[Cryptech Tech] Hardware entropy

Bernd Paysan bernd at net2o.de
Mon May 19 13:39:25 UTC 2014


On Monday, 19 May 2014, 13:09:51, Bernd Paysan wrote:
> How to measure the jitter or the quality of this ring oscillator source? 
> The ring oscillator runs at significantly higher speed than the internal
> clock, and certainly also faster than the IO bandwidth capability.  So you
> can't feed it out and measure it directly.  You can sample it with the
> clock frequency or some integer division of the clock frequency; that gives
> you a subsampling of the actual state.  As it is a somewhat jittery
> oscillator, i.e. it has some frequency +- some delta (through jitter),
> there are no frequency components outside this range. The subsampling is
> good enough if the subsample frequency has a larger span than the jitter
> delta (Shannon theorem).  So feed the samples into an FFT, and you would
> expect a random distribution (bell curve) around the center frequency: that
> is your jitter.  The actual base frequency is not of interest, only the
> jitter is.

Ok, here are some first analyses (three runs, attached as PDF).

The sample loop takes 17 cycles per iteration (will try 16, because that's 
easier to think about).  I sample 1024 values (bits).  The FFT is done by 
converting these bits to -1/1, applying a von Hann window.  For the output, I 
only print absolute values, (|@f| + |@-f|)/2.  Most of the clocks have a 
similar jitter, some a much higher one (those are probably badly routed).  Clock 
frequency is 50MHz.  There are 32 roscs under test.

Given that 2 roscs give one random bit as result, and we can probably sample 
them every 1024th cycle, we get ~50kbps of entropy per rosc pair (and a 
rosc pair takes about one LC slice).  That is with chain length 8, I'll try 
different delay chain lengths, assuming a "the shorter, the more jitter" 
relation.

analyse4.pdf is the same data as analyse3.pdf, but with a rectangular window.  
That's to see what the window function does here, and I conclude that it is 
not needed at all.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: analyse1.pdf
Type: application/pdf
Size: 106644 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20140519/87c72bef/attachment-0004.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: analyse2.pdf
Type: application/pdf
Size: 106647 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20140519/87c72bef/attachment-0005.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: analyse3.pdf
Type: application/pdf
Size: 106774 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20140519/87c72bef/attachment-0006.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: analyse4.pdf
Type: application/pdf
Size: 107547 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20140519/87c72bef/attachment-0007.pdf>
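
The analysis described in the message above, as an added example that is not part of the original post and is not the author's code: 1024 sampled bits are mapped to -1/+1, optionally von Hann windowed, transformed, and folded as (|X[f]| + |X[-f]|)/2. The oscillator model, the 401.3 MHz oscillator frequency, the jitter values and the peak-to-mean metric are assumptions made here for illustration; only the 50 MHz clock, the 17-cycle sample loop and the 1024-bit run length come from the post.

```python
import cmath, math, random

CLK_HZ, CYCLES, N = 50e6, 17, 1024   # clock, loop length, run length from the post

def simulate_rosc(n, f_osc_hz, jitter, rng):
    """Constructed model, not measured data: the phase advances by a fixed
    number of oscillator periods per sample plus Gaussian jitter (std dev
    `jitter`, in periods); the sampled bit is the current half-period."""
    step = f_osc_hz * CYCLES / CLK_HZ
    phase, bits = rng.random(), []
    for _ in range(n):
        phase = (phase + step + rng.gauss(0.0, jitter)) % 1.0
        bits.append(1 if phase < 0.5 else 0)
    return bits

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def folded_spectrum(bits, hann=True):
    """Map bits to -1/+1, optionally apply a von Hann window, and return
    (|X[f]| + |X[-f]|) / 2 for f = 0 .. n/2."""
    n = len(bits)
    x = [2 * b - 1 for b in bits]
    if hann:
        x = [v * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, v in enumerate(x)]
    X = fft(x)
    return [(abs(X[f]) + abs(X[-f])) / 2 for f in range(n // 2 + 1)]

def peak_to_mean(spec):
    """Hypothetical metric: a sharp line (little jitter) scores high,
    a flat noise-like spectrum scores low. The DC bin is skipped."""
    body = spec[1:]
    return max(body) / (sum(body) / len(body))

if __name__ == "__main__":
    rng = random.Random(2014)
    for jitter in (0.0, 0.02, 1.0):          # constructed jitter levels
        bits = simulate_rosc(N, 401.3e6, jitter, rng)
        for hann in (True, False):
            print(jitter, "hann" if hann else "rect",
                  round(peak_to_mean(folded_spectrum(bits, hann)), 1))
```

Running it with both window settings shows how the aliased oscillator line broadens into the noise floor as jitter grows, and what the window changes about that picture.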