[Cryptech Tech] Onchip Open-V TRNG

[Bernd Paysan]

Am Dienstag, 25. Juli 2017, 03:13:37 CEST schrieb Peter Stuge:
> Columbian Onchip designed a TRNG peripheral into their microcontroller.
> They use a ring oscillator with seemingly simple postprocessing. Their
> paper:
> 
> https://github.com/onchipuis/mriscv/blob/master/fully-synthesized-trng.pdf

I don't understand the reason why to use a three-wave ring oscillator.  The 
overall jitter goes down with the length of the ring oscillator, which is why 
I designed a very short one, using the fastest delay elements available (the 
carry chain in the FPGA). This is not even a linear effect, because the ultra-
short one has often setup and hold violations when sampled, and these increase 
the actual noise. An explanation could be that after using a long ring 
oscillator with very poor jitter, they went to the three-wave design, and due 
to more setup and hold violations, their entropy got up.

Our current post-conditioner is xor-collapsing all the sampled rosc_outs, and 
shifting that into a shift register.  This seems to work quite well.

What I originally had proposed as post-conditioner hasn't been implemented, it 
should do

    entropy_new = { entropy[30:0], entropy[31] } ^ rosc_dout;

every single cycle so that the different sources should smear across the 
entire width of the entropy, and the biases should go away, too (if you sample 
entropy only at even rounds, there is no way a bias in rosc_dout can be 
observed).  This should get a considerably higher bandwidth of entropy with 
about the same gate count, or allow us to use less roscs to produce the same 
bandwidth.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/