathbb{F}_{2^m}$ can be given in either a polynomial
or a normal basis. The reduced Weierstrass form for $\mathbb{F}_p$ differs from that for
$\mathbb{F}_{2^m}$. Over the polynomial field there are two possible forms, the supersingular curve
$$y^2 + y = x^3 + a_4 x + a_6 \quad (3.6)$$
and the nonsupersingular curve
$$y^2 + xy = x^3 + a_2 x^2 + a_6. \quad (3.7)$$
The addition of two points on a nonsupersingular curve $E(\mathbb{F}_{2^m})$ over $\mathbb{F}_{2^m}$
follows the $\mathbb{F}_p$ case:
1. For point addition, $P + Q = (x_3, y_3)$ with $P \ne \pm Q$:
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_2, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1, \qquad
\lambda = \frac{y_2 + y_1}{x_2 + x_1}. \quad (3.8)$$
2. For point doubling, $P + P = 2P = (x_3, y_3)$:
$$x_3 = \lambda^2 + \lambda + a_2, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1, \qquad
\lambda = x_1 + \frac{y_1}{x_1}. \quad (3.9)$$
Here $a_2$ is the coefficient of $x^2$ in (3.7), and the negative of a point is
$-P = (x_1, x_1 + y_1)$.
Point addition in $\mathbb{F}_{2^m}$ has a little more overhead than its $\mathbb{F}_p$
counterpart, with one inversion, two multiplications, one squaring and eight additions. Point
doubling, however, has a lower overhead, with one inversion, two multiplications, one squaring and
six additions.
Definition: Let $p$ be the characteristic of $\mathbb{F}_q$ and let $t = q + 1 - \#E$. The
elliptic curve $E$ is supersingular if $p$ divides $t$, otherwise it is nonsupersingular.
Care must be taken in choosing the proper $\mathbb{F}_{2^m}$ curves for cryptographic
applications. Supersingular curves allow quick calculations; however, they are also susceptible to
certain attacks. When using nonsupersingular curves care must also be taken, since there are curves
to which the Frey-Rück attack applies [Coh05]. However, among nonsupersingular curves there are
still many groups that are not vulnerable to this attack, whereas supersingular curves are always
vulnerable [Gal01].
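The binary-field arithmetic, the group law (3.8)/(3.9) and the supersingularity test of this section, as an added example that is not part of the thesis. It assumes $m = 4$ with the reduction polynomial $z^4 + z + 1$ in polynomial basis and two constructed toy curves, the nonsupersingular $y^2 + xy = x^3 + x^2 + 1$ ($a_2 = a_6 = 1$) and the supersingular $y^2 + y = x^3 + x + 1$ ($a_4 = a_6 = 1$); the field is this small only so that every point can be enumerated and $t = q + 1 - \#E$ computed directly, whereas real curves use $m$ of 163 bits or more.

```python
# Added example (not from the thesis): polynomial-basis arithmetic in F_{2^m},
# the group law of equations (3.8) and (3.9) on a nonsupersingular curve (3.7),
# and the test "characteristic p divides t = q + 1 - #E" for supersingularity.
# Assumptions: m = 4, reduction polynomial z^4 + z + 1, and two toy curves
# (constructed for illustration only; real deployments use m >= 163).
M = 4
REDUCTION = 0b10011   # z^4 + z + 1, irreducible over F_2
Q = 1 << M            # field size q = 2^m
O = None              # point at infinity


def gf_mul(a, b):
    """Shift-and-add multiplication in F_{2^m}; field addition is plain XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:           # degree reached m: reduce modulo z^4 + z + 1
            a ^= REDUCTION
    return r


def gf_inv(a):
    """a^(2^m - 2) = a^-1 by square-and-multiply (a must be nonzero)."""
    r, e = 1, Q - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# Curves in the characteristic-2 Weierstrass form
#   y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6   (equation (3.1))
NONSUPERSINGULAR = dict(a1=1, a3=0, a2=1, a4=0, a6=1)   # form (3.7): y^2 + xy = x^3 + x^2 + 1
SUPERSINGULAR = dict(a1=0, a3=1, a2=0, a4=1, a6=1)      # form (3.6): y^2 + y = x^3 + x + 1


def is_on_curve(pt, c=NONSUPERSINGULAR):
    if pt is O:
        return True
    x, y = pt
    x2 = gf_mul(x, x)
    lhs = gf_mul(y, y) ^ gf_mul(c["a1"], gf_mul(x, y)) ^ gf_mul(c["a3"], y)
    rhs = gf_mul(x2, x) ^ gf_mul(c["a2"], x2) ^ gf_mul(c["a4"], x) ^ c["a6"]
    return lhs == rhs


def count_points(c):
    """#E(F_q): every affine pair tried by brute force, plus the point at infinity."""
    return 1 + sum(is_on_curve((x, y), c) for x in range(Q) for y in range(Q))


def is_supersingular(c):
    """Definition of section 3.3: p | t with t = q + 1 - #E and p = 2 here."""
    t = Q + 1 - count_points(c)
    return t % 2 == 0


def point_add(P, R, a2=NONSUPERSINGULAR["a2"]):
    """P + R on y^2 + xy = x^3 + a2 x^2 + a6, using (3.8) for P != R and (3.9) for P == R."""
    if P is O:
        return R
    if R is O:
        return P
    x1, y1 = P
    x2, y2 = R
    if x1 == x2:
        if y1 != y2 or x1 == 0:     # R = -P = (x1, x1 + y1), or P = (0, sqrt(a6)) of order 2
            return O
        lam = x1 ^ gf_mul(y1, gf_inv(x1))                 # (3.9): lambda = x1 + y1/x1
        x3 = gf_mul(lam, lam) ^ lam ^ a2
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))            # (3.8): lambda = (y1+y2)/(x1+x2)
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a2
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1                   # same y3 in both cases
    return (x3, y3)


def affine_points(c=NONSUPERSINGULAR):
    """All affine points of the curve, for exhaustive checks of the group law."""
    return [(x, y) for x in range(Q) for y in range(Q) if is_on_curve((x, y), c)]
```

Because the whole group is enumerable, the group law can be checked exhaustively: every sum of two points lands on the curve, addition is commutative and associative, and the point $(0, \sqrt{a_6}) = (0, 1)$ doubles to $\mathcal{O}$, which is why $\#E$ is even and $t$ odd for the nonsupersingular form while the $y^2 + y$ form yields an even $t$.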
Elliptic curve algebra, shown here, is the basis for a popular form of asymmetric cryptogra-
phy. The next section presents the differences between asymmetric and symmetric cryptography
and a common implementation of the elliptic curve in cryptographic applications.
3.4 Cryptography
Throughout history there are many examples of people using cryptography to secure their messages
or information. The communication model can be viewed as in Figure 3.2. Person 1 wants to
communicate privately with Person 2; however, Person 3 uses the available techniques to listen in.
If Person 3, the attacker, can see and/or modify the information, the communication channel is
insecure.  Other examples of communication are variations on Figure 3.2 where Person 2 may be a
human, as in a cellphone call, a website from which Person 1 wishes to make a purchase, or a smart
card automated teller machine (ATM). Each of these examples can lead to financial and reputation
loss if a third person retrieves Person 1's information or if the attacker can impersonate
Person 1.
Figure 3.2: Communication channel between Person 1 and 2, with Person 3 attacking the channel.
These examples illustrate the goals of security, which can be listed as follows:
Confidentiality: The information is kept private and only authorized people or devices may see
and interact with it.
Data Integrity: The data retains its original content, even when transmitted over an open medium.
A third person is not able to alter the data without the receiver becoming aware of it.
Authentication: The receiver is assured that the data comes from the intended sender.
Non-repudiation: The receiver is able to convince an impartial third party that the data
originated from the sender.
There are two forms of cryptography currently in use, symmetric and asymmetric key cryptography
(see Figures 3.3 and 3.4). Both are used regularly to secure data; for example, symmetric key
cryptography is often used for applications with high data rates, since it is 1000 to 10000 times
faster than equivalent asymmetric key algorithms [APS96]. Asymmetric keys are often used for
secure key management and key exchange over an unsecured channel; the Diffie-Hellman public key
algorithm [Kae04] is one example.
3.4.1 Symmetric (Private) Key Cryptography
For symmetric key systems both parties (encrypter and decrypter) need to have the same key.
Figure 3.3 gives a visual picture of the symmetric key encryption process. The sender has a plain
text message and a secret key $p_{secret}$, which are input into the symmetric encryption
algorithm. The function outputs an encrypted message that can be sent openly to the receiver. The
key, however, needs to be transported by some secure method, either by physically exchanging it
or through newer key management systems that transport keys securely. The receiver has the
encrypted message, the secret key and the decryption algorithm; the key and the cipher message are
the inputs to decryption, and the output is the plain text message.
A system is said to be secure when an attacker who has the ciphering algorithms and the cipher
message is still not able to recover the plain text message (in a reasonable time period).
Figure 3.3: Symmetric encryption scheme. A random number generator produces the secret key
$p_{secret}$, which is transported securely to the receiver; the sender encrypts the plain text
message with $p_{secret}$, sends the encrypted message over the open channel, and the receiver
decrypts it with the same $p_{secret}$.
3.4.2 Asymmetric (Public-Private) Key Cryptography
One of the major drawbacks of the private key method is how to give both parties exclusive access
to the private key. If they are at the same location it is not a problem, but that is not always
the case: a message may have to be sent between people who are far apart. A solution to this
problem was introduced in 1976 with the advent of asymmetric or public key encryption.
Public key encryption works with two keys, a public and a private key. The key pair is selected
such that deriving the private key from the public key is equivalent to solving a computational
problem that is believed to be intractable.
If the sender wants to send a message, as in Figure 3.4, the receiver must first supply the sender
with a public key $PK_{rec}$ over an unsecured channel. The sender then uses the receiver's public
key $PK_{rec}$ and their own private key $p_{sen}$ to calculate a common secret $S$. An encrypted
message can be created with $S$, the plain text message and the encryption function. The encrypted
message is sent to the receiver, who first calculates the common secret $S$ using their private
key $p_{rec}$ and the public key of the sender $PK_{sen}$. The common secret is then used with the
symmetric encryption algorithm (in decrypt mode) and the encrypted message to recreate the plain
text message.
Figure 3.4: Asymmetric encryption. Each side draws a private key from its own random number
generator ($p_{sen}$, $p_{rec}$) and publishes the corresponding public key
$PK_{sen} = p_{sen} \cdot Q$ and $PK_{rec} = p_{rec} \cdot Q$ over the open channel. The sender
computes the common secret $S(PK_{rec}, p_{sen})$, the receiver computes $S(PK_{sen}, p_{rec})$,
and both use $S$ with the symmetric encryption algorithm to encrypt and decrypt the plain text
message.
The public key system has the benefit of being more robust than the private key system; however,
this comes at the cost of higher computation and algorithm complexity. Table 3.1 compares the key
lengths of various private and public key systems. It is evident that the private (symmetric) key
algorithms require a smaller key length to achieve security equivalent to a public key system.
Also included in Table 3.1 is the newer elliptic curve cryptosystem. The public key architecture
is moving away from the older RSA/DSA systems (see [Lab02] and [18600] for further details on
these algorithms) towards Elliptic Curve Cryptography (ECC). Currently, ECC algorithms are more
complex than their RSA equivalents; however, ongoing research is allowing ECC to be used in small
devices such as smart cards. The major benefit of ECC is the future expandability of the
algorithm. Whereas RSA requires an extremely large key of 15360 bits to match a 256 bit symmetric
key, the ECC system only needs a key size of 512 bits. The smaller key size requires less memory
and processor power.
Symmetric Algorithm | ECC Algorithm     | DSA/RSA Algorithm
Key length (bits)   | Key length (bits) | Key length (bits)
80                  | 160               | 1024
112                 | 224               | 2048
128                 | 256               | 3072
192                 | 384               | 7680
256                 | 512               | 15360
Table 3.1: Comparison of key lengths for symmetric, ECC and RSA/DSA cryptographic algorithms.
Example 3.4.1. An example of an ECC algorithm is the Elliptic Curve Authentication Encryption
Scheme (EC-AES) [LeR00, Han04]. To send a message using EC-AES it is assumed that the sender has
the receiver's public key $K_{pub2}$ and the domain parameters $D = (q, F, a, b, BP, n, \#E(F))$,
where $q$ is the prime power ($q = p$ or $q = 2^m$), $F$ is the field representation,
$a, b \in \mathbb{F}_q$ specify the curve over $\mathbb{F}_q$ (i.e. $y^2 = x^3 + ax + b$ for
$p > 3$), $BP = (x_{BP}, y_{BP})$ is the base point, $n$ is the order of $BP$, and the curve order
$\#E(F)$ is the number of points on the curve. EC-AES uses elliptic curve cryptography and a Key
Derivation Function (KDF), such as that of ANSI X9.42 [Kel00], to transport the key from sender to
receiver, while the actual encryption of the message is done by a symmetric encryption scheme, for
example the AES standard [19701]. The authentication is performed by a Message Authentication
Code (MAC) such as HMAC [oST02].
To encrypt a message $m$ the sender needs to perform the following:
1. Select a random number $k_{priv1}$ in the range $[1, n-1]$.
2. Calculate the sender's key pair $(K_{pub1}, k_{priv1})$ with $K_{pub1} = k_{priv1} \cdot BP$.
3. Calculate the shared secret on the curve, $S = h \cdot k_{priv1} \cdot K_{pub2} = (S_x, S_y)$,
where $h = \#E(F)/n$ is the cofactor of the base point.
4. Verify that $S \ne \mathcal{O}$.
5. Use the key derivation function to calculate the signature and encryption keys,
$k_{sign} \,\|\, k_{enc} = \mathrm{KDF}(S_x)$.
6. Encrypt the message using the symmetric encryption algorithm, $c = E_{k_{enc}}(m)$.
7. Authenticate the message using the MAC algorithm, $v = \mathrm{MAC}_{k_{sign}}(c)$.
8. Send $(K_{pub1}, c, v)$.
On the other end of the communication line, the receiver gets $(K_{pub1}, c, v)$ and has the
domain parameters $D$. They proceed to calculate the following to retrieve the message:
1. Check that $K_{pub1} \ne \mathcal{O}$.
2. Verify that the coordinates $x_{K_{pub1}}$ and $y_{K_{pub1}}$ are elements of $\mathbb{F}_q$.
3. Confirm that $K_{pub1}$ lies on the curve defined by $a$ and $b$.
4. Derive the shared secret $S = h \cdot k_{priv2} \cdot K_{pub1} = (S_x, S_y)$.
5. Verify that $S \ne \mathcal{O}$.
6. Calculate the keys for authentication and decryption,
$k_{auth} \,\|\, k_{dec} = \mathrm{KDF}(S_x)$.
7. Check that $v = \mathrm{MAC}_{k_{auth}}(c)$; reject the message if it does not match.
8. Decrypt the message, $m = \mathrm{DEC}_{k_{dec}}(c)$.
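The $\mathbb{F}_p$ group law of Section 3.2 and the EC-AES procedure of Example 3.4.1, as one added example that is not part of the thesis: the affine formulas (3.3) and (3.4), double-and-add scalar multiplication, an exhaustive point count checked against Hasse's bound (3.5), and both the sender's and the receiver's lists of Example 3.4.1, with every receiver check in the prescribed order. Everything specific is an assumption of the example rather than of the thesis: the toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $(5, 1)$ of prime order 19 (so the cofactor $h = 1$), SHA-256 in counter mode standing in for the KDF, HMAC-SHA256 as the MAC, and, because the Python standard library contains no AES, an HMAC-SHA256 keystream XOR standing in for the AES encryption step. The curve is far too small for any real use; the structure of the exchange is the point.

```python
# Added example (not from the thesis): affine group law over F_p, equations
# (3.3)/(3.4); point count vs Hasse's bound (3.5); EC-AES of Example 3.4.1.
# Assumptions: toy curve y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of
# prime order 19 (cofactor 1); SHA-256 counter mode as KDF; HMAC-SHA256 as
# MAC; HMAC-SHA256 keystream XOR in place of AES (no AES in the stdlib).
import hashlib
import hmac
import secrets

P_MOD, A, B = 17, 2, 2            # y^2 = x^3 + A x + B over F_p, 4A^3 + 27B^2 != 0
BP, N_ORDER, COFACTOR = (5, 1), 19, 1
O = None                          # point at infinity

def is_on_curve(pt):
    """Receiver steps 2 and 3: coordinates in F_p and the curve equation holds."""
    if pt is O:
        return True
    x, y = pt
    in_field = 0 <= x < P_MOD and 0 <= y < P_MOD
    return in_field and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def point_add(P, Q):
    """P + Q in affine coordinates (section 3.2)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                        # Q = -P
    if P == Q:                                          # doubling, eq. (3.4)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:                                               # addition, eq. (3.3)
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, P):
    """k * P by double-and-add (not constant-time; fine for a toy curve)."""
    R = O
    while k > 0:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R

def curve_order():
    """#E(F_p) by exhaustive search; feasible only on a toy curve."""
    return 1 + sum(is_on_curve((x, y)) for x in range(P_MOD) for y in range(P_MOD))

def hasse_bound_holds(count):
    return (count - P_MOD - 1) ** 2 <= 4 * P_MOD        # (3.5) squared

def kdf(sx, length=64):
    """KDF stand-in (assumption): SHA-256 over S_x with a counter."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(sx.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def keystream_xor(key, data):
    """AES stand-in (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], block))
    return bytes(out)

def ec_aes_encrypt(k_pub2, m):
    """Sender side of Example 3.4.1; returns (K_pub1, c, v)."""
    k_priv1 = secrets.randbelow(N_ORDER - 1) + 1        # 1: random in [1, n-1]
    k_pub1 = scalar_mult(k_priv1, BP)                   # 2: K_pub1 = k_priv1 * BP
    S = scalar_mult(COFACTOR * k_priv1, k_pub2)         # 3: S = h k_priv1 K_pub2
    if S is O:                                          # 4
        raise ValueError("shared secret is the point at infinity")
    keys = kdf(S[0])                                    # 5: k_sign || k_enc = KDF(S_x)
    k_sign, k_enc = keys[:32], keys[32:]
    c = keystream_xor(k_enc, m)                         # 6: c = E_k_enc(m)
    v = hmac.new(k_sign, c, hashlib.sha256).digest()    # 7: v = MAC_k_sign(c)
    return k_pub1, c, v                                 # 8

def ec_aes_decrypt(k_priv2, k_pub1, c, v):
    """Receiver side of Example 3.4.1; raises ValueError on any failed check."""
    if k_pub1 is O:                                     # 1
        raise ValueError("public key is the point at infinity")
    if not is_on_curve(k_pub1):                         # 2 and 3
        raise ValueError("public key is not a valid curve point")
    S = scalar_mult(COFACTOR * k_priv2, k_pub1)         # 4
    if S is O:                                          # 5
        raise ValueError("shared secret is the point at infinity")
    keys = kdf(S[0])                                    # 6
    k_auth, k_dec = keys[:32], keys[32:]
    if not hmac.compare_digest(v, hmac.new(k_auth, c, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")            # 7: verify before decrypting
    return keystream_xor(k_dec, c)                      # 8
```

The receiver generates $k_{priv2}$ in $[1, n-1]$ and publishes $K_{pub2} = k_{priv2} \cdot BP$; ec_aes_encrypt(K_pub2, m) then yields the triple that ec_aes_decrypt(k_priv2, ...) turns back into $m$. Because $n$ is prime, $k_{priv1} k_{priv2} \not\equiv 0 \pmod n$ and the shared secret can never be $\mathcal{O}$; the checks in steps 1 to 3 and 7 are what reject a point off the curve or a modified ciphertext before any key material is used for decryption.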
Chapter 4
Random Numbers, Generation and Testing
4.1 Definition of a random sequence
What exactly are random numbers? Is the number 5 random? In this section we closely follow the
exposition of [Lub]. Let $\Sigma = \{0, 1\}$ and let $\Sigma^\infty$ be the set of sequences of
countably infinite¹ length with coefficients in the alphabet $\Sigma$. An element
$u \in \Sigma^\infty$ can be written as a sequence of 0 and 1,
$$u = u_0 u_1 u_2 u_3 u_4 u_5 \ldots,$$
with $u_i \in \{0, 1\}$. For $n \in \mathbb{N}$, the set of finite binary sequences of length $n$
is denoted by $\Sigma^n$. An element $u \in \Sigma^n$ can be written as
$$u = u_0 u_1 u_2 \ldots u_{n-1}.$$
The objective of this paragraph is to define, among all the elements of $\Sigma^\infty$, those
that are random.
Let $W_k$ be the map from $\Sigma^\infty$ into the set of sequences with coefficients in
$\Sigma^k$ which associates to $u \in \Sigma^\infty$ the unique sequence $(w_i)$ such that
$$u = w_0 \,|\, w_1 \,|\, \ldots \,|\, w_q \,|\, \ldots$$
with $|$ the concatenation and $w_i \in \Sigma^k$.
In the following, a sequence of events is defined as a sequence $(u_n)_{n \in \mathbb{N}}$ with
values in a set which will always be finite. The probability denoted by
$$P_e[(u_n) = x]$$
is the empirical probability that an event is equal to $x$, defined as the limit
$$\lim_{k \to \infty} \frac{S_k(x)}{k}, \quad (4.1)$$
if it exists, with $S_k(x) = |\{ n \le k \mid u_n = x \}|$. If $(w_n)$ is a sequence of words of
$\Sigma^k$ then $E((w_n))$ denotes the Shannon entropy of $(w_n)$, defined by
$$E((w_n)) = \sum_{x \in \Sigma^k} P_e[(w_n) = x] \,\log_2 \frac{1}{P_e[(w_n) = x]}.$$
¹ A countably infinite set is any set which, in spite of its boundlessness, can be shown to be
equivalent to the natural numbers [Wei].
The definition from [Knu97] can now be stated.
Definition 4.1.1. A sequence $(u_n) \in \Sigma^\infty$ is $l$-distributed for $l \in \mathbb{N}$
if $E(W_l((u_n))) = l$, or equivalently if for all $x \in \Sigma^l$,
$P_e[W_l((u_n)) = x] = (\tfrac{1}{2})^l$. A sequence $(u_n) \in \Sigma^\infty$ is then
$\infty$-distributed if it is $l$-distributed for all $l \in \mathbb{N}$.
Temporarily, it can be stated that a sequence is random if it is $\infty$-distributed. In
particular, if $(u_n)$ is a random sequence then $W_k((u_n))$ is an equidistributed sequence of
words of $\Sigma^k$. If a subsequence of length $k$ is picked at random from a random sequence,
then the probability of selecting a given subsequence is the same for all words in $\Sigma^k$.
This illustrates well the intuitive idea of a random phenomenon. A consequence of this is that it
is impossible to define precisely what a finite random sequence is.
The link between the statistical tests and the preceding definition of a random sequence can be
shown by rewriting the preceding definition in the terms of probability theory. For that, let
$(\Omega, \mathcal{A}, P)$ be a probability space, defined by a finite set $\Omega$ endowed with
the discrete sigma-algebra $\mathcal{A}$, i.e. the one generated by all the elements of $\Omega$,
and a positive measure $P$ on $\mathcal{A}$ that is equidistributed and of total weight 1. For
this paragraph, $\Omega$ will be $\Sigma^n$, the set of binary sequences of length $n$. The
probability space is then denoted by $(\Sigma^n, \mathcal{A}_n, P_n)$.
A random variable is a map $X : \Omega \to \mathbb{R}$. This endows $\mathbb{R}$ with the
structure of a measured space, and the induced measure is indicated, by abuse of notation, by
$P_X$. The function which maps $x \in \mathbb{R}$ to $P[X = x] = P(X^{-1}(x))$ is called the law
of $X$. This gives the following alternative definition of a random sequence, which is just a
reformulation of Definition 4.1.1.
Definition 4.1.2. A sequence $(u_n) \in \Sigma^\infty$ is random if and only if, for all random
variables $X$ from $\Sigma^k$ (endowed with the equidistributed probability law) to $\mathbb{R}$
and for all $x \in \mathbb{R}$,
$$P_e[X(W_k((u_n))) = x] = P[X = x].$$
In other words, the empirical law determined by the sequence $X(u)$ follows the theoretical law
induced on $\mathbb{R}$ by the random variable under the equidistributed probability law of
$\Sigma^k$. This definition gives the general principle that underlies the statistical tests used
to assess whether a sequence is random: some random variables are defined on the sets $\Sigma^k$,
$k$ being an integer, endowed with the equidistributed probability. This gives a law on
$\mathbb{R}$ that can be computed, or approximately computed, thanks to results from probability
theory. Most of the time this law will be a Gaussian or a $\chi^2$ distribution. This law is then
compared, for example using a Kolmogorov-Smirnov test, to the empirical law obtained from the
limit in (4.1), which is approximated by a computation on a finite sample sequence.
The problem is that the preceding general principle is asymptotic by nature: by definition, all
sequences of a fixed length $l$ have the same probability of occurring in a random sequence.
Without any further hypothesis, it is not possible to distinguish a random sequence from a
non-random sequence when only a finite subsequence is available. It is important to remember two
main ideas: an infinite sequence can be associated with a probability distribution on the space of
finite sequences of length $l$, and a property of all random sequences is that their subsequences
of length $l$ have a uniform distribution.
As noted in [Knu97], the definition of a random sequence stated above does not capture all the
properties that may be expected from a random sequence. For instance, let $u \in \Sigma^\infty$ be
an $\infty$-distributed sequence and let $u^0$ be the sequence deduced from $u$ by forcing to zero
the bits of rank $n^2$, $n \ge 2$. It is easy to see that the sequence $u^0$ is also
$\infty$-distributed, yet it is not random, because the value of some of its bits can easily be
predicted a priori. However, even if the definition does not capture the notion of
unpredictability that is expected from a random sequence, it is enough for the purpose of
statistical tests.
The next section will take a closer look at generating random sequences and the testing to see
if these generators are operating properly.
4.2 Random number generators
4.2.1 History
Progress in generating random number sequences has been significant. However, people are still trying to figure out new methods for producing fast, cryptographically secure random bits. Before the first table of random numbers was published in 1927, researchers had to work with very slow and simple random number generators (RNG), like tossing a coin or rolling dice. Needless to say, these methods were very time consuming. It was not until 1927, when Tippetts published a table of 40,000 numbers derived from census reports, that people had access to a large sequence of random numbers.
This lack of a ready source of random number sequences led people to try to create more efficient means of producing random numbers. In 1939, the first mechanical random number machine was created by Kendell and Babington-Smith. Their machine was used to generate a table of 100,000 numbers, which was later published for further use. The practice of using
32 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING
random number machines to generate tables of random numbers continued with the publishing of 1,000,000 digits by the Rand Corporation. Their generator could best be described as an electronic roulette wheel. The first version produced sequences with statistical biases. The Rand Corp. had to optimize and fix their machine, but even after this the new sequences showed a slight statistical bias. However, the random sequences were deemed to be good enough.
Even though tables provided researchers with a larger selection of random numbers, this method still had its drawbacks. It required large amounts of memory, since each random number had to be preloaded into memory, and it took a long time to input the data. At this point RNG research branched into two paths: the algorithmic approach and the sampling of physical systems. The algorithmic approach looked into producing random numbers by using the computer's arithmetic operations, and this led to the creation of deterministic random number generators or pseudorandom number generators. Sampling of physical systems, however, looked at how to create statistically acceptable sequences from natural random sources. These random number generators are called true random number generators, since they are based on a truly random source.
Remark 4.2.1. A detailed timeline for the random number machine can be found in [Rit02].
4.2.2 Properties of random number generators
When looking at a random number generator, how is it possible to determine if it is a source of random numbers? Four properties distinguish a random number generator from just an ordinary number generator. The best way to illustrate these properties is to examine a simple random number generator. One of the most recognized and used RNGs is the coin toss, provided the coin is assumed to be fair.
By assigning 0 and 1 to the two sides of the coin, it can be used to generate a random binary sequence. One of the first properties noticed is that the result of each toss is not affected, in any way, by the previous tosses. This means that if ten ones are tossed in a row, the probability of tossing an eleventh one is still 50%. This example illustrates the property of independence: previous results do not affect future results.
Random number generators can be designed to produce any range of values, or distribution. When analyzing the output of common RNGs, the values usually fall into a uniform distribution, which means that they have an equal probability of taking any of the values in the specified range. The distribution does not need to be uniform; for some simulations a designer may wish to produce a random sequence following a normal or other distribution. For cryptographic applications it is important that the distribution is uniform. Using a nonuniform distribution allows a hacker to concentrate on a smaller group of numbers when attacking the system.
There are physical and computational limits to the size of numbers that an RNG can create. These limitations impose a natural boundary on the RNG, and once it has reached these limits the RNG repeats its output. This defines the period of the RNG. A well designed RNG will only be bound by the hardware limits. If the RNG is designed without care, there can be multiple sequence groups that the RNG could produce, each with a period shorter than the ideal period.
The size of the random sequences required depends on the desired application. Cryptographic applications require relatively short sequences, in the range of 1024 bits depending on the algorithm, whereas simulations require extremely long sequences. A good example is the Monte Carlo simulation, which may require random sequences up to a billion bits in length, or even more. Therefore, RNGs need to be very efficient and must generate numbers quickly.
The next sections examine the different properties of three classes of random number generators: pseudo, true, and cryptographic random number generators. Each has its own unique requirements and restrictions.
4.2.3 Types of random number generators
Pseudorandom number generators
As mentioned in the history of RNGs (cf. Subsection 4.2.1), the development of random number generators branched with the advent of computers. Researchers looked for methods to create large random sequences by using algorithms. Using such algorithms, they were able to make sequences which mimic the properties of true random generators. Since they were created with a deterministic equation, they could not be called truly random. This led to a new class of generators, called pseudorandom number generators (PRNGs).
Compared to true random number generators, PRNGs are easier to implement in both hardware and software, and they also produce large sequences very quickly. In [LE98, LE01], the PRNG is described as a structure of the form $(X, x_0, f, f_t, f_o, Z)$, where $X$ is the finite set of states, carrying a probability distribution. The element $x_0 \in X$ is called the initial state or seed. Using the transition function $f_t$ and the output function $f_o$ as shown in Algorithm 1, a pseudorandom sequence $(z_0, \ldots, z_n)$ with $z_i \in Z$ can be generated, with $Z = [0, 1)$ as the output set.
Algorithm 1 A pseudorandom number generator.
INPUT: An integer $n$.
OUTPUT: A pseudorandom sequence $(z_0, \ldots, z_n)$ with $z_i \in Z$.
1. for $i = 0$ to $n$ do
2.     $x_{i+1} \leftarrow f_t(x_i)$
3.     $z_i \leftarrow f_o(x_i)$
The benefit of the PRNG is its ability to quickly produce large sequences of statistically random numbers. This is very important for running simulations, where the input data may require millions or even billions of random values. Caution must be taken when using pseudorandom number generators for cryptographic applications. Attacks have been published that are able to reveal the secret generator values for some types of pseudorandom generators, which enables a hacker to accurately reproduce the sequence. Cryptographically secure RNGs will be looked at in Subsection 4.2.3.
Table 4.1: Characteristics of pseudo- and true random number generators.
    True RNG                  Pseudo-RNG
    Physical random source    Deterministic algorithm
    Slow                      Fast
    Hard to implement         Easy to implement
True random number generators
A computer algorithm can only create pseudorandom sequences. However, there exists a variety of phenomena related to a computation that are nondeterministic. Some examples are the noise generated by a transistor, a dual oscillator, air turbulence in a hard drive, or captured user input on the computer. Whatever the source of natural entropy, the data need to be digitized and converted into a working space, often a binary sequence. True random number generators provide a source of random numbers that is impossible to predict (nondeterministic), but at the cost of sequence generation speed. Therefore, these generators are generally suitable for cryptographic applications but unsuitable for simulations. The use of natural entropy is a good source of randomness, but care must still be taken to examine the sequence for other weaknesses: correlation or the superposition of regular structures. To overcome these weaknesses, the RNG sources are mathematically altered to mask the weaknesses in the digitized analogue signal. Table 4.1 shows the characteristics of both pseudo- and true random number generators.
Cryptographic random number generators
Cryptography has taken on a new importance as more personal and financial information is available in digital form. The strength of encrypted messages depends on many factors, one of which is the random number sequence used in key generation. Many people believe that the random number generator provided with their compiler or math package is good enough. However, research has shown that such generators are very insecure for cryptographic applications. An example of an insecure RNG is one where an attacker, who knows the pseudorandom algorithm and has a generated sequence, can take this information and calculate future values. With these values the attacker can calculate a secret key.
Cryptographic random number generators have an added property compared to other generators. They need to be unpredictable, given knowledge of the algorithm and previously generated bits.
These properties can be found in both pseudo- and true random number generators. Often
the most efcient method of creating secure cryptographic random number sequences is using a
combination of the two generator types.
4.2.4 Popular random number generators
This subsection describes three common random number generators, but there are many more
available [NIS99b, APS96, And00, Knu97, Ent98]. Care must be taken to select the correct
generator for the required application.
Linear congruential generator (LCG)
The Linear Congruential Generator (LCG) is a classic pseudorandom number generator and has been published in many journals and books [Knu97, Car94, Ent98]. The LCG can be fully described using the following formula:
$$X_n = (a X_{n-1} + c) \bmod m \qquad (4.2)$$
with $a$ the multiplier, $c$ the increment and $m$ the modulus. Care has to be taken when selecting the constants, since it is very easy to create a poor random generator. This generator is so popular because, once the constants have been selected, it is simple to implement in both software and hardware. Another benefit of this algorithm is its low memory requirement, since only the last value and the secret constants are required to calculate a new value. Knuth [Knu97] dedicates a large portion of the chapter on LCGs to the selection of each constant.
Table 4.2 lists popular linear congruential generators. The constants used and the quality of the generator are shown along with the generator's name. Two noteworthy LCGs are the RANDU and the ANSI-C generators, which can still be found in many mathematical packages and compilers. Both generators have been extensively researched and it was found that their quality is very poor. Park and Miller [PM98] describe RANDU as:
RANDU represents a flawed generator with no significant redeeming features. It does not have a full period and it has some distinctly non-random characteristics.
As for the ANSI-C generator, it was found to be very nonrandom in its lower bits.
Blum-Blum-Shub generator (computationally perfect PRNG)
The Blum-Blum-Shub (BBS) generator is an example of a class of provably secure random number generators. It works under the complexity theory assumption that $P \neq NP$. The BBS generator was first published in 1986 by Blum et al. [BBS86], where they showed that a quadratic residue of the form
$$X_{n+1} = X_n^2 \bmod m \qquad (4.3)$$
is very easy to calculate in the forward direction. However, the backward calculation of finding the square root of a number modulo $m$, when $m$ is large, is very difficult. The modulus is $m = p_1 p_2$, where $p_1$ and $p_2$ are large Blum primes. Blum primes are prime numbers satisfying
$$p \equiv 3 \pmod 4,$$
so that $-1$ is not a square modulo $p$.
The BBS generator is targeted towards cryptographic applications, since it is not a permutation generator, which means the period of the generator is not necessarily $m - 1$. This makes the BBS generator unsuitable for stochastic simulations.
Table 4.2: Popular LCGs (constants $a$, $c$, $m$ of Equation 4.2).
    Generator                  a            c        m          seed     Good/Poor
    RANDU                      65539        0        2^31                Poor
    ANSI-C                     1103515245   12345    2^31       12345    Poor
    Minimum Standard [PM98]    16807        0        2^31 - 1            Good
    Note: Good and poor generators are rated on how well they pass empirical tests.
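As an added example (this is not code from the thesis or from the cited references), the following Python implements Algorithm 1 as a generic driver and plugs in the LCG of Equation (4.2) with the Table 4.2 constants and the BBS generator of Equation (4.3). It also checks the two weaknesses mentioned above: RANDU's linear relation between any three consecutive outputs, $x_{k+2} = 6x_{k+1} - 9x_k \pmod{2^{31}}$, and the alternating lowest bit of the ANSI-C generator. The BBS primes 11 and 19 and all seeds are constructed values chosen so the arithmetic can be followed by hand; the value $x_{10000} = 1043618065$ for the Minimum Standard started from seed 1 is the check published by Park and Miller.

```python
"""PRNG as the structure (X, x0, f_t, f_o, Z) of Algorithm 1.

Added illustration, not code from the thesis: a generic driver for Algorithm 1
with the LCG of Equation (4.2) and the Blum-Blum-Shub generator of
Equation (4.3) plugged in as transition/output functions.  The LCG constants
are those of Table 4.2; the BBS primes are small constructed values (a real
BBS modulus is a product of large Blum primes).
"""

TWO31 = 2 ** 31


def prng(x0, f_t, f_o, n):
    """Algorithm 1: return (z_0, ..., z_n) with z_i = f_o(x_i) and x_{i+1} = f_t(x_i)."""
    z, x = [], x0
    for _ in range(n + 1):
        z.append(f_o(x))
        x = f_t(x)
    return z


def lcg_transition(a, c, m):
    """f_t of Equation (4.2): X_n = (a * X_{n-1} + c) mod m."""
    return lambda x: (a * x + c) % m


def identity(x):
    return x


def is_blum_prime(p):
    """Blum prime: a prime with p = 3 (mod 4), so that -1 is not a square modulo p."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))


def bbs_generator(p1, p2, x0, n):
    """Equation (4.3), X_{n+1} = X_n^2 mod m, with the least significant bit as output."""
    if not (is_blum_prime(p1) and is_blum_prime(p2)):
        raise ValueError("both factors of the modulus must be Blum primes")
    m = p1 * p2
    return prng(x0, lambda x: x * x % m, lambda x: x & 1, n)


# --- Weaknesses of the Table 4.2 generators ----------------------------------

def randu_sequence(seed, n):
    """RANDU: a = 65539, c = 0, m = 2^31."""
    return prng(seed, lcg_transition(65539, 0, TWO31), identity, n)


def randu_is_linearly_predictable(seq):
    """Marsaglia's identity for RANDU: x_{k+2} = 6 x_{k+1} - 9 x_k (mod 2^31).
    Any two consecutive outputs therefore determine the whole remaining sequence."""
    return all((6 * seq[k + 1] - 9 * seq[k]) % TWO31 == seq[k + 2]
               for k in range(len(seq) - 2))


def ansi_c_low_bits(seed, n):
    """Least significant bit of the ANSI-C LCG.  Because a and c are both odd and
    m is a power of two, the LSB simply alternates (period 2)."""
    seq = prng(seed, lcg_transition(1103515245, 12345, TWO31), identity, n)
    return [x & 1 for x in seq]


def minimum_standard(seed, n):
    """Park-Miller Minimum Standard: a = 16807, c = 0, m = 2^31 - 1 (seed != 0)."""
    return prng(seed, lcg_transition(16807, 0, TWO31 - 1), identity, n)


if __name__ == "__main__":
    print("RANDU linear relation holds:", randu_is_linearly_predictable(randu_sequence(1, 50)))
    print("ANSI-C low bits:", ansi_c_low_bits(12345, 9))
    print("Minimum Standard x_10000 from seed 1:", minimum_standard(1, 10000)[-1])
    print("BBS bits (p1=11, p2=19, x0=3):", bbs_generator(11, 19, 3, 8))
```

The RANDU check is the concrete content of "distinctly non-random characteristics": every triple of consecutive outputs lies on one of a few planes, so two observed values predict all later ones. The same driver runs BBS, which only differs in its transition and output functions, which is why the structure of [LE98, LE01] is a useful way to think about any PRNG.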
Cryptographic RNG (hardware RNG)
All previous examples of random number generators used deterministic algorithms. These generators statistically act like true RNGs but in fact are not. In order to be considered a true random number generator, the source of bits needs to be nondeterministic, which is usually achieved by sampling a natural stochastic process. There are many sources of natural randomness, including measuring radioactive decay, thermal noise, or the noise generated by a reverse-biased diode.
The problem with nondeterministic random sources is the possible presence of bias, which means that ones or zeros occur more often. A variety of methods have been developed to reduce the effect of bias. A few common methods include XORing successive bits using the von Neumann algorithm [Dav00], or XORing the nondeterministic bit stream with the bits from a cryptographically secure random number generator (see Figure 4.1).
Hardware random number generators tend to be slower than their pseudorandom counterparts. However, for cryptographic applications, which may need only a few thousand bits, this is usually not a factor. For applications that need many random digits, hardware random generators are generally too slow.
Figure 4.1: Cryptographic hardware random number design. [Block diagram: Nondeterministic source -> Amplifier & Digitizer -> Corrector (von Neumann XOR) -> XOR (combine sequence) with a Pseudorandom number generator -> Output.]
Remark 4.2.2. There are many implementations of hardware cryptographic random number generators [Dav00, CR03].
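The post-processing chain of Figure 4.1, as an added Python example that is not code from the thesis or from [Dav00, CR03]: a constructed biased source (a stream of independent bits with P[1] = 0.8, generated from an LCG only so the run is reproducible offline) is passed through a von Neumann corrector and then XORed with a pseudorandom stream. The LCG constants, the seeds and the bias value are assumptions of the example.

```python
"""Post-processing of a biased nondeterministic source (Figure 4.1).

Added illustration, not code from the thesis: the raw source is a constructed
biased but independent bit stream (a BMS with bias p != 1/2), produced here by
an LCG only so that the run is reproducible offline.  The von Neumann corrector
removes the bias exactly but discards most of the input; the XOR stage combines
the corrected stream with a pseudorandom stream as in Figure 4.1.
"""


def biased_source(p_one, n, seed=1):
    """Constructed BMS: independent bits with P[bit = 1] = p_one.

    The uniform draws come from the ANSI-C LCG constants of Table 4.2; only the
    upper 15 bits of the state are used because the low bits of that LCG are poor.
    """
    a, c, m = 1103515245, 12345, 2 ** 31
    bits, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        u = (x >> 16) / 2 ** 15          # roughly uniform in [0, 1)
        bits.append(1 if u < p_one else 0)
    return bits


def von_neumann(bits):
    """Von Neumann corrector: read non-overlapping pairs, emit 0 for 01 and 1 for
    10, drop 00 and 11.  For independent bits of any fixed bias p both kept pairs
    have probability p(1-p), so the output is exactly unbiased; the expected
    yield is only p(1-p) output bits per input bit, at most 1/4."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        first, second = bits[i], bits[i + 1]
        if first != second:
            out.append(first)
    return out


def xor_combine(raw_bits, prng_bits):
    """XOR stage of Figure 4.1: bitwise XOR of the two streams, truncated to the
    shorter one.  XOR with an independent unbiased stream masks any remaining
    bias of raw_bits; it does not add entropy."""
    return [a ^ b for a, b in zip(raw_bits, prng_bits)]


def bias(bits):
    """Fraction of ones (the bias p of a BMS); None for an empty stream."""
    return sum(bits) / len(bits) if bits else None


def corrector_pipeline(p_one, n, seed=1):
    """Run the Figure 4.1 chain end to end; return (raw, corrected, output) biases."""
    raw = biased_source(p_one, n, seed)
    corrected = von_neumann(raw)
    # Stand-in for the pseudorandom number generator block (Minimum Standard LCG
    # with a constructed seed; one state bit per output bit).
    prng_bits, x = [], 7
    for _ in range(len(corrected)):
        x = 16807 * x % (2 ** 31 - 1)
        prng_bits.append((x >> 8) & 1)
    return bias(raw), bias(corrected), bias(xor_combine(corrected, prng_bits))


if __name__ == "__main__":
    print("raw / corrected / output bias:", corrector_pipeline(0.8, 20000))
```

Two points the figure does not show: the corrector's exactness rests on the input bits being independent (a correlated source keeps a bias through it), and its throughput drops sharply with the bias, which is why a hardware design has to budget for the discarded bits.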
4.3 Testing of random number generators
There are two methods for testing random number generators. One is to treat the generator as a
black box and only examine a portion of the resulting sequence; this is called empirical testing.
The other method is to open the box and examine a priori the internal structure. This type of
testing is called theoretical testing. Both empirical and theoretical tests use statistical tests, but
they differ in the length of the sequence they examine. For theoretical tests, the full period of
the generator is used; therefore, they detect global non-randomness. Not all statistical tests are
suitable for this type of testing.
Empirical testing is used to detect local non-randomness. It examines subsequences with lengths significantly less than the full period. Often these tests are used during the operation of the RNG to determine if the generator is still functioning properly, or as a quick test of a newly selected generator's randomness. When selecting an RNG for an application, it is best, if possible, to use both theoretical and empirical testing. This helps to avoid both local and global abnormalities.
4.4 Testing a device
This section presents a definition of the mathematical objects that represent the device under test. A source $S_T$ is a mapping from a parameter space $T$ to the set of binary sequences of infinite length, with either a discrete or a continuous parameter space. In the case of a physical generator, $T$ can be a set of continuous variables that describes the state of the RNG (temperature of the circuit, position of each of the bits). For an LFSR, $T$ is the discrete space describing the initialization vector, the feedback polynomial, and the filtering function.
With an infinite binary sequence there can be associated, for all $n \in \mathbb{N}$, a probability distribution on $B^n$ given by the definition of the empiric probability of $W_k(u)$. In particular, a source defines a map from the set of parameters $T$ to the set of probability distributions on $B^n$ for all $n$. This justifies the following definition:
Definition 4.4.1. Let $T$ be a set of parameters. The statistical model on $B^n$ is the data, for all $n \in \mathbb{N}$, of a probability distribution on the set $B^n$, denoted by $P^n_t$ for $t \in T$.
In practice, the set of parameters can take into account the normal operation of the source as well as flaws. It is possible that the source produces sequences with good statistical properties for some values of the parameter in $T$ and poor statistical properties for the other values of $T$. For instance, a physical random generator can be built so that the output bits have a bias $p$ independent of the preceding draws. It outputs a 1 with probability $p$ and a 0 with probability $q = 1 - p$. A hard to control production process may influence the parameter $p$. Therefore, a means is needed to assess the generator and reject any source that has a parameter $p$ too far from $\frac{1}{2}$.
4.5 Statistical (empirical) tests
Often it is not possible or feasible to look at the physical structure of the random number generator; for example, when the RNG needs to be tested before each operation. The only method to determine, to any degree of certainty, whether the device is producing statistically independent and symmetrically distributed binary digits is to examine a sample sequence of a given length $n$. In [Mau92] the idea is presented that a statistical or empirical test $T$ is an algorithm that takes as input a binary sample sequence and produces as output an accept or reject decision,
$$T : B^n \to \{\text{accept}, \text{reject}\} \qquad (4.4)$$
where $B$ is the binary set $\{0, 1\}$. Using this function, all the possible binary sequences $x$ of length $n$, $x^n = x_1, \ldots, x_n$, are divided into two subsets
$$A_T = \{ s^n : T(s^n) = \text{accept} \} \subseteq B^n \qquad (4.5)$$
and
$$R_T = \{ s^n : T(s^n) = \text{reject} \} \subseteq B^n \qquad (4.6)$$
with $A_T$ being the set of accepted or random sequences and $R_T$ being the set of rejected or nonrandom sequences.
4.5.1 Hypothesis testing
The method used to determine whether a device is operating properly, as a binary symmetric source, or is malfunctioning, is to test a parameter using the theory of hypothesis testing. The first step of this testing method is to calculate a test parameter by comparing the estimated parameters from a sample sequence for the given statistical model to the parameters of a binary stationary source. The sample is then accepted or rejected by comparing the test parameter to a probability distribution from a binary symmetric source.
Remark 4.5.1. Randomness is a property of the device being tested, not of the finite sequence.
The researcher wishes to test the hypothesis that the device's parameter follows the parameter of the theoretical distribution. For hypothesis testing, the null hypothesis, $H_0$, is the claim that the sequence is acceptable as random, while the alternative hypothesis, $H_a$, states that the sequence is rejected. This hypothesis is in a general form and can take on a wide variety of parameters. One example is examining the population mean of the sample sequence and comparing it to the mean of the distribution for a binary symmetric sequence, $\mu_0$. The hypotheses can then be written as follows:
$$H_0 : \mu = \mu_0$$
$$H_a : \mu \neq \mu_0$$
In order to decide between $H_0$ and $H_a$, the researcher needs to first determine the error threshold or significance level $\alpha$. This level indicates the probability the researcher is willing to accept of rejecting a true $H_0$. For a significance level of $\alpha = 0.001$, the probability is that one sequence in a thousand will be rejected when in fact it should be accepted. This level is also called the Type I error.
Figure 4.2: Parameters $\alpha$ and $\beta$ for a statistical test [Sch95]. [Figure: the distribution of the test statistic under $H_0$ around $\mu_0$ with the rejection region marked; not reproduced in the text.]
Table 4.3: Type I and II errors.
                     Decision: Reject H_0    Decision: Do Not Reject H_0
    H_0 True         Type I Error            Correct
    H_0 False        Correct                 Type II Error
The next step in hypothesis testing is to calculate the test statistic. This step depends on the data under study. From the previous example, using the mean, the test statistic can be calculated by examining the sample mean, $\bar{x}$; the sample variance, $s^2$; the theoretical mean of a truly random sequence, $\mu_0$; the theoretical variance, $\sigma^2$; and the sample size, $n$. The statistical test is then as follows:
$$|Z| = \frac{|\bar{x} - \mu_0|}{\sigma / \sqrt{n}} > Z_{\alpha/2} \qquad (4.7)$$
The rejection region works by examining the sample mean and determining whether it lies too many standard deviations, more than $Z_{\alpha/2}$, from $\mu_0$. The rejection region can be seen in Figure 4.2, and if the test statistic falls in this region, then the null hypothesis is rejected in favor of the alternative hypothesis.
Often the empirical tests described in the literature use a value called the P-value to determine whether the sample sequence should be rejected or not. The significance level, as described in the last paragraph, is the boundary value between acceptance and rejection of the null hypothesis:
$$P > \alpha : H_0 \text{ is accepted}$$
$$P \leq \alpha : H_0 \text{ is rejected}$$
Hypothesis testing can have two possible conclusions: the test accepts $H_0$ or it accepts $H_a$. As can be seen in Table 4.3, there are two possible errors that may arise. The Type I error has already been discussed, and it is the significance level $\alpha$ of the test. The Type II error, $\beta$, is the probability that the device is assumed to be random when it is not. The goal of the statistical test is to minimize the possibility of both types of errors. When dealing with statistical tests, the researcher is often able to set the sample size and one of the two types of errors, usually the Type I error. Setting these two points produces a $\beta$ that is as small as possible. It is not possible to determine the probability $\beta$, which means that it is only possible to draw a firm conclusion about the Type I error. Consequently, if the test statistic does not fall inside the rejection region, it can only be stated that there is insufficient evidence to reject $H_0$. The null hypothesis is not affirmatively accepted, since there is a lack of information about the Type II error.
4.6 Some examples of statistical models on $B^n$
This section presents some statistical models currently used (sometimes implicitly) in the definition of random sequence tests. Further information can be found in [Mau92, Lub].
A random variable $X$ is said to be binary if its values are in the set $B = \{0, 1\}$. In that case, the probability distribution defined on $B$ is given by a unique parameter called the bias of $X$, which is by definition $P[X = 1]$. Let $X_1, \ldots, X_n, \ldots$ be a sequence of independent binary random variables. They define a probability distribution on $B^n$. When all these random variables have the same bias $p$, the previous distribution depends only on the parameter $p$.
This model describes a Binary Memoryless Source (BMS) that outputs independent random variables with a bias $p$. As stated, a BMS defines a probability distribution on the sets $B^n$ depending on the parameter $p$, and is therefore a statistical model on $B^n$. A particular case of a BMS is the binary symmetric memoryless channel, which corresponds to the parameter $p = \frac{1}{2}$.
Another model is the Source Transition (ST), which outputs a sequence of binary random variables $X_1, \ldots, X_n, \ldots$ of parameter $\frac{1}{2}$ such that $P[X_i + X_{i+1} = 1] = p$ and $P[X_i + X_{i+1} = 0] = 1 - p$ for $i \in \mathbb{N}$.
Generally, a source can produce a sequence of binary random variables $X_1, \ldots, X_n, \ldots$ such that the conditional probability of $X_n$ given $X_1, X_2, \ldots, X_{n-1}$ depends only on the $m$ last bits, i.e., such that
$$P_{X_n \mid X_{n-1} \ldots X_1}(x_n \mid x_{n-1} \ldots x_1) = P_{X_n \mid X_{n-1} \ldots X_{n-m}}(x_n \mid x_{n-1} \ldots x_{n-m}). \qquad (4.8)$$
The least $m$ satisfying this property is called the memory of the source $S$, and $\Sigma_n = [X_{n-1}, \ldots, X_{n-m}]$ is the state at time $n$. Therefore, taking the sequence $(X_n)_{n \in \mathbb{N}}$ is equivalent to considering an initial state $\Sigma_m$, represented by the trivial random variables $[X_{m-1}, \ldots, X_0]$ (their weight being totally concentrated on 0 or 1), together with a probability distribution for the transition of states $P_{\Sigma_n \mid \Sigma_{n-1}}$ for all $n$ greater than $m$. If this last probability is independent of $n$, then the source is classified as stationary. So a stationary source is completely described by its initial state and $P_{\Sigma_{m+1} \mid \Sigma_m}$.
The set of states is a particular case of a Markov chain (2), with the restriction that each state can have only two successors. If this Markov chain has the property that every sizable sample is an equal representative of the whole sequence (ergodic),  the probability distribution on the set of states converges towards a limit. Let the integers between 0 and $2^m - 1$ represent the set of possible states of the source. Using the Chapman-Kolmogorov equations, which are an equivalent of the identity on transition densities, gives
$$\lim_{n \to +\infty} P_{\Sigma_n}(j) = p_j$$
where the $p_j$ are the solution of a system of $2^m$ equations:
$$\sum_{j=0}^{2^m - 1} p_j = 1, \qquad (4.9)$$
$$p_j = \sum_{k=0}^{2^m - 1} P_{\Sigma_2 \mid \Sigma_1}(j \mid k)\, p_k, \qquad 0 \leq j \leq 2^m - 2. \qquad (4.10)$$
(2) Definition from Merriam-Webster [Mis95]: "Usually a discrete stochastic process (as a random walk) in which the probabilities of occurrence of various future states depend only on the present state of the system or on the immediately preceding state and not on the path by which the present state was achieved."
There are two interesting points to consider with the statistical model of ergodic stationary sources:
• this model seems to be the most general of the models presented. In particular, it contains the BMS and ST models;
• this model has been extensively studied in the field of information theory. In particular, it is possible to compute its entropy.
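The stationary ergodic source of memory m as a Markov chain with 2^m states, as an added Python example that is not code from the thesis or from [Mau92, Lub]: the state at time n is the word of the last m bits, each state has exactly two successors (shift in a 0 or a 1), and the limit distribution p_j of Equations (4.9) and (4.10) is found by iterating the transition step until it is a fixed point. The BMS (memory 0, bias p) and the ST model (memory 1, P[X_i + X_{i+1} = 1] = p) are the two instances exercised, together with a constructed memory-2 source; the entropy rate computed at the end is the quantity the second point above refers to. The function names and the assumption that all transition probabilities lie strictly between 0 and 1 (which makes the chain ergodic and the iteration converge) are the example's own.

```python
"""Stationary source with memory m seen as a Markov chain on 2^m states.

Added illustration, not code from the thesis: the state at time n is the word
of the last m bits, each state has exactly two successors (shift in a 0 or a
1), and the limit distribution p_j of Equations (4.9)-(4.10) is found by
iterating the transition step until it is a fixed point.  The chain is
assumed ergodic (all transition probabilities strictly between 0 and 1).
"""
from math import log2


def next_states(state, m):
    """Successors of state j (an m-bit word): shift in a 0 or a 1, drop the oldest bit."""
    mask = (1 << m) - 1
    return (state << 1) & mask, ((state << 1) | 1) & mask


def transition_step(m, p_one_given_state, p):
    """One application of the right-hand side of (4.10):
    new_k = sum_j P[next state = k | state j] * p_j."""
    new = [0.0] * (1 << m)
    for j, pj in enumerate(p):
        s0, s1 = next_states(j, m)
        q = p_one_given_state(j)           # P[X_n = 1 | state j]
        new[s0] += pj * (1 - q)
        new[s1] += pj * q
    return new


def stationary_distribution(m, p_one_given_state, max_iter=100_000, tol=1e-13):
    """Solve (4.9)-(4.10) by power iteration from the uniform start.  Every step
    preserves the normalisation (4.9); the loop stops when (4.10) holds to tol."""
    p = [1.0 / (1 << m)] * (1 << m)
    for _ in range(max_iter):
        new = transition_step(m, p_one_given_state, p)
        if max(abs(a - b) for a, b in zip(new, p)) < tol:
            return new
        p = new
    raise ValueError("did not converge: the chain may not be ergodic")


def balance_residual(m, p_one_given_state, p):
    """Largest violation of (4.10) by a candidate distribution p (0 for a fixed point)."""
    new = transition_step(m, p_one_given_state, p)
    return max(abs(a - b) for a, b in zip(new, p))


def entropy_rate(m, p_one_given_state):
    """Entropy in bits per output bit: sum_j p_j * h(P[X = 1 | state j])."""
    h = 0.0
    for j, pj in enumerate(stationary_distribution(m, p_one_given_state)):
        q = p_one_given_state(j)
        h -= pj * sum(r * log2(r) for r in (q, 1 - q) if r > 0)
    return h


def bms(bias):
    """Binary memoryless source: m = 0, P[X = 1] = bias whatever the past."""
    return 0, lambda _state: bias


def st(p):
    """Source Transition model (m = 1): the next bit differs from the previous
    one with probability p, i.e. P[X_i + X_{i+1} = 1] = p."""
    return 1, lambda state: p if state == 0 else 1 - p


if __name__ == "__main__":
    m, f = st(0.1)
    print("ST(0.1) stationary distribution:", stationary_distribution(m, f))
    print("ST(0.1) entropy rate (bits/bit):", entropy_rate(m, f))
    print("BMS(0.5) entropy rate (bits/bit):", entropy_rate(*bms(0.5)))
```

The ST model shows why the monobit test alone is not enough: its stationary distribution is (1/2, 1/2) for every p, so the frequency of ones is exactly balanced, while the entropy rate h(p) can be far below one bit per bit. Only a test that looks at transitions (memory 1) sees the defect.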
4.7 Hypothesis testing and random sequences
The previous section stated that statistical models can be used to perform statistical tests on a binary sequence. From [Lub], the link between the theory of hypothesis testing and random sequences is given as follows:
• a statistical model is adapted to the device that is under test (e.g. a random number generator);
• an $H_0$ is chosen such that the model parameters are verified if the random input variables are Bernoulli variables with a parameter of $\frac{1}{2}$; and
• as an alternative hypothesis, there is a large deviation of the parameter from $\frac{1}{2}$.
For example, if it is known that the statistical model of the device is a BMS, the monobit frequency test can be used on its own: this is the best test associated with this model. It may happen that the statistical model is more general and includes several different tests. For instance, the BMS is contained in the general model of a stationary ergodic source with a certain amount of memory. In this case, the advantage of the more specific test is that it is more powerful. However, it may not discover deviations in the parameters that it does not control. Therefore, it is important to first use the more specific tests and then the more general ones. This amounts to restraining the variance, in some direction, of the parameter space.
In general, the use of the techniques of hypothesis testing in order to verify the random quality of a source is characterized by:
• the choice of a statistical model based on the operation of the device;
• the use of only a small number of tests (one or maybe two) that are associated with the statistical model.
It should be pointed out that this general technique does not describe the whole set of available procedures for testing a random number generator. It is apparent that it is difficult to attach a statistical model to some tests that are widely published and recommended. Moreover, in the available test suites it is quite common to use many different tests. In practice, it is often difficult to prove that a certain physical device corresponds to a given statistical model, apart from very general models, which then leads to tests of very poor quality.
In cases where no statistical model is available, it is possible to use the property that the estimators computed by the tests are consistent. Then, under the assumption of the Bernoulli distribution with a parameter equal to $\frac{1}{2}$ (BSS), the property that the sequence is $\infty$-distributed can be checked by the convergence in probability of certain estimators. Therefore, it is possible to use a group of several tests, so that each of them, with a given probability, outputs a pass for a random sequence. It should be noted that it is not easy to compute the rejection rate of a full test suite, because the estimators of different tests are often extremely dependent. This rate can, nevertheless, be estimated by stochastic simulations.
The reader should keep in mind that, if the device is not provided with a statistical model and if the statistical tests cannot be interpreted with respect to the cryptographic use of the random sequence, the rejection zone selected by the statistical tests is totally arbitrary. If we have a statistical model, the rejection zone is chosen to contain most of the weight of probability when the device is faulty. But if we do not know this statistical model, it may happen, on the contrary, that the rejection zone contains sequences with a low probability of appearance: this means that the probability of passing the test is higher when the device is faulty. In this respect, a statistical test is nothing but a convenient way to choose a certain proportion of sequences in the set of all binary sequences of a given length. In particular, if the tests do not pass, it is difficult to pronounce with any degree of certainty that there is no systemic interpretation of the result of the tests.
It is also important to realize that a randomness test may undermine cryptographic security in some applications. The problem is that, if a statistical test is used to filter the output flux of a random generator, it introduces a bias that is very easy to detect by using the same test. A practical example is given to draw the reader's attention to this topic.
Example 4.7.1. A user may want to encipher the content of a hard drive by using a strong symmetric encryption function. It may be required that an intruder who does not possess the secret key is not able to distinguish the written sectors on the hard drive from the blank ones. One way to implement this functionality is to consider the symmetric encryption function as a pseudorandom function. Therefore, a random number generator can be used to write random noise on the non-written sectors of the hard drive. If the output of this random number generator is filtered by a statistical test with, for instance, a rejection rate of 1%, it means that 1% of the sequences of a given length will never appear in the non-written sectors of the hard drive, but will be present in the written sectors. This allows an attacker to find the distinguishing point between the written and non-written sectors easily.
4.8 Empirical test examples for binary sequences
Frequency Test
A test that counts the number of ones in a sequence is an example of an empirical test based on the random walk. The random walk $Y_n$ is the sum of independent Bernoulli random variables $X_i$. It can be written:
$$Y_n = \sum_{i=1}^{n} X_i \qquad (4.11)$$
Using the Central Limit Theorem and the De Moivre-Laplace Theorem, a binomial sum, normalized by $\sqrt{n}$, follows a normal distribution if the sample size $n$ is large. This can be written as:
$$\lim_{n \to \infty} P\left( \frac{Y_n}{\sqrt{n}} \leq y \right) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{y} e^{-\frac{h^2}{2}}\, dh = f(y) \qquad (4.12)$$
This theory is the basis for one of the simplest but most important statistical tests, the fre-
quency (monobit) test. The null hypothesis for this test states that a sequence of independent,
identically distributed Bernoulli variables has a probability:
P(X
i
= 1) = 0.5
As mentioned in previous sections this statistical test is based on the model for a binary
memoryless source. An implementation of this theory into a statistical test is presented in Sec-
tion 5.1.1.
Another implementation of the random walk is a variation on the previous frequency test called the frequency block test. This test performs multiple frequency tests on smaller, equal-sized subsequences of the main sample sequence, which detects localized deviations from randomness. The sample sequence is divided into $n$ sets of $m$ bits. The number of ones in each $m$-bit subsequence is counted, giving $\pi_i$. A test characteristic is then calculated by using the following formula:
$$X_{obs} = 4m \sum_{i=1}^{n} \left(\frac{\pi_i}{m} - \frac{1}{2}\right)^2 \qquad (4.13)$$
The observed characteristic is compared to a theoretical limit to determine if the sequence is acceptable as random. The implementation of this test is presented in Section 5.1.2.
Runs Test
The runs test is a group of tests based on the bit oscillation in a sequence. There are many published definitions of runs (see [Knu97, Feh68, AJJ+, APS96, And00, Ent98]). The data type, binary or real, determines the runs definition that should be used. One of the earliest definitions of runs for randomness testing was published in 1944 by Wolfowitz. Given a sequence $X_1 = (x_1, \ldots, x_n)$, a second sequence $X_2$ can be formed by taking the sign of the difference between two adjacent numbers, $x_{i+1} - x_i$, $1 \le i \le n-1$. An example of this is:
$$X_1 = (7, 4, 1, 0, 5, 2, 8, 9, 6, 0)$$
which converts to
$$X_2 = (-, -, -, +, -, +, +, -, -).$$
A $+$ is treated as a run up, while a $-$ is considered a run down, with $l$ being the length of each run subsequence. Various statistical tests for real numbers use this definition.
Another definition of a run has been published by Knuth [Knu97]. He examines real number sequences and defines a run as the length $l$ of a trend in a sequence $X$, with the trend being either increasing or decreasing. Given a sequence $X = (x_1, \ldots, x_n)$, each pair of neighboring numbers, $x_i$ and $x_{i+1}$, is compared, and a vertical line is used to divide the number groups whenever $x_i > x_{i+1}$. Using the previous example sequence $X_1$, we obtain:
$$|7|4|1|0, 5|2, 8, 9|6|0|.$$
Counting the runs for lengths one to three, there are five runs of length 1, one run of length 2, and one run of length 3. Adjacent runs are not independent, since a long run tends to be followed by a short run; therefore, the $\chi^2$ test cannot be applied at this point. A new random variable needs to be defined. The random variable $Z_{li}$ with $1 \le i \le n$ counts the number of runs in a sequence. Variable $Z_{li}$ is defined as follows:
$$Z_{li} = \begin{cases} 1 & \text{if position } i \text{ is the beginning of an ascending run of length } l \text{ or more,} \\ 0 & \text{otherwise.} \end{cases}$$
Using this new variable, the number of runs of length $l$ or more is:
$$R'_l = Z_{l1} + \ldots + Z_{ln},$$
and the number of runs of length exactly $l$ is:
$$R_l = R'_l - R'_{l+1}.$$
The statistical test counts the occurrence of runs up to a given length $t$, and any run longer than $t$ is classified as a run of length $t$. The deviation $Q_l$ with $1 \le l \le t$ is calculated as the difference between the resulting run counts $R_l$ and the expected run counts $\mu(R_l)$:
$$Q_1 = R_1 - \mu(R_1)$$
$$\vdots$$
$$Q_{t-1} = R_{t-1} - \mu(R_{t-1})$$
$$Q_t = R'_t - \mu\left(R'_t\right)$$
These values are used to calculate the test statistic for a $\chi^2$ test with $t$ degrees of freedom
$$X_{obs} = \sum_{i, j = 1}^{t} Q_i Q_j a_{ij}, \qquad (4.14)$$
where the matrix $A = (a_{ij})$ is the inverse matrix of $C = \mathrm{covar}(R_l, R_m)$, with $1 \le l, m \le t$. The covariance matrix $C$ and the mean $\mu(R_l)$ are calculated using the following relations
$$\mu(R_l) = \mu\left(R'_l\right) - \mu\left(R'_{l+1}\right)$$
$$\mathrm{covar}\left(R_l, R'_m\right) = \mathrm{covar}\left(R'_l, R'_m\right) - \mathrm{covar}\left(R'_{l+1}, R'_m\right)$$
$$\mathrm{covar}(R_l, R_m) = \mathrm{covar}\left(R_l, R'_m\right) - \mathrm{covar}\left(R_l, R'_{m+1}\right)$$
To calculate $\mu\left(R'_l\right)$ and $\mathrm{covar}\left(R'_l, R'_m\right)$ the following holds:
$$\mu\left(R'_l\right) = \frac{(n+1)\,l}{(l+1)!} - \frac{l-1}{l!}, \qquad 1 \le l \le n$$
$$\mathrm{covar}\left(R'_l, R'_m\right) = \begin{cases} \mu(R'_t) + f(l, m, n), & \text{if } l + m \le n \\ \mu(R'_t) - \mu\left(R'_l\right)\mu\left(R'_m\right), & \text{if } l + m > n \end{cases}$$
where
$$s = l + m, \qquad t = \max(l, m),$$
and
$$f(l, m, n) = (n+1)\left[\frac{s(1 - lm) + lm}{(l+1)!\,(m+1)!} - \frac{2s}{(s+1)!}\right] + 2\left[\frac{2s}{s!}\right] + \frac{(s^2 - s - 2)\,lm - s^2 - l^2 m^2 + 1}{(l+1)!\,(m+1)!} \qquad (4.15)$$
Another definition of a run is found in [Feh68]. Feller provides a definition for runs with Bernoulli trials.
Definition 4.8.1. A sequence of n bits contains as many runs of ones with a length of r as there are non-overlapping uninterrupted blocks containing exactly r bits [Feh68]. Each run length is counted from the beginning of the sequence.
An example runs count using this definition is seen in the following sample sequence
$$1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0. \qquad (4.16)$$
This sequence has ten runs of length one, five runs of length two, three runs of length three, two runs of length four, one run of length five, and one run of length six or more. Using Definition 4.8.1, a test statistic for analyzing the randomness of the sequences is
$$X_{obs} = \frac{\mu\,N_r(\mathrm{obs}) - n}{\sigma\sqrt{n}} \qquad (4.17)$$
with $N_r$ being the number of runs of length $r$ in a sequence of $n$ bits, and $\mu$ and $\sigma$ the mean and standard deviation of the recurrence time of such a run. The statistic for Feller's definition follows a normal distribution as $n \to \infty$.
The runs test used in this thesis comes from [APS96]. This runs test has been used in the thesis (see Section 5.1.3) due to its ease of implementation in hardware and software. The definition of a run in [APS96] is similar to Definition 4.8.1. However, each run is only counted once, at its full length. Also, the numbers of runs of zeros, Gap, and of ones, Blk, are both used in the calculation of the test statistic. For example, from sequence 4.16 the runs of ones are: one run of length four and one run of length six, while for the runs of zeros there are two runs of length one. This statistical test examines the difference between the expected number of runs of length $r$,
$$e_r = \frac{n - r + 3}{2^{r+2}}$$
with $1 \le r < k$, and the sampled run counts, $Blk_r$ and $Gap_r$:
$$X_{obs} = \sum_{r=1}^{k} \frac{(Blk_r - e_r)^2}{e_r} + \sum_{r=1}^{k} \frac{(Gap_r - e_r)^2}{e_r} \qquad (4.18)$$
which approximately follows a $\chi^2$ distribution with $2k - 2$ degrees of freedom.
The turning point test is another type of runs test, found in [Gop93]. This test counts the number of turning points (peaks and troughs) in a sequence. To calculate the test statistic the number of samples tested needs to be large. The large sample allows for the assumption of a normal distribution with a mean of $\mu = \frac{2}{3}(n-2)$ and a variance of $\sigma^2 = \frac{16n - 29}{90}$. With $T$ the observed number of turning points, the test characteristic can be calculated as follows:
$$X_{obs} = \frac{|T - \mu|}{\sigma} \qquad (4.19)$$
The hardware and software implementation of the turning point test is presented in Section 5.1.7.
Figure 4.3: Longest runs at 20000 bits sample probability distribution using 5000 samples (histogram of the longest run length, 0 to 50, against the number of samples, 0 to 1400).
Longest runs test
This test is included in the FIPS 140-2 testing group, where a maximum run length of 26 is given for 20000 bits. However, only this value and a significance level of 0.0001 are given, without any other background information. This presents a problem when trying to determine the maximum lengths for sequences other than 20000 bits. To overcome this problem an experiment has been performed to determine the maximum run length distributions for different test sequence lengths. This experiment was programmed in Matlab™ with a sample of 50000 sequences ranging in length from 25 to 100000 (the lengths used in the simulator from Chapter 6). After programming the experiment, the program was run and the probability distribution was calculated for each of the different sample lengths. The sample sequences required a random number source, in this case the pseudorandom generator provided by Matlab™ (see Section 6.2.2 for a description of this generator). A sample size of 50000 sequences was used and the longest run from each sample was calculated. The probability for the longest run of a given sequence length was calculated and plotted; see Figure 4.3 for an example probability distribution at 20000 bits and 5000 samples. Figure 4.3 shows a zoomed-in result for the probability distribution. Using this distribution it was possible to calculate the point $x$ where the probability $P(X \le x) = 1 - \alpha$.
The experimental significance level was initially published as $\alpha = 0.0001$ by NIST; however, further study by FDK Corp. [Vit03] revealed that the actual significance level used was $\alpha = 0.000298$. This new value was used as the limit in the experiment (see Table 4.4 for the maximum run lengths). The results from this table were used in the software and hardware implementation of the longest runs test presented in Section 4.8.
There are a variety of ways to calculate the longest run; the method used in this thesis is to keep track of the longest run of either zero or one in the sequence. Another method published by FDK Corp. [Vit03] looks at the probability $P_y(r)$ of a run longer than $r$ appearing in a bit stream. This information can be used to calculate the probability $M_n(r)$ that the longest run in $n$ bits has length $r$:
$$M_n(r) = P_n(r) - P_n(r + 1).$$
Further information on this second method for calculating the longest runs can be found in [Vit03].

Table 4.4: Maximum run length for the given sample sequence length.
Sequence Length    Maximum run length ($P(X \le x) = 1 - \alpha$)
25                 14
50                 15
75                 16
100                17
250                19
500                19
1000               21
2500               21
5000               22
10000              23
15000              23
20000              25
30000              26
50000              26
100000             27
Autocorrelation
Visually, it is possible to detect regular waveforms as non-random. How can this property be automated for randomness testing in applications? One method is to compare the signal with a shifted copy of itself, which is the autocorrelation function. A random sequence has the property that it has very little correlation with any shifted copy of itself.
The autocorrelation test, as described in [APS96], checks for the correlation between the current sequence and a shifted version. A sample sequence is XORed with a version of itself delayed by $d$ bits. With a large sample $n$ and $n - d \ge 10$, the test statistic is assumed to follow a normal distribution. The test characteristic is calculated using the following formulas:
$$A(d) = \sum_{i=0}^{n-d-1} s_i \oplus s_{i+d} \qquad (4.20)$$
$$X_{obs} = \frac{2\left(A(d) - \frac{n-d}{2}\right)}{\sqrt{n-d}} \qquad (4.21)$$
Pattern Matching Tests
A non-overlapping test using pattern matching is the poker test, also called the k-tuple test. There are many variations of this test, with the two best known published in [APS96] and [Knu97]. More focus is placed on the poker test from [APS96], since it is ideally suited for binary data.
The poker test is modeled on the $\chi^2$ distribution. In general, the poker test takes $k$ independent observations and sorts them into $g$ categories. The probability of a particular category being observed is indicated by $p_s$, with $x_s$ being the actual number of observations for each category $s$. This allows the building of the statistic from the $\chi^2$ formula:
$$X_{obs} = \sum_{s=1}^{g} \frac{(x_s - kp_s)^2}{kp_s}. \qquad (4.22)$$
This is the general form of the $\chi^2$ statistic; however, this thesis uses a modified form for binary data.
The number of categories $g$ for a binary sequence is selected to match a subsequence of bit length $m$; this gives $g = 2^m$ categories. A sequence is subdivided into $k$ independent observations with $k = \lfloor n/m \rfloor$ and $n$ the number of bits in the full sequence. For a random binary sequence, each category has an equal probability of appearing, $p_s = 1/2^m$. Expanding
$$(x_s - kp_s)^2 = x_s^2 - 2kp_s x_s + k^2 p_s^2$$
and using the relations
$$x_1 + x_2 + \ldots + x_s = k, \qquad p_1 + p_2 + \ldots + p_s = 1,$$
Equation 4.22 can be rewritten as
$$X_{obs} = \sum_{s=1}^{2^m} \frac{\left(x_s - \frac{k}{2^m}\right)^2}{\frac{k}{2^m}}$$
and then to
$$X_{obs} = \frac{2^m}{k} \sum_{s=1}^{2^m} x_s^2 - k.$$
There are $2^m$ categories; therefore, the statistic $X_{obs}$ follows a $\chi^2$ distribution with $\nu = 2^m - 1$ degrees of freedom. If the test subsequence length $m$ is reduced to 1, then the test is the frequency test [APS96].
The overlapping m-tuple test is another pattern counting test. However, in this case the counted patterns are overlapping, and the pattern counted is selected by shifting the vector one bit with each new input. The particular test implemented and studied in this thesis is the 2-tuple test or the serial test.
In general, for a vector $i_1, \ldots, i_m$, which has a length of $m$, there are $2^m$ possible binary values. Let $n_{i_1, \ldots, i_m}$ be the count for each pattern $(i_1, \ldots, i_m)$. Since each count $n_{i_x}$ is dependent on the other counts $n_{i_1, \ldots, i_m}$, the standard Pearson's $\chi^2$ statistic
$$\psi^2_m = \frac{2^m}{n_m} \sum_{i=1}^{2^m} n^2_{i_1, \ldots, i_m} - n_m$$
is not appropriate as a random generator test. However, L'Ecuyer et al. [LE02] and Rukhin [And00] show that
$$\nabla\psi^2_m = \psi^2_m - \psi^2_{m-1} = \left(\frac{2^m}{n_m} \sum_{j=1}^{2^m} n^2_{j_1, \ldots, j_m} - n_m\right) - \left(\frac{2^{m-1}}{n_{m-1}} \sum_{i=1}^{2^{m-1}} n^2_{i_1, \ldots, i_{m-1}} - n_{m-1}\right)$$
approximately follows a $\chi^2$-distribution with $2^{m-1}$ degrees of freedom. For the specific serial test implemented in this thesis the vector length is set to $m = 2$, which gives
$$\nabla\psi^2_2 = \psi^2_2 - \psi^2_1$$
with
$$n_2 = n_{00} + n_{01} + n_{10} + n_{11} = n - 1$$
and
$$n_1 = n.$$
Using these values the $\chi^2$ test statistic can be found:
$$X_{obs} = \nabla\psi^2_2 = \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1$$
with 2 degrees of freedom. This form of the serial test can be found in [APS96] and is the version implemented in hardware in the next chapter.
Example 4.8.2. Random Number Generator Test Example
The eight tests described in the previous paragraphs are used here in an example for testing a random number generator. The input string is a binary sequence of 100 bits that is the result of the following sequence being concatenated four times:
1010110010111100110100100.
1. Frequency test: $n_0 = 48$ and $n_1 = 52$.
2. Serial test: $n_0 = 48$, $n_1 = 52$, $n_{00} = 16$, $n_{01} = 32$, $n_{10} = 31$, $n_{11} = 20$ gives $X_{obs} = 7.54$.
3. Longest Runs test: the longest run is 4.
4. Autocorrelation test: $d = 4$, sum $= 61$ and $X_{obs} = 2.65$.
5. Poker test: $m = 4$ with the following patterns
Pattern   Number of occurrences
0000      0
0001      0
0010      3
0011      1
0100      2
0101      3
0110      2
0111      1
1000      0
1001      4
1010      2
1011      2
1100      2
1101      1
1110      1
1111      1
giving $X_{obs} = 12.76$.
6. Frequency Block test: $m = 4$ (block length)
$$\sum_{i=1}^{n} \left(\frac{\pi_i}{m} - \frac{1}{2}\right)^2 = 0.87$$
giving $X_{obs} = 14$.
7. Turning Point test: $\mu = 6.67$, $\sigma^2 = 1.81$
$$X_{obs} = \frac{|T - \mu|}{\sigma} = 1.98.$$
8. Runs test: $X_{obs} = 34.25$
Runs of 0                  Runs of 1
Length   Occurrence        Length   Occurrence
1        16                1        20
2        16                2        8
3        0                 3        0
4        0                 4        4
5        0                 5        0
6+       0                 6+       0
The following table shows each test's threshold value, the observed $\chi^2$ value or test result, and whether the generator has passed or failed the test:

Test              Observed Value       Threshold Value ($X_{obs} < X_{threshold}$)              Pass / Fail
Frequency         $n_1 = 52$           $n_{1\_lower} = 35$, $n_{1\_upper} = 64$                  Pass
Serial            $X_{obs} = 7.54$     $X_{threshold} = 9.21$                                    Pass
Longest Runs      longest run = 4      max. run length = 17                                      Pass
Autocorrelation   $X_{obs} = 2.65$     $X_{threshold} = 2.57$                                    Fail
Runs              $X_{obs} = 34.25$    $X_{threshold} = 23.21$                                   Fail
Poker             $X_{obs} = 12.76$    $X_{threshold\_lower} = 4.60$, $X_{threshold\_upper} = 32.80$   Pass
Frequency Block   $X_{obs} = 14$       $X_{threshold} = 44.31$                                   Pass
Turning Point     $X_{obs} = 1.98$     $X_{threshold} = 2.58$                                    Pass
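The eight tests of Example 4.8.2 re-run in code. This is an added worked example, not code from the thesis: the formulas of this section become plain Python functions over a list of bits, applied to the example's 100-bit input, and the verdicts use the acceptance ranges of the table above as constants rather than recomputing them. The serial statistic matches the thesis; only the labelling of the two mixed pairs (01 versus 10) depends on the bit order convention.

```python
from collections import Counter
from math import sqrt

# Constructed input of Example 4.8.2: a 25-bit pattern concatenated four times (n = 100).
SAMPLE = [int(c) for c in "1010110010111100110100100" * 4]

def frequency(bits):
    """Monobit test: return (n0, n1)."""
    n1 = sum(bits)
    return len(bits) - n1, n1

def frequency_block(bits, m):
    """Eq. 4.13: 4m * sum_i (pi_i/m - 1/2)^2 over the len(bits)//m complete blocks."""
    blocks = [bits[i:i + m] for i in range(0, len(bits) - m + 1, m)]
    return 4 * m * sum((sum(b) / m - 0.5) ** 2 for b in blocks)

def run_lengths(bits):
    """Yield (bit value, length) for every maximal run of equal bits."""
    cur, length = bits[0], 0
    for b in bits:
        if b == cur:
            length += 1
        else:
            yield cur, length
            cur, length = b, 1
    yield cur, length

def longest_run(bits):
    """Longest runs test: length of the longest run of either zeros or ones."""
    return max(length for _, length in run_lengths(bits))

def runs(bits, k):
    """Runs test of [APS96], eq. 4.18, over run lengths 1..k of zeros (Gap) and ones (Blk);
    runs longer than k are counted as length k. Chi-square with 2k-2 degrees of freedom."""
    n = len(bits)
    gap, blk = Counter(), Counter()
    for bit, length in run_lengths(bits):
        (blk if bit else gap)[min(length, k)] += 1
    x_obs = 0.0
    for r in range(1, k + 1):
        e_r = (n - r + 3) / 2 ** (r + 2)  # expected number of runs of length r
        x_obs += (blk[r] - e_r) ** 2 / e_r + (gap[r] - e_r) ** 2 / e_r
    return gap, blk, x_obs

def autocorrelation(bits, d):
    """Eq. 4.20/4.21: A(d) = sum s_i XOR s_{i+d}; X = 2 (A(d) - (n-d)/2) / sqrt(n-d)."""
    n = len(bits)
    a = sum(bits[i] ^ bits[i + d] for i in range(n - d))
    return a, 2 * (a - (n - d) / 2) / sqrt(n - d)

def poker(bits, m):
    """Non-overlapping m-bit pattern test in its binary form: (2^m / k) * sum x_s^2 - k
    with k = n // m; chi-square with 2^m - 1 degrees of freedom."""
    k = len(bits) // m
    counts = Counter("".join(map(str, bits[i * m:(i + 1) * m])) for i in range(k))
    return counts, (2 ** m / k) * sum(x * x for x in counts.values()) - k

def serial(bits):
    """Serial (overlapping 2-tuple) test, 2 degrees of freedom:
    4/(n-1) * sum n_ij^2 - 2/n * (n0^2 + n1^2) + 1."""
    n = len(bits)
    n0, n1 = frequency(bits)
    pairs = Counter(zip(bits, bits[1:]))  # the n - 1 overlapping pairs
    return 4 / (n - 1) * sum(v * v for v in pairs.values()) - 2 / n * (n0 ** 2 + n1 ** 2) + 1

def turning_point(bits, width=8):
    """Group bits into width-bit integers and count peaks and troughs with the toggle
    scheme of Section 5.1.7 (equal neighbours leave the toggle unchanged).
    Returns (T, mu, sigma^2, |T - mu| / sigma) under the normal approximation of eq. 4.19."""
    n = len(bits) // width
    vals = [int("".join(map(str, bits[i * width:(i + 1) * width])), 2) for i in range(n)]
    t, toggle = 0, None
    for prev, cur in zip(vals, vals[1:]):
        if cur == prev:
            continue
        up = cur > prev
        if toggle is not None and up != toggle:
            t += 1  # the direction changed: a peak or a trough
        toggle = up
    mu, var = 2 / 3 * (n - 2), (16 * n - 29) / 90
    return t, mu, var, abs(t - mu) / sqrt(var)

def example_4_8_2(bits=SAMPLE):
    """Summary table of Example 4.8.2: observed value and verdict against the acceptance
    ranges the thesis lists for n = 100 (lower bound 0 where only an upper limit is given)."""
    table = {
        "frequency": (frequency(bits)[1], 35, 64),
        "serial": (serial(bits), 0, 9.21),
        "longest_runs": (longest_run(bits), 0, 17),
        "autocorrelation": (autocorrelation(bits, 4)[1], -2.57, 2.57),
        "runs": (runs(bits, 6)[2], 0, 23.21),
        "poker": (poker(bits, 4)[1], 4.60, 32.80),
        "frequency_block": (frequency_block(bits, 4), 0, 44.31),
        "turning_point": (turning_point(bits)[3], -2.58, 2.58),
    }
    return {name: (obs, lo < obs < hi) for name, (obs, lo, hi) in table.items()}
```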
The empirical tests presented here are only a small fraction of what is available in the literature. Three popular test suites that incorporate the tests presented here plus many more are: the NIST Statistical Test Suite [AJJ+], the Diehard Battery of Stringent Statistical Randomness Tests [Mar95], and ENT: A Pseudorandom Number Sequence Test Program [Wal98]. Some of these tests are not practical for a smart card environment. Only the tests that are possible on a smart card have been studied further.
Chapter 5
Hardware Implementation
5.1 Hardware Design
The theory behind each of the selected tests has been extensively covered in the preceding chapters (see Section 4.8). For most designers a software implementation of each of the RNG tests is perfectly acceptable; however, for some applications this is not the case. For example, smart cards need to perform the tests while the processor is being initialized. Therefore, the test package needs to run while the rest of the processor is also being initialized, and the RNG and the testing unit have to form a self-sufficient unit. Most of the published RNG tests have been designed for a software implementation, or, where a hardware implementation exists, its requirements far exceed what is possible on modern smart cards.
From Section 2.3.2 we see that the area requirement for the complete smart card circuit is approximately 25 mm². Most of the area is required for memory cells; therefore, area is at a premium. Even though area is very important to smart card processor designers, they are more concerned with the power consumption of the design. With the advent of the wireless smart card, which supplies its voltage through induction, any card design requires a very low power consumption. Additional security modules must also have a low power consumption.
We have mentioned that area and power consumption are very important to the designer;
however, there is one last hardware characteristic that needs to be examined, the time delay of
the circuit. This detail indicates how quickly the test is able to run. With the known sequence
length and the time delay of the circuit, the processing time for the full test can be calculated.
The initialization phase in a smart card lasts two seconds, and during that time the RNG test unit
must have the RNG produce a sequence of bits and also test the resulting sequence.
This chapter begins by presenting the hardware implementation for each of the RNG tests. Using Synopsys™ and VHDL, each of the tests has been simulated and synthesized. The results from the analysis of area, power consumption and time delay are presented.

Figure 5.1: Test unit input and output (inputs Clk, Din, Start and Reset; outputs Result and Bits_Over; internal blocks Counter and Comparator).
5.1.1 Frequency Test
The first test that has been implemented in hardware is the frequency test. The basic test unit (see Figure 5.1) has as input the test data $D_{in}$, the clock Clk, the reset signal Reset, and a start signal Start. There are two output signals: the Bits_over signal tells the rest of the test unit when it has finished testing, and a pass or fail is waiting at the output Result signal.
The internal diagram of the frequency test can be seen in Figure 5.2. The resulting test circuit is a four-state device, which begins counting when the start signal goes high. There is an asynchronous reset built into the device should it need to be reset at any stage along the state diagram. The third state is reached once the count reaches its limit, which is 20000 bits in this example. This number can be adjusted at the design stage to fit the required test length. In the third state, a test is performed to check if the count of ones is in range. If so, a 1 is output to indicate a pass, otherwise a 0 is output for a fail.
With a sufficient test length the frequency test models a $\chi^2$ distribution with $\nu = 1$ degree of freedom. Using this information it is possible to precalculate the limits for a given bit length, in this example $n = 20000$. The limits calculation is as follows:
$$x = F^{-1}(p\,|\,\nu) = \{x : F(x\,|\,\nu) = p\}$$
where
$$p = F(x\,|\,\nu) = \int_0^x \frac{t^{(\nu-2)/2}\, e^{-t/2}}{2^{\nu/2}\,\Gamma(\nu/2)}\,dt$$
and
$$\Gamma(a) = \int_0^\infty t^{a-1} e^{-t}\,dt.$$
Using these formulas, the characteristic limit $X_{lim}$ for a probability of $p = 1 - \alpha = 1 - 0.0001$ with one degree of freedom is:
$$X_{lim} = F^{-1}(1 - 0.0001\,|\,1) = 19.5114$$
The limit on the statistic translates into a range on the count of ones:
$$X_{lim} = \frac{(n_0 - n_1)^2}{n} \quad\Rightarrow\quad 9688 < X_{pass} < 10312$$

Figure 5.2: State diagram for the Frequency test. States: 1) WAIT_FOR_START, 2) READ_BITS, 3) OUTPUT, 4) HALT; transitions on Start = 1, Count > 20000, and Reset = 1 from every state back to state 1.
5.1.2 Frequency Block Test
The frequency block test is very similar to the frequency test, since it performs the frequency test on each given block. The state diagram for the internal frequency test on each block is the same as for the frequency test with only one large block for the full test sequence. The input and output signals for this test are also the same as for the frequency test (see Figure 5.1).
The design difference between the frequency and the frequency block test is how it handles the frequency test results of the subsequences. Figure 5.3 shows the flowchart for the frequency block test, and Figure 5.4 shows the output flowchart. A bit counter (Count) keeps track of the full test sequence length, and for this implementation the testing can continue as long as the sequence is less than or equal to 20000 bits. The next counter is for the subsequence (Blockcount). When the 100th bit is reached the block can be tested, and its result is added to a running sum. After the full bit sequence is processed a total sum value is calculated and compared to a precalculated value. If the sum is less than the value, the result signal is set to 1, and if it is over the value, it is set to 0.
The precalculated value depends on the significance level and the bit sequence length and can be calculated as follows:
$$X_{lim} = F^{-1}(p\,|\,a, b) = \{x : F(x\,|\,a, b) = p\}$$
$$\frac{X_{lim}}{2} = \mathrm{gaminv}\left(1 - \alpha,\; \frac{N}{2}\right)$$
$$X_{lim} = 2\,\mathrm{gaminv}\left(1 - 0.0001,\; \frac{200}{2}\right)$$
$$X_{lim} = 249.4$$
Therefore, the observed test statistic needs to be below 249.4 in order for the test to determine it as a pass.

Figure 5.3: Frequency block test flowchart (Start; Reset; read a bit, increment Count and, if the input is 1, increment $\pi_i$; when Blockcount = 99 calculate $(\pi_i - 50)^2$ and add it to Sum $= \sum_{i=1}^{200} (\pi_i - 50)^2$; continue while Count < 20000, otherwise Nextstate <= Output; End).

Figure 5.4: Frequency block test output flowchart (Start; Result = 1 if 9725 < Rcount < 10275, else Result = 0; Next State).

Algorithm 2: $X_{lim}$ calculation for the runs test.
$$X_{lim} = \mathrm{gaminv}(1 - \alpha, \nu) \quad \text{where } \nu = 2k - 2 \text{ and } k \text{ is the number of runs groups (6)}$$
$$X_{lim} = \mathrm{gaminv}(1 - 0.0001, 10)$$
$$X_{lim} = 35.56$$
5.1.3 Runs Test
The runs test is a more complex test than the previous two tests. Its state diagram is shown in Figure 5.5. The runs test module has the same inputs and outputs as the other two tests (see Figure 5.1). However, internally it has many more states. Depending on the first bit in the run, either the $S_1 \ldots S_6$ ($D_{in} = 1$) or the $S_{12} \ldots S_7$ ($D_{in} = 0$) branch is followed. If the next bit is the same as the last bit, then the state branch is followed until either the input bit changes or it reaches state $S_6$ or $S_7$. If it reaches either of these points, the input length is treated as a run of six even if it is longer. Whenever a change in the input bit occurs the counter for that state is incremented ($z_1 \ldots z_6$) and ($e_1 \ldots e_6$). A main counter (Count) is used to count the testing sequence length. The bits_over signal is set high at the end of the test and the test unit can read the results from the result signal. The $\chi^2_{obs}$ value is calculated and compared to the range precalculated with Algorithm 2. If it falls within this range, the test outputs a pass, else a fail is output.
5.1.4 Longest Runs Test
The longest runs test is a variation on the runs test, in which the longest run in the sequence is found and the counted length is saved. A precalculated boundary value for the given test sequence length is compared to the sample's longest run. Should the sample sequence have a run longer than the boundary value, the test outputs a fail, else it outputs a pass. The boundary values are given in Table 4.4 in Section 4.8.
Figure 5.5: Runs test state diagram (states Start, S1 to S6 for runs of ones of length 1 to 6, S12 to S7 for runs of zeros of length 1 to 6, Output and Halt; transitions on Din = 1 / Din = 0, Count = 20000, Start = 0 / Start = 1 and Reset = 1).

Figure 5.6: Poker and autocorrelation test state diagram (states Wait for Start, Readbits, Readbits set, Output and Halt; transitions on Start = 0 / Start = 1, Cnt_reg + 1 < 4, Count < 20000, Count >= 20000 and Reset = 0 / Reset = 1).
The external structure of the longest runs test is the same as for the previous tests, see Figure 5.1. Internally, the test is started when the Start signal is set high. The first input bit is read, and if the bit is 1 then the next state is $S_1$, else it goes to $S_0$. If the same bit repeats itself, the counter for that bit type is incremented. However, if the new input is not the same as the previous bit, the counter is cleared and reset for the new bit value. The counter continues until the input bit changes. If the maximum run length is passed, an indicator register IND is set high. After the full sample is examined, the test enters the next state and the IND register is checked. If IND is high, a fail is set on the output, otherwise it is set to a pass.
5.1.5 Poker Test
The poker test is another part of the FIPS 140-2 test suite. Of the four tests in the suite it has the most complex hardware implementation. The theoretical details are found in Chapter 5.1 on page 56. As with the previous tests detailed in this chapter, the input and output entity for the poker test is as shown in Figure 5.1. This allows for easy substitution of the tests.
The poker test's state diagram is shown in Figure 5.6. After a reset the process begins in the Wait_for_start state. Once the Start signal goes high the test begins by entering the Read_bits state and reading the first bit. The input bit is read and stored in the MSB of the Reg register. The counter register Cnt_reg is checked to see if all the bit positions have been filled with new bits. If the register does not hold four new bits, the state is returned to the Read_bits state until four new bits are present. Once Reg has been filled the process compares the pattern found in Reg to a list of patterns. The counter for the matching pattern is incremented. This process is repeated for the full test sequence. When all the bits have been read and matched, the test value Sum is calculated using the following formula:
$$\mathrm{Sum} = X_{poker\_obs} \cdot \frac{k}{2^m} = \left(\sum_{i=1}^{2^m} n_i^2\right) - \frac{k^2}{2^m}$$
This formula can be arrived at by using the theory from Section 5.1.5 and the given constants:
$$m = 4, \qquad \alpha = 0.0001, \qquad n = 20000$$
Therefore, the following can be calculated:
$$k = \left\lfloor \frac{n}{m} \right\rfloor = \left\lfloor \frac{20000}{4} \right\rfloor = 5000$$
$$\chi^2_{obs} = \left(\frac{2^m}{k} \sum_{i=1}^{2^m} n_i^2\right) - k$$
$$\mathrm{Sum} = \frac{k}{2^m}\,\chi^2_{obs} = \left(\sum_{i=1}^{2^m} n_i^2\right) - \frac{k^2}{2^m}$$
After calculating Sum, the process proceeds to the Output state. The value in Sum is compared to a precalculated range for $\alpha = 0.0001$. In this implementation the range is $675 < \mathrm{Sum} < 14428$, which is calculated as follows:
$$\chi^2_{upper} = \mathrm{chi2inv}\left(1 - \frac{0.0001}{2},\; 2^4 - 1\right)$$
$$\chi^2_{lower} = \mathrm{chi2inv}\left(\frac{0.0001}{2},\; 2^4 - 1\right)$$
$$\chi^2_{lower} < \chi^2_{obs} < \chi^2_{upper}$$
$$\left(\frac{k}{2^m}\,\chi^2_{lower}\right) < \mathrm{Sum} < \left(\frac{k}{2^m}\,\chi^2_{upper}\right)$$
$$\left(\frac{2.16 \cdot 5000}{16}\right) < \mathrm{Sum} < \left(\frac{46.17 \cdot 5000}{16}\right)$$
The Output state sets the Result signal to 1 for a pass and a 0 for a fail. The process then moves to the Halt state, and remains there until a reset signal is received.
5.1.6 Autocorrelation Test
The autocorrelation test compares a bit sequence with a shifted version of itself by using a shift register and an exclusive-OR: the input Din feeds a four-bit shift register (positions 4, 3, 2, 1), and the outputs of positions 4 and 1 are XORed into the Auto_corr accumulator. The length of the shift register has been arbitrarily chosen at four bits. Better coverage is achieved by using multiple XOR gates attached to shorter bit distances, i.e. bits 3/4 and 2/4, at the expense of a larger circuit. The entity of the autocorrelation test follows the other tests with the four inputs and two outputs shown in Figure 5.1.
The control flow of the autocorrelation test is the same as for the poker test (see Figure 5.6). During the Read_bits state the data is first read into the shift register. Once that has completed, the fourth and first bits are XORed and added to a running total, which is stored in Auto_corr. The states alternate between the Read_bits and Read_bits_set states, counting all the matching first and fourth bits. This continues until the full test length is reached. The total found in the Auto_corr register is then compared to a precalculated range.
Using the values from the FIPS 140-2 standard ($n = 20000$, $\alpha = 0.0001$) and a shift of $d = 3$, the limits on Auto_corr can be calculated. As mentioned in Chapter 4, the autocorrelation test follows a normal distribution if $n - d \ge 10$; therefore, the range for the test characteristic is:
$$-2.575 < X_{Auto\_lim} < 2.575.$$
From this range the Auto_corr limits can also be calculated:
$$X_{Auto} = \frac{2\left(\mathrm{Auto\_corr} - \frac{n-d}{2}\right)}{\sqrt{n-d}}$$
$$\mathrm{Auto\_corr}_{lim} = \pm\,|X_{Auto}|\,\frac{\sqrt{n-d}}{2} + \frac{n-d}{2}$$
$$\mathrm{Auto\_corr}_{lim} = \pm\,|2.575|\,\frac{\sqrt{20000-3}}{2} + \frac{20000-3}{2}$$
$$\mathrm{Auto\_corr}_{upper} = 10181, \qquad \mathrm{Auto\_corr}_{lower} = 9816$$
This gives the Auto_corr range, which is tested during the Output state. The test sets a pass (Result = 1) if it falls within the range, else a fail (Result = 0) is set.
After outputting the results, the process continues into the Halt state, where it waits until a reset is sent.

Figure 5.7: State diagram for the turning point test (states Wait for Start, Readbits, Output and Halt; transitions on Start = 0 / Start = 1, Count < 20000, Count >= 20000 and Reset = 0 / Reset = 1).
5.1.7 Turning Point Test
The turning points of a sequence are the peaks and troughs found after a run up or down. This test is not, strictly speaking, a test for binary sequences; however, it can be modified to handle binary input by grouping bits into blocks and converting them into integer values. The outer entity has the same I/O as the other tests (see Figure 5.1).
The state diagram is a simplified version of the poker and autocorrelation tests, see Figure 5.7. After a reset the test is in the Wait_for_start state until the Start signal goes high. With the presence of the Start signal the test begins to collect bits and shifts to the state Read_bits.

Algorithm 3: Algorithm for calculating the test characteristic limits.
$$n = 20000$$
$$\mu = \frac{2}{3}(n-2) = 13332$$
$$\sigma^2 = \frac{16n - 29}{90} = 3555.2$$
$$\sigma = 59.6258$$
$$|X_{obs}| = X_{TP,\,\alpha=0.0001} = 4.719$$
$$X_{obs\_upper} = 13332 + 281 = 13613$$
$$X_{obs\_lower} = 13332 - 281 = 13051$$
The Read_bits state not only reads each new bit but also organizes them into blocks of bits and
counts when peaks or troughs occur. The algorithm is seen graphically in the owchart shown in
Figure 5.8. The Read_bit state groups, analyzes, and counts the bits. Once the full sequence is
processed the test moves to the Out put state, and the bits are grouped into 8-bit integers. After
the eight bits are collected, the current value R
curr
is stored as the previous value R
prev
. As
soon as the second group of bits is collected the two values are compared. If the newer number
is larger than the previous value R
curr
> R
prev
, the toggle is set to toggle
new
=1. This new
toggle value is compared to the old value: toggle
new
? = toggle
old
. If they are the same, then no
change is recorded; however, if the previous toggle value is a 0, then the transition counter is
incremented. The same transition counting process is performed if the current number is less
than the previous value, except the toggle is set to 0 and a transition is recorded if the previous
toggle is a 1. The third possibility is that the current and previous values are equal. This is
recorded as no change and the toggle counter is left unchanged. After comparing the two values
the process moves back to Read_bits state, and the whole algorithm is repeated until all bits are
tested.
Upon the completing the peak and trough count for the full sequence the process moves to
the Out put state. Using the same method as for the autocorrelation test, the acceptance limits for
the transition counter are precalculated and integrated into the output algorithm, see Algorithm3.
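The turning point procedure just described (8-bit grouping, toggle and transition counter, limits of Algorithm 3) written out as a software model. This is an added example, not the thesis's VHDL or Matlab code. Assumptions: bits arrive as a string of '0'/'1' characters; values are non-overlapping 8-bit groups; the toggle has no direction before the first unequal comparison, so the first rise or fall sets it without counting a transition; the acceptance band is μ ± round(z·σ) with z = 4.719 as in Algorithm 3; n in the limit formula is whatever count the caller passes (the page evaluates it for n = 20000, which the test below reproduces).

```python
"""Turning point test as a software model: 8-bit grouping, toggle-based
peak/trough counting and the acceptance limits of Algorithm 3.
Added example; not the thesis's VHDL or Matlab code.

Assumed: bits is a str of '0'/'1'; values are non-overlapping 8-bit
groups; the toggle has no direction until the first unequal compare;
the band is mu +/- round(z * sigma) with z = 4.719 from Algorithm 3.
"""
import math


def bits_to_bytes(bits):
    """Group a bit string into 8-bit integers, MSB first; a trailing
    partial byte is dropped (the hardware waits for Cnt_Reg = 7)."""
    usable = len(bits) - len(bits) % 8
    return [int(bits[i:i + 8], 2) for i in range(0, usable, 8)]


def count_turning_points(values):
    """Transition counter of Figure 5.8: toggle = 1 after a rise,
    0 after a fall; a transition is counted when the direction flips.
    Equal neighbours are 'no change' and leave the toggle alone."""
    toggle = None            # assumption: undefined until the first rise or fall
    transitions = 0
    prev = None
    for curr in values:
        if prev is not None and curr != prev:
            new_toggle = 1 if curr > prev else 0
            if toggle is not None and new_toggle != toggle:
                transitions += 1
            toggle = new_toggle
        prev = curr
    return transitions


def turning_point_limits(n, z=4.719):
    """Mean, standard deviation and (lower, upper) band for n compared
    values; Algorithm 3 on the page evaluates this for n = 20000."""
    mu = 2.0 * (n - 2) / 3.0
    sigma = math.sqrt((16.0 * n - 29.0) / 90.0)
    half_width = round(z * sigma)
    return mu, sigma, round(mu) - half_width, round(mu) + half_width


def turning_point_test(bits, n=None, z=4.719):
    """Return (passed, count, lower, upper). n defaults to the number
    of 8-bit values actually compared."""
    values = bits_to_bytes(bits)
    if n is None:
        n = len(values)
    _, _, lower, upper = turning_point_limits(n, z)
    count = count_turning_points(values)
    return lower <= count <= upper, count, lower, upper


if __name__ == "__main__":
    # constructed input: 20000 bits that are the byte values 0..255 cycling,
    # i.e. long monotone ramps with almost no peaks or troughs
    stream = "".join(format(v % 256, "08b") for v in range(2500))
    print(turning_point_limits(20000))    # the limits quoted in Algorithm 3
    print(turning_point_test(stream))     # rejected: far too few turning points
```

Two points worth checking when such a model is used as the reference for the VHDL: the reset value of the toggle (if the hardware resets it to 0, the first rise is counted as a transition, an off-by-one that a ±281 band hides but that a stricter band would not), and that both sides use the same n in the limit formula, since 20000 bits grouped into bytes give 2500 compared values.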
5.1.8 Serial Test
The last test implemented in hardware is the serial test. This test counts the number of occurrences of the bit patterns 00 to 11 and the number of 0s and 1s. This process is similar to the counter unit built in the poker test. The full data flow design can be seen in Figure 5.9. After the counter finishes, the controller passes the values to the statistic calculator, the $\chi^2$ calculation unit. This is the part that differs from the other tests. The operations found in the other tests are addition, subtraction and multiplication; however, this random generator test also includes two division operations. In comparison to addition and subtraction, the multiplication and division operations are very complex. When possible, designs are optimized to reduce the number of multiplication and division operations, since their hardware requirements are far higher than for addition and subtraction. Table 5.1 shows an example of the synthesis results from Synopsys for 8-bit arithmetic operations using UMC 0.25 µm CMOS technology.
The time delay for the division causes some concern, because any design using this operation has a time delay of at least 20.27 ns, i.e. a maximum clock frequency just under 50 MHz, which is the current maximum operating frequency for smart cards (see Chapter 2).

[Figure 5.8: Algorithm flowchart for the turning point test. Flow: Begin; begin collecting new bits, save each bit and increment the counters; when Cnt_Reg = 7 store the previous number in Previous_Reg and clear the gathering counter; compare Next num with Previous num: if greater, set Toggle to 1 and increment the transition counter if the previous state of Toggle was 0, else keep it; if smaller, set Toggle to 0 and increment the transition counter if the previous state of Toggle was 1, else keep it; if equal, keep Toggle and the transition counter; if count > 20000 set Next_state to Output, else set Next_state to Read_bits; End.]

[Figure 5.9: Data flow diagram for the serial test. Blocks: Input → Counter → χ² Calculation Unit → Pass/Fail, driven by a Controller with Start, Reset and Clock inputs.]

Table 5.1: Arithmetic hardware characteristics calculated using a 50 ns clock.
Operation                Area (µm²)   Power (µW)   Time Delay (ns)
Addition / Subtraction   1057         73           2.97
Multiplication           11025        829          6.58
Division                 6787         500          20.27
The calculation of the serial characteristic
$$10000\,X = \left[\frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1\right] \cdot 10000$$
is broken down into seven steps and uses two registers ($R_1$, $R_2$). The algorithm has been slightly changed from the version published in [APS96] by multiplying both sides by 10000, giving an accuracy of four decimal places. The algorithm for this test is shown in Algorithm 4.
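The serial statistic in two forms: the floating-point formula above and the 10000-scaled integer register sequence of Algorithm 4, so that the effect of the two truncating divisions can be seen. This is an added example, not the thesis's VHDL; the 160-bit input is a constructed sequence (a 40-bit block repeated four times), the pair counts are taken over the n − 1 overlapping pairs, and the pass threshold X_max is a parameter, because its value is not given in this section. The usage assumes X_max = 18.42, the upper 0.0001 tail of the χ² distribution with 2 degrees of freedom (−2 ln 0.0001), which is the distribution the serial statistic approximately follows.

```python
"""Serial test statistic: floating point and the 10000-scaled integer
form of Algorithm 4. Added example, not the thesis's VHDL.

Assumed: bits is a str of '0'/'1'; pair counts use the n-1 overlapping
pairs; the integer version truncates on division like a hardware
divider; the pass threshold X_max is supplied by the caller.
"""


def serial_counts(bits):
    """Return (n, n0, n1, n00, n01, n10, n11) over overlapping pairs."""
    n = len(bits)
    n1 = bits.count("1")
    pairs = {"00": 0, "01": 0, "10": 0, "11": 0}
    for i in range(n - 1):
        pairs[bits[i:i + 2]] += 1
    return n, n - n1, n1, pairs["00"], pairs["01"], pairs["10"], pairs["11"]


def serial_statistic_float(bits):
    """X exactly as in the formula on the page (no scaling)."""
    n, n0, n1, n00, n01, n10, n11 = serial_counts(bits)
    return (4.0 / (n - 1)) * (n00 ** 2 + n01 ** 2 + n10 ** 2 + n11 ** 2) \
        - (2.0 / n) * (n0 ** 2 + n1 ** 2) + 1.0


def serial_statistic_fixed(bits):
    """Algorithm 4: seven register states, result is 10000 * X as an integer."""
    n, n0, n1, n00, n01, n10, n11 = serial_counts(bits)
    r1 = n00 * n00 + n01 * n01           # state 1
    r2 = n0 * n0 + n1 * n1
    r1 = n10 * n10 + r1                  # state 2
    a, b = 10000 * r2, n
    r1 = n11 * n11 + r1                  # state 3
    r2 = a // b                          # first division (truncating)
    r2 = 2 * r2                          # state 4
    a, b = 10000 * r1, n - 1
    r1 = a // b                          # state 5, second division
    r1 = 4 * r1 + 10000                  # state 6
    return r1 - r2                       # state 7: chi-square * 10000


def serial_test(bits, x_max):
    """Pass/fail of state 7: scaled statistic against 10000 * X_max."""
    chi2_scaled = serial_statistic_fixed(bits)
    return chi2_scaled <= 10000 * x_max, chi2_scaled


# constructed sample: a 40-bit block repeated four times (160 bits)
SAMPLE_BITS = "1110001100010001010011101111001001001001" * 4

if __name__ == "__main__":
    print(serial_counts(SAMPLE_BITS))
    print(serial_statistic_float(SAMPLE_BITS))      # 0.6251...
    print(serial_statistic_fixed(SAMPLE_BITS))      # 6248
    print(serial_test(SAMPLE_BITS, 18.42))          # assumed chi-square(2) limit
```

For the sample the exact value is 10000·X ≈ 6251.6 while Algorithm 4 returns 6248: both divisions truncate, so the integer result is always a few units of 10⁻⁴ below the exact statistic. A floating-point reference model, such as the Matlab functions used for verification, must apply the same truncation or it will disagree with the hardware on sequences whose statistic lies within that margin of X_max.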
5.2 Functional Verication
Before any hardware analysis was performed on the VHDL designs, each design was functionally verified against the RNG test written in Matlab (see Figure 5.10). The synthesized versions were also checked for any logic and design errors.
Algorithm 4 Pseudocode to calculate the $\chi^2$ characteristic and the pass/fail for the serial test
State 1: $R_1 = n_{00} \cdot n_{00} + n_{01} \cdot n_{01}$; $R_2 = n_0 \cdot n_0 + n_1 \cdot n_1$
State 2: $R_1 = n_{10} \cdot n_{10} + R_1$; $a = 10000\,R_2$; $b = n$
State 3: $R_1 = n_{11} \cdot n_{11} + R_1$; $R_2 = a / b$
State 4: $R_2 = 2\,R_2$; $a = 10000\,R_1$; $b = n - 1$
State 5: $R_1 = a / b$
State 6: $R_1 = 4\,R_1 + 10000$
State 7: $\chi^2 = R_1 - R_2$; if $\chi^2 \le X_{max}$ then pass else fail
The verification was performed by first generating a test file with binary sequences from a poor generator (an LFSR generator). The all-zero and all-one sequences, which are known to fail the tests, were included. The test length for each sample was 20000 bits, since this was the design parameter for the hardware implementation.
A test bench was written to first read in the binary data, which was fed to the RNG tests. The output from each simulated run was stored in an output text file. Another test bench was programmed for the RNG test functions in Matlab. This test bench first loaded the test sequence file and then the results from the VHDL version. The test sequences were processed using the Matlab RNG empirical test functions, and their outputs were compared to the results from the VHDL simulation. When both results matched, an output of 1 was given, else 0 was set.
The results from the functional testing showed that the designs synthesized with Synopsys agreed with the results from the Matlab simulation. Therefore, the VHDL versions were functionally equivalent to the algorithm versions.

[Figure 5.10: Functional verification process. Flow: Test Data → VHDL Logic Design Simulation, VHDL Synthesized Design Simulation and Matlab Design Simulation → Compare Results → Pass/Fail.]
5.3 Hardware Testing
5.3.1 Hardware Analysis Strategy
Each RNG test algorithm was programmed using VHDL. After verifying the designs using a design simulator, they were loaded into Synopsys Design Analyzer(TM). The optimization tools from Synopsys were used to improve the design hardware properties.
Using a VHDL simulator, the circuit activity for testing a sequence of 20000 bits was recorded. This information was then used by the Power Compiler(TM) from Synopsys to calculate the power consumed using UMC 0.25 µm CMOS technology libraries.
The study of power consumption proceeded differently than that of area and time delay. For those two characteristics a CMOS technology (0.25 µm) was selected and the VHDL code was synthesized. At that point, the Synopsys tool provided a convenient method to calculate the area and time delay for the given technology; however, the power consumption tool was not as accurate as wished. For the power consumption calculations, the switching activity for each design was recorded. The source data for this study was a four-delayed feedback shift register. Using the simulation tools from Mentor Graphics(TM), the switching data was stored in SAIF files, which were then processed by Synopsys Power Analyzer at different clock frequencies. This gave a more accurate reading of the power consumption.
The power consumption results of the RNG tests need to be seen against the power consumption of a smart card during normal operation, which is 50 mW at a supply voltage of 5 V and a supply current of 10 mA.
[Figure 5.11: Complete area results for eight randomness tests. Bar chart of area (µm²), y-axis 0 to 1200000, for the RNG tests Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker and Serial.]
5.3.2 Hardware Results
The results from the hardware synthesis and power simulation can be seen in Figures 5.11 to 5.14. The first hardware characteristic to be studied is area.
The area results for each of the selected designs are shown in Figure 5.11. The synthesis used an out-of-date 0.25 µm CMOS process, whereas industry uses 180 nm or 90 nm technology; however, it did allow for a comparison of the different designs. The newer technology allows for a scaling down in size, but the general size ratios between the designs remain the same.
The area analysis divides the RNG tests into two groups, the random walk/runs based tests and the pattern matching tests. The pattern matching tests are significantly larger than the other tests, by at least a factor of ten. The smallest design is the longest runs test. The number of multiplication and division operations present in the poker and serial tests makes their designs more complex when compared to the relatively simple additions needed for the other designs. The synthesized serial test circuit is approximately 4% of the total smart card chip area. For some designers this might be too large.
The FIPS test group made up of the longest runs, runs, poker and frequency tests requires an area of 691286 µm². Within this group, the poker test is the largest contributor, making up 88% of the FIPS area.
In Figure 5.12 the area results have been zoomed in to include only the smaller tests. It is easier to notice the differences in size for each of these designs now that the two largest tests are removed. Here the designs are divided again into two groups, in essence making three groupings for the area analysis. The simple counters are the smallest designs, which include the following tests:
- longest runs
- frequency
- autocorrelation
- turning point.
The more complex counters are the
- runs
- frequency block tests.

[Figure 5.12: The area results for the six smallest randomness tests. Bar chart of area (µm²), y-axis 0 to 70000, for Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block and Runs.]
Smart cards work with a base speed of 5 MHz but the internal processing speed is usually multiplied up to speeds of 25 to 50 MHz. This is a design restriction that hardware developers for smart cards need to take into account. For a 50 MHz smart card, the algorithm implementation needs to have a device time delay of less than 20 ns. In other words, any algorithm implementation needs to reach the end of its slowest processing path for that clock cycle before the 20 ns are up. If a design cannot fit in this time restriction, it either needs to be optimized further or, if that is not possible, the smart card has to run at a slower clock speed. This has the negative effect of reducing the processing speed for all calculations.

[Figure 5.13: Longest path timing delay analysis for the eight randomness tests. Bar chart of design time delay (ns), y-axis 0 to 50, for Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker and Serial.]
Figure 5.13 shows the longest path time delay for the eight implemented tests. The ordering of the tests on the x-axis is the same as in the area measurement graph (see Figure 5.12), to allow for easier comparison of the different tests. The most striking result is the serial test. As the largest test it is expected to have the longest delay path; however, the difference between the serial test and the poker test is immense. The time delay path has been examined to investigate where the design is spending most of its time, and it is in the division component. Of the 45.22 ns spent processing the longest path in the serial test, 44.5 ns is in the divider. The serial test implementation uses a DesignWare(TM) divider. Therefore, for greater optimization a custom divider or a new serial test implementation without the division has to be designed.
The rest of the tests all fall below the 50 MHz (20 ns) line. Therefore, except for the serial test, they are all acceptable for current smart card speeds. The ordering of the designs based on the time delay does not necessarily follow the area size; for example, the longest runs test has a longer processing path than the frequency test. For many applications a compromise is required between the time delay and the design size to achieve efficient operation. This is the reason for the variance in the time delay.
The designs have been optimized with regard to all three characteristics: power consumption, area and time delay. However, the area and power consumption characteristics have been given a higher rating in the optimization hierarchy, since they are the most important properties for smart card manufacturers.

[Figure 5.14: Power consumption analysis for the eight randomness tests. Power consumption (mW), y-axis 0 to 10, plotted against clock speed (MHz), x-axis 0 to 180, with one line per test: Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker and Serial.]
The current trend in smart card development is shifting away from contact-only cards to either all-contactless or hybrid contact/contactless cards. The use of contactless technology has increased the importance of using low power designs. Each of the designs has been optimized using the power consumption parameters in Synopsys Design Compiler(TM).
The power consumption results can be seen in Figure 5.14. The data is plotted as points on a power vs. clock frequency axis. Some of the data lines are shorter than others; for example, the frequency block, poker and serial tests. They are shorter due to the limitation from their time delay. The operating speeds of the mentioned test implementations are restricted to a clock frequency of $1/(\text{time delay})$ or slower.
Three speeds are of particular interest in the power analysis: 5 MHz, the base smart card frequency; 20 MHz, the last point where all the tests can be compared; and 50 MHz, the maximum operating speed of current smart cards. At the speed of 50 MHz the poker test is by far the most power hungry circuit design at approximately 6 mW. The next closest tests are the frequency block and runs tests. The autocorrelation, turning point, frequency and longest runs tests are grouped closely near the 1 mW mark. For the 20 MHz point, the serial test result is also available. This test requires slightly less power (2.0 mW) than the poker test (2.5 mW).
The power consumption results generally follow the results from the area, with the largest design requiring the most power. However, it is interesting that the serial test is more efficient than the poker test. The main difference between them is not in the counting of the various statistical properties but in the actual calculation of the statistic. The poker test has more multiplications whereas the serial test has a divider circuit. The one divider circuit from Synopsys DesignWare(TM) is slow and large but has been designed to be efficient in power consumption. The multiplications are also efficient but not to the point of the divider.
The calculation times required in clock cycles for the tests are shown in Table 5.2. As a boundary limit the tests have to complete their calculation within the initialization time of two seconds. The tests are set up to count as each bit arrives from the RNG. The important quantity to keep small is the time between the last bit arriving and the calculation of the pass or fail. The shorter this time, the more bits the generator is able to create before reaching the two second limit. Current cryptographic RNGs in smart cards are not able to produce the full 20000 bits within that time interval. The more bits the RNG is allowed to produce, the better the results are for testing purposes. The hardware implementations of the RNG tests all require 20000 bits, since they are based on FIPS 140-2. It is hoped that the results from the simulator allow this to be reduced.
The results from the calculation time show that the smallest tests do not have long calculation times. The more complex tests, poker and serial, require more time, since they perform the calculation of the statistic and then compare it to a given range. This statistic calculation is the time consuming part. However, even these designs are very quick, and most of the two seconds can be dedicated to the bit generation.
From a hardware point of view, only the serial test has any problems in modern smart card implementations. Its current design does not allow it to be clocked at a standard operating frequency. The rest of the tests are all acceptable.

Table 5.2: Cycles required to calculate the test results after the arrival of the last bit in the test sequence.
Test               Number of Cycles
Frequency          2
Runs               2
Longest Runs       2
Serial             8
Poker              8
Autocorrelation    2
Frequency Block    2
Turning Point      3
Chapter 6
Empirical Test Quality Measurement
6.1 Introduction
In the previous chapter we have looked at the hardware aspects of the random number generator tests, which has allowed us to see if the selected tests are acceptable for a smart card implementation from a physical point of view (area, power consumption, and calculation time). However, this still leaves a variety of questions unanswered:
1. What is the minimum number of tests that are required to be implemented on the smart card RNG test unit?
2. Can the test sequence be reduced from 20000 bits to a smaller sequence without loss of testing quality?
It is not possible to determine the quality of a random number generator without having a measuring point. The standard for this thesis is the FIPS 140-2 test criteria, as it is the desired standard to be implemented in the smart card. The FIPS 140-2 test suite is made up of four tests (frequency, poker, runs and longest runs), a sample sequence length of 20000 bits, and a significance level of α = 0.0001 (1 misjudgment in 10000 trials). Therefore, the following is used as the definition of quality for this thesis.
Definition 6.1.1. A test or test group's quality is a percent measure of how well the selected test or test group mimics the FIPS 140-2 test criteria.
Normally, a failure in a RNG results in a stuck-at type failure (stuck-at 0 or stuck-at 1). However, there are also cases where a bit stream may still be produced with nonrandom characteristics. For cryptographic applications, the use of nonrandom sequences is worse than a full deactivation of the device. These poor cryptographic random sequences provide a false sense of security without informing the user of a possible breach in security. In essence, these poor random sequences are a hole in the protective shield around the user's data. To prevent this security hole from occurring, the RNG must be tested before each use.
76 CHAPTER 6. EMPIRICAL TEST QUALITY MEASUREMENT
Test 3) Digitiser
2) Noise
1) RNG
Source
FIPS 1402
Pass/Fail
Pass/Fail
Figure 6.1: Simulator setup and possible failure points.
There are many different random number generator tests available in the literature; however, they detect faults at different sensitivities. To investigate the sensitivities of the eight selected tests requires a simulator. This chapter describes the simulator that has been programmed to incorporate the possible failure points in a RNG system, and presents the results from the study of the behavior of the empirical tests on the different faulty bit streams. These failure points are modeled as poor RNGs. Figure 6.1 shows the three points of vulnerability in the RNG system. The first point is the actual RNG itself. It is possible that the generator has a flawed design or is damaged during use and begins to produce a poor sequence of bits. The second point examines the effects of outside interference. How will the test unit react to interference or noise on the line? The final point is the digitizer. Often a natural source is sampled and used as the randomness source. If the digitizer oversamples the natural source the output will have nonrandom qualities.
The following is a list of the models of the failure points and the type of generators used to represent these failures:
Failure Point 1: Failure in the random number generator
1. ANSI C generator
2. Repeating pattern generator
3. Biased generator
Failure Point 2: Frequency noise introduced into the random source
1. Frequency addition with a wide spectrum
2. Frequency addition with a narrow spectrum
3. Addition of pink (1/f) noise
Failure Point 3: Failure in the digitizer or the sampling
1. Oversampling
Table 6.1: Logical equation: Result = NOT (Test XOR FIPS 140-2), i.e. Result is 1 when the two verdicts agree.
Test   FIPS 140-2   Result
0      0            1
0      1            0
1      0            0
1      1            1
In addition to the previous possible failures, the Matlab random number generator has been studied, since it is the base generator for the failure generators. The experiment setup also incorporates as a control (Control 1) sequences from a true random number generator. The data is from Marsaglia's Random Number CD-ROM¹.
Each sample sequence has been tested with the eight selected empirical tests, with the results compared to the result from the FIPS 140-2 test group. The FIPS 140-2 result is calculated by taking the pass or fail results from the poker, frequency, runs and longest runs tests at 20000 bits, which are then ANDed together. This FIPS result is used as the reference for the other tests, with a match counted as 1 and a non-match as 0, see Table 6.1. In addition to looking at the results from each of the individual tests, test combinations have been examined. The results from the individual tests are ANDed together and treated as one test result, which is then judged according to Table 6.1. This shows any improvement obtained through test groups.
The next section takes a closer look at each of the sample generators and gives a short description of how they have been implemented in Matlab. The last section discusses the results from each of the generators, and looks at the effects of the sequence length.
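The reference verdict and the quality score of Definition 6.1.1 and Table 6.1, as an added example rather than the thesis's Matlab simulator: the four FIPS 140-2 power-up tests on a 20000-bit sample, the AND that forms the FIPS verdict, the percent agreement between a test (or an AND of tests) and that verdict, and two constructed inputs, one of them a 100-bit pattern repeated to 20000 bits in the manner of the repeating pattern failure model. Assumptions: the acceptance intervals are those of FIPS 140-2 (2001 edition), bits are given as a string of '0'/'1' characters, and the per-sample verdict lists fed to the scoring function are whatever the eight tests of the simulator produce (constructed lists are used in the usage).

```python
"""FIPS 140-2 test group, FIPS verdict (AND of four tests) and the
Table 6.1 agreement score. Added example, not the thesis's Matlab code.

Assumed: FIPS 140-2 (2001) intervals; bits is a str of '0'/'1' of
length 20000; verdict lists are per-sample booleans from any test.
"""
from itertools import groupby

# FIPS 140-2 runs test: allowed count of runs of each length, per bit value
RUN_INTERVALS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                 4: (240, 384), 5: (103, 209), 6: (103, 209)}


def fips_frequency(bits):
    """Monobit: 9725 < number of ones < 10275."""
    return 9725 < bits.count("1") < 10275


def fips_poker(bits):
    """5000 non-overlapping 4-bit nibbles; 2.16 < X < 46.17."""
    f = [0] * 16
    for i in range(0, 20000, 4):
        f[int(bits[i:i + 4], 2)] += 1
    x = 16.0 / 5000.0 * sum(c * c for c in f) - 5000.0
    return 2.16 < x < 46.17


def run_lengths(bits):
    """(bit, length) for every maximal run of identical bits."""
    return [(b, len(list(g))) for b, g in groupby(bits)]


def fips_runs(bits):
    """Runs of length 1..5 and >= 6, counted separately for zeros and ones."""
    counts = {b: {k: 0 for k in RUN_INTERVALS} for b in "01"}
    for b, length in run_lengths(bits):
        counts[b][min(length, 6)] += 1
    return all(lo <= counts[b][k] <= hi
               for b in "01" for k, (lo, hi) in RUN_INTERVALS.items())


def fips_long_run(bits):
    """Any run of 26 or more identical bits fails."""
    return max(length for _, length in run_lengths(bits)) < 26


def fips_140_2(bits):
    """FIPS verdict = AND of the four tests, as the page forms it."""
    assert len(bits) == 20000, "FIPS 140-2 tests a 20000-bit sample"
    results = {"frequency": fips_frequency(bits), "poker": fips_poker(bits),
               "runs": fips_runs(bits), "longest runs": fips_long_run(bits)}
    return all(results.values()), results


def combined_verdicts(*verdict_lists):
    """AND several tests' per-sample verdicts into one test result."""
    return [all(vs) for vs in zip(*verdict_lists)]


def match_score(test_verdicts, fips_verdicts):
    """Table 6.1: 1 when test and FIPS agree; returned as percent."""
    agree = sum(int(t == f) for t, f in zip(test_verdicts, fips_verdicts))
    return 100.0 * agree / len(fips_verdicts)


# constructed inputs: a 100-bit pattern repeated (repeating pattern
# failure model) and an alternating sequence; both are balanced in ones
REPEATING = ("0" * 50 + "1" * 50) * 200
ALTERNATING = "01" * 10000

if __name__ == "__main__":
    for name, sample in (("repeating", REPEATING), ("alternating", ALTERNATING)):
        verdict, detail = fips_140_2(sample)
        print(name, verdict, detail)
    # constructed verdict lists for four samples: one test vs. the FIPS verdict
    fips = [True, True, True, False]
    poker_only = [True, False, True, False]
    print(match_score(poker_only, fips))                      # 75.0
    print(match_score(combined_verdicts(poker_only, fips), fips))
```

Both constructed inputs pass the monobit test, which is the point of the chapter's argument: a balanced but structured stream is rejected only by the pattern-sensitive tests, so the verdict of a single test is a poor proxy for the FIPS group. The score function treats a false pass and a false fail alike, exactly as Table 6.1 does; if the two kinds of disagreement need to be separated, count them before ANDing.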
6.2 Random Number Generator Failure Experiments
6.2.1 Control Experiment 1: True Random Number Generator
As a control experiment, bits from a true random number generator are used. The bits are not self-generated with a hardware random number generator, but have been copied from Marsaglia's CD-ROM. This CD-ROM has approximately five billion bits that have been divided into sixty 10 MB files. The source for these bits is the combination of three white noise sources with a deterministic random number generator. Marsaglia ran the Diehard² tests over the bits and found that they passed all of them.
From these bits, 500 sample sequences of 100000 bits have been stored in a Matlab readable format. The same test procedure is used for these data samples as for the other tests. The results from this experiment are seen in Figures 6.2 and 6.3. Almost all the sequences pass the experiment for the different bit lengths. Not all tests pass each sequence with 100% matching, but this is to be expected. A true random number generator will produce sequences that have nonrandom characteristics. However, the large majority of sequences fall within the acceptable range. The results also show that a true random number generator looks random irrespective of the random sequence length. This result is the optimum for each of the other experiments.

¹ website: http://stats.fsu.edu/pub/diehard/cdrom/bits.01, sourced: February, 2002.
² A random number generator test suite from George Marsaglia. Source: http://stat.fsu.edu/pub/diehard

[Figure 6.2: True random number generator test results compared to the FIPS 140-2 standard. Percent matching (0 to 100) against sequence length (25, 50, 75, 100, 250, 500, 1000, 2500, 5000, 10000, 15000, 20000, 30000, 50000, 100000 bits) for the Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block and Serial tests.]
6.2.2 Control Experiment 2: Good Pseudorandom Number Generator
Description
The Matlab generator has been included in the study because it is the underlying engine for most of the sample generators. It is also used as the control for a good pseudorandom number generator. The function that has been used is the unidrnd function.
The rand function from Moler [Mol95, Mol04] is essentially two combined random number generators. The main generator uses thirty-five words of memory or states. The first thirty-two states hold floating-point numbers between 0 and 1. The other three states hold the indices i, j and the borrow flag b. The index i is an integer between 1 and 32, and the index j is a random integer. The state b is one of two values: 0 or ulp. An ulp is one half of the built-in Matlab function eps³, and is one unit in the last place for floating point numbers slightly less than 1 [Mol95].

³ eps is a Matlab function that returns the distance from 1.0 to the next largest double-precision number, that is eps = 2^−52. Source: http://www.mathworks.com/access/helpdesk/help/techdoc/ref/eps.html
[Figure 6.3: True random number generator single test pass count. Count of "Pass" sequences (max. 500) against sequence length (25 to 100000 bits) for Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block and Serial, with the FIPS result at 20000 bits as reference.]
To calculate the i-th value, the generator uses the formula
$$z_i = z_{(i+20) \bmod 32} - z_{(i+5) \bmod 32} - b$$
where b is calculated from the previous step. If $z_i$ is positive, then b is set to 0; however, if $z_i$ is negative, then b is set to ulp and 1.0 is added to $z_i$ to make it positive.
The previously stated random number generator has a period of $2^{1430}$; however, it has a flaw with the way floating point binary numbers are distributed for the range $\text{ulp} \le x \le 1 - \text{ulp}$. Many of the possible values are not represented. Figure 6.4 gives an example of this problem using $\text{ulp} = 2^{-4}$. For the range $[\tfrac{1}{2}, 1)$ all the values can be generated with ulp; however, for binary floating-point values less than $\tfrac{1}{2}$ this is not possible due to the limitation of the ulp size. The range $[\tfrac{1}{4}, \tfrac{1}{2})$ has only half of the possible values, and the range $[\tfrac{1}{8}, \tfrac{1}{4})$ only a quarter of the possible values.
To overcome this problem the second RNG is used to divide the values less than $\tfrac{1}{2}$ into non-equally spaced values. This allows for a fixed floating point size, i.e. $x.xxx \cdot 2^{y}$, where all values are generated instead of only the 32 values for $\text{ulp} = 2^{-4}$.
The last point to be taken into account is the relative frequency of each result happening. Using the new method divides each region $[\tfrac{1}{2}, 1)$, $[\tfrac{1}{4}, \tfrac{1}{2})$, $[\tfrac{1}{8}, \tfrac{1}{4})$, $[\tfrac{1}{16}, \tfrac{1}{8})$ into eight equal parts; however, the generator needs to be adjusted to access these lower value areas only the appropriate number of times. Since the interval $[\tfrac{1}{4}, \tfrac{1}{2})$ is half as large as $[\tfrac{1}{2}, 1)$ its relative frequency should also be divided in half. This process is continued for each smaller interval. Combining both RNGs forms a floating-point generator that has a period of $2^{1492}$.
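The first stage of the generator described above (32 states, lags 20 and 5, borrow flag b ∈ {0, ulp}) written out to make the distribution flaw visible. This is an added example in Python, not Matlab's code; the seeding of the 32 states is an assumption (a 64-bit LCG is used here, so the values are not Matlab's), and the second stage that refills the low-order bits is deliberately left out. What the code demonstrates is the property the text describes: every output of this stage is an integer multiple of ulp = 2^−53, so below 1/2 only every second representable double can occur, below 1/4 only every fourth, and so on.

```python
"""First stage of the Moler/Marsaglia subtract-with-borrow generator:
z_i = z_{i+20} - z_{i+5} - b, with b in {0, ulp}. Added example, not
Matlab's rand; the seeding below is an assumption (64-bit LCG).
"""
ULP = 2.0 ** -53          # one half of eps = 2**-52


def seed_states(seed, count=32):
    """Fill the 32 states with multiples of ulp in [0, 1). Assumed
    seeding; Matlab derives its initial states differently."""
    x = seed & 0xFFFFFFFFFFFFFFFF
    states = []
    for _ in range(count):
        x = (6364136223846793005 * x + 1442695040888963407) & 0xFFFFFFFFFFFFFFFF
        states.append((x >> 11) * ULP)      # 53 significant bits, exact
    return states


class SWB:
    """Subtract-with-borrow over 32 floating-point states."""

    def __init__(self, seed=1):
        self.z = seed_states(seed)
        self.i = 0
        self.b = 0.0

    def next(self):
        i = self.i
        # every operand is a multiple of ulp with magnitude below 1, so the
        # subtractions are exact and the result stays a multiple of ulp
        t = self.z[(i + 20) % 32] - self.z[(i + 5) % 32] - self.b
        if t < 0.0:
            t += 1.0
            self.b = ULP       # borrow for the next step
        else:
            self.b = 0.0
        self.z[i] = t
        self.i = (i + 1) % 32
        return t


def is_multiple_of_ulp(x):
    """True when x is k * 2**-53 for an integer k (exact: power-of-two division)."""
    return (x / ULP).is_integer()


def missing_fraction(x):
    """Fraction of the doubles in x's binade that this stage can never
    produce: 0 for [1/2, 1), 1/2 for [1/4, 1/2), 3/4 for [1/8, 1/4), ..."""
    if x >= 0.5 or x == 0.0:
        return 0.0
    spacing = 2.0 ** (x.hex().count("p") and int(x.hex().split("p")[1]) - 52)
    return 1.0 - spacing / ULP


if __name__ == "__main__":
    g = SWB(seed=2006)
    sample = [g.next() for _ in range(5)]
    print(sample)
    print([is_multiple_of_ulp(x) for x in sample])
    print([missing_fraction(x) for x in sample])
```

The check `is_multiple_of_ulp` is the fingerprint of the first stage: a full double-precision generator produces values such as 2^−60 that fail it, while this stage cannot. That is the reason the second stage exists, and it is also why a statistical test run on the integer bits of such a generator sees fewer distinct low-order patterns than the word width suggests.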
Results
Similar to the true random number generator, the Matlab RNG produced sequences that are classified as random by FIPS 140-2. Figure 6.5 shows that the individual tests all agree with the FIPS 140-2 standard irrespective of the test sequence length. Therefore, these two control experiments show that a random sequence results in a pass a large majority of the time.
6.2.3 Failure Point 1 Experiment: ANSI C Generator
Description
Not all RNG failures are catastrophic; a more subtle type of error happens when a good generator becomes a poor one. Although it is not as serious a security hole as a catastrophic failure, it should be included in the tests to secure against all possible avenues of attack. A procedure for evaluating the empirical tests is to run them using the output from a poor generator; for example, the ANSI C generator.
Results
The results have been compared to the FIPS standard, see Figure 6.6. As can be seen, the only test to pick up the change to a poor RNG with a high degree of certainty is the poker test (between 85 and 100%). The rest of the tests only agree with the FIPS standard approximately 50% of the time.
Figure 6.6 also shows very little variability in the results between the different sequence lengths. With the exception of the poker test, the rest of them show a near straight line across the sequence lengths. The poker test is the only test that has some change in its results, ranging from 87% up to 100% correct at 20000 bits. The 100% result can be attributed to the poker test having the most influence in the FIPS standard. Therefore, the poker test at 20000 bits agrees most closely with the FIPS standard.
Figure 6.7 shows the test results of the ANSI C generator using combinations of empirical tests. There is no improvement when the tests are combined. Again, only the combinations with the poker test have scores near 100%. The other test combinations stay on a line around 50%, just as the lone tests in Figure 6.6.
Figure 6.8 provides a better view of the effect of the poker test. It alone detects nonrandom characteristics in the sequences. At the 20000 bit point, it has detected approximately half of the sequences as coming from a non-random generator. This value increases with the sequence length to the point that at 100000 bits all the sequences are rejected. The higher rejection rate is shown in Figure 6.6 as a lower match with the FIPS standard. Therefore, for this failure only the poker test is recorded as detecting it, and since the FIPS 140-2 standard is the standard for this thesis, a sequence of 20000 bits is recommended.
6.2. RANDOM NUMBER GENERATOR FAILURE EXPERIMENTS 81
a)
2
1
2
2
2
3
2
4
1.000 1.00 1.0 1
1.001 1.01 1.1
1.010 1.10
1.011 1.11
1.100
1.101
1.110
1.111
b)
2
1
2
2
2
3
2
4
1.000 1.000 1.000 1.000
1.001 1.001 1.001 1.001
1.010 1.010 1.010 1.010
1.011 1.011 1.011 1.011
1.100 1.100 1.100 1.100
1.101 1.101 1.101 1.101
1.110 1.110 1.110 1.110
1.111 1.111 1.111 1.111
Figure 6.4: Binary oating-point segments. a) Binary values multiplies of ul p from rst generator stage.
b) Full binary values for oating point generator after second generator.
0
10
20
30
40
50
60
70
80
90
100
2
5
5
0
7
5
1
0
0
2
5
0
5
0
0
1
0
0
0
2
5
0
0
5
0
0
0
1
0
0
0
0
1
5
0
0
0
2
0
0
0
0
3
0
0
0
0
5
0
0
0
0
1
0
0
0
0
0
Sequence Length
P
e
r
c
e
n
t
M
a
t
c
h
i
n
g
Frequency Runs Longest Runs Poker Turning Point Autocorrelation Frequency Block Serial Test
Figure 6.5: Matlab random number generator test results compared to the FIPS 140-2 standard.
[Figure 6.6: ANSI C random number generator test results compared to the FIPS 140-2 standard. Percent matching (0 to 100) against sequence length (25 to 100000 bits) for the Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block and Serial tests.]
[Figure 6.7: Test combination results compared to the FIPS 140-2 standard for the ANSI C random number generator. Percent matching (0 to 100) against sequence length (25 to 100000 bits) for the pairwise test combinations F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS and L_P_FIPS (legend abbreviations: F frequency, R runs, L longest runs, P poker, T turning point, A autocorrelation, FB frequency block, S serial).]
[Figure 6.8: Single test pass count for the ANSI C random number generator. Count of "Pass" sequences (max. 500) against sequence length (25 to 100000 bits) for Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block and Serial, with the FIPS result at 20000 bits as reference.]
6.2.4 Failure Point 1 Experiment: Repeating Pattern Random Number Generator
Description
The effects of a poor RNG have been studied; another possible failure at the RNG is a repeating pattern sequence. The possible causes of this type of failure are a malfunctioning RNG, either through hardware damage or an infinite loop in the program code. The output from the generator is similar to that of a functioning RNG for a given number of bits, but no new bits are created afterwards, just a repeat of the old sequence. Another way of viewing this is as a pseudorandom number generator with a small period. This problem is more likely to occur in generators that store data in internal memory before outputting it for use by the encryption process than in memoryless generators. Should this failure occur, an attacker would have easy access to the secure data, since the secret code is easy to see and reproduce.
The repeating pattern random number generator (RP-RNG) has been created to examine the sensitivity of the RNG tests to this type of failure. The base programming language used for the generator is Matlab, where 500 samples have been created for the simulator. The RP-RNG functions by taking the first 100 bits from each of the 500 true RNG samples. This way the data is known to be random up to the 100 bit point in each of the sample sequences. The 100 bits are copied 1000 times to form a 100000 bit sample sequence.
84 CHAPTER 6. EMPIRICAL TEST QUALITY MEASUREMENT
[Figure 6.9 plot: count of "Pass" sequences (max. 500) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]
Figure 6.9: Single test pass count for the repeating pattern generator.
In this study only the effects using a 100 bit initial random source have been examined. This
provides a good starting point to determine the sensitivity of each of the tests. Lengthening the
initial sequence would shift the detection point upwards to a higher test sequence length, whereas
a shorter initial sequence would have the opposite effect and reduce the detection sequence length.
The 100 bit initial sequence has been chosen as a good compromise.
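As an added worked example (not code from the thesis, whose RP-RNG was built in Matlab from true-RNG samples), the following Python models the repeating pattern generator and runs the 4-bit poker test on it at several test sequence lengths. The two 100-bit prefixes are constructed here: one is the most uniform 25-nibble pattern possible, the other is seeded pseudo-random. The 1% chi-square threshold (30.578 for 15 degrees of freedom) and all function names are my assumptions, since this section does not state the significance level used by the simulator.

```python
"""Model of the repeating-pattern RNG (RP-RNG) and the 4-bit poker test.

Added example, not the thesis's Matlab code.  The 100-bit prefixes below are
constructed inline so that the block runs offline.
"""
import random
from collections import Counter

# Chi-square critical value, 15 degrees of freedom (16 nibble classes),
# significance level 0.01 (assumed; the thesis does not state its level here).
CHI2_CRIT_15DF = 30.578


def repeating_pattern_bits(prefix, total_len):
    """RP-RNG model: the first len(prefix) bits are genuine random bits,
    everything after that is a repeat of the same prefix."""
    reps = -(-total_len // len(prefix))  # ceiling division
    return (prefix * reps)[:total_len]


def poker_statistic(bits, m=4):
    """Chi-square statistic of the poker test over non-overlapping m-bit blocks:
    X = (2^m / k) * sum(f_i^2) - k, where k is the number of blocks and f_i the
    number of blocks showing pattern i.  Trailing bits that do not fill a block
    are ignored."""
    k = len(bits) // m
    counts = Counter(bits[i * m:(i + 1) * m] for i in range(k))
    return (2 ** m / k) * sum(f * f for f in counts.values()) - k


def poker_test_passes(bits, crit=CHI2_CRIT_15DF):
    """True if the 4-bit poker test accepts the sequence as random."""
    return poker_statistic(bits) <= crit


def hex_to_bits(hexstr):
    """Expand a hex string into its bit string, four bits per digit."""
    return "".join(format(int(h, 16), "04b") for h in hexstr)


# Constructed 100-bit prefix: 25 nibbles in which every nibble value appears
# once or twice, i.e. the most uniform 25-nibble prefix possible.  Any other
# prefix gives a larger poker statistic.
UNIFORM_PREFIX = hex_to_bits("0123456789abcdef012345678")

# Constructed pseudo-random 100-bit prefix (seeded so the run is reproducible).
_rng = random.Random(2006)
RANDOM_PREFIX = "".join(_rng.choice("01") for _ in range(100))


def poker_results(prefix, lengths=(100, 250, 1000, 2500)):
    """Poker statistic (rounded) and verdict of the RP-RNG built from
    `prefix` at each test sequence length."""
    out = {}
    for n in lengths:
        x = poker_statistic(repeating_pattern_bits(prefix, n))
        out[n] = (round(x, 3), x <= CHI2_CRIT_15DF)
    return out


if __name__ == "__main__":
    for name, prefix in (("uniform", UNIFORM_PREFIX), ("random", RANDOM_PREFIX)):
        print(name)
        for n, (x, ok) in poker_results(prefix).items():
            print(f"  {n:>5} bits: X = {x:8.3f}  {'pass' if ok else 'FAIL'}")
```

Because the 100-bit prefix is exactly 25 whole nibbles, r full repeats multiply every nibble count by r and the poker statistic by r as well, so X(2500) = 25 times X(100). Even the most uniform prefix, which scores 2.52 on its own and 25.2 at 1000 bits (still accepted), reaches 63 once repeated 25 times and is rejected, while at 250 bits it still passes. Ordinary random prefixes have larger nibble-count imbalances and are rejected earlier, which is the mechanism behind the poker test catching only part of the samples at 250 bits and all of them at 2500 bits.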
Results
The results from the repeating pattern RNG experiment can be seen in Figures 6.10 to 6.12. Since
the repeating pattern RNG uses a 100 bit length sample sequence from the true RNG, the testing
starts at the 250 bit length. Test sequence lengths of 100 bits and smaller should achieve the
same pass/fail results as were obtained in the true RNG experiment; Figure 6.9 shows that
this is the case.
The single test experiment results are divided into five groups: the poker and runs test in the
first group, the serial test in the second group, the frequency and turning point test in the third,
the autocorrelation and frequency block test in the fourth, and finally the longest runs test. The
fifth group is dropped from further study, since it does not recognize any sequence as faulty and
does not help to improve the results from the other tests using test combinations.
The group of greatest interest is the first one. Examining Figure 6.9 reveals that the FIPS
standard at 20000 bits rejects all the sample sequences. Further study of the pass count also shows
that both the runs and poker test fail all the sample sequences. Both these tests are part of the FIPS
[Figure 6.10 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]
Figure 6.10: Single test percent matching with FIPS 140-2 results for the repeating pattern generator.
group and either one may be the most sensitive test for this particular failure model. A closer
look at the percent matching to FIPS should show that test groupings with either the poker or the
runs test should have the best results. This is examined in the coming paragraphs.
Another point of interest is the autocorrelation test, since it is currently the one used in
production for smart cards. For this fault, the test begins to detect sequences as being from a
nonrandom generator at the 500 bit sample sequence length. The test achieves 40% matching with
the FIPS at 10000 bits, where it levels off and does not show any more improvement. This indicates
that this test is not very good for this fault type.
The FIPS standard rejects all the sample sequences; therefore, this experiment is an analysis
of how quickly each test or test group rejects the sample sequences, shown in Figure 6.10. The
best group detects a fault in 20% of the sequences with a length of 250 bits. An improvement in
fault recognition is obtained when the test length is increased. At a test length of 500 bits there is
75% and 85% matching with the FIPS for runs and poker respectively. The tests almost achieve
100% matching when the test sequences have a length of 1000 bits. However, only at 2500 bit
sequences do the tests catch all the samples.
The poker and runs test both work by counting the occurrence of either patterns or run
lengths. A closer look at the most sensitive test, the poker test, reveals that when analyzing the
initial subsequence certain patterns occur more often than others; however, the pattern counts are
still in the acceptable range. Ideally the number of occurrences of each pattern should be equal for
all possible patterns in a countably infinite sequence. Since the analyzed data is only a finite sample
this does not occur, and one type of pattern occurs more often than another. If the acceptable
range for the 25 bit test sequence is also scaled up in proportion to the test sequence length (for
example from 25 to 20000 bits), then the acceptable range is larger than that properly calculated
for a significance level at 20000 bits. Therefore, more sequences will be accepted at 25 bits as
coming from a random source when in fact they should be rejected. Here the distribution model
fails to accurately portray the distribution from a true random source.
The poker test is ahead of the runs test in FIPS matching percentage until the 2500 bit test
length, where they both achieve 100% matching. The second group, the serial test, has a slower
matching percentage gain than the first group. There is a significant increase between the lengths
of 500 and 2500; however, after this point the test slows down in catching the faulty sequences.
The serial test is also a pattern matching test, which explains why it is initially good at rejecting
the sample sequences. However, the last 5% of the faulty sample sequences cannot be recognized
due to the shorter pattern analysis. Even though it is counting the patterns, the serial test
concentrates more on near-bit correlation. The last 5% of the samples have very little correlation
in the initial subsequence, and even with the repeating of the subsequence the test still remains in
the acceptance range. It does improve when the test sequence length is increased to 50000 bits
and higher, but it still does reach 100%.
The last test to reach 100% within the given sample test lengths is the turning point test.
It matches the FIPS standard, but only starting at 50000 bits. This test is still included in the
combination test because it counts a different characteristic than the other tests, and it may have
caught samples at lower test lengths that the other tests did not catch.
The results from the combination test can be seen in Figures 6.11 and 6.12. The one test
combination that shows good improvement, at least initially, is the runs/poker test group. There
is approximately a 12 percentage point increase at the 250 bit test length, and approximately a 10
percentage point increase at the 500 bit length. After this point, the percent matching does not
differ from the single tests, which indicates that starting from the 1000 bit test length the runs
and poker test are catching the same sequences. Therefore, if 100% matching is required, no
improvement is achieved by using a combination of tests.
Conclusion
The repeating pattern error is one type of error that may arise from a faulty RNG. To cover this
security hole a test or test group needs to be implemented that detects this fault with the smallest
sample sequence length.
The standard FIPS 140-2 group with a sample sequence of 20000 bits is able to recognize
that all the sample sequences come from a faulty generator. At the 20000 bit point, two tests
reject the same samples as the FIPS group, the poker and runs test. These two tests
accurately model the FIPS standard at lower testing lengths, but reach their limits at a testing
length of 2500 bits. The accuracy below that point degrades.
[Figure 6.11 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]
Figure 6.11: Test combinations percent matching with FIPS 140-2 results for the repeating pattern generator showing the combinations Frequency/Runs to Longest Runs/Poker.
[Figure 6.12 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 6.12: Test combinations percent matching with FIPS 140-2 results for the repeating pattern generator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
After examining the combination tests where 100% matching is obtained, it can be seen that
there is no improvement over the single tests. Therefore, for the repeating pattern failure a single
test, either the runs or poker test, with a testing sequence length of 2500 bits is recommended.
6.2.5 Failure Point 1 Experiment: Bias Random Number Generator
Description
Another possible flaw in cryptographic random number generators happens when the generator
loses the characteristic of equal probability of a zero or one being produced. Generators that do
not have a probability P(X = 1) = 0.50 are labeled biased. There is a variety of causes for bias,
for example a malfunction in the generator hardware, environmental stress, or external influences
on the generator by a hacker. An experiment has been included in the simulator to show
the sensitivity of the random number generator tests to this type of fault. The experiment uses a
biased RNG to create sample sequences with biases of 52%, 54% and 56%. These bias values
indicate the probability of the generator producing a one. These example bias probabilities
have been chosen to show the sensitivity of each of the tests to this type of failure, and to give an
indication how the tests react to an increasing bias error. The 50% generator (properly functioning
generator) has not been mentioned in this part, since it is a normal working Matlab RNG, which
has been tested with the given RNG tests.
For the normal operation of the Matlab RNG in other experiments the generator produces a
sequence of bits of a given length. However, this time the bit outputs need to be influenced, so
the generator is set to create sequences with values between 0 and 99. Each value is compared to
the selected bias value (i.e. 52, 54, or 56), and if it is less than this limit, then a one is produced.
Should it fall above the limit, then a zero is output.
This generator was used to create 500 samples of 100000 bits for the simulator. As mentioned
previously, the biases selected for this experiment were 52%, 54%, and 56%. Each of the sample
sequences was tested with the eight RNG tests, and with sequence lengths from 25 to 100000
bits.
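Added example (Python, not the thesis's Matlab simulator): the biased generator exactly as described above, a frequency (monobit) test using the normal approximation, and the expected value of the test statistic for a given bias, from which the sequence length at which the average sample is first rejected follows. The two-sided 1% threshold z = 2.576, the seed and the function names are my assumptions.

```python
"""Biased RNG model (as described above) and the frequency (monobit) test.

Added example, not the thesis's Matlab code.  The acceptance threshold is a
two-sided normal approximation at significance level 0.01 (assumption; the
thesis does not state the level used by its simulator in this section).
"""
import math
import random

Z_CRIT = 2.576  # two-sided 1% normal quantile (assumed significance level)


def biased_bits(bias_percent, n, seed=0):
    """Bias generator as described in the thesis: draw a value in 0..99 and
    output a one when it is below the bias limit, otherwise a zero."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    return "".join("1" if rng.randrange(100) < bias_percent else "0"
                   for _ in range(n))


def monobit_z(bits):
    """Frequency test statistic: the ones count standardised under the
    hypothesis P(X=1) = 0.5, i.e. z = (ones - n/2) / sqrt(n/4)."""
    n = len(bits)
    ones = bits.count("1")
    return (ones - n / 2) / math.sqrt(n / 4)


def frequency_test_passes(bits, z_crit=Z_CRIT):
    """True if the sequence is accepted as unbiased."""
    return abs(monobit_z(bits)) <= z_crit


def expected_z(bias_percent, n):
    """Mean of the statistic when the generator really has P(X=1) = p:
    (p - 0.5) * n / sqrt(n/4) = 2 (p - 0.5) sqrt(n)."""
    return 2 * (bias_percent / 100 - 0.5) * math.sqrt(n)


def min_length_to_expect_rejection(bias_percent, z_crit=Z_CRIT):
    """Shortest sequence length at which the *expected* statistic already
    exceeds the threshold.  Individual samples scatter around the mean with
    a standard deviation of about 1, so rejection of every sample needs a
    clearly longer sequence than this."""
    return math.ceil((z_crit / (2 * abs(bias_percent / 100 - 0.5))) ** 2)


def survey(bias_percent, lengths=(500, 2500, 10000, 20000), seed=0):
    """Verdict of the frequency test for one biased sample at several test
    sequence lengths (prefixes of the same sample, as in the simulator)."""
    sample = biased_bits(bias_percent, max(lengths), seed)
    return {n: frequency_test_passes(sample[:n]) for n in lengths}


if __name__ == "__main__":
    for bias in (52, 54, 56):
        print(f"{bias}% bias: expected rejection from {min_length_to_expect_rejection(bias)} bits;"
              f" one sample: {survey(bias)}")
```

For a 54% bias the expected statistic is 2(0.54 - 0.5)sqrt(n), about 1.8 at 500 bits (inside the threshold, so only some samples are rejected) and 8 at 10000 bits (essentially every sample is rejected), which is the same qualitative picture as the simulator results that follow: detection starting near 500 bits and full rejection before 10000 bits. The same formula places the 52% generator at a longer and the 56% generator at a shorter detection length.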
Results
The results for this generator can be seen in Figures 6.15 to 6.18. It is assumed that with a bias
a certain number of tests will pick up the faulty generator. A major question is how quickly
the error can be identified (sequence length). Looking at Figure 6.13 shows that the FIPS standard
does not pass any of the biased sample sequences. Therefore, for the other tests to match with
the FIPS standard they need to label all the sample sequences as fails. At the 20000 point, three
tests that are part of the FIPS group (Frequency, Runs and Poker) plus the serial test have rejected
all of the sample sequences. Since the FIPS group has failed all the sample sequences, the percent
[Figure 6.13 plot: count of "Pass" sequences (max. 500) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]
Figure 6.13: Single test pass count for the 54% biased generator.
matching for the single tests is more a count of how many fails the test produces at the sample
sequence length.
For the 54% bias generator using the single tests (see Figure 6.14), the frequency and serial
tests begin to label the generator as a fail at a sequence length of 500. As mentioned in the
Description, a bias in a generator produces either more ones or more zeros. So, for a 54% ones
bias a generator will statistically produce 54 ones for every 100 bits. For small sample sequence
lengths, it is not possible to pick up a 54% biased generator, since it falls into the acceptable
range. For example, a test sequence of 25 bits has 12.5 ones as the 50% point, with 11 to 14
ones being in the acceptable range. If this is extended to 20000 bit sequences the acceptance
range is then 8800 to 11200, which may not match the significance level anymore. For the serial
test, the increase in the number of ones also increases the likelihood of the sequence pattern 11
happening, with this coming at the expense of the 00 pattern.
The frequency and serial tests are the most sensitive tests for the biased random number
generator with 54%. They almost reach 100% matching with the FIPS standard at a sequence length
of 5000; however, they only fully match at the 10000 bit length mark. The slight change in the
FIPS matching percentage between 5000 and 10000 indicates that the actual 100% FIPS matching
point is between these two values. An experiment has been run with test sequence lengths
between 5000 and 10000 to find a more accurate point of where the tests reach 100%. The point
where the frequency and serial test match 100% with the FIPS standard is at a test sequence
length of 8000. The poker test reached 100% at 10000 bits (see Table 6.2 for the results between
[Figure 6.14 plot: percent matching (0 to 100) vs. sequence length (25, 50, 75, 100, 250, 500, 1000, 2500, 5000, 10000, 15000, 20000, 30000, 50000, 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]
Figure 6.14: Single test percent matching with FIPS 140-2 results for the 54% biased generator.
Test/Bit Length   5000    6000    7000    8000    9000    10000
Frequency         98.2%   99.4%   99.8%   100%    100%    100%
Runs              56.2%   73.4%   86.6%   92%     97.2%   98.6%
Poker             70.4%   86%     95.6%   98.4%   99.6%   100%
Serial            98%     99.4%   99.6%   100%    100%    100%
Table 6.2: Percent matching to FIPS of the four tests that have been zoomed in on between test sequence lengths of 5000 and 10000.
5000 and 10000).
The next most sensitive group for the 54% bias includes the poker and runs test. This test group
exhibits approximately the same error identification rate as the first group but at one sequence
length grouping higher, i.e. a 2500 bit sample length before errors are detected instead of 1000
bits for the first group. It also copies the first group by plateauing around 98% FIPS matching
and then reaching 100%. The runs and poker tests have also been analyzed between 5000
and 10000. Table 6.2 shows the poker test reaching 100% matching at the 10000 bit length, but
the runs test still does not reach it.
The results from the 52% and 56% bias RNG (see Figures 6.15 and 6.16) show that the same
trend applies to both a higher and lower bias. The same grouping of tests is present in all three
bias generator results with the serial and frequency tests being the best group and poker and
runs tests making up the second group. It is assumed that the lower biased generator is harder
to detect, hence shifting the detection sequence length upwards. The same thought holds for
[Figure 6.15 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial]
Figure 6.15: Single test percent matching with FIPS 140-2 results for the 52% biased generator.
the 56% biased RNG, with it being easier to detect, resulting in the detection sequence length
being shifted down. The results shown in Figures 6.15, 6.14 and 6.16 back up this assumption,
where the detection points for the 52%, 54% and 56% biased RNGs are at sequence lengths of
2500, 500 and 250 respectively. Also the 100% FIPS matching level is reached sooner for the more
strongly biased generators.
Up to this point each of the tests has been investigated separately; however, if the tests do
not match 100% with the FIPS standard, then there is room for improvement by combining the
results of two or more tests. The results of the two test combinations are shown in Figures 6.17
and 6.18. Combinations of three tests have also been performed but are not included in this thesis,
since little change is seen in the results between two and three test combinations.
The test combination results can be seen in Figures 6.17 and 6.18. Most of the test
combinations do not show any improvement in their results over the single tests due to test masking.
This happens when the more sensitive test not only fails all the same sequences as the second test
but also a few more. The results on the chart show grouping points around the single test results.
There is, however, one test that does show an improvement for some bit lengths, the Frequency-Serial
test group. There is a 2 percentage point matching improvement to the FIPS at the 1000 and 2500 bit
lengths. This improvement does not continue beyond this point, and the Frequency-Serial test
again matches the results from the single Frequency and Serial tests.
[Figure 6.16 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]
Figure 6.16: Single test percent matching with FIPS 140-2 results for the 56% biased generator.
[Figure 6.17 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]
Figure 6.17: Test combinations percent matching with FIPS 140-2 results for the 54% biased generator showing the combinations Frequency/Runs to Longest Runs/Poker.
[Figure 6.18 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 6.18: Test combinations percent matching with FIPS 140-2 results for the 54% biased generator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
Conclusion
A biased sequence is one possible failure that can come directly from the RNG. A properly
functioning cryptographic RNG has an equal probability of producing a one or a zero, P(x =
1) = 0.5. To ensure that the generator is functioning properly and/or is not being influenced, it
needs to be tested for this particular failure before operation.
The results in the last section show that a bias as low as 52% can be detected using the FIPS
test. For each of the biased generators the best tests are the Frequency and Serial tests. There is
an improvement at lower test sequence lengths (1000 to 2500) when they are combined; however,
this improvement does not push the tests to full FIPS matching. It is recommended that either
the Serial or Frequency test be included in any online test unit for cryptographic RNGs.
Selecting the testing length is hard, since each of the tests has a different sensitivity level. A
good compromise is the 10000 bit sequence length. The selected tests can catch both the 54%
and 56% bias with a 100% match to the FIPS standard, while at 52% bias there is still an 82%
success rate. This test sequence length is significantly lower than the 20000 bits for the FIPS, but
still provides good testing for the given bias levels.
A final test selection and sequence length suggestion for the test unit is provided in the final
conclusion, where the results from the hardware and software analysis are combined.
[Figure 6.19 plots: spectrum magnitude (0 to 4000) vs. frequency (0 to 10000); a) Single frequency example. b) Wide frequency group example.]
Figure 6.19: Frequency spectrum of single frequency and wide frequency group example.
6.2.6 Failure Point 2 Experiment: External Frequency Interference
The smart card is a portable processor that needs to function in a variety of environments and
still be secure. It is not possible for the smart card manufacturers to dictate how and where the
card can be used; therefore, they need to consider the possibility of environmental interference
from temperature, pressure, and external noise sources. These factors may also affect the random
number generator in the smart card. For example, if a smart card's initial seed generator uses a
thermal measurement as the seed source, a third party may try to reduce the possible seeds by
operating the card in an artificially cold environment. Another method by which a third party can
influence the security of the card is by introducing frequencies into the random sequences. This
distorts the sequence from a uniform distribution and increases the likelihood that the third party
is able to find the secret key. Interference can come not only from a third party but also from
faulty circuitry or nearby noise sources.
The simulator has been run with three possible frequency interference models: single fre-
quency, wide frequency group, and pink noise. The difference between the single frequency and
the wide frequency group is the single frequency model has a single sinusoid at a given frequency,
for example, 4 kHz, whereas the wide frequency group is the given frequency plus decreasing
strength neighbouring frequencies, see Figure 6.19.
The frequencies selected in the next experiments are only example failures. If a manufacturer
has more information about specific interference (e.g. square waves or specific frequencies), then
this can be analyzed using the simulator as well.
Implementation of the Frequency Addition (Single and Wide Frequency)
The frequency addition for the wide and single frequency generators uses the same Matlab
function (freqaddRNG) and a sample random sequence. The Matlab function accepts as input the
                 Single Frequency   Wide Frequency Group
Frequency        4000               [3800 3850 3900 3950 4000 4050 4100 4150 4200]
Magnitude        1.0                [0.2 0.4 0.6 0.8 1.0 0.8 0.6 0.4 0.2]
Table 6.3: Experimental settings for the single and wide frequency group used with the freqaddRNG function.
sample random sequences, the frequencies to be added and the magnitude for each of the new
frequencies.
The experiment parameters are listed in Table 6.3. Using these settings the freqaddRNG
function adds the interference signal at different ratios. For these experiments the ratios
used are 0%, 10%, 30%, 50%, 70%, and 90%. Only the 50% and 90% levels are discussed
in this thesis to show the effect the interference has on the random data.
Results for the Frequency Addition (Single Frequency)
The first results examined come from the single frequency interference experiment. Many of the
observations for the addition of a single frequency component also apply to the addition of the
wide frequency group to the random signal. The results for both error types have been graphed.
It is impossible to determine beforehand the strength of the interference, so only the trend of
how the random number generator tests react at different interference levels can be examined.
The results of the signal at no interference (Matlab RNG results), 50% interference, and 90%
interference are studied here.
The single frequency component results can be seen in Figures 6.22 to 6.24. One of the
methods used to determine if this type of error is present in an RNG is to perform a spectral
analysis. If present, a frequency component is clearly apparent, and a significance level can be
set where any frequency component passing this level indicates a defective RNG. Currently, it
is not possible to implement an efficient spectral test on the smart card due to the complexity of
the required operations, for example the fast Fourier transform.
Figure 6.20 displays an example sequence using 5 points/cycle and a sample length of 50
points, where the x-axis shows the point count and the y-axis the random value between -1 and
1. The influence the sine wave signal has on the random data is clear. In this particular case the
random data is concentrated in the lower region (-0.50 to 0.50), where more zeros are likely to
occur. The addition of the sine wave also adds a pattern to the data where every 2.5 cycles the
chance of ones increases. For the 50% case, the basic pattern for the random data is still evident;
however, for the 90% ratio experiment (i.e. extreme interference) the random data only has a
minor influence on the output data, which shows a lot of regularity (see Figure 6.20b).
The conclusion drawn from analyzing the sample data is that the data generated by this RNG
is not acceptable for cryptographic applications. The first experimental sequence to be studied
in detail is the 50% single frequency generator. Figure 6.21 reveals that not all of the sequences
[Figure 6.20 plots: signal value (-1 to 1) vs. point count (0 to 50); series: Sine Wave, Random Signal, Combined Signal; a) 50% interference, b) 90% interference]
Figure 6.20: Example sine wave interference with random data.
[Figure 6.21 plot: count of "Pass" sequences (max. 500) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]
Figure 6.21: Single test pass count for the Frequency Add Narrow generator with 50% interference.
have been rejected by the FIPS standard. Approximately 70% of the sequences have been re-
jected. The FIPS standard has rejected more sequences than any single test; therefore, the test
combinations should provide better matching than the single tests. It should also be noted that
the FIPS test group is used as the standard measurement for generator randomness. Therefore,
the higher rejection at longer sequences for the poker, frequency and serial tests will show up as
a lower matching value. Another observation from this graph is that the tests only start to reject
the sequences at the 5000 bit length mark.
Figure 6.21 shows some of the same observations that Figure 6.22 displays. The constant
matching sits approximately at 30% at the lower bit sample lengths, because the FIPS standard
only rejects about 70% of the sequences at the 20000 bit mark. The lower sequence lengths
passed all the sequences, so the starting mark for a poor test for the generator is set at 30%. The
three tests that start to catch the failure in the generator are the poker, frequency and the serial
test. They steadily improve until the 20000 bit point after which they decrease in matching. As
has been previously explained, the loss in matching is due to the particular tests labeling more
sequences as fail than the FIPS, which is a deviation from the standard laid out at the beginning
of this chapter.
The best test, the frequency test, does not achieve 100% matching with the FIPS standard. It
only has a 92% success rate, whereas the next two tests, the serial and poker tests, have an 82% and
a 79% maximum success rate, respectively. The highest matching percentage occurs only at the
20000 bit mark.
[Figure 6.22 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]
Figure 6.22: Single test percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference.
After looking at the single test results, it is hoped that the combination tests provide better
results. As has been mentioned in previous paragraphs, the indication from the pass count graph
is that the tests do not fully overlap when rejecting the various sample sequences. This should
show up in the combination test results with better matching for some combinations. The results
are presented in Figures 6.23 and 6.24. Here it is seen that the frequency and poker test combination
achieves 100% matching; however, this occurs only at 20000 bits. The rest of the test combinations
show only a slight or no improvement (0 to 1%) over the single tests.
Before drawing any final conclusions about the experiment on adding a single frequency to a
random bit stream, an extreme case of interference is examined. The single RNG test results
and the total pass counts are shown in Figures 6.25 and 6.26.
Even with the extreme sinusoidal interference, the RNG tests are not able to recognize that
there is a failure occurring with the RNG until the test sequence is at least 2500 bits. Only at
a test sequence length of 15000 bits does one test, the poker test, achieve 100% matching. The
poker test is by far the most sensitive test for this type of failure. Looking at the results from
the number of passes given to the sample sequences, the FIPS test rejects all the samples, as
does the poker test. However, three of the eight tests do not detect any failure with one test only
able to slightly detect the failure. This can be explained by the regular swing in the sine wave
interference, which is hard to detect for the frequency type tests. In this case, the average value
from the sine wave is zero; therefore, it swings between the maximum and minimum value, but
the number of zeros and ones is approximately equal. Refer to Figure 6.27 for an example binary
[Figure 6.23 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]
Figure 6.23: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference showing the combinations Frequency/Runs to Longest Runs/Poker.
[Figure 6.24 plot: percent matching (0 to 100) vs. sequence length (25 to 100000 bits); series: L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 6.24: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
100 CHAPTER 6. EMPIRICAL TEST QUALITY MEASUREMENT
Figure 6.25: Single test percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 90% interference.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
Figure 6.26: Single test pass count for the Frequency Add Narrow generator with 90% interference.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]
Example:
Sampled data: 100 101 110 111 110 101 100 011 010 001 000 001 010 011
Poker test data: 10 01 01 11 01 11 11 01 01 10 00 11 01 00 01 00 00 01 01 00 11
Sampled input sine wave:
Number of 1s: 21
Number of 0s: 21
Pattern Count
00 5
01 9
10 2
11 4
Figure 6.27: Binary analysis for a sine wave
breakdown of a sine wave. There it is apparent that the frequencies of the 01 and 00 patterns
are not what a random sequence would produce, where all four two-bit patterns should
occur approximately the same number of times.
The graphical results from the 90% interference generator combination tests are not published
in this chapter, since none of the combinations show a significant increase in sensitivity relative to
the FIPS standard. They are, however, included in the appendix for the interested reader (see
Figures 9.1 on page 131 and 9.2 on page 132).
Conclusion for the Frequency Addition (Single Frequency)
The interference from external frequencies, and in particular the addition of a single frequency,
is a challenge for the selected RNG tests to detect. The normal procedure is to include a
spectral test, where the error can readily be seen; however, as mentioned in the discussion of the results,
this type of test cannot be implemented on a smart card processor at this time. Extreme
interference, for example a 90% sine wave addition, is detectable with the poker test starting at
2500 bits, but only at 10000 bits does it reach the FIPS standard's level of accuracy. The less
extreme interference, a sine wave addition of 50%, is significantly harder to detect. Perfect
FIPS matching is only achieved with the frequency and poker test combination at 20000 bits.
Figure 6.28: Single test pass count for the Frequency Add Wide generator with 50% interference.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]
This indicates that the FIPS standard is basing its rejection on the combination of the frequency
and poker tests. The other two tests in the FIPS group either do not catch the failure or overlap
with the first two tests.
The recommendation for the detection of a single added frequency is very hard to set,
since it is up to the manufacturer to decide the sensitivity of the test unit. However, if designing
for the worst case, the detection of both types of signal addition, is required, then the
test combination of the poker and frequency tests at 20000 bits is recommended. Reducing the
test unit's detection sensitivity allows the test sequence length to be reduced to 10000 bits with
only the poker test. This reduction in quality still allows for the detection of extreme interference.
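The following Python program is an added example, not code from the thesis, that reproduces the behaviour described above and in Figure 6.27: a sine wave added to the noise source before a 3-bit digitizer leaves the numbers of ones and zeros balanced, so the frequency (monobit) test passes, while the 4-bit pattern counts of the poker test reject the stream. The interference model, the seed, the 14-sample sine period and the reuse of the FIPS 140-2 poker bounds for other sequence lengths are assumptions made here.

```python
"""Added example (not from the thesis): a sine wave added to the RNG signal
before a 3-bit digitizer, as in Figure 6.27, fed to the FIPS 140-2 monobit
and poker tests.  The interference model, seed and word width are assumptions."""
import math
import random

WORD_BITS = 3                               # digitizer width of Figure 6.27
MONOBIT_LOW, MONOBIT_HIGH = 9725, 10275     # FIPS 140-2 monobit bounds, 20000 bits
POKER_LOW, POKER_HIGH = 2.16, 46.17         # FIPS 140-2 poker bounds (chi-square, 15 d.o.f.)


def digitize(x, bits=WORD_BITS):
    """Map x in [-1, 1] to an offset-binary word of `bits` bits (clamped)."""
    level = int((x + 1.0) / 2.0 * (1 << bits))
    level = max(0, min((1 << bits) - 1, level))
    return format(level, f"0{bits}b")


def sine_add_stream(n_bits, amplitude, period=14.0, seed=1):
    """Constructed failure model: the analogue sample is (1-a)*noise + a*sine,
    with noise uniform in [-1, 1] and `period` samples per sine cycle (14, as
    in Figure 6.27).  amplitude=0.0 gives the undisturbed generator."""
    rng = random.Random(seed)
    words = []
    k = 0
    while len(words) * WORD_BITS < n_bits:
        u = rng.uniform(-1.0, 1.0)
        x = (1.0 - amplitude) * u + amplitude * math.sin(2 * math.pi * k / period)
        words.append(digitize(x))
        k += 1
    return "".join(words)[:n_bits]


def monobit_test(bits):
    """FIPS 140-2 monobit (frequency) test; bounds are for 20000-bit streams."""
    ones = bits.count("1")
    return MONOBIT_LOW < ones < MONOBIT_HIGH, ones


def poker_test(bits):
    """FIPS 140-2 poker test: X = (16/k) * sum(f_i^2) - k over the k non-
    overlapping 4-bit segments.  X is approximately chi-square with 15 d.o.f.
    for any k, so the same bounds are used for shorter streams (assumption)."""
    k = len(bits) // 4
    counts = [0] * 16
    for i in range(k):
        counts[int(bits[4 * i:4 * i + 4], 2)] += 1
    x = 16.0 / k * sum(c * c for c in counts) - k
    return POKER_LOW < x < POKER_HIGH, x


def pair_histogram(bits):
    """Counts of the non-overlapping two-bit patterns, as in Figure 6.27."""
    hist = {"00": 0, "01": 0, "10": 0, "11": 0}
    for i in range(0, len(bits) - 1, 2):
        hist[bits[i:i + 2]] += 1
    return hist


def compare(n_bits=20000, amplitude=0.9):
    """Run both tests on an undisturbed and on a sine-disturbed stream."""
    clean = sine_add_stream(n_bits, 0.0)
    noisy = sine_add_stream(n_bits, amplitude)
    return {
        "clean": {"monobit": monobit_test(clean), "poker": poker_test(clean)},
        "noisy": {"monobit": monobit_test(noisy), "poker": poker_test(noisy),
                  "pairs": pair_histogram(noisy)},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```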
Results for the Frequency Addition (Wide Group Frequency)
The previous sections investigated the detection quality or sensitivity of the RNG tests for single
frequency interference. The results studied in this section deal with interference that has a
main component and some neighbouring falloff components. This type of interference is more
likely to occur in a natural environment. The experimental results for the selected interference
settings (see Section 6.2.6 for the parameters) can be seen in Figures 6.29 to 6.33. As with the
single frequency study, multiple levels of interference have been tested, but only the 50% and
90% interference levels are analyzed in detail.
The analysis begins with the 50% level by examining the results found in Figures 6.28
and 6.29. The addition of more frequencies into the random signal has the effect of making the
Figure 6.29: Single test percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
error more detectable when compared to the single frequency interference. The three tests that
show the greatest sensitivity to the FIPS standard are the poker, frequency and serial tests.
These are the same three tests that show high sensitivity for the single frequency interference
(see Figure 6.22). However, their order of sensitivity is switched around in this experiment. In
the single frequency trial the poker test is the least sensitive of the top three, but here it is the
first to reach 100% FIPS matching. For this experiment, the poker test requires only 10000 bits to
achieve 100% FIPS matching, whereas the other two tests require at least 20000 bits. Figure 6.28
reveals that the FIPS standard rejects all the sample sequences. Therefore, as with
the other experiments in which FIPS rejects all the sample sequences, the single tests are being
measured for their ability to reject the generator. The results from the FIPS matching graph
(Figure 6.29) are easily seen in this figure as well, since 100% matching is equal to zero tests
passed.
After analyzing the results from the single RNG tests, a closer look at the poker data
reveals the type of data present. A sample sequence has been divided into groups of four bits and
converted into decimal values. The examination of one sample sequence reveals that the
sequence produces zeros with greater probability than ones. In Table 6.4 it is visible
that the subsequences with more ones than zeros (*) appear less often than the subsequences that
have more zeros than ones (**). The reason for this phenomenon is that the sine interference moves
the data around the zero mark. This can be seen if the data is reorganized as shown in the
second part of Table 6.4. The data around the average (0000) occurs more often than the outer
Table 6.4: Sample data examined using the poker test.
values (0111 and 1111). This shows the effect the sine wave interference has on the data: the
more sinusoidal interference there is, the easier it is to detect the error.
The test combinations are again examined to check whether any improvement in quality is achieved.
The poker test is able to achieve 100% FIPS matching with a test sequence of 10000 bits. The
question is whether it is possible to get 100% FIPS matching at 5000 bits or smaller. From Figures 6.30
and 6.31 it is evident that this is not possible. The frequency-poker and frequency-serial tests
both show an improvement over the single poker test; however, this improvement is only in the
range of 3 to 4%. The test combinations do not achieve 100% matching at the 5000 bit test
length.
As with the single frequency interference, this experiment has been tested at an extreme
interference level (90%). The results for the single tests and the pass count are included
in Figures 6.32 and 6.33, with the combination test results included in Appendix 9 in Figures 9.3
and 9.4 on pages 132 and 133.
The results from Figure 6.33 show that the FIPS standard rejects all the sample sequences.
Therefore, the percent matching graph is the measure of how quickly each test rejects all the
sequences, and the results from Figure 6.33 should match closely with Figure 6.32.
The results in Figure 6.32 show a significant jump between the 500 and 1000 bit test lengths.
Initially, the two best tests are the serial and the poker test; however, the frequency test catches
Figure 6.30: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference showing the combinations Frequency/Runs to Longest Runs/Poker.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]
Figure 6.31: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS.]
Figure 6.32: Single test percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 90% interference.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
Figure 6.33: Single test pass count for the Frequency Add Wide generator with 90% interference.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS.]
up, and all three tests achieve perfect matching with the FIPS standard at the 2500 bit length.
The runs test is not far behind, and it also reaches perfect FIPS matching, but with a test length
of 5000 bits.
The extreme interference example is a lot easier to detect than the 50% interference RNG
sample. The tests are able to achieve 100% FIPS matching at greatly reduced test lengths (2500
bits and 10000 bits). In the 50% interference experiment only the poker test at a 10000 bit test
length reaches perfect matching with FIPS, whereas the rest require at least 20000 bits, if they
reach perfect FIPS matching at all. In this study the extreme interference is detectable by more
tests and at lower test lengths; therefore, it stands to reason that the effects discussed in the 50%
interference case are only more pronounced, allowing the tests to detect a more definite error.
Conclusion for the Frequency Addition (Wide Group Frequency)
This interference type is similar to the single frequency interference in the type of results shown;
the best test for detecting single frequency interference is also the best test for detecting wide group
interference. The effect the added frequencies have on the random sequence is to average the RNG
data even more than in the single frequency experiments. This allows the poker, serial
and frequency tests to be used to detect this type of error instead of requiring the spectral test.
The recommended test for the wide group frequency interference is the poker test with a
10000 bit sample sequence. This test is able to catch both the 50% and 90% interference and
reject the samples as not being suitable for cryptographic applications.
Implementation of the Frequency Addition (Pink Noise or 1/f Noise)
The two frequency interference models discussed previously are simple types of signal
interference. Another type of frequency interference found in many unexpected sources is
1/f frequency interference (also called pink or flicker noise). This type of noise has the characteristic
of equal power per decade of frequency, i.e. a power spectrum proportional to 1/f. In comparison,
white noise has the same power at all frequencies. One cause of this noise is
recombination effects at defects along the semiconductor's borders, at the material surface or in the
volume itself. Figure 6.34 is an example of the frequency spectrum of 1/f noise.
Figure 6.34: Random 1/f noise sample in the time and the frequency domain.
[Two panels: the sample against Time (0 to 1000) and its magnitude spectrum against Frequency (0 to 1000).]
It is possible to describe the 1/f spectrum empirically using the following formula [Sis02]:

$$C_{1/f} = \frac{\alpha}{N} \cdot \frac{1}{f} \qquad (6.1)$$

where $N$ is the total number of moving charges in a device and $\alpha$ is a material characteristic
called the Hooge parameter. Another form of Equation 6.1 is

$$C_{1/f} = KF \cdot \frac{I^{AF}}{f^{B}}$$

with $KF$, $AF$ and $B$ the model parameters. This form is more common in simulation programs.
There is another method for modelling 1/f noise: filtering white noise with a filter whose
amplitude response $G(\omega)$ is proportional to $1/\sqrt{\omega}$. The filter should roll off at -3 dB per octave in the
frequency domain. One type of 1/f filter proposed in [Whi99] uses a filter with poles and zeros set
at:

Pole      Zero
0.99516   0.98223
0.9438    0.83265
0.5559    0.107980        (6.2)
Another method is to use weighted sums of first order filters. The following filter is found in
[Whi99] on page 3:

$$\begin{aligned}
b_0 &= 0.99886\, b_0 + \text{white} \cdot 0.0555179; \\
b_1 &= 0.99332\, b_1 + \text{white} \cdot 0.0750759; \\
b_2 &= 0.96900\, b_2 + \text{white} \cdot 0.1538520; \\
b_3 &= 0.86650\, b_3 + \text{white} \cdot 0.3104856; \\
b_4 &= 0.55000\, b_4 + \text{white} \cdot 0.5329522; \\
b_5 &= -0.7616\, b_5 - \text{white} \cdot 0.0168980; \\
\text{pink} &= b_0 + b_1 + b_2 + b_3 + b_4 + b_5 + b_6 + \text{white} \cdot 0.5362; \\
b_6 &= \text{white} \cdot 0.115926;
\end{aligned} \qquad (6.3)$$
For the 1/f noise generator used in the simulator, the first filter has been implemented. It has
been programmed in Matlab, where the filter function is applied to random numbers between
-1 and 1. The filter data is then scaled by the maximum value of each filter (see Figure 6.35),
after which the data is converted to a 20 bit fractional binary number. The binary number is
stored and the process is repeated until a 100000 bit sample sequence is created.
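As an added example, not the thesis's Matlab code, the following Python program implements the pole/zero filter of Equation 6.2 along the lines the text describes: a direct-form filter equivalent to Matlab's filter(b, a, x) applied to uniform noise in [-1, 1], the output scaled by the maximum of the step response (Figure 6.35) and converted to 20-bit fractional binary. The 20-bit format (two's complement with 19 fraction bits), the seed, the warm-up length and the naive DFT used to check the 1/f roll-off are assumptions made here.

```python
"""Added example (not the thesis's Matlab code): 1/f noise generator built
from the pole/zero filter of Equation 6.2, scaled by the step-response
maximum and converted to 20-bit fractional binary (format is an assumption)."""
import math
import random

POLES = [0.99516, 0.9438, 0.5559]      # Equation 6.2, [Whi99]
ZEROS = [0.98223, 0.83265, 0.107980]
FRAC_BITS = 19                          # 20-bit two's complement, Q1.19 (assumption)


def poly_from_roots(roots):
    """Coefficients of prod(1 - r z^-1), increasing powers of z^-1."""
    coeffs = [1.0]
    for r in roots:
        nxt = coeffs + [0.0]
        for i in range(1, len(nxt)):
            nxt[i] -= r * coeffs[i - 1]
        coeffs = nxt
    return coeffs


B = poly_from_roots(ZEROS)   # numerator   B(z) = prod(1 - z_i z^-1)
A = poly_from_roots(POLES)   # denominator A(z) = prod(1 - p_i z^-1)


def lfilter(b, a, x):
    """Direct form I IIR filter with the same convention as Matlab's filter()."""
    y = []
    for n in range(len(x)):
        acc = sum(b[k] * x[n - k] for k in range(len(b)) if n - k >= 0)
        acc -= sum(a[k] * y[n - k] for k in range(1, len(a)) if n - k >= 0)
        y.append(acc)
    return y


def step_response_max(b, a, n):
    """Maximum of the step response (Figure 6.35).  Every pole lies above its
    paired zero, so the impulse response is non-negative and this maximum is
    also the sum of the impulse response: scaling by it keeps |output| <= 1."""
    return max(abs(v) for v in lfilter(b, a, [1.0] * n))


def to_fraction_bits(v):
    """Value in [-1, 1] -> 20-bit two's complement string with 19 fraction bits."""
    q = int(round(v * (1 << FRAC_BITS)))
    q = max(-(1 << FRAC_BITS), min((1 << FRAC_BITS) - 1, q))
    return format(q & ((1 << (FRAC_BITS + 1)) - 1), "020b")


def pink_noise_bits(n_samples, seed=1, warmup=3000):
    """Return (scaled pink samples, concatenated 20-bit words).  The first
    `warmup` outputs are dropped so the slow pole has settled."""
    rng = random.Random(seed)
    white = [rng.uniform(-1.0, 1.0) for _ in range(warmup + n_samples)]
    gain = step_response_max(B, A, warmup)
    pink = [v / gain for v in lfilter(B, A, white)[warmup:]]
    return pink, "".join(to_fraction_bits(v) for v in pink)


def band_power(x, lo, hi):
    """Sum of |X[k]|^2 over DFT bins lo <= k < hi (naive DFT, no numpy)."""
    n = len(x)
    total = 0.0
    for k in range(lo, hi):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        total += re * re + im * im
    return total


def low_high_power_ratio(x):
    """Power in the lowest 8 bins over the 8 bins just below Nyquist; for
    1/f-shaped noise this ratio is large, for white noise it is about 1."""
    n = len(x)
    return band_power(x, 1, 9) / band_power(x, n // 2 - 8, n // 2)


if __name__ == "__main__":
    samples, bits = pink_noise_bits(1024)
    print("DC gain used for scaling:", round(step_response_max(B, A, 3000), 3))
    print("low/high band power ratio:", round(low_high_power_ratio(samples), 1))
    print("first 20-bit word:", bits[:20])
```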
Results for the Frequency Addition (Pink Noise or 1/f Noise)
The results from the 1/f noise experiment are found in Figures 6.37 to 6.39. The first step in the
1/f noise analysis is checking how many sequences passed the FIPS standard. Figure 6.36
reveals that at 20000 bits the FIPS standard rejects all the sample sequences. As with the previous
experiments in which the FIPS standard rejects all the sequences, the sensitivity or quality is a
measure of how quickly the individual test or test group rejects each of the samples.
The 1/f noise interference has been described previously and can be looked at as low frequency
interference. It is a more extreme frequency interference case than the previous two experiments.
It has been included in the experiment due to the common occurrence of this type of interference
in normal usage.
The addition of even more frequencies than are present in the wide group frequency
experiment should show a result where the tests are able to detect the failure at a smaller test
Figure 6.35: Finding the maximum value of the filter.
[Step Response plot: Amplitude (0 to 1) against Samples (0 to 1200).]
sequence length than in both the wide group and the single frequency interference experiments.
Closer examination of the results in Figures 6.37 and 6.36 shows that this assumption is verified.
Both the runs and the serial test are able to detect this type of error at a test sequence length of 25 bits.
This is extremely early to detect an error when compared to the other experiments. The runs test
is the best test at 25 bits, but as the test bit lengths are increased the top three tests from the
previous two experiments again prove to be the best tests. The poker test passes the serial test at
the 500 bit mark to take over as the most sensitive test for this error, and it reaches perfect FIPS
matching at a test length of 1000 bits. The serial, frequency and runs tests also achieve perfect
FIPS matching, but at the next higher test length, 2500 bits. The frequency block test reaches
100% FIPS matching at the 20000 bit point, and the turning point test drastically improves its
results at the 50000 and 100000 test bit lengths. The rest of the tests either do not recognize the
presence of an error or do so only to a very small degree (< 2%).
Investigating the test combinations (see Figures 6.38 and 6.39) reveals that the poker and serial
tests do not exactly overlap in the sequences they reject. The poker-serial combination
improves on either of the single tests, an 8% improvement over the poker test, and
it has a quality of approximately 99% at 500 bits. At this point, the manufacturer has to decide
whether a sensitivity of 99% FIPS matching using the test combination with 500 bits is acceptable, or a
slightly longer bit length with a sensitivity of 100% FIPS matching and only one test. The rest of
the test combinations do not reveal any significant improvement over the single tests; therefore,
they can be ignored in favour of the poker-serial test combination.
Figure 6.36: Single test pass count for the 1/f noise generator.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]
Figure 6.37: Single test percent matching with FIPS 140-2 results for the 1/f noise generator.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
Figure 6.38: Test combination percent matching with FIPS 140-2 results for the 1/f noise generator showing the combinations Frequency/Runs to Longest Runs/Poker.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]
Figure 6.39: Test combination percent matching with FIPS 140-2 results for the 1/f noise generator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS.]
Conclusion for the Frequency Addition (Pink Noise or 1/f Noise)
The pink or 1/f noise RNG experiment has been included in this thesis, even though it is a type of
wide group frequency interference, since it is a noise type common in semiconductors. For
this type of error there are a variety of tests to choose from: the poker, frequency, serial and runs tests.
The recommended test and sample length is the poker test at 2500 bits.
6.2.7 Failure Point 3 Experiment: Oversampling RNG
The previous experiments examined possible failure points in the random number source or from
outside interference. They cover only two of the three possible failure points mentioned in the
simulator introduction (see Section 6.1). This last experiment examines the tests' sensitivity to a
defective digitizer.
The experiment is broken into two parts, with the first investigating extreme oversampling
where every bit is repeated. The second part investigates the effect of a whole 24-bit word
being repeated. Figure 6.40 shows an example of both oversampling failures.
Bit oversampling: 101110 becomes 11 00 11 11 11 00
Word oversampling: 101 001 111 becomes 101 101 001 001 111 111
Figure 6.40: Bit and word oversampling error example.
Oversampling RNG Implementation
Both the bit- and word-repeating RNGs are modifications of the Matlab binary random number
generator. They have been implemented by storing either one bit or a full binary word from the
Matlab generator in a temporary variable. The data in the variable is stored twice during the
assembly of the 100000 bit sequence. The place holder counter is advanced after each bit or
word storage to prepare it for the next input. This process is repeated until all 100000 bits are
created. The RNG is reinitialized and the full process is run 500 times to create the full set of sample
sequences.
Results for the Bit Oversampling RNG
Examining the results from the bit repeating oversample experiment (see Figures 6.42 to 6.44), it
is apparent that the error is quickly identified. The pass counting graph (Figure 6.41) shows that
the FIPS 140-2 test standard rejects all the sequences and labels the generator as nonrandom. It
is easier to identify the tests that do not recognize an error here than in the FIPS matching
chart. The three tests that do not recognize the presence of an error are the frequency, turning
point and autocorrelation tests. For the frequency test, the full sequence can be represented
Figure 6.41: Single test pass count for the bit oversampling generator.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]
as two half sized random sequences. Comparing these two sequences together still provides the
correct number of ones and zeros for the test to pass the sequence.
The implementation of the autocorrelation test compares each bit with the bit four time units
later. In this case the correlation is with the neighbouring bit, not the further delayed bit. A
more complex autocorrelation test that examines the correlation of the neighbouring bits up to
a given delay would be a more powerful autocorrelation test, but would increase the hardware
requirements.
The turning point test also does not catch the error in this experiment. The evidence from the
turning point test indicates that doubling the bits does not change the number of peaks and troughs
enough to indicate an error.
A closer examination of Figure 6.42 shows the poker test is the most sensitive to the oversampling
error, perfectly matching the FIPS standard at a sample sequence length of 75
bits. The runs and serial tests are both close behind, with their perfect FIPS matching occurring at
sequence lengths of 100 and 250 bits respectively.
Four tests have perfect FIPS matching: the poker, runs, serial and frequency block tests. This is
also the first experiment in which the longest runs test indicates an error with any degree of sensitivity, even
though it does not reach 100% matching within the sequence lengths selected for the experiment.
The poker test is an ideal test for finding this error, since the doubling of the bits means
some patterns happen more often than others. The example in Figure 6.40 shows how the beginning
10 combination becomes the four bit 11 00 combination. In this situation only the patterns
0000, 0011, 1100 and 1111 occur. The patterns with mixed values within a bit pair, i.e. 01
or 10, do not occur at all.
Figure 6.42: Single test percent matching with FIPS 140-2 results for the bit oversampling generator.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
The single tests show very high quality in matching the FIPS standard at very small test bit
lengths. The test combinations have been included to see if the 75 bit level can be lowered to 50 or
even 25 bits. The test combination results can be seen in Figures 6.43 and 6.44. The first point of
interest is that no test combination with a sample sequence length of 50 bits has 100% FIPS
matching. However, there are two test groups that provide better coverage at the 50 bit sample
length than is possible with the single poker test. The runs-poker test shows approximately a
23% improvement in the error detection, at 72% FIPS matching. The runs-serial test has 64%
FIPS matching, which is a 15% improvement over the poker test. This indicates the runs test is
finding the generator faulty through different sequences than the poker test. The fail results do not
overlap, allowing for an improved group combination. This improvement is good; however,
it does not reach the magical 100% that is desired by smart card manufacturers.
Results 24-bit Word Oversampling
The results from the bit oversampling show that the poker, runs and serial tests are very sensitive
to this type of error; however, the word oversample is another error that may manifest itself. In
comparison to the bit oversampling this error is far more subtle. The graphical results from the
Figure 6.43: Test combination percent matching with FIPS 140-2 results for the bit oversampling generator showing the combinations Frequency/Runs to Longest Runs/Poker.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]
Figure 6.44: Test combination percent matching with FIPS 140-2 results for the bit oversampling generator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS.]
Figure 6.45: Single test pass count for the word oversampling generator.
[Plot: Count of "Pass" Sequences (max. 500) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]
word oversample experiment are shown in Figures 6.46 to 6.48. Figures 6.46 and 6.45 display the
results for the single tests. It is important to note that the FIPS test group only marks approximately
440 samples as coming from a faulty source. It is also seen in Figure 6.45 that no single
test matches FIPS at 20000 bits. A better picture of this can be seen in Figure 6.46, where it is evident
that none of the tests reach perfect FIPS matching. An interesting phenomenon occurs with both
the poker and runs tests. They both decrease in quality at the lower sequence bit lengths and only
at 15000 bits do they improve beyond the other single tests. The results from these two graphs do not seem
to match. The poker and runs tests both fail more sequences than the other tests and appear to
be closer to the FIPS total in Figure 6.46. However, Figure 6.45 shows that this is not the case,
and the poker and runs tests have a lower matching than the other tests. The individual data have
been investigated, and the results indicate that the poker and runs tests fail more sequences than the
other tests, but they are different from the ones failed by the FIPS group at 20000 bits. For example,
using a test sequence of 100 bits, sequences 15 and 19 are marked as fail by the poker test, while
at 20000 bits the FIPS group marks sequences 13 and 21 as fails. Therefore, even with the higher
failure rates, the poker and runs tests have a lower FIPS matching percentage.
Since the single tests do not reach perfect matching with the FIPS standard, this leaves room for
the test combinations to possibly provide perfect matching. The results are shown in Figures 6.47
and 6.48. Most of the combinations follow the dominant test of the combination; however, the
runs-poker test displays worse results than the individual tests until the 15000 bit test length, at which
point the test matches the poker test result. Only at the 20000 bit length does the test combination
Figure 6.46: Single test percent matching with FIPS 140-2 results for the word oversampling generator.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]
reach 100% FIPS matching. The reason for the worse results, other than at the 15000 and 20000
test lengths, is the same as that given for the individual tests: the test combinations
fail different sequences than the FIPS standard. The perfect matching at 20000 bits
shows that the runs and poker tests are the two important tests for this experiment.
Oversampling Conclusion
The oversampling experiment shows two extremes in the random generator testing, one test with
a very distinct failure detection and the other with very little detection. For both failure models,
the poker and runs test are the primary tests. The poker test can be set to a test length of 75 for
the bit oversampling; however, the only reliable test for the word oversampling is the poker-runs
combination at 20000 bits.
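An added example, not the thesis's Matlab generators: Python versions of the two oversampling failure models of Section 6.2.7, run through the FIPS 140-2 runs and long-run tests. Doubling each bit makes every run even in length, so runs of length 1, 3 and 5 vanish and the runs test rejects the stream immediately, whereas repeating whole 24-bit words leaves the run-length statistics nearly intact, which is why that failure is the subtle one. The generators, the seeds and the 20000-bit test length are assumptions made here.

```python
"""Added example (not from the thesis): the bit and 24-bit word oversampling
failure models of Section 6.2.7 fed to the FIPS 140-2 runs and long-run
tests.  Generators, seeds and the 20000-bit test length are assumptions."""
import random

WORD = 24
# FIPS 140-2 (Change Notice 2) runs test intervals for a 20000-bit stream,
# indexed by run length 1..5 and 6+ (same bounds for runs of 0s and of 1s).
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}
LONG_RUN = 26   # a run of 26 or more identical bits fails the long-run test


def good_bits(n, seed=7):
    """Reference generator: independent fair bits from a seeded PRNG."""
    rng = random.Random(seed)
    return "".join(rng.choice("01") for _ in range(n))


def bit_oversample(n, seed=7):
    """Failure model 1: the digitizer delivers every sampled bit twice."""
    src = good_bits((n + 1) // 2, seed)
    return "".join(b + b for b in src)[:n]


def word_oversample(n, word=WORD, seed=7):
    """Failure model 2: every `word`-bit digitizer word is delivered twice."""
    src = good_bits(((n + 2 * word - 1) // (2 * word)) * word, seed)
    out = []
    for i in range(0, len(src), word):
        w = src[i:i + word]
        out.append(w + w)
    return "".join(out)[:n]


def run_lengths(bits):
    """List of (bit value, run length) for each maximal run in the stream."""
    runs = []
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        runs.append((bits[i], j - i))
        i = j
    return runs


def runs_test(bits):
    """FIPS 140-2 runs test plus long-run test on a 20000-bit stream.
    Returns (pass, counts) where counts maps (value, capped length) -> number
    of runs; lengths of 6 and more are counted together under 6."""
    counts = {(v, L): 0 for v in "01" for L in range(1, 7)}
    longest = 0
    for value, length in run_lengths(bits):
        counts[(value, min(length, 6))] += 1
        longest = max(longest, length)
    ok = longest < LONG_RUN and all(
        lo <= counts[(v, L)] <= hi
        for v in "01" for L, (lo, hi) in RUN_BOUNDS.items())
    return ok, counts


def compare(n=20000):
    """Runs-test verdict for the reference generator and both failure models."""
    return {name: runs_test(gen(n))[0] for name, gen in
            (("good", good_bits), ("bit_oversampled", bit_oversample),
             ("word_oversampled", word_oversample))}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {'pass' if verdict else 'FAIL'}")
    _, counts = runs_test(bit_oversample(20000))
    print("runs of length 1 in the bit-oversampled stream:",
          counts[("0", 1)] + counts[("1", 1)])
```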
Figure 6.47: Test combination percent matching with FIPS 140-2 results for the word oversampling generator showing the combinations Frequency/Runs to Longest Runs/Poker.
[Plot: Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits); series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]
[Figure: Sequence Lengths (x axis) vs. Percent Matching, 0 to 100% (y axis); series: L_T_FIPS,
L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS,
T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 6.48: Test combination percent matching with FIPS 140-2 results for the word oversampling gen-
erator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
Chapter 7
Random Number Generator Testing Unit
7.1 Hardware and Software Analysis
The previous two chapters examined both the hardware implementation and the quality characteris-
tics of the selected eight tests. In this chapter the two separate results are used to determine an
efficient test unit design with perfect FIPS matching capabilities.
Using the hardware implementation results from Chapter 5, the RNG tests are categorized
into two groups: simple and complex tests. Simple tests have low hardware requirements, while
complex tests require more area and power, usually because they perform more complex
calculations. Dividing the RNG tests into the two groups gives an easy overview of
which tests can be combined with each other and still have low hardware requirements.
Simple tests can be combined with complex tests, since they do not add significantly to the overall
test unit requirements. Combining two complex tests leads to a very large test unit
and/or high power consumption; they are best left as single tests or, if required, combined with
simple tests. The tests are shown in Table 7.1. The designs have been separated mainly on
power consumption and area requirements, with some consideration of the time delay. The cut-
off line for the implemented tests is the runs test, which means the poker and serial tests are
considered complex with the rest being simple.
The simple/complex design rule does not allow for a poker-serial test unit combination, since
both of these tests are considered complex. When selecting the test or tests for the end unit, the
ideal design is a single simple test that covers all the failure models presented in the last chapter.
However, also acceptable are combinations of simple tests, a single complex test, or a combination
of simple tests with a single complex test.

Simple             Complex
Frequency          Poker
Runs               Serial
Longest Runs
Frequency Block
Turning Point
Autocorrelation
Table 7.1: Simple and complex tests based on hardware requirement results.

Failure model (100% matching)  RNG Test 1          RNG Test 2              RNG Test 3                   Detection
ANSI C                         Poker 20000         Poker Combos 20000      -                            Hard
Repeating Pattern              Runs-Poker 1000     Runs 2500               Poker 2500                   Detectable
Bias 52%                       Frequency 20000     Frequency Combos 20000  Serial 30000                 Detectable
Bias 54%                       Frequency 10000     Poker 10000             Serial 10000                 Detectable
Frequency Add Narrow 50%       Freq-Poker 20000    -                       -                            Hard
Frequency Add Narrow 90%       Poker 15000         Poker Combos 15000      Runs 30000                   Detectable
Frequency Add Wide 50%         Poker 10000         Poker Combos 10000      Frequency 20000              Detectable
Frequency Add Wide 90%         Poker 2500          Serial 2500             Poker or Serial Combos 2500  Detectable
Pink Noise                     Poker 1000          Poker Combos 1000       Serial 1000                  Detectable
Oversample bit                 Poker 75            Poker Combos 75         Runs 250                     Detectable
Oversample word                Runs-Poker 20000    -                       -                            Hard
Table 7.2: Top 3 tests for perfect FIPS 140-2 matching (each entry gives the test and the lowest
sequence length in bits at which perfect matching is reached).
Having divided the RNG tests into two hardware categories, the next step is to examine the
simulator results to find the best sample length and to answer which tests are to be included
in the test unit to provide perfect FIPS 140-2 matching. A table has been compiled with the top
three tests for each failure model and the lowest bit test length needed to achieve perfect
FIPS matching (see Table 7.2).
Examining the perfect FIPS matching table reveals that the poker test is consistently, with one
exception, in the top three list, either as a single test or as part of a test combination. It is best
able to match the FIPS standard. For some of the more subtle errors, it requires a second test to
reach full matching. From this result the conclusion is drawn that it is important to include the
poker test in the test unit design.
The next step before deciding on using a second test is selecting a sequence test length and
examining the results with just the poker test. The last column in Table 7.2 is a rating of the
failure model, judging how difficult it was for the top tests to match the FIPS standard. The
models used to examine the RNG tests have been set at different levels of interference or non-
randomness. For example, an RNG with a ones bias of 52% produces sequences that, statistically
speaking, are close to what a true RNG would produce. The minor deviation from a true RNG
only slightly increases the number of ones, meaning most sequences still pass any statistical test:
they do not fall outside the given acceptance range. A classification has been given to each of the
models, where hard is defined for error models that the FIPS standard had trouble detecting.
This rating is obtained by examining the FIPS test count graph for each of the models and labeling
any failure model as hard that does not have a pass count of zero for the FIPS group. For models
with a FIPS pass count of zero, the model is said to be detectable.
The results in Table 7.2 show that three of the models are hard for the FIPS standard to
determine: ANSI C, frequency addition of a narrow single frequency at 50%, and the word
oversampling. These three models will not be used towards determining the final design.
From the remaining models the range of the sample sequence length is from 75 to 20000 bits.
A decision needs to be made that provides a compromise between the best statistical coverage
and a possible implementation. It has been stated that a length of 20000 bits is too long for the
generation and testing of bits during the initialization phase in smart cards. Therefore, any model
that requires a 20000 bit test length cannot be 100% covered by this test unit. This decision has
the effect that the 52% bias generator is not fully covered.
The next step down in the bit sequence length is 15000 bits to cover the frequency addition of
a narrow signal at 90%. A 97% FIPS matching is achieved for 10000 bits for this failure, but this
is not enough for perfect FIPS matching. Therefore, for the remaining failure models a choice
has to be made. If the coverage of the narrow signal interference is important then the test bit
length needs to be 15000 bits. However, this error is not very common in practice with wider
signal interference being the norm. A sample length of 10000 bits can be used that would cover
the following tests at 100% FIPS matching:
Repeating pattern
Bias 54%
Frequency addition of a wide signal at 50%
Frequency addition of a wide signal at 90%
Pink noise
Bit oversample
and the single frequency addition at 90% is covered with a 97% FIPS matching accuracy. This
length provides the best compromise between testing time and test accuracy.
Test                             Percentage FIPS matching   Improvement
Bit Oversampling                 100%                       -
Word Oversampling                86%                        no improvement
Frequency Addition Wide 50%      100%                       -
Frequency Addition Wide 90%      100%                       -
Frequency Addition Narrow 50%    38.8%                      Freq-Poker 50.2%
Frequency Addition Narrow 90%    97%                        -
Bias 52%                         22.6%                      Freq-Poker 82.4%
Bias 54%                         100%                       -
Bias 56%                         100%                       -
Pink noise                       100%                       -
Repeating Pattern                100%                       -
ANSI C                           54.4%                      -
Table 7.3: Poker test results for each faulty generator with a test sequence of 10000 bits.
At this point, the design has a 10000 bit sample sequence length and the poker test. The next
step is to see if better coverage can be achieved by adding a second simple test.
Table 7.3 shows the coverage for each of the failure models using only a poker test with a
sequence length of 10000 bits. Also included in Table 7.3 is any improvement gained by adding the
next best test. For two of the generators, ANSI C and the narrow frequency addition fault generator
with 50% interference ratio, the fault detection cannot be improved by applying a second test.
However, for the 52% biased, word oversampling, and single frequency addition at 50% generators
the results show that the fault detection is improved with the addition of a second test. The 52%
biased RNG shows a significant improvement over only the poker test, while the single frequency
addition RNG has at least a 50% chance of catching the failure. The improvement for the word
oversampling RNG is negligible.
The frequency test is a simple test, and combining it with the poker test adds little to the
hardware characteristics. To confirm this, the poker-frequency test combination has been imple-
mented in hardware. There is added circuit logic due to the extra structures required to control
both tests and make a final pass/fail judgment. This is minor compared to the requirements of
the tests themselves. The design is set to a maximum of 50 MHz, which allows Synopsys(TM) extra
optimization room to improve the hardware requirements. Hopefully, this keeps the hardware
requirements close to those of the poker test.
7.2 Poker-Frequency Test Unit
The test unit has been laid out as shown in Figure 7.1. The two tests selected are the poker
and frequency tests, with the control logic keeping track of the results from both tests. A pass is only
allowed when both tests agree that the sequence comes from a random source. The control logic
is shown in Figure 7.2. The controller and the tests wait for the start bit to indicate when the test
unit should begin. After the first test is finished it sets its Finished signal high, and the controller
then knows to read the result line for that test. In this case the first test read is the frequency
test, followed by the poker test. If both tests agree on a pass then the Unit_Result signal is set
high, else it is left low. The Finished output is also set high to indicate that a result is sitting on the
Unit_Result line. The unit examines a test sequence of 10000 bits.

                                      Poker Test     Test Unit      FIPS Unit
Area (0.25 um CMOS technology)        524179 um^2    530982 um^2    588707 um^2
Time Delay                            17.28 ns       17.28 ns       17.19 ns
Power Consumption at 20 ns (50 MHz)   5.159 mW       5.541 mW       8.909 mW
    Controller                        -              34.2 uW        34.1 uW
    Poker Test                        -              4.852 mW       4.743 mW
    Frequency Test                    -              0.654 mW       0.645 mW
    Runs Test                         -              -              2.797 mW
    Longest Runs Test                 -              -              0.690 mW
Table 7.4: Hardware characteristics of the Online RNG Test Unit.
The implementation of the test unit is programmed in VHDL and, as with the other tests,
has been synthesized using Synopsys(TM) tools. Since current smart cards run at a maximum of
50 MHz and the current poker test design has a maximum around 50 MHz, the design has also
been optimized to function at this speed. This allows for a higher time delay, which means dy-
namic power and area savings are possible. The time delay has been examined only to make sure
that the unit design is capable of operating at the 50 MHz mark, and that the extra functionality
does not require a slower operating speed.
The results for the hardware design are shown in Table 7.4. The Synopsys(TM) optimization tools
are able to produce a test unit design that is close in size, power consumption, and speed to the
original poker test, even with the added structures.
Table 7.4 also includes the results from the FIPS test group unit. It is designed in the same
way as the Test Unit but includes the runs and longest runs tests. Running both units through the
same experiments has given results for area, time delay and power consumption at 50 MHz.
The results show that a 10% saving in area and a 38% saving in power consumption is achieved
by using the test unit instead of the FIPS test unit.
The results indicate that there exists a design that is acceptable for smart card implementa-
tions. Therefore, a test unit can be provided that achieves perfect FIPS matching for the error
models previously covered and that does not require the full FIPS group or the full 20000 bit test
length. The test unit provides excellent coverage, is small, and has low power consumption.
[Figure: block diagram. Inputs CLK, RESET, START and Din (labelled 3bit) enter the Test Unit;
the Controller block exchanges the signals Finished_PT, Result_PT and Result_RT with the Poker
Test and Frequency Test blocks and drives the outputs FINISHED and UNIT_RESULT.]
Figure 7.1: Test Unit block design.
[Figure: state diagram with the states Wait_for_Start, Wait_for_tst1_Finished,
Wait_for_tst2_Finished, Result_Output and Halt; transitions on Start = 1, tst1_finished = 1 and
tst2_finished = 1, plus four Reset = 1 transitions.]
Figure 7.2: Control logic for the Test Unit, located in the Controller block.
Chapter 8
Conclusion
The improvement in computer processing power has seen many benefits in our society; however,
it has also increased the risk to our privacy. New and more powerful computers are capable of
performing calculations in the 200 to 300 million instructions per second range (Intel P4 proces-
sors), which means older encryption methods are not secure enough to protect our private data.
A new development in cryptography is to use elliptic curves to form the space and arithmetic for
the cryptographic algorithms. In order for the elliptic curve encryption process to remain secure
the private key must remain secret and unguessable, since it is the only part of the cipher process
a potential hacker does not know. The private and public keys for elliptic curve encryption are
created by random number generators. If the random number generator fails, the whole encryp-
tion process is put at risk. A failure in the generator can be anything from a RNG that does not
produce any bits to one that produces statistically poor random sequences. To prevent an attacker
from finding or creating a security hole, RNGs are tested before being used in cryptographic op-
erations. However, in the case of the smart cards this has not been done properly. The current
method is to test the current bit with the next bit. This detects catastrophic failure, but does not
detect RNG manipulation or outside interference. Other statistical methods are required for this;
for example, the FIPS 140-2 test standard. This standard is used in many products and provides
excellent RNG testing; however, the requirements are too high for the smart card environment.
The tests need to be performed independent of the main processor, which is running its initializa-
tion routines, and the current cryptographic smart card RNGs are too slow to generate the 20000
bits in the 2 sec time limit. Therefore, a hardware online RNG test unit is required that is more or
at least as efficient as the FIPS 140-2 standard but requires fewer hardware resources and a smaller
test sequence than 20000 bits. This thesis presents a solution to this problem with the design of
a test unit that is smaller, consumes less power, and requires a shorter sample sequence than the
FIPS 140-2 test unit.
The first step in the thesis was to select empirical RNG tests suitable for hardware implemen-
tation. Eight tests were selected for possible use in the test unit: frequency, runs, longest runs,
autocorrelation, poker, frequency block, turning point, and serial test. The selection of the empir-
ical tests for the test unit was based on two criteria: the hardware characteristics of the test design
and the test's ability to match the FIPS 140-2 standard. The selection process was done in two parts.
The first part examined the hardware characteristics, while the second part studied how each of the
tests compared to the FIPS standard in respect to different faulty generators. The second part
also examined how each of the tests reacted to varying sample sequence lengths.
The hardware characteristic examination was performed using VHDL and Synopsys(TM), and
it revealed that the tests could be divided into two categories: simple and complex tests. The
hardware judgment was based on the power consumption, area, and time delay results. Six of the
eight tests fell into the simple category: tests that could be combined with other tests and
still have low hardware resource requirements. The poker and serial tests were the two tests that
received a complex classification. A complex test should not be combined with another complex
test due to their large resource characteristics.
After classifying the tests on a hardware basis, the tests were run through a simulator pro-
grammed in Matlab. Using different failure points and models, the results from each of the tests
and test groups were compared to the FIPS 140-2 standard. Some faults were easy to recognize
(the pink noise generator) but others were more difficult (the word oversampling generator). For
each of the faulty generators, an experiment was set up to find the optimum test or test combi-
nation and the sample sequence length at which perfect FIPS matching occurred. The results from
the simulator experiments indicated that the poker test was very important in identifying the
different faults. The sample sequence length ranged from 75 to 20000 bits, depending on the
fault measured.
At this point, the data to select which tests should be included in the test unit was available, but
still needed to be consolidated and analyzed. Chapter 7 combined the results from the previous
two chapters, examined single tests and test combinations, and found that the poker-frequency
group provided the best coverage with a sequence length of 10000 bits. This test group was only
able to catch six of the faults. Results from three experiments were disregarded because they were
difficult even for the FIPS 140-2 standard to detect and could not be detected with a sequence
length of less than 20000 bits.
The final design was able to detect, with perfect FIPS matching and a sample sequence of
10000 bits, the following faulty generator types:
repeating pattern failure
a bias of 54% or greater
wide and pink noise frequency interference
bitwise oversampling.
It also provided a power reduction of 38% and an area reduction of 10% when compared to the
FIPS test unit.
This thesis has shown the importance of the poker test in providing excellent RNG test cover-
age. Of the selected empirical tests, it is one of the complex tests and requires a lot of hardware
resources. Further work is needed to bring this requirement down and achieve an optimized de-
sign for the poker test. Another way to improve the test unit is to increase the number of studied
tests from the current eight. There are hundreds of tests available in the literature, and with new
circuit technology it becomes possible to implement these tests in smart card hardware.
Another area of study is the implementation of another standard as the measuring point.
FIPS 140-2 is only one of the available standards. Another common and often quoted test suite
is the Diehard suite. The empirical tests in that suite can also be implemented in Matlab and
integrated into the simulator. This would allow the user to select between the two standards
when comparing tests or test combinations.
The random number generator tests may have a wider use than just testing random number
generators. Another idea that has not been explored in this thesis, but may be a new application
for RNG tests, is as a quick post-encryption test for units that store long-term data, or as an
intermittent test to check that the data has not changed significantly. Data stored in memory
for long periods of time may become corrupted and unusable. However, with encrypted data this
cannot be determined until the data is decrypted. Encrypted data, however, has the
property that it mimics random data. A quick randomness test may be run on the data to see if it
possesses any regular structure. If it does, then there is a strong indication that the data has been
changed or damaged and further examination is required. A randomness test is quick, requires
less power than the decryption or signature methods currently used, and does not require the
secret key, so it can be performed at any time.
The application of the test unit is wider than just smart cards. There are many applications
that require low power consumption, fast initialization time and secure random number genera-
tors; for example, satellites or embedded systems. Cryptography is finding itself integrated
into more and more applications, and each of these applications needs to test the full encryption
path for full functionality. Therefore, in the future RNG testing will be included in more appli-
cations as well.
Chapter 9
Appendix A
[Figure: Sequence Lengths (x axis) vs. Percent Matching, 0 to 100% (y axis); series: F_R_FIPS,
F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS,
R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]
Figure 9.1: Test combination percent matching with FIPS 140-2 results for the Frequency Add Nar-
row generator with 90% interference showing the combinations Frequency/Runs to Longest
Runs/Poker.
[Figure: Sequence Lengths (x axis) vs. Percent Matching, 0 to 100% (y axis); series: L_T_FIPS,
L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS,
T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 9.2: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow
generator with 90% interference showing the combinations Longest Runs/Turning Point to
Frequency Block/Serial.
[Figure: Sequence Length (x axis) vs. Percent Matching, 0 to 100% (y axis); series: F_R_FIPS,
F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS,
R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]
Figure 9.3: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide
generator with 90% interference showing the combinations Frequency/Runs to Longest
Runs/Poker.
[Figure: Sequence Length (x axis) vs. Percent Matching, 0 to 100% (y axis); series: L_T_FIPS,
L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS,
T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]
Figure 9.4: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide
generator with 90% interference showing the combinations Longest Runs/Turning Point to
Frequency Block/Serial.