on Smart Cards:
A Random Number Generator Test Unit
Dissertation approved by the Department of Physics and Electrical Engineering (Fachbereich für Physik und Elektrotechnik) of the Universität Bremen in fulfillment of the requirements for the academic degree of DOKTOR-INGENIEUR (Dr.-Ing.)
by
Andrew Weigl, M.E.Sc.
from Bremen
Advisor (Referent): Professor Dr.-Ing. W. Anheier
Co-advisor (Koreferent): Professor Dr.-Ing. R. Laur
Submitted on: 05.04.2006
Date of the doctoral colloquium: 24.07.2006
Contents
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Previous Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Contents of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Smart Cards 7
2.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Smart Card Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.1 Physical properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Electrical properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.3 Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Types of Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.1 Memory only cards (also called synchronous cards) . . . . . . . . . . . . 15
2.3.2 Microprocessor cards (also called asynchronous cards) . . . . . . . . . . 15
3 Elliptic Curve Theory and Cryptography 19
3.1 Elliptic Curve Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2 Point Operations on Elliptic Curves over Prime Fields Fp . . . . . . . . . . . . . 19
3.3 Point Operations on Elliptic Curves over Polynomial Fields F2m . . . . . . . . . 21
3.4 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.4.1 Symmetric (Private) Key Cryptography . . . . . . . . . . . . . . . . . . 23
3.4.2 Asymmetric (Public-Private) Key Cryptography . . . . . . . . . . . . . . 24
4 Random Numbers, Generation and Testing 29
4.1 Definition of a random sequence . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 Random number generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.2.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.2.2 Properties of random number generators . . . . . . . . . . . . . . . . . . 32
4.2.3 Types of random number generators . . . . . . . . . . . . . . . . . . . . 33
Pseudorandom number generators . . . . . . . . . . . . . . . . . . . . . 33
True random number generators . . . . . . . . . . . . . . . . . . . . . . 34
Cryptographic random number generators . . . . . . . . . . . . . . . . 34
4.2.4 Popular random number generators . . . . . . . . . . . . . . . . . . . . 35
Linear congruential generator (LCG) . . . . . . . . . . . . . . . . . . . 35
Blum-Blum-Shub generator (computationally perfect PRNG) . . . . . . 35
Cryptographic RNG (hardware RNG) . . . . . . . . . . . . . . . . . . . 36
4.3 Testing of random number generators . . . . . . . . . . . . . . . . . . . . . . . 37
4.4 Testing a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.5 Statistical (empirical) tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.5.1 Hypothesis testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.6 Some examples of statistical models on n . . . . . . . . . . . . . . . . . . . . . . 41
4.7 Hypothesis testing and random sequences . . . . . . . . . . . . . . . . . . . . . 42
4.8 Empirical test examples for binary sequences . . . . . . . . . . . . . . . . . . . 44
5 Hardware Implementation 55
5.1 Hardware Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.1.1 Frequency Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.1.2 Frequency Block Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.1.3 Runs Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.1.4 Longest Runs Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.1.5 Poker Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.1.6 Autocorrelation Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.1.7 Turning Point Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
5.1.8 Serial Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.2 Functional Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
5.3 Hardware Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.3.1 Hardware Analysis Strategy . . . . . . . . . . . . . . . . . . . . . . . . 69
5.3.2 Hardware Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6 Empirical Test Quality Measurement 75
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.2 Random Number Generator Failure Experiments . . . . . . . . . . . . . . . . . 77
6.2.1 Control Experiment 1: True Random Number Generator . . . . . . . . . 77
6.2.2 Control Experiment 2: Good Pseudorandom Number Generator . . . . 78
6.2.3 Failure Point 1 Experiment: ANSI C Generator . . . . . . . . . . . . . . 80
6.2.4 Failure Point 1 Experiment: Repeating Pattern Random Number Generator 83
6.2.5 Failure Point 1 Experiment: Bias Random Number Generator . . . . . . 88
6.2.6 Failure Point 2 Experiment: External Frequency Interference . . . . . . . 94
6.2.7 Failure Point 3 Experiment: Oversampling RNG . . . . . . . . . . . . . 113
7 Random Number Generator Testing Unit 121
7.1 Hardware and Software Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 121
7.2 Poker-Frequency Test Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8 Conclusion 127
9 Appendix A 131
Bibliography 135
Abbreviations
BSI Bundesamt für Sicherheit in der Informationstechnik
BMS Binary Memoryless Source
CISC Complex Instruction Set Computer
CMOS Complementary Metal Oxide Semiconductor
CPU Central Processing Unit
DES Data Encryption Standard
DSA Digital Signature Algorithm
ECDSA Elliptic Curve Digital Signature Algorithm
EC-AES Elliptic Curve Authenticated Encryption Scheme
ECC Elliptic Curve Cryptography
EEPROM Electrically Erasable Programmable Read-Only Memory
EPROM Erasable Programmable Read-only Memory
FIPS Federal Information Processing Standards
GSM Global System for Mobile communications
GUT Generator Under Test
HMAC Keyed-Hash Message Authentication Code
HCC Hyper-elliptic Curve Cryptography
ISO International Organization for Standardization
LSB Least Significant Bit
MSB Most Significant Bit
NIST National Institute of Standards and Technology
NSA National Security Agency
PRNG Pseudorandom Number Generator
PROM Programmable Read-only Memory
PTT Postal and Telecom services
PVC Poly-vinyl Chloride
RAM Random Access Memory
RISC Reduced Instruction Set Computer
ROM Read-Only Memory
RP-RNG Repeating Pattern Random Number Generator
RSA Rivest, Shamir, and Adleman cryptosystem
SRAM Static RAM
ST Source Transition
USB Universal Serial Bus
VHDL Very High Speed Integrated Circuit Hardware Description Language
XOR Exclusive-Or
chi2inv Inverse χ² cumulative distribution function
Acknowledgements
I would like to offer special thanks to the following people, without whose help this thesis
would not have been possible. To my supervisor, Professor Anheier, for the opportunity and the
advice. To my parents, who have guided and supported me all my life. To David Lubicz, for
his discussions of the mathematics of random numbers and random number generators. To
the AREHCC team, and particularly Philips Semiconductors, for introducing me to the problem of
testing random number generators on smart cards. To Volker Meyer, for his help with editing my
thesis, and to all my friends for their support and suggestions.
Chapter 1
Introduction
In 1965 Gordon Moore, co-founder of Intel, observed that the number of transistors
per chip doubles roughly every eighteen months. The media picked this up and dubbed it Moore's
Law. Moore's observation highlights the exponential growth in computing power.
While this is good news for home computer users and the public in general, the growth does
present problems for people who wish to maintain the integrity and security of their data.
Security protocols are measured by estimating the time it would take to crack the
system by brute-force trial-and-error, judged against current computer processing power. For
a given protocol, a key length is suggested that allows for reasonable
security. The currently suggested length for the RSA¹ cryptosystem is 1024 bits; however, this
will be upgraded to a 2048-bit key within the next five years. The problem with larger keys is that
they require more computational power to process. Long key lengths are not a problem for large
computer systems, but this is not the case for small microprocessors, like those used in smart
cards.
Smart cards are finding wider acceptance in consumer electronics that require secure
data transmission, identification, or both. A smart card is a plastic or polyvinyl chloride (PVC)
card with an incorporated microprocessor. It ranges in complexity from a simple memory storage
device to a complex microprocessor. Smart cards are also increasing in calculation power,
but they have a more restricted working environment than their larger microprocessor siblings,
for example, in the power supply. While the power consumption of desktop Central Processing
Units (CPUs) has increased along with their computational power, for smart cards work is
under way to reduce the power consumption.
Current and future smart cards will be a hybrid between contact and contactless cards. For
contact cards, power is supplied to the processor through the terminal contacts. Contactless
cards use inductive coupling to supply their power, but this does not achieve the power levels
available through the contacts. This sets a limit on the design: it needs low power
consumption, or else the whole chip has to be clocked at a lower frequency.
¹ A public key cryptosystem developed by Ronald Rivest, Adi Shamir, and Leonard Adleman in 1977.
Not only is the hardware improving for cryptographic applications, but new methods and
systems are being researched and discovered. In 1985 Neal Koblitz and Victor Miller independently
discovered a public-key cryptographic method that uses the algebra of elliptic curves. This new
method provides, for a given key length, a higher level of security than far larger RSA
keys. For example, a 160-bit key in Elliptic Curve Cryptography (ECC) provides security
equivalent to a 1024-bit RSA key. The shorter key requires less memory and fewer processor
resources. For smart card applications, research is now focused on elliptic curves and, as the
next step, hyperelliptic curves. Currently, ECC is more computationally intensive than the RSA
algorithm; however, new hardware and software implementations plus improved calculation
methods bring the ECC processing requirements closer to those of RSA. The benefits will be
seen with the next jump in RSA key sizes, since the next recommended RSA key length is
2048 bits, whereas the equivalent ECC system only needs 224 bits.
1.1 Motivation
A very important but often overlooked aspect of cryptography is the initial seed value for
cryptographic algorithms. When building encryption applications, designers are advised to use
known algorithms and parameters, since these have undergone rigorous public testing.
Usually only military applications have modified or new cryptographic algorithms, provided by
special government departments such as the National Security Agency (NSA) or the Bundesamt
für Sicherheit in der Informationstechnik (BSI).
With a published asymmetric algorithm, an attacker trying to decipher an encrypted message
potentially has the algorithm, the parameters, the public key, and the ciphertext. The only
secret lies in the private key, which is produced by a random number generator (RNG).
Random number generators have a long history, but it was not until the advent of the
microcomputer that they came into everyday use. Today, there are two main classes of
random number generators: true and pseudorandom. A true RNG incorporates
a natural source of entropy and is indeterminate, since it is not known when the next impulse
or bit will arrive. A pseudorandom number generator (PRNG) is a deterministic equation that
mimics the properties of a true RNG. The benefits of a PRNG are that it is fast and its results
are repeatable. Most applications that use RNGs are built with some form of PRNG.
Regardless of its type, an RNG used in an application needs four properties: independent
output bits, a long period, uniform distribution, and efficient bit generation.
These four factors are used to judge a good RNG. Random number generators used for
cryptographic applications require an extra property: they need to be unpredictable even when
the algorithm and the output sequence are known.
The whole encryption process is put in jeopardy should the random number generator fail. If
an attacker can change or influence the RNG, they may be able to reduce the range of keys
generated, i.e., reduce the RNG's period. This allows the attacker to perform a
brute-force attack on the cryptographic algorithm, testing all possible key combinations
in the reduced key space.
It is impossible to determine with certainty whether a random number generator is functioning
correctly; however, there do exist mathematical models that can be used with statistical analysis
to compare the generator's output to what a true RNG would produce. A characteristic trait of the
Generator Under Test (GUT) is selected and, using hypothesis testing, this characteristic is
compared to the results expected from a true RNG. If the results fall outside the acceptance
range, the RNG is rejected as non-random; if they fall inside it, the RNG is accepted as random
only for the characteristics tested. This acceptance is not a proof of randomness.
The operations used to calculate statistical acceptance or rejection place a heavy load on the
processor. On modern personal computers this is not a problem, thanks to large processing and
memory resources, but small microprocessor devices have little of either. Smart cards, for
example, are limited in their processing power, memory, size, and allowable power consumption.
As a result, smart cards are not fully capable of implementing all RNG tests in software or
hardware.
Older-style smart cards require contact with a power source, but newer cards are either
contactless or a hybrid of contact and contactless. This forces any new circuitry added
to the card to have low power consumption. For smart cards the most important
characteristic of any new hardware design is power consumption, followed closely by design
area and time delay. Smart card processors have a limited surface area, a large portion of
which is used by memory. A circuit design's time delay is a measure of its maximum operating
speed: if the circuit cannot keep up with the processor clock, it becomes the bottleneck that
slows down the whole processor.
Current RNG tests are designed mainly for software implementations. Commonly published
test suites include NIST SP 800-22, FIPS 140-2, and the Diehard battery. A common
standard used by manufacturers for RNG testing is the FIPS 140-2 group: a combination of
four tests (poker, frequency, runs, and longest runs) that analyse a sequence of 20,000 bits. If any
of the tests fails, the FIPS 140-2 group reports the RNG as rejected and non-random.
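Two of the four FIPS 140-2 tests are compact enough to sketch here. The pass bands below (9,725 < ones < 10,275 for the frequency test, 2.16 < X < 46.17 for the poker test) are the published FIPS 140-2 bounds; the function names and plain-Python style are my own.

```python
def fips_monobit(bits):
    """FIPS 140-2 frequency (monobit) test: over 20,000 bits the number
    of ones must lie strictly inside (9725, 10275)."""
    assert len(bits) == 20000
    ones = sum(bits)
    return 9725 < ones < 10275

def fips_poker(bits):
    """FIPS 140-2 poker test: split the 20,000 bits into 5000 4-bit
    segments, count the 16 possible values, and check the statistic
    X = (16/5000) * sum(f_i^2) - 5000 against (2.16, 46.17)."""
    assert len(bits) == 20000
    counts = [0] * 16
    for i in range(0, 20000, 4):
        value = bits[i] * 8 + bits[i + 1] * 4 + bits[i + 2] * 2 + bits[i + 3]
        counts[value] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17

assert fips_monobit([1] * 20000) is False    # stuck-at-1: rejected
assert fips_monobit([0, 1] * 10000) is True  # perfectly balanced: passes
assert fips_poker([0, 1] * 10000) is False   # every segment is 0101: rejected
```

The oscillating stream shows why FIPS 140-2 combines four tests: it passes the frequency test but fails the poker test, and a sequence must pass all four to be accepted.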
For security and marketing reasons, smart card manufacturers want to implement
standards in their products. For testing the smart card RNG, the main standard is
FIPS 140-2; however, current smart card processors running software RNG tests are not
powerful enough to fulfill the FIPS requirements. To achieve the same level of security,
new solutions need to be applied. This thesis proposes a new online hardware test unit for the
smart card environment that operates during the initialization phase. The first design step is
an investigation into the hardware characteristics of eight random number generator tests. The
tests are implemented in VHDL using Synopsys™ tools. The power consumption, area, and
time delay information garnered from these tests is used to classify the tests, hardware-wise, as
complex or simple.
The hardware characteristics alone are not enough to judge which tests should go into the
online test unit. An efficient hardware implementation of each random number generator test is
only one aspect of finding an efficient online RNG test unit. The number of tests implemented
in the unit needs to be as small as possible, with a sample sequence of minimum length and no
loss in quality. To judge both criteria, a simulator is required. A simulator has been programmed
in Matlab™ that examines each test individually and in groups, and compares them to the
results of the FIPS 140-2 standard. The simulator measures the response of the test(s) using
sample sequences varying from 25 to 100,000 bits. Each test reaches a minimum sample
sequence length below which the underlying model no longer fits; at this point the test has
reached its minimum sequence length for that failure type. From this information a judgment
is made on the best test or test combination for each RNG failure type, plus a minimum sample
sequence. The thesis also includes a recommended online RNG test unit design. It is only
a recommendation, since each manufacturer has to balance its own security and hardware
requirements to match the exact usage of its cards.
1.2 Previous Work
The first step taken in this thesis was to determine what research had already occurred in this
field and what solutions were already available. An interview with an employee of a smart card
manufacturer revealed that they used a simple exclusive-or operation between generated bits
as their test method. This catches catastrophic failure, but it leaves open the possibility of other
failures, such as a repeating pattern or outside frequency interference.
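The interview did not specify the exact circuit, so the sketch below is one plausible reading of such an exclusive-or check: it flags a source whose consecutive bits always XOR to the same value (stuck-at or pure oscillation), while a longer repeating pattern slips through undetected.

```python
def xor_alarm(bits):
    """One plausible reading of the manufacturer's check: XOR each pair
    of consecutive bits and raise an alarm if the result is always the
    same, i.e. the source is stuck at a constant or purely oscillating."""
    xors = {bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)}
    return len(xors) == 1  # True = catastrophic failure detected

assert xor_alarm([1, 1, 1, 1, 1, 1]) is True         # stuck-at-1 caught
assert xor_alarm([0, 1, 0, 1, 0, 1]) is True         # oscillation caught
assert xor_alarm([0, 0, 1, 1, 0, 0, 1, 1]) is False  # repeating pattern missed
```

The last case is precisely the gap noted above: the period-4 pattern 0011 0011 ... never triggers the alarm, even though it is completely predictable.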
A literature and patent search revealed very little information. There were seven patents for
online testing of random number generators [Har03g, Har03f, Har03e, Har03b, Har03a, Har03c,
Har03d]; however, they were software solutions in C++.
The solutions found are not acceptable as test solutions that operate during the initialization
of the smart card. No other literature or patents were found that deal with the hardware
implementation of online RNG tests.
1.3 Contents of the Thesis
In the following chapter, the thesis starts with an introduction to smart card technology. This
provides the basic framework from which the boundary conditions for the Test Unit design are
gathered. Chapter 3 is an introduction to a cryptographic system in which random numbers play
an important role; it emphasizes the importance of random numbers and why it is imperative
that the RNG works properly. Before going into the theory of testing RNGs, Chapter 4 begins
with the theory of random binary sequences and their generators, after which the statistical
theory for testing RNGs is introduced. Chapter 5 is the first part of the solution to find the
optimum RNG test unit for smart cards: the hardware characteristics of eight tests are examined.
The second part of the Test Unit solution continues in Chapter 6, where a simulator is presented
to judge which tests should be implemented and the minimum length of the sample sequence for
each failure type. In Chapter 7 the results from the previous two chapters are analysed to
determine the optimum smart card test unit, and the designed test unit is compared to the
original FIPS standard unit. The thesis is then summarized and remarks on further study are
given in Chapter 8.
Chapter 2
Smart Cards
Although smart cards are now very common, the technology is still young, with the first smart
cards appearing in the 1970s. Since then, their evolution has been rapid. Smart cards have
advanced from simple memory cards to very efficient microcomputers with multiple
applications. Equipped with a microcontroller, these cards are able to store and protect
information using cryptographic algorithms. They are also resistant to physical stresses such as
twisting and bending. Physically, a smart card consists of a small plastic rectangle with a
magnetic stripe, holograms, relief characters, and an embedded chip. Smart cards are small and
easy to use and carry. Their security and portability provide a safe, reliable, convenient, and
effective way to ensure secure transactions (banking, e-business, etc.) and enable a broad range
of applications. Modern smart cards can thus be used in virtually any system that needs
security and authentication, and they have proven to be an ideal means of making high-level
security available to everyone. This chapter presents an overview of today's smart card
technology and shows the limitations that smart card manufacturers must take into account when
implementing cryptographic algorithms, for example elliptic or hyperelliptic curve algorithms,
in a smart card environment.
2.1 History
At the beginning of the 1950s, the first plastic (PVC) cards appeared in the USA as a substitute
for paper money. They were initially aimed at the rich and powerful, and were only accepted by
prestigious hotels and restaurants. These cards were very simple, with the owner's name printed
in relief and sometimes a handwritten signature added. They provided a more convenient
payment system than paper money. With the involvement of VISA™ and MasterCard™
in plastic money, credit cards spread rapidly around the world. Later, a magnetic stripe was
added to reduce fraud and increase security. Confidential digitized data was stored on this
stripe, but the information was accessible to anyone possessing an appropriate card reader.
Between 1970 and 1973 there was a significant development in plastic cards with the addition of
microcircuits
to the card. Many patents were filed during this time; the best-known inventors include J.
Dethloff, K. Arimura, and R. Moreno. The term smart card was proposed by R. Bright. It was
not until 1984 that the smart card was first put into commercial use by the French PTT (postal
and telecom services) with their first telephone cards (smart cards with memory chips). By 1986,
millions of these smart cards had been sold in France and other countries. After telephone cards,
the next big application was banking cards. This development was more difficult because the
cards contained more complicated chips that were able to perform cryptographic calculations. A
number of ISO standards were created to encourage interoperability of smart cards. By 1997,
bank cards were widely used in France and Germany. Microcontrollers continued to advance
and became more powerful, with larger memory capacity. This allowed for sophisticated
cryptographic algorithms, providing higher levels of security. Nowadays, smart cards are present
all over the world, and their use is likely to spread even further.
2.2 Smart Card Properties
Smart cards are physically similar to classic embossed plastic cards, which serve as the base
design for newer smart cards. There are two categories of smart cards: memory-only cards,
which are the cheapest and simplest, and microprocessor cards, which are more expensive but
offer more applications and security features. The structure of smart cards is standardized by
ISO, principally ISO 7816 [gro99a, gro99b, gro99c, gro99d] and ISO 7810 [gro95].
The following sections look at the different aspects of the smart card properties.
2.2.1 Physical properties
The most widely used smart card format, ID-1, is part of the 1985 ISO 7810 standard [gro95].
Most smart cards are made from PVC (polyvinyl chloride), which is also used for credit cards.
Some are made from ABS (acrylonitrile butadiene styrene), but these cannot be embossed; an
example application is the mobile phone card.
The body of the card includes the following components: magnetic stripe, signature strip,
embossing, imprinting of personal data (picture, text, fingerprint), hologram, security printing,
invisible authentication features (fluorescence, UV), and a microprocessor chip.
The chip module and its embedding
The chip module, also called the micromodule, is the thin gold contact area seen on the left side
of the smart card. The module needs to be firmly attached to the plastic of the card; its purpose
is to protect the card and the microprocessor chip. For contact-type smart cards, the contacts
can also be part of the chip module.
Many embedding techniques have been tested and used with the aim of optimizing the card's
resilience to everyday physical and mechanical stresses (temperature, abrasion, twisting,
bending, etc.) while keeping production costs as low as possible.
Contact and Contactless Cards
There are two main ways a smart card can communicate with the card terminal: through physical
contact or over a contactless connection. Contact cards were the first type of smart card on the
market; with advances in microcircuit technology, contactless cards have since become
physically feasible.
Contact Card
This is currently the most common type of card. It communicates via a card reader, with the
information passing through the contacts. There are metal contacts inside the card reader and on
the chip module of the smart card. The position and dimensions of these contacts (power supply,
data transfer, etc.) are set in the ISO 7816-2 standard [gro99b]. Another standard, AFNOR, is
still in use by some cards in France, but is likely to disappear in the near future.
Figure 2.1: Pin layout for contact smart cards.
There are 8 contact areas, C1...C8:

C1: Supply voltage, VCC                      C5: Ground, GND
C2: Reset                                    C6: External programming voltage
C3: Clock, CLK                               C7: Input/Output for serial communication
C4: Not in use, reserved for future use      C8: Not in use, reserved for future use
Contactless Card
These cards contain special circuits that allow data transmission over short distances without
mechanical contact and without a direct supply of power. The technology is not new, but it is
difficult to apply to smart cards. At the moment it is not possible to incorporate a battery into the
card because of the card's size and thickness, but research is ongoing to overcome this problem.
Not only is there the problem of supplying power to the smart card circuits, but data and clock
signals also need to be transmitted between the card and the terminal. The technique of
capacitive and inductive coupling is, at this time, the most suitable for smart cards and has been
standardized in ISO/IEC 14443 [gro00]. This standard presents a method for capacitive and
inductive coupling where the card's conductive surfaces act as capacitor plates. One or several
coupling loops are integrated into the card to receive energy from the terminal. A carrier
frequency in the range of 100-300 kHz is used, which allows very rapid transmission.
Dual Interface or combi cards
In the future it is likely that combi cards will become more common. They combine the
advantages of contact and contactless cards. In ISO/IEC 10536 the application is described as
"slot or surface operation": depending on the operation, the card must either be inserted in a
slot to make contact or placed on a certain surface for a contactless transaction. This type of
card allows applications such as credit, debit, membership, and mass transit to be combined on
the same card.
2.2.2 Electrical properties
The electrical properties of a smart card depend on its embedded microcontroller, since this is
the only component of the card with electrical circuitry. The basic electrical requirements are
defined by the ISO/IEC 7816-3 standard, Part 3: Electronic signals and transmission protocols
[gro99c]. Electrical characteristics and class indications for operating at 5 V, 3 V, and 1.8 V are
described in Amendment 1; Amendment 2, which describes a USB interface for smart cards,
is currently under preparation. The GSM mobile telephone network (GSM 11.11) should also
be mentioned here, because it contributes to the requirements in this area. Further modifications
of the ISO/IEC 7816 standard are driven by the UMTS specification.
Supply Voltage
A smart card's supply voltage is 5 V, with a maximum deviation of ±10%. This voltage, the
same as that used for conventional transistor-transistor logic (TTL) circuits, is standard for all
cards currently on the market. Since all modern cellular telephones are built on 1.8 V technology
(GSM 11.18), modern smart cards are designed for a voltage range of 1.8-5 V ±10%, which
Specification          ISO 7816-3               GSM
Notation               Class A     Class B      GSM 11.11   GSM 11.12   GSM 11.18
Supply voltage         5 V         3 V          5 V         3 V         1.8 V
Supply current         60 mA       50 mA        10 mA       6 mA        4 mA
Frequency              5 MHz       4 MHz        5 MHz       4 MHz       4 MHz
Power consumption      300 mW      150 mW       50 mW       18 mW       7.2 mW

Table 2.1: Smart card power consumption specified by ISO 7816 and the GSM specifications [WW00].
results in an effective voltage range of 1.6-5.5 V. Such cards can be used in both 1.8 V and 5 V
terminals, keeping the advantage of simple and straightforward card usage.
Supply Current
The built-in microcontroller obtains its supply voltage via contact C1 (see Figure 2.1). According
to the GSM 11.11 specification, the current may not exceed 10 mA; with a supply voltage of 5 V
and an assumed current consumption of 10 mA, the maximum power dissipation is 50 mW.
Table 2.1 gives an overview of the currently defined maximum power consumption classes,
specified by ISO 7816 and GSM.
The current consumption is directly proportional to the clock frequency, so it is also possible to
specify the current as a function of the clock frequency: P_dynamic = C · V² · f, where C is the
load capacitance, V is the voltage swing, and f is the frequency [SS91]. State-of-the-art smart
card microcontrollers use configurable internal clock frequencies for their processor and their
arithmetic coprocessor. Hence, the current consumption depends not only on the external
clock, but also on the configuration of the microcontroller itself and the setting of the
coprocessor. The coprocessor can be programmed to keep power consumption under a set value,
for example the GSM limits.
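As a quick sanity check of the relation P = C · V² · f against the GSM 11.11 figures in Table 2.1, one can back-calculate the effective switched capacitance that would dissipate exactly 50 mW at 5 V and 5 MHz; the resulting 400 pF is purely illustrative, not a datasheet value.

```python
def dynamic_power(c_load, v_swing, f_clock):
    """CMOS dynamic power P = C * V^2 * f (watts, for farads/volts/hertz)."""
    return c_load * v_swing ** 2 * f_clock

# Effective switched capacitance implied by the GSM 11.11 class:
# 50 mW at 5 V and 5 MHz gives C = 400 pF (illustrative back-calculation).
c_eff = 50e-3 / (5 ** 2 * 5e6)

assert abs(dynamic_power(c_eff, 5, 5e6) - 50e-3) < 1e-12
# Halving V at fixed C and f cuts power by four: the appeal of the
# lower-voltage 3 V and 1.8 V classes in Table 2.1.
assert abs(dynamic_power(c_eff, 2.5, 5e6) - 12.5e-3) < 1e-12
```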
2.2.3 Memory
Smart cards can be divided into two main components: the processor (including coprocessor)
and memory. Memory can be subdivided into volatile and non-volatile memory; Figure 2.2
shows the different types. Since the smart card needs to be able to function as an independent
unit, most cards contain a combination of RAM, ROM, and EEPROM.
Read-only Memory (ROM)
ROM is non-volatile memory that can be randomly accessed for reading. There is no limit
to the number of times the memory can be read, but it can only be written during production.
This type of memory requires no voltage to hold its information, so when the power is
disconnected,
Figure 2.2: Types of memory found in smart cards [WW00]. Non-volatile: ROM, PROM, EPROM, EEPROM, Flash EEPROM, FRAM; volatile: RAM.
the data is still retained. This is excellent memory for storing vital programs that the smart card
needs to run, like the operating system and the diagnostic functions. The data is imprinted onto
the chip by using lithographic techniques. ROM cells require the least amount of area per cell
compared to other available types of memory.
Random Access Memory (RAM)
RAM is the work area for the smart card. It can quickly read and write data, and there is no limit
to the number of writes a RAM cell can handle. However, since it is volatile memory, constant
power needs to be supplied, or otherwise the contents will be lost. The method for accessing this
memory is what gives it its name; random access means that the memory is selected and directly
accessed without having to sequentially traverse the memory block.
In smart cards, the most common form of RAM is static RAM (SRAM), which, unlike dynamic
RAM (DRAM), does not need to be periodically refreshed. SRAM has flip-flops as its
basic component, while DRAM uses capacitors with refresh circuitry.
Smart card chip designers try to keep the amount of RAM to a minimum, since it requires
a large area per cell. Indeed, RAM cells require seventeen times more area than a ROM cell
[WW00].
Programmable Read-only Memory (PROM)
Programmable read-only memory is similar to ROM in that once it has been written to, it cannot
be rewritten. The difference is that the code does not need to be written with lithographic
techniques. PROM has a serious drawback: access needs to be granted to the address, data and
Figure 2.3: Threshold voltage (i_D-v_GS) curves for the a) preprogrammed (1) and b) programmed (0) states [SS91].
Figure 2.4: EPROM during programming, with approximately +25 V on the select gate and +16 V between drain and source [SS91].
control buses for the writing process. This leaves a security hole in the smart card that a hacker
could use to read the data stored on the chip. PROM is not used in smart cards because of this
vulnerability.
Erasable Programmable Read-only Memory (EPROM)
An EPROM is essentially an n-channel MOSFET (Metal-Oxide-Semiconductor Field Effect
Transistor) with an extra polysilicon gate called the floating gate. Initially, the EPROM finds
itself in a preprogrammed state where the device has an i_D-v_GS characteristic similar to the n-channel
MOSFET. The threshold voltage is relatively low, as can be seen in Figure 2.3 a). This
state is generally labeled as state 1.
In order to program the EPROM, a large voltage needs to be applied, around 16 to 20 V,
between the drain and source (see Figure 2.4). Simultaneously, on the select gate a voltage
of approximately 25 V needs to be applied. Since smart card controllers use a supply voltage
between 3 and 5 V, a cascaded voltage-multiplier circuit, or charge pump, needs to be used to
generate the required voltage levels.
The device acts as a regular n-channel enhancement MOSFET when there is no charge
present on the floating gate. With the voltages present, a tapered n-type inversion layer is formed
at the surface of the substrate. The drain-to-source voltage accelerates the electrons through the
channel. The electric field formed by the voltage on the select gate attracts the hot electrons (the
accelerated electrons) towards the floating gate. At the floating gate the electrons collect, causing
the gate to become negatively charged. This process continues until enough negative charge
has formed on the floating gate to reduce the strength of the electric field to the point where it
can no longer accelerate any more hot electrons.
The negatively charged floating gate repels electrons away from the surface of the substrate.
To compensate for the loss of electrons in the region, a larger select gate voltage is required to
form an n-channel. This shifts the i_D-v_GS characteristic upwards, as can be seen in
Figure 2.3 b) [SS91].
For the microcontroller to read the state of the EPROM, the unit needs only to apply a test
v_GS between the two i_D-v_GS curves. If current flows, the EPROM is in state 1; if it
does not flow, then it is in state 0.
For smart cards, EPROM was used by the French PTT in their first telephone cards, since, at
that time, it was the only ROM type memory available [WW00]. As with other ROM types, it
does not require a supply voltage to retain the data. EPROM can be reprogrammed, but it first
requires ultraviolet light to erase the old data. This method is not feasible for smart cards, so this
technology has been abandoned for newer erasable ROMs.
Electrically Erasable Programmable Read-only Memory (EEPROM)
As with regular computers, sometimes data needs to be read, altered and then stored with the
possibility that the voltage supply is disconnected. Computers use hard drives to store the data
for longer periods of time, but smart cards do not have this option. Instead they use a type of ROM
that can handle multiple writes. EPROM can only be erased with ultraviolet light, which makes
it unsuitable as a multi-write memory. The solution is found with another type of ROM that can
be electrically erased, the electrically erasable programmable read-only memory (EEPROM).
EEPROM operates similarly to the EPROM mechanism described above. There are two main
differences between EPROM and EEPROM. The first difference is how the electrons travel from
the substrate to the floating gate. EPROM uses hot electron
injection, while standard EEPROM uses the tunnel effect (Fowler-Nordheim tunneling). A high
positive voltage at the select gate causes electrons to migrate through the tunnel oxide to the
floating gate, where they collect. Eventually, the floating gate becomes negatively charged.
The second difference between EPROM and EEPROM is how the data is erased. As stated
earlier, EPROM requires ultraviolet light to reset its state. For EEPROM, a negative voltage
applied to the select gate forces the electrons from the floating gate back to the substrate. After
this process, the EEPROM is classified again as discharged and the threshold voltage V_t is low.
Similar to RAM and other types of ROM, EEPROM can be read an unlimited number of
times. However, there is a limit to the number of writes that can be performed. The life
expectancy is limited by the quality, type, and thickness of the tunnel oxide layer, which is the
oxide layer between the floating gate and the substrate (see Figure 2.4). During production the
tunnel oxide is one of the first layers to be produced. As the rest of the production continues,
it undergoes large thermal stresses that cause minute faults in the oxide layer. These allow the
tunnel oxide to absorb electrons during the programming cycle, which are not returned to the
substrate when the data is erased. The trapped electrons then collect at the channel between the
drain and source. This process continues until enough electrons collect that they influence the
threshold voltage to a greater degree than the floating gate does. The threshold voltage then stays in
one state regardless of whether the floating gate is charged or not; the EEPROM becomes useless.
2.3 Types of Smart Cards
2.3.1 Memory only cards (also called synchronous cards)
This was the first type of card to be widely used. The prepaid telephone cards mentioned in the
introduction are an example of this type of card. The data required for the applications is stored
in the EEPROM memory (EPROM for the first cards). In the simplest case the cards use memory
that can only be written once; after use, the memory is deleted and made inoperable
(the Thomson ST1200 SGS, introduced in 1983, worked in this way). The addition of a security
logic device allows more control over memory access. There now exist more complex memory
cards that can perform simple encryption.
These types of cards are easy to use, the electronics are simple, the chip is small, and the price
is low. However, memory space and flexibility are limited, and they are not suited to security
applications.
2.3.2 Microprocessor cards (also called asynchronous cards)
These cards are equipped with an "intelligent circuit": a processor connected to memory blocks
capable of carrying out complex calculations. The added functionality of the microprocessor
allows for higher security and application choices. However, as a result, these cards are larger and
more complex. It is possible to connect other devices to the microprocessor for communication,
special operations or security. Figure 2.5 shows many of the possible components that can be
added to the microprocessor card. There are many different types of microprocessor smart cards.
All of them function as a secured unit, protected from unauthorized access.
All microprocessors (and most computers) employ the principle of the stored-program digital
computer. This means that data and instructions, which are held in a memory area, must first be
loaded into registers. The central processing unit (CPU) then operates on these registers and
places the results back into the memory areas.
Figure 2.5: Components of the microprocessor: CPU, timers, UART, crypto device, security sensors, RAM, ROM, and EEPROM, connected by a bus.
CISC RISC
Extensive instruction set. Small instruction set.
Complex and efficient machine instructions. Simple instructions.
Advanced instructions microencoded. Hardwired machine instructions.
Extensive addressing capabilities for memory operations. Few addressing modes.
Few registers. Many registers.
Table 2.2: Characteristics of CISC and RISC based processors.
The CPUs used in smart cards are usually built around proven modules from other applications.
Many CPUs are based on the CISC (Complex Instruction Set Computer) architecture,
which requires several clock cycles per instruction. However, CPUs based on the RISC
(Reduced Instruction Set Computer) architecture are becoming more common. Table 2.2 shows the
differing characteristics of CISC and RISC type processors. Many current CISC type
processors are based on one of two main families, the Intel 8051 or the Motorola 6805.
Manufacturers take the base design of either a CISC or RISC processor and add their
own functionality as needed. Some common smart card processor manufacturers are Philips
S.C., Infineon, ST Microelectronics, Hitachi, ARM, and MIPS.
The processing speed of the smart card is controlled by a clock circuit normally set to 5 MHz.
Modern smart card processors use clock multipliers (by two or four) to increase this operating
clock speed for internal calculations. Using clock multipliers, smart cards are able to operate at
speeds between 20 and 30 MHz.
The area occupied by the microprocessor on the chip has a big influence on its manufacturing
costs and its resistance to bending and shearing forces. Therefore, effort is made to reduce the
chip's size as much as possible. The chip's surface area must be less than 25 mm^2. This means
that the microprocessor contains between 150,000 and 200,000 transistors, fabricated in a 0.25 or 0.30 µm
CMOS process. New smart card microprocessor designs use a 0.18 µm
CMOS process.
To provide additional functionality to the smart card, manufacturers add specialized
coprocessors to perform only specified tasks. The next section takes a closer look at coprocessors in
smart cards.
Coprocessors
Coprocessors are used on the majority of current chips for special operations. Among those used
for cryptography are:
- a DES [NIS99a] coprocessor: for DES encryption/decryption;
- a random number generator coprocessor: allows the use of random values in algorithms;
- an arithmetic coprocessor: dedicated to arithmetic operations (modular operations) on long integers.
An arithmetic coprocessor is essential for asymmetric cryptographic algorithms such as
RSA, DSA, and ECDSA [Mur01]. Adding such coprocessors has a significant impact on the cost
of the chip, increasing it by as much as a factor of ten. This being the case, one may wonder why,
with increasingly powerful processors, it continues to be necessary to add coprocessors. But at
the same time, cryptographic algorithms require ever longer keys to remain secure, so coprocessors
are likely to remain necessary for high performance cards.
Chapter 3
Elliptic Curve Theory and Cryptography
In 1985, Koblitz [N. 87] and Miller [V.S86] independently suggested elliptic curves for public key
cryptography. The first methods for calculating elliptic curve additions and scalar multiplications
were very complicated; however, by the late 1990s the process had been optimized to the point
where it could compete with other public key cryptosystems. Elliptic curves provide the same
security level as competing public key cryptosystems but at a much smaller key length,
providing savings in cost, calculation time, and implementation size.
A very good introduction to elliptic curve cryptography can be found in [Cor98, Dah00,
Kne02, V.S86, Mil96, Ros99].
3.1 Elliptic Curve Algebra
The elliptic curve E(k) over a field k is defined as a set of points P_i = (x_i, y_i) in an affine
two-dimensional space. The Weierstrass form of the elliptic curve is

y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.   (3.1)

The values a_i, x and y are elements of the field k.
3.2 Point Operations on Elliptic Curves over Prime Fields F_p

Definition: Let O denote the point at infinity. If a, b ∈ F_p satisfy 4a^3 + 27b^2 ≠ 0 mod p, then the elliptic curve E(F_p) is

y^2 = x^3 + ax + b.   (3.2)
Using O as the identity element, the addition operator + on E(F_p) is
defined as follows (see Figure 3.1):

1. For point addition, P + Q = (x_3, y_3) and P ≠ Q:

   x_3 = λ^2 − x_1 − x_2   (3.3)
   y_3 = λ(x_1 − x_3) − y_1
   λ = (y_2 − y_1) / (x_2 − x_1)
2. For point doubling, P + P = 2P = (x_3, y_3):

   x_3 = λ^2 − 2x_1   (3.4)
   y_3 = λ(x_1 − x_3) − y_1
   λ = (3x_1^2 + a) / (2y_1)
The addition of two different points on the elliptic curve requires the following arithmetic
operations in F_p: six additions, one squaring, two multiplications and one inversion. Point
doubling on the elliptic curve in F_p requires: eight additions, two squarings, two multiplications,
and one inversion.
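The affine formulas (3.3) and (3.4) can be sketched in a few lines of Python. The tiny curve y^2 = x^3 + x + 1 over F_23 and the sample points are a common textbook choice, not parameters from the thesis; the point at infinity O and input validation are omitted for brevity.

```python
# Minimal sketch of affine point addition and doubling over F_p.

def inv_mod(x, p):
    return pow(x, p - 2, p)  # Fermat inverse, valid for prime p

def point_add(P, Q, a, p):
    """Add two affine points on y^2 = x^3 + ax + b over F_p (O omitted)."""
    if P == Q:
        lam = (3 * P[0] ** 2 + a) * inv_mod(2 * P[1], p) % p   # tangent slope, eq. (3.4)
    else:
        lam = (Q[1] - P[1]) * inv_mod(Q[0] - P[0], p) % p      # chord slope, eq. (3.3)
    x3 = (lam ** 2 - P[0] - Q[0]) % p
    y3 = (lam * (P[0] - x3) - P[1]) % p
    return (x3, y3)

P = (3, 10)           # a point on y^2 = x^3 + x + 1 over F_23
Q = (9, 7)
print(point_add(P, Q, 1, 23))   # P + Q -> (17, 20)
print(point_add(P, P, 1, 23))   # 2P -> (7, 12)
```

Note how the same function covers both cases of the definition: the `P == Q` branch applies the doubling slope, the other branch the chord slope.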
The previous equations can also be obtained graphically by applying the following steps:
To calculate R = P + Q (see Figure 3.1 a)):
1. Plot P = (x_1, y_1) and Q = (x_2, y_2) on the curve;
2. Connect P and Q with a line;
3. The third point where the line intersects the curve is R' = (x_3, −y_3);
4. Mirror R' over the x-axis to get the new point R = (x_3, y_3).
To calculate R = 2P (see Figure 3.1 b)):
1. Plot P = (x_1, y_1) on the curve;
2. Draw the tangent to the curve at point P, where the tangent slope is λ = (3x_1^2 + a) / (2y_1);
3. The point where the tangent line intersects the curve is R' = (x_3, −y_3);
4. Mirror R' over the x-axis to get the new point R = (x_3, y_3).
Figure 3.1: Geometric elliptic curve addition (a) and doubling (b).
The order of the elliptic curve is the number of points in E(F_p), denoted by #E(F_p). For
prime fields, Hasse's theorem [Gj00, N. 87] provides a boundary for #E(F_p):

q + 1 − 2√q ≤ #E(F_p) ≤ q + 1 + 2√q   (3.5)

where q is the prime power.
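Hasse's bound can be illustrated by brute-force point counting on a small curve; the parameters below are the same illustrative textbook curve over F_23, not values from the thesis.

```python
# Brute-force point count on a small prime-field curve to check Hasse's bound (3.5).

def curve_order(a, b, p):
    """#E(F_p): affine solutions of y^2 = x^3 + ax + b, plus the point O."""
    count = 1  # the point at infinity O
    for x in range(p):
        for y in range(p):
            if (y * y - (x ** 3 + a * x + b)) % p == 0:
                count += 1
    return count

p, a, b = 23, 1, 1
n = curve_order(a, b, p)
lo, hi = p + 1 - 2 * p ** 0.5, p + 1 + 2 * p ** 0.5
print(n, lo <= n <= hi)   # 28 True
```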
3.3 Point Operations on Elliptic Curves over Polynomial Fields F_2^m

It is common to implement elliptic curves on computers in either the F_p field or the F_2^m field.
The constants for F_2^m can be given in either a polynomial or a normal basis. The reduced Weierstrass
form for F_p is different than for F_2^m. The polynomial field has two possible forms, called the
supersingular curve:

y^2 + y = x^3 + a_4 x + a_6   (3.6)
and the nonsupersingular curve:

y^2 + xy = x^3 + a_2 x^2 + a_6.   (3.7)
The addition of two points using a polynomial elliptic curve E(F_2^m) over F_2^m follows similarly
to the F_p case:
1. For point addition, P + Q = (x_3, y_3) and P ≠ Q:

   x_3 = λ^2 + λ + x_1 + x_2 + a_2   (3.8)
   y_3 = λ(x_1 + x_3) + x_3 + y_1
   λ = (y_2 + y_1) / (x_2 + x_1)
2. For point doubling, P + P = 2P = (x_3, y_3):

   x_3 = λ^2 + λ + a_2   (3.9)
   y_3 = λ(x_1 + x_3) + x_3 + y_1
   λ = x_1 + y_1 / x_1
Point addition in F_2^m has a little more overhead than its F_p counterpart, with: one inversion,
two multiplications, one squaring and eight additions. Point doubling, however, has a lower
overhead, with: one inversion, two multiplications, one squaring and six additions.
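The point operations above rest on field arithmetic in F_2^m, where addition is a bitwise XOR and multiplication is a carry-less product reduced modulo an irreducible polynomial. A minimal Python sketch, using the toy field F_2^4 with the assumed reduction polynomial x^4 + x + 1 (real curves use m of 163 and more):

```python
# Polynomial-basis multiplication in F_{2^m}, shift-and-add with reduction.

def gf2m_mul(a, b, poly, m):
    """Multiply a and b (bitmask-encoded polynomials) in F_{2^m}."""
    r = 0
    while b:
        if b & 1:
            r ^= a          # addition in F_2 is XOR
        b >>= 1
        a <<= 1
        if a >> m & 1:      # degree reached m: reduce modulo poly
            a ^= poly
    return r

# (x^3 + 1) * (x + 1) mod x^4 + x + 1  ->  x^3
print(bin(gf2m_mul(0b1001, 0b0011, 0b10011, 4)))   # 0b1000
```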
Definition: Let p be the characteristic of F_q, and let t = q + 1 − #E. The elliptic curve
E is supersingular if p divides t; otherwise it is nonsupersingular.
Care must be taken in choosing the proper F_2^m curves for cryptographic applications.
Supersingular curves allow for quick calculations; however, they are also susceptible to certain
attacks. When using nonsupersingular curves care must also be taken, since there are curves
where the Frey-Rück attack applies [Coh05]. However, for nonsupersingular curves there are
still many groups that are not vulnerable to attack, whereas supersingular curves are always
vulnerable [Gal01].
Elliptic curve algebra, shown here, is the basis for a popular form of asymmetric cryptogra-
phy. The next section presents the differences between asymmetric and symmetric cryptography
and a common implementation of the elliptic curve in cryptographic applications.
3.4 Cryptography
Throughout history there are many examples of people using cryptography to secure their
messages or information. The communication model can be viewed as in Figure 3.2: Person 1 wants
to communicate privately with Person 2, but Person 3 uses available techniques to listen
in. If Person 3, the attacker, can see and/or modify the information, the communication channel
is insecure. Other examples of communication are variations on Figure 3.2, where Person 2 may
be a human, as in a cellphone call, a website where Person 1 wishes to make a purchase,
or a smart card automated teller machine (ATM). Each
Figure 3.2: Communication channel between Person 1 and 2 with Person 3 attacking the channel.
of these examples can lead to financial and reputation loss if a third person retrieves Person 1's
information or if the attacker can imitate Person 1. These examples illustrate the goals of
security, which can be listed as follows:
Confidentiality: The information is kept private and only authorized people or devices may see
and interact with the information.
Data Integrity: The data retains its original message, even when transmitted over an open medium.
A third person is not able to alter the data without the receiver being aware of it.
Authentication: The receiver is assured that the data comes from the intended sender.
Non-repudiation: The receiver is able to convince an impartial third party that the data originated
from the sender.
There are two forms of cryptography currently in use, symmetric and asymmetric key
cryptography (see Figures 3.3 and 3.4). Both methods are used regularly to secure data; for example,
symmetric key cryptography is often used for high data transfer applications, since it is 1000 to
10000 times faster than equivalent asymmetric key algorithms [APS96]. Asymmetric keys are
often used for secure key management and exchange over an unsecured channel; the Diffie-Hellman
public key algorithm [Kae04] is one such example.
3.4.1 Symmetric (Private) Key Cryptography
For symmetric key systems both parties (encrypter and decrypter) need to have the same key.
Figure 3.3 gives a visual picture of the symmetric key encryption process. The sender has a
plain text message and a private key p_secret, which they input into the symmetric encryption
algorithm. The function then outputs an encrypted text message that can be openly sent to the
receiver. However, the key needs to be transported by some secure method, either by physically
exchanging the key or through newer key management systems that transport keys securely. The
receiver has the encrypted message, the private key, and the decryption algorithm. They input
the key and the cipher message into the decryption function; the output is the plain text message.
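The flow just described can be illustrated with a toy Python sketch. The keystream built from SHA-256(key ∥ counter) is a stand-in for a real symmetric cipher such as DES or AES, chosen only to keep the example self-contained and is not a secure construction.

```python
# Toy symmetric scheme: both sides hold the same secret key; the same
# XOR-keystream operation both encrypts and decrypts.
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, out))

p_secret = b"shared secret key"          # transported over a secure channel
cipher = xor_stream(p_secret, b"plain text message")
plain = xor_stream(p_secret, cipher)     # applying the keystream again decrypts
print(plain)   # b'plain text message'
```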
A system is said to be secure when the attacker has the ciphering algorithms and the cipher
message, but is not able to recalculate the plain text message (in a reasonable time period).
Figure 3.3: Symmetric encryption scheme. The secret key p_secret, produced by a random number generator, is transported securely to both sides; the encrypted text message travels over the open channel.
3.4.2 Asymmetric (Public-Private) Key Cryptography
One of the major drawbacks of the private key encryption method is how to give both parties
exclusive access to the private key. If they are at the same location, it is not a problem, but that
is not always the case: a message may need to be exchanged between parties who are far apart. A
solution to this problem was introduced in 1976 with the advent of asymmetric, or public key,
encryption.
Public key encryption works by using two keys, a public and a private key. The key pair is
selected such that deriving the private key from the public key is equivalent to solving a
computational problem that is believed to be intractable.
If the sender wants to send a message, as in Figure 3.4, the receiver must first supply the
sender with a public key PK_rec over an unsecured channel. The sender then uses the receiver's
public key PK_rec and their own private key p_sen to calculate a common secret S. An encrypted
message can be created with S, the plain text message and the encryption function. The encrypted
message is sent to the receiver, who first calculates the common secret S using their private
key p_rec and the public key from the sender PK_sen. The common secret is used again with the
symmetric encryption algorithm (in decrypt mode) and the encrypted message to recreate the
plain text message.
Figure 3.4: Asymmetric encryption. Each side draws a private key (p_sen, p_rec) from its random number generator, computes its public key (PK_sen = p_sen·Q, PK_rec = p_rec·Q), exchanges it over the open channel, and derives the common secret S from the other party's public key and its own private key.
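The common-secret construction in Figure 3.4 can be sketched with classic Diffie-Hellman over integers modulo a prime; an elliptic curve version replaces the exponentiation g^x mod p with the scalar multiplication x·Q. The prime and generator below are illustrative toy values, not secure parameters.

```python
# Both sides derive the same secret S from the other party's public key
# and their own private key, as in Figure 3.4.
import secrets

p, g = 2 ** 127 - 1, 5                  # toy public domain parameters (g plays the role of Q)

p_sen = secrets.randbelow(p - 2) + 1    # sender's private key
p_rec = secrets.randbelow(p - 2) + 1    # receiver's private key

PK_sen = pow(g, p_sen, p)               # exchanged over the open channel
PK_rec = pow(g, p_rec, p)

S_sender = pow(PK_rec, p_sen, p)        # sender:   S(PK_rec, p_sen)
S_receiver = pow(PK_sen, p_rec, p)      # receiver: S(PK_sen, p_rec)
assert S_sender == S_receiver           # both ends hold the same secret S
```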
The public key system has the benefit of being more robust than the private key system;
however, this comes at the cost of higher computation and algorithm complexity. Table 3.1
shows a comparison of the key lengths for various private and public key systems. It is evident
that the private key algorithm requires a smaller key length to achieve security equivalent
to a public key system. Also included in Table 3.1 is the newer elliptic curve cryptosystem.
Public key architectures are moving away from the older RSA/DSA systems (see [Lab02]
and [18600] for further details on these algorithms) towards Elliptic Curve Cryptography
(ECC). Currently, ECC algorithms are more complex than the RSA equivalent; however, ongoing
research is allowing ECC technology to be used in small devices such as smart cards. The major
benefit of ECC is the future expandability of the algorithm. Whereas the RSA algorithm requires
an extremely large key of 15360 bits for security equivalent to a 256 bit symmetric key, the ECC system
only needs a key size of 512 bits. The smaller key size requires less memory and processor
power.
Example 3.4.1. An example of an ECC algorithm is the Elliptic Curve Authentication Encryption
Scheme (EC-AES) [LeR00, Han04]. To send a message using EC-AES it is assumed
that the sender has the receiver's public key K_pub2 and the domain parameters D = (q, F, a, b, BP, n, #E(F)),
where q is the prime power (q = p or q = 2^m), F is the field representation, a, b ∈ F_q specify the
Symmetric Algorithm ECC Algorithm DSA/RSA Algorithm
Key length (bits) Key length (bits) Key length (bits)
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
Table 3.1: Comparison of key lengths for symmetric, ECC and RSA/DSA cryptographic algorithms.
curve over F_q (i.e. y^2 = x^3 + ax + b for p > 3), BP = (x_BP, y_BP) is the base point, n is the order
of BP, and the curve order #E(F) is the number of points on the curve. EC-AES uses elliptic
curve cryptography and a Key Derivation Function (KDF), such as ANSI X9.42 [Kel00], to
transport the key from sender to receiver, while the actual encryption of the message is done by
a symmetric encryption scheme, for example the AES standard [19701]. The authentication is
performed by a Message Authentication Code (MAC) such as HMAC [oST02].
To encrypt a message m, the sender needs to perform the following:
1. Select a random number k_priv1 in the range [1, n−1].
2. Calculate the sender's key pair (K_pub1, k_priv1), with K_pub1 = k_priv1 · BP.
3. Calculate the shared secret on the curve S = CO · k_priv1 · K_pub2 = (S_x, S_y), where CO = #E(F)/n is the cofactor of the curve.
4. Verify that S ≠ O.
5. Use the key derivation function to calculate the signature and encryption keys k_sign ∥ k_enc = KDF(S_x).
6. Encrypt the message using the symmetric encryption algorithm c = E_{k_enc}(m).
7. Sign the message using the MAC algorithm v = MAC_{k_sign}(c).
8. Send (K_pub1, c, v).
On the other end of the communication line, the receiver gets (K_pub1, c, v) and has the domain
parameters D. They proceed to calculate the following to retrieve the message:
1. Check that K_pub1 ≠ O.
2. Verify that the coordinates x_{K_pub1} and y_{K_pub1} are elements of F_q.
3. Confirm that K_pub1 is on the curve defined by a and b.
4. Derive the shared secret S = CO · k_priv2 · K_pub1 = (S_x, S_y).
5. Verify that S ≠ O.
6. Calculate the keys for authentication and decryption from the curve: k_auth ∥ k_dec = KDF(S_x).
7. Check that v = MAC_{k_auth}(c).
8. Decrypt the message m = DEC_{k_dec}(c).
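Steps 5-8 of the sender and 6-8 of the receiver can be sketched in Python, assuming the common secret S has already been derived on the curve. SHA-256 stands in for the ANSI X9.42 KDF, HMAC-SHA-256 for the MAC, and an XOR keystream for the symmetric cipher E/DEC; all three are illustrative substitutes, not the algorithms named in the text.

```python
# KDF / encrypt / MAC half of the EC-AES flow, with toy stand-in primitives.
import hashlib, hmac

def kdf(s_x: int) -> tuple:
    """k_sign || k_enc = KDF(S_x): split one hash into two 16-byte keys."""
    d = hashlib.sha256(s_x.to_bytes(32, "big")).digest()
    return d[:16], d[16:]

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    stream = b""
    c = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + bytes([c])).digest()
        c += 1
    return bytes(a ^ b for a, b in zip(data, stream))

S_x = 0x1234                       # assumed x-coordinate of the shared secret S
m = b"message"

k_sign, k_enc = kdf(S_x)           # step 5
c = xor_encrypt(k_enc, m)          # step 6: c = E_{k_enc}(m)
v = hmac.new(k_sign, c, hashlib.sha256).digest()   # step 7: v = MAC_{k_sign}(c)

# receiver, after deriving the same S_x:
k_auth, k_dec = kdf(S_x)                                                     # step 6
assert hmac.compare_digest(v, hmac.new(k_auth, c, hashlib.sha256).digest())  # step 7
print(xor_encrypt(k_dec, c))                                                 # step 8 -> b'message'
```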
Chapter 4
Random Numbers, Generation and Testing
4.1 Definition of a random sequence
What exactly are random numbers? Is the number 5 random? In this section we closely follow the
exposition of [Lub]. Let Σ = {0, 1} and let Σ^n denote the binary words of length n. A word u ∈ Σ^n
can be written as:
u = u_0 u_1 u_2 . . . u_{n−1}.
The objective of this paragraph is to define, among all the elements of Σ^k, which may be called random.
In the following, a sequence of events is defined as a sequence (u_n)_{n∈N} with values in a set Σ,
which will always be finite. The probability denoted by
P_e[(u_n) = x]
1. A countably infinite set is any set which, in spite of its boundlessness, can be shown equivalent to the natural
numbers [Wei].
is the empirical probability that an event is equal to x, if the following limit exists:

lim_{k→∞} S_k(x) / k,   (4.1)

with S_k(x) = |{n ≤ k : u_n = x}|. If (w_n) is a sequence of words of Σ^k, then E((w_n)) denotes the
Shannon entropy function of (w_n), defined by

E((w_n)) = Σ_{x ∈ Σ^k} P_e[(w_n) = x] log( 1 / P_e[(w_n) = x] ).
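The empirical probability (4.1) and the entropy E((w_n)) can be approximated on a finite sample. Whether W_l denotes overlapping or block-wise words is not fixed above; non-overlapping l-bit blocks and a base-2 logarithm are assumed in this sketch.

```python
# Empirical word entropy of a bit string: equals l for an equidistributed
# source of l-bit words.
from collections import Counter
from math import log2

def word_entropy(bits: str, l: int) -> float:
    words = [bits[i:i + l] for i in range(0, len(bits) - l + 1, l)]
    counts = Counter(words)             # S_k(x) for each word x
    k = len(words)
    # E = sum_x P_e[x] * log2(1 / P_e[x]), with P_e[x] approximated by S_k(x)/k
    return sum((c / k) * log2(k / c) for c in counts.values())

# all four 2-bit words equally frequent -> entropy = 2 bits
print(word_entropy("00011011" * 100, 2))   # 2.0
```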
The definition from [Knu97] can now be stated.
Definition 4.1.1. A sequence (u_n) is l-distributed for l ∈ N if E(W_l((u_n))) = l, or equivalently, if for
all x ∈ Σ^l, P_e[W_l((u_n)) = x] = (1/2)^l. A sequence (u_n) is ∞-distributed if it is l-distributed for all l ∈ N.
Temporarily, it can be stated that a sequence is random if it is ∞-distributed. In particular,
if (u_n) is a random sequence then W_k((u_n)) is an equidistributed sequence of words of Σ^k. If
a random subsequence of length k is picked from a random sequence, then the probability of
selecting a given subsequence is the same for all words in Σ^k. This illustrates well the intuitive
idea of a random phenomenon. A consequence of this is that it is impossible to precisely define
what a finite random sequence is.
The link between statistical tests and the preceding definition of a random sequence can
be shown by rewriting the definition in the terms of probability theory. For that, let
(Ω, A, P) be a probability space, defined by a finite set Ω endowed with the
discrete sigma-algebra (the one generated by all the elements of Ω) and an equidistributed positive measure P
on A of total weight 1. For this paragraph, Ω will be Σ^n, the set of binary
sequences of length n. The probability space is then denoted by (Σ^n, A_n, P_n).
A random variable is a map X : Ω → R. This endows R with the structure of a measured space,
and the induced measure is denoted, by abuse of notation, P_X. The function which maps x ∈ R
to P[X = x] = P(X^{−1}(x)) is called the law of X. This gives the following alternative definition
of a random sequence, which is just a reformulation of Definition 4.1.1.
Definition 4.1.2. A sequence (u_n) is random if for every random variable X and every x ∈ R,

P_e[X(W_k((u_n))) = x] = P[X = x].
In other words, the empirical law determined by the sequence X(u) follows the theoretical
law induced on R by the random variable under the equidistributed probability law of Σ^k. This
definition gives the general principle that underlies statistical tests for assessing whether a sequence
is random: some random variables are defined on the sets Σ^k, k being an integer, endowed with the
equidistributed probability. This gives a law on R that can be computed, or approximately
computed, thanks to results from probability theory. Most of the time, this law will
use a Gaussian or a χ^2 distribution. This law is then compared, for example using a
Kolmogorov-Smirnov test, to the empirical law obtained from the limit in (4.1), which is approximated
with a computation on a finite sample sequence.
The problem is that the preceding general principle is asymptotic by nature, as by definition
all sequences of fixed length l have the same probability of occurring in a random sequence.
Without any further hypothesis, it is not possible to distinguish a random sequence from a
non-random sequence given only a finite subsequence. It is important to remember two main ideas:
an infinite sequence can be associated with a probability distribution on the space of finite
sequences of length l, and a property of all random sequences is that their length-l words have a uniform
distribution.
As noted in [Knu97], the definition of a random sequence stated here does not capture
all the properties that may be expected from a random sequence. For instance, let u be an
∞-distributed sequence and let u^0 be the sequence deduced from u by forcing to zero the bits
of rank n^2, n ≥ 2. Then it is easy to see that the sequence u^0 is also ∞-distributed and yet is not
random, because the value of some of its bits can easily be predicted a priori. However, even if
the definition does not capture the unpredictability expected from a random sequence,
it is sufficient for the purpose of statistical tests.
The next section takes a closer look at generating random sequences and at testing whether
these generators are operating properly.
4.2 Random number generators
4.2.1 History
Progress in generating random number sequences has been significant. However, people are still
trying to devise new methods for producing fast, cryptographically secure random bits. Before
the first table of random numbers was published in 1927, researchers had to work with very slow
and simple random number generators (RNGs), like tossing a coin or rolling dice. Needless to say,
these methods were very time consuming. It was not until 1927, when Tippett published a table
of 40,000 numbers derived from census reports, that people had access to a large sequence of
random numbers.
This lack of a ready source of random number sequences led people to try to create more efficient means of producing random numbers. In 1939, the first mechanical random number machine was created by Kendall and Babington-Smith. Their machine was used to generate a table of 100,000 numbers, which was later published for further use. The practice of using
32 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING
random number machines to generate tables of random numbers continued with the publication of 1,000,000 digits by the Rand Corporation. Their generator could best be described as an electronic roulette wheel. The first version produced sequences with statistical biases. The Rand Corp. had to optimize and fix their machine, but even after this the new sequences showed a slight statistical bias. However, the random sequences were deemed good enough.
Even though tables provided researchers with a larger selection of random numbers, this method still had its drawbacks. It required large amounts of memory, since each random number had to be preloaded into memory, and it took a long time to input the data. At this point RNG research branched into two paths: the algorithmic approach and the sampling of physical systems. The algorithmic approach looked into producing random numbers using the computer's arithmetic operations, which led to the creation of deterministic random number generators, or pseudorandom number generators. Sampling of physical systems, however, looked at how to create statistically acceptable sequences from natural random sources. These random number generators are called true random number generators, since they are based on a truly random source.
Remark 4.2.1. A detailed timeline for the random number machine can be found in [Rit02].
4.2.2 Properties of random number generators
When looking at a random number generator, how is it possible to determine whether it is a source of random numbers? Four properties distinguish a random number generator from an ordinary number generator. The best way to illustrate these properties is to examine a simple random number generator: one of the most recognized and widely used RNGs, the coin toss, assuming the coin is fair.
By assigning a 0 and a 1 to the two sides of the coin, it can be used to generate a random binary sequence. One of the first properties noticed is that the result of each toss is not affected, in any way, by the previous tosses. This means that if ten ones are tossed in a row, the probability of tossing an eleventh one is still 50%. This example illustrates the property of independence: previous results do not affect future results.
Random number generators can be designed to produce any range of values, or distribution. When analyzing the output of common RNGs, the values usually fall into a uniform distribution, which means that they have an equal probability of taking any of the values in the specified range. The distribution does not need to be uniform; for some simulations a designer may wish to produce a random sequence following a normal or other distribution. For cryptographic applications, however, it is important that the distribution is uniform: a nonuniform distribution allows an attacker to concentrate on a smaller group of numbers when attacking the system.
There are physical and computational limits to the size of numbers that an RNG can create. These limitations impose a natural boundary on the RNG; once it has reached these limits, the RNG repeats its output. This defines the period of the RNG. A well-designed RNG will only be bound by the hardware limits. If the RNG is designed carelessly, there can be multiple sequence groups that the RNG could produce, with each group shorter than the ideal period.
The size of the random sequences required depends on the desired application. Cryptographic applications require relatively small sequences, in the range of 1024 bits depending on the algorithm, whereas simulations require extremely large sequences. A good example is the Monte Carlo simulation, which may require random sequences up to a billion bits in length, or even more. Therefore, RNGs need to be very efficient and must generate numbers quickly.
The next sections examine the different properties of three classes of random number generators: pseudo, true, and cryptographic random number generators. Each has its own unique requirements and restrictions.
4.2.3 Types of random number generators
Pseudorandom number generators
As mentioned in the history of RNGs (cf. Subsection 4.2.1), the development of random number generators branched with the advent of computers. Researchers looked for methods to create large random sequences using algorithms. With such algorithms, they were able to produce sequences that mimic the properties of true random generators. Since these sequences were created with a deterministic equation, they could not be called truly random. This led to a new class of generators, called pseudorandom number generators (PRNGs).
Compared to true random number generators, PRNGs are easier to implement in both hardware and software, and they also produce large sequences very quickly. In [LE98, LE01], a PRNG is described as a structure of the form (X, x_0, f, f_t, f_o, Z), where X is the finite set of states with a probability distribution μ and x_0 is the initial state, or seed.
a probability distribution on Ω^n given by the definition of the empirical probability of W_k(u). In particular, a source defines a map from the set of parameters T to the set of probability distributions on Ω^n for all n. This justifies the following definition:
Definition 4.4.1. Let T be a set of parameters; the statistical model on Ω^n is the data, for all n, of a map from T to the set of probability distributions on Ω^n.
In practice, the set of parameters can take into account the normal operation of the source as well as flaws. It is possible that the source produces sequences with good statistical properties for some values of the parameter in T and poor statistical properties for the other values of T. For instance, a physical random generator can be built so that the output bits have a bias p independent of the preceding draws: it outputs a 1 with probability p and a 0 with probability q = 1 − p. A hard-to-control production process may influence the parameter p. Therefore, a means is needed to assess the generator and reject any source that has a parameter p too far from 1/2.
4.5 Statistical (empirical) tests
Often it is not possible or feasible to look at the physical structure of the random number generator; for example, when the RNG needs to be tested before each operation. The only method to determine, to any degree of certainty, whether the device is producing statistically independent and symmetrically distributed binary digits is to examine a sample sequence of a given length n.
In [Mau92] the idea is presented that a statistical or empirical test T is an algorithm that takes as input a binary sample sequence and produces as output an accept or reject decision:

T : B^n → {accept, reject}    (4.4)

where B is the binary set {0, 1}. Using this function, all possible binary sequences x of length n, x^n = (x_1, . . . , x_n), are divided into two subsets

A_T = {s^n : T(s^n) = accept} ⊆ B^n    (4.5)

and

R_T = {s^n : T(s^n) = reject} ⊆ B^n    (4.6)

with A_T being the set of accepted (random) sequences and R_T being the set of rejected (nonrandom) sequences.
4.5.1 Hypothesis testing
The method used to determine whether a device is operating properly, as a binary symmetric
source, or is malfunctioning, is to test a parameter using the theory of hypothesis testing. The rst
step of this testing method is to calculate a test parameter by comparing the estimated parameters
from a sample sequence for the given statistical model to the parameters for a binary stationary
source. The sample is then accepted or rejected by comparing the test parameter to a probability
distribution from a binary symmetric source.
Remark 4.5.1. Randomness is a property of the device being tested, not of the finite sequence.
The researcher wishes to test the hypothesis that the device's parameter follows the parameter of the theoretical distribution. For hypothesis testing, the null hypothesis H_0 is the claim that the sequence is acceptable as random, while the alternative hypothesis H_a states that the sequence is rejected. This hypothesis is in a general form and can take on a wide variety of parameters. One example is examining the population mean μ of the sample sequence and comparing it to the mean of the distribution for a binary symmetric sequence, μ_0. The hypothesis can then be written as follows:

H_0 : μ = μ_0
H_a : μ ≠ μ_0
In order to decide between H_0 and H_a, the researcher first needs to determine the error threshold, or significance level, α. This level indicates the probability the researcher is willing to accept of rejecting a true H_0. For a significance level of α = 0.001, the probability is that one sequence in a thousand will be rejected when in fact it should be accepted. This error is also called a Type I error. The null hypothesis is rejected when

|x̄ − μ_0| / σ_0 > Z_{α/2}    (4.7)
The rejection region works by examining the sample mean and determining whether it lies too many standard deviations, more than Z_{α/2}, from μ_0. The rejection region can be seen in Figure 4.2; if the statistical test falls in this region, then the null hypothesis is rejected in favor of the alternative hypothesis.
Empirical tests described in the literature often use a value called the P-value to determine whether the sample sequence should be rejected or not. The significance level, as described in the last paragraph, is the boundary value between acceptance and rejection of the null hypothesis:

P > α : H_0 is accepted
P ≤ α : H_0 is rejected
Hypothesis testing can have two possible conclusions: the test accepts H_0 or it accepts H_a. As can be seen in Table 4.3, there are two possible errors that may arise. The Type I error has already been discussed; its probability is the significance level α of the test. The Type II error is the probability β that the device is assumed to be random when it is not. The goal of the statistical test is to minimize the possibility of both types of errors. When dealing with statistical tests, the researcher is often able to set the sample size and one of the two error probabilities, usually the Type I error. Setting these two quantities produces a β that is as small as possible. It is not possible to determine the probability β exactly, which means that it is only possible to draw a firm conclusion about the Type I error. However, if the statistical test does not fall inside the rejection region, it can only be stated that there is insufficient evidence to reject H_0. The null hypothesis is not affirmatively accepted, since there is a lack of information about the Type II error.
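As a sketch of these notions, the fragment below applies a two-sided test on the sample mean (cf. Eq. 4.7) to sequences from a simulated fair source and estimates its Type I error rate empirically. The critical value 3.2905 corresponds to α ≈ 0.001 for a two-sided normal test; the setup is illustrative, not the implementation used later in the thesis.

```python
import math
import random

Z_CRIT = 3.2905  # two-sided normal critical value for alpha ~ 0.001

def mean_test_accepts(bits):
    """Accept H0 (p = 1/2) unless the sample mean lies more than
    Z_CRIT standard deviations from its expected value."""
    n = len(bits)
    z = (sum(bits) - n / 2) / (math.sqrt(n) / 2)  # std of the sum is sqrt(n)/2
    return abs(z) <= Z_CRIT

rng = random.Random(7)
trials = 2000
rejections = sum(
    not mean_test_accepts([rng.getrandbits(1) for _ in range(1000)])
    for _ in range(trials)
)
type1_rate = rejections / trials  # should be close to alpha ~ 0.001
```

The empirical rejection rate on a fair source approximates α; the Type II error rate β could only be estimated by also simulating a specific faulty source.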
4.6 Some examples of statistical models on Ω^n
This section presents some statistical models currently used (sometimes implicitly) in the definition of random sequence tests. Further information can be found in [Mau92, Lub].
A random variable X is said to be binary if its values are in the set B = {0, 1}. In that case, the probability distribution defined on B is given by a unique parameter called the bias of X, which is by definition P[X = 1]. Let X_1, . . . , X_n, . . . be a sequence of independent binary random variables. They define a probability distribution on Ω^n. When all these random variables have the same bias p, this distribution depends only on the parameter p.
This model describes a Binary Memoryless Source (BMS) that outputs independent random variables with a bias p. As stated, a BMS defines a probability distribution on the sets Ω^n depending on the parameter p, and is therefore a statistical model on Ω^n. A particular case of a BMS is the binary symmetric memoryless channel, which corresponds to the parameter p = 1/2.
Another model is the Source Transition (ST) that outputs a sequence of binary random variables X_1, . . . , X_n, . . . of parameter 1/2 such that P[X_i + X_{i+1} = 1] = p and P[X_i + X_{i+1} = 0] = 1 − p for i ∈ ℕ.
More generally, a source can produce a sequence of binary random variables X_1, . . . , X_n, . . . such that the conditional probability of X_n given X_1, X_2, . . . , X_{n−1} depends only on the last m bits, i.e., such that

P_{X_n | X_{n−1} . . . X_1}(x_n | x_{n−1} . . . x_1) = P_{X_n | X_{n−1} . . . X_{n−m}}(x_n | x_{n−1} . . . x_{n−m}).    (4.8)
The least m satisfying this property is called the memory of the source S, and Σ_n = [X_{n−1}, . . . , X_{n−m}] is the state at time n. Therefore, taking the sequence (X_n)_{n∈ℕ} is equivalent to considering an initial state, represented by the trivial random variables [X_{−m}, . . . , X_0] (their weight being totally concentrated on 0 or 1), together with a probability distribution P_{Σ_n|Σ_{n−1}} for the transition of states, for all n greater than m. If this last probability is independent of n, then the source is classified as stationary. So, a stationary source is completely described by its initial state and P_{Σ_{m+1}|Σ_m}.
The set of states is a particular case of a Markov chain², with the restriction that each state can have only two successors. If this Markov chain has the property that every sizable sample is an equal representative of the whole sequence (ergodicity), the probability distribution on the set of states converges towards a limit. Let the integers between 0 and 2^m − 1 represent the set of possible states of the source. Using the Chapman-Kolmogorov equations, which are equivalent to the identity on transition densities, gives:

lim_{n→+∞} P_n(j) = p_j

² Definition from Merriam-Webster [Mis95]: "Usually a discrete stochastic process (as a random walk) in which the probabilities of occurrence of various future states depend only on the present state of the system or on the immediately preceding state and not on the path by which the present state was achieved."
where the p_j are the solutions of a system of 2^m equations:

Σ_{j=0}^{2^m−1} p_j = 1,    (4.9)

p_j = Σ_{k=0}^{2^m−1} P_{Σ_2|Σ_1}(j | k) p_k,    0 ≤ j ≤ 2^m − 2.    (4.10)
There are two interesting points to consider with the statistical model of ergodic stationary sources:
- this model seems to be the most general of the models presented; in particular, it contains the BMS and ST models.
- this model has been extensively studied in the field of information theory; in particular, it is possible to compute its entropy.
4.7 Hypothesis testing and random sequences
The previous section stated that statistical models can be used to perform statistical tests on a binary sequence. From [Lub], the link between the theory of hypothesis testing and random sequences is given as follows:
- a statistical model is adapted to the device that is under test (e.g. a random number generator);
- the null hypothesis H_0 is chosen such that the model parameters are verified if the random input variables are Bernoulli variables with a parameter of 1/2; and
- the alternative hypothesis is a large deviation of the parameter from 1/2.
For example, if it is known that the statistical model of the device is a BMS, the monobit frequency test can be used on its own: this is the best test associated with this model. It may happen that the statistical model is more general and includes several different tests. For instance, the BMS is contained in the general model of a stationary ergodic source with a certain amount of memory. In this case, the advantage of the more specific test is that it is more powerful; however, it may not discover deviations in the parameters that it does not control. Therefore, it is important to first use the more specific tests and then the more general ones. This amounts to restraining the variance, in some direction, of the parameter space.
In general, the use of the techniques of hypothesis testing to verify the random quality of a source is characterized by:
- the choice of a statistical model based on the operation of the device;
- the use of only a small number of tests (one or maybe two) that are associated with the statistical model.
It should be pointed out that this general technique does not describe the whole set of available procedures for testing a random number generator. It is apparent that it is difficult to attach a statistical model to some tests that are widely published and recommended. Moreover, in the available test suites it is quite common to use many different tests. In practice, it is often difficult to prove that a certain physical device corresponds to a given statistical model, apart from very general models, which then leads to tests of very poor quality.
In cases where no statistical model is available, it is possible to use the property that the estimators computed by the tests are consistent. Then, under the assumption of the Bernoulli distribution with a parameter equal to 1/2 (BSS), the property that the sequence is ∞-distributed can be checked by the convergence in probability of certain estimators. Therefore, it is possible to use a group of several tests, so that each of them, with a given probability, outputs a pass for a random sequence. It should be noted that it is not easy to compute the rejection rate of a full test suite, because the estimators of different tests are often strongly dependent. This rate can, nevertheless, be estimated by stochastic simulations.
The reader should keep in mind that, if the device is not provided with a statistical model and if the statistical tests cannot be interpreted with respect to the cryptographic use of the random sequence, the rejection zone selected by the statistical tests is totally arbitrary. If a statistical model is available, the rejection zone is chosen to contain most of the probability weight when the device is faulty. But, if this statistical model is unknown, it may happen, on the contrary, that the rejection zone contains sequences with a low probability of appearance: this means that the probability of passing the test is higher when the device is faulty. In this respect, a statistical test is nothing but a convenient way to choose a certain proportion of sequences in the set of all binary sequences of a given length. In particular, if the tests do not pass, it is difficult to pronounce, with any degree of certainty, on a systematic interpretation of the result of the tests.
It is also important to realize that a randomness test may undermine cryptographic security in some applications. The problem is that, if a statistical test is used to filter the output stream of a random generator, it introduces a bias that is very easy to detect using the same test. A practical example is given to draw the reader's attention to this topic.
Example 4.7.1. A user may want to encipher the contents of a hard drive using a strong symmetric encryption function. It may be required that an intruder, who does not possess the secret key, is not able to distinguish the written sectors of the hard drive from the blank ones. One way to implement this functionality is to consider the symmetric encryption function as a pseudorandom function. Therefore, a random number generator can be used to write random noise on the non-written sectors of the hard drive. If the output of this random number generator is filtered by a statistical test with, for instance, a rejection rate of 1%, then 1% of the sequences of a given length will never appear in the non-written sectors of the hard drive, but will be present in the written sectors. This allows an attacker to find the distinguishing point between the written and non-written sectors easily.
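The effect described in Example 4.7.1 can be sketched numerically: filtering a fair generator with a monobit test (here at a rejection rate of roughly 1%) produces a stream on which that test never fails, which is exactly the statistical fingerprint an attacker looks for. The threshold and sequence sizes below are illustrative assumptions.

```python
import math
import random

def monobit_passes(bits, z_crit=2.5758):  # z for a rejection rate near 1%
    n = len(bits)
    return abs(sum(bits) - n / 2) / (math.sqrt(n) / 2) <= z_crit

def draw(rng, n):
    return [rng.getrandbits(1) for _ in range(n)]

def draw_filtered(rng, n):
    """Redraw until the monobit test passes, as a filtering RNG would."""
    while True:
        seq = draw(rng, n)
        if monobit_passes(seq):
            return seq

rng = random.Random(42)
raw = [draw(rng, 128) for _ in range(5000)]
filtered = [draw_filtered(rng, 128) for _ in range(5000)]
raw_failures = sum(not monobit_passes(s) for s in raw)            # about 1%
filtered_failures = sum(not monobit_passes(s) for s in filtered)  # 0 by construction
```

The filtered stream is distinguishable precisely because its failure rate under the filtering test is exactly zero instead of the expected 1%.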
4.8 Empirical test examples for binary sequences
Frequency Test
A test that counts the number of ones in a sequence is an example of an empirical test based on the random walk. The random walk Y_n is the sum of independent Bernoulli random variables X_i. It can be written:

Y_n = Σ_{i=1}^{n} X_i    (4.11)
Using the Central Limit Theorem and the De Moivre-Laplace Theorem, a binomial sum, normalized by √n, follows a normal distribution if the sample size n is large. This can be written as:

lim_{n→∞} P( Y_n / √n ≤ y ) = (1/√(2π)) ∫_{−∞}^{y} e^{−h²/2} dh = f(y)    (4.12)

This theory is the basis for one of the simplest but most important statistical tests, the frequency (monobit) test. The null hypothesis for this test states that a sequence of independent, identically distributed Bernoulli variables has a probability

P(X_i = 1) = 0.5.
As mentioned in previous sections, this statistical test is based on the model of a binary memoryless source. An implementation of this theory as a statistical test is presented in Section 5.1.1.
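A software sketch of the monobit test, using the normal limit above to compute a P-value via the complementary error function and the decision rule P > α from Section 4.5.1. This is an illustration only, not the hardware implementation of Section 5.1.1.

```python
import math

def monobit_test(bits, alpha=0.01):
    """Frequency (monobit) test. Mapping bits to +/-1 makes the random
    walk Y_n zero-mean under H0, so Y_n / sqrt(n) is approximately
    standard normal and a two-sided P-value follows from erfc."""
    n = len(bits)
    y_n = 2 * sum(bits) - n                        # sum of +/-1 steps
    p_value = math.erfc(abs(y_n) / math.sqrt(2 * n))
    return p_value > alpha                         # True: accept H0
```

A balanced sequence is accepted, while a constant sequence yields a P-value near zero and is rejected.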
Another implementation of the random walk is a variation on the previous frequency test called the frequency block test. This test performs multiple frequency tests on smaller, equally sized subsequences of the main sample sequence, which detects localized deviations from randomness. The sample sequence is divided into n sets of m bits, and the number of ones in each m-bit block is counted, π_i. A test characteristic is then calculated using the following formula:

X_obs = 4m Σ_{i=1}^{n} ( π_i/m − 1/2 )²    (4.13)

The observed characteristic is compared to a theoretical limit to determine if the sequence is acceptable as random. The implementation of this test is presented in Section 5.1.2.
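The block variant can be sketched directly from Eq. (4.13); the comparison against a χ² limit is left to the caller, since the limit depends on the number of blocks.

```python
def block_frequency_statistic(bits, m):
    """Compute X_obs = 4m * sum_i (pi_i / m - 1/2)^2, where pi_i is the
    number of ones in the i-th complete m-bit block (cf. Eq. 4.13)."""
    n_blocks = len(bits) // m
    total = 0.0
    for i in range(n_blocks):
        ones = sum(bits[i * m:(i + 1) * m])        # pi_i for block i
        total += (ones / m - 0.5) ** 2
    return 4 * m * total   # compare to a chi-square limit with n_blocks d.f.
```

Perfectly balanced blocks give a statistic of zero; all-ones blocks inflate it.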
Runs Test
The runs test is a group of tests based on the bit oscillation in a sequence. There are many published definitions of runs (see [Knu97, Feh68, AJJ+, APS96, And00, Ent98]). The data type, binary or real, determines the runs definition that should be used. One of the earliest definitions of runs for randomness testing was published in 1944 by Wolfowitz. Given a sequence X_1 = (x_1, . . . , x_n), a second sequence X_2 can be formed by taking the sign of the difference between two adjacent numbers, x_{i+1} − x_i, 1 ≤ i ≤ n − 1. An example of this is:

X_1 = (7, 4, 1, 0, 5, 2, 8, 9, 6, 0)

which converts to

X_2 = (−, −, −, +, −, +, +, −, −).

A + is treated as a run up, while a − is considered a run down, with l being the length of each run subsequence. Various statistical tests for real numbers use this definition.
Another definition of a run was published by Knuth [Knu97]. He examines real number sequences and defines a run as the length l of a trend in a sequence X, the trend being either increasing or decreasing. Given a sequence X = (x_1, . . . , x_n), each pair of neighboring numbers, x_i and x_{i+1}, is compared, and a vertical line is used to divide the numbers into groups whenever x_i > x_{i+1}. Using the previous example sequence X_1, we obtain:

|7|4|1|0, 5|2, 8, 9|6|0|.
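Knuth's vertical-bar decomposition is easy to reproduce in code; the sketch below splits a sequence into ascending runs by cutting wherever x_i > x_{i+1}.

```python
def runs_up(xs):
    """Split a sequence into ascending runs, placing a dividing line
    wherever x[i] > x[i+1] (Knuth's vertical-bar rule)."""
    runs, current = [], [xs[0]]
    for prev, cur in zip(xs, xs[1:]):
        if prev > cur:
            runs.append(current)   # close the current run
            current = [cur]
        else:
            current.append(cur)    # the ascending trend continues
    runs.append(current)
    return runs

X1 = [7, 4, 1, 0, 5, 2, 8, 9, 6, 0]
lengths = [len(r) for r in runs_up(X1)]  # [1, 1, 1, 2, 3, 1, 1]
```

The run lengths reproduce the hand count for this example: five runs of length 1, one of length 2, and one of length 3.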
Counting the runs of lengths one to three, there are five runs of length 1, one run of length 2, and one run of length 3. Adjacent runs are not independent, since a long run tends to be followed by a short run; therefore, the χ² test cannot be applied directly, and a new random variable needs to be defined. The indicator variable Z_{li}, 1 ≤ i ≤ n, marks whether a run of length l ends at position i, so that R_l = Σ_{i=1}^{n} Z_{li} counts the number of runs of length l in the sequence. With Q_l = R_l − E(R_l), these values are used to calculate the test statistic for a χ² test with t degrees of freedom:

X_obs = Σ_{i,j=1}^{t} Q_i Q_j a_{ij},    (4.14)
where the matrix A = (a_{ij}) is the inverse of the matrix C = covar(R_l, R_m), 1 ≤ l, m ≤ t. Denoting by R′_l the number of runs of length at least l, the covariance matrix C and the mean E(R_l) are calculated using the following relations:

E(R_l) = E(R′_l) − E(R′_{l+1})

covar(R_l, R′_m) = covar(R′_l, R′_m) − covar(R′_{l+1}, R′_m)

covar(R_l, R_m) = covar(R_l, R′_m) − covar(R_l, R′_{m+1})
To calculate E(R′_l) and covar(R′_l, R′_m), the following relations hold:

E(R′_l) = (n + 1) l / (l + 1)! − (l − 1) / l!,    1 ≤ l ≤ n

covar(R′_l, R′_m) =
    E(R′_t) + f(l, m, n),              if l + m ≤ n
    E(R′_t) − E(R′_l) E(R′_m),         if l + m > n

where

s = l + m,    t = max(l, m),

and

f(l, m, n) = (n + 1) [ (s(1 − lm) + lm) / ((l + 1)!(m + 1)!) − 2s / (s + 1)! ] + . . .    (4.15)

with the remaining correction terms of f(l, m, n) as given in [Knu97].
Another definition of a run is found in [Feh68], where Feller provides a definition for runs of Bernoulli trials.

Definition 4.8.1. A sequence of n bits contains as many runs of ones of length r as there are non-overlapping uninterrupted blocks containing exactly r bits [Feh68]. Each run length is counted from the beginning of the sequence.

An example runs count using this definition is seen in the following sample sequence:

1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0.    (4.16)
This sequence has ten runs of length one, five runs of length two, three runs of length three, two runs of length four, one run of length five, and one run of length six or more. Using Definition 4.8.1, a test statistic for analyzing the randomness of the sequences is

X_obs = ( N_r(obs) − n μ_r ) / ( σ_r √n )    (4.17)

with N_r being the number of runs of length r in a sequence of n bits, and μ_r and σ_r² the per-bit mean and variance of this count. The statistic for Feller's definition follows a normal distribution as n → ∞.
The runs test used in this thesis comes from [APS96] and has been chosen (see Section 5.1.3) due to its ease of implementation in hardware and software. The definition of a run in [APS96] is similar to Definition 4.8.1; however, each run is only counted once during the sequence. Also, the numbers of runs of zeros (Gap) and of ones (Blk) are both used in the calculation of the test statistic. For example, in sequence 4.16 the runs of ones are: one run of length four and one run of length six, while for the runs of zeros there are two runs of length one. This statistical test examines the difference between the expected run counts

e_r = (n − r + 3) / 2^{r+2},    1 ≤ r < k,

and the sampled run counts, Blk_r and Gap_r:

X_obs = Σ_{r=1}^{k} (Blk_r − e_r)² / e_r + Σ_{r=1}^{k} (Gap_r − e_r)² / e_r    (4.18)

which approximately follows a χ² distribution with 2k − 2 degrees of freedom.
The turning point test is another type of runs test, found in [Gop93]. This test counts the number of turning points (peaks and troughs) in a sequence. To calculate the test statistic, the number of samples tested needs to be large. The large sample allows the assumption of a normal distribution with a mean of μ = (2/3)(n − 2) and a variance of σ² = (16n − 29)/90. The test characteristic can be calculated as follows:

X_obs = ( T(obs) − μ ) / σ    (4.19)

where T(obs) is the observed number of turning points. The hardware and software implementation of the turning point test is presented in Section 5.1.7.
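A sketch of the turning point statistic, using the mean and variance quoted above; the turning point count tallies interior points that are strict peaks or troughs.

```python
import math

def turning_point_statistic(xs):
    """Normalized turning point count, with mean 2(n-2)/3 and
    variance (16n - 29)/90 under the randomness hypothesis."""
    n = len(xs)
    t_obs = sum(
        1 for i in range(1, n - 1)
        if (xs[i - 1] < xs[i] > xs[i + 1]) or (xs[i - 1] > xs[i] < xs[i + 1])
    )
    mu = 2 * (n - 2) / 3
    sigma = math.sqrt((16 * n - 29) / 90)
    return (t_obs - mu) / sigma
```

A monotonic sequence has no turning points and a strictly alternating one turns at every interior point; both land far outside any reasonable acceptance region.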
Figure 4.3: Longest runs at 20000 bits sample probability distribution using 5000 samples.
Longest runs test
This test is included in the FIPS 140-2 test group, where a maximum run length of 26 is given for 20000 bits. However, only this value and a significance level of 0.0001 are given, without any other background information. This presents a problem when trying to determine the maximum lengths for sequences other than 20000 bits. To overcome this problem, an experiment was performed to determine the maximum run length distributions for different test sequence lengths. This experiment was programmed in Matlab™ with samples of 50000 sequences, ranging in length from 25 to 100000 bits (the lengths used in the simulator from Chapter 6). The sample sequences required a random number source, in this case the pseudorandom generator provided by Matlab™ (see Section 6.2.2 for a description of this generator). For each length, the longest run of each of the 50000 sample sequences was calculated, and from these the probability distribution of the longest run was computed and plotted; see Figure 4.3 for an example probability distribution at 20000 bits and 5000 samples. Figure 4.3 shows a zoomed-in view of the probability distribution. Using this distribution it was possible to calculate the point x where the probability P(X ≤ x) = 1 − α.
The experimental significance level was initially published as α = 0.0001 by NIST; however, further study by FDK Corp. [Vit03] revealed that the actual significance level used was α = 0.000298. This new value was used as the limit in the experiment (see Table 4.4 for the maximum run lengths). The results from this table were used in the software and hardware implementations of the longest runs test presented in Section 4.8.
There are a variety of ways to calculate the longest run; the method used in this thesis is to keep track of the longest run of either zeros or ones in the sequence. Another method, published by the FDK Corp. [Vit03], looks at the probability P_n(λ) of a run longer than λ appearing in an n-bit stream. This information can be used to calculate the probability M_n(λ) that the longest run appearing in n bits has length exactly λ:

M_n(λ) = P_n(λ) − P_n(λ + 1).

Further information on this second method for calculating the longest runs can be found in [Vit03].

Sequence length    Maximum run length
25                 14
50                 15
75                 16
100                17
250                19
500                19
1000               21
2500               21
5000               22
10000              23
15000              23
20000              25
30000              26
50000              26
100000             27

Table 4.4: Maximum run length for the given sample sequence length.
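The first method (tracking the longest run of either symbol) and the Monte Carlo estimation of run-length limits can be sketched as follows. The sample counts here are kept small for illustration, unlike the 50000-sequence Matlab experiment described above.

```python
import itertools
import random

def longest_run(bits):
    """Length of the longest run of identical bits (zeros or ones)."""
    return max(len(list(group)) for _, group in itertools.groupby(bits))

def estimate_run_limit(n, samples, quantile, rng):
    """Empirical quantile of the longest-run distribution for n-bit
    sequences, estimated from `samples` pseudorandom draws."""
    runs = sorted(
        longest_run([rng.getrandbits(1) for _ in range(n)])
        for _ in range(samples)
    )
    return runs[min(int(quantile * samples), samples - 1)]

limit_100 = estimate_run_limit(100, 200, 0.999, random.Random(3))
```

With far more samples, the estimated limits approach the values of Table 4.4.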
Autocorrelation
Visually, it is possible to detect regular waveforms as non-random. How can this property be automated for randomness testing in applications? One method is to compare the signal with a shifted copy of itself, which is the autocorrelation function. A random sequence has very little correlation with any shifted copy of itself.
The autocorrelation test, as described in [APS96], checks for the correlation between the current sequence and a shifted version of it. A sample sequence is XORed with a version of itself delayed by d bits. For a large sample size n with n − d ≥ 10, the test statistic is assumed to follow a normal distribution. The test characteristic is calculated using the following formulas:

A(d) = Σ_{i=0}^{n−d−1} s_i ⊕ s_{i+d}    (4.20)

X_obs = 2 ( A(d) − (n − d)/2 ) / √(n − d)    (4.21)
Pattern Matching Tests
A non-overlapping pattern matching test is the poker test, also called the k-tuple test. There are many variations of this test, with the two best known published in [APS96] and [Knu97]. More focus is placed on the poker test from [APS96], since it is ideally suited for binary data.
The poker test is modeled on the χ² distribution. In general, the poker test takes k independent observations and sorts them into g categories. The probability of a particular category being observed is denoted p_s, with x_s being the actual number of observations for category s. This allows building the statistic from the χ² formula:

X_obs = Σ_{s=1}^{g} (x_s − k p_s)² / (k p_s).    (4.22)
This is the general form of the χ² statistic; however, this thesis uses a modified form for binary data.
The number of categories g for a binary sequence is selected to match subsequences of bit length m; this gives g = 2^m categories. A sequence is subdivided into k independent observations with k = ⌊n/m⌋, where n is the number of bits in the full sequence. For a random binary sequence, each category has an equal probability of appearing, p_s = 1/2^m. Expanding (x_s − k p_s)² = x_s² − 2 k p_s x_s + k² p_s² and using the relations

x_1 + x_2 + . . . + x_g = k
p_1 + p_2 + . . . + p_g = 1

allows Equation 4.22 to be rewritten as

X_obs = Σ_{s=1}^{2^m} ( x_s − k/2^m )² / ( k/2^m )

and then as

X_obs = (2^m / k) Σ_{s=1}^{2^m} x_s² − k.

There are 2^m categories; therefore, the statistic X_obs follows a χ² distribution with ν = 2^m − 1 degrees of freedom. If the subsequence length m is reduced to 1, then the test is the frequency test [APS96].
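The simplified binary form above reduces to counting non-overlapping m-bit groups, as in this sketch; the comparison against the χ² limit with 2^m − 1 degrees of freedom is left to the caller.

```python
def poker_statistic(bits, m):
    """X_obs = (2^m / k) * sum_s x_s^2 - k over the k = floor(n/m)
    non-overlapping m-bit groups, with x_s the count of pattern s."""
    k = len(bits) // m
    counts = {}
    for i in range(k):
        pattern = tuple(bits[i * m:(i + 1) * m])
        counts[pattern] = counts.get(pattern, 0) + 1
    return (2 ** m / k) * sum(c * c for c in counts.values()) - k
```

When every pattern appears equally often the statistic is zero; a sequence concentrated on a single pattern inflates it.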
The overlapping m-tuple test is another pattern counting test. However, in this case the counted patterns overlap: the pattern counted is selected by shifting the window one bit with each new input. The particular test implemented and studied in this thesis is the 2-tuple test, or serial test.
In general, for a vector (i_1, \ldots, i_m) of length m there are 2^m possible binary values. Let n_{i_1,\ldots,i_m} be the count for each pattern (i_1, \ldots, i_m). Since each count n_{i_1,\ldots,i_m} is dependent on the
4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 51
other counts n_{i_1,\ldots,i_m}, the standard Pearson χ² statistic

\psi_m^2 = \frac{2^m}{n_m} \sum_{(i_1,\ldots,i_m)} n_{i_1,\ldots,i_m}^2 - n_m \qquad (n_m = n - m + 1)
is not appropriate as a random generator test. However, L'Ecuyer et al. [LE02] and Rukhin [And00] show that

\nabla\psi_m^2 = \psi_m^2 - \psi_{m-1}^2 = \left( \frac{2^m}{n_m} \sum_{(j_1,\ldots,j_m)} n_{j_1,\ldots,j_m}^2 - n_m \right) - \left( \frac{2^{m-1}}{n_{m-1}} \sum_{(i_1,\ldots,i_{m-1})} n_{i_1,\ldots,i_{m-1}}^2 - n_{m-1} \right)
approximately follows a χ² distribution with 2^{m-1} degrees of freedom. For the specific serial test implemented in this thesis the vector length is set to m = 2, which gives

\nabla\psi_2^2 = \psi_2^2 - \psi_1^2

with

n_2 = n_{00} + n_{01} + n_{10} + n_{11} = n - 1

and

n_1 = n.

Using these values the χ² test statistic can be found:

X_{obs} = \nabla\psi_2^2 = \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1
with 2 degrees of freedom. This form of the serial test can be found in [APS96] and is the version
implemented in hardware in the next chapter.
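This form of the statistic lends itself to a direct software check. The Python sketch below (illustrative; names are ours) counts the overlapping pairs and evaluates the formula on the 100-bit example sequence from Example 4.8.2, giving X_obs ≈ 7.54:

```python
def serial_statistic(bits: str) -> float:
    """Serial (overlapping 2-tuple) test statistic for m = 2:
    X_obs = 4/(n-1)*(n00^2+n01^2+n10^2+n11^2) - 2/n*(n0^2+n1^2) + 1."""
    n = len(bits)
    ones = bits.count("1")
    zeros = n - ones
    pair_counts = {"00": 0, "01": 0, "10": 0, "11": 0}
    for i in range(n - 1):           # overlapping pairs, shifted one bit each step
        pair_counts[bits[i:i + 2]] += 1
    s2 = sum(c * c for c in pair_counts.values())
    return 4 / (n - 1) * s2 - 2 / n * (zeros ** 2 + ones ** 2) + 1

seq = "1010110010111100110100100" * 4   # example sequence from Example 4.8.2
x_obs = serial_statistic(seq)
```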
Example 4.8.2. Random Number Generator Test Example
The eight tests described in the previous paragraphs are used here in an example of testing a random number generator. The input string is a binary sequence of 100 bits, formed by concatenating the following 25-bit sequence four times:
1010110010111100110100100.
1. Frequency test: n_0 = 48 and n_1 = 52.
2. Serial test: n_0 = 48, n_1 = 52, n_{00} = 16, n_{01} = 32, n_{10} = 31, n_{11} = 20, giving X_{obs} = 7.54.
3. Longest Runs test: Longest run is 4.
4. Autocorrelation test: d = 4, sum = 61 and X_{obs} = 2.65.
5. Poker test: m = 4 with the following patterns:

Pattern   # of Occurrences
0000      0
0001      0
0010      3
0011      1
0100      2
0101      3
0110      2
0111      1
1000      0
1001      4
1010      2
1011      2
1100      2
1101      1
1110      1
1111      1

giving X_{obs} = 12.76.
6. Frequency Block test: m = 4 (block length)

\sum_{i=1}^{N} \left(\pi_i - \frac{1}{2}\right)^2 = 0.87

where π_i is the proportion of ones in block i and N the number of blocks, giving X_{obs} = 14.
7. Turning Point test: μ = 6.67, σ² = 1.81, giving X_{obs} = 1.98.
8. Runs test: X_{obs} = 34.25

Runs of 0              Runs of 1
Length   Occurrence    Length   Occurrence
1        16            1        20
2        16            2        8
3        0             3        0
4        0             4        4
5        0             5        0
6+       0             6+       0
The following table shows each test's threshold value, the observed χ² value or test result, and whether the test has passed or failed the generator (a pass requires X_{obs} < X_{threshold}):

Test             Observed Value     Threshold Value                        Pass / Fail
Frequency        n_1 = 52           n_1_lower = 35, n_1_upper = 64         Pass
Serial           X_obs = 7.54       X_threshold = 9.21                     Pass
Longest Runs     longest run = 4    max. run length = 17                   Pass
Autocorrelation  X_obs = 2.65       X_threshold = 2.57                     Fail
Runs             X_obs = 34.25      X_threshold = 23.21                    Fail
Poker            X_obs = 12.76      X_threshold_lower = 4.60,              Pass
                                    X_threshold_upper = 32.80
Frequency Block  X_obs = 14         X_threshold = 44.31                    Pass
Turning Point    X_obs = 1.98      X_threshold = 2.58                      Pass
The empirical tests presented here are only a small fraction of what is available in the literature. Three popular test suites that incorporate the tests presented here, plus many more, are: the NIST Statistical Test Suite [AJJ+], the Diehard Battery of Stringent Statistical Randomness Tests [Mar95], and ENT: A Pseudorandom Number Sequence Test Program [Wal98]. Some of these tests are not practical for a smart card environment. Only the tests that are possible on a smart card have been studied further.
Chapter 5
Hardware Implementation
5.1 Hardware Design
The theory behind each of the selected tests has been extensively covered in the preceding chapters (see Chapter 4.8). For most designers a software implementation of each of the RNG tests is perfectly acceptable; however, for some applications this is not the case. For example, smart cards need to perform the tests while the processor is being initialized; therefore, the test package must run while the rest of the processor is still initializing, and the RNG together with its testing unit has to be a self-sufficient unit. Most published RNG tests have been designed for a software implementation, and where hardware implementations do exist, their requirements far exceed what is possible on modern smart cards.
From Chapter 2.3.2 we see that the area requirement for the complete smart card circuit is approximately 25 mm². Most of that area is needed for memory cells; therefore, area is at a premium. Even though area is very important to smart card processor designers, they are even more concerned with the power consumption of the design. With the advent of the wireless smart card, which receives its supply voltage through induction, any card design requires a very low power consumption, and additional security modules must keep their power consumption low as well.
We have mentioned that area and power consumption are very important to the designer; however, there is one last hardware characteristic that needs to be examined: the time delay of the circuit. This value indicates how quickly the test is able to run. With a known sequence length and the time delay of the circuit, the processing time for the full test can be calculated. The initialization phase in a smart card lasts two seconds, and during that time the RNG test unit must have the RNG produce a sequence of bits and also test the resulting sequence.
This chapter begins by presenting the hardware implementation for each of the RNG tests. Using Synopsys™ tools and VHDL, each of the tests has been simulated and synthesized. The results from the analysis of area, power consumption and time delay are then presented.
56 CHAPTER 5. HARDWARE IMPLEMENTATION
Figure 5.1: Test unit input and output (inputs Din, Clk, Start, Reset; outputs Result, Bits_Over; internally a counter and a comparator).
5.1.1 Frequency Test
The rst test that has been implemented in hardware is the frequency test. The basic test unit (see
Figure 5.1) has as input the test data D
in
, the clock Clk, the reset signal Reset, and a start signal
Start. There are two output signals: the Bits_over signal tells the rest of the test unit when it has
nished testing, and a pass or fail is waiting at the output Result signal.
The internal diagram of the frequency test can be seen in Figure 5.2. The resulting test
circuit is a four state device, which begins counting when the start signal goes high. There is
an asynchronous reset built in the device should it need to be reset at any stage along the state
diagram. The third state is achieved once the count reaches its limit, which is 20000 bits in this
example. This number can be adjusted at the design stage to t the required test length. In the
third state, a test is performed to check if the count of ones is in range. If so, a 1 is outputted to
indicate a pass, otherwise a 0 is outputted for a fail.
With a sufficient test length the frequency test follows a χ² distribution with ν = 1 degree of freedom. Using this information it is possible to precalculate the limits for a given bit length, in this example n = 20000. The limits calculation is as follows:

x = F^{-1}(p \mid \nu) = \{ x : F(x \mid \nu) = p \}

where

p = F(x \mid \nu) = \int_0^x \frac{t^{(\nu-2)/2}\, e^{-t/2}}{2^{\nu/2}\,\Gamma(\nu/2)}\, dt

and

\Gamma(a) = \int_0^\infty t^{a-1} e^{-t}\, dt.

Using these formulas, the characteristic limit X_{lim} for a probability of p = 1 - α = 1 - 0.0001 with one degree of freedom is:

X_{lim} = F^{-1}(1 - 0.0001 \mid 1) = 19.5114
5.1. HARDWARE DESIGN 57
States: 1) WAIT_FOR_START, 2) READ_BITS, 3) OUTPUT, 4) HALT.
Figure 5.2: State diagram for the frequency test (Start = 1 moves from state 1 to 2, Count > 20000 from 2 to 3, and Reset = 1 returns to state 1 from any state).
X_{lim} = \frac{(n_0 - n_1)^2}{n}

which, for n = 20000, gives the acceptance range on the count of ones:

9688 < n_1 < 10312
5.1.2 Frequency Block Test
The frequency block test is very similar to the frequency test, since it calculates for each given
block the frequency test. The state diagram for the internal frequency test on each block is the
same as the frequency test with only one large block for the full test sequence. The input and
output signals for this test are also the same as the frequency test (see Figure 5.1).
The design difference between the frequency and the frequency block test is how it handles
the frequency test results of the subsequences. Figure 5.3 shows the owchart for the frequency
block test, and Figure 5.4 shows the output owchart. A bit counter (Count) keeps track of the
full test sequence length, and for this implementation as long as the sequence is less than or equal
to 20000 the testing can continue. The next counter is for the subsequence (Blockcount). When
the 100th bit is reached it can be tested, and its result is added to a running sum. After the full
bit sequence is processed a total sum value is calculated and compared to a precalculated value.
If the sum is less than the value, the result signal is set to 1, and if it is over the value, it is set
to 0.
The precalculated value depends on the significance level α and the bit sequence length, and can
Figure 5.3: Frequency block test flowchart.
Figure 5.4: Frequency block test output flowchart (Result = 1 if 9725 < Rcount < 10275, else Result = 0).
Algorithm 2 X_{lim} calculation for the runs test.
X_{lim} = gaminv(1 - α, ν), where ν = 2k - 2 and k is the number of run-length groups (6)
X_{lim} = gaminv(1 - 0.0001, 10)
X_{lim} = 35.56
be calculated as follows:

X_{lim} = F^{-1}(p \mid a, b) = \{ x : F(x \mid a, b) = p \}

\frac{X_{lim}}{2} = gaminv\left(1 - \alpha, \frac{N}{2}\right)

X_{lim} = 2 \cdot gaminv\left(1 - 0.0001, \frac{200}{2}\right)

X_{lim} = 249.4
Therefore, the observed test statistic needs to be below 249.4 in order for the test to determine it
as a pass.
5.1.3 Runs Test
The runs test is a more complex test than the previous two tests. Its state diagram is shown in
Figure 5.5. The runs test module has the same inputs and outputs as the other two tests (see
Figure 5.1). However, internally it has many more states. Depending on the rst bit in the run,
either the S
1
S
6
(D
in
= 1) or the S
12
S
7
(D
in
= 0) branch is followed. If the next bit is the
same as the last bit, then the state branch is followed until either the input bit changes or it reaches
states S
6
or S
7
. If it reaches either of these points, the input length is treated as a run of six even
if it is longer. Whenever a change in the input bit occurs the counter for that state is incremented
(z
1
. . . z
6
) and (e
1
. . . e
6
). A main counter (Count) is used to count the testing sequence length.
The bits_over signal is set high at the end of the test and the test unit can read the results from
the result signal. Using Algorithm 2 the
2
obs
value is calculated and compared to a precalculated
range. If it falls within this range, the test outputs a pass else a fail is outputted.
5.1.4 Longest Runs Test
The longest runs test is a variation on the runs test, in which case the longest run in the sequence
is found and the counted length is saved. A precalculated boundary value for the given test
sequence length is compared to the samples longest run. Should the samples sequence have a
run longer than the boundary value, the test outputs a fail, else it outputs a pass. The boundary
values are given in Table 4.4 in Section 4.8.
Figure 5.5: Runs test state diagram.
Figure 5.6: Poker and autocorrelation test state diagram (states: Wait_for_start, Read_bits, Read_bits_set, Output, Halt).
The external structure of the longest runs test is the same as for the previous tests (see Figure 5.1). Internally, the test is started when the Start signal is set high. The first input bit is read; if the bit is 1 then the next state is S_1, else it goes to S_0. If the same bit value repeats, the counter for that bit type is incremented. However, if the new input differs from the previous bit, the counter is cleared and restarted for the new bit value. The counter continues until the input bit changes. If the maximum run length is exceeded, an indicator register IND is set high. After the full sample is examined, the test enters the next state and the IND register is checked. If IND is high, a fail is set on the output; otherwise it is set to a pass.
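The latch-style check just described can be sketched in software as follows (illustrative Python; the hardware uses a state machine rather than a loop, and the names are ours):

```python
def longest_runs_pass(bits, max_run):
    """Streaming longest-runs check: track the current run length bit by
    bit and latch an indicator (IND) as soon as any run exceeds max_run.
    Returns True for a pass, False for a fail."""
    ind = False
    prev = None
    count = 0
    for b in bits:
        count = count + 1 if b == prev else 1   # extend or restart the run
        prev = b
        if count > max_run:
            ind = True                          # latched; checked after the full sample
    return not ind

ok = longest_runs_pass([1, 1, 1, 0, 1, 1], max_run=2)   # run of three 1s -> fail
```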
5.1.5 Poker Test
The poker test is another part of the FIPS 140-2 test suite. Of the four tests in the suite it has
the most complex hardware implementation. The theoretical details are found in Chapter 5.1 on
page 56. As with the previous tests detailed in this chapter, the input and output entity for the
poker test is as shown in Figure 5.1. This allows for easy substitution of the tests.
The poker tests state diagram is shown in Figure 5.6. After a reset the process begins in the
Wait_f or_start state. Once the Start signal goes high the test begins by entering the Read_bits
state and reading the rst bit. The input bit is read and stored in the MSB of the Reg register.
The counter register Cnt_reg is checked to see if all the bit positions have been lled with new
62 CHAPTER 5. HARDWARE IMPLEMENTATION
bits. If the register does not hold four new bits, the state is returned to the Read_bits state until
four new bits are present. Once the Reg has been lled the process compares the pattern found
in Reg to a list of patterns. The counter for the matching pattern is incremented. This process is
repeated for the full test sequence. When all the bits have been read and matched, the test value
Sum is calculated using the following formula:
Sum = X_{poker\_obs} \cdot \frac{k}{2^m} = \left( \sum_{i=1}^{2^m} n_i^2 \right) - \frac{k^2}{2^m}
This formula can be arrived at by using the theory from Section 5.1.5 and the given constants:

m = 4
α = 0.0001
n = 20000

Therefore, the following can be calculated:

k = \left\lfloor \frac{n}{m} \right\rfloor = \left\lfloor \frac{20000}{4} \right\rfloor = 5000

\chi^2_{obs} = \frac{2^m}{k} \sum_{i=1}^{2^m} n_i^2 - k

Sum = \frac{k}{2^m}\,\chi^2_{obs} = \left( \sum_{i=1}^{2^m} n_i^2 \right) - \frac{k^2}{2^m}
After calculating Sum, the process proceeds to the Output state. The value in Sum is compared to a precalculated range for α = 0.0001. In this implementation the range is 675 < Sum < 14428, which is calculated as follows:
\chi^2_{upper} = chi2inv\left(1 - \frac{0.0001}{2},\ 2^4 - 1\right)

\chi^2_{lower} = chi2inv\left(\frac{0.0001}{2},\ 2^4 - 1\right)

\chi^2_{lower} < \chi^2_{obs} < \chi^2_{upper}

\left(\frac{k}{2^m}\,\chi^2_{lower}\right) < Sum < \left(\frac{k}{2^m}\,\chi^2_{upper}\right)

\left(\frac{2.16 \cdot 5000}{16}\right) < Sum < \left(\frac{46.17 \cdot 5000}{16}\right)
The Output state sets the Result signal to 1 for a pass and to 0 for a fail. The process then moves to the Halt state and remains there until a reset signal is received.
5.1.6 Autocorrelation Test
The autocorrelation test compares a bit sequence with a shifted version of itself by using a shift
register and an exclusive-OR:
4 3 1 2
Din
Auto_corr
The length of the shift register has been arbitrarily chosen at four bits. A better coverage is
achieved by using multiple XOR gates attached to shorter bit differences, i.e. bits 3/4 and 2/4, at
the expense of a larger circuit. The entity of the autocorrelation test follows the other tests with
the four inputs and two outputs shown in Figure 5.1.
The control flow of the autocorrelation test is the same as for the poker test (see Figure 5.6). During the Read_bits state the data is first read into the shift register. Once that has completed, the fourth and first bits are XORed and added to a running total, which is stored in Auto_corr. The states alternate between the Read_bits and Read_bits_set states, comparing all the first and fourth bits. This continues until the full test length is reached. The total found in the Auto_corr register is then compared to a precalculated range.
Using the values from the FIPS 140-2 standard (n = 20000, α = 0.0001) and a shift of d = 3, the limits on Auto_corr can be calculated. As mentioned in Chapter 4, the autocorrelation test follows a normal distribution if n - d >= 10; therefore, the range for the test characteristic is:

-2.575 < X_{Auto\_lim} < 2.575.
From this range the limits on Auto_corr can also be calculated:

X_{Auto} = \frac{2\left(Auto\_corr - \frac{n-d}{2}\right)}{\sqrt{n-d}}

Auto\_corr_{lim} = \pm\,\frac{|X_{Auto}|\,\sqrt{n-d}}{2} + \frac{n-d}{2}

Auto\_corr_{lim} = \pm\,\frac{|2.575|\,\sqrt{20000-3}}{2} + \frac{20000-3}{2}
Figure 5.7: State diagram for the turning point test (states: Wait_for_start, Read_bits, Output, Halt).
Auto\_corr_{upper} = 10181
Auto\_corr_{lower} = 9816
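These limits follow directly from the normal approximation and can be checked with a short Python sketch (the rounding convention for the integer register limits is our assumption):

```python
import math

# Acceptance range on the Auto_corr register for n = 20000, d = 3 and
# |X_Auto| <= 2.575 (normal-approximation limit from the text):
n, d, x_lim = 20000, 3, 2.575
center = (n - d) / 2                       # expected value of Auto_corr
spread = x_lim * math.sqrt(n - d) / 2      # allowed deviation
upper = round(center + spread)
lower = round(center - spread)
```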
This gives the Auto_corr range, which is tested during the Output state. The test sets a pass (Result = 1) if the total falls within the range; otherwise a fail (Result = 0) is set. After outputting the result, the process continues into the Halt state, where it waits until a reset is sent.
5.1.7 Turning Point Test
The turning points of a sequence are the peaks and troughs found after a run up or down. This
test is not, strickly speaking, a test for binary sequences; however, it can be modied to handle
binary input by grouping bits into blocks of bits and converting them into integer values. The
outer entity has the same I/O as the other tests (see Figure 5.1).
The state diagramis a simplied version of the poker and autocorrelation tests, see Figure 5.7.
After a reset the test is in the Wait_f or_start state until the Start signal goes high. With the
Algorithm 3 Algorithm for calculating the test characteristic limits.
n = 20000
\mu = \frac{2}{3}(n - 2) = 13332
\sigma^2 = \frac{16n - 29}{90} = 3555.2
\sigma = 59.6258
X_{obs} = X_{TP,\alpha=0.0001} = 4.719
X_{obs\_upper} = 13332 + 281 = 13613
X_{obs\_lower} = 13332 - 281 = 13051
presence of the Start signal the test begins to collect bits and shifts to the Read_bits state. The Read_bits state not only reads each new bit but also organizes the bits into blocks and counts when peaks or troughs occur. The algorithm is shown graphically in the flowchart in Figure 5.8. During reading, the bits are grouped into 8-bit integers. After eight bits are collected, the current value R_curr is stored as the previous value R_prev. As soon as the second group of bits is collected, the two values are compared. If the newer number is larger than the previous value, R_curr > R_prev, the toggle is set to toggle_new = 1. This new toggle value is compared to the old value: toggle_new ?= toggle_old. If they are the same, no change is recorded; however, if the previous toggle value is 0, the transition counter is incremented. The same transition counting process is performed if the current number is less than the previous value, except that the toggle is set to 0 and a transition is recorded if the previous toggle is 1. The third possibility is that the current and previous values are equal. This is recorded as no change and the transition counter is left unchanged. After comparing the two values the process moves back to the Read_bits state, and the whole algorithm is repeated until all bits are tested.
Upon completing the peak and trough count for the full sequence, the process moves to the Output state. Using the same method as for the autocorrelation test, the acceptance limits for the transition counter are precalculated and integrated into the output algorithm, see Algorithm 3.
5.1.8 Serial Test
The last test implemented in hardware is the serial test. This test counts the number of occur-
rences of the bit patterns 00 to 11 and the number of 0 and 1. This process is similar to the
counter unit built in the poker test. The full data ow design can be seen in Figure 5.9. After
the counter nishes, the controller passes the values to the statistic calculator, the
2
calculation
Figure 5.8: Algorithm flowchart for the turning point test.
5.2. FUNCTIONAL VERIFICATION 67
Figure 5.9: Data flow diagram for the serial test (Start, Reset, Clock and the data Input feed a controller, a counter, and a χ² calculation unit that outputs Pass/Fail).
Operation                Area (μm²)   Power (μW)   Time Delay (ns)
Addition / Subtraction   1057         73           2.97
Multiplication           11025        829          6.58
Division                 6787         500          20.27
Table 5.1: Arithmetic hardware characteristics calculated using a 50 ns clock.
unit. This is the part that differs from the other tests. The operations found in the other tests are addition, subtraction and multiplication; however, this random generator test also includes two division operations. In comparison to addition and subtraction, the multiplication and division operations are very complex. When possible, designs are optimized to reduce the number of multiplication and division operations, since their hardware requirements are far higher than those of addition and subtraction. Table 5.1 shows an example of the synthesis results from Synopsys for 8-bit arithmetic operations using UMC 0.25 μm CMOS technology.
The time delay of the division causes some concern, because any design using this operation has a time delay of at least 20.27 ns, i.e. a maximum clock frequency of about 50 MHz, which is the current maximum operating frequency for smart cards (see Chapter 2).
The calculation of the serial characteristic

10000\,X = \left( \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1 \right) \cdot 10000

is broken down into seven steps and uses two registers (R_1, R_2). The algorithm has been slightly changed from the version published in [APS96] by multiplying both sides by 10000, giving an accuracy of four decimal places. The algorithm for this test is shown in Algorithm 4.
5.2 Functional Verification
Before any hardware analysis was performed on the VHDL designs, each design was functionally verified against the RNG tests written in Matlab (see Figure 5.10). The synthesized versions were also checked for any logic and design errors.
Algorithm 4 Pseudocode to calculate the χ² characteristic and the pass/fail for the serial test.
State 1: R_1 = n_{00} \cdot n_{00} + n_{01} \cdot n_{01};  R_2 = n_0 \cdot n_0 + n_1 \cdot n_1
State 2: R_1 = n_{10} \cdot n_{10} + R_1;  a = 10000 \cdot R_2;  b = n
State 3: R_1 = n_{11} \cdot n_{11} + R_1;  R_2 = a / b
State 4: R_2 = 2 \cdot R_2;  a = 10000 \cdot R_1;  b = n - 1
State 5: R_1 = a / b
State 6: R_1 = 4 \cdot R_1 + 10000
State 7: \chi^2 = R_1 - R_2
         if \chi^2 \leq X_{max} then pass else fail end if
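Algorithm 4 can be mirrored in software to check the fixed-point arithmetic. The sketch below uses integer division, on the assumption that the hardware divider truncates, and applies the algorithm to the counts from the 100-bit example in Section 4.8 (X_obs ≈ 7.54):

```python
def serial_chi2_fixed_point(n00, n01, n10, n11, n0, n1, n):
    """Seven-state, integer-only evaluation of 10000 * X_obs for the serial
    test, mirroring Algorithm 4 (// models a truncating hardware divider)."""
    r1 = n00 * n00 + n01 * n01           # state 1
    r2 = n0 * n0 + n1 * n1
    r1 += n10 * n10                      # state 2
    a, b = 10000 * r2, n
    r1 += n11 * n11                      # state 3
    r2 = a // b
    r2 = 2 * r2                          # state 4
    a, b = 10000 * r1, n - 1
    r1 = a // b                          # state 5
    r1 = 4 * r1 + 10000                  # state 6
    return r1 - r2                       # state 7: 10000 * chi-square

# Counts from the 100-bit example sequence in Section 4.8:
chi2_x10000 = serial_chi2_fixed_point(16, 32, 31, 20, 48, 52, 100)
```

Dividing the result by 10000 recovers the floating-point statistic up to the truncation error of the two integer divisions.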
The verification was performed by first generating a test file with binary sequences from a poor generator (an LFSR). The all-zero and all-one sequences, which are known to fail the tests, were also included. The test length for each sample was 20000 bits, since this was the design parameter for the hardware implementation.
A test bench was written to read in the binary data, which was input to the RNG tests. The output from each simulated run was stored in an output text file. Another test bench was programmed for the RNG test functions in Matlab. This test bench first loaded the test sequence file and then the results from the VHDL version. The test sequences were processed using the Matlab RNG empirical test functions, and their outputs were compared to the results from the VHDL simulation. When both results matched, an output of 1 was given; otherwise a 0 was set.
The results from the functional testing showed that the synthesized Synopsys designs agreed with the results from the Matlab simulation. Therefore, the VHDL versions are functionally equivalent to the algorithm versions.
5.3. HARDWARE TESTING 69
Figure 5.10: Functional verification process (the test data is fed to the VHDL logic simulation, the synthesized-design simulation, and the Matlab design simulation; the results are compared for a pass/fail).
5.3 Hardware Testing
5.3.1 Hardware Analysis Strategy
Each RNG test algorithm was programmed in VHDL. After verifying the designs using a design simulator, they were loaded into Synopsys Design Analyzer™. The optimization tools from Synopsys were used to improve the hardware properties of the designs.
Using a VHDL simulator, the circuit activity for testing a sequence of 20000 bits was recorded. This information was then used by the Power Compiler™ from Synopsys to calculate the power consumed, using UMC 0.25 μm CMOS technology libraries.
The study of power consumption proceeded differently than that of area and time delay. For those two characteristics a CMOS technology (0.25 μm) was selected and the VHDL code was synthesized. At that point, the Synopsys tool provided a convenient method to calculate the area and time delay for the given technology; however, the power consumption tool was not as accurate as desired. For the power consumption calculations, the switching activity for each design was recorded. The source data for this study came from a four-stage delayed feedback shift register. Using the simulation tools from Mentor Graphics™, the switching data was stored in SAIF files, which were then processed by Synopsys Power Analyzer at different clock frequencies. This gave a more accurate reading of the power consumption.
The power consumption results of the RNG tests need to be seen against the power consumption of a smart card during normal operation, which is 50 mW at a voltage of 5 V and a supply current of 10 mA.
Figure 5.11: Complete area results for eight randomness tests (area in μm²; tests: longest runs, frequency, autocorrelation, turning point, frequency block, runs, poker, serial).
5.3.2 Hardware Results
The results from the hardware synthesis and power simulation can be seen in Figures 5.11 to 5.14. The first hardware characteristic to be studied is area.
The area results for each of the selected designs are shown in Figure 5.11. The synthesis used an out-of-date 0.25 μm CMOS process, whereas industry uses 180 nm or 90 nm technology; however, it did allow for a comparison of the different designs. The newer technologies allow for a scaling down in size, but the general size ratios between the designs remain the same.
The area analysis divides the RNG tests into two groups: the random walk/runs based tests and the pattern matching tests. The pattern matching tests are significantly larger than the other tests, by at least a factor of ten. The smallest design is the longest runs test. The number of multiplication and division operations present in the poker and serial tests makes their designs more complex compared to the relatively simple additions needed for the other designs. The synthesized serial test circuit occupies approximately 4% of the total smart card chip area. For some designers this might be too large.
The FIPS test group, made up of the longest runs, runs, poker and frequency tests, requires an area of 691286 μm². Within this group, the poker test is the largest contributor, making up 88% of the FIPS area.
In Figure 5.12 the area results have been zoomed in to include only the smaller tests. It is easier to notice the differences in size for each of these designs now that the two largest tests are removed. Here the designs are divided again into two groups, in essence making three groupings
Figure 5.12: The area results for the six smallest randomness tests.
for the area analysis. The simple counters are the smallest designs, which include the following
tests:
longest runs
frequency
autocorrelation
turning point.
The more complex counters are the
runs
frequency block tests.
Smart cards work with a base clock of 5 MHz, but the internal processing speed is usually multiplied up to speeds of 25 to 50 MHz. This is a design restriction that hardware developers for smart cards need to take into account. For a 50 MHz smart card, the algorithm implementation needs to have a device time delay of less than 20 ns. In other words, any algorithm implementation needs to reach the end of its slowest processing path within the 20 ns clock period. If a design cannot fit in this time restriction, it either needs to be optimized further or, if that is
Figure 5.13: Longest path timing delay analysis for the eight randomness tests (design time delay in ns).
not possible, the smart card has to run at a slower clock speed. This has the negative effect of reducing the processing speed for all calculations.
Figure 5.13 shows the longest path time delay for the eight implemented tests. The ordering of the tests on the x-axis is the same as in the area measurement graph (see Figure 5.12), to allow for an easier comparison of the different tests. The most striking result is the serial test. As the largest test it could be assumed to have the longest delay path; however, the difference between the serial test and the poker test is immense. The time delay path has been examined to investigate where the design spends most of its time: it is in the division component. Of the 45.22 ns spent processing the longest path in the serial test, 44.5 ns are spent in the divider. The serial test implementation uses a Designware™ divider. Therefore, for greater optimization, a custom divider or a new serial test implementation without the division has to be designed.
The rest of the tests all fall below the 50 MHz (20 ns) line. Therefore, except for the serial test, they are all acceptable for current smart card speeds. The ordering of the designs based on the time delay does not necessarily follow the area size; for example, the longest runs test has a longer processing path than the frequency test. For many applications a compromise is required between the time delay and the design size to achieve efficient operation. This is the reason for the variance in the time delay.
The designs have been optimized with regard to all three characteristics: power consumption,
area and time delay. However, the area and power consumption characteristics have been given a
higher rating in the optimization hierarchy, since they are the most important properties for smart
Figure 5.14: Power consumption analysis for the eight randomness tests (power in mW versus clock speed in MHz for the longest runs, frequency, autocorrelation, turning point, frequency block, runs, poker and serial tests).
card manufacturers.
The current trend in smart card development is shifting away from contact only cards to
either all contactless or a hybrid contact/contactless card. The use of contactless technology has
increased the importance of using low power designs. Each of the design has been optimized
using the power consumption parameters in Synopsys Design Compiler
TM
.
The power consumption results can be seen in Figure 5.14. The data is plotted as points on a power versus clock frequency axis. Some of the data lines are shorter than others, for example those of the frequency block, poker and serial tests; they are cut short by the limits imposed by their time delays. The operating speeds of these test implementations are restricted to a clock frequency of 1/(time delay) or slower.
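The relation between a design's critical-path delay and its maximum clock frequency can be sketched as follows. This is a minimal illustration; the function name and the nanosecond/MHz units are my own choices, not taken from the synthesis reports:

```python
def max_clock_mhz(time_delay_ns: float) -> float:
    """Maximum clock frequency in MHz for a design whose critical
    path (time delay) takes time_delay_ns nanoseconds: f = 1/t."""
    return 1000.0 / time_delay_ns

# A 20 ns critical path corresponds to the 50 MHz smart card limit,
# while a 50 ns path would cap the design at 20 MHz.
print(max_clock_mhz(20.0))  # 50.0
print(max_clock_mhz(50.0))  # 20.0
```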
Three speeds are of particular interest in the power analysis: 5 MHz, the base smart card frequency; 20 MHz, the last point at which all the tests can be compared; and 50 MHz, the maximum operating speed of current smart cards. At 50 MHz the poker test is by far the most power-hungry circuit design at approximately 6 mW. The next closest are the frequency block and runs tests. The autocorrelation, turning point, frequency and longest runs tests are grouped closely near the 1 mW mark. At the 20 MHz point, the serial test result is also available; this test requires slightly less power (2.0 mW) than the poker test (2.5 mW).
The power consumption results generally follow the area results, with the largest design requiring the most power. However, it is interesting that the serial test is more efficient than the poker test. The main difference between them is not in the counting of the various statistical properties but in the actual calculation of the statistic: the poker test has more multiplications, whereas the serial test has a divider circuit. The divider circuit from Synopsys DesignWare(TM) is slow and large but has been designed for efficient power consumption. The multiplications are also efficient, but not to the degree of the divider.
The calculation times required by the tests, in clock cycles, are shown in Table 5.2. As a boundary limit, the tests have to complete their calculation within the initialization time of two seconds. The tests are set up to count as each bit arrives from the RNG. The quantity to keep small is the time between the arrival of the last bit and the calculation of the pass or fail result: the shorter this time, the more bits the generator is able to create before reaching the two-second limit. Current cryptographic RNGs in smart cards are not able to produce the full 20000 bits within that time interval. The more bits the RNG is allowed to produce, the better the results are for testing purposes. The hardware implementations of the tests all require 20000 bits, since they are based on FIPS 140-2. It is hoped that the results from the simulator allow this to be reduced.
The calculation time results show that the smallest tests do not have long calculation times. The more complex tests, poker and serial, require more time, since they compute the statistic and then compare it to a given range; this statistic calculation is the time-consuming part. However, even these designs are very quick, and most of the two seconds can be dedicated to bit generation. From a hardware point of view, only the serial test poses any problems for modern smart card implementations: its current design does not allow it to be clocked at a standard operating frequency. The rest of the tests are all acceptable.
Test              Number of Cycles
Frequency         2
Runs              2
Longest Runs      2
Serial            8
Poker             8
Autocorrelation   2
Frequency Block   2
Turning Point     3

Table 5.2: Cycles required to calculate the test results after the arrival of the last bit in the test sequence.
Chapter 6
Empirical Test Quality Measurement
6.1 Introduction
In the previous chapter we looked at the hardware aspects of the random number generator tests, which allowed us to judge whether the selected tests are acceptable for a smart card implementation from a physical point of view (area, power consumption, and calculation time). However, this still leaves several questions unanswered:
1. What is the minimum number of tests that must be implemented in the smart card RNG test unit?
2. Can the test sequence be reduced from 20000 bits to a shorter sequence without loss of testing quality?
It is not possible to determine the quality of a random number generator without a reference point. The standard for this thesis is the FIPS 140-2 test criteria, as it is the desired standard to be implemented in the smart card. The FIPS 140-2 test suite is made up of four tests (frequency, poker, runs and longest runs), a sample sequence length of 20000 bits, and a significance level of alpha = 0.0001 (1 misjudgment in 10000 trials). Therefore, the following definition of quality is used in this thesis.

Definition 6.1.1. A test's or test group's quality is a percentage measure of how well the selected test or test group mimics the FIPS 140-2 test criteria.
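As a concrete illustration of the criteria, the first of the four FIPS 140-2 tests can be sketched in a few lines. The pass bounds 9725 < n1 < 10275 are the ones published in FIPS 140-2 for the monobit test; the function name is my own:

```python
def monobit_pass(bits):
    """FIPS 140-2 monobit (frequency) test on a 20000-bit sample:
    the count of ones must satisfy 9725 < n1 < 10275."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-2 tests a 20000-bit sample")
    n1 = sum(bits)
    return 9725 < n1 < 10275

# A balanced sequence passes; a stuck-at-0 stream fails.
print(monobit_pass([0, 1] * 10000))  # True
print(monobit_pass([0] * 20000))     # False
```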
Normally, a failure in an RNG results in a stuck-at type failure (stuck-at 0 or stuck-at 1). However, there are also cases where a bit stream is still produced but has nonrandom characteristics. For cryptographic applications, the use of nonrandom sequences is worse than a full deactivation of the device: poor cryptographic random sequences provide a false sense of security without alerting the user to a possible breach. In essence, such sequences are a hole in the protective shield around the user's data. To prevent this security hole from occurring, the RNG must be tested before each use.
Figure 6.1: Simulator setup and possible failure points (1: RNG, 2: noise source, 3: digitiser; both the test under study and FIPS 140-2 deliver a pass/fail verdict).
There are many different random number generator tests available in the literature; however, they detect faults with different sensitivities. Investigating the sensitivities of the eight selected tests requires a simulator. This chapter describes the simulator that has been programmed to incorporate the possible failure points in an RNG system, and presents the results from studying the behavior of the empirical tests on the different faulty bit streams. These failure points are modeled as poor RNGs. Figure 6.1 shows the three points of vulnerability in the RNG system. The first point is the RNG itself: it is possible that the generator has a flawed design, or is damaged during use, and begins to produce a poor sequence of bits. The second point examines the effects of outside interference: how will the test unit react to interference or noise on the line? The final point is the digitizer. Often a natural source is sampled and used as the randomness source; if the digitizer oversamples the natural source, the output will have nonrandom qualities.
The following is a list of the failure point models and the types of generators used to represent these failures:
Failure Point 1: Failure in the random number generator
1. ANSI C generator
2. Repeating pattern generator
3. Biased generator
Failure Point 2: Frequency noise introduced into the random source
1. Frequency addition with a wide spectrum
2. Frequency addition with a narrow spectrum
3. Addition of pink (1/f) noise
Failure Point 3: Failure in the digitizer or the sampling
1. Oversampling
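Two of the failure-point generators listed above can be sketched as follows. The thesis implements them in Matlab; this Python reimplementation, and the parameter values and names used here, are illustrative assumptions rather than the original models:

```python
import random

def biased_bits(n, p_one=0.6, seed=1):
    """Failure point 1, biased generator: emits a 1 with probability
    p_one instead of 0.5 (p_one = 0.6 is an illustrative choice)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def repeating_bits(n, pattern=(1, 0, 1, 1, 0)):
    """Failure point 1, repeating pattern generator: cycles a short
    fixed pattern (the pattern shown is an arbitrary example)."""
    return [pattern[i % len(pattern)] for i in range(n)]
```

A frequency test would be expected to catch the biased generator, while the repeating pattern generator may pass a frequency test and must be caught by tests sensitive to structure, such as the runs or serial tests.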
Test   FIPS 140-2   Result
0      0            1
0      1            0
1      0            0
1      1            1

Table 6.1: Logical equation: Result = Test XNOR FIPS 140-2 (1 for a match, 0 for a mismatch).
In addition to the previous possible failures, the Matlab random number generator has been studied, since it is the base generator for the failure generators. The experiment setup also incorporates, as a control (Control 1), sequences from a true random number generator; the data is from Marsaglia's Random Number CD-ROM [1].
Each sample sequence has been tested with the eight selected empirical tests, and the results compared to the result of the FIPS 140-2 test group. The FIPS 140-2 result is calculated by taking the pass or fail results of the poker, frequency, runs and longest runs tests at 20000 bits and ANDing them together. This FIPS result is used as the reference for the other tests, with a match counted as 1 and a mismatch as 0 (see Table 6.1). In addition to the results of the individual tests, test combinations have been examined: the results of the individual tests are ANDed together and treated as one test result, which is then judged according to Table 6.1. This shows any improvement obtained through test groups.
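The comparison procedure just described can be sketched directly. Function names here are my own; the logic follows the AND-then-XNOR scheme of Table 6.1:

```python
def fips_verdict(frequency, poker, runs, longest_runs):
    """FIPS 140-2 reference verdict: the AND of its four tests
    evaluated on the 20000-bit sample."""
    return frequency and poker and runs and longest_runs

def match(test_results, fips_result):
    """Table 6.1: AND the individual test verdicts into one group
    verdict, then score 1 if it equals the FIPS verdict (XNOR)."""
    group = all(test_results)
    return 1 if group == fips_result else 0

print(match([True, True], True))    # 1 (both pass: match)
print(match([True, False], True))   # 0 (group fails, FIPS passes)
print(match([False], False))        # 1 (both fail: match)
```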
The next section takes a closer look at each of the sample generators and gives a short description of how they have been implemented in Matlab. The last section discusses the results from each of the generators and looks at the effects of the sequence length.
6.2 Random Number Generator Failure Experiments
6.2.1 Control Experiment 1: True Random Number Generator
As a control experiment, bits from a true random number generator are used. The bits are not self-generated with a hardware random number generator but have been copied from Marsaglia's CD-ROM. This CD-ROM contains approximately five billion bits divided into sixty 10 MB files. The source of these bits is the combination of three white noise sources with a deterministic random number generator. Marsaglia ran the Diehard [2] tests over the bits and found that they passed all of them.
From these bits, 500 sample sequences of 100000 bits have been stored in a Matlab-readable format. The same test procedure is used for these data samples as for the other experiments. The results from this experiment are shown in Figures 6.2 and 6.3. Almost all the sequences pass the
[1] Website: http://stats.fsu.edu/pub/diehard/cdrom/bits.01, sourced February 2002.
[2] A random number generator test suite from George Marsaglia. Source: http://stat.fsu.edu/pub/diehard
Figure 6.2: True random number generator test results compared to the FIPS 140-2 standard (percent matching versus sequence length, 25 to 100000 bits; series: frequency, runs, longest runs, poker, turning point, autocorrelation, frequency block, and serial).
experiment for the different bit lengths. Not all tests pass every sequence with 100% matching, but this is to be expected: a true random number generator will occasionally produce sequences that have nonrandom characteristics. However, the large majority of sequences fall within the acceptable range. The results also show that a true random number generator looks random irrespective of the sequence length. This result is the optimum against which the other experiments are measured.
6.2.2 Control Experiment 2: Good Pseudorandom Number Generator
Description
The Matlab generator has been included in the study because it is the underlying engine for most of the sample generators; it also serves as the control for a good pseudorandom number generator. The function used is unidrnd.
The rand function from Moler [Mol95, Mol04] is essentially two combined random number generators. The main generator uses thirty-five words of memory, or states. The first thirty-two states hold floating-point numbers between 0 and 1. The other three states hold the indices i and j and the borrow flag b. The index i is an integer between 1 and 32, and the index j is a random integer. The state b takes one of two values: 0 or ulp. An ulp is one half of the built-in Matlab function eps [3], and is one unit in the last place for floating-point numbers slightly less than 1 [Mol95].
[3] eps is a Matlab function that returns the distance from 1.0 to the next largest double-precision number, that is, eps = 2^-52. Source: http://www.mathworks.com/access/helpdesk/help/techdoc/ref/eps.html
Figure 6.3: True random number generator single test pass count (count of "pass" sequences, max. 500, versus sequence length; series: frequency, runs, longest runs, poker, turning point, autocorrelation, frequency block, serial, and FIPS at 20000 bits).
To calculate the i-th value, the generator uses the formula

    z_i = z_((i+20) mod 32) - z_((i+5) mod 32) - b

where b is carried over from the previous step. If z_i is positive, then b is set to 0; however, if z_i is negative, then b is set to ulp and 1.0 is added to z_i to make it positive.
The random number generator stated above has a period of 2^1430; however, it has a flaw in the way floating-point binary numbers are distributed over the range ulp <= x <= 1 - ulp.
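One step of this subtract-with-borrow recurrence can be sketched as follows. The state layout and the ulp value are taken from the description above; this is an illustrative reimplementation, not Matlab's actual code, and it omits the secondary generator discussed below:

```python
ULP = 2.0 ** -53  # half of Matlab's eps = 2^-52, as described above

def sbw_step(z, i, b):
    """One step of the lagged recurrence
    z_i = z_((i+20) mod 32) - z_((i+5) mod 32) - b,
    renormalized back into [0, 1) by carrying the borrow flag b."""
    zi = z[(i + 20) % 32] - z[(i + 5) % 32] - b
    if zi >= 0.0:
        b = 0.0          # result positive: clear the borrow
    else:
        b = ULP          # result negative: set the borrow ...
        zi += 1.0        # ... and wrap the value back into [0, 1)
    z[i % 32] = zi       # overwrite the oldest state word
    return zi, b
```

Iterating this step over the 32-word state reproduces the main generator; every output stays in [0, 1).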
Many of the possible values are not represented. Figure 6.4 gives an example of this problem using ulp = 2^-4: the range [1/2, 1) contains only half of the possible values, and the range [1/8, 1/4) only a quarter of the possible values.
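The counting behind this example can be checked numerically. Assuming a fixed grid of multiples of ulp = 2^-4 (the example value used above), each lower binade contains half as many grid points as the one above it, whereas a true floating-point representation would keep the number of representable values per binade constant:

```python
ULP = 2.0 ** -4  # the example spacing from the text

def grid_points_in(lo, hi, ulp=ULP):
    """Multiples of ulp that fall in the half-open interval [lo, hi)."""
    return [k * ulp for k in range(int(round(hi / ulp))) if lo <= k * ulp < hi]

# With ulp = 2^-4 there are 16 grid points in [0, 1); 8 of them land
# in [1/2, 1), 4 in [1/4, 1/2) and only 2 in [1/8, 1/4) -- the low
# ranges are represented by ever fewer distinct values.
print(len(grid_points_in(0.5, 1.0)))     # 8
print(len(grid_points_in(0.25, 0.5)))    # 4
print(len(grid_points_in(0.125, 0.25)))  # 2
```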
To overcome this problem, the second RNG is used to divide the values less than 1/2 into non-equally spaced values. This allows for a fixed floating-point size, i.e. x.xxx * 2^y, where all values are generated instead of only the 32 values for ulp = 2^-4.
The last point to be taken into account is the relative frequency with which each result occurs. Using the new method, each of the regions [1/2, 1), [1/4, 1/2), [1/8, 1/4) and [1/16, 1/8) is divided in the same way, even though each region is half as large as the one above it; for instance, [1/4, 1/2) is half as large as [1/2, 1)