Improving Security For Elliptic Curve Implementations on...


Page 1: Improving Security For Elliptic Curve Implementations on ...elib.suub.uni-bremen.de/diss/docs/00010630.pdf · Improving Security For Elliptic Curve Implementations on Smart Cards:

Improving Security For Elliptic Curve Implementations on Smart Cards:

A Random Number Generator Test Unit

Dissertation approved by the Department of Physics and Electrical Engineering (Fachbereich für Physik und Elektrotechnik) of the Universität Bremen for the award of the academic degree of Doktor-Ingenieur (Dr.-Ing.)

by

Andrew Weigl, M.E.Sc., from Bremen

First examiner (Referent): Professor Dr.-Ing. W. Anheier

Second examiner (Koreferent): Professor Dr.-Ing. R. Laur

Submitted on: 05.04.2006

Date of the doctoral colloquium: 24.07.2006



Contents

1 Introduction 1
  1.1 Motivation 2
  1.2 Previous Work 4
  1.3 Contents of the Thesis 4

2 Smart Cards 7
  2.1 History 7
  2.2 Smart Card Properties 8
    2.2.1 Physical properties 8
    2.2.2 Electrical properties 10
    2.2.3 Memory 11
  2.3 Types of Smart Cards 15
    2.3.1 Memory only cards (also called synchronous cards) 15
    2.3.2 Microprocessor cards (also called asynchronous cards) 15

3 Elliptic Curve Theory and Cryptography 19
  3.1 Elliptic Curve Algebra 19
  3.2 Point Operations on Elliptic Curves over Prime Fields F_p 19
  3.3 Point Operations on Elliptic Curves over Polynomial Fields F_2^m 21
  3.4 Cryptography 22
    3.4.1 Symmetric (Private) Key Cryptography 23
    3.4.2 Asymmetric (Public-Private) Key Cryptography 24

4 Random Numbers, Generation and Testing 29
  4.1 Definition of a random sequence 29
  4.2 Random number generators 31
    4.2.1 History 31
    4.2.2 Properties of random number generators 32
    4.2.3 Types of random number generators 33
      Pseudorandom number generators 33
      True random number generators 34
      Cryptographic random number generators 34
    4.2.4 Popular random number generators 35
      Linear congruential generator (LCG) 35
      Blum-Blum-Shub generator (computationally perfect PRNG) 35
      Cryptographic RNG (hardware RNG) 36
  4.3 Testing of random number generators 37
  4.4 Testing a device 38
  4.5 Statistical (empirical) tests 38
    4.5.1 Hypothesis testing 39
  4.6 Some examples of statistical models on Σ^n 41
  4.7 Hypothesis testing and random sequences 42
  4.8 Empirical test examples for binary sequences 44

5 Hardware Implementation 55
  5.1 Hardware Design 55
    5.1.1 Frequency Test 56
    5.1.2 Frequency Block Test 57
    5.1.3 Runs Test 59
    5.1.4 Longest Runs Test 59
    5.1.5 Poker Test 61
    5.1.6 Autocorrelation Test 63
    5.1.7 Turning Point Test 64
    5.1.8 Serial Test 65
  5.2 Functional Verification 67
  5.3 Hardware Testing 69
    5.3.1 Hardware Analysis Strategy 69
    5.3.2 Hardware Results 70

6 Empirical Test Quality Measurement 75
  6.1 Introduction 75
  6.2 Random Number Generator Failure Experiments 77
    6.2.1 Control Experiment 1: True Random Number Generator 77
    6.2.2 Control Experiment 2: “Good” Pseudorandom Number Generator 78
    6.2.3 Failure Point 1 Experiment: ANSI C Generator 80
    6.2.4 Failure Point 1 Experiment: Repeating Pattern Random Number Generator 83
    6.2.5 Failure Point 1 Experiment: Bias Random Number Generator 88
    6.2.6 Failure Point 2 Experiment: External Frequency Interference 94
    6.2.7 Failure Point 3 Experiment: Oversampling RNG 113

7 Random Number Generator Testing Unit 121
  7.1 Hardware and Software Analysis 121
  7.2 Poker-Frequency Test Unit 124

8 Conclusion 127

9 Appendix A 131

Bibliography 135


Abbreviations

BSI Bundesamt für Sicherheit in der Informationstechnik

BMS Binary Memoryless Source

CISC Complex Instruction Set Computer

CMOS Complementary Metal Oxide Semiconductor

CPU Central Processing Unit

DES Data Encryption Standard

DSA Digital Signature Algorithm

ECDSA Elliptic Curve Digital Signature Algorithm

EC-AES Elliptic Curve Authentication Encryption Scheme

ECC Elliptic Curve Cryptography

EEPROM Electrically Erasable Programmable Read-Only Memory

EPROM Erasable Programmable Read-Only Memory

FIPS Federal Information Processing Standards

GSM Global System for Mobile communications

GUT Generator Under Test

HMAC keyed-Hashing Message Authentication Code

HCC Hyper-elliptic Curve Cryptography

ISO International Organization for Standardization

LSB Least Significant Bit

MSB Most Significant Bit

NIST National Institute of Standards and Technology

NSA National Security Agency

PRNG Pseudorandom Number Generator

PROM Programmable Read-Only Memory

PTT Postal and Telecom services

PVC Poly-vinyl Chloride

RAM Random Access Memory

RISC Reduced Instruction Set Computer

ROM Read-Only Memory

RP-RNG Repeating Pattern Random Number Generator

RSA Rivest, Shamir, and Adleman cryptosystem

SRAM Static RAM

ST Source Transition

USB Universal Serial Bus

VHDL Very High Speed Integrated Circuit Hardware Description Language

XOR Exclusive-Or

chi2inv Inverse χ² cumulative distribution function


Acknowledgements

I would like to offer special thanks to the following people, for without their help this thesis would not have been possible. To my supervisor, Professor Anheier, for the opportunity and the advice. To my parents, who have guided and supported me all my life. To David Lubicz, for his discussions into the mathematics of random numbers and random number generators. To the AREHCC team and particularly Philips Semiconductor for introducing me to the problem of testing random number generators on smart cards. To Volker Meyer, for his help with editing my thesis, and to all my friends for their support and suggestions.


Chapter 1

Introduction

In 1965 Gordon Moore, co-founder of Intel, made the observation that the number of transistors per chip doubles every eighteen months. This was picked up by the media and dubbed “Moore’s Law.” Moore’s observation highlights the exponential growth in computer computation power. While this is good news for home computer users and the public in general, the growth does present problems for people who wish to maintain the integrity and security of their data.

Security protocols are measured by calculating the approximate time it takes to crack the system by using brute trial-and-error methods. The judgment is based on current computer processing power. For a given protocol a suggested key length is given that allows for “reasonable” security. The current suggested length for the RSA¹ cryptosystem is 1024 bits; however, this will be upgraded to a 2048-bit key within the next five years. The problem with larger keys is that they require more computational power to process. Long key lengths are not a problem for large computer systems, but this is not the case for small microprocessors, like those used in smart cards.

Smart cards are finding wider acceptance in consumer electronics that require either secure data transmission, identification, or both. A smart card is a plastic or Poly-Vinyl-Chloride (PVC) card with an incorporated microprocessor. It ranges in complexity from a simple memory storage device to a complex microprocessor. Smart cards are also increasing in calculation power, but they have a more restricted working environment than their larger microprocessor siblings, for example, the microprocessor power supply. The power consumption of a desktop computer Central Processing Unit (CPU) has increased with the increase in computational power; for smart cards, work is under way to try and reduce the power consumption.

Current and future smart cards will be a hybrid between contact and contactless cards. For contact cards, power is available to the processor through the terminals and contacts. Contactless cards use induction methods to supply their power, but this does not achieve the same levels of power as are available through the contacts. This sets a limit on the design: it needs low power consumption or else the whole chip has to be clocked at a lower frequency.

¹ A public key cryptosystem developed by Ronald Rivest, Adi Shamir, and Leonard Adleman in 1977.


Not only is the hardware improving for cryptographic applications, but new methods and systems are being researched and discovered. In 1985 Neal Koblitz and Victor Miller independently discovered a public-key cryptographic method that used the algebra of elliptic curves. This new method is able to provide, with a given key length, the same level of security as far larger RSA keys. For example, a 160-bit key in Elliptic Curve Cryptography (ECC) provides the equivalent security to a 1024-bit RSA key. The shorter key requires less memory and processor resources. For the smart card application, research is now focused on elliptic curves and, as the next step, hyperelliptic curves. Currently, ECC is more computationally intensive than the RSA algorithm; however, new hardware and software implementations plus calculation methods bring the ECC processing requirements closer to what is required for RSA. Benefits will be seen with the next jump in RSA key sizes, since the next recommended level is a key length of 2048 bits, whereas the ECC system only needs a key length of 224 bits.

1.1 Motivation

A very important, but often overlooked, aspect of cryptography is the initial seed value for cryptographic algorithms. When using encryption applications it is suggested that the designer use known algorithms and parameters, since these have undergone rigorous testing in public. Usually only military applications have modified or new cryptographic algorithms provided by special governmental departments like the National Security Agency (NSA) or the Bundesamt für Sicherheit in der Informationstechnik (BSI).

Using a published asymmetric algorithm results in an attacker potentially having the algorithm, the parameters, the public key, and the encrypted message when trying to decipher the encrypted message. The only secret aspect lies in the private key, which is produced by a random number generator (RNG).

Random number generators have a long history, but it was not until the advent of the microcomputer that they came into use in normal applications. Today, there are two main classes of random number generators: the true and the pseudorandom number generator. A true RNG incorporates a natural source of entropy and is indeterminate, since it is not known when the next impulse or bit will arrive. A pseudorandom number generator (PRNG) is a deterministic equation that mimics the properties of a true RNG. The benefit of a PRNG is that it is fast and the results are repeatable. Most applications that use RNGs are built with some form of PRNG.

Regardless of the type of RNG, if it is to be used in an application it needs to have four properties: independent output bits, a long period, uniform distribution and efficient bit generation. These four factors are used to judge a good RNG. Random number generators used for cryptographic applications require an extra property: they need to be unpredictable even when the algorithm and the output sequence are known.

The whole encryption process is put in jeopardy should the random number generator fail. If an attacker can change or influence the RNG, they may be able to reduce the possible range of keys generated, which is a reduction in the RNG period. This allows the attacker to perform a brute force attack on the cryptographic algorithm, whereby they test all possible key combinations in the reduced key space.

It is impossible to determine exactly if a random number generator is functioning correctly; however, there do exist mathematical models that can be used with statistical analysis to compare the generator’s output to what a true RNG would produce. A characteristic trait from the Generator-Under-Test (GUT) is selected and, using hypothesis testing, this characteristic is compared to the results from a true RNG. If the results fall outside the acceptance range, the RNG is rejected as being non-random; however, if it is in the acceptance range, it is only accepted as random for the characteristics tested. This acceptance is not a proof of randomness.

The operations used to calculate the statistical acceptance or rejection are heavy loads for the processor. On modern personal computers this does not present a problem due to the large processor and memory storage resources, but on small, microprocessor-capable devices there is not much processing power and memory. For example, smart cards are limited in their processing power, memory, size, and allowable power consumption. As a result, smart cards are not fully capable of implementing all RNG testing in software or hardware.

Older style smart cards require contact to a power source, but newer style cards are either contactless or a hybrid of contact and contactless cards. This forces any new circuitry added to the card to have low power consumption requirements. For smart cards the most important characteristic of any new hardware design is the power consumption, followed closely by design area and time delay. Smart card processors have a limited surface area to be deployed on, and a large portion of this is used by memory. A circuit design’s time delay is a measure of its maximum operating speed. If it cannot handle the processor speed, then it becomes the bottleneck that slows down the whole processor.

Current RNG tests are designed mainly for software implementations. Some common published test suites are the NIST SP800-42, FIPS 140-2, and the Diehard test group. A common standard used by manufacturers for RNG testing is the FIPS 140-2 group. It is a combination of four tests (poker, frequency, runs, and longest runs) that analyse a sequence of 20000 bits. If any of the tests fails, the FIPS 140-2 group reports that the RNG is rejected and non-random.

For security and marketing reasons, smart card manufacturers want to be able to implement standards in their products. In the case of testing the smart card RNG, the main standard is FIPS 140-2; however, current processors and RNGs running software RNG tests are not powerful enough to fulfill the FIPS requirements. In order to achieve the same level of security, new solutions need to be applied. This thesis proposes a new online hardware test unit for the smart card environment that operates during the initialization phase. The first design step is an investigation into the hardware characteristics of eight random number generator tests. The tests are implemented in VHDL using Synopsys™ tools. The power consumption, area, and time delay information garnered from these tests are used to classify the tests, hardware-wise, as complex or simple.

The hardware characteristics are not enough to judge which tests should be applied to the online test unit. Efficient hardware implementation of the random number generator test is only one aspect of finding an efficient online RNG test unit. The number of tests implemented in the test unit needs to be as few as possible, with a sample sequence of minimum length that has no loss in quality. To judge both criteria a simulator is required. A simulator has been programmed in Matlab™ that examines each test individually and in groups, and looks at how they compare to the results of the FIPS 140-2 standard. The simulator simultaneously measures the response of the test(s) using sample sequences varying from 25 to 100000 bits. Each test reaches a minimum sample sequence length where the underlying model does not fit anymore. At this point the test has reached its minimum sequence length for testing of that failure type. From this information a judgment is made on the best test or test combination for each RNG failure type plus a minimum sample sequence. The thesis also includes a recommended online RNG test unit design. It is only a recommendation, since each manufacturer has to balance its own security and hardware requirements to match the exact usage of their cards.

1.2 Previous Work

The first step taken in this thesis was to determine what research has already occurred in this field and what solutions were already available. After interviewing an employee at a smart card manufacturer, it was found that they used a simple exclusive-or operation between generated bits as their test method. This catches catastrophic failure, but it leaves open the possibility of other failures like a repeating pattern or outside frequency interference.
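As an added example (not code from the thesis), the following Python contrasts the manufacturer's exclusive-or check described here with the four FIPS 140-2 tests on a 20000-bit sample from Section 1.1, run over constructed inputs: a stuck-at generator, a repeating-pattern generator of the RP-RNG kind, and a seeded PRNG. The acceptance intervals are assumed from the FIPS 140-2 tables (as amended by its change notices) and should be checked against the standard; the function names are my own.

```python
"""Added example: FIPS 140-2 style power-up tests versus a bare XOR check.

Thresholds below are assumed from the FIPS 140-2 tables (section 4.9.1, as
amended by the change notices) and must be verified against the standard.
"""
import random

SAMPLE_BITS = 20000
MONOBIT_RANGE = (9725, 10275)   # number of ones must lie strictly inside
POKER_RANGE = (2.16, 46.17)     # poker statistic must lie strictly inside
RUNS_RANGES = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 = "6 or longer"
LONG_RUN_LIMIT = 26             # a run of this many bits or more fails the sample


def xor_adjacent_check(bits):
    """The manufacturer's check from Section 1.2: XOR neighbouring bits and
    require that at least one pair differs. It only catches a stuck-at output."""
    return any(a ^ b for a, b in zip(bits, bits[1:]))


def monobit(bits):
    """Frequency test: count the ones in the sample."""
    ones = sum(bits)
    return ones, MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]


def poker(bits):
    """Poker test: histogram of the 5000 non-overlapping 4-bit values, compared
    with the uniform expectation by a chi-square style statistic."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        value = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[value] += 1
    n = len(bits) // 4
    x = 16 * sum(c * c for c in counts) / n - n
    return x, POKER_RANGE[0] < x < POKER_RANGE[1]


def run_lengths(bits):
    """Tally maximal runs of zeros and ones by length (capped at 6) and
    return the tally together with the longest run observed."""
    tally = {0: dict.fromkeys(range(1, 7), 0), 1: dict.fromkeys(range(1, 7), 0)}
    longest = 0
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        tally[bits[i]][min(length, 6)] += 1
        longest = max(longest, length)
        i = j
    return tally, longest


def runs(bits):
    """Runs test: every run-length bucket, for zeros and for ones, must be in range."""
    tally, _ = run_lengths(bits)
    ok = all(RUNS_RANGES[k][0] <= tally[v][k] <= RUNS_RANGES[k][1]
             for v in (0, 1) for k in range(1, 7))
    return tally, ok


def long_run(bits):
    """Longest run test: no run may reach LONG_RUN_LIMIT bits."""
    _, longest = run_lengths(bits)
    return longest, longest < LONG_RUN_LIMIT


def fips_140_2(bits):
    """Apply all four tests; as in the standard, one failing test rejects the sample."""
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-2 tests are defined on exactly 20000 bits")
    results = {"monobit": monobit(bits)[1], "poker": poker(bits)[1],
               "runs": runs(bits)[1], "long_run": long_run(bits)[1]}
    results["accepted"] = all(results.values())
    return results


# Constructed samples (not measurements from the thesis).
STUCK_AT_ONE = [1] * SAMPLE_BITS                       # catastrophic failure
REPEATING_PATTERN = [0, 1, 1, 0] * (SAMPLE_BITS // 4)  # RP-RNG style failure


def prng_sample(seed=12345):
    """A seeded software PRNG standing in for a healthy generator."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(SAMPLE_BITS)]


if __name__ == "__main__":
    for name, sample in (("stuck-at-1", STUCK_AT_ONE),
                         ("0110 pattern", REPEATING_PATTERN),
                         ("seeded PRNG", prng_sample())):
        print(f"{name:12s} xor check: {xor_adjacent_check(sample)!s:5s} "
              f"fips: {fips_140_2(sample)}")
```

The repeating pattern passes the XOR check and the monobit test but is rejected outright by the poker and runs tests, which is the gap the thesis describes.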

A literature and patent search revealed very little information. There were seven patents for online testing of random number generators [Har03g, Har03f, Har03e, Har03b, Har03a, Har03c, Har03d]; however, they were software solutions in C++.

The solutions found are not acceptable test solutions that operate during the initialization of the smart card. No other literature or patents have been found that dealt with the hardware implementation of online RNG tests.

1.3 Contents of the Thesis

In the following chapter, the thesis starts with an introduction to smart card technology. This provides the basic framework from which the boundary conditions for the Test Unit design are gathered. Chapter 3 is an introduction to a cryptographic system where random numbers play an important role. This chapter emphasizes the importance of random numbers and why it is imperative that the RNG is working properly. Before going into the theory of testing RNGs, Chapter 4 begins with the theory of random binary sequences and their generators. After this, the statistical theory for testing RNGs is introduced. Chapter 5 is the first part of the solution to find the optimum RNG test unit for smart cards. The hardware characteristics of eight tests are examined. The second part of the Test Unit solution continues in Chapter 6, where a simulator is presented to judge which test should be implemented and the minimum length of the sample sequence for each failure type. In Chapter 7 an analysis of the results from the previous two chapters is done to determine the optimum smart card test unit. The designed test unit is compared to the original FIPS standard unit. The thesis is then summarized and further study remarks are given in Chapter 8.


Chapter 2

Smart Cards

Although smart cards are now very common, the technology is still very new, with the first smart cards appearing in the 1970s. Since then, their evolution has been very rapid. Smart cards have advanced from simple memory cards to very efficient “microcomputers” with multiple applications. Equipped with a microcontroller, these cards are able to store and protect information using cryptographic algorithms. They are also resistant to physical stresses such as twisting and bending. The physical structure of the smart card consists of a small plastic rectangle with a magnetic stripe, holograms, relief characters and an embedded chip. They are small, and easy to use and carry. The security and portability of smart cards provide a safe, reliable, convenient, and effective way to ensure secure transactions (banking, e-business, etc.), and to enable a broad range of applications. Thus, modern smart cards can be used in any system that needs security and authentication. They have proven to be an ideal means of making high-level security available to everyone. This chapter aims to present an overview of today’s smart card technology and show the limitations that smart card manufacturers must take into account when implementing cryptographic algorithms, for example, elliptic or hyperelliptic curve algorithms, in a smart card environment.

2.1 History

In the beginning of the 1950s, the first plastic (PVC) cards appeared in the USA as a substitute for paper money. They were initially aimed at the rich and powerful, and were only accepted by prestigious hotels and restaurants. These cards were very simple, with the owner’s name printed in relief, and sometimes the handwritten signature was added. These cards provided a more convenient payment system than paper money. With the involvement of VISA™ and MasterCard™ in plastic money, credit cards spread rapidly around the world. Later a magnetic stripe was added to reduce fraud and to increase security. Confidential digitized data was stored on this stripe, but this information was accessible to anyone possessing the appropriate card reader. Between 1970 and 1973 there was a significant development in plastic cards with the addition of microcircuits to the card. Many patents were filed during this time; the best known inventors include J. Dethleff, K. Arimura, and R. Moreno. The term “smart card” was proposed by R. Bright. It was not until 1984 that the smart card was first put into commercial use by the French PTT (postal and telecom services) with their first telephone cards (smart cards with memory chips). By 1986, millions of these smart cards were sold in France and other countries. After telephone cards, the next big application was their use as banking cards. This development was more difficult because they contained more complicated chips that were able to compute cryptographic calculations. A number of ISO standards were created to encourage interoperability of smart cards. By 1997, bank cards were widely used in France and Germany. The microcontrollers continued to advance and became more powerful with larger memory capacity. This allowed for sophisticated cryptographic algorithms, providing higher levels of security. Nowadays, smart cards are present all over the world, and their use is likely to spread even further.

2.2 Smart Card Properties

Smart cards are physically similar to the classic embossed plastic cards. The older model cards are used as the base design for the newer smart cards. There are two different categories of smart cards: memory only cards, which are the cheapest and the simplest, and microprocessor cards, which are more expensive, but have more applications and security features. The structure of smart cards is standardized by ISO, principally ISO 7816 [gro99a, gro99b, gro99c, gro99d] and ISO 7810 [gro95].

The following sections look at the different aspects of the smart card properties.

2.2.1 Physical properties

The most widely used smart card format, ID-1, is part of the 1985 ISO 7810 standard [gro95]. Most smart cards are made from PVC (Polyvinyl Chloride), which is also used for credit cards. Some are made from ABS (Acrylonitrile-Butadiene-Styrol), but they cannot be embossed; an example application is the mobile phone card.

The body of the card includes the following components: magnetic stripe, signature strip, embossing, imprinting of personal data (picture, text, fingerprint), hologram, security printing, invisible authentication features (fluorescence, UV), and a microprocessor chip.

The chip module and its embedding

The chip module, also called the micromodule, is the thin gold contact seen on the left side of the smart card. This module needs to be firmly attached to the plastic of the card. Its purpose is to protect the card and the microprocessor chip. The contacts for contact-type smart cards can also be in the chip module.


Many embedding techniques have been tested and used with the aim of optimizing overall card resilience to everyday physical and mechanical stresses (temperature, abrasion, twisting, bending, etc.) while keeping production costs as low as possible.

Contact and Contactless Cards

There are two main ways a smart card can communicate with the card terminal: through physical contact or by using a contactless connection. Contact cards were the first type of smart card on the market. However, with new advances in microcircuit technology, contactless cards have become physically feasible.

Contact Card

This is currently the most common type of card. It communicates via a card reader where the information passes through the contacts. There are metal contacts inside the card reader and on the chip module of the smart card. The position and dimensions of these contacts (power supply, data transfer, etc.) are set in the ISO 7816-2 standard [gro99b]. Another standard, AFNOR, is still in use by some cards in France, but is likely to disappear in the near future.

Figure 2.1: Pin layout for contact smart cards (figure not reproduced; it shows the contact pads C1 to C8 with their signals VCC, RESET, CLK, RFU, GND, VPP, I/O and RFU).

There are 8 contact areas C1...C8:

C1: Supply voltage, VCC
C2: Reset
C3: Clock, CLK
C4: Not in use, reserved for future use
C5: Ground, GND
C6: External voltage programming
C7: Input/Output for serial communication
C8: Not in use, reserved for future use


Contactless Card

These cards contain special circuits, which allow data transmission over short distances without mechanical contact and without a direct supply of power. This technology is not new but is difficult to apply to smart cards. At the moment it is not possible to incorporate a battery into the card due to the size and thickness of the card, but research is ongoing to overcome this problem.

Not only is there a problem supplying power to the smart card circuits, but data and clock signals also need to be transmitted between the card and the terminal. The technique of capacitive and inductive coupling, at this time, is the most suitable for smart cards and has been standardized in ISO/IEC 14443 [gro00]. This standard presents a method for capacitive and inductive coupling where the card’s conductive surfaces act as capacitor plates. One or several coupling loops are integrated into the card to receive energy from the terminal. A carrier frequency in the range of 100-300 kHz is used, which allows very rapid transmission.

Dual Interface or “combi cards”

In the future it is likely that “combi-cards” will become more common. They combine the advantages of contact and contactless cards. In ISO/IEC 10536 the application is described as "slot or surface operation." Depending on the operation, the card must either be inserted in a slot to make contact or placed on a certain surface for a contactless transaction. This type of card allows applications such as credit, debit, membership, and mass transit to be used on the same card.

2.2.2 Electrical properties

The electrical properties of a smart card depend on its embedded microcontroller, since this is the only component of the card with electrical circuitry. The basic electrical requirements are defined by the ISO/IEC 7816-3 standard, Part 3: Electronic signals and transmission protocols [gro99c]. Electrical characteristics and class indication for operating at 5 V, 3 V, 1.8 V are described within Amendment 1. Amendment 2, which describes a USB interface for smart cards, is currently under preparation. The GSM mobile telephone network (GSM 11.11) should be men-

tioned here, because it also contributes to the requirements in this area. Further modifications of

the ISO/IEC 7816 standard are driven by the UMTS specification.

Supply Voltage

A smart cards supply voltage is 5 V, with a maximum deviation of±10%. This voltage, which is

the same as that used for conventional transistor-transistor-logic (TTL) circuits, is standard for all

cards currently on the market. Since all modern cellular telephones are built on 1.8 V technology

(GSM 11.18), modern smart cards are designed for a voltage range of 1.8-5 V ±10%, which

Page 21: Improving Security For Elliptic Curve Implementations on ...elib.suub.uni-bremen.de/diss/docs/00010630.pdf · Improving Security For Elliptic Curve Implementations on Smart Cards:

2.2. SMART CARD PROPERTIES 11

Specification ISO 7816-3 GSMNotation Class A Class B GSM 11.11 GSM 11.12 GSM 11.18Supply voltage 5 V 3 V 5 V 3 V 1.8 VSupply current 60 mA 50 mA 10 mA 6 mA 4 mAFrequency 5 MHz 4 MHz 5 MHz 4 MHz 4 MHzPower consumption 300 mW 150 mW 50 mW 18 mW 7.2 mW

Table 2.1: Smart card power consumption specified by ISO 7816 and the GSM specifications [WW00].

results in an effective voltage range of 1.6-5.5 V. They can be used in both, 1.8 V and 5 V

terminals, to keep the advantage of simple and straightforward card usage.

Supply Current

The built-in microcontroller obtains its supply voltage via contact C1 (see Figure 2.1). According to the GSM 11.11 specification, the current may not exceed 10 mA, so the maximum power dissipation is 50 mW, with a supply voltage of 5 V and an assumed current consumption of 10 mA. Table 2.1 gives an overview of the currently defined maximum power consumption classes specified by ISO 7816 and GSM.

The current consumption is directly proportional to the clock frequency used, so it is also possible to specify the current as a function of the clock frequency: Dynamic Power = C·V²·f, where C is the load, V is the voltage swing, and f is the frequency [SS91]. State-of-the-art smart card microcontrollers use configurable internal clock frequencies for their processor and their arithmetic coprocessor. Hence, the current consumption depends not only on the external clock, but also on the given configuration of the microcontroller itself and the setting of the coprocessor. The coprocessor can be programmed to keep power consumption under a set value, for example, the GSM values.

2.2.3 Memory

Smart cards can be divided into two main components: the processor (including coprocessor) and memory. Memory can be sub-divided into volatile and non-volatile memory. Figure 2.2 shows the different types of volatile and non-volatile memory. Since the smart card needs to be able to function as an independent unit, most cards will be found with a combination of RAM, ROM, and EEPROM.

Figure 2.2: Types of memory found in smart cards [WW00]. Non-volatile memory: ROM, PROM, EPROM, EEPROM, Flash EEPROM, FRAM; volatile memory: RAM.

Read-only Memory (ROM)

ROMs are non-volatile memory that can be randomly accessed during reading. There is no limit to the number of times the memory can be read, but it can only be written during production. This type of memory requires no voltage to hold the information, so when the power is disconnected, the data is still retained. This is excellent memory for storing vital programs that the smart card needs to run, like the operating system and the diagnostic functions. The data is imprinted onto the chip by using lithographic techniques. ROM cells require the least amount of area per cell compared to other available types of memory.

Random Access Memory (RAM)

RAM is the work area for the smart card. It can quickly read and write data, and there is no limit to the number of writes a RAM cell can handle. However, since it is volatile memory, constant power needs to be supplied, or otherwise the contents will be lost. The method for accessing this memory is what gives it its name: random access means that the memory is selected and directly accessed without having to sequentially traverse the memory block.

In smart cards, the most common form of RAM is static RAM (SRAM), which, unlike dynamic RAM (DRAM), does not need to be periodically refreshed. SRAM has flip-flops as the basic component, while DRAM uses capacitors with refresh circuitry.

Smart card chip designers try to keep the amount of RAM to a minimum, since it requires a large area per cell. Indeed, RAM cells require seventeen times more area than a ROM cell [WW00].

Programmable Read-only Memory (PROM)

Programmable read-only memory is similar to ROM in that once it has been written to it cannot be rewritten. The difference is that the code does not need to be written with lithographic techniques. PROM has a serious drawback: access needs to be granted to the address, data and control buses for the writing process. This leaves a security hole in the smart card that a hacker could use to read the data stored on the chip. PROM is not used in smart cards because of this vulnerability.

Figure 2.3: Threshold voltage curves for programmed and preprogrammed state [SS91]; a) preprogrammed (1), b) programmed (0); i_D plotted against v_GS with the sensed voltage marked.

Figure 2.4: EPROM during programming [SS91]; cross-section showing the p substrate, depletion layer, n+ source and drain, n channel, oxide, floating gate and select gate, with +25 V on the select gate and +16 V on the drain.

Erasable Programmable Read-only Memory (EPROM)

An EPROM is essentially an n-channel MOSFET (Metal-Oxide-Semiconductor Field Effect Transistor) with an extra polysilicon gate called the floating gate. Initially, the EPROM finds itself in a preprogrammed state where the device has an i_D-v_GS characteristic similar to the n-channel MOSFET. The threshold voltage is relatively low, as can be seen in Figure 2.3 a). This state is generally labeled as state "1."

In order to program the EPROM, a large voltage needs to be applied, around 16 to 20 V, between the drain and source (see Figure 2.4). Simultaneously, a voltage of approximately 25 V needs to be applied to the select gate. Since smart card controllers use a supply voltage between 3 and 5 V, a cascaded voltage-multiplier circuit, or charge pump, needs to be used to generate the required voltage levels.

The device acts as a regular n-channel enhancement MOSFET when there is no charge present on the floating gate. With the voltages present, a tapered n-type inversion layer is formed at the surface of the substrate. The drain-to-source voltage accelerates the electrons through the channel. The electric field formed by the voltage on the select gate attracts the hot electrons (the accelerated electrons) towards the floating gate. At the floating gate the electrons collect, causing the gate to become negatively charged. This process continues until enough negative charge has formed on the floating gate to reduce the strength of the electric field to the point where it can no longer accelerate hot electrons.

The negatively charged floating gate repels electrons away from the surface of the substrate. To compensate for the loss of electrons in the region, a larger select gate voltage is required to form an n-channel. This shifts the i_D-v_GS characteristic upwards, as can be seen in Figure 2.3 b) [SS91].

For the microcontroller to read the state of the EPROM, the unit needs only to apply a test V_GS between the two i_D-v_GS curves. If current flows, the EPROM is in state "1"; if it does not flow, then it is in state "0."

For smart cards, EPROM was used by the French PTT in their first telephone cards, since, at that time, it was the only ROM-type memory available [WW00]. As with other ROM types, it does not require a supply voltage to retain the data. EPROM can be reprogrammed, but it first requires ultraviolet light to erase the old data. This method is not feasible for smart cards, so this technology has been abandoned in favour of newer erasable ROMs.

Electrically Erasable Programmable Read-only Memory (EEPROM)

As with regular computers, sometimes data needs to be read, altered and then stored with the possibility that the voltage supply is disconnected. Computers use hard drives to store the data for longer periods of time, but smart cards do not have this option. Instead they use a type of ROM that can handle multiple writes. EPROM can only be erased with ultraviolet light, which makes it unsuitable as a multi-write memory. The solution is found with another type of ROM that can be electrically erased, the electrically erasable programmable read-only memory (EEPROM).

EEPROM operates similarly to the method described in Section 2.2.3. There are two main differences between EPROM and EEPROM. The first difference is how the electrons travel from the substrate to the floating gate. The method described in Section 2.2.3 uses hot electron injection, while standard EEPROM uses the tunnel effect (Fowler-Nordheim effect). A high positive voltage at the select gate causes electrons to migrate through the tunnel oxide to the floating gate, where they collect. Eventually, the floating gate becomes negatively charged.

The second difference between EPROM and EEPROM is how the data is erased. As stated earlier, EPROM requires ultraviolet light to reset its state. For EEPROM a negative voltage applied to the select gate forces the electrons from the floating gate back to the substrate. After this process, the EEPROM is classified again as discharged and V_t is low.

Similar to RAM and other types of ROM, EEPROM can be read an unlimited number of times. However, there is a limit to the number of writes that can be performed. The life expectancy is limited by the quality, type, and thickness of the tunnel oxide layer, which is the oxide layer between the floating gate and the substrate (see Figure 2.4). During production the tunnel oxide is one of the first layers to be produced. As the rest of the production continues, it undergoes large thermal stresses that cause minute faults in the oxide layer. These allow the tunnel oxide to absorb electrons during the programming cycle, which are not returned to the substrate when the data is erased. The trapped electrons then collect at the channel between the drain and source. This process continues until enough electrons have collected that they influence the threshold voltage to a greater degree than the floating gate. The threshold voltage then stays in one state regardless of whether the floating gate is charged or not; the EEPROM becomes useless.

2.3 Types of Smart Cards

2.3.1 Memory only cards (also called synchronous cards)

This was the first type of card to be widely used. The prepaid telephone cards mentioned in the introduction are an example of this type of card. The data required for the applications is stored in the EEPROM memory (EPROM for the first cards). In the simplest case the cards use memory that can only be written to once, and then after use the memory is deleted and made inoperable (the Thomson ST1200 SGS, introduced in 1983, worked in this way). The addition of a security logic device allows more control over memory access. There now exist more complex memory cards which can perform simple encryption.

These types of cards are easy to use, the electronics are simple, the chip is small, and the price is low. However, memory space and flexibility are limited, and they are not suited to security applications.

2.3.2 Microprocessor cards (also called asynchronous cards)

These cards are equipped with an "intelligent circuit": a processor connected to memory blocks, capable of carrying out complex calculations. The added functionality of the microprocessor allows for higher security and more application choices. However, as a result, these cards are larger and more complex. It is possible to connect other devices to the microprocessor for communication, special operations or security. Figure 2.5 shows many of the possible components that can be added to the microprocessor card. There are many different types of microprocessor smart cards. All of them function as a secured unit, protected from unauthorized access.

All microprocessors (and most computers) employ the principle of the stored-program digital computer. This means that data and instructions, which are stored in a memory area, must first be loaded into registers. The central processing unit (CPU) then operates on these registers and places the results back into the memory areas.

Figure 2.5: Components of the microprocessor (CPU, crypto device, timers, UART, security sensors, RAM, ROM and EEPROM, connected by a bus).

Table 2.2: Characteristics of CISC and RISC based processors.

CISC                                                       RISC
Extensive instruction set.                                 Small instruction set.
Complex and efficient machine instructions.                Simple instructions.
Advanced instructions microencoded.                        Hardwired machine instructions.
Extensive addressing capabilities for memory operations.   Few addressing modes.
Few registers.                                             Many registers.

The CPUs used in smart cards are usually built around proven modules from other applications. Many CPUs are based on the CISC (Complex Instruction Set Computer) architecture, which requires several clock cycles per instruction. However, CPUs based on the RISC (Reduced Instruction Set Computer) architecture are becoming more common. Table 2.2 shows the different characteristics of CISC and RISC type processors. Many current CISC type processors are based on one of two main families, the Intel 8051 or the Motorola 6805 family. Manufacturers take the base design of either a CISC or RISC processor and add their own functionality as needed. Some common smart card processor manufacturers are Philips S.C., Infineon, ST Microelectronics, Hitachi, ARM, and MIPS.

The processing speed of the smart card is controlled by a clock circuit normally set to 5 MHz. Modern smart card processors use clock multipliers (by two or four) to increase this operating clock speed for internal calculations. Using clock multipliers, smart cards are able to operate at speeds between 20 and 30 MHz.

The area occupied by the microprocessor on the chip has a big influence on its manufacturing costs and its resistance to bending and shearing forces. Therefore, effort is made to reduce the chip's size as much as possible. The chip's surface area must be less than 25 mm². This means that the microprocessor contains between 150 000 and 200 000 transistors using a 0.25 or 0.30 μm CMOS process for chip fabrication. New smart card microprocessor designs use the 0.18 μm CMOS process.

To provide additional functionality to the smart card, manufacturers add specialized coprocessors to perform only specified tasks. The next section takes a closer look at coprocessors in smart cards.

Coprocessors

Coprocessors are used on the majority of current chips for special operations. Among those used for cryptography are:

• a DES [NIS99a] coprocessor: for DES encryption/decryption;
• a random number generator coprocessor: allows the use of random values in algorithms;
• an arithmetic coprocessor: dedicated to arithmetic operations (modular operations) on long integers.

An arithmetic coprocessor is essential for asymmetric cryptography algorithms such as RSA, DSA, ECDSA ... [Mur01]. Adding such coprocessors has a significant impact on the cost of the chip, increasing it by as much as a factor of ten. This being the case, one may wonder why, with increasingly powerful processors, it continues to be necessary to add coprocessors. But at the same time cryptographic algorithms require longer keys to keep them secure, so coprocessors are likely to remain necessary for high performance cards.

Chapter 3

Elliptic Curve Theory and Cryptography

In 1985 Koblitz [N. 87] and Miller [V.S86] independently suggested elliptic curves for public key cryptography. The first methods for calculating elliptic curve additions and scalar multiplications were very complicated; however, by the late 1990s the process had been optimized to the point where it could compete with other public key cryptosystems. Elliptic curves provide the same security level as competing public key cryptosystems but at a much smaller key length, hence providing a saving in cost, calculation time and implementation size.

A very good introduction to elliptic curve cryptography can also be found in [Cor98, Dah00, Kne02, V.S86, Mil96, Ros99].

3.1 Elliptic Curve Algebra

The elliptic curve E(k) over a field k is defined as a set of points P_i = (x_i, y_i) in an affine two-dimensional space. The "Weierstrass" form of the elliptic curve is

y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.   (3.1)

The values for a_i, x and y are elements of the field k.

Definition: Let O_∞ be the identity element that satisfies P + O_∞ = P. This point is also called "the point at infinity."

The "Weierstrass" equation can be rewritten depending on the field chosen, F_p or F_{2^m}.

3.2 Point Operations on Elliptic Curves over Prime Fields F_p

If p > 3 is an odd prime and a, b ∈ F_p satisfy 4a^3 + 27b^2 ≠ 0 (mod p), then the elliptic curve E(F_p) is

y^2 = x^3 + ax + b.   (3.2)

A point addition operator + using the O_∞ element can be defined on the set E(F_p) to form an abelian group. With P = (x_1, y_1), Q = (x_2, y_2) and P, Q ∈ E(F_p), the addition operator + is defined as follows (see Figure 3.1):

1. For point addition, P + Q = (x_3, y_3) and P ≠ ±Q:

x_3 = \lambda^2 - x_1 - x_2,   y_3 = \lambda (x_1 - x_3) - y_1,   \lambda = \frac{y_2 - y_1}{x_2 - x_1}   (3.3)

2. For point doubling, P + P = 2P = (x_3, y_3):

x_3 = \lambda^2 - 2x_1,   y_3 = \lambda (x_1 - x_3) - y_1,   \lambda = \frac{3x_1^2 + a}{2y_1}   (3.4)

The addition of two different points on the elliptic curve requires the following arithmetic operations in F_p: six additions, one squaring, two multiplications and one inversion. Point doubling on the elliptic curve in F_p requires: eight additions, two squarings, two multiplications, and one inversion.

The previous equations can also be obtained graphically by applying the following steps:

• To calculate R = P + Q (see Figure 3.1 a)):

1. Plot P = (x_1, y_1) and Q = (x_2, y_2) on the curve;
2. Connect P and Q with a line;
3. The point where the line intersects the curve is the new point -R = (x_3, -y_3);
4. Mirror -R over the y-axis to get the new point R = (x_3, y_3).

• To calculate R = 2P (see Figure 3.1 b)):

1. Plot P = (x_1, y_1) on the curve;
2. Draw the tangent to the curve at point P, where the slope of the tangent is \lambda = \frac{3x_1^2 + a}{2y_1};
3. The point where the tangent line intersects the curve is the new point -R = (x_3, -y_3);
4. Mirror -R over the y-axis to achieve the new point R = (x_3, y_3).

Figure 3.1: Geometric elliptic curve addition and doubling; a) R = P + Q constructed from the line through P and Q and its third intersection -R, b) R = 2P constructed from the tangent at P and its second intersection -R.

The order of the elliptic curve is the number of points in E(F_p), denoted by #E(F_p). For prime fields Hasse's theorem [Gjø00, N. 87] provides a bound for #E(F_p):

q + 1 - 2\sqrt{q} \le \#E(F_p) \le q + 1 + 2\sqrt{q}   (3.5)

where q is the prime power.

3.3 Point Operations on Elliptic Curves over Polynomial Fields F_{2^m}

It is common to implement elliptic curves on computers in either the F_p field or the F_{2^m} field. The constants for F_{2^m} can be in either polynomial or normal basis. The reduced Weierstrass form for F_p is different from that for F_{2^m}. The polynomial field has two possible forms, called the "supersingular" curve:

y^2 + y = x^3 + a_4 x + a_6   (3.6)

and the "nonsupersingular" curve:

y^2 + xy = x^3 + a_2 x^2 + a_6   (3.7)

The addition of two points using a polynomial elliptic curve E(F_{2^m}) over F_{2^m} follows similarly to the F_p case:

1. For point addition, P + Q = (x_3, y_3) and P ≠ ±Q:

x_3 = \lambda^2 + \lambda + x_1 + x_2 + a_4,   y_3 = \lambda (x_1 + x_3) + x_3 + y_1,   \lambda = \frac{y_2 + y_1}{x_2 + x_1}   (3.8)

2. For point doubling, P + P = 2P = (x_3, y_3):

x_3 = \lambda^2 + \lambda + a_4,   y_3 = \lambda (x_1 + x_3) + x_3 + y_1,   \lambda = x_1 + \frac{y_1}{x_1}   (3.9)

Point addition in F_{2^m} has a little more overhead than its F_p counterpart, with: one inversion, two multiplications, one squaring and eight additions. Point doubling, however, has a lower overhead, with: one inversion, two multiplications, one squaring and six additions.

Definition: Let p be the characteristic of F_q, and let t = q + 1 - #E. The elliptic curve E is supersingular if p divides t, else it is nonsupersingular.

Care must be taken in choosing the proper F_{2^m} curves for cryptographic applications. Supersingular curves allow for quick calculations; however, they are also susceptible to certain attacks. When using nonsupersingular curves care must also be taken, since there are curves where the Frey-Rück attack applies [Coh05]. However, for nonsupersingular curves there are still many groups that are not vulnerable to attack, whereas supersingular curves are always vulnerable [Gal01].
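As an added example (not code from the thesis), the group law (3.8)/(3.9) on the nonsupersingular curve (3.7) over F_{2^m} in polynomial basis, together with a brute-force point count that applies the definition above (p = 2 divides t = q + 1 - #E) to one instance of (3.6) and one of (3.7). The reduction polynomial x^5 + x^2 + 1, the coefficients and the points are constructed for illustration; in x_3 the code adds the x^2 coefficient of (3.7), called a_2 there, since that is the constant that keeps the result on the curve (the block checks this).

```python
# Added example, not from the thesis: F_{2^m} in polynomial basis, the group
# law of the nonsupersingular curve (3.7), and the supersingularity test.
# Field size, reduction polynomial, coefficients and points are constructed.

M = 5
POLY = 0b100101   # x^5 + x^2 + 1, irreducible over F_2 (constructed choice)
Q = 1 << M        # q = 2^m = 32; field elements are ints < Q (bit i = x^i)
INF = None        # O_inf, the point at infinity


def f_mul(a, b):
    """Carry-less multiply of two field elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:          # degree reached m: subtract (xor) the polynomial
            a ^= POLY
    return r


def f_inv(a):
    """a^(2^m - 2) by square-and-multiply; the inverse for a != 0 (Fermat)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_2^m")
    r, e = 1, Q - 2
    while e:
        if e & 1:
            r = f_mul(r, a)
        a = f_mul(a, a)
        e >>= 1
    return r


def on_ns(x, y, a2, a6):
    """Point test for the nonsupersingular form (3.7)."""
    x2 = f_mul(x, x)
    return f_mul(y, y) ^ f_mul(x, y) == f_mul(x2, x) ^ f_mul(a2, x2) ^ a6


def on_ss(x, y, a4, a6):
    """Point test for the supersingular form (3.6)."""
    x2 = f_mul(x, x)
    return f_mul(y, y) ^ y == f_mul(x2, x) ^ f_mul(a4, x) ^ a6


def neg(P):
    """-(x, y) = (x, x + y) on the curve (3.7)."""
    return INF if P is INF else (P[0], P[0] ^ P[1])


def add(P, R, a2):
    """P + R on (3.7): (3.8) for distinct x, (3.9) for doubling."""
    if P is INF:
        return R
    if R is INF:
        return P
    x1, y1 = P
    x2, y2 = R
    if x1 == x2:
        if y2 == x1 ^ y1:
            return INF                          # R == -P (also 2P when x1 == 0)
        lam = x1 ^ f_mul(y1, f_inv(x1))         # lambda = x1 + y1/x1       (3.9)
    else:
        lam = f_mul(y1 ^ y2, f_inv(x1 ^ x2))    # lambda = (y1+y2)/(x1+x2)  (3.8)
    # x3 = lambda^2 + lambda + x1 + x2 + a2; x1 + x2 vanishes when doubling
    x3 = f_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a2
    y3 = f_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def mul(k, P, a2):
    """k * P by double-and-add (not constant-time)."""
    acc, base = INF, P
    while k:
        if k & 1:
            acc = add(acc, base, a2)
        base = add(base, base, a2)
        k >>= 1
    return acc


def count_points(is_on):
    """#E(F_2^m) by brute force over every (x, y), plus O_inf."""
    return 1 + sum(1 for x in range(Q) for y in range(Q) if is_on(x, y))


def trace_and_supersingular(n):
    """t = q + 1 - #E; supersingular iff the characteristic p = 2 divides t."""
    t = Q + 1 - n
    return t, t % 2 == 0


if __name__ == "__main__":
    a2, a6 = 0, 1                              # constructed: y^2 + xy = x^3 + 1
    P = (1, 0)                                 # constructed point of order 4
    print("2P =", add(P, P, a2), " 4P =", mul(4, P, a2))
    n_ns = count_points(lambda x, y: on_ns(x, y, a2, a6))
    n_ss = count_points(lambda x, y: on_ss(x, y, 1, 1))
    print("(3.7) #E, (t, supersingular):", n_ns, trace_and_supersingular(n_ns))
    print("(3.6) #E, (t, supersingular):", n_ss, trace_and_supersingular(n_ss))
```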

Elliptic curve algebra, shown here, is the basis for a popular form of asymmetric cryptography. The next section presents the differences between asymmetric and symmetric cryptography and a common implementation of the elliptic curve in cryptographic applications.

3.4 Cryptography

Throughout history there are many examples of people using cryptography to secure their messages or information. The communication model can be viewed as in Figure 3.2. Person 1 wants to communicate privately with Person 2; however, Person 3 uses available techniques to listen in. If Person 3, the attacker, can see and/or modify the information, the communication channel is insecure.

Figure 3.2: Communication channel between Person 1 and 2 with Person 3 attacking the channel.

Other examples of communication are variations on Figure 3.2 where Person 2 may be a human, as would be the case for cellphone calls, or it could be a website where Person 1 may wish to make a purchase, or it may be a smart card automated teller machine (ATM). Each of these examples can lead to financial and reputation loss if a third person retrieves Person 1's information or if the attacker can imitate Person 1. These are some examples that illustrate the goals of security. From the previous paragraph the following list of security goals can be formed:

Confidentiality: The information is kept private, and only authorized people or devices may see and interact with the information.

Data Integrity: The data retains its original message, even when transmitted over an open medium. A third person is not able to alter the data without the receiver being aware of it.

Authentication: The receiver is assured that the data comes from the intended sender.

Non-repudiation: The receiver is able to convince an impartial third party that the data originated from the sender.

There are two forms of cryptography currently available, symmetric and asymmetric key cryptography (see Figures 3.3 and 3.4). Both methods are used regularly to secure data; for example, symmetric key cryptography is often used for high data transfer applications, since it is 1000 to 10000 times faster than equivalent asymmetric key algorithms [APS96]. Asymmetric keys are often used in secure key management and exchange over an unsecured channel; the Diffie-Hellman public key algorithm [Kae04] is such an example.

3.4.1 Symmetric (Private) Key Cryptography

For symmetric key systems both parties (encrypter and decrypter) need to have the same key. Figure 3.3 gives a visual picture of the symmetric key encryption process. The sender has a plain text message and a private key p_secret, which they input into the symmetric encryption algorithm. The function then outputs an encrypted text message that can be openly sent to the receiver. However, the key needs to be transported by some secure method, either by physically exchanging the key or through newer key management systems that transport keys securely. The receiver has the encrypted message, the private key, and the decryption algorithm. They use the key and the cipher message as input for decryption. The output is the plain text message.

A system is said to be secure when the attacker has the ciphering algorithms and the cipher message, but is not able to recalculate the plain text message (in a reasonable time period).

Figure 3.3: Symmetric encryption scheme. A random number generator produces the secret key p_secret, which reaches the receiver by secure transport; the sender's symmetric encryption algorithm (encrypt) turns the plain text message into the encrypted text message sent over the open channel, and the receiver's symmetric encryption algorithm (decrypt) recovers the plain text message with the same p_secret.

3.4.2 Asymmetric (Public-Private) Key Cryptography

One of the major drawbacks of the private key encryption method is how to give both parties exclusive access to the private key. If they are at the same location, it is not a problem, but that is not always the case. A message may need to be sent to people who are far from each other. A solution to this problem was introduced in 1976 with the advent of asymmetric or public key encryption.

Public key encryption works by using two keys, a public and a private key. The key pair is selected such that deriving the private key from the public key is equivalent to solving a computational problem that is believed to be intractable.

If the sender wants to send a message, as in Figure 3.4, the receiver must first supply the sender with a public key PK_rec over an unsecured channel. The sender then uses the receiver's public key PK_rec and their own private key p_sen to calculate a common secret S. An encrypted message can be created with S, the plain text message and the encryption function. The encrypted message is sent to the receiver, where they first calculate the common secret S using their private key p_rec and the public key from the sender PK_sen. The common secret is used again with the symmetric encryption algorithm (in decrypt mode) and the encrypted message to recreate the plain text message.

Figure 3.4: Asymmetric encryption. The sender's and receiver's random number generators produce the private keys p_sen and p_rec; the public keys PK_sen = p_sen·Q and PK_rec = p_rec·Q are exchanged over the open channel; the sender calculates the common secret S(PK_rec, p_sen) and the receiver S(PK_sen, p_rec); S then keys the symmetric encryption algorithm (encrypt message on the sender's side, decrypt message on the receiver's), which carries the plain text message as the encrypted text message.

The public key system has the benefit of being more robust than the private key system; however, this comes at the cost of higher computation and algorithm complexity. Table 3.1 shows a comparison of the key lengths for various private and public key systems. It is evident that the private key algorithm requires a smaller key length to achieve security equivalent to a public key system. Also included in Table 3.1 is the newer elliptic curve cryptosystem. The public key architecture is moving away from the older RSA/DSA systems (see [Lab02] and [18600] for further details on these algorithms) towards Elliptic Curve Cryptography (ECC). Currently, ECC algorithms are more complex than the RSA equivalent; however, ongoing research is allowing ECC technology to be used in small devices such as smart cards. The major benefit of ECC is in future expandability of the algorithm. Whereas the RSA algorithm requires an extremely large key of 15360 bits for an equivalent 256 bit symmetric key, the ECC system only needs a key size of 512 bits. The smaller key size requires less memory and processor power.

Example 3.4.1. An example of an ECC algorithm is the Elliptic Curve Authentication Encryption Scheme (EC-AES) algorithm [LeR00, Han04]. To send a message using EC-AES it is assumed that the sender has the receiver’s public key Kpub2 and the domain D = (q, F, a, b, BP, n, #E(F)), where q is the prime power (q = p or q = 2^m), F is the field representation, a, b ∈ Fq specify the curve over Fq (i.e. y² = x³ + ax + b for p > 3), BP is the base point BP = (xBP, yBP), n is the order of BP, and the curve order #E(F) is the number of points on the curve. The EC-AES uses elliptic curve cryptography and a Key Derivation Function (KDF), such as the ANSI X9.42 [Kel00], to transport the key from sender to receiver, while the actual encryption of the message is done by a symmetric encryption scheme, for example the AES standard [19701]. The authentication is performed by a Message Authentication Code (MAC) such as the HMAC [oST02].

Symmetric algorithm     ECC algorithm       DSA/RSA algorithm
key length (bits)       key length (bits)   key length (bits)
80                      160                 1024
112                     224                 2048
128                     256                 3072
192                     384                 7680
256                     512                 15360

Table 3.1: Comparison of key lengths for symmetric, ECC and RSA/DSA cryptographic algorithms.

To encrypt a message m the sender needs to perform the following:

1. Select a random number kpriv1 in the range [1, n−1].
2. Calculate the sender’s key pair (Kpub1, kpriv1) with Kpub1 = kpriv1·BP.
3. Calculate the shared secret on the curve S = #E(F)·kpriv1·Kpub2 = (Sx, Sy).
4. Verify that S ≠ O.
5. Use the key derivation function to calculate the signature and encryption keys ksign ‖ kenc = KDF(Sx).
6. Encrypt the message using the symmetric encryption algorithm c = E_kenc(m).
7. Sign the message using the MAC algorithm v = MAC_ksign(c).
8. Send (Kpub1, c, v).

On the other end of the communication line, the receiver gets (Kpub1, c, v) and has the domain D. They proceed to calculate the following to retrieve the message:

1. Check that Kpub1 ≠ O.
2. Verify that the coordinates xKpub1 and yKpub1 are elements of Fq.
3. Confirm that Kpub1 is on the curve defined by a and b.
4. Derive the shared secret S = CO·kpriv2·Kpub1 = (Sx, Sy).
5. Verify that S ≠ O.
6. Calculate the keys for authentication and decryption from the curve kauth ‖ kdec = KDF(Sx).
7. Check v = MAC_kauth(c).
8. Decrypt the message m = DEC_kdec(c).
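The scheme of Example 3.4.1 carried through end to end, as an added example that is not part of the thesis or of the cited EC-AES specification. It assumes a constructed toy domain (the curve y² = x³ + 2x + 2 over F₁₇ with base point (5,1); the code counts the points itself and finds #E(F) = n = 19), replaces the ANSI X9.42 KDF and the AES cipher with SHA-256 based stand-ins so that it runs on the Python standard library alone, and uses the cofactor h = #E(F)/n in place of the factor #E(F) (resp. CO) written in sender step 3 and receiver step 4, since multiplying by the full group order would always give O and fail the S ≠ O check. Receiver steps 1 to 3 are the public-key validation that rejects a point off the curve before any secret-dependent arithmetic, and the MAC is checked before anything is decrypted.

```python
import hashlib
import hmac
import secrets

# Toy domain D = (q, F, a, b, BP, n, #E(F)), constructed for this example:
# y^2 = x^3 + 2x + 2 over F_17. The field is far too small for real use.
P, A, B = 17, 2, 2
BP = (5, 1)
O = None  # the point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine chord-and-tangent addition on y^2 = x^3 + Ax + B over F_P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                      # P + (-P) = O, also covers doubling with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add k*pt (not constant time; a toy, not smart-card code)."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def curve_order():
    """#E(F): count the affine solutions plus O (feasible only for a toy field)."""
    count = 1
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        count += sum(1 for y in range(P) if (y * y) % P == rhs)
    return count

def point_order(pt):
    n, acc = 1, pt
    while acc is not O:
        acc, n = point_add(acc, pt), n + 1
    return n

CURVE_ORDER = curve_order()   # #E(F) = 19
N = point_order(BP)           # n = 19 (prime), so every point but O generates E
H = CURVE_ORDER // N          # cofactor h = 1

def kdf(sx, length=64):
    """Stand-in for the ANSI X9.42 KDF: SHA-256 in counter mode over Sx."""
    out, i = b"", 1
    while len(out) < length:
        out += hashlib.sha256(sx.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]

def stream_cipher(key, data):
    """Stand-in for AES: XOR with a SHA-256 keystream (demo only, not a real cipher)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, ks))

def ec_aes_encrypt(kpub2, m, kpriv1=None):
    """Sender steps 1-8 of Example 3.4.1 (cofactor h in place of #E(F) in step 3)."""
    if kpriv1 is None:
        kpriv1 = secrets.randbelow(N - 1) + 1        # 1. random number in [1, n-1]
    kpub1 = scalar_mult(kpriv1, BP)                  # 2. Kpub1 = kpriv1 * BP
    s = scalar_mult(H * kpriv1, kpub2)               # 3. S = h * kpriv1 * Kpub2
    if s is O:
        raise ValueError("shared secret is O")       # 4. S != O
    keys = kdf(s[0])                                 # 5. ksign || kenc = KDF(Sx)
    ksign, kenc = keys[:32], keys[32:]
    c = stream_cipher(kenc, m)                       # 6. c = E_kenc(m)
    v = hmac.new(ksign, c, hashlib.sha256).digest()  # 7. v = MAC_ksign(c)
    return kpub1, c, v                               # 8. send (Kpub1, c, v)

def ec_aes_decrypt(kpriv2, kpub1, c, v):
    """Receiver steps 1-8; public-key validation (1-3) runs before any arithmetic."""
    if kpub1 is O:
        raise ValueError("Kpub1 is O")               # 1.
    x, y = kpub1
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinates not in F_q")   # 2.
    if not on_curve(kpub1):
        raise ValueError("Kpub1 is not on the curve")  # 3. rejects invalid-curve points
    s = scalar_mult(H * kpriv2, kpub1)               # 4. S = h * kpriv2 * Kpub1
    if s is O:
        raise ValueError("shared secret is O")       # 5.
    keys = kdf(s[0])                                 # 6. kauth || kdec = KDF(Sx)
    kauth, kdec = keys[:32], keys[32:]
    expected = hmac.new(kauth, c, hashlib.sha256).digest()
    if not hmac.compare_digest(v, expected):         # 7. check v before decrypting
        raise ValueError("MAC check failed")
    return stream_cipher(kdec, c)                    # 8. m = DEC_kdec(c)
```

The quality of the random number in sender step 1 is exactly what the test unit of this thesis is meant to guard: a predictable kpriv1 hands the shared secret, and with it ksign and kenc, to anyone who sees Kpub1 on the open channel.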


Chapter 4

Random Numbers, Generation and Testing

4.1 Definition of a random sequence

What exactly are random numbers? Is the number “5” random? In this section we closely follow the exposition of [Lub]. Let Σ = {0,1} and Σ* be the set of sequences of countably infinite¹ length with coefficients in the alphabet Σ. An element u ∈ Σ* can be written as a sequence of 0 and 1:

u = u0 u1 u2 u3 u4 u5 . . . ,

with ui ∈ {0,1}. For n ∈ N, the set of finite binary sequences of length n is denoted by Σ^n. An element u ∈ Σ^n can be written as:

u = u0 u1 u2 . . . u(n−1).

The objective of this paragraph is to define, among all the elements of Σ*, those that are random. Let Wk be the map from Σ* to the set of sequences with coefficients in Σ^k which associates to u ∈ Σ* the unique sequence such that:

u = w0 | w1 | . . . | wq | . . .

with | the concatenation and wi ∈ Σ^k.

In the following, a sequence of events is defined as a sequence (un)_{n∈N} with values in a set Ω which will always be finite. The probability denoted by

Pe[(un) = x]

is the empirical probability that an event is equal to x, if the following limit exists:

$\lim_{k\to\infty} \frac{S_k(x)}{k},$ (4.1)

with S_k(x) = |{n ≤ k | un = x}|. If (wn) is a sequence of words of Σ^k then E((wn)) denotes the Shannon entropy function of (wn), defined by

$E((w_n)) = \sum_{x\in\Sigma^k} P_e[(w_n) = x]\,\log\left(\frac{1}{P_e[(w_n) = x]}\right).$

The definition from [Knu97] can now be stated.

¹ A countably infinite set is any set which, in spite of its boundlessness, can be shown equivalent to the natural numbers [Wei].

Definition 4.1.1. A sequence (un) ∈ Σ* is l-distributed for l ∈ N*, if E(Wl((un))) = l, or equivalently if for all x ∈ Σ^l, Pe[Wl((un)) = x] = (1/2)^l. A sequence (un) ∈ Σ* is then ∞-distributed if it is l-distributed for all l ∈ N*.

Temporarily, it can be stated that a sequence is random if it is ∞-distributed. In particular, if (un) is a random sequence then Wk((un)) is an equidistributed sequence of words of Σ^k. If a random subsequence of length k is picked from a random sequence, then the probability of selecting a given subsequence is the same for all words in Σ^k. This illustrates well the intuitive idea of a random phenomenon. A consequence of this is that it is impossible to precisely define what a finite random sequence is.

The link between the statistical tests and the preceding definition of a random sequence can be shown by rewriting the preceding definition in the terms of probability theory. For that, let (Ω, A, P) be a probability space, which is defined by Ω, a finite set endowed with the discrete sigma-algebra A, i.e. the one generated by all the elements of Ω, and a positive measure P on A, equidistributed and of total weight 1. For this paragraph, Ω will be Σ^n, the set of binary sequences of length n. The probability space is then denoted by (Σ^n, A_n, P_n).

A random variable is a map X : Ω → R. This endows R with the structure of a measured space, and the induced measure is indicated by the abuse of notation P_X. The function which maps x ∈ R to P[X = x] = P(X^{−1}(x)) is called the law of X. This gives the following alternative definition of a random sequence, which is just a reformulation of Definition 4.1.1.

Definition 4.1.2. A sequence (un) ∈ Σ* is random if and only if for all random variables X from Σ^k, endowed with the equidistributed law of probability, to R and for all x ∈ R,

Pe[X(Wk((un))) = x] = P[X = x].

In other words, the empirical law determined by the sequence X(u) follows the theoretical law induced on R by the random variable from the equidistributed probability law of Σ^k. This definition gives the general principle that underlies statistical tests in order to assess if a sequence is random: some random variables are defined on the sets Σ^k, k being an integer, endowed with the equidistributed probability. This gives a law on R that can be computed, or approximately computed, thanks to results from probability theory. Most of the time, this law will use a Gaussian or a χ² distribution. This law is then compared, for example using a Kolmogorov-Smirnov test, to the empirical law obtained from the limit in (4.1), which is approximated with a computation on a finite sample sequence.

The problem is that the preceding general principle is asymptotic by nature, since by definition all the sequences of fixed length l have the same probability of occurring in a random sequence. Without any further hypothesis, it is not possible to distinguish a random sequence from a nonrandom sequence when only a finite subsequence is available. It is important to remember two main ideas: an infinite sequence can be associated with a probability distribution on the space of finite sequences of length l, and a property of all random sequences is that their words of length l have a uniform distribution.

As noted in [Knu97], the definition of a random sequence that has been stated does not capture all the properties that may be expected from a random sequence. For instance, let u ∈ Σ* be an ∞-distributed sequence and let u0 be the sequence deduced from u by forcing to zero the bits of rank n², n ≥ 2. Then it is easy to see that the sequence u0 is also ∞-distributed and is not random, because the value of some of its bits can be easily predicted a priori. However, even if the definition does not capture the unpredictability notion that is expected from a random sequence, it is enough for the purpose of statistical tests.

The next section takes a closer look at generating random sequences and at the testing used to see if these generators are operating properly.
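The maps W_k, the empirical probability P_e and the block entropy E of Definition 4.1.1, computed on finite samples, together with Knuth’s counterexample u0 from the paragraph above; this is an added example and not code from the thesis or from [Lub]. The sample sequence comes from a seeded PRNG and is a constructed input, the rank n² is taken as a 0-based index, and the tolerance used to call a finite sample “l-distributed” is an assumption of the example, since the definition itself is asymptotic.

```python
import math
import random

def random_sequence(n, seed=7):
    """Constructed sample u in Σ^n from a seeded PRNG (stands in for a generator under test)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def words(bits, k):
    """W_k: cut u into consecutive words w_0 | w_1 | ... of length k (a trailing remainder is dropped)."""
    return [tuple(bits[i:i + k]) for i in range(0, len(bits) - k + 1, k)]

def empirical_probabilities(ws):
    """P_e[(w_n) = x]: relative frequency of each word x in the finite sample."""
    counts = {}
    for w in ws:
        counts[w] = counts.get(w, 0) + 1
    return {w: c / len(ws) for w, c in counts.items()}

def block_entropy(bits, k):
    """E(W_k((u_n))) in bits: equals k exactly when all 2^k words are equally frequent."""
    probs = empirical_probabilities(words(bits, k))
    return sum(p * math.log2(1 / p) for p in probs.values())

def looks_l_distributed(bits, l, tol=0.05):
    """Finite-sample reading of Definition 4.1.1: entropy of W_l within tol of l (tol is assumed)."""
    return abs(block_entropy(bits, l) - l) < tol

def force_square_ranks_to_zero(bits):
    """Knuth's counterexample u0: the bits of rank n^2, n >= 2, are forced to zero."""
    out = list(bits)
    n = 2
    while n * n < len(out):
        out[n * n] = 0
        n += 1
    return out
```

The alternating sequence 0101... is 1-distributed but not 2-distributed, which the entropy of W_2 shows at once; u0, on the other hand, still passes the entropy check for every small l although a fixed set of its bit positions is known in advance, which is the blind spot of the definition that the text points out.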

4.2 Random number generators

4.2.1 History

Progress in generating random number sequences has been significant. However, people are still trying to find new methods for producing fast, cryptographically secure random bits. Before the first table of random numbers was published in 1927, researchers had to work with very slow and simple random number generators (RNG), like tossing a coin or rolling dice. Needless to say, these methods were very time consuming. It was not until 1927, when Tippetts published a table of 40,000 numbers derived from census reports, that people had access to a large sequence of random numbers.

This lack of a ready source of random number sequences led people to try to create more efficient means of producing random numbers. In 1939, the first mechanical random number machine was created by Kendell and Babington-Smith. Their machine was used to generate a table of 100,000 numbers, which was later published for further use. The practice of using random number machines to generate tables of random numbers continued with the publishing of 1,000,000 digits by the Rand Corporation. Their generator could best be described as an electronic roulette wheel. The first version produced sequences with statistical biases. The Rand Corp. had to optimize and fix their machine, but even after this the new sequences showed a slight statistical bias. However, the random sequences were deemed to be “good enough.”

Even though tables provided researchers with a larger selection of random numbers, this method still had its drawbacks. It required large amounts of memory, since each random number had to be preloaded into memory, and it took a long time to input the data. At this point RNG research branched into two paths: the algorithmic approach and the sampling of physical systems. The algorithmic approach looked into producing random numbers by using the computer’s arithmetic operations, and this led to the creation of deterministic random number generators or pseudorandom number generators. Sampling of physical systems, however, looked at how to create statistically acceptable sequences from natural random sources. These random number generators are called “true” random number generators, since they are based on a truly random source.

Remark 4.2.1. A detailed timeline for the random number machine can be found in [Rit02].

4.2.2 Properties of random number generators

When looking at a random number generator, how is it possible to determine if it is a source of random numbers? Four properties distinguish a random number generator from just an ordinary number generator. The best way to illustrate these properties is to examine a simple random number generator. One of the most recognized and used RNGs is the coin toss, if the coin is assumed to be “fair.”

By giving the coin a “0” and “1” for each side, it can be used to generate a random binary sequence. One of the first properties noticed is that the result of each toss is not affected, in any way, by the previous tosses. This means that if ten ones are tossed in a row, the probability of tossing an eleventh one is still 50%. This example illustrates the property of independence; previous results do not affect future results.

Random number generators can be designed to produce any range of values, or distribution. When analyzing the output of common RNGs, the values usually fall into a uniform distribution, which means that there is an equal probability of obtaining any of the values in the specified range. This distribution does not need to be uniform; for some simulations a designer may wish to produce a random sequence following a normal or other distribution. For cryptographic applications it is important that the distribution is uniform. Using a nonuniform distribution allows a hacker to concentrate on a smaller group of numbers to attack the system.

There are physical and computational limits to the size of numbers that an RNG can create. These limitations impose a natural boundary on the RNG, and once it has reached these limits, the RNG repeats its output. This defines the period of the RNG. A well designed RNG will only be bound by the hardware limits. If the RNG is designed without taking care, there can be multiple sequence groups that the RNG could produce, with each group shorter than the ideal period.

The size of the random sequences required depends upon the desired application. Cryptographic applications require relatively small sequences, in the range of 1024 bits depending on the algorithm, whereas simulations require extremely large sequences. A good example is the Monte Carlo simulation, which may require random sequences up to a billion bits in length, or even more. Therefore, RNGs need to be very efficient and must generate numbers quickly.

The next sections examine the different properties of three classes of random number generators: pseudo, true, and cryptographic random number generators. Each has its own unique requirements and restrictions.

4.2.3 Types of random number generators

Pseudorandom number generators

As mentioned in the history of RNGs (cf. Subsection 4.2.1), the development of random number generators branched with the advent of computers. Researchers looked for methods to create large random sequences by using algorithms. Using such algorithms, they were able to make sequences which mimic the properties of “true” random generators. Since they were created with a deterministic equation, they could not be called “truly” random. This led to a new class of generators, called pseudorandom number generators (PRNGs).

Compared to true random number generators, PRNGs are easier to implement in both hardware and software, and they also produce large sequences very quickly. In [L’E98, L’E01], the PRNG is described as a structure of the form (X, x0, f, ft, fo, Z) where X is the finite set of states with a distribution of δ. The element x0 ∈ X is called the initial state or seed. Using the transition function ft and the output function fo as shown in Algorithm 1, a pseudorandom sequence (z0, . . . , zn) with zi ∈ Z and Z = [0,1) as the output set can be generated.

Algorithm 1 A pseudorandom number generator.
INPUT: An integer n.
OUTPUT: A pseudorandom sequence (z0, . . . , zn) with zi ∈ Z.
1. for i = 0 to n do
2.     xi+1 ← ft(xi)
3.     zi ← fo(xi)

The benefit of the PRNG is its ability to quickly produce large sequences of statistically random numbers. This is very important for running simulations when input data may require millions or even billions of random values. Caution must be taken when using pseudorandom number generators for cryptographic applications. Attacks have been published that are able to reveal the secret generator values for some types of pseudorandom generators, which enables a hacker to accurately reproduce the sequence. Cryptographically secure RNGs will be looked at in Subsection 4.2.3.

Table 4.1: Characteristics of pseudo- and true random number generators.

True RNG                  Pseudo-RNG
Physical random source    Deterministic algorithm
Slow                      Fast
Hard to implement         Easy to implement

True random number generators

A computer algorithm can only create pseudorandom sequences. However, there exist a variety of phenomena related to a computation that are nondeterministic. Some examples are noise generated by a transistor, a dual oscillator, air turbulence in a hard drive, or capturing user input on the computer. Whatever the source of natural entropy, the data need to be digitized and converted into a working space, often a binary sequence. True random number generators provide a source of random numbers that is impossible to predict (nondeterministic), but at the cost of the sequence generation speed. Therefore, these generators are generally suitable for cryptographic applications but unsuitable for simulations. The use of natural entropy is a good source of randomness, but care must still be taken to examine the sequence for other weaknesses: correlation or superposition of regular structures. To overcome these weaknesses, RNG sources are mathematically altered to mask weaknesses in the digitized analogue signal. Table 4.1 shows the characteristics of both pseudo- and true random number generators.

Cryptographic random number generators

Cryptography has taken on a new importance as more personal and financial information is available in digital form. The strength of encrypted messages depends on many factors, one of which is the random number sequence used in key generation. Many people believe that the random number generator provided with their compiler or math package is good enough. However, research has shown that they are very insecure for cryptographic applications. An example of an insecure RNG is one where an attacker, who knows the pseudorandom algorithm and has a generated sequence, can take this information and calculate future values. With these values the attacker can calculate a secret key.

Cryptographic random number generators have an added property compared to other generators. They need to be unpredictable, given knowledge of the algorithm and previously generated bits.

These properties can be found in both pseudo- and true random number generators. Often the most efficient method of creating secure cryptographic random number sequences is using a combination of the two generator types.

4.2.4 Popular random number generators

This subsection describes three common random number generators, but there are many more available [NIS99b, APS96, And00, Knu97, Ent98]. Care must be taken to select the correct generator for the required application.

Linear congruential generator (LCG)

The Linear Congruential Generator (LCG) is a classic pseudorandom number generator and has been published in many journals and books [Knu97, Car94, Ent98]. The LCG can be fully described using the following formula:

$X_n = (a X_{n-1} + c) \bmod m$ (4.2)

with a the multiplier, c the increment and m the modulus. Care has to be taken when selecting the constants, since it is very easy to create a poor random generator. This generator is so popular because it is simple to implement in both software and hardware once the constants have been selected. Another benefit of this algorithm is its low memory requirement, since only the last value and the secret constants are required to calculate a new value. Knuth [Knu97] dedicates a large portion of the chapter on LCGs to the selection of each constant.

Table 4.2 is a list of popular linear congruential generators. The constants used and the quality of the generator are shown along with the generator’s name. Two noteworthy LCGs are the RANDU and the ANSI-C generators, which can still be found in many mathematical packages and compilers. Both generators have been extensively researched and it was found that their quality is very poor. Park and Miller [PM98] describe the RANDU as:

“RANDU represents a flawed generator with no significant redeeming features. It does not have a full period and it has some distinctly non-random characteristics.”

As for the ANSI-C generator, it was found to be very nonrandom in its lower bits.

Blum-Blum-Shub generator (computationally perfect PRNG)

The Blum-Blum-Shub (BBS) generator is an example of a class of provably secure random number generators. It works under the complexity theory assumption that P ≠ NP. The BBS generator was first published in 1986 by Blum et al. [BBS86], where they showed that a quadratic residue of the form:

$X_{n+1} = X_n^2 \bmod m$ (4.3)

is very easy to calculate in the forward direction. However, the backward calculation of finding the square root of a number modulo m, when m is large, is very difficult. The modulus is m = p1 p2, where p1 and p2 are large Blum prime numbers. Blum primes are prime numbers satisfying:

$p \equiv 3 \pmod 4$

as −1 is not a square modulo p.

The BBS generator is targeted towards cryptographic applications, since it is not a permutation generator, which means the period of the generator is not necessarily m−1. This makes the BBS generator unsuitable for stochastic simulations.

Table 4.2: Popular LCGs.

Generator                  a            c       m        seed    Good/Poor
RANDU                      65539        0       2^31             Poor
ANSI-C                     1103515245   12345   2^31     12345   Poor
Minimum Standard [PM98]    16807        0       2^31−1           Good

Note: Good and poor generators are rated on how well they pass empirical tests.
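The structure (X, x0, ft, fo, Z) of Algorithm 1 instantiated with the three LCGs of Table 4.2 (equation (4.2)) and with a toy BBS generator (equation (4.3)), as an added example that is not code from the thesis or from the cited references. The LCG constants are those of Table 4.2; the BBS primes 11 and 19, the seeds, and the small moduli used to show a full and a collapsed period are constructed for the example. It also makes the remark about the lower bits of ANSI-C concrete: with an odd multiplier, an odd increment and a power-of-two modulus the least significant bit of the state simply alternates, and with c = 0 (RANDU) it never changes at all.

```python
def prng(x0, ft, fo, n):
    """Algorithm 1: z_i = fo(x_i), x_{i+1} = ft(x_i) for i = 0..n."""
    zs, x = [], x0
    for _ in range(n + 1):
        zs.append(fo(x))
        x = ft(x)
    return zs

def lcg(a, c, m):
    """Transition and output functions of eq. (4.2); output scaled to Z = [0, 1)."""
    return (lambda x: (a * x + c) % m), (lambda x: x / m)

# Constants of Table 4.2
RANDU   = lcg(65539, 0, 2 ** 31)
ANSI_C  = lcg(1103515245, 12345, 2 ** 31)
MIN_STD = lcg(16807, 0, 2 ** 31 - 1)

def low_bit_pattern(gen, seed, n=8):
    """Least significant bit of the raw states X_0..X_n (the scaling by 1/m hides nothing here)."""
    ft, _ = gen
    return prng(seed, ft, lambda x: x & 1, n)

def period(ft, seed, limit=1 << 20):
    """Length of the cycle the state enters from seed; None if not found within limit steps."""
    seen, x, i = {}, seed, 0
    while x not in seen:
        if i >= limit:
            return None
        seen[x] = i
        x, i = ft(x), i + 1
    return i - seen[x]

def is_blum_prime(p):
    """Prime with p = 3 (mod 4); trial division is fine for the toy sizes used here."""
    if p < 2 or any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        return False
    return p % 4 == 3

def bbs_states(p1, p2, seed, n):
    """Raw BBS states X_0..X_n for m = p1*p2 (eq. 4.3); the output bit would be X_i & 1."""
    if not (is_blum_prime(p1) and is_blum_prime(p2)):
        raise ValueError("p1 and p2 must be Blum primes")
    m = p1 * p2
    return prng(seed, lambda x: x * x % m, lambda x: x, n)
```

Two constructed LCGs with m = 16 show the period property of Subsection 4.2.2: a = 5, c = 1 satisfies the full-period conditions and cycles through all 16 states, while a = 2, c = 0 collapses to the fixed point 0 after four steps.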

Cryptographic RNG (hardware RNG)

All previous examples of random number generators used deterministic algorithms. These generators statistically act like true RNGs but in fact are not. In order to be regarded as a true random number generator, the source of bits needs to be nondeterministic, which is usually achieved by sampling a natural stochastic process. There are many sources of natural randomness, including measuring radioactive decay, thermal noise, or the noise generated by a reverse biased diode.

The problem with nondeterministic random sources is the possible presence of bias, which means that ones or zeros occur more often. A variety of methods have been developed to reduce the effect of bias. A few common methods include XORing of the successive bits using the von Neumann algorithm [Dav00], or XORing the nondeterministic bit stream with the bits from a cryptographically secure random number generator (see Figure 4.1).

Hardware random number generators tend to be slower than their pseudorandom counterparts. However, for cryptographic applications, which may need only a few thousand bits, this is usually not a factor. For applications that need many random digits, hardware random generators are generally too slow.

[Figure 4.1 (block diagram not reproduced): a non-deterministic source feeds an amplifier and digitizer; a corrector (XOR or von Neumann) reduces the bias; the corrected bits are XORed with the output of a pseudorandom number generator (combine sequence) to form the output.]

Figure 4.1: Cryptographic hardware random number design.

Remark 4.2.2. There are many implementations of hardware cryptographic random number generators [Dav00, CR03].
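The two bias-reduction stages of Figure 4.1 on a simulated biased source, as an added example that is not code from the thesis or from [Dav00]. The source is a seeded PRNG with an adjustable probability of a one and is a constructed input, not a hardware sample; the von Neumann step follows the usual pairwise rule (01 → 0, 10 → 1, 00 and 11 discarded), and the XOR step combines the stream with a second, fair PRNG stream. Both of the caveats from the text are made visible: the von Neumann corrector assumes independent bits and fails on a correlated (alternating) source, and the XOR stage produces a stream that looks fair even when the physical source has died completely, which is why the source has to be tested before, not after, the corrector.

```python
import random

def biased_source(n, p_one, seed=1):
    """Constructed stand-in for a digitized noise source with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def von_neumann(bits):
    """Pairwise corrector: 01 -> 0, 10 -> 1, 00 and 11 are discarded (needs independent bits)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)   # the first bit of the pair is the output bit
    return out

def xor_mix(bits, prng_bits):
    """XOR corrector / combine stage of Figure 4.1: bitwise XOR with PRNG output."""
    return [a ^ b for a, b in zip(bits, prng_bits)]

def bias(bits):
    """Fraction of ones; 1/2 for an unbiased stream."""
    return sum(bits) / len(bits)

def corrector_report(n=20000, p_one=0.7):
    """Bias of the raw, von Neumann corrected, XOR corrected and dead-source streams."""
    raw = biased_source(n, p_one)
    fair_prng = biased_source(n, 0.5, seed=2)
    dead = [0] * n                   # a stuck source: the XOR stage alone hides it
    return {
        "raw": bias(raw),
        "von_neumann": bias(von_neumann(raw)),
        "xor": bias(xor_mix(raw, fair_prng)),
        "dead_source_after_xor": bias(xor_mix(dead, fair_prng)),
        "yield": len(von_neumann(raw)) / n,   # about p*q of the input bits survive
    }
```

The yield of the von Neumann corrector is roughly p·q of the input bits, so a strongly biased source costs throughput as well as entropy; the XOR stage keeps the bit rate but, as the dead-source line shows, its output statistics say nothing about the health of the source.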

4.3 Testing of random number generators

There are two methods for testing random number generators. One is to treat the generator as a black box and only examine a portion of the resulting sequence; this is called empirical testing. The other method is to open the box and examine the internal structure a priori. This type of testing is called theoretical testing. Both empirical and theoretical tests use statistical tests, but they differ in the length of the sequence they examine. For theoretical tests, the full period of the generator is used; therefore, they detect global non-randomness. Not all statistical tests are suitable for this type of testing.

Empirical testing is used to detect local non-randomness. It examines subsequences with lengths significantly shorter than the full period. Often these tests are used during the operation of the RNG to determine if the generator is still functioning properly, or as a quick test of a newly selected generator’s randomness. When selecting an RNG for an application, it is best, if possible, to use both theoretical and empirical testing. This helps to avoid both local and global abnormalities.


4.4 Testing a device

This section presents a definition of the mathematical objects that represent the device under test. A source S_T is the mapping from a parameter space T to the set Σ*, i.e. to a binary sequence of infinite length, with either a discrete or a continuous parameter space. In the case of a physical generator, T can be a set of continuous variables that describes the state of the RNG (temperature of the circuit, position of each of the bits). As for an LFSR, T is the discrete space describing the initialization vector, the feedback polynomial, and the filter function.

With an infinite binary sequence there can be associated, for all n ∈ N*, a probability distribution on Σ^n given by the definition of the empirical probability of Wk(u). In particular, a source defines a map from the set of parameters T to the set of probability distributions on Σ^n for all n. This justifies the following definition:

Definition 4.4.1. Let T be a set of parameters; the statistical model on Σ^n is the data, for all n ∈ N*, of a probability distribution denoted by P_t^n for t ∈ T on the set Σ^n.

In practice, the set of parameters can take into account the normal operation of the source as well as flaws. It is possible that the source produces sequences with good statistical properties for some values of the parameter in T and poor statistical properties for the other values of T. For instance, a physical random generator can be built so that the output bits have a bias p independent of the preceding draws. It outputs “1” with a probability of p and “0” with a probability of q = 1 − p. A hard to control production process may influence the parameter p. Therefore, a means is needed to assess the generator and reject any source that has a parameter p too far from 1/2.

4.5 Statistical (empirical) tests

Often it is not possible or feasible to look at the physical structure of the random number generator; for example, when the RNG needs to be tested before each operation. The only method to determine, to any degree of certainty, if the device is producing statistically independent and symmetrically distributed binary digits is to examine a sample sequence of a given length n. In [Mau92] the idea is presented that a statistical or empirical test T is an algorithm that has as input a binary sample sequence and produces as output an “accept” or “reject” decision

$T : B^n \to \{\text{“accept”}, \text{“reject”}\}$ (4.4)

where B is the binary set {0,1}. Using this function, all the possible binary sequences x of length n, x^n = x1, . . . , xn, are divided into two subsets

$A_T = \{s^n : T(s^n) = \text{“accept”}\} \subseteq B^n$ (4.5)

and

$R_T = \{s^n : T(s^n) = \text{“reject”}\} \subseteq B^n$ (4.6)

with A_T being the set of accepted or “random” sequences and R_T being the set of rejected or “nonrandom” sequences.

4.5.1 Hypothesis testing

The method used to determine whether a device is operating properly as a binary symmetric source, or is malfunctioning, is to test a parameter using the theory of hypothesis testing. The first step of this testing method is to calculate a test parameter by comparing the parameters estimated from a sample sequence for the given statistical model to the parameters of a binary stationary source. The sample is then accepted or rejected by comparing the test parameter to a probability distribution from a binary symmetric source.

Remark 4.5.1. Randomness is a property of the device being tested, not of the finite sequence.

The researcher wishes to test the hypothesis that the device’s parameter follows the parameter of the theoretical distribution. For hypothesis testing, the null hypothesis, H0, is the claim that the sequence is acceptable as random, while the alternative hypothesis, Ha, states that the sequence is rejected. This hypothesis is in a general form and can take on a wide variety of parameters. One example is examining the population mean of the sample sequence and comparing it to the mean of a binary symmetric sequence, μ0. The hypothesis can then be written as follows:

$H_0 : \mu = \mu_0 \qquad H_a : \mu \neq \mu_0$

In order to decide between H0 and Ha, the researcher needs to first determine the error threshold or significance level α. This level indicates the probability the researcher is willing to accept of rejecting a true H0. For a significance level of α = 0.001, the probability is that one sequence in a thousand will be rejected when in fact it should be accepted. This level is also called the Type I error.

[Figure 4.2 (plot not reproduced): the distribution under H0 and the distribution under the alternative mean μa, with the significance level α and the Type II error β marked as the corresponding tail areas.]

Figure 4.2: Parameters α and β for a statistical test [Sch95].

Table 4.3: Type I and II errors.

                 Decision
                 Reject H0        Do Not Reject H0
H0 True          Type I Error     Correct
H0 False         Correct          Type II Error

The next step in hypothesis testing is to calculate the test statistic. This step is dependent

on the data under study. From the previous example, using the mean, the test statistic can be

calculated by examining the sample mean, x; the sample variance, s2; the theoretical mean from

a truly random sequence, μ0; the theoretical variance, σ 2; and the sample size, n. The statistical

test is then as follows:

$$|Z| = \left| \frac{\bar{x} - \mu_0}{\sigma / \sqrt{n}} \right| > Z_{\alpha/2} \qquad (4.7)$$

The rejection region works by examining the sample mean and determining whether there

are too many standard deviations, more than Zα2, from μ0. The rejection region can be seen in

Figure 4.2 and if the statistical test falls in this region, then the null hypothesis is rejected in favor

of the alternative hypothesis.

Often empirical tests described in literature use a value called the P-value, to determine

whether the sample sequence should be rejected or not. The significance level, as described in

the last paragraph, is the boundary value between acceptance and rejection of the null hypothesis:

$P > \alpha$: $H_0$ is accepted

$P \le \alpha$: $H_0$ is rejected

Hypothesis testing can have two possible conclusions; the test accepts H0 or it accepts Ha.

As can be seen in Table 4.3, there are two possible errors that may arise. The Type I error has

already been discussed and it is the significance level of the test. Type II error β is the probability

that the device is assumed to be random when it is not. The goal of the statistic test is to minimize

the possibility of both types of errors. When dealing with statistical tests, the researcher is often

able to set the sample size and one of the two types of errors, usually the Type I error. Setting the

two points produces a β as small as possible. It is not possible to determine the β probability,

which means that it is only possible to draw a firm conclusion about the Type I error. However,

if the statistical test does not fall inside the rejection region, it can only be stated that there is

insufficient evidence to reject H0. The null hypothesis is not affirmatively accepted, since there

is a lack of information about the Type II error.


4.6 Some examples of statistical models on Σn

This paragraph presents some statistical models currently used (sometimes in an implicit way)

in the definition of random sequence tests. Further information can be found in [Mau92, Lub].

A random variable X is said to be binary if its values are in the set B = {0,1}. In that case,

the distribution of probability defined on B is given by a unique parameter called the bias of X ,

which is by definition P[X = 1]. Let X1, . . . ,Xn, . . . be a sequence of binary independent random

variables. They define a distribution of probability on Σn. When all these random variables have

the same bias, the previous distribution depends only on the parameter p.

This model describes a Binary Memoryless Source (BMS) that outputs independent random

variables with a bias p. As stated, a BMS defines a distribution of probability on the sets Σn

depending on the parameter p, and is therefore a statistical model on Σn. A particular case of a

BMS is the binary symmetric memoryless channel, which corresponds to the parameter $p = \frac{1}{2}$.

Another model is the Source Transition (ST) that outputs a sequence of binary random variables $X_1, \ldots, X_n, \ldots$ of parameter $\frac{1}{2}$ such that $P[X_i + X_{i+1} = 1] = p$ and $P[X_i + X_{i+1} = 0] = 1 - p$ for $i \in \mathbb{N}_0$.

Generally, a source can produce a sequence of binary random variables X1, . . . ,Xn, . . . such

that the conditional probability of Xn given X1,X2, . . . ,Xn−1 depends only on the m last bits, i.e.,

such that

$$P_{X_n \mid X_{n-1} \ldots X_1}(x_n \mid x_{n-1} \ldots x_1) = P_{X_n \mid X_{n-1} \ldots X_{n-m}}(x_n \mid x_{n-1} \ldots x_{n-m}). \qquad (4.8)$$

The least $m$ satisfying this property is called the memory of the source $S$, and $\Sigma_n = [X_{n-1}, \ldots, X_{n-m}]$ is the state at time $n$. Therefore, taking the sequence $(X_n)_{n \in \mathbb{N}}$ is equivalent to considering an initial state $\Sigma_{m-1}$, represented by the trivial random variables $[X_m, \ldots, X_0]$ (their weight being totally concentrated on 0 or 1), together with a probability distribution for the transition of states $P_{\Sigma_n \mid \Sigma_{n-1}}$ for all $n$ greater than $m$. If this last probability is independent of $n$, then the source is classified as stationary. So, a stationary source is completely described by its initial state and $P_{\Sigma_{m+1} \mid \Sigma_m}$.

The set of states is a particular case of a Markov chain2, with the restriction that each state can

have only two successors. If this Markov chain has the property where every sizable sample is

an equal representative of the whole sequence (ergodic), the limit of the probability distribution

on the set of states converges towards a limit. Let the integers between 0 and $2^m - 1$ represent the

set of possible states of the sources. Using the Chapman-Kolmogorov equations, which are an

equivalent to the identity on transition densities, gives:

$$\lim_{n \to +\infty} P_{\Sigma_n}(j) = p_j$$

² Definition from Merriam-Webster [Mis95]: usually a discrete stochastic process (as a random walk) in which the probabilities of occurrence of various future states depend only on the present state of the system or on the immediately preceding state and not on the path by which the present state was achieved.


where the $p_j$ are the solution of a system of $2^m$ equations:

$$\sum_{j=0}^{2^m - 1} p_j = 0, \qquad (4.9)$$

$$p_j = \sum_{k=0}^{2^m - 1} P_{\Sigma_2 \mid \Sigma_1}\, p_k, \qquad 0 \le j \le 2^m - 2. \qquad (4.10)$$

There are two interesting points to consider with the statistical model of ergodic stationary

sources:

• this model seems to be the most general of the models presented. In particular, it contains

the BMS and ST models.

• this model has been extensively studied in the field of information theory. In particular, it

is possible to compute its entropy.

4.7 Hypothesis testing and random sequences

The previous section stated that statistical models can be used to perform statistical tests on a

binary sequence. From [Lub], the link between the theory of hypothesis testings and random

sequences is given as follows:

• A statistical model is adapted to the device that is under test (e.g. random number genera-

tor);

• An $H_0$ is chosen such that the model parameters are verified if the random input variables are Bernoulli variables with a parameter of $\frac{1}{2}$; and

• As an alternative hypothesis there is a large deviation of the parameter from $\frac{1}{2}$.

For example, if it is known that the statistical model of the device is a BMS, the monobit fre-

quency test can be used on its own: this is the best test associated with this model. It may happen

that the statistical model is more general and includes several different tests. For instance, the

BMS is contained in the general model of a stationary ergodic source with a certain amount of

memory. In this case, the advantage of the more specific test is that it is more powerful. However,

it may not discover deviations in the parameters that it does not control. Therefore, it is important

to first use the more specific tests and then the more general ones. It amounts to restraining the

variance, in some direction, of the parameter space.

In general, the use of the techniques of hypothesis tests in order to verify the random quality

of a source is characterized by:


• the choice of a statistical model based on the operation of the device;

• the use of only a small number of tests (one or maybe two) that are associated with the

statistical model.

It should be pointed out that this general technique does not describe the set of available pro-

cedures in order to test a random number generator. It is apparent that it is difficult to attach a

statistical model to some tests that are widely published and recommended. Moreover, in the

available test suites it is quite common to use many different tests. In practice, it is often difficult

to prove that a certain physical device corresponds to a given statistical model apart from very

general models, which then leads to tests of very poor quality.

In cases where no statistical model is available, it is possible to use the property that the

estimators computed by the tests are consistent. Then, under the assumption of the Bernoulli

distribution with a parameter equal to $\frac{1}{2}$ (BSS), the property that the sequence is ∞-distributed

can be checked by the convergence in probability of certain estimators. Therefore, it is possible

to use a group of several tests, so that each of them, with a given probability, outputs a pass for

a random sequence. It should be noted that it is not easy to compute the rejection rate of a full

test suite, because the estimators of different tests are often extremely dependent. This rate can,

nevertheless, be estimated by stochastic simulations.

The reader should keep in mind that, if the device is not provided with a statistical model

and if the statistical tests can not be interpreted with respect to the cryptographic use of the

random sequence, the rejection zone selected by the statistical tests is totally arbitrary. If we have a

statistical model, the rejection zone is chosen to contain most of the weight of probability when

the device is faulty. But, if we do not know this statistical model, it may happen, on the contrary,

that the rejection zone contains sequences with a low probability of appearance: this means that

the probability of passing the test is higher when the device is faulty. In this respect, a statistical

test is nothing but a convenient way to choose a certain proportion of sequences in the set of

all binary sequences of a given length. In particular, if the tests do not pass, it is difficult to

pronounce with any degree of certainty that there is no systemic interpretation of the result of the

tests.

It is also important to realize that a random test may undermine cryptographic security in

some applications. The problem is that, if a statistical test is used to filter the flux of a random

generator, it introduces a bias that is very easy to detect by using the same test. A practical

example of this is given to draw the reader’s attention to this topic.

Example 4.7.1. A user may want to cipher the content of a hard drive by using a strong sym-

metric encryption function. It may be required that an intruder, who does not possess the secret

key, is not able to distinguish the written sectors on the hard drive from the blank ones. One way

to implement this functionality is to consider the symmetric encryption function as a pseudo-

random function. Therefore, a random number generator can be used to write random noise on


non-written sectors of the hard drive. If the output of this random number generator is filtered by

a statistical test with, for instance, a rejection rate of 1%, it means that 1% of the sequences of a

given length will never appear in the non-written sectors of the hard drive, but will be present in

the written sectors. This allows an attacker to find the distinguishing point between the written

and non-written sectors easily.
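The decision rule of Section 4.5 (statistic (4.7), P-value against α, Type I error) and the filtering problem of Example 4.7.1, worked through as an added Python example; this is not code from the thesis. A seeded PRNG stands in for the device under test and is assumed to behave as a binary symmetric source, so the rejections it produces are Type I errors by construction. The example is used as a health check that reports a verdict, and the last function shows why the same check must not silently drop output: the filtered stream contains no sequence with P ≤ α, so re-running the test measures a rejection rate of exactly 0 instead of roughly α.

```python
import math
import random

# Added illustration (not code from the thesis). A seeded PRNG stands in for
# the device under test; it is assumed to behave as a binary symmetric source.

def mean_test_statistic(bits):
    """Statistic of eq. (4.7) for the sample mean of a bit sequence.

    Under H0 (binary symmetric source) mu_0 = 1/2 and sigma = 1/2, so
    Z = (x_bar - mu_0) / (sigma / sqrt(n)).
    """
    n = len(bits)
    x_bar = sum(bits) / n
    mu_0, sigma = 0.5, 0.5
    return (x_bar - mu_0) / (sigma / math.sqrt(n))

def p_value(z):
    """Two-sided P-value: probability, under H0, of a standard normal
    statistic at least as extreme as |z|."""
    return math.erfc(abs(z) / math.sqrt(2))

def decide(bits, alpha):
    """Decision rule of Section 4.5: reject H0 when P <= alpha.
    Returns (z, P, rejected)."""
    z = mean_test_statistic(bits)
    p = p_value(z)
    return z, p, p <= alpha

def random_bits(rng, n):
    return [rng.getrandbits(1) for _ in range(n)]

def type_i_error_rate(n_bits, alpha, trials, seed=1):
    """Fraction of sequences from a source that satisfies H0 which the test
    nevertheless rejects; it should come out close to alpha."""
    rng = random.Random(seed)
    rejected = sum(decide(random_bits(rng, n_bits), alpha)[2]
                   for _ in range(trials))
    return rejected / trials

def filter_bias(n_bits, alpha, trials, seed=2):
    """Example 4.7.1: if the test is used to *filter* the generator's output,
    no sequence with P <= alpha ever leaves the generator. Returns the
    rejection rate an observer measures on the raw output and on the
    filtered output; the second is exactly 0, which distinguishes the
    filtered stream from an unfiltered source (rate roughly alpha)."""
    rng = random.Random(seed)
    raw = [random_bits(rng, n_bits) for _ in range(trials)]
    filtered = [b for b in raw if not decide(b, alpha)[2]]

    def rejection_rate(seqs):
        return sum(decide(b, alpha)[2] for b in seqs) / len(seqs)

    return rejection_rate(raw), rejection_rate(filtered)

if __name__ == "__main__":
    # the 100-bit input of Example 4.8.2 (52 ones) as a worked input
    example = [int(c) for c in "1010110010111100110100100" * 4]
    print(decide(example, 0.01))                # z = 0.4, P ~ 0.69, H0 not rejected
    print(type_i_error_rate(1000, 0.01, 1000))  # close to alpha = 0.01
    print(filter_bias(1000, 0.01, 1000))        # (close to 0.01, 0.0)
```

For the 100-bit example sequence the statistic is z = 0.4 with P ≈ 0.69, so H0 is not rejected at α = 0.01; with 1000 sequences of 1000 bits from the stand-in source, roughly 1% are rejected, while the filtered stream yields none.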

4.8 Empirical test examples for binary sequences

Frequency Test

A test that counts the number of ones in a sequence is an example of an empirical test based on

the random walk. The random walk Yn is the sum of independent Bernoulli random variables Xi.

It can be written:

$$Y_n = \sum_{i=1}^{n} X_i \qquad (4.11)$$

Using the Central Limit Theorem and the De Moivre-Laplace Theorem, a binomial sum, normalized by $\sqrt{n}$, follows a normal distribution if the sample size $n$ is large. This can be written as:

$$\lim_{n \to \infty} P\left(\frac{Y_n}{\sqrt{n}} \le y\right) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{y} e^{-h^2/2}\, dh = f(y) \qquad (4.12)$$

This theory is the basis for one of the simplest but most important statistical tests, the fre-

quency (monobit) test. The null hypothesis for this test states that a sequence of independent,

identically distributed Bernoulli variables has a probability:

P(Xi = 1) = 0.5

As mentioned in previous sections this statistical test is based on the model for a binary

memoryless source. An implementation of this theory into a statistical test is presented in Sec-

tion 5.1.1.

Another implementation of the random walk is a variation on the previous frequency test

called the frequency block test. This test performs multiple frequency tests on smaller, equally

distributed subsequences of the main sample sequence. This detects localized deviations from

randomness. The sample sequence is divided into n sets of m bits. The number of ones in each m

sequence is counted, πi. A test characteristic is then calculated by using the following formula:

$$X_{obs} = 4m \sum_{i=1}^{n} \left(\frac{\pi_i}{m} - \frac{1}{2}\right)^2 \qquad (4.13)$$

The observed characteristic is compared to a theoretical limit to determine if the sequence is

acceptable as random. The implementation of this test is presented in Section 5.1.2.


Runs Test

The runs test is a group of tests based on the bit oscillation in a sequence. There are many

published definitions of runs (see [Knu97, Feh68, AJJ+, APS96, And00, Ent98]). The data

type, binary or real, determines the runs definition that should be used. One of the earliest

definitions of runs for randomness testing was published in 1944 by Wolfowitz. Given a sequence $X_1 = (x_1, \ldots, x_n)$, a second sequence $X_2$ can be formed by taking the sign of the difference between two adjacent numbers, $x_{i+1} - x_i$, $1 \le i \le n-1$. An example of this is:

X1 = (7,4,1,0,5,2,8,9,6,0)

which converts to

X2 = (−,−,−,+,−,+,+,−,−).

A "+" is treated as a run up, while a "−" is considered a run down, with $l$ being the length of

each run subsequence. Various statistical tests for real numbers use this definition.

Another definition of a run has been published by Knuth [Knu97]. He examines real number

sequences and defines a run as the length l of a trend in a sequence X , with the trend being either

increasing or decreasing. Given a sequence X = (x1, . . . ,xn), each neighboring number, xi and

xi+1, is compared, and a vertical line is used to divide each number group whenever xi > xi+1.

Using the previous example sequence X1, we obtain:

|7|4|1|0,5|2,8,9|6|0|.

Counting the runs for lengths one to three, there are five runs of length 1, one run of length 2, and

one run length 3. Adjacent runs are not independent, since a long run tends to be followed by

a short run; therefore, the χ2 test cannot be applied at this point. A new random variable needs

to be defined. The random variable $Z_{l,i}$ with $1 \le i \le n$ counts the number of runs in a sequence. Variable $Z_{l,i}$ is defined as follows:

$$Z_{l,i} = \begin{cases} 1 & \text{if position } i \text{ is the beginning of an ascending run of length } l \text{ or more,} \\ 0 & \text{otherwise.} \end{cases}$$

Using this new variable, the number of runs of length $\ge l$ is:

$$R'_l = Z_{l,1} + \ldots + Z_{l,n},$$

and the number of runs equal to length $l$ is:

$$R_l = R'_l - R'_{l+1}.$$


The statistical test counts the occurrence of runs up to a given length $t$, and any run longer than $t$ is classified as a run of length $t$. The deviation $Q_l$ with $1 \le l \le t$ is calculated by subtracting the resulting run counts $R_l$ from the expected run counts $\mu(R_l)$:

$$Q_1 = R_1 - \mu(R_1)$$

$$\vdots$$

$$Q_{t-1} = R_{t-1} - \mu(R_{t-1})$$

$$Q_t = R'_t - \mu(R'_t)$$

These values are used to calculate the test statistic for a $\chi^2$ test with $t$ degrees of freedom

$$X_{obs} = \sum_{i,j=1}^{t} Q_i \cdot Q_j \cdot a_{ij}, \qquad (4.14)$$

where the matrix $A = (a_{ij})$ is the inverse matrix of $C = \mathrm{covar}(R_l, R_m)$, with $1 \le l, m \le t$. The

covariance matrix $C$ and the mean $\mu(R_l)$ are calculated using the following relations

$$\mu(R_l) = \mu(R'_l) - \mu(R'_{l+1})$$

$$\mathrm{covar}(R_l, R'_m) = \mathrm{covar}(R'_l, R'_m) - \mathrm{covar}(R'_{l+1}, R'_m)$$

$$\mathrm{covar}(R_l, R_m) = \mathrm{covar}(R_l, R'_m) - \mathrm{covar}(R_l, R'_{m+1})$$

To calculate $\mu(R'_l)$ and $\mathrm{covar}(R'_l, R'_m)$ the following holds:

$$\mu(R'_l) = \frac{(n+1)\, l}{(l+1)!} - \frac{l-1}{l!}, \qquad 1 \le l \le n$$

$$\mathrm{covar}(R'_l, R'_m) = \begin{cases} \mu(R'_t) + f(l,m,n), & \text{if } l + m \le n \\ \mu(R'_t) - \mu(R'_l) \cdot \mu(R'_m), & \text{if } l + m > n \end{cases}$$

where

$$s = l + m, \qquad t = \max(l, m),$$

and

$$f(l,m,n) = (n+1)\left(\frac{s(1-lm)+lm}{(l+1)!\,(m+1)!} - \frac{2s}{(s+1)!}\right) + 2\left(\frac{2s}{s!}\right) + \frac{(s^2-s-2)\,lm - s^2 - l^2m^2 + 1}{(l+1)!\,(m+1)!} \qquad (4.15)$$

Another definition of a run is found in [Feh68]. Fehler provides a definition for runs with Bernoulli trials.

Definition 4.8.1. A sequence of n bits contains as many runs of ones with a length of r as there

are non-overlapping uninterrupted blocks containing exactly r bits [Feh68]. Each run length is

counted from the beginning of the sequence.

An example runs count using this definition is seen in the following sample sequence

1,1,1,1,0,1,1,1,1,1,1,0. (4.16)

This sequence has ten runs of length one, five runs of length two, three runs of length three, two

runs of length four, one run of length five, and one run of length six or more. Using Defini-

tion 4.8.1, a test statistic for analyzing the randomness of the sequences is

$$X_{obs} = \sqrt{\mu}\, \frac{\mu \cdot N_r(obs) - n}{\sigma \sqrt{n}} \qquad (4.17)$$

with Nr being the number of runs of length r in a sequence of n number of bits. The statistic for

Fehler’s definition follows a normal distribution as n→ ∞.

The runs test used in this thesis comes from the [APS96]. This runs test has been used in

the thesis (see Section 5.1.3) due to its ease of implementation in hardware and software. The

definition of a run in [APS96] is similar to Definition 4.8.1. However, the number of runs is only

counted once during the sequence. Also, the number of runs of zero Gap and one Blk are used

in the calculation of the test statistic. For example, from sequence 4.16 the number of runs of

one are: one run of length four and one run of length six, while for the runs of zero there are two

runs of length one. This statistical test examines the difference between the expected run lengths

$e_r = \frac{n - r + 3}{2^{r+2}}$ with $1 \le r < k$ and the sampled run lengths, $Blk_r$ and $Gap_r$:

$$X_{obs} = \sum_{r=1}^{k} \frac{(Blk_r - e_r)^2}{e_r} + \sum_{r=1}^{k} \frac{(Gap_r - e_r)^2}{e_r} \qquad (4.18)$$

which approximately follows a $\chi^2$ distribution with $2k - 2$ degrees of freedom.
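The three run definitions above (Knuth's runs up, Definition 4.8.1 from [Feh68], and the [APS96] Blk/Gap count with statistic (4.18)), worked through as an added Python example that is not code from the thesis. It reproduces the counts the text gives for the sequence (4.16) and, on the 100-bit input of Example 4.8.2, the run table and X_obs = 34.25 of that example. One assumption is made explicit: the thesis states e_r for 1 ≤ r < k, and the example applies the same e_r to the last category r = k (runs of length k or more), since that is what reproduces the quoted 34.25 with k = 6.

```python
# Added illustration (not code from the thesis). SEQ_4_16 is the sample
# sequence (4.16); EXAMPLE_BITS is the 100-bit input of Example 4.8.2.
SEQ_4_16 = [1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0]
EXAMPLE_BITS = [int(c) for c in "1010110010111100110100100" * 4]

def runs_up(seq):
    """Knuth's runs up on a real-valued sequence: split wherever x_i > x_{i+1}
    and return the length of every ascending segment."""
    lengths, current = [], 1
    for a, b in zip(seq, seq[1:]):
        if a > b:
            lengths.append(current)
            current = 1
        else:
            current += 1
    lengths.append(current)
    return lengths

def feller_run_counts(bits, max_len):
    """Definition 4.8.1 ([Feh68]): N_r is the number of non-overlapping blocks
    of exactly r consecutive ones, counted from the start of each maximal run,
    so a maximal run of L ones contributes floor(L / r) to N_r. The last entry
    collects runs of length max_len or more."""
    counts = [0] * max_len
    run = 0
    for b in list(bits) + [0]:            # sentinel closes a trailing run
        if b == 1:
            run += 1
            continue
        for r in range(1, max_len + 1):
            counts[r - 1] += run // r
        run = 0
    return counts

def maximal_runs(bits):
    """[APS96] definition: every maximal run is counted once. Returns the
    lengths of the runs of ones (Blk) and of zeros (Gap)."""
    blk, gap = [], []
    i, n = 0, len(bits)
    while i < n:
        j = i
        while j < n and bits[j] == bits[i]:
            j += 1
        (blk if bits[i] == 1 else gap).append(j - i)
        i = j
    return blk, gap

def run_length_table(lengths, k):
    """Occurrences of runs of length r = 1..k; runs longer than k count as k."""
    table = [0] * k
    for length in lengths:
        table[min(length, k) - 1] += 1
    return table

def runs_test(bits, k):
    """Eq. (4.18): chi-square statistic with 2k - 2 degrees of freedom.
    e_r = (n - r + 3) / 2^(r + 2) is applied to every r = 1..k (assumption:
    the thesis states it for r < k; using it for r = k too gives its 34.25)."""
    n = len(bits)
    blk, gap = maximal_runs(bits)
    blk_r, gap_r = run_length_table(blk, k), run_length_table(gap, k)
    x_obs = 0.0
    for r in range(1, k + 1):
        e_r = (n - r + 3) / 2 ** (r + 2)
        x_obs += (blk_r[r - 1] - e_r) ** 2 / e_r
        x_obs += (gap_r[r - 1] - e_r) ** 2 / e_r
    return x_obs, blk_r, gap_r

if __name__ == "__main__":
    print(runs_up([7, 4, 1, 0, 5, 2, 8, 9, 6, 0]))   # [1, 1, 1, 2, 3, 1, 1]
    print(feller_run_counts(SEQ_4_16, 6))           # [10, 5, 3, 2, 1, 1]
    x, blk_r, gap_r = runs_test(EXAMPLE_BITS, 6)
    print(round(x, 2), blk_r, gap_r)                # 34.25 [20, 8, 0, 4, 0, 0] [16, 16, 0, 0, 0, 0]
```

Against the threshold 23.21 quoted later for this example (χ² with 10 degrees of freedom), the statistic 34.25 fails, as the thesis' results table records.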

The turning point test is another type of runs test, found in [Gop93]. This test counts the

number of turning points (peaks and troughs) in a sequence. To calculate the test statistic the

number of samples tested needs to be large. The large sample allows for the assumption of a

normal distribution with a mean of $\mu = \frac{2}{3}(n-2)$ and a variance of $\sigma^2 = \frac{16n - 29}{90}$. The test characteristic can be calculated as follows:

$$X_{obs} = \left| \frac{\bar{x} - \mu}{\sigma} \right| \qquad (4.19)$$

The hardware and software implementation of the turning point test is presented in Sec-

tion 5.1.7.

[Figure 4.3 (histogram of the longest-run length, x-axis 0 to 50, y-axis counts 0 to 1400) not reproduced.]

Figure 4.3: Longest runs at 20000 bits sample probability distribution using 5000 samples.

Longest runs test

This test is included in the FIPS 140-2 testing group, where a maximum run length of 26 is given

for 20000 bits. However, only this value and a significance level of 0.0001 are given without any

other background information. This presents a problem when trying to determine the maximum

lengths for sequences other than 20000 bits. To overcome this problem an experiment has been

performed to determine the maximum run length distributions for different test sequence lengths.

This experiment was programmed in Matlab™ with a sample of 50000 sequences ranging in

length from 25 to 100000 (the lengths used in the simulator from Chapter 6). After programming

the experiment, the program was run and the probability distribution was calculated for each of

the different sample lengths. The sample sequences required a random number source, in this

case the pseudorandom generator provided by Matlab™ (see Section 6.2.2 for a description of

this generator). A sample size of 50000 sequences was used and the longest run from each sample

was calculated. The probability for the longest run of a given sequence length was calculated and

plotted, see Figure 4.3 for an example probability distribution at 20000 bits and 5000 samples.

Figure 4.3 shows a zoomed-in result for the probability distribution. Using this distribution it

was possible to calculate the point x where the probability P(X ≤ x) = 1−α .

The experimental significance level was initially published as α = 0.0001 by NIST; however,

further study by FDK Corp. [Vit03] revealed that the actual significance level used was α =

0.000298. This new value was used as the limit in the experiment (see Table 4.4 for the maximum

run lengths). The results from this table were used in the software and hardware implementation

of the longest runs test presented in Section 4.8

There are a variety of ways to calculate the longest run, the method used in this thesis is to

keep track of the longest run of either zero or one in the sequence. Another method published by

the FDK Corp. [Vit03] looks at the probability Py(η) of a run longer than η appearing in a bit

stream. This information can be used to calculate the probability $M_n(\eta)$ that the longest run in $n$ bits has length $\eta$:

$$M_n(\eta) = P_n(\eta) - P_n(\eta + 1).$$

Table 4.4: Maximum run length for the given sample sequence length.

Sequence Length    P(x ≥ y)
25                 14
50                 15
75                 16
100                17
250                19
500                19
1000               21
2500               21
5000               22
10000              23
15000              23
20000              25
30000              26
50000              26
100000             27

Further information on this second method for calculating the longest runs can be found in [Vit03].

Autocorrelation

Visually, it is possible to detect regular waveforms as non-random. How can this property be

automated for randomness testing in applications? One method is to compare the signal with a

shifted copy of itself, which is the autocorrelation function. A random sequence has the property

that a sample random sequence has very little correlation with any copy of itself.

The autocorrelation test, as described in [APS96], checks for the correlation between the

current sequence and a shifted version. A sample sequence is XORed with a d delayed version.

With a large sample, $n$, and $n - d \ge 10$, the test statistic is assumed to follow a normal distribution. The test characteristic is calculated using the following formulas:

$$A(d) = \sum_{i=0}^{n-d-1} s_i \oplus s_{i+d} \qquad (4.20)$$

$$X_{obs} = 2\left(\frac{A(d) - \frac{n-d}{2}}{\sqrt{n-d}}\right) \qquad (4.21)$$


Pattern Matching Tests

A non-overlapping test using pattern matching is the poker test, also called the k-tuple test. There

are many variations of this test with the two best known published in [APS96] and [Knu97]. More

focus is placed on the poker test from [APS96], since it is ideally suited for binary data.

The poker test is modeled on the χ2 distribution. In general, the poker test takes k independent

observations and sorts them into g categories. The probability of a particular category being

observed is indicated by ps with xs being the actual number of observations for each category s.

This allows the building of the statistic from the $\chi^2$ formula:

$$X_{obs} = \sum_{s=1}^{g} \frac{(x_s - k p_s)^2}{k p_s}. \qquad (4.22)$$

This is the general form of the χ2 statistic; however, this thesis uses a modified form for binary

data.

The number of categories $g$ for a binary sequence is selected to match a subsequence of bit length $m$; this gives $g = 2^m$ categories. A sequence is subdivided into $k$ independent observations with $k = \lfloor n / m \rfloor$ and $n$ the number of bits in the full sequence. For a random binary sequence, each category has an equal probability of appearing, $p_s = \frac{1}{2^m}$. Expanding $(x_s - k p_s)^2 = x_s^2 - 2 k p_s x_s + k^2 p_s^2$ and using the relations

$$x_1 + x_2 + \ldots + x_s = k$$

$$p_1 + p_2 + \ldots + p_s = 1$$

allows Equation 4.22 to be rewritten:

$$X_{obs} = \sum_{s=1}^{2^m} \frac{\left(x_s - \frac{k}{2^m}\right)^2}{\frac{k}{2^m}}$$

and then to

$$X_{obs} = \frac{2^m}{k} \sum_{s=1}^{2^m} x_s^2 - k.$$

There are $2^m$ categories; therefore, the statistic $X_{obs}$ follows a $\chi^2$ distribution with $\upsilon = 2^m - 1$ degrees of freedom. If the test subsequence length $m$ is reduced to 1, then the test is the frequency test [APS96].

The overlapping m-tuple test is another pattern counting test. However, in this case the

counted patterns are overlapping and the pattern counted is selected by shifting the vector one

bit with each new input. The particular test implemented and studied in this thesis is the 2-tuple

test or the serial test.

In general, for a vector $i_1, \ldots, i_m$, which has a length of $m$, there are $2^m$ possible binary values. Let $n_{i_1, \ldots, i_m}$ be the count for each pattern $(i_1, \ldots, i_m)$. Since each count $n_{i_x}$ is dependent on the other counts $n_{i_1, \ldots, i_m}$, the standard Pearson's $\chi^2$ statistic

$$\psi_m^2 = \frac{2^m}{n_m} \sum_{i=1}^{2^m} n_{i_1, \ldots, i_m}^2 - n_m$$

is not appropriate as a random generator test. However, L'Ecuyer et al. [L'E02] and Rukhin [And00] show that

$$\Delta\psi_m^2 = \psi_m^2 - \psi_{m-1}^2 = \left(\frac{2^m}{n_m} \sum_{j=1}^{2^m} n_{j_1, \ldots, j_m}^2 - n_m\right) - \left(\frac{2^{m-1}}{n_{m-1}} \sum_{i=1}^{2^{m-1}} n_{i_1, \ldots, i_{m-1}}^2 - n_{m-1}\right)$$

approximately follows a $\chi^2$-distribution with $2^{m-1}$ degrees of freedom. For the specific serial test implemented in this thesis the vector length is set to $m = 2$, which gives

$$\Delta\psi_2^2 = \psi_2^2 - \psi_1^2$$

with

$$n_2 = n_{00} + n_{01} + n_{10} + n_{11} = n - 1$$

and

$$n_1 = n.$$

Using these values the $\chi^2$ test statistic can be found:

$$X_{obs} = \Delta\psi_2^2 = \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1$$

with 2 degrees of freedom. This form of the serial test can be found in [APS96] and is the version

implemented in hardware in the next chapter.

Example 4.8.2. Random Number Generator Test Example

The eight tests described in the previous paragraphs are used here in an example for testing

a random number generator. The input string is a binary sequence of 100 bits that is the result of

the following sequence being concatenated four times together:

1010110010111100110100100.

1. Frequency test: n0 = 48 and n1 = 52.

2. Serial test: n0 = 48, n1 = 52, n00 = 16, n01 = 32, n10 = 31, n11 = 20 gives a Xobs = 7.54.

3. Longest Runs test: Longest run is 4.


4. Autocorrelation test: d = 4, sum = 61 and Xobs = 2.65.

5. Poker test: m = 4 with the following patterns

Pattern   # of occurrences

0000 0

0001 0

0010 3

0011 1

0100 2

0101 3

0110 2

0111 1

1000 0

1001 4

1010 2

1011 2

1100 2

1101 1

1110 1

1111 1

giving a Xobs = 12.76.

6. Frequency Block test: $m = 4$ (block length)

$$\sum_{i=1}^{n} \left(\frac{\pi_i}{m} - \frac{1}{2}\right)^2 = 0.87$$

giving $X_{obs} = 14$.

7. Turning Point test: $\mu = 6.67$, $\sigma^2 = 1.81$

$$\chi^2_{obs} = \left| \frac{\bar{x} - \mu}{\sigma} \right| = 1.98.$$

8. Runs test: $X_{obs} = 34.25$

Runs of 0              Runs of 1
Length   Occurrence    Length   Occurrence
1        16            1        20
2        16            2        8
3        0             3        0
4        0             4        4
5        0             5        0
6+       0             6+       0


The following table shows each test's threshold value, the observed $\chi^2$ value or test result, and whether the generator has passed or failed the test (pass when $X_{obs} < X_{threshold}$):

Test              Observed Value      Threshold Value                                 Pass / Fail
Frequency         n1 = 52             n1_lower = 35, n1_upper = 64                    Pass
Serial            Xobs = 7.54         Xthreshold = 9.21                               Pass
Longest Runs      longest run = 4     max. run length = 17                            Pass
Autocorrelation   Xobs = 2.65         Xthreshold = 2.57                               Fail
Runs              Xobs = 34.25        Xthreshold = 23.21                              Fail
Poker             Xobs = 12.76        Xthreshold_lower = 4.60, Xthreshold_upper = 32.80   Pass
Frequency Block   Xobs = 14           Xthreshold = 44.31                              Pass
Turning Point     Xobs = 1.98         Xthreshold = 2.58                               Pass
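The serial, longest-runs, autocorrelation, poker and frequency-block tests of Section 4.8, run over the 100-bit input of Example 4.8.2 as an added Python example; this is not code from the thesis. It reproduces the observed values listed above (serial 7.54, longest run 4, autocorrelation sum 61 and 2.65, poker pattern counts and 12.76, frequency block 0.87 and 14) and applies the threshold values quoted in the table, which are taken as given here rather than derived from the χ² tables. The frequency and runs tests, and the turning point test whose μ and σ² the example does not derive from n = 100, are left out.

```python
import math

# Added illustration (not code from the thesis). EXAMPLE_BITS is the 100-bit
# input of Example 4.8.2; THRESHOLDS are the values quoted in the thesis'
# results table for that example (n = 100).
EXAMPLE_BITS = [int(c) for c in "1010110010111100110100100" * 4]
THRESHOLDS = {
    "serial": 9.21,              # chi-square, 2 degrees of freedom
    "longest_run": 17,           # Table 4.4, sequence length 100
    "autocorrelation": 2.57,     # normal statistic, two-sided
    "poker": (4.60, 32.80),      # chi-square, 2^4 - 1 = 15 degrees of freedom
    "frequency_block": 44.31,    # chi-square, 25 degrees of freedom
}

def serial_test(bits):
    """Delta psi^2_2 (m = 2): overlapping 2-tuple counts, 2 degrees of freedom."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    pairs = {"00": 0, "01": 0, "10": 0, "11": 0}
    for a, b in zip(bits, bits[1:]):
        pairs[f"{a}{b}"] += 1
    x_obs = (4 / (n - 1)) * sum(v * v for v in pairs.values()) \
        - (2 / n) * (n0 ** 2 + n1 ** 2) + 1
    return x_obs, pairs

def longest_run(bits):
    """Longest run of either zeros or ones (the method used in the thesis)."""
    best = current = 0
    for i, b in enumerate(bits):
        current = current + 1 if i > 0 and bits[i - 1] == b else 1
        best = max(best, current)
    return best

def autocorrelation_test(bits, d):
    """Eqs. (4.20) and (4.21): XOR of the sequence with its d-delayed copy."""
    n = len(bits)
    a_d = sum(bits[i] ^ bits[i + d] for i in range(n - d))
    return 2 * (a_d - (n - d) / 2) / math.sqrt(n - d), a_d

def poker_test(bits, m):
    """Non-overlapping m-bit patterns: X_obs = (2^m / k) * sum x_s^2 - k."""
    k = len(bits) // m
    counts = {}
    for i in range(k):
        pattern = "".join(str(b) for b in bits[i * m:(i + 1) * m])
        counts[pattern] = counts.get(pattern, 0) + 1
    return (2 ** m / k) * sum(c * c for c in counts.values()) - k, counts

def frequency_block_test(bits, m):
    """Eq. (4.13): X_obs = 4m * sum_i (pi_i / m - 1/2)^2 over n blocks of m bits."""
    n = len(bits) // m
    total = sum((sum(bits[i * m:(i + 1) * m]) / m - 0.5) ** 2 for i in range(n))
    return 4 * m * total, total

def evaluate(bits, thresholds=THRESHOLDS):
    """Pass/fail verdict of each test against the quoted thresholds."""
    x_serial, _ = serial_test(bits)
    x_auto, _ = autocorrelation_test(bits, 4)
    x_poker, _ = poker_test(bits, 4)
    x_block, _ = frequency_block_test(bits, 4)
    lo, hi = thresholds["poker"]
    return {
        "serial": x_serial < thresholds["serial"],
        "longest_run": longest_run(bits) <= thresholds["longest_run"],
        "autocorrelation": abs(x_auto) < thresholds["autocorrelation"],
        "poker": lo < x_poker < hi,
        "frequency_block": x_block < thresholds["frequency_block"],
    }

if __name__ == "__main__":
    for name, verdict in evaluate(EXAMPLE_BITS).items():
        print(f"{name:16s} {'Pass' if verdict else 'Fail'}")
```

The poker test is two-sided (a statistic below the lower threshold means the pattern counts are too uniform), which is why its verdict checks both bounds; the other χ² tests are one-sided.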

The empirical tests presented here are only a small fraction of what is available in litera-

ture. Three popular test suites that incorporate the tests presented here plus many more are:

NIST Statistical Test Suite [AJJ+], The Diehard Battery of Stringent Statistical Randomness

Tests [Mar95], and the ENT: A Pseudorandom Number Sequence Test Program [Wal98]. Some

of these tests are not practical for a smart card environment. Only the tests that are possible on a

smart card have been studied further.


Chapter 5

Hardware Implementation

5.1 Hardware Design

The theory behind each of the selected tests has been extensively covered in the preceding chap-

ters (see Chapter 4.8). For most designers a software implementation of each of the RNG tests

is perfectly acceptable; however, for some applications this is not the case. For example, smart cards need to perform the tests while the processor is being initialized. Therefore, the test package needs to run while the rest of the processor is also being initialized. The RNG and the testing unit have to form a self-sufficient unit. Most of the published RNG tests have been designed for a software implementation, or, if they do have a hardware implementation, their requirements far exceed what is possible on modern smart cards.

From Chapter 2.3.2 we see that the area requirements for the complete smart card circuit are approximately 25 mm². Most of the area is required for memory cells; therefore, area is a

premium characteristic. Even though area is very important to smart card processor designers,

they are more concerned with the power consumption of the design. With the advent of the

wireless smart card, which supplies its voltage through induction, any card design requires a very

low power consumption. Additional security modules must also have a low power consumption.

We have mentioned that area and power consumption are very important to the designer; however, there is one last hardware characteristic that needs to be examined, the time delay of the circuit. This detail indicates how quickly the test is able to run. With the known sequence length and the time delay of the circuit, the processing time for the full test can be calculated. The initialization phase in a smart card lasts two seconds, and during that time the RNG test unit must have the RNG produce a sequence of bits and also test the resulting sequence.

This chapter begins by presenting the hardware implementation for each of the RNG tests. Using Synopsys™ and VHDL each of the tests has been simulated and synthesized. The results from the analysis of area, power consumption and time delay are presented.

[Figure 5.1: block diagram of the test unit, consisting of a Counter and a Comparator; inputs Clk, Din, Start, Reset; outputs Result, Bits_Over.]

Figure 5.1: Test unit input and output.

5.1.1 Frequency Test

The first test that has been implemented in hardware is the frequency test. The basic test unit (see Figure 5.1) has as input the test data Din, the clock Clk, the reset signal Reset, and a start signal Start. There are two output signals: the Bits_Over signal tells the rest of the test unit when it has finished testing, and a pass or fail is waiting at the output Result signal.

The internal diagram of the frequency test can be seen in Figure 5.2. The resulting test circuit is a four-state device, which begins counting when the start signal goes high. There is an asynchronous reset built into the device should it need to be reset at any stage along the state diagram. The third state is reached once the count reaches its limit, which is 20000 bits in this example. This number can be adjusted at the design stage to fit the required test length. In the third state, a test is performed to check if the count of ones is in range. If so, a ’1’ is output to indicate a pass, otherwise a ’0’ is output for a fail.

With a sufficient test length the frequency test models a χ² distribution with υ = 1 degree of freedom. Using this information it is possible to precalculate the limits for a given bit length, in this example n = 20000. The limits calculation is as follows:

x = F⁻¹(p|υ) = {x : F(x|υ) = p}

where

p = F(x|υ) = ∫₀ˣ t^((υ−2)/2) · e^(−t/2) / (2^(υ/2) · Γ(υ/2)) dt

and

Γ(a) = ∫₀^∞ t^(a−1) · e^(−t) dt.

Using these formulas, the characteristic limit Xlim for a probability of p = 1−α = 1−0.0001 with one degree of freedom is:

Xlim = F⁻¹(1−0.0001|1) = 19.5114

[Figure 5.2: state diagram with the states 1) WAIT_FOR_START, 2) READ_BITS, 3) OUTPUT, 4) HALT; Start = ’1’ moves from state 1 to state 2, Count > 20000 from state 2 to state 3, and Reset = ’1’ returns every state to state 1.]

Figure 5.2: State diagram for the Frequency test.

Xlim = (n0 − n1)² / n

∴ 9688 < Xpass < 10312
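To make the frequency test unit concrete, here is an added Python model of the four-state machine of Figure 5.2 and of the step from Xlim to the window for the count of ones; it is illustration code written for this page, not the thesis's VHDL, and the sample sequences are constructed.

```python
"""Bit-serial model of the frequency test unit of Section 5.1.1.

Added illustration, not the thesis's VHDL. It follows the four states of
Figure 5.2 (WAIT_FOR_START, READ_BITS, OUTPUT, HALT) and turns the
chi-square limit Xlim quoted in the text (19.5114 for n = 20000, one
degree of freedom) into the pass window for the count of ones.  Xlim is
taken from the text, not recomputed here.
"""
import math
from typing import List, Tuple

N_BITS = 20000
X_LIM = 19.5114  # limit quoted in the text for p = 1 - 0.0001, 1 d.o.f.


def count_window(n: int, x_lim: float) -> Tuple[int, int]:
    """Inclusive window for the number of ones that passes.

    The statistic is X = (n0 - n1)^2 / n with n0 + n1 = n, so X < x_lim
    is the same as |n1 - n/2| < sqrt(x_lim * n) / 2.  For n = 20000 and
    Xlim = 19.5114 this gives 9688 ... 10312, the range in the text.
    """
    half_width = math.sqrt(x_lim * n) / 2.0
    return math.ceil(n / 2.0 - half_width), math.floor(n / 2.0 + half_width)


class FrequencyTestUnit:
    """One clock per input bit; Start, Reset, Din in; Result, Bits_Over out."""

    WAIT_FOR_START, READ_BITS, OUTPUT, HALT = range(4)

    def __init__(self, n_bits: int = N_BITS, x_lim: float = X_LIM) -> None:
        self.n_bits = n_bits
        self.lower, self.upper = count_window(n_bits, x_lim)
        self.reset()

    def reset(self) -> None:
        """Asynchronous Reset = '1': back to WAIT_FOR_START, counters cleared."""
        self.state = self.WAIT_FOR_START
        self.count = 0       # bits consumed so far (the Counter block)
        self.ones = 0        # running count of ones
        self.result = 0      # pass = 1, fail = 0
        self.bits_over = 0   # raised once Result is valid

    def clock(self, din: int, start: int = 0) -> None:
        """Advance one clock edge with the current Din and Start inputs."""
        if self.state == self.WAIT_FOR_START:
            if start:
                self.state = self.READ_BITS
        elif self.state == self.READ_BITS:
            self.count += 1
            self.ones += din & 1
            if self.count >= self.n_bits:
                self.state = self.OUTPUT
        elif self.state == self.OUTPUT:
            # The Comparator block: is the count of ones inside the window?
            self.result = 1 if self.lower <= self.ones <= self.upper else 0
            self.bits_over = 1
            self.state = self.HALT
        # HALT: hold Result until Reset


def run_frequency_test(bits: List[int], n_bits: int = N_BITS,
                       x_lim: float = X_LIM) -> int:
    """Drive the unit with a sequence; missing bits are clocked in as 0."""
    unit = FrequencyTestUnit(n_bits, x_lim)
    unit.clock(din=0, start=1)            # Start pulse
    stream = iter(bits)
    while not unit.bits_over:
        unit.clock(din=next(stream, 0))
    return unit.result


def constructed_sequence(ones: int, n_bits: int = N_BITS) -> List[int]:
    """Constructed sample: exactly `ones` ones spread evenly over n bits."""
    seq = [0] * n_bits
    if ones:
        step = n_bits / ones
        for i in range(ones):
            seq[int(i * step)] = 1
    return seq


if __name__ == "__main__":
    print("pass window for ones:", count_window(N_BITS, X_LIM))
    for ones in (0, 9687, 9688, 10000, 10312, 10313, 20000):
        verdict = run_frequency_test(constructed_sequence(ones))
        print(ones, "ones ->", "pass" if verdict else "fail")
```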

5.1.2 Frequency Block Test

The frequency block test is very similar to the frequency test, since it performs the frequency test on each given block. The state diagram for the internal frequency test on each block is the same as that of the frequency test with only one large block for the full test sequence. The input and output signals for this test are also the same as for the frequency test (see Figure 5.1).

The design difference between the frequency and the frequency block test is how it handles the frequency test results of the subsequences. Figure 5.3 shows the flowchart for the frequency block test, and Figure 5.4 shows the output flowchart. A bit counter (Count) keeps track of the full test sequence length, and for this implementation as long as the sequence is less than or equal to 20000 the testing can continue. The next counter is for the subsequence (Blockcount). When the 100th bit is reached it can be tested, and its result is added to a running sum. After the full bit sequence is processed a total sum value is calculated and compared to a precalculated value. If the sum is less than the value, the result signal is set to ’1’, and if it is over the value, it is set to ’0’.

The precalculated value depends on the significance level and the bit sequence length and can be calculated as follows:

Xlim = F⁻¹(p|a,b) = {x : F(x|a,b) = p}

Xlim / 2 = gaminv(1−α, N/2)

Xlim = 2 · gaminv(1−0.0001, 200/2)

Xlim = 249.4

Therefore, the observed test statistic needs to be below 249.4 in order for the test to determine it as a pass.

[Figure 5.3: flowchart. Start; if Input = ’1’ then increment πi; increment Count; if Blockcount = 99, calculate Sum = Σ_{i=1}^{200} (πi − 50)² and reset π; if Count < 20000 then Nextstate <= Read_Bits, else Nextstate <= Output; End.]

Figure 5.3: Frequency block test flowchart.

[Figure 5.4: output flowchart. Start; if 9725 < Rcount < 10275 then Result = ’1’ (Yes), else Result = ’0’ (No); NextState.]

Figure 5.4: Frequency block test output flowchart.

Algorithm 2 Xlim calculation for the runs test.

Xlim = gaminv(1−α, υ) where υ = 2·k − 2 and k is the number of run groups (6)

Xlim = gaminv(1−0.0001, 10)

Xlim = 35.56

5.1.3 Runs Test

The runs test is a more complex test than the previous two tests. Its state diagram is shown in Figure 5.5. The runs test module has the same inputs and outputs as the other two tests (see Figure 5.1). However, internally it has many more states. Depending on the first bit in the run, either the S1–S6 (Din = 1) or the S12–S7 (Din = 0) branch is followed. If the next bit is the same as the last bit, then the state branch is followed until either the input bit changes or it reaches state S6 or S7. If it reaches either of these points, the input length is treated as a run of six even if it is longer. Whenever a change in the input bit occurs, the counter for that state is incremented (z1 ... z6) and (e1 ... e6). A main counter (Count) is used to count the testing sequence length. The Bits_Over signal is set high at the end of the test and the test unit can read the results from the Result signal. Using Algorithm 2, the χ²_obs value is calculated and compared to a precalculated range. If it falls within this range, the test outputs a “pass”, else a “fail” is output.

5.1.4 Longest Runs Test

The longest runs test is a variation on the runs test, in which the longest run in the sequence is found and the counted length is saved. A precalculated boundary value for the given test sequence length is compared to the sample's longest run. Should the sample sequence have a run longer than the boundary value, the test outputs a fail, else it outputs a pass. The boundary values are given in Table 4.4 in Section 4.8.

[Figure 5.5: state diagram. From Start (Start = 1) the first bit selects S1 (Din = 1) or S12 (Din = 0). Repeated ones advance S1 (’1’) → S2 (’11’) → S3 (’111’) → S4 (’1111’) → S5 (’11111’) → S6 (’111111’); repeated zeros advance S12 (’0’) → S11 (’00’) → S10 (’000’) → S9 (’0000’) → S8 (’00000’) → S7 (’000000’). A changed Din crosses to S1 or S12 of the other branch; Count = 20000 leads to Output and then Halt; Reset = 1 returns to Start.]

Figure 5.5: Runs test state diagram.

[Figure 5.6: state diagram. Waitfor Start (Start = ’0’ holds; Reset = ’1’ returns here) → Readbits on Start = ’1’ and Reset = ’0’; Readbits and Readbits set alternate while Count < 20000 and Cnt_reg + 1 < 4; Count >= 20000 → Output → Halt.]

Figure 5.6: Poker and autocorrelation test state diagram.

The external structure of the longest runs test is the same as for the previous tests, see Figure 5.1. Internally, the test is started when the Start signal is set high. The first input bit is read and if the bit is ’1’ then the next state is S1, else it goes to S0. If the same bit repeats itself, the counter for that bit type is incremented. However, if the new input is not the same as the previous bit, the counter is cleared and reset for the new bit value. The counter continues until the input bit changes. If the maximum run length is passed, an indicator register IND is set high. After the full sample is examined, the test enters the next state and the IND register is checked. If IND is high, a fail is set on the output, otherwise it is set to a pass.
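An added Python model (not the thesis's VHDL) of the single pass over the bit stream that serves both the runs test of Section 5.1.3 and the longest runs test of Section 5.1.4; the expected-count formula and the long-run bound are labelled assumptions, since only Xlim = 35.56 from Algorithm 2 appears on this page.

```python
"""Runs test (Section 5.1.3) and longest runs test (Section 5.1.4) modelled
on the state chain of Figure 5.5.  Added illustration, not the thesis's VHDL.

A single pass over the bit stream tallies runs of ones in e[1..6] and runs
of zeros in z[1..6]; any run longer than six is folded into group six, as
states S6 and S7 do.  The expected counts used for the chi-square value,
(n - i + 3) / 2^(i + 2) for i < k and the tail sum (n + 2 - k) / 2^(k + 1)
for the folded last group, are the standard runs-test definition and are
NOT quoted on this page; only the limit Xlim = 35.56 (Algorithm 2) is.
The longest-run bound defaults to a placeholder because Table 4.4 is not
on this page either.
"""
from typing import Dict, List, Tuple

N_BITS = 20000
K_GROUPS = 6              # run-length groups 1..6 (upsilon = 2k - 2 = 10)
X_LIM_RUNS = 35.56        # Algorithm 2: gaminv(1 - 0.0001, 10)
MAX_RUN_PLACEHOLDER = 26  # assumed bound; the thesis's value is in Table 4.4


def count_runs(bits: List[int], k: int = K_GROUPS
               ) -> Tuple[Dict[int, int], Dict[int, int], int]:
    """Return (ones_runs, zeros_runs, longest_run) after one pass.

    ones_runs[i] / zeros_runs[i] are the counters e_i / z_i of the text;
    longest_run is the true maximum length, needed by the longest runs test.
    """
    ones_runs = {i: 0 for i in range(1, k + 1)}
    zeros_runs = {i: 0 for i in range(1, k + 1)}

    def record(bit: int, run_len: int) -> None:
        hist = ones_runs if bit else zeros_runs
        hist[min(run_len, k)] += 1          # S6 / S7: longer runs count as k

    current, length, longest = -1, 0, 0
    for b in bits:
        b &= 1
        if b == current:
            length += 1
        else:
            if current >= 0:                # a run just ended
                record(current, length)
            current, length = b, 1
        longest = max(longest, length)
    if current >= 0:                        # close the final run
        record(current, length)
    return ones_runs, zeros_runs, longest


def expected_runs(n: int, i: int, k: int = K_GROUPS) -> float:
    """Expected number of runs of length i (per bit value) in n bits."""
    if i < k:
        return (n - i + 3) / 2 ** (i + 2)
    return (n + 2 - k) / 2 ** (k + 1)       # runs of length >= k


def runs_chi_square(ones_runs: Dict[int, int], zeros_runs: Dict[int, int],
                    n: int, k: int = K_GROUPS) -> float:
    """chi-square value over the 2k groups (2k - 2 degrees of freedom)."""
    x_obs = 0.0
    for i in range(1, k + 1):
        e_i = expected_runs(n, i, k)
        x_obs += (ones_runs[i] - e_i) ** 2 / e_i
        x_obs += (zeros_runs[i] - e_i) ** 2 / e_i
    return x_obs


def runs_test(bits: List[int], n: int = N_BITS,
              x_lim: float = X_LIM_RUNS) -> int:
    """Result signal of the runs test: 1 = pass, 0 = fail."""
    ones_runs, zeros_runs, _ = count_runs(bits)
    return 1 if runs_chi_square(ones_runs, zeros_runs, n) <= x_lim else 0


def longest_runs_test(bits: List[int],
                      max_run: int = MAX_RUN_PLACEHOLDER) -> int:
    """IND register of Section 5.1.4: set when a run exceeds the bound."""
    _, _, longest = count_runs(bits)
    ind = longest > max_run
    return 0 if ind else 1


if __name__ == "__main__":
    sample = [int(c) for c in "1110010000011"]     # constructed
    print(count_runs(sample))
    alternating = [i % 2 for i in range(N_BITS)]   # constructed: only runs of 1
    print("alternating: runs", runs_test(alternating),
          "longest", longest_runs_test(alternating))
```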

5.1.5 Poker Test

The poker test is another part of the FIPS 140-2 test suite. Of the four tests in the suite it has the most complex hardware implementation. The theoretical details are found in Chapter 5.1 on page 56. As with the previous tests detailed in this chapter, the input and output entity for the poker test is as shown in Figure 5.1. This allows for easy substitution of the tests.

The poker test’s state diagram is shown in Figure 5.6. After a reset the process begins in the Wait_for_start state. Once the Start signal goes high the test begins by entering the Read_bits state and reading the first bit. The input bit is read and stored in the MSB of the Reg register. The counter register Cnt_reg is checked to see if all the bit positions have been filled with new bits. If the register does not hold four new bits, the state is returned to the Read_bits state until four new bits are present. Once Reg has been filled the process compares the pattern found in Reg to a list of patterns. The counter for the matching pattern is incremented. This process is repeated for the full test sequence. When all the bits have been read and matched, the test value Sum is calculated using the following formula:

Sum = Xpoker_obs · k/2^m = (Σ_{i=1}^{2^m} n_i²) − k²/2^m

This formula can be arrived at by using the theory from Section 5.1.5 and the given constants:

m = 4

α = 0.0001

n = 20000

Therefore, the following can be calculated:

k = ⌊n/m⌋ = ⌊20000/4⌋ = 5000

χ²_obs = (2^m/k · Σ_{i=1}^{2^m} n_i²) − k

Sum = k/2^m · χ²_obs = (Σ_{i=1}^{2^m} n_i²) − k²/2^m

After calculating Sum, the process proceeds to the Output state. The value in Sum is compared to a precalculated range for α = 0.0001. In this implementation the range is 675 < Sum < 14428, which is calculated as follows:

χ²_upper = chi2inv(1 − 0.0001/2, 2⁴ − 1)

χ²_lower = chi2inv(0.0001/2, 2⁴ − 1)

χ²_lower < χ²_obs < χ²_upper

⌊k/2^m · χ²_lower⌋ < Sum < ⌊k/2^m · χ²_upper⌋

⌊2.16 · 5000/16⌋ < Sum < ⌊46.17 · 5000/16⌋

The Output state sets the Result signal to ’1’ for a pass and ’0’ for a fail. The process then moves to the Halt state, and remains there until a reset signal is received.
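An added Python model of the poker test's four-bit pattern counter and Sum register with the constants above (m = 4, k = 5000, α = 0.0001); illustration code, not the thesis's VHDL, and the pattern counts it is driven with are constructed to sit just outside and just inside the 675 < Sum < 14428 window.

```python
"""Poker test of Section 5.1.5 with the thesis's constants m = 4,
n = 20000, k = 5000 and alpha = 0.0001.  Added illustration, not the VHDL.

Reg collects four bits at a time; the counter of the matching pattern is
incremented; Sum = (sum of n_i^2) - k^2 / 2^m is the register-friendly
form of chi2_obs scaled by k / 2^m, compared with 675 < Sum < 14428.
The chi-square quantiles 2.16 and 46.17 are the values quoted in the text.
"""
import math
from typing import List, Tuple

M = 4                 # bits per pattern
N_BITS = 20000
K = N_BITS // M       # 5000 patterns
CHI2_LOWER = 2.16     # chi2inv(0.0001 / 2, 2^4 - 1), from the text
CHI2_UPPER = 46.17    # chi2inv(1 - 0.0001 / 2, 2^4 - 1), from the text


def sum_window(k: int = K, m: int = M, chi2_lower: float = CHI2_LOWER,
               chi2_upper: float = CHI2_UPPER) -> Tuple[int, int]:
    """Open window (lower, upper) for Sum, i.e. floor(k / 2^m * chi2)."""
    scale = k / 2 ** m
    return math.floor(chi2_lower * scale), math.floor(chi2_upper * scale)


def pattern_counts(bits: List[int], m: int = M) -> List[int]:
    """Shift m new bits into Reg (first bit ends up as MSB), then count."""
    counts = [0] * (2 ** m)
    reg, cnt_reg = 0, 0
    for b in bits:
        reg = (reg << 1) | (b & 1)
        cnt_reg += 1
        if cnt_reg == m:            # four new bits are present
            counts[reg] += 1
            reg, cnt_reg = 0, 0
    return counts


def poker_sum(counts: List[int], k: int = K, m: int = M) -> float:
    """Sum = (sum n_i^2) - k^2 / 2^m, the value held in the Sum register."""
    return sum(c * c for c in counts) - k * k / 2 ** m


def chi2_obs(counts: List[int], k: int = K, m: int = M) -> float:
    """The textbook statistic, for cross-checking Sum = k / 2^m * chi2_obs."""
    return (2 ** m / k) * sum(c * c for c in counts) - k


def poker_test(bits: List[int]) -> int:
    """Result signal: 1 if lower < Sum < upper, else 0."""
    lower, upper = sum_window()
    s = poker_sum(pattern_counts(bits))
    return 1 if lower < s < upper else 0


def bits_from_counts(counts: List[int], m: int = M) -> List[int]:
    """Constructed input: emit pattern p exactly counts[p] times, MSB first."""
    bits = []
    for p, c in enumerate(counts):
        for _ in range(c):
            bits.extend((p >> (m - 1 - j)) & 1 for j in range(m))
    return bits


if __name__ == "__main__":
    print("Sum window:", sum_window())
    too_even = [313] * 8 + [312] * 8      # constructed: 5000 patterns, Sum = 4
    print("too even:", poker_sum(too_even),
          poker_test(bits_from_counts(too_even)))
    skewed = [319] * 8 + [306] * 8        # constructed: Sum = 676, passes
    print("skewed:", poker_sum(skewed), poker_test(bits_from_counts(skewed)))
```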

5.1.6 Autocorrelation Test

The autocorrelation test compares a bit sequence with a shifted version of itself by using a shift register and an exclusive-OR:

[Inline figure: a four-cell shift register (cells 4, 3, 2, 1) fed by Din; cell 4 and cell 1 are XORed and accumulated in Auto_corr.]

The length of the shift register has been arbitrarily chosen at four bits. A better coverage is achieved by using multiple XOR gates attached to shorter bit differences, i.e. bits 3/4 and 2/4, at the expense of a larger circuit. The entity of the autocorrelation test follows the other tests with the four inputs and two outputs shown in Figure 5.1.

The control flow of the autocorrelation test is the same as for the poker test (see Figure 5.6). During the Read_bits state the data is first read into the shift register. Once that has completed the fourth and first bits are XORed and summed to a running total, which is stored in Auto_corr. The states bounce between the Read_bits and Read_bits_set states, counting all the matching first and fourth bits. This continues until the full test length is reached. The total found in the Auto_corr register is then compared to a precalculated range.

Using the values from the FIPS 140-2 standard (n = 20000, α = 0.0001) and a shift of d = 3, the limits on Auto_corr can be calculated. As mentioned in Chapter 4, the autocorrelation test follows a normal distribution if n − d ≥ 10; therefore, the range for the test characteristic is:

−2.575 < XAuto_lim < 2.575.

From this range the Auto_corr limits can also be calculated:

XAuto = 2 · (Auto_corr − (n−d)/2) / √(n−d)

Auto_corr_lim = |XAuto| · √(n−d) / 2 + (n−d)/2

Auto_corr_lim = |2.575| · √(20000−3) / 2 + (20000−3)/2

Auto_corr_upper = 10181

Auto_corr_lower = 9816

This gives the Auto_corr range, which is tested during the Output state. The test sets a pass (Result = ’1’) if it falls within the range, else a fail (Result = ’0’) is set.

After outputting the results, the process continues into the Halt state, where it waits until a reset is sent.

[Figure 5.7: state diagram. Waitfor Start (Start = ’0’ holds; Reset = ’1’ returns here) → Readbits on Start = ’1’ and Reset = ’0’; Readbits loops while Count < 20000; Count >= 20000 → Output → Halt.]

Figure 5.7: State diagram for the turning point test.
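An added Python model (not the thesis's VHDL) of the autocorrelation test above: the XOR of the newest and oldest shift-register cells accumulated in Auto_corr, and the inversion of X_Auto into the 9816 < Auto_corr < 10181 window; the input sequences are constructed.

```python
"""Autocorrelation test of Section 5.1.6: the newest and the oldest cell
of a four-bit shift register (shift d = 3) are XORed and the result is
accumulated in Auto_corr.  Added illustration, not the thesis's VHDL.
The window 9816 < Auto_corr < 10181 is rederived from the text's
|X_Auto| < 2.575 with n = 20000 and d = 3.
"""
import math
from typing import List, Tuple

N_BITS = 20000
D = 3
X_AUTO_LIM = 2.575    # two-sided normal limit quoted in the text


def auto_corr_window(n: int = N_BITS, d: int = D,
                     x_lim: float = X_AUTO_LIM) -> Tuple[int, int]:
    """Invert X_Auto = 2 (Auto_corr - (n - d) / 2) / sqrt(n - d).

    Auto_corr_lim = |X_Auto| sqrt(n - d) / 2 + (n - d) / 2 on either side
    of the centre; returns the (lower, upper) integer bounds, 9816 and
    10181 for the text's parameters.
    """
    centre = (n - d) / 2.0
    half = abs(x_lim) * math.sqrt(n - d) / 2.0
    return math.floor(centre - half), math.ceil(centre + half)


def auto_corr(bits: List[int], d: int = D) -> int:
    """Clock bits through a (d + 1)-cell register; sum cell 1 XOR cell d + 1."""
    cells = []          # cells[0] is the newest bit, cells[d] the oldest
    total = 0
    for b in bits:
        cells.insert(0, b & 1)
        if len(cells) > d + 1:
            cells.pop()
        if len(cells) == d + 1:      # register full: compare first and fourth
            total += cells[0] ^ cells[d]
    return total


def x_auto(total: int, n: int = N_BITS, d: int = D) -> float:
    """The normalised test characteristic X_Auto for a given Auto_corr."""
    return 2.0 * (total - (n - d) / 2.0) / math.sqrt(n - d)


def autocorrelation_test(bits: List[int], n: int = N_BITS, d: int = D,
                         x_lim: float = X_AUTO_LIM) -> int:
    """Result signal: 1 if Auto_corr lies strictly inside the window."""
    lower, upper = auto_corr_window(n, d, x_lim)
    total = auto_corr(bits, d)
    return 1 if lower < total < upper else 0


if __name__ == "__main__":
    print("Auto_corr window:", auto_corr_window())
    period4 = [int(c) for c in "0011" * (N_BITS // 4)]   # constructed
    print("0011...: Auto_corr =", auto_corr(period4),
          "X_Auto = %.3f" % x_auto(auto_corr(period4)),
          "result", autocorrelation_test(period4))
    alternating = [i % 2 for i in range(N_BITS)]          # constructed
    print("0101...: Auto_corr =", auto_corr(alternating),
          "result", autocorrelation_test(alternating))
```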

5.1.7 Turning Point Test

The turning points of a sequence are the peaks and troughs found after a run up or down. This test is not, strictly speaking, a test for binary sequences; however, it can be modified to handle binary input by grouping bits into blocks of bits and converting them into integer values. The outer entity has the same I/O as the other tests (see Figure 5.1).

The state diagram is a simplified version of the poker and autocorrelation tests, see Figure 5.7. After a reset the test is in the Wait_for_start state until the Start signal goes high. With the presence of the Start signal the test begins to collect bits and shifts to the state Read_bits. The Read_bits state not only reads each new bit but also organizes them into blocks of bits and counts when peaks or troughs occur. The algorithm is seen graphically in the flowchart shown in Figure 5.8. The Read_bits state groups, analyzes, and counts the bits. Once the full sequence is processed the test moves to the Output state, and the bits are grouped into 8-bit integers. After the eight bits are collected, the current value Rcurr is stored as the previous value Rprev. As soon as the second group of bits is collected the two values are compared. If the newer number is larger than the previous value, Rcurr > Rprev, the toggle is set to togglenew = ’1’. This new toggle value is compared to the old value: togglenew ?= toggleold. If they are the same, then no change is recorded; however, if the previous toggle value is a ’0’, then the transition counter is incremented. The same transition counting process is performed if the current number is less than the previous value, except that the toggle is set to ’0’ and a transition is recorded if the previous toggle is a ’1’. The third possibility is that the current and previous values are equal. This is recorded as no change and the toggle counter is left unchanged. After comparing the two values the process moves back to the Read_bits state, and the whole algorithm is repeated until all bits are tested.

Upon completing the peak and trough count for the full sequence the process moves to the Output state. Using the same method as for the autocorrelation test, the acceptance limits for the transition counter are precalculated and integrated into the output algorithm, see Algorithm 3.

Algorithm 3 Algorithm for calculating the test characteristic limits.

n = 20000

• μ = 2/3 · (n−2) = 13332

• σ² = (16n − 29) / 90 = 3555.2

• σ = 59.6258

• |(Xobs − μ) / σ| = X_{TP,α=0.0001} = 4.719

• Xobs_upper = 13332 + 281 = 13613

• Xobs_lower = 13332 − 281 = 13051
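An added Python model of the grouping and toggle logic of Figure 5.8 together with the limits of Algorithm 3; illustration code, not the thesis's VHDL. It computes the limits as a function of n (the number of compared values), which reproduces the text's 13051 and 13613 for n = 20000, and the handling of the very first comparison is an assumption, since the page does not say how the toggle register starts.

```python
"""Turning point test of Section 5.1.7: bits are grouped into 8-bit
integers, successive values are compared, and a change of direction
(toggle) is counted as a peak or trough.  Added illustration, not the
thesis's VHDL.  Limits follow Algorithm 3, computed here as a function of
n, the number of compared values; with n = 20000 they reproduce the
text's 13051 and 13613.  The first comparison only initialises the toggle
(assumption; the page does not say how the toggle register starts).
"""
import math
from typing import List, Tuple

WIDTH = 8             # bits per grouped integer
X_TP = 4.719          # |X_obs - mu| / sigma bound for alpha = 0.0001 (text)


def tp_limits(n: int, x_tp: float = X_TP) -> Tuple[float, float, int, int]:
    """Algorithm 3: mu = 2/3 (n - 2), sigma^2 = (16 n - 29) / 90.

    Returns (mu, sigma, lower, upper) with the integer acceptance window.
    """
    mu = 2 * (n - 2) / 3
    sigma = math.sqrt((16 * n - 29) / 90)
    half = x_tp * sigma
    return mu, sigma, math.ceil(mu - half), math.floor(mu + half)


def bits_to_values(bits: List[int], width: int = WIDTH) -> List[int]:
    """Group bits MSB-first into integers (Cnt_Reg reaching width - 1)."""
    values, reg, cnt_reg = [], 0, 0
    for b in bits:
        reg = (reg << 1) | (b & 1)
        cnt_reg += 1
        if cnt_reg == width:
            values.append(reg)
            reg, cnt_reg = 0, 0
    return values


def turning_points(values: List[int]) -> int:
    """Transition counter of Figure 5.8.

    Toggle is 1 after a rise and 0 after a fall; a rise while Toggle = 0
    or a fall while Toggle = 1 is a turning point.  Equal neighbours leave
    Toggle and the counter unchanged.
    """
    toggle = -1                    # -1: no direction seen yet (assumption)
    transitions = 0
    prev = None
    for curr in values:
        if prev is not None and curr != prev:
            new_toggle = 1 if curr > prev else 0
            if toggle >= 0 and new_toggle != toggle:
                transitions += 1
            toggle = new_toggle
        prev = curr                # Rcurr becomes Rprev
    return transitions


def turning_point_test(bits: List[int], width: int = WIDTH,
                       x_tp: float = X_TP) -> int:
    """Result signal: 1 if the count lies inside the window for n values."""
    values = bits_to_values(bits, width)
    _, _, lower, upper = tp_limits(len(values), x_tp)
    return 1 if lower <= turning_points(values) <= upper else 0


def bits_from_values(values: List[int], width: int = WIDTH) -> List[int]:
    """Constructed input: serialise integers MSB-first."""
    return [(v >> (width - 1 - j)) & 1 for v in values for j in range(width)]


if __name__ == "__main__":
    print("n = 20000:", tp_limits(20000))
    ramp = [i % 3 for i in range(2500)]            # constructed, 20000 bits
    print("0,1,2,0,1,2,...:", turning_points(ramp),
          turning_point_test(bits_from_values(ramp)))
```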

[Figure 5.8: flowchart. Begin; save bit and increment counters; if Cnt_Reg = 7, store the previous num in Previous_Reg and begin collecting new bits; if Next num > Previous num, set Toggle to ’1’ and increment the transition counter if the previous state of Toggle = 0, else keep it; if Next num < Previous num, set Toggle to ’0’ and increment the transition counter if the previous state of Toggle = 1; if Previous num = Current num, keep Toggle and the transition counter; clear the gathering counter; if count > 20000 set Next_state to Output, else set Next_state to Read_bits; End.]

Figure 5.8: Algorithm flowchart for turning point test.

5.1.8 Serial Test

The last test implemented in hardware is the serial test. This test counts the number of occurrences of the bit patterns 00 to 11 and the number of 0 and 1. This process is similar to the counter unit built in the poker test. The full data flow design can be seen in Figure 5.9. After the counter finishes, the controller passes the values to the statistic calculator, the χ² calculation unit. This is the part that differs from the other tests. The operations found in the other tests are addition, subtraction and multiplication; however, this random generator test also includes two division operations. In comparison to addition and subtraction, the multiplication and division operations are very complex. When possible, designs are optimized to reduce the number of multiplication and division operations, since their hardware requirements are far higher than for addition and subtraction. Table 5.1 shows an example of the synthesis results from Synopsys for 8-bit arithmetic operations using UMC 0.25 μm CMOS technology.

[Figure 5.9: data flow. Start, Reset, Clock and Input feed a Controller and a Counter; the Counter feeds the χ² Calculation Unit, which outputs Pass/Fail.]

Figure 5.9: Data flow diagram for the serial test.

Operation                 Area (μm²)   Power (μW)   Time Delay (ns)
Addition / Subtraction    1057         73           2.97
Multiplication            11025        829          6.58
Division                  6787         500          20.27

Table 5.1: Arithmetic hardware characteristics calculated using a 50 ns clock.

The time delay for the division causes some concern, because any design using this operation has a time delay of at least 20.27 ns, or a maximum clock frequency of 50 MHz, which is the current maximum operating frequency for smart cards (see Chapter 2).

The calculation of the serial characteristic

10000 · X = (4/(n−1) · (n00² + n01² + n10² + n11²) − 2/n · (n0² + n1²) + 1) · 10000

is broken down into seven steps and uses two registers (R1, R2). The algorithm has been slightly changed from the version published in [APS96] by multiplying both sides by 10000, giving an accuracy to four decimal points. The algorithm for this test is shown in Algorithm 4.

5.2 Functional Verification

Before any hardware analysis was performed on the VHDL designs, each design was functionally verified against the RNG test written in Matlab (see Figure 5.10). The synthesized versions were also checked for any logic and design errors.

Algorithm 4 Pseudocode to calculate the χ² characteristic and the pass/fail for the serial test

State 1: R1 = n00 ∗ n00 + n01 ∗ n01
         R2 = n0 ∗ n0 + n1 ∗ n1
State 2: R1 = n10 ∗ n10 + R1
         a = 10000 ∗ R2
         b = n
State 3: R1 = n11 ∗ n11 + R1
         R2 = a / b
State 4: R2 = 2 ∗ R2
         a = 10000 ∗ R1
         b = n − 1
State 5: R1 = a / b
State 6: R1 = 4 ∗ R1 + 10000
State 7: χ² = R1 − R2
         if χ² ≤ Xmax then pass else fail end if
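An added Python version of Algorithm 4's seven register states, with integer division standing in for the divider, next to the closed-form statistic for cross-checking; illustration code, not the thesis's VHDL. Overlapping pair counting and the value of Xmax are assumptions, since neither is stated on this page.

```python
"""Serial test of Section 5.1.8: pattern counters and the seven register
states of Algorithm 4, all scaled by 10000 so that an integer divider keeps
four decimal places.  Added illustration, not the thesis's VHDL.

Pairs are counted overlapping (n - 1 pairs), which is what the 4 / (n - 1)
factor in the formula implies (assumption).  Xmax for two degrees of
freedom at alpha = 0.0001 is -2 ln(0.0001) = 18.42; the thesis's own Xmax
is not on this page, so the default below is an assumption.
"""
import math
from typing import Dict, List

N_BITS = 20000
SCALE = 10000
X_MAX = -2 * math.log(0.0001)   # chi-square quantile, 2 d.o.f. (assumed Xmax)


def serial_counts(bits: List[int]) -> Dict[str, int]:
    """Counter unit: n0, n1 and overlapping pair counts n00, n01, n10, n11."""
    c = {"n0": 0, "n1": 0, "n00": 0, "n01": 0, "n10": 0, "n11": 0}
    prev = -1
    for b in bits:
        b &= 1
        c["n1" if b else "n0"] += 1
        if prev >= 0:
            c["n%d%d" % (prev, b)] += 1
        prev = b
    return c


def serial_chi2_scaled(c: Dict[str, int], n: int = N_BITS) -> int:
    """Algorithm 4 with two registers and integer division: 10000 * chi2."""
    # State 1
    r1 = c["n00"] * c["n00"] + c["n01"] * c["n01"]
    r2 = c["n0"] * c["n0"] + c["n1"] * c["n1"]
    # State 2
    r1 = c["n10"] * c["n10"] + r1
    a, b = SCALE * r2, n
    # State 3
    r1 = c["n11"] * c["n11"] + r1
    r2 = a // b                       # divider: 10000 * (n0^2 + n1^2) / n
    # State 4
    r2 = 2 * r2
    a, b = SCALE * r1, n - 1
    # State 5
    r1 = a // b                       # divider: 10000 * sum(n_ij^2) / (n - 1)
    # State 6
    r1 = 4 * r1 + SCALE
    # State 7
    return r1 - r2


def serial_chi2_float(c: Dict[str, int], n: int = N_BITS) -> float:
    """Closed form X = 4/(n-1) sum n_ij^2 - 2/n (n0^2 + n1^2) + 1, unscaled."""
    pairs = c["n00"] ** 2 + c["n01"] ** 2 + c["n10"] ** 2 + c["n11"] ** 2
    return 4.0 / (n - 1) * pairs - 2.0 / n * (c["n0"] ** 2 + c["n1"] ** 2) + 1


def serial_test(bits: List[int], n: int = N_BITS,
                x_max: float = X_MAX) -> int:
    """Pass/Fail: 1 if the scaled chi2 is at most 10000 * Xmax."""
    scaled = serial_chi2_scaled(serial_counts(bits), n)
    return 1 if scaled <= SCALE * x_max else 0


if __name__ == "__main__":
    period4 = [int(ch) for ch in "0011" * (N_BITS // 4)]    # constructed
    counts = serial_counts(period4)
    print(counts, serial_chi2_scaled(counts), serial_chi2_float(counts),
          serial_test(period4))
    zeros = [0] * N_BITS                                     # constructed
    print(serial_chi2_scaled(serial_counts(zeros)), serial_test(zeros))
```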

The verification was performed by first generating a test file with binary sequences from a poor generator (an LFSR generator). Included were the all-zero and all-one sequences; these sequences were known to fail the tests. The test length for each sample was 20000 bits, since this was the design parameter for the hardware implementation.

A test bench was written to first read in the binary data, which was input to the RNG tests. The output from each simulated run was stored in an output text file. Another test bench was programmed for the RNG test functions in Matlab. This test bench first loaded in the test sequence file and then the results from the VHDL version. The test sequences were processed using the Matlab RNG empirical test functions, and their outputs were compared to the results from the VHDL simulation. When both results matched, an output of “1” was given, else “0” was set.

The results from the functional testing showed that the tests from the Synopsys synthesis agreed with the results from the Matlab simulation. Therefore, the VHDL versions were functionally equivalent to the algorithm versions.

[Figure 5.10: flow. Test Data feeds the VHDL Logic Design Simulation, the VHDL Synthesized Design Simulation and the Matlab Design Simulation; Compare Results → Pass/Fail.]

Figure 5.10: Functional verification process.

5.3 Hardware Testing

5.3.1 Hardware Analysis Strategy

Each RNG test algorithm was programmed using VHDL. After verifying the designs using a design simulator, they were loaded into Synopsys Design Analyzer™. The optimization tools from Synopsys were used to improve the hardware properties of the designs.

Using a VHDL simulator, the circuit activity for testing a sequence of 20000 bits was recorded. This information was then used by the Power Compiler™ from Synopsys to calculate the power consumed using UMC 0.25 μm CMOS technology libraries.

The study of power consumption proceeded differently from that of area and time delay. For those two characteristics a CMOS technology (0.25 μm) was selected and the VHDL code was synthesized. At that point, the Synopsys tool provided a convenient method to calculate the area and time delay for the given technology; however, the power consumption tool was not as accurate as wished. For the power consumption calculations, the switching activity of each design was recorded. The source data for this study was a four τ-delayed feedback shift register. Using the simulation tools from Mentor Graphics™, the switching data was stored in SAIF files, which were then processed by Synopsys Power Analyzer at different clock frequencies. This gave a more accurate reading of the power consumption.

The results of the power consumption of the RNG tests need to take into account the power consumption of a smart card during normal operation, which is 50 mW with a voltage of 5 V and a supply current of 10 mA.

[Figure 5.11: bar chart, Area (μm²) from 0 to 1 200 000, for Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker, Serial.]

Figure 5.11: Complete area results for eight randomness tests.

5.3.2 Hardware Results

The results from the hardware synthesis and power simulation can be seen in Figures 5.11 to 5.14. The first hardware characteristic to be studied is area.

The area results for each of the selected designs are shown in Figure 5.11. The synthesis used an out-of-date 0.25 μm CMOS process (industry uses 180 nm or 90 nm technology); however, it did allow for a comparison of the different designs. The newer technology allows for a scaling down in size, but the general size ratios between the designs remain the same.

The area analysis divides the RNG tests into two groups, the random walk/runs based tests and the pattern matching tests. The pattern matching tests are significantly larger than the other tests, by at least a factor of ten. The smallest design is the longest runs test. The number of multiplication and division operations present in the poker and serial tests make their designs more complex when compared to the relatively simple additions needed for the other designs. The synthesized serial test circuit is approximately 4% of the total smart card chip area. For some designers this might be too large.

The FIPS test group made up of the longest runs, runs, poker and frequency tests requires an area of 691286 μm². Within this group, the poker test is the largest contributor to the area, making up 88% of the FIPS area.

In Figure 5.12 the area results have been zoomed in to include only the smaller tests. It is easier to notice the differences in size between these designs now that the two largest tests are removed. Here the designs are divided again into two groups, in essence making three groupings for the area analysis. The simple counters are the smallest designs, which include the following tests:

• longest runs

• frequency

• autocorrelation

• turning point.

The more complex counters are the

• runs

• frequency block tests.

[Figure 5.12: bar chart, Area (μm²) from 0 to 70000, for Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs.]

Figure 5.12: The area results for the six smallest randomness tests.

Smart cards work with a base speed of 5 MHz, but the internal processing speed is usually looped up to speeds of 25 to 50 MHz. This is a design restriction that hardware developers for smart cards need to take into account. For a 50 MHz smart card, the algorithm implementation needs to have a device time delay of less than 20 ns. In other words, any algorithm implementation needs to reach the end of its slowest processing path for that clock cycle before the 20 ns are up. If a design cannot fit in this time restriction, it either needs to be optimized further or, if that is not possible, the smart card has to run at a slower clock speed. This has the negative effect of reducing the processing speed for all calculations.

[Figure 5.13: bar chart, Design Time Delay (ns) from 0 to 50, for Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker, Serial.]

Figure 5.13: Longest path timing delay analysis for the eight randomness tests.

Figure 5.13 shows the longest path time delay for the eight implemented tests. The ordering of the tests on the x-axis is the same as in the area measurement graph (see Figure 5.12), to allow for easier comparison of the different tests. The most striking result is the serial test. As the largest test it is assumed to have the longest delay path; however, the difference between the serial test and the poker test is immense. The time delay path has been examined to investigate where the design is spending most of its time, and it is in the division component. Of the 45.22 ns spent processing the longest path in the serial test, 44.5 ns is in the divider. The serial test implementation uses a Designware™ divider. Therefore, for greater optimization a custom divider or a new serial test implementation without the division has to be designed.

The rest of the tests all fall below the 50 MHz (20 ns) line. Therefore, except for the serial test, they are all acceptable for current smart card speeds. The ordering of the designs based on the time delay does not necessarily follow the area size; for example, the longest runs test has a longer processing path than the frequency test. For many applications a compromise is required between the time delay and the design size to achieve efficient operation. This is the reason for the variance in the time delay.

The designs have been optimized with regard to all three characteristics: power consumption, area and time delay. However, the area and power consumption characteristics have been given a higher rating in the optimization hierarchy, since they are the most important properties for smart card manufacturers.

[Figure 5.14: Power Consumption (mW) from 0 to 10 against Clock Speed (MHz) from 0 to 180, one curve per test: Longest Runs, Frequency, Autocorrelation, Turning Point, Frequency Block, Runs, Poker, Serial.]

Figure 5.14: Power consumption analysis for the eight randomness tests.

The current trend in smart card development is shifting away from contact-only cards to either all-contactless or hybrid contact/contactless cards. The use of contactless technology has increased the importance of low power designs. Each of the designs has been optimized using the power consumption parameters in Synopsys Design Compiler™.

The power consumption results can be seen in Figure 5.14. The data is plotted as points on a power vs. clock frequency axis. Some of the data lines are shorter than others, for example those of the frequency block, poker and serial tests. They are shorter due to the limitation imposed by their time delay: the operating speeds of those implementations are restricted to a clock frequency of 1/(time delay) or slower.

Three speeds are of particular interest in the power analysis: 5 MHz, the base smart card frequency; 20 MHz, the last point where all the tests can be compared; and 50 MHz, the maximum operating speed of current smart cards. At the speed of 50 MHz the poker test is by far the most power hungry circuit design at approximately 6 mW. The next closest tests are the frequency block and runs tests. The autocorrelation, turning point, frequency and longest runs tests are grouped closely near the 1 mW mark. For the 20 MHz point, the serial test result is also available. This test requires slightly less power (2.0 mW) than the poker test (2.5 mW).

The power consumption results generally follow the results from the area, with the largest design requiring the most power. However, it is interesting that the serial test is more efficient than the poker test. The main difference between them is not in the counting of the various statistical properties but in the actual calculation of the statistic. The poker test has more multiplications whereas the serial test has a divider circuit. The one divider circuit from Synopsys Designware™ is slow and large but has been designed to be efficient with power consumption. The multiplications are also efficient but not to the point of the divider.

The calculation times required by the tests, in clock cycles, are shown in Table 5.2. As a boundary limit the tests have to complete their calculation within the initialization time of two seconds. The tests are set up to count as each bit arrives from the RNG. The important quantity to keep small is the time between the last bit arriving and the calculation of the “pass” or “fail” result. The shorter this time, the more bits the generator is able to create before reaching the two second limit. Current cryptographic RNGs in smart cards are not able to produce the full 20000 bits within that time interval. The more bits the RNG is allowed to produce, the better the results are for testing purposes. The hardware implementations of the RNG tests all require 20000 bits, since they are based on FIPS 140-2. It is hoped that the results from the simulator allow this to be reduced.

The results from the calculation time show that the smallest tests do not have long calculation times. The more complex tests, poker and serial, require more time, since they calculate the statistic and then compare it to a given range. This statistic calculation is the time-consuming part. However, even these designs are very quick, and most of the two seconds can be dedicated to bit generation.

From a hardware point of view, only the serial test has any problems in modern smart card implementations. Its current design does not allow it to be clocked at a standard operating frequency. The rest of the tests are all acceptable.

Test               Number of Cycles
Frequency          2
Runs               2
Longest Runs       2
Serial             8
Poker              8
Autocorrelation    2
Frequency Block    2
Turning Point      3

Table 5.2: Cycles required to calculate the test results after the arrival of the last bit in the test sequence.


Chapter 6

Empirical Test Quality Measurement

6.1 Introduction

In the previous chapter we have looked at the hardware aspects of the random number generator tests, which has allowed us to see whether the selected tests are acceptable for a smart card implementation from a physical point of view (area, power consumption, and calculation time). However, this still leaves a variety of questions unanswered:

1. What is the minimum number of tests that must be implemented on the smart card RNG test unit?

2. Can the test sequence be reduced from 20000 bits to a shorter sequence without loss of testing “quality”?

It is not possible to determine the “quality” of a random number generator without having a reference point. The standard for this thesis is the FIPS 140-2 test criteria, as it is the desired standard to be implemented in the smart card. The FIPS 140-2 test suite is made up of four tests (frequency, poker, runs and longest runs), a sample sequence length of 20000 bits, and a significance level of α = 0.0001 (1 misjudgment in 10000 trials). Therefore, the following is used as the definition of quality for this thesis.

Definition 6.1.1. A test or test group’s quality is a percent measure of how well the selected test or test group mimics the FIPS 140-2 test criteria.

Normally, a failure in an RNG results in a stuck-at type failure (stuck-at 0 or stuck-at 1). However, there are also cases where a bit stream may still be produced but with nonrandom characteristics. For cryptographic applications, the use of nonrandom sequences is worse than a full deactivation of the device. These poor cryptographic random sequences provide a false sense of security without informing the user of a possible breach. In essence, these poor random sequences are a hole in the protective shield around the user's data. To prevent this security hole from occurring, the RNG must be tested before each use.


[Figure 6.1 diagram: 1) RNG Source → 2) Noise → 3) Digitiser → Test → Pass/Fail, compared against FIPS 140-2 → Pass/Fail]

Figure 6.1: Simulator setup and possible failure points.

There are many different random number generator tests available in the literature; however, they detect faults with different sensitivities. Investigating the sensitivities of the eight selected tests requires a simulator. This chapter describes the simulator that has been programmed to incorporate the possible failure points in an RNG system, and presents the results from the study of the behavior of the empirical tests on the different faulty bit streams. These failure points are modeled as poor RNGs. Figure 6.1 shows the three points of vulnerability in the RNG system. The first point is the actual RNG itself. It is possible that the generator has a flawed design or is damaged during use and begins to produce a poor sequence of bits. The second point examines the effects of outside interference: how will the test unit react to interference or noise on the line? The final point is the digitizer. Often a natural source is sampled and used as the randomness source. If the digitizer oversamples the natural source, the output will have nonrandom qualities.

The following is a list of the models of the failure points and the types of generators used to represent these failures:

Failure Point 1: Failure in the random number generator

1. ANSI C generator
2. Repeating pattern generator
3. Biased generator

Failure Point 2: Frequency noise introduced into the random source

1. Frequency addition with a wide spectrum
2. Frequency addition with a narrow spectrum
3. Addition of pink (1/f) noise

Failure Point 3: Failure in the digitizer or the sampling

1. Oversampling


Test   FIPS 140   Result
0      0          1
0      1          0
1      0          0
1      1          1

Table 6.1: Logical equation: Test XOR FIPS 140 = Result

In addition to the previous possible failures, the Matlab random number generator has been studied, since it is the base generator for the failure generators. The experiment setup also incorporates as a control (Control 1) sequences from a true random number generator. The data is from Marsaglia’s Random Number CD-ROM¹.

Each sample sequence has been tested with the eight selected empirical tests, with the results compared to the result from the FIPS 140-2 test group. The FIPS 140-2 result is calculated by taking the pass or fail results from the poker, frequency, runs and longest runs tests at 20000 bits and ANDing them together. This FIPS result is used as the reference for the other tests, with a match counted as 1 and a non-match as 0, see Table 6.1. In addition to looking at the results from each of the individual tests, test combinations have been examined. The results from the individual tests are ANDed together and treated as one test result, which is then judged according to Table 6.1. This shows any improvement obtained through test groups.

The next section takes a closer look at each of the sample generators and gives a short description of how they have been implemented in Matlab. The last section discusses the results from each of the generators, and looks at the effects of the sequence length.
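The procedure just described, written out as an added Python example (it is not code from the thesis): the four FIPS 140-2 tests are evaluated on a 20000-bit sample, ANDed into the FIPS result, and the Table 6.1 match rule is applied to obtain the percent matching of a test or ANDed test group, i.e. the quality of Definition 6.1.1. The numeric acceptance bounds are assumed to be the FIPS 140-2 Change Notice values, which the page does not list; the sample sequences are constructed here (a SHA-256 counter stream standing in for a healthy source, a stuck-at-0 stream, and the first 100 bits repeated as in the repeating pattern generator of Section 6.2.4), and the tests run at the fixed 20000-bit length rather than at the scaled lengths used in the thesis.

```python
"""FIPS 140-2 test group and the percent-matching metric of Table 6.1 (added example)."""
import hashlib
from collections import Counter
from typing import Callable, List, Sequence

N = 20000  # FIPS 140-2 sample sequence length (from the page)

# Acceptance bounds: assumed FIPS 140-2 (Change Notice 1) values; the page does not list them.
MONOBIT_LOW, MONOBIT_HIGH = 9725, 10275
POKER_LOW, POKER_HIGH = 2.16, 46.17
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 means "6 or longer"
LONGEST_RUN_LIMIT = 26


def monobit(bits: Sequence[int]) -> bool:
    """Frequency (monobit) test: the number of ones must fall inside the open interval."""
    return MONOBIT_LOW < sum(bits) < MONOBIT_HIGH


def poker(bits: Sequence[int]) -> bool:
    """Poker test: chi-square style statistic over the non-overlapping 4-bit nibbles."""
    counts = Counter(tuple(bits[i:i + 4]) for i in range(0, len(bits), 4))
    nibbles = len(bits) // 4
    x = (16.0 / nibbles) * sum(c * c for c in counts.values()) - nibbles
    return POKER_LOW < x < POKER_HIGH


def run_lengths(bits: Sequence[int]) -> List[tuple]:
    """Return (bit value, length) for every maximal run in the sequence."""
    found, length = [], 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            length += 1
        else:
            found.append((prev, length))
            length = 1
    found.append((bits[-1], length))
    return found


def runs(bits: Sequence[int]) -> bool:
    """Runs test: for both bit values, each run-length class count must lie within its bounds."""
    classes = Counter((value, min(length, 6)) for value, length in run_lengths(bits))
    return all(lo <= classes[(value, k)] <= hi
               for value in (0, 1) for k, (lo, hi) in RUN_BOUNDS.items())


def longest_run(bits: Sequence[int]) -> bool:
    """Long run test: no run of either value may reach the limit."""
    return max(length for _, length in run_lengths(bits)) < LONGEST_RUN_LIMIT


def fips_group(bits: Sequence[int]) -> bool:
    """The FIPS 140-2 result: the four individual pass/fail results ANDed together."""
    return monobit(bits) and poker(bits) and runs(bits) and longest_run(bits)


def match(test_result: bool, fips_result: bool) -> int:
    """Table 6.1: 1 when the test agrees with the FIPS 140-2 group, 0 otherwise."""
    return int(test_result == fips_result)


def percent_matching(tests: Sequence[Callable], samples: Sequence[Sequence[int]]) -> float:
    """Quality in the sense of Definition 6.1.1: percent of samples on which the ANDed
    test group gives the same verdict as the FIPS 140-2 group on the same bits."""
    hits = sum(match(all(t(bits) for t in tests), fips_group(bits)) for bits in samples)
    return 100.0 * hits / len(samples)


def constructed_bits(label: bytes, n: int) -> List[int]:
    """Constructed sample input: a deterministic SHA-256 counter stream standing in for an RNG."""
    out: List[int] = []
    counter = 0
    while len(out) < n:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(8))
        counter += 1
    return out[:n]


def failure_samples() -> dict:
    """Three constructed 20000-bit samples: a healthy stream, a stuck-at-0 stream, and a
    repeating-pattern stream (first 100 bits repeated, as in the RP-RNG of Section 6.2.4)."""
    good = constructed_bits(b"control", N)
    return {"good": good, "stuck_at_0": [0] * N, "repeating": good[:100] * (N // 100)}


if __name__ == "__main__":
    samples = failure_samples()
    for name, bits in samples.items():
        print(name, "monobit", monobit(bits), "poker", poker(bits), "runs", runs(bits),
              "longest", longest_run(bits), "FIPS", fips_group(bits))
    print("poker alone vs FIPS:", percent_matching([poker], list(samples.values())), "%")
```

A repeating 100-bit pattern always fails the poker test at 20000 bits: only 16 nibble values exist, so the 25 nibbles of the pattern collide and the statistic is at least 504, far above 46.17, which is the mechanism behind the poker test's sensitivity reported in Section 6.2.4.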

6.2 Random Number Generator Failure Experiments

6.2.1 Control Experiment 1: True Random Number Generator

As a control experiment, bits from a true random number generator are used. The bits are not self-generated with a hardware random number generator, but have been copied from Marsaglia’s CD-ROM. This CD-ROM has approximately five billion bits that have been divided into sixty 10 MB files. The source for these bits is the combination of three white noise sources with a deterministic random number generator. Marsaglia ran the Diehard² tests over the bits and found that they passed all of them.

From these bits, 500 sample sequences of 100000 bits have been stored in a Matlab-readable format. The same test procedure is used for these data samples as for the other tests. The results from this experiment are seen in Figures 6.2 and 6.3. Almost all the sequences pass the experiment for the different bit lengths. Not all tests pass each sequence with 100% matching, but this is to be expected. A true random number generator will produce sequences that have nonrandom characteristics. However, the large majority of sequences fall within the acceptable range. The results also show that a true random number generator looks random irrespective of the random sequence length. This result is the optimum for each of the other experiments.

¹ Website: http://stats.fsu.edu/pub/diehard/cdrom/bits.01, sourced February 2002.
² A random number generator test suite from George Marsaglia. Source: http://stat.fsu.edu/pub/diehard

[Figure 6.2 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]

Figure 6.2: True random number generator test results compared to the FIPS 140-2 standard.

6.2.2 Control Experiment 2: “Good” Pseudorandom Number Generator

Description

The Matlab generator has been included in the study because it is the underlying engine for most of the sample generators. It is also used as the control for a good pseudorandom number generator. The function that has been used is the unidrnd function.

The rand function from Moler [Mol95, Mol04] is essentially two combined random number generators. The main generator uses thirty-five words of memory, or states. The first thirty-two states hold floating-point numbers between 0 and 1. The other three states hold the indices i and j and the “borrow” flag b. The index i is an integer between 1 and 32, and the index j is a random integer. The state b takes one of two values: 0 or ulp. An ulp is one half of the built-in Matlab value eps³, and is one unit in the last place for floating-point numbers slightly less than 1 [Mol95].

³ eps is a Matlab function that “returns the distance from 1.0 to the next largest double-precision number, that is eps = 2^−52.” Source: http://www.mathworks.com/access/helpdesk/help/techdoc/ref/eps.html


[Figure 6.3 plot: Count of “Pass” Sequences (max. 500) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]

Figure 6.3: True random number generator single test “pass” count.

To calculate the i-th value, the generator uses the formula

$z_i = z_{(i+20) \bmod 32} - z_{(i+5) \bmod 32} - b$

where b is calculated from the previous step. If z_i is positive, then b is set to 0; however, if z_i is negative, then b is set to ulp and 1.0 is added to z_i to make it positive.

The random number generator just described has a period of 2^1430; however, it has a flaw in the way floating-point binary numbers are distributed over the range ulp ≤ x ≤ 1 − ulp. Many of the possible values are not represented. Figure 6.4 gives an example of this problem using ulp = 2^−4. For the range [1/2, 1] all the values can be generated with ulp; however, for binary floating-point values less than 1/2 this is not possible because of the limitation of the ulp size. The range [1/4, 1/2] has only half of the possible values, and the range [1/8, 1/4] only a quarter of the possible values.

To overcome this problem the second RNG is used to divide the values less than 1/2 into non-equally spaced values. This allows for a fixed floating-point size, i.e. x.xxx · 2^−y, where all values are generated instead of only the 32 values for ulp = 2^−4.

The last point to be taken into account is the relative frequency of each result. The new method divides each region [1/2, 1], [1/4, 1/2], [1/8, 1/4], [1/16, 1/8] into eight equal parts; however, the generator needs to be adjusted to access these lower value areas only the appropriate number of times. Since the interval [1/4, 1/2] is half as large as [1/2, 1], its relative frequency should also be halved. This process is continued for each smaller interval. Combining both RNGs forms a floating-point generator that has a period of 2^1492.
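The first generator stage, written out as an added Python example (this is not Moler's or the thesis's code). The seeding of the 32 states and the choice to store each new value at index i are my assumptions, and the second (j) stage that fills in the values below 1/2 is deliberately omitted, so the example exhibits the flaw the page describes: every output is an integer multiple of ulp, while `reachable_fraction` reproduces the 1, 1/2, 1/4 coverage of the binades in Figure 6.4 and gives the corresponding figure for IEEE doubles.

```python
"""Subtract-with-borrow stage of the Matlab rand generator, as the page describes it
(added example; the seeding and the stored index are assumptions)."""
from typing import List

ULP = 2.0 ** -53  # one half of eps = 2^-52: the "ulp" of the page


class SubtractWithBorrow:
    """First stage only: 32 floating-point states z, index i and borrow flag b."""

    def __init__(self, seed: int):
        # Assumption: states are seeded with 53-bit multiples of ULP from a small 32-bit LCG,
        # so every state is exactly representable and lies in [0, 1).
        x = seed & 0xFFFFFFFF
        self.z: List[float] = []
        for _ in range(32):
            x = (1664525 * x + 1013904223) & 0xFFFFFFFF
            hi = x
            x = (1664525 * x + 1013904223) & 0xFFFFFFFF
            k = ((hi << 21) ^ x) & ((1 << 53) - 1)
            self.z.append(k * ULP)
        self.i = 0
        self.b = 0.0

    def next_value(self) -> float:
        """z_i = z_((i+20) mod 32) - z_((i+5) mod 32) - b, with the borrow rule of the page."""
        i = self.i
        z = self.z[(i + 20) % 32] - self.z[(i + 5) % 32] - self.b
        if z < 0.0:
            self.b = ULP  # remember the borrow for the next step
            z += 1.0      # and wrap the value back into [0, 1)
        else:
            self.b = 0.0
        self.z[i] = z     # assumption: the new value replaces state i
        self.i = (i + 1) % 32
        return z


def is_multiple_of_ulp(x: float) -> bool:
    """All arithmetic above is exact on multiples of ULP, so every output stays on the ULP grid.
    That is the flaw: doubles below 1/2 are spaced more finely than ULP and are never produced."""
    return (x / ULP).is_integer()


def reachable_fraction(ulp_bits: int, mantissa_bits: int, k: int) -> float:
    """Fraction of the floating-point values in the binade [2^-k, 2^-(k-1)) that are multiples
    of ulp = 2^-ulp_bits, for a format with mantissa_bits fraction bits. Figure 6.4 uses
    ulp = 2^-4 with a 3-bit mantissa; IEEE doubles have ulp_bits = 53 and mantissa_bits = 52."""
    multiples = 2.0 ** (ulp_bits - k)      # grid points of spacing ulp inside the binade
    representable = 2.0 ** mantissa_bits   # floating-point values inside any binade
    return min(1.0, multiples / representable)


if __name__ == "__main__":
    gen = SubtractWithBorrow(seed=2006)
    print([gen.next_value() for _ in range(5)])
    for k in (1, 2, 3, 4):
        print(f"binade [2^-{k}, 2^-{k - 1}): {reachable_fraction(4, 3, k):.3f} of values reachable")
```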

Results

Similar to the true random number generator, the Matlab RNG produced sequences that are classified as random by FIPS 140-2. Figure 6.5 shows that the individual tests all agree with the FIPS 140-2 standard irrespective of the test sequence length. Therefore, these two control experiments show that a random sequence results in a pass a large majority of the time.

6.2.3 Failure Point 1 Experiment: ANSI C Generator

Description

Not all RNG failures are catastrophic; a more subtle type of error happens when a good generator becomes a poor one. Although it is not as serious a security hole as a catastrophic failure, it should be included in the tests to secure against all possible avenues of attack. A procedure for evaluating the empirical tests is to run them on the output of a poor generator, for example the ANSI C generator.

Results

The results have been compared to the FIPS standard, see Figure 6.6. As can be seen, the only test that picks up the change to a poor RNG with a high degree of certainty is the poker test (between 85 and 100%). The rest of the tests agree with the FIPS standard only approximately 50% of the time.

Figure 6.6 also shows very little variability in the results between the different sequence lengths. With the exception of the poker test, the rest of them show a near straight line across the sequence lengths. The poker test is the only test that has some change in its results, ranging from 87% up to 100% correct at 20000 bits. The 100% result can be attributed to the poker test having the most influence in the FIPS standard. Therefore, the poker test at 20000 bits agrees most closely with the FIPS standard.

Figure 6.7 shows the test results of the ANSI C generator using combinations of empirical tests. There is no improvement when the tests are combined. Again, only the combinations with the poker test have scores near 100%. The other test combinations stay on a line around 50%, just as the single tests in Figure 6.6.

Figure 6.8 provides a better view of the effect of the poker test. It alone is detecting nonrandom characteristics in the sequences. At the 20000 bit point, it has detected approximately half of the sequences as coming from a nonrandom generator. This value increases with the sequence length to the point that at 100000 bits all the sequences are rejected. The higher rejection rate is shown in Figure 6.6 as a lower match with the FIPS standard. Therefore, for this failure only the poker test is recorded as detecting it, and since the FIPS 140-2 standard is the standard for this thesis, a sequence of 20000 bits is recommended.


a) Binary values that are multiples of ulp = 2^−4 from the first generator stage:

×2^−1   ×2^−2   ×2^−3   ×2^−4
1.000   1.00    1.0     1
1.001   1.01    1.1
1.010   1.10
1.011   1.11
1.100
1.101
1.110
1.111

b) Full binary values after the second generator stage:

×2^−1   ×2^−2   ×2^−3   ×2^−4
1.000   1.000   1.000   1.000
1.001   1.001   1.001   1.001
1.010   1.010   1.010   1.010
1.011   1.011   1.011   1.011
1.100   1.100   1.100   1.100
1.101   1.101   1.101   1.101
1.110   1.110   1.110   1.110
1.111   1.111   1.111   1.111

Figure 6.4: Binary floating-point segments. a) Binary values that are multiples of ulp from the first generator stage. b) Full binary values for the floating-point generator after the second generator stage.

[Figure 6.5 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]

Figure 6.5: Matlab random number generator test results compared to the FIPS 140-2 standard.


[Figure 6.6 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]

Figure 6.6: ANSI C random number generator test results compared to the FIPS 140-2 standard.

[Figure 6.7 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]

Figure 6.7: Test combination results compared to the FIPS 140-2 standard for the ANSI C random number generator.


[Figure 6.8 plot: Count of “Pass” Sequences (max. 500) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]

Figure 6.8: Single test “pass” count for the ANSI C random number generator.

6.2.4 Failure Point 1 Experiment: Repeating Pattern Random Number Generator

Description

The effects of a poor RNG have been studied; another possible failure at the RNG is a repeating pattern sequence. The possible causes of this type of failure are a malfunctioning RNG, either through hardware damage or an infinite loop in the program code. The output from the generator is similar to that of a functioning RNG for a given number of bits, but no new bits are created afterwards, just a repeat of the old sequence. Another way of viewing this is as a pseudorandom number generator with a small period. This problem is more likely to occur in generators that store data in internal memory before outputting it for use by the encryption process than in memoryless generators. Should this failure occur, a hacker would have easy access to the secured data, since the secret code is easy to see and reproduce.

The repeating pattern random number generator (RP-RNG) has been created to examine the sensitivity of the RNG tests to this type of failure. The base programming language used for the generator is Matlab, where 500 samples have been created for the simulator. The RP-RNG functions by taking the first 100 bits from each of the 500 true RNG samples. This way the data is known to be random up to the 100 bit point in each of the sample sequences. The 100 bits are copied 1000 times to form a 100000 bit sample sequence.


[Figure 6.9 plot: Count of “Pass” Sequences (max. 500) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000]

Figure 6.9: Single test “pass” count for the repeating pattern generator.

In this study only the effects of a 100 bit initial random source have been examined. This provides a good starting point to determine the sensitivity of each of the tests. Lengthening the initial sequence would shift the detection point upwards to a higher test sequence length, whereas a shorter initial sequence would have the opposite effect and reduce the detection sequence length. The 100 bit initial sequence has been chosen as a good compromise.

Results

The results from the repeating pattern RNG experiment can be seen in Figures 6.10 to 6.12. Since the repeating pattern RNG uses a 100 bit sample sequence from the true RNG, the testing starts at the 250 bit length. The test sequence lengths of 100 bits and smaller should achieve the same pass/fail results as obtained in the true RNG experiment; Figure 6.9 shows that this is the case.

The single test experiment results are divided into five groups: the poker and runs tests in the first group, the serial test in the second group, the frequency and turning point tests in the third, the autocorrelation and frequency block tests in the fourth, and finally the longest runs test. The fifth group is dropped from further study, since it does not recognize any sequence as faulty and does not help to improve the results from the other tests in test combinations.

The group of greatest interest is the first one. Examining Figure 6.9 reveals that the FIPS standard at 20000 bits rejects all the sequences. Further study of the “pass” count also shows that both the runs and poker tests fail all the sample sequences. Both of these tests are part of the FIPS group, and either one may be the most sensitive test for this particular failure model. A closer look at the percent matching to FIPS should show that test groupings with either the poker or the runs test have the best results. This is examined in the coming paragraphs.

[Figure 6.10 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test]

Figure 6.10: Single test percent matching with FIPS 140-2 results for the repeating pattern generator.

Another point of interest is the autocorrelation test, since it is currently the one used in production smart cards. For this fault, the test begins to detect sequences as being from a nonrandom generator at the 500 bit sample sequence length. The test achieves 40% matching with FIPS at 10000 bits, where it levels off and does not show any more improvement. This indicates that this test is not very good for this fault type.

The FIPS standard rejects all the sample sequences; therefore, this experiment is an analysis of how quickly each test or test group rejects the sample sequences, shown in Figure 6.10. The best group detects a fault in 20% of the sequences at a length of 250 bits. An improvement in fault recognition is obtained when the test length is increased. At a test length of 500 bits there is 75% and 85% matching with FIPS for runs and poker respectively. The tests almost achieve 100% matching when the test sequences have a length of 1000 bits. However, only at 2500 bit sequences do the tests catch all the samples.

The poker and runs tests both work by counting the occurrences of either patterns or run lengths. A closer look at the most sensitive test, the poker test, reveals that when analyzing the initial subsequence certain patterns occur more often than others; however, the pattern counts are still within the acceptable range. Ideally the number of occurrences should be equal for all possible patterns in a countably infinite sequence. Since the analyzed data is only a finite sample this does not occur, and one type of pattern occurs more often than another. If the acceptable range for the 25 bit test sequence is also increased in comparison to the test sequence length (for example from 25 to 20000 bits), then the acceptable range is larger than that properly calculated for the significance level at 20000 bits. Therefore, more sequences will be accepted at 25 bits as coming from a random source when in fact they should be rejected. Here the distribution model fails to accurately portray the distribution from a true random source.

The poker test is ahead of the runs test in FIPS matching percentage until the 2500 bit test length, where they both achieve 100% matching. The second group, the serial test, has a slower matching percentage gain than the first group. There is a significant increase between the lengths of 500 and 2500 bits; however, after this point the test slows down in catching the faulty sequences. The serial test is also a pattern matching test, which explains why it is initially good at rejecting the sample sequences. However, the last 5% of the faulty sample sequences cannot be recognized because of the shorter pattern analysis. Even though it is counting patterns, the serial test concentrates more on near-bit correlation. The last 5% of the samples have very little correlation in the initial subsequence, and even with the repetition of the subsequence the test still remains in the acceptance range. It does improve when the test sequence length is increased to 50000 bits and higher, but it still does reach 100%.

The last test to reach 100% within the given sample test lengths is the turning point test. It matches the FIPS standard, but only starting at 50000 bits. This test is still included in the combination test because it counts a different characteristic than the other tests, and it may have caught samples at lower test lengths that the other tests did not catch.

The results from the combination test can be seen in Figures 6.11 and 6.12. The one test combination that shows good improvement, at least initially, is the runs/poker test group. There is approximately a 12 percentage point increase at the 250 bit test length, and approximately a 10 percentage point increase at the 500 bit length. After this point, the percent matching does not differ from the single tests, which indicates that starting from the 1000 bit test length the runs and poker tests are catching the same sequences. Therefore, if 100% matching is required, no improvement is achieved by using a combination of tests.

Conclusion

The repeating pattern error is one type of error that may arise from a faulty RNG. To cover this security hole a test or test group needs to be implemented that detects this fault with the smallest sample sequence length.

The standard, the FIPS 140-2 group with a sample sequence of 20000 bits, is able to recognize that all the sample sequences come from a faulty generator. At the 20000 bit point, there are two tests that reject the same samples, the poker and runs tests. These two tests accurately model the FIPS standard at lower testing lengths, but reach their limits at a testing length of 2500 bits. The accuracy below that point degrades.


[Figure 6.11 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS]

Figure 6.11: Test combinations percent matching with FIPS 140-2 results for the repeating pattern generator showing the combinations Frequency/Runs to Longest Runs/Poker.

[Figure 6.12 plot: Percent Matching (0 to 100) vs. Sequence Length (25 to 100000 bits); legend: L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS]

Figure 6.12: Test combinations percent matching with FIPS 140-2 results for the repeating pattern generator showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.


After examining the combination tests where 100% matching is obtained, it can be seen that there is no improvement over the single tests. Therefore, for the repeating pattern failure a single test, either the runs or poker test, with a testing sequence length of 2500 bits is recommended.

6.2.5 Failure Point 1 Experiment: Bias Random Number Generator

Description

Another possible flaw in cryptographic random number generators happens when the generator

loses the characteristic of equal probability of a zero or one being produced. Generators that do

not have a probability P(X = 1) = 0.50 are labeled biased. There is a variety of causes for bias,

for example, a malfunction in the generator hardware, environmental stress, or external influ-

ences on the generator by a hacker. An experiment has been included in the simulator to show

the sensitivity of the random number generator tests to this type of fault. The experiment uses a

biased RNG to create sample sequences with biases of 52%, 54% and 56%. These bias values

indicate the probability of the generator producing a one. These example biases probabilities

have been chosen to show the sensitivity of each of the tests to this type of failure, and to give an

indication how the tests react to an increasing bias error. The 50% generator (proper functioning

generator) has not been mentioned in this part, since it is a normal working Matlab RNG, which

has been tested with the given RNG tests.

For the normal operation of the Matlab RNG in the other experiments the generator produces a sequence of bits of a given length. This time, however, the bit outputs need to be influenced, so the generator is set to create a sequence of values between 0 and 99. Each value is compared to the selected bias value (i.e. 52, 54, or 56): if it is less than this limit, then a one is produced; should it fall above the limit, then a zero is output.

This generator was used to create 500 samples of 100000 bits for the simulator. As mentioned previously, the biases selected for this experiment were 52%, 54%, and 56%. Each of the sample sequences was tested with the eight RNG tests, and with sequence lengths from 25 to 100000 bits.

Results

The results for this generator can be seen in Figures 6.15 to 6.18. It is assumed that with a bias a certain number of tests will pick up the faulty generator. A major question is how quickly the error can be identified (i.e. at what sequence length). Looking at Figure 6.13 shows that the FIPS standard does not pass any of the sample biased sequences. Therefore, for the other tests to match the FIPS standard they need to label all the sample sequences as fails. At the 20000 point, three tests that are part of the FIPS group (Frequency, Runs and Poker) plus the serial test have rejected all of the sample sequences. Since the FIPS group has failed all the sample sequences, the percent matching for the single tests is more a count of how many fails the test produces at the sample sequence length.

[Figure 6.13: Single test “pass” count for the 54% biased generator. x-axis: Sequence Length (25 to 100000); y-axis: Count of "Pass" Sequences (max. 500); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]

For the 54% bias generator using the single tests (see Figure 6.14), the frequency and serial tests begin to label the generator as a fail at a sequence length of 500. As mentioned in the Description, a bias in a generator produces either more ones or more zeros. So, for a 54% ones bias a generator will statistically produce 54 ones for every 100 bits. For small sample sequence lengths, it is not possible to pick up a 54% biased generator, since it falls into the acceptable range. For example, a test sequence of 25 bits has 12.5 ones as the 50% point, with 11 to 14 ones being in the acceptable range. If this is extended to 20000 bit sequences the acceptance range is then 8800 to 11200, which may not match the significance level anymore. For the serial test, the increase in the number of ones also increases the likelihood of the sequence pattern “11” occurring, at the expense of the “00” pattern.
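The biased generator construction described above and the frequency test acceptance range it is measured against, as an added Python example (not code from the thesis): a seeded Python RNG stands in for the Matlab RNG, and the p-value form of the frequency test and the 0.01 significance level are assumptions.

```python
import math
import random

# Added example, not code from the thesis. It rebuilds the biased generator
# described in the text (draw 0..99, emit a one below the bias limit) and a
# frequency (monobit) test to show why a 54% bias is invisible at 25 bits
# but certain at 20000 bits. Seeded Python RNG in place of the Matlab RNG,
# the p-value form of the test and the 0.01 significance level are assumptions.

FIPS_MONOBIT_LEN = 20000
FIPS_MONOBIT_RANGE = (9725, 10275)   # FIPS 140-2 monobit bounds (exclusive)


def biased_bits(n, bias_percent, seed=0):
    """Thesis construction: value in 0..99, one if below the bias limit."""
    rng = random.Random(seed)   # assumption: seeded stand-in for Matlab's RNG
    return [1 if rng.randrange(100) < bias_percent else 0 for _ in range(n)]


def monobit_pvalue(bits):
    """Frequency test for any length n: S = |ones - zeros| / sqrt(n) is
    approximately standard normal for an unbiased source; two-sided p-value."""
    n = len(bits)
    s = abs(2 * sum(bits) - n) / math.sqrt(n)
    return math.erfc(s / math.sqrt(2))


def frequency_test_passes(bits, alpha=0.01):
    """Pass when the observed ones count is inside the acceptance range."""
    return monobit_pvalue(bits) >= alpha


def fips_monobit_passes(bits):
    """FIPS 140-2 single-bit test on a 20000-bit sample: 9725 < ones < 10275."""
    if len(bits) != FIPS_MONOBIT_LEN:
        raise ValueError("FIPS 140-2 monobit test needs exactly 20000 bits")
    lo, hi = FIPS_MONOBIT_RANGE
    return lo < sum(bits) < hi


def detection_rate(bias_percent, length, samples=50, alpha=0.01):
    """Fraction of sample sequences rejected by the frequency test; this is
    the per-length sweep the thesis plots against the FIPS result."""
    rejected = sum(
        1 for i in range(samples)
        if not frequency_test_passes(biased_bits(length, bias_percent, seed=i), alpha)
    )
    return rejected / samples


if __name__ == "__main__":
    for length in (25, 500, 2500, 8000, 20000):
        rates = {b: detection_rate(b, length) for b in (52, 54, 56)}
        print(f"{length:>6} bits rejected: "
              + "  ".join(f"{b}% -> {r:.2f}" for b, r in rates.items()))
```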

The frequency and serial tests are the most sensitive tests for the biased random number generator with 54%. They almost reach 100% matching with the FIPS standard at a sequence length of 5000; however, they only fully match at the 10000 bit length mark. The slight change in the FIPS matching percentage between 5000 and 10000 indicates that the actual 100% FIPS matching point is between these two values. An experiment has been run with test sequence lengths between 5000 and 10000 to find a more accurate point of where the tests reach 100%. The point where the frequency and serial tests match 100% with the FIPS standard is at a test sequence length of 8000. The poker test reached 100% at 10000 bits (see Table 6.2 for the results between 5000 and 10000).

[Figure 6.14: Single test percent matching with FIPS 140-2 results for the 54% biased generator. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]

Test/Bit Length   5000    6000    7000    8000    9000    10000
Frequency         98.2%   99.4%   99.8%   100%    100%    100%
Runs              56.2%   73.4%   86.6%   92%     97.2%   98.6%
Poker             70.4%   86%     95.6%   98.4%   99.6%   100%
Serial            98%     99.4%   99.6%   100%    100%    100%

Table 6.2: The four tests' percent matching to FIPS, zoomed in between a test sequence length of 5000 and 10000.

The next sensitive group for the 54% bias includes the poker and runs tests. This test group exhibits approximately the same error identification rate as the first group but at one sequence length grouping higher, i.e. a 2500 bit sample length before errors are detected instead of 1000 bits for the first group. It also copies the first group by plateauing around 98% FIPS matching and then reaching 100%. The runs and poker tests have also been analyzed between 5000 and 10000. Table 6.2 shows the poker test reaching 100% matching at the 10000 bit length, but the runs test still does not reach it.

The results from the 52% and 56% bias RNGs (see Figures 6.15 and 6.16) show that the same trend applies to both a higher and a lower bias. The same grouping of tests is present in all three bias generator results, with the serial and frequency tests being the best group and the poker and runs tests making up the second group. It is assumed that the lower biased generator is harder to detect, hence shifting the detection sequence length upwards. The same thought holds for the 56% biased RNG, which is easier to detect, resulting in the detection sequence length being shifted down. The results shown in Figures 6.15, 6.14 and 6.16 back up this assumption: the detection points for the 52%, 54% and 56% biased RNGs are at sequence lengths of 2500, 500 and 250 respectively. Also, the 100% FIPS matching level is reached sooner for the higher biased generators.

[Figure 6.15: Single test percent matching with FIPS 140-2 results for the 52% biased generator. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial.]

Up to this point each of the tests has been investigated separately; however, if the tests do not match 100% with the FIPS standard, then there is room for improvement by combining the results of two or more tests. The results of the two-test combinations are shown in Figures 6.17 and 6.18. Combinations of three tests have also been performed but are not included in this thesis, since little change is seen in the results between two- and three-test combinations.

The test combination results can be seen in Figures 6.17 and 6.18. Most of the test combinations do not show any improvement in their results over the single tests due to test masking. This happens when the more sensitive test not only fails all the same sequences as the second test but also a few more. The results on the chart show grouping points around the single test results. There is, however, one test combination that does show an improvement for some bit lengths, the Frequency-Serial test group. There is a 2% matching improvement to the FIPS at the 1000 and 2500 bit lengths. This improvement does not continue beyond this point, and the Frequency-Serial test again matches the results from the single Frequency and Serial tests.


[Figure 6.16: Single test percent matching with FIPS 140-2 results for the 56% biased generator. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]

[Figure 6.17: Test combinations percent matching with FIPS 140-2 results for the 54% biased generator, showing the combinations Frequency/Runs to Longest Runs/Poker. x-axis: Sequence Lengths (25 to 100000); y-axis: Percent Matching (0 to 100); series: pairwise combinations F_R_FIPS to L_P_FIPS.]


[Figure 6.18: Test combinations percent matching with FIPS 140-2 results for the 54% biased generator, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. x-axis: Sequence Lengths (25 to 100000); y-axis: Percent Matching (0 to 100); series: pairwise combinations L_T_FIPS to FB_S_FIPS.]

Conclusion

A biased sequence is one possible failure that can come directly from the RNG. A properly functioning cryptographic RNG has an equal probability of producing a one or a zero, P(x = 1) = 0.5. To ensure that the generator is functioning properly and/or is not being influenced, it needs to be tested for this particular failure before operation.

The results in the last section show that a bias as low as 52% can be detected using the FIPS test. For each of the biased generators the best tests are the Frequency and Serial tests. There is an improvement at lower test sequence lengths (1000 to 2500) when they are combined; however, this improvement does not push the tests to full FIPS matching. It is recommended that either the Serial or the Frequency test be included in any online test unit for cryptographic RNGs.

Selecting the testing length is hard, since each of the tests has a different sensitivity level. A good compromise is the 10000 bit sequence length. The selected tests can catch both the 54% and 56% bias with a 100% match to the FIPS standard, while at 52% bias there is still an 82% success rate. This test sequence length is significantly lower than the 20000 bits for the FIPS, but still provides good testing for the given bias levels.

A final suggestion for the test selection and sequence length of the test unit is provided in the final conclusion, where the results from the hardware and software analysis are combined.


[Figure 6.19: Frequency spectrum of single frequency and wide frequency group example. a) Single frequency example. b) Wide frequency group example. x-axis: 0 to 10000; y-axis: 0 to 4000.]

6.2.6 Failure Point 2 Experiment: External Frequency Interference

The smart card is a portable processor that needs to function in a variety of environments and still be secure. It is not possible for the smart card manufacturers to dictate how and where the card can be used; therefore, they need to consider the possibility of environmental interference from temperature, pressure, and external noise sources. These factors may also affect the random number generator in the smart card. For example, if a smart card's initial seed generator uses a thermal measurement as the seed source, a third party may try to reduce the possible seeds by operating the card in an artificially cold environment. Another method by which a third party can influence the security of the card is by introducing frequencies into the random sequences. This distorts the sequence from a uniform distribution and increases the likelihood that the third party is able to find the secret key. Interference can come not only from a third party but also from faulty circuitry or nearby noise sources.

The simulator has been run with three possible frequency interference models: single frequency, wide frequency group, and pink noise. The difference between the single frequency and the wide frequency group is that the single frequency model has a single sinusoid at a given frequency, for example, 4 kHz, whereas the wide frequency group is the given frequency plus neighbouring frequencies of decreasing strength, see Figure 6.19.

The frequencies selected in the next experiments are only example failures. If a manufacturer has more information about specific interference (e.g. square wave or specific frequencies), then this can be analyzed using the simulator as well.

Implementation of the Frequency Addition (Single and Wide Frequency)

The frequency addition for the wide and single frequency generators uses the same Matlab function (freqaddRNG) and a sample random sequence. The Matlab function accepts as input the sample random sequences, the frequencies to be added and the magnitude for each of the new frequencies.

              Single Frequency   Wide Frequency Group
Frequency     4000               [3800 3850 3900 3950 4000 4050 4100 4150 4200]
Magnitude     1.0                [0.2 0.4 0.6 0.8 1.0 0.8 0.6 0.4 0.2]

Table 6.3: Experimental settings for the single and wide frequency group used with the freqaddRNG function.

The experiment parameters are listed in Table 6.3. Using these settings the freqaddRNG function adds the interference signal at different ratios. For these experiments the ratios used are 0%, 10%, 30%, 50%, 70%, and 90%. Only the 50% and 90% levels are discussed in this thesis to show the effect the interference has on the random data.

Results for the Frequency Addition (Single Frequency)

The first results examined come from the single frequency interference experiment. Many of the observations for the addition of a single frequency component also apply to the addition of the wide frequency group to the random signal. The results for both error types have been graphed. It is impossible to determine beforehand the strength of the interference, so only the trend of how the random number generator tests react at different interference levels can be examined. The results of the signal at no interference (Matlab RNG results), 50% interference, and 90% interference are studied here.

The single frequency component results can be seen in Figures 6.22 to 6.24. One of the methods used to determine if this type of error is present in an RNG is to perform a spectral analysis. If present, a frequency component is clearly apparent, and a significance level can be set where any frequency component passing this level indicates a defective RNG. Currently, it is not possible to implement an efficient spectral test on the smart card due to the complexity of the required operations, for example, the fast Fourier transform.

Figure 6.20 displays an example sequence using 5 points/cycle and a sample length of 50 points, where the x-axis shows the point count and the y-axis the random value between -1 and 1. The influence the sine wave signal has on the random data is clear. In this particular case the random data is concentrated in the lower region (−0.50 to 0.50), where more zeros are likely to occur. The addition of the sine wave also adds a pattern to the data where every 2.5 cycles the chance of ones increases. For the 50% case, the basic pattern of the random data is still evident; however, for the 90% ratio experiment (i.e. extreme interference) the random data only has a minor influence on the output data, which shows a lot of regularity (see Figure 6.20b).

The conclusion drawn from analyzing the sample data is that the data generated by this RNG is not acceptable for cryptographic applications. The first experimental sequence to be studied in detail is the 50% single frequency generator. Figure 6.21 reveals that not all of the sequences have been rejected by the FIPS standard. Approximately 70% of the sequences have been rejected. The FIPS standard has rejected more sequences than any single test; therefore, the test combinations should provide better matching than the single tests. It should also be noted that the FIPS test group is used as the standard measurement for generator randomness. Therefore, the higher rejection at longer sequences for the poker, frequency and serial tests will show up as a lower matching value. Another observation from this graph is that the tests only start to reject the sequences at the 5000 bit length mark.

[Figure 6.20: Example sine wave interference with random data. a) 50% interference; b) 90% interference. x-axis: point count 0 to 50; y-axis: value −1 to 1; series: Sine Wave, Random Signal, Combined Signal.]

[Figure 6.21: Single test “pass” count for the Frequency Add Narrow generator with 50% interference. x-axis: Sequence Length (25 to 100000); y-axis: Count of "Pass" Sequences (max. 500); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]

Figure 6.21 shows some of the same observations that Figure 6.22 displays. The constant matching sits approximately at 30% at the lower bit sample lengths, because the FIPS standard only rejects about 70% of the sequences at the 20000 bit mark. The lower sequence lengths passed all the sequences, so the starting mark for a poor test for the generator is set at 30%. The three tests that start to catch the failure in the generator are the poker, frequency and the serial test. They steadily improve until the 20000 bit point, after which they decrease in matching. As has been previously explained, the loss in matching is due to the particular tests labeling more sequences as fail than the FIPS, which is a deviation from the standard laid out at the beginning of this chapter.

The best test, the frequency test, does not achieve 100% matching with the FIPS standard. It only has a 92% success rate, whereas the next two tests, the serial and poker tests, have an 82% and a 79% maximum success rate, respectively. The highest matching percentage occurs only at the 20000 bit mark.


[Figure 6.22: Single test percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]

After looking at the single test results, it is hoped that the combination tests provide better results. As has been mentioned in previous paragraphs, the indication from the “pass” count graph is that the tests do not fully overlap when rejecting the various sample sequences. This should show up in the combination test results as better matching for some combinations. The results are presented in Figures 6.23 and 6.24. Here it is seen that the frequency and poker test combination achieves 100% matching; however, this occurs only at 20000 bits. The rest of the test combinations show only a slight or no improvement (0 to 1%) over the single tests.

Before drawing any final conclusions about the addition of a single frequency to a random bit stream experiment, an extreme case of interference is examined. The single RNG test results and the total “pass” counts are shown in Figures 6.25 and 6.26.

Even with the extreme sinusoidal interference, the RNG tests are not able to recognize that there is a failure occurring with the RNG until the test sequence is at least 2500 bits. Only at a test sequence length of 15000 bits does one test, the poker test, achieve 100% matching. The poker test is by far the most sensitive test for this type of failure. Looking at the results from the number of “passes” given to the sample sequences, the FIPS test rejects all the samples, as does the poker test. However, three of the eight tests do not detect any failure, with one test only able to slightly detect the failure. This can be explained by the regular swing in the sine wave interference, which is hard to detect for the frequency type tests. In this case, the average value of the sine wave is zero; it swings between the maximum and minimum value, but the number of zeros and ones is approximately equal. Refer to Figure 6.27 for an example binary breakdown of a sine wave. There it is apparent that the frequencies of the 01 and 00 patterns are not similar to what a random sequence would produce, where all the dual bit patterns should occur approximately the same number of times.

[Figure 6.23: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference, showing the combinations Frequency/Runs to Longest Runs/Poker. x-axis: Sequence Lengths (25 to 100000); y-axis: Percent Matching (0 to 100); series: pairwise combinations F_R_FIPS to L_P_FIPS.]

[Figure 6.24: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 50% interference, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. x-axis: Sequence Lengths (25 to 100000); y-axis: Percent Matching (0 to 100); series: pairwise combinations L_T_FIPS to FB_S_FIPS.]

[Figure 6.25: Single test percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 90% interference. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]

[Figure 6.26: Single test “pass” count for the Frequency Add Narrow generator with 90% interference. x-axis: Sequence Length (25 to 100000); y-axis: Count of "Pass" Sequences (max. 500); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]

Example: sampled input sine wave
Sampled data:     100 101 110 111 110 101 100 011 010 001 000 001 010 011
Poker test data:  10 01 01 11 01 11 11 01 01 10 00 11 01 00 01 00 00 01 01 00 11
Number of 1s: 21
Number of 0s: 21

Pattern   Count
00        5
01        9
10        2
11        4

Figure 6.27: Binary analysis for a sine wave
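The frequency-addition model (the freqaddRNG settings of Table 6.3) and the poker test applied to the resulting bit stream, as an added Python example that is not the thesis's own code. The 20 kHz sample rate (5 points/cycle at 4 kHz, as in Figure 6.20), the weighted-sum mixing rule, the sign threshold used to turn samples into bits, and the seeded Python RNG standing in for the Matlab RNG are assumptions.

```python
import math
import random

# Added example, not the thesis's freqaddRNG code. It mixes a sine
# interference signal (Table 6.3 settings) into a random signal at a given
# ratio, turns the samples into bits and runs the poker test, which the text
# singles out as the most sensitive test for this failure. The 20 kHz sample
# rate, the weighted-sum mixing rule, the sign threshold and the seeded
# Python RNG are assumptions.

SAMPLE_RATE_HZ = 20000.0           # assumption: 5 points/cycle at 4 kHz
FIPS_POKER_LEN = 20000
FIPS_POKER_RANGE = (2.16, 46.17)   # FIPS 140-2 poker bounds, 4-bit blocks

# Interference settings from Table 6.3: (frequencies in Hz, magnitudes)
SINGLE_FREQ = ([4000.0], [1.0])
WIDE_GROUP = ([3800.0, 3850.0, 3900.0, 3950.0, 4000.0,
               4050.0, 4100.0, 4150.0, 4200.0],
              [0.2, 0.4, 0.6, 0.8, 1.0, 0.8, 0.6, 0.4, 0.2])


def random_signal(n, seed=0):
    """Stand-in for the Matlab RNG output: uniform samples in [-1, 1]."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def add_frequencies(signal, freqs, mags, ratio, fs=SAMPLE_RATE_HZ):
    """Mix: (1 - ratio) * random + ratio * sine sum (peak-normalised so the
    interference stays inside [-1, 1]); ratio 0.5 and 0.9 are the thesis's
    50% and 90% interference levels."""
    peak = sum(mags)
    mixed = []
    for k, x in enumerate(signal):
        t = k / fs
        s = sum(m * math.sin(2.0 * math.pi * f * t) for f, m in zip(freqs, mags)) / peak
        mixed.append((1.0 - ratio) * x + ratio * s)
    return mixed


def to_bits(signal):
    """Sign threshold: a positive sample becomes a one, anything else a zero."""
    return [1 if v > 0.0 else 0 for v in signal]


def poker_statistic(bits, m=4):
    """Poker statistic over k non-overlapping m-bit blocks with counts f_i:
    X = (2^m / k) * sum(f_i^2) - k; large X means some block values dominate,
    X near 0 means the blocks are suspiciously uniform."""
    k = len(bits) // m
    counts = [0] * (1 << m)
    for i in range(k):
        value = 0
        for b in bits[i * m:(i + 1) * m]:
            value = (value << 1) | b
        counts[value] += 1
    return ((1 << m) / k) * sum(c * c for c in counts) - k


def fips_poker_passes(bits):
    """FIPS 140-2 poker test on a 20000-bit sample: 2.16 < X < 46.17."""
    if len(bits) != FIPS_POKER_LEN:
        raise ValueError("FIPS 140-2 poker test needs exactly 20000 bits")
    lo, hi = FIPS_POKER_RANGE
    return lo < poker_statistic(bits, 4) < hi


def interference_poker(ratio, freqs_mags=SINGLE_FREQ, seed=0):
    """Whole pipeline for one 20000-bit sample: returns the poker statistic."""
    freqs, mags = freqs_mags
    mixed = add_frequencies(random_signal(FIPS_POKER_LEN, seed), freqs, mags, ratio)
    return poker_statistic(to_bits(mixed), 4)


if __name__ == "__main__":
    for ratio in (0.0, 0.5, 0.9):
        print(f"interference {ratio:.0%}: single X = {interference_poker(ratio):8.1f}"
              f"  wide X = {interference_poker(ratio, WIDE_GROUP):8.1f}")
```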

The graphical results from the 90% interference generator combination tests are not published in this chapter, since none of the combinations show a significant increase in sensitivity to the FIPS standard. They are, however, included in the appendix if the reader is interested (see Figures 9.1 on page 131 and 9.2 on page 132).

Conclusion for the Frequency Addition (Single Frequency)

The interference from the external frequencies and, in particular, the addition of the single frequency is a challenge for the selected RNG tests to detect. Normal procedure is to include a spectral test where the error can readily be seen; however, as mentioned in the results discussion, this type of test is not possible to implement on a smart card processor at this time. Extreme interference, for example, a 90% sine wave addition, is detectable with the poker test starting at 2500 bits, but only at 10000 bits does it achieve the FIPS standard level of accuracy. The less extreme interference, with a sine wave addition of 50%, is significantly harder to detect. Perfect FIPS matching is only achieved with the frequency and poker test combination at 20000 bits. This indicates that the FIPS standard is basing its rejection on the combination of the frequency and poker tests. The other two tests in the FIPS group either do not catch the failure or overlap with the first two tests.

[Figure 6.28: Single test “pass” count for the Frequency Add Wide generator with 50% interference. x-axis: Sequence Length (25 to 100000); y-axis: Count of "Pass" Sequences (max. 500); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial, FIPS @ 20000.]

The recommendation for the detection of a single frequency addition is very hard to set, since it is up to the manufacturer to decide the sensitivity of the test unit. However, if designing for the worst case situation is required, i.e. the detection of both types of signal addition, then the test combination with the poker and frequency tests at 20000 bits is recommended. Reducing the test unit's detection sensitivity allows the testing sequence length to be reduced to 10000 bits with only the poker test. This reduction in quality still allows for the detection of extreme interference.

Results for the Frequency Addition (Wide Group Frequency)

The last sections investigated the detection quality or sensitivity of the RNG tests for single frequency type interference. The results studied in this section deal with interference that has a main component and some neighbouring falloff components. This type of interference is more likely to occur in a natural environment. The experimental results for the selected interference settings (see Section 6.2.6 for the parameters) can be seen in Figures 6.29 to 6.33. As with the single frequency study, multiple levels of interference have been tested, but only the 50% and 90% interference levels are analyzed in detail.

The analysis begins with the 50% level by examining the results found in Figures 6.28 and 6.29. The addition of more frequencies into the random signal has the effect of making the error more detectable when compared to the single frequency interference. The three tests that show the greatest sensitivity to the FIPS standard are the poker, frequency, and serial tests. These three tests are the same tests that show high sensitivity for the single frequency interference (see Figure 6.22). However, the sensitivity of each is switched around for this experiment. In the single frequency trial the poker test is the least sensitive of the top three, but here it is the first to have 100% FIPS matching. For this experiment, the poker test requires only 10000 bits to achieve 100% FIPS matching, whereas the other two tests require at least 20000 bits. Looking at Figure 6.28 reveals that the FIPS standard rejects all the sample sequences. Therefore, as with the other experiments where the FIPS rejects all the sample sequences, the single tests are being measured for their ability to reject the generator. The results from the FIPS matching graph (Figure 6.29) are easily seen in this figure as well, since 100% matching is equal to zero tests passed.

[Figure 6.29: Single test percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference. x-axis: Sequence Length (25 to 100000); y-axis: Percent Matching (0 to 100); series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial Test.]

After analyzing the results from the single RNG tests, a closer look at the poker data reveals the type of data present. A sample sequence has been divided into blocks of four bits and converted into decimal values. The examination of one sample sequence reveals that the sequence produces zeros with greater probability than it does ones. In Table 6.4 it is visible that the subsequences with more ones than zeros (–) appear less often than the subsequences that have more zeros than ones (**). The reason for this phenomenon is that the sine interference moves the data around the zero mark. This can be seen if the data is reorganized as shown in the second part of Table 6.4. The data around the average (0000) occurs more often than the outer values (0111 and 1111). This shows the effect the sine wave interference has on the data, and the more sinusoidal interference there is the easier it is to detect the error.

Table 6.4: Sample data examined using the poker test.

The test combinations are again examined to check whether any improvement in quality is achieved. The poker test is able to achieve 100% FIPS matching with a test sequence of 10000 bits. The question is whether it is possible to get 100% FIPS matching at 5000 bits or smaller. From Figures 6.30 and 6.31 it is evident that this is not possible. The frequency-poker and frequency-serial tests both show improvement over the single poker test; however, this improvement is only in the range of 3 to 4%. The test combinations do not achieve 100% matching at the 5000 bit test length.

As with the single frequency interference, this experiment has been tested at an extreme interference level (90% level). The results for the single tests and “pass” count have been included in Figures 6.32 and 6.33, with the combination test results included in Appendix 9 in Figures 9.3 and 9.4 on pages 132 and 133.

The results from Figure 6.33 show that the FIPS standard rejects all the sample sequences. Therefore, the percent matching graph is the measure of how quickly the test rejects all the sequences, and the results from Figure 6.33 should match closely with Figure 6.32.

The results in Figure 6.32 show a significant jump between the 500 and 1000 bit test lengths. Initially, the two best tests are the serial and the poker test; however, the frequency test catches up, and all three tests achieve perfect matching with the FIPS standard at the 2500 bit length. The runs test is not far behind, and it also reaches perfect FIPS matching, but with a test length of 5000 bits.

[Figure 6.30: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference, showing the combinations Frequency/Runs to Longest Runs/Poker. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.31: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 50% interference, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.32: Single test percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 90% interference. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial; plot not reproduced.]

[Figure 6.33: Single test “pass” count for the Frequency Add Wide generator with 90% interference. Axes: Sequence Length (25 to 100000 bits) vs. Count of “Pass” Sequences (max. 500); series: the eight single tests and FIPS; plot not reproduced.]

The extreme interference example is a lot easier to detect than the 50% interference RNG sample. The tests are able to achieve 100% FIPS matching at greatly reduced test lengths (2500 bits and 10000 bits). In the 50% interference experiment only the poker test at a 10000 bit test length reaches perfect matching with FIPS, whereas the rest require at least 20000 bits if they reach perfect FIPS matching at all. In this study the extreme interference is detectable by more tests and at lower test lengths; therefore, it stands to reason that the effects discussed in the 50% interference case are only more pronounced, allowing the tests to detect a more definite error.

Conclusion for the Frequency Addition (Wide Group Frequency)

This interference type is similar to the single frequency interference in the type of results shown; the best test for detecting single frequency interference is also the best test to detect wide group interference. The effect the added frequencies have on the random sequence is to average the RNG data even more than in the single frequency experiments. This allows the poker, serial, and frequency tests to be used to detect this type of error instead of requiring the spectral test.

The recommended test for the wide group frequency interference is the poker test with a

10000 bit sample sequence. This test is able to catch both the 50% and 90% interference and

reject the samples as not being good for cryptographic applications.


Implementation of the Frequency Addition (Pink Noise or 1/f Noise)

The two frequency interference models discussed previously are simple types of signal interference. Another type of frequency interference found in many unexpected sources is 1/f frequency interference (also called pink or flicker noise). This type of noise has the characteristic of equal power per decade of frequency, i.e. a spectrum proportional to 1/f. In comparison, white noise has the same distribution of power for all frequencies. One cause of this noise is the recombination effects at defects along the semiconductor’s border, material surface or in the volume itself. Figure 6.34 is an example of the frequency spectrum of 1/f noise.

[Figure 6.34: Random 1/f noise sample in the time and the frequency domain. Left panel: time, amplitude −0.2 to 0.15 over 1000 samples; right panel: frequency, magnitude 0 to 12; plots not reproduced.]

It is possible to empirically describe the 1/f spectrum using the following formula [Sis02]:

$$C_{1/f} = \frac{\alpha}{N} \cdot \frac{1}{f} \qquad (6.1)$$

where $N$ is the total number of moving charges in a device. The variable $\alpha$ is a material characteristic called the Hooge parameter. Another form of Equation 6.1 is:

$$C_{1/f} = K_F \cdot \frac{I^{A_F}}{f^{B}}$$

with $K_F$, $A_F$, $B$ the model parameters. This form is more common in simulation programs.

There is another method for modeling 1/f noise: filtering white noise with a filter that has an amplitude response $G(\omega)$ proportional to $1/\sqrt{\omega}$. The filter should roll off at −3 dB per octave in the frequency domain. One type of 1/f filter proposed in [Whi99] uses a filter with poles and zeros set at:

    Pole       Zero
    0.99516    0.98223
    0.9438     0.83265
    0.5559     0.107980                                   (6.2)

Another method is to use weighted sums of first order filters. The following filter is found in [Whi99] on page 3:

    b0 = 0.99886 * b0 + white * 0.0555179;
    b1 = 0.99332 * b1 + white * 0.0750759;
    b2 = 0.96900 * b2 + white * 0.1538520;
    b3 = 0.86650 * b3 + white * 0.3104856;
    b4 = 0.55000 * b4 + white * 0.5329522;
    b5 = -0.7616 * b5 - white * 0.0168980;
    pink = b0 + b1 + b2 + b3 + b4 + b5 + b6 + white * 0.5362;
    b6 = white * 0.115926;                                (6.3)

For the 1/f noise generator used in the simulator, the first filter (the pole/zero filter of Equation 6.2) has been implemented. It has been programmed in Matlab, where the filter function is applied to random numbers between -1 and 1. The filtered data is then scaled by the maximum value of the filter (see Figure 6.35), after which the data is converted to a 20 bit fractional binary number. The binary number is stored and the process is repeated until a 100000 bit sample sequence is created.
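The generator just described, written out in Python as an added example (this is not the thesis's Matlab code): the three pole/zero pairs of Equation 6.2 are run as cascaded first-order sections y[n] = x[n] − z_k·x[n−1] + p_k·y[n−1] over uniform white noise in [−1, 1], the output is scaled by the maximum of the filter's step response (the quantity Figure 6.35 determines) and each sample is packed into a 20-bit word. The page does not state the fixed-point layout, so the two's-complement format with one sign bit and 19 fraction bits is an assumption, and `magnitude_response` is an added helper used only to confirm the −3 dB per octave slope.

```python
import cmath
import random

# Pole/zero pairs of the cascaded first-order sections (Equation 6.2 on the page).
# Each section is H_k(z) = (1 - z_k z^-1) / (1 - p_k z^-1).
SECTIONS = [(0.99516, 0.98223), (0.9438, 0.83265), (0.5559, 0.107980)]

# Assumed layout of the "20 bit fractional binary number": two's complement,
# one sign bit and 19 fraction bits (the page does not specify the format).
WORD_BITS = 20
FRAC_BITS = WORD_BITS - 1


def pole_zero_filter(samples):
    """Run the cascade y[n] = x[n] - z_k*x[n-1] + p_k*y[n-1] over a list of samples."""
    signal = list(samples)
    for pole, zero in SECTIONS:
        out = []
        prev_in = 0.0
        prev_out = 0.0
        for x in signal:
            y = x - zero * prev_in + pole * prev_out
            out.append(y)
            prev_in, prev_out = x, y
        signal = out
    return signal


def magnitude_response(omega):
    """|H(e^{j*omega})| of the cascade; omega in radians per sample (0 = DC, pi = Nyquist)."""
    z_inv = cmath.exp(-1j * omega)
    h = 1.0 + 0j
    for pole, zero in SECTIONS:
        h *= (1 - zero * z_inv) / (1 - pole * z_inv)
    return abs(h)


def step_response_max(n_samples=5000):
    """Largest value of the step response: the scale factor found in Figure 6.35.

    Every section has a positive impulse response (p_k > z_k), so the cascade's
    step response rises monotonically to the DC gain, and dividing by this value
    guarantees the filtered noise stays inside [-1, 1] without clipping."""
    return max(pole_zero_filter([1.0] * n_samples))


def to_fixed_bits(value):
    """Quantize a value in [-1, 1) to a WORD_BITS-bit two's-complement string."""
    scale = 1 << FRAC_BITS
    q = int(round(value * scale))
    q = max(-scale, min(scale - 1, q))  # clamp to the representable range
    if q < 0:
        q += 1 << WORD_BITS              # two's-complement wrap
    return format(q, "0{}b".format(WORD_BITS))


def pink_bit_sequence(n_bits, seed=0):
    """Build n_bits of '0'/'1' from scaled, quantized 1/f-filtered uniform noise.

    The white input is constructed from a seeded PRNG so the example runs offline."""
    n_samples = -(-n_bits // WORD_BITS)  # ceiling division
    rng = random.Random(seed)
    white = [rng.uniform(-1.0, 1.0) for _ in range(n_samples)]
    gain = step_response_max()
    pink = [y / gain for y in pole_zero_filter(white)]
    bits = "".join(to_fixed_bits(y) for y in pink)
    return bits[:n_bits]


if __name__ == "__main__":
    for w in (0.01, 0.1, 1.0):
        print("|H| at omega =", w, "->", round(magnitude_response(w), 3))
    print(pink_bit_sequence(100, seed=1))
```

The gain ratio between 0.01 and 0.1 rad/sample (one decade) comes out near √10, i.e. about 10 dB per decade or 3 dB per octave, which is the 1/√ω amplitude slope the text asks for; the same filter at DC has a gain of roughly 22, which is why the step-response scaling step is needed before quantization.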

Results for the Frequency Addition (Pink Noise or 1/f Noise)

The results from the 1/f noise experiment are found in Figures 6.37 to 6.39. The first step in the 1/f noise analysis is checking how many sequences “passed” the FIPS standard. Figure 6.36 reveals that at 20000 bits the FIPS standard rejects all the sample sequences. As with the previous experiments in which the FIPS standard rejects all the sequences, the sensitivity or quality is a measure of how quickly the individual test or test group rejects each of the samples.

The 1/f noise interference has been described previously and can be looked at as low frequency interference. It is a more extreme frequency interference case than the previous two experiments. It has been included in the experiment due to the common occurrence of this type of interference in normal usage.

[Figure 6.35: Finding the maximum value of the filter. Step response of the 1/f filter, amplitude 0 to 1 over roughly 1200 samples; plot not reproduced.]

The addition of even more frequencies than are present in the wide group frequency experiment should show a result where the tests are able to detect the failure at a smaller test sequence length than in both the wide group and the single frequency interference experiments. Closer examination of the results in Figures 6.37 and 6.36 shows that this assumption is verified. Both the runs and serial tests are able to detect this type of error at a test sequence length of 25 bits. This is extremely early to detect an error when compared to the other experiments. The runs test is the best test at 25 bits, but as the testing bit lengths are increased the top three tests from the previous two experiments again prove to be the best tests. The poker test passes the serial test at the 500 bit mark to take over as the most sensitive test for this error, and it reaches perfect FIPS matching at a test length of 1000 bits. The serial, frequency, and runs tests also achieve perfect FIPS matching, but at the next higher testing length, 2500 bits. The frequency block test reaches 100% FIPS matching at the 20000 bit point, and the turning point test drastically improves its results at the 50000 and 100000 test bit lengths. The rest of the tests either do not recognize the presence of an error or do so only to a very small degree (< 2%).

Investigating the test combinations (see Figures 6.38 and 6.39) reveals that the poker and serial tests do not exactly overlap in the sequences that they reject. The poker-serial combination is an improvement over either of the single tests, an 8% improvement over the poker test, and it has a quality of approximately 99% at 500 bits. At this point, the manufacturer has to decide whether a sensitivity of 99% FIPS matching is acceptable using the test combination with 500 bits, or a slightly longer bit length with a sensitivity of 100% FIPS matching and only one test. The rest of the test combinations do not reveal any significant improvement over the single tests; therefore, they can be ignored in favour of the poker-serial test combination.

[Figure 6.36: Single test “pass” count for the 1/f noise generator. Axes: Sequence Length (25 to 100000 bits) vs. Count of “Pass” Sequences (max. 500); series: the eight single tests and FIPS @ 20000; plot not reproduced.]

[Figure 6.37: Single test percent matching with FIPS 140-2 results for the 1/f noise generator. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial; plot not reproduced.]

[Figure 6.38: Test combination percent matching with FIPS 140-2 results for the 1/f noise generator, showing the combinations Frequency/Runs to Longest Runs/Poker. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.39: Test combination percent matching with FIPS 140-2 results for the 1/f noise generator, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]


Conclusion for the Frequency Addition (Pink Noise or 1/f Noise)

The pink or 1/f noise RNG experiment has been included in this thesis even though it is a type of wide group frequency interference, since it is a noise type common in semiconductors. For this type of error there are a variety of tests to choose from: the poker, frequency, serial and runs tests. The recommended test and sample length is the poker test at 2500 bits.

6.2.7 Failure Point 3 Experiment: Oversampling RNG

The previous experiments examined possible failure points in the random number source or from outside interference. They only cover two of the three possible failure points mentioned in the simulator introduction (see Section 6.1). This last experiment examines the tests’ sensitivity to a defective digitizer.

The experiment is broken into two parts, with the first investigating extreme oversampling where every bit is repeated. The second part investigates the effect of a whole 24-bit word being repeated. Figure 6.40 shows an example of both oversampling failures.

    Bit oversampling:  101110      → 11 00 11 11 11 00
    Word oversampling: 101 001 111 → 101 101 001 001 111 111

Figure 6.40: Bit and word oversampling error example.

Oversampling RNG Implementation

Both the bit- and word-repeating RNGs are modifications of the Matlab™ binary random number generator. They have been implemented by storing either one bit or a full binary word from the Matlab™ generator in a temporary variable. The data in the variable is stored twice during the assembly of the 100000 bit sequence. The placeholder counter is advanced after each bit or word storage to prepare it for the next input. This process is repeated until all 100000 bits are created. The RNG is reinitialized and the full process is run 500 times to create the full set of sample sequences.

Results for the Bit Oversampling RNG

Examining the results from the bit repeating oversample experiment (see Figures 6.42 to 6.44), it is apparent that the error is quickly identified. The “pass” counting graph (Figure 6.41) shows that the FIPS 140-2 test standard rejects all the sequences and labels the generator as nonrandom. It is easier to identify the tests that do not recognize an error in this chart than in the FIPS matching chart. The three tests that do not recognize the presence of an error are the frequency, turning point and autocorrelation tests. For the frequency test, the full sequence can be represented as two half sized random sequences. Comparing these two sequences together still provides the correct number of ones and zeros for the test to pass the sequence.

[Figure 6.41: Single test “pass” count for the bit oversampling generator. Axes: Sequence Length (25 to 100000 bits) vs. Count of “Pass” Sequences (max. 500); series: the eight single tests and FIPS @ 20000; plot not reproduced.]

The implementation of the autocorrelation test compares each bit with the bit four time units later. In this case the correlation is with the neighbouring bit, not the further delayed bit. A more complex autocorrelation test that examines the correlation of the neighbouring bits up to a given delay would be a more powerful autocorrelation test, but it would increase the hardware requirements.

The turning point test also does not catch the error in the experiment. The evidence for the turning point test indicates that doubling the bits does not change the number of peaks and troughs enough to indicate an error.

A closer examination of Figure 6.42 shows that the poker test is the most sensitive to the oversampling error, perfectly matching the FIPS standard at a sample sequence length of 75 bits. The runs and serial tests are both close behind, with their perfect FIPS matching occurring at sequence lengths of 100 and 250 bits respectively.

Four tests have perfect FIPS matching: the poker, runs, serial and frequency block tests. This is also the first experiment in which the longest runs test indicates an error with any degree of sensitivity, even though it does not reach 100% matching at the sequence lengths selected for the experiment.

The poker test is an ideal test for finding this error, since the doubling of the bits means some patterns happen more often than others. The example in Figure 6.40 shows how the beginning “10” combination becomes the four bit “11 00” combination. In this situation the patterns “0000”, “0011”, “1100” or “1111” occur exclusively. The patterns with mixed values, i.e. “01” or “10”, do not occur at all.

[Figure 6.42: Single test percent matching with FIPS 140-2 results for the bit oversampling generator. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial; plot not reproduced.]
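The two digitizer faults of Figure 6.40 together with the poker statistic on 4-bit blocks, written out in Python as an added example (not the thesis's Matlab simulator). It serves both this passage and the Table 6.4 analysis earlier in the section: `nibble_counts` is the 4-bit histogram that Table 6.4 tabulates, and `poker_statistic` is the FIPS 140-2 form X = (16/n)·Σ f_i² − n. The block also shows why the lag-4 autocorrelation test of the hardware unit misses a bit-doubled stream while a lag-1 comparison sees it. Assumptions: the FIPS 140-2 acceptance interval 2.16 < X < 46.17, which the standard defines for 20000 bits, is applied unchanged to shorter sequences; the autocorrelation check is modelled as the fraction of positions whose bit equals the bit `lag` places later; the reference source is Python's seeded PRNG, constructed for the example.

```python
import random

# FIPS 140-2 poker-test acceptance interval for X (chi-square, 15 degrees of
# freedom). The standard defines it for 20000 bits; applying it unchanged to
# shorter sequences is an assumption of this example.
POKER_LOW, POKER_HIGH = 2.16, 46.17


def random_bits(n, seed=0):
    """Constructed reference source: n unbiased bits from a seeded PRNG."""
    rng = random.Random(seed)
    return "".join(str(rng.getrandbits(1)) for _ in range(n))


def bit_oversample(bits):
    """Digitizer fault from Figure 6.40: every bit is emitted twice."""
    return "".join(b + b for b in bits)


def word_oversample(bits, word=24):
    """Digitizer fault from Figure 6.40: every 24-bit word is emitted twice."""
    return "".join(bits[i:i + word] * 2 for i in range(0, len(bits), word))


def nibble_counts(bits):
    """Histogram f_0..f_15 of the non-overlapping 4-bit blocks (the data of Table 6.4)."""
    counts = [0] * 16
    for i in range(0, len(bits) - 3, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    return counts


def poker_statistic(bits):
    """X = (16/n) * sum(f_i^2) - n over the n complete 4-bit blocks (FIPS 140-2 form)."""
    counts = nibble_counts(bits)
    n = sum(counts)
    if n == 0:
        raise ValueError("need at least one complete 4-bit block")
    return 16.0 / n * sum(c * c for c in counts) - n


def poker_passes(bits):
    """True when the poker test accepts the sequence (no error detected)."""
    return POKER_LOW < poker_statistic(bits) < POKER_HIGH


def autocorrelation_match_rate(bits, lag):
    """Fraction of positions with bits[i] == bits[i + lag]; about 0.5 for a good source.

    A bit-doubled stream copies each bit into its neighbour, so lag 1 sees about
    0.75, while lag 4 (the delay used by the hardware test) compares bits that
    come from independent source bits and still sees about 0.5."""
    pairs = len(bits) - lag
    same = sum(1 for i in range(pairs) if bits[i] == bits[i + lag])
    return same / pairs


def summarize(seed=0):
    """Run the checks of this section on a good, a bit-doubled and a word-doubled source."""
    good = random_bits(20000, seed)
    doubled = bit_oversample(random_bits(10000, seed))
    worded = word_oversample(random_bits(9984, seed))   # 416 words of 24 bits, doubled
    return {
        "poker_pass_good_20000": poker_passes(good),
        "poker_pass_bit_oversampled_75": poker_passes(doubled[:75]),
        "poker_X_word_oversampled": poker_statistic(worded),
        "acf_lag1_bit_oversampled": autocorrelation_match_rate(doubled, 1),
        "acf_lag4_bit_oversampled": autocorrelation_match_rate(doubled, 4),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

With 75 bits the poker test sees 18 complete blocks spread over at most the four patterns 0000, 0011, 1100 and 1111, so Σ f_i² is at least 82 and X is at least 54.9, above the 46.17 bound for every input; this is the arithmetic behind the thesis's perfect matching at 75 bits. With 50 bits (12 blocks) the minimum X drops to 36, which is why no test reaches 100% there. Word doubling, by contrast, only doubles every block count when the 24-bit words align with the 4-bit blocks, so X is exactly twice the statistic of the underlying sequence: a typical value near 30 still sits inside the acceptance interval, which matches the subtle detection reported for that fault.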

The single tests show very high quality in matching the FIPS standard at very small test bit lengths. The test combinations have been included to see if the 75 bit level can be lowered to 50 or even 25 bits. The test combination results can be seen in Figures 6.43 and 6.44. The first point of interest is that there are no test combinations with a sample sequence length of 50 having 100% FIPS matching. However, there are two test groups that provide better coverage at the 50 bit sample length than is possible from the single poker test. The runs-poker test shows approximately a 23% improvement in the error detection at a 72% FIPS matching. The runs-serial test has a 64% FIPS matching, which is a 15% improvement over the poker test. This indicates the runs test is finding the generator faulty through different sequences than the poker test. The fail results do not overlap, allowing for an improved group combination. This improvement is good; however, it does not reach the magical 100% that is desired by smart card manufacturers.

Results for the 24-bit Word Oversampling RNG

The results from the bit oversampling show that the poker, runs and serial tests are very sensitive to this type of error; however, the word oversample is another error that may manifest itself. In comparison to the bit oversampling this error is far more subtle.

[Figure 6.43: Test combination percent matching with FIPS 140-2 results for the bit oversampling generator, showing the combinations Frequency/Runs to Longest Runs/Poker. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.44: Test combination percent matching with FIPS 140-2 results for the bit oversampling generator, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.45: Single test “pass” count for the word oversampling generator. Axes: Sequence Length (25 to 100000 bits) vs. Count of “Pass” Sequences (max. 500); series: the eight single tests and FIPS @ 20000; plot not reproduced.]

The graphical results from the word oversample experiment are shown in Figures 6.46 to 6.48. Figures 6.46 and 6.45 display the results for the single tests. It is important to note that the FIPS test group only marks approximately 440 samples as coming from a faulty source. It is also seen in Figure 6.45 that no single test matches FIPS at 20000. A better picture of this can be seen in Figure 6.46, where it is evident that none of the tests reach perfect FIPS matching. An interesting phenomenon occurs with both the poker and runs tests. They both decrease in quality at the lower sequence bit lengths, and only at 15000 do they improve beyond the other single tests. The results from these two graphs do not seem to match. The poker and runs tests both fail more sequences than the other tests and appear to be closer to the FIPS total in Figure 6.46. However, Figure 6.45 shows that this is not the case, and the poker and runs tests have a lower matching than the other tests. The individual data have been investigated, and the results indicate that the poker and runs tests fail more sequences than the other tests, but these are different from the ones failed by the FIPS group at 20000. For example, using a test sequence of 100 bits, sequences 15 and 19 are marked as fail by the poker test, while at 20000 bits the FIPS group marks sequences 13 and 21 as fails. Therefore, even with the higher failure rates the poker and runs tests have a lower FIPS matching percent.

The single tests do not reach perfect matching with the FIPS standard; this leaves room for the test combinations to possibly provide perfect matching. The results are shown in Figures 6.47 and 6.48. Most of the combinations follow the dominant test of the combination; however, the runs-poker test displays worse results than the individual tests until the 15000 bit test length, at which point the test matches the poker test result. Only at the 20000 bit length does the test combination reach 100% FIPS matching. The reason for the worse results, other than at the 15000 and 20000 test lengths, is the same as that given for the individual tests. The test combinations are marking “fail” on different sequences than the FIPS standard. The perfect matching at 20000 shows that the runs and poker tests are the two important tests for this experiment.

[Figure 6.46: Single test percent matching with FIPS 140-2 results for the word oversampling generator. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; series: Frequency, Runs, Longest Runs, Poker, Turning Point, Autocorrelation, Frequency Block, Serial; plot not reproduced.]

Oversampling Conclusion

The oversampling experiment shows two extremes in random generator testing: one failure model with very distinct failure detection and the other with very little detection. For both failure models, the poker and runs tests are the primary tests. The poker test can be set to a test length of 75 bits for the bit oversampling; however, the only reliable test for the word oversampling is the poker-runs combination at 20000 bits.

[Figure 6.47: Test combination percent matching with FIPS 140-2 results for the word oversampling generator, showing the combinations Frequency/Runs to Longest Runs/Poker. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]

[Figure 6.48: Test combination percent matching with FIPS 140-2 results for the word oversampling generator, showing the combinations Longest Runs/Turning Point to Frequency Block/Serial. Axes: Sequence Length (25 to 100000 bits) vs. Percent Matching; plot not reproduced.]


Chapter 7

Random Number Generator Testing Unit

7.1 Hardware and Software Analysis

The previous two sections examined both the hardware implementation and the quality characteristics of the selected eight tests. In this chapter the two separate sets of results are used to determine an efficient test unit design with perfect FIPS matching capabilities.

Using the hardware implementation results from Chapter 5, the RNG tests are categorized into two groups: simple and complex tests. Simple tests have low hardware requirements, while complex tests require more area and power. The complex tests usually perform more complex calculations. The division of the RNG tests into the two groups allows for an easy overview showing which tests can be combined with each other and still have low hardware requirements. Simple tests can be combined with complex tests, since they do not add significantly to the overall test unit requirements. For complex tests, combining two such tests leads to a very large test unit and/or high power consumption. They are best left as single tests or, if required, combined with simple tests. The tests are shown in Table 7.1. The designs have been separated mainly on power consumption and area requirements, with some consideration of the time delay. The cut-off line for the implemented tests is the runs test, which means the poker and serial tests are considered complex with the rest being simple.

The simple/complex design rule does not allow for a poker-serial test unit combination, since both of these tests are considered complex. When selecting the test or tests for the end unit, the ideal design is a single simple test that covers all the failure models presented in the last chapter. However, also acceptable are simple test combinations, a complex test, or a combination of a simple test and a single complex test.

Table 7.1: Simple and complex tests based on hardware requirement results.

    Simple             Complex
    Frequency          Poker
    Runs               Serial
    Longest Runs
    Frequency Block
    Turning Point
    Autocorrelation

Table 7.2: Top 3 tests for perfect FIPS 140-2 matching (RNG test and lowest sequence length in bits reaching 100% matching).

    RNG failure model           1                   2                        3                              Detection
    ANSI C                      Poker 20000         Poker combos 20000       -                              Hard
    Repeating pattern           Runs-Poker 1000     Runs 2500                Poker 2500                     Detectable
    Bias 52%                    Frequency 20000     Frequency combos 20000   Serial 30000                   Detectable
    Bias 54%                    Frequency 10000     Poker 10000              Serial 10000                   Detectable
    Frequency Add Narrow 50%    Freq-Poker 20000    -                        -                              Hard
    Frequency Add Narrow 90%    Poker 15000         Poker combos 15000       Runs 30000                     Detectable
    Frequency Add Wide 50%      Poker 10000         Poker combos 10000       Frequency 20000                Detectable
    Frequency Add Wide 90%      Poker 2500          Serial 2500              Poker or Serial combos 2500    Detectable
    Pink noise                  Poker 1000          Poker combos 1000        Serial 1000                    Detectable
    Oversample bit              Poker 75            Poker combos 75          Runs 250                       Detectable
    Oversample word             Runs-Poker 20000    -                        -                              Hard

Having divided the RNG tests into two hardware categories the next step is to examine the

simulator results to find out the best sample length and to answer which tests are to be included

in the test unit to provide perfect FIPS 140-2 matching. A table has been compiled with the top three tests for each failure model and the lowest bit testing length needed to achieve perfect FIPS matching (see Table 7.2).

Examining the perfect FIPS matching table reveals that the poker test is consistently, with one exception, in the top three list, either as a single test or as part of a test combination. It is best

able to match the FIPS standard. For some of the more subtle errors, it requires a second test to

reach full matching. From this result the conclusion is drawn that it is important to include the

poker test in the test unit design.

The next step before deciding on using a second test is selecting a sequence test length and examining the results with just the poker test. The last column in Table 7.2 is a rating of the

failure model judging how difficult it was for the top tests to match with the FIPS standard. The

models used to examine the RNG tests have been set at different levels of interference or “non-

randomness”. For example, an RNG with a ones bias of 52% produces sequences that, statistically speaking, are close to what a true RNG would produce. The minor deviation from a true RNG

only slightly increases the number of ones, meaning most sequences still pass any statistical test.

They do not fall outside the given acceptance range. A classification has been given to each of the

models, where “hard” is assigned to error models that the FIPS standard had trouble detecting.

This data is obtained by examining the FIPS test count graph for each of the models and labeling

any failure model as hard that does not have a pass count of zero for the FIPS group. For models

with a FIPS count at zero, the model is said to be “detectable.”

The results in Table 7.2 show that three of the models are hard for the FIPS standard to detect: ANSI C, frequency addition of a narrow single frequency at 50%, and the word

oversampling. These three models will not be used towards determining the final design.

From the remaining models the range of the sample sequence length is from 75 to 20000 bits.

A decision needs to be made that provides a compromise between the best statistical coverage

and a possible implementation. It has been stated that a length of 20000 bits is too long for the

generation and testing of bits during the initialization phase in smart cards. Therefore, any model

that requires a 20000 bit test length cannot be 100% covered by this test unit. This decision has

the effect that the 52% bias generator is not fully covered.

The next step down in the bit sequence length is 15000 bits to cover the frequency addition of

a narrow signal at 90%. A 97% FIPS matching is achieved at 10000 bits for this failure model, but this is not enough for perfect FIPS matching. Therefore, for the remaining failure models a choice

has to be made. If the coverage of the narrow signal interference is important then the test bit

length needs to be 15000 bits. However, this error is not very common in practice with wider

signal interference being the norm. A sample length of 10000 bits can be used, which would cover the following failure models at 100% FIPS matching:

• Repeating pattern

• Bias 54%

• Frequency addition of a wide signal at 50%

• Frequency addition of a wide signal at 90%

• Pink noise

• Bit oversample

and the single frequency addition at 90% is covered with a 97% FIPS matching accuracy. This

length provides the best compromise between testing time and test accuracy.


Test                             Percentage FIPS matching   Improvement
Bit Oversampling                 100%                       -
Word Oversampling                86%                        no improvement
Frequency Addition Wide 50%      100%                       -
Frequency Addition Wide 90%      100%                       -
Frequency Addition Narrow 50%    38.8%                      Freq-Poker 50.2%
Frequency Addition Narrow 90%    97%                        -
Bias 52%                         22.6%                      Freq-Poker 82.4%
Bias 54%                         100%                       -
Bias 56%                         100%                       -
Pink noise                       100%                       -
Repeating Pattern                100%                       -
ANSI C                           54.4%                      -

Table 7.3: Poker test results for each faulty generator with a test sequence of 10000 bits.

At this point, the design has a 10000 bit sample sequence length and the poker test. The next

step is to see if better coverage can be achieved by adding a second simple test.

Table 7.3 shows the coverage for each of the failure models using only a poker test with a

sequence length of 10000 bits. Also included in Table 7.3 is any improvement by adding the

next best test. For two of the generators, ANSI C and narrow frequency addition fault generator

with 50% interference ratio, the fault detection cannot be improved by applying a second test.

However, for the 52% biased, word sampling, and single frequency addition at 50% generators

the results show that the fault detection is improved with the addition of a second test. The 52%

biased RNG shows a significant improvement over only the poker test, while the single frequency

addition RNG has at least a 50% chance of catching the failure. The word oversampling RNG is

negligible in its improvement.

The frequency test is a simple test, and combining it with the poker test adds little to the

hardware characteristics. To confirm this, the poker-frequency test combination has been imple-

mented in hardware. There is added circuit logic due to the extra structures required to control

both tests and make a final pass/fail judgment. This is minor compared to the requirements from

the tests themselves. The design is set to a maximum of 50 MHz, which allows Synopsys™ extra optimization room to improve the hardware requirements. This is intended to keep the hardware requirements close to those of the poker test.

7.2 Poker-Frequency Test Unit

The test unit has been laid out as shown in Figure 7.1. The two tests selected are the poker

and frequency test with the control keeping track of the results from both tests. A pass is only

allowed when both tests agree on the sequence coming from a random source. The control logic is shown in Figure 7.2. The controller and the tests wait for the start bit to indicate when the test unit should begin. After the first test is finished it sets its Finished signal high, and the controller then knows to read the result line for that test. In this case the first test read is the frequency test, followed by the poker test. If both tests agree on a pass then the Unit_Result signal is set high, else it is left low. The Finished signal is also set high to indicate that a result is sitting on the Unit_Result line. The unit examines a test sequence of 10000 bits.

                                        Poker Test      Test Unit       FIPS Unit
Area (0.25 μm CMOS technology)          524179 μm²      530982 μm²      588707 μm²
Time Delay                              17.28 ns        17.28 ns        17.19 ns
Power Consumption at 20 ns (50 MHz)     5.159 mW        5.541 mW        8.909 mW
    Controller                          -               34.2 μW         34.1 μW
    Poker Test                          -               4.852 mW        4.743 mW
    Frequency Test                      -               0.654 mW        0.645 mW
    Runs Test                           -               -               2.797 mW
    Longest Runs Test                   -               -               0.690 mW

Table 7.4: Hardware characteristics of the Online RNG Test Unit.

The implementation of the test unit is programmed using VHDL and, as with the other tests, has been synthesized using Synopsys™ tools. Since current smart cards run at a maximum of 50 MHz and the current poker test design has a maximum around 50 MHz, the design has also been optimized to function at this speed. This allows for a higher time delay, which means dynamic power and area savings are possible. The time delay has been examined only to make sure

that the unit design is capable of operating at the 50 MHz mark, and that the extra functionality

does not require a slower operating speed.

The results for the hardware design are shown in Table 7.4. The Synopsys™ tools are able to optimize the test unit to be close to the original poker test: even with the added structures, they produce a test unit design that is close in size, power consumption, and speed to the original poker test.

Table 7.4 also includes the results from the FIPS test group unit. It is designed in the same

way as the Test Unit but it includes the runs and longest runs tests. Running both units through the same experiments has given results for area, time delay and power consumption at 50 MHz.

The results show that a 10% saving in area and a 38% saving in power consumption is achieved

by using the test unit over the FIPS test unit.

The results indicate that there exists a design that is acceptable for smart card implementa-

tions. Therefore, a test unit can be provided that achieves perfect FIPS matching for the error

models previously covered that does not require the full FIPS group or the full 20000 bit test

length. The test unit provides excellent coverage, is small, and has low power consumption.


[Figure 7.1: block diagram of the Test Unit, containing the Controller, the Poker Test and the Frequency Test. Inputs: CLK, RESET, START and the 3-bit Din; test-to-controller signals as labelled: Finished_PT, Result_PT, Result_RT; outputs: FINISHED, UNIT_RESULT.]

Figure 7.1: Test Unit block design.

[Figure 7.2: state diagram with the states Wait_for_Start, Wait_for_tst1_Finished, Wait_for_tst2_Finished, Result_Output and Halt; transitions on Start = '1', tst1_finished = '1' and tst2_finished = '1', plus Reset = '1' transitions from the states.]

Figure 7.2: Control logic for the Test Unit, located in the Controller block.


Chapter 8

Conclusion

The improvement in computer processing power has seen many benefits in our society; however,

it has also increased the risk to our privacy. New and more powerful computers are capable of

performing calculations in the 200 to 300 million instructions per second range (Intel P4 proces-

sors), which means older encryption methods are not secure enough to protect our private data.

A new development in cryptography is to use elliptic curves to form the space and arithmetic for

the cryptographic algorithms. In order for the elliptic curve encryption process to remain secure

the private key must remain secret and unguessable, since it is the only part of the cipher process

a potential hacker does not know. The private and public keys for elliptic curve encryption are

created by random number generators. If the random number generator fails, the whole encryption process is put at risk. A failure in the generator can be anything from an RNG that does not

produce any bits to one that produces statistically poor random sequences. To prevent an attacker

from finding or creating a security hole, RNGs are tested before being used in cryptographic op-

erations. However, in the case of the smart cards this has not been done properly. The current

method is to test the current bit with the next bit. This detects catastrophic failure, but does not

detect RNG manipulation or outside interference. Other statistical methods are required for this;

for example, the FIPS 140-2 test standard. This standard is used in many products and provides

excellent RNG testing; however, the requirements are too high for the smart card environment.

The tests need to be performed independently of the main processor, which is running its initialization routines, and the current cryptographic smart card RNGs are too slow to generate the 20000 bits in the 2 sec time limit. Therefore, a hardware online RNG test unit is required that is at least as efficient as the FIPS 140-2 standard but requires fewer hardware resources and a smaller

test sequence than 20000 bits. This thesis presents a solution to this problem with the design of

a test unit that is smaller, consumes less power, and requires a shorter sample sequence than the

FIPS 140-2 test unit.

The first step in the thesis was to select empirical RNG tests suitable for hardware implemen-

tation. Eight tests were selected for possible use in the test unit: frequency, runs, longest runs,

autocorrelation, poker, frequency block, turning point, and serial test. The selection of the empirical tests for the test unit was based on two criteria: test design hardware characteristics and the

test’s ability to match the FIPS 140-2 standard. The selection process was done in two parts. The

first part examined the hardware characteristics, while the second part studied how each of the

tests compared to the FIPS standard in respect to different faulty generators. The second section

also examined how each of the tests reacted with varying sample sequence lengths.

The hardware characteristic examination was performed using VHDL and Synopsys™, and

it revealed that the tests could be divided into two categories: simple and complex tests. The

hardware judgment was based on the power consumption, area, and time delay results. Six of the

eight tests fell into either the simple category or tests that could be combined with other tests and

still have low hardware resource requirements. The poker and serial tests were the two tests that

received a complex classification. A complex test should not be combined with another complex

test due to their large resource characteristics.

After classifying the tests on a hardware basis, the tests were run through a simulator pro-

grammed in Matlab. Using different failure points and models, the results from each of the tests

and test groups were compared to the FIPS 140-2 standard. Some faults were easy to recognize

(the pink noise generator) but others were more difficult (word oversampling generator). For

each of the faulty generators, an experiment was set up to find the optimum test or test combination and the sample sequence length where perfect FIPS matching occurred. The results from the simulator experiments indicated that the poker test was very important in identifying the

different faults. The sample sequence length ranged from 75 to 20000 bits, depending on the

fault measured.

At this point, the data to select which test should be included in the test unit was available, but

still needed to be consolidated and analyzed. Chapter 7 combined the results from the previous

two chapters, examined single tests and test combinations, and found that the poker-frequency

group provided the best coverage with a sequence length of 10000 bits. This test group was only

able to catch six of the faults. Results from three experiments were disregarded because they were

difficult even for the FIPS 140-2 standard to detect and could not be detected with a sequence

length less than 20000 bits.

The final design was able to detect with perfect FIPS matching and a sample sequence of

10000 bits the following faulty generator types:

• repeating pattern failure

• a bias of 54% or greater

• wide and pink noise frequency interference

• bitwise oversampling.

It also provided a power reduction of 38% and an area reduction of 10% when compared to the

FIPS test unit.


This thesis has shown the importance of the poker test in providing excellent RNG test cover-

age. From the selected empirical tests, it is one of the complex tests and requires a lot of hardware

resources. Further work is needed to bring this requirement down and achieve an optimized design for the poker test. Another method to improve the test unit is to increase the number of studied tests from the current eight. There are hundreds of tests available in the literature, and with new

circuit technology, it becomes possible to implement these tests in smart card hardware.

Another area of study is the implementation of another standard as the measuring point. The

FIPS 140-2 is only one possible standard available. Another common and often quoted test suite

is the Diehard suite. The empirical tests in the suite can also be implemented in Matlab and

integrated into the simulator. This would allow the user to select between the two standards when comparing tests or test combinations.

The random number generator tests may have a wider use than just testing random number

generators. Another idea that has not been explored in this thesis but may be a new application

for RNG tests is as a quick post-encryption test for units that store long term data, or as an

intermittent test to check that the data has not changed significantly. Data stored in memory

for long periods of time may become corrupted and unusable. However, with encrypted data this cannot be determined until the data is decrypted. Encrypted data, however, has the

property that it mimics random data. A quick randomness test may be run on the data to see if it

possesses any regular structure. If it does, then there is a strong indication that the data has been

changed or damaged and further examination is required. A randomness test is quick, requires

less power than the decryption or signature methods currently used, and the randomness test

does not require the secret key and can be performed at any time.

The application of the test unit is wider than just for smart cards. There are many applications

that require low power consumption, fast initialization time and secure random number genera-

tors; for example, on satellites or embedded systems. Cryptography is finding itself integrated

into more and more applications, and each of these applications needs to test the full encryption

path for full functionality. Therefore, in the future RNG testing will be included in more appli-

cations as well.


Chapter 9

Appendix A

[Figure 9.1: plot of Percent Matching (0 to 100%) against Sequence Lengths (25 to 100000 bits) for the series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]

Figure 9.1: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 90% interference showing the combinations Frequency/Runs to Longest Runs/Poker.


[Figure 9.2: plot of Percent Matching (0 to 100%) against Sequence Lengths (25 to 100000 bits) for the series L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS.]

Figure 9.2: Test combination percent matching with FIPS 140-2 results for the Frequency Add Narrow generator with 90% interference showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.

[Figure 9.3: plot of Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits) for the series F_R_FIPS, F_L_FIPS, F_P_FIPS, F_T_FIPS, F_A_FIPS, F_FB_FIPS, F_S_FIPS, R_L_FIPS, R_P_FIPS, R_T_FIPS, R_A_FIPS, R_FB_FIPS, R_S_FIPS, L_P_FIPS.]

Figure 9.3: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 90% interference showing the combinations Frequency/Runs to Longest Runs/Poker.


[Figure 9.4: plot of Percent Matching (0 to 100%) against Sequence Length (25 to 100000 bits) for the series L_T_FIPS, L_A_FIPS, L_FB_FIPS, L_S_FIPS, P_T_FIPS, P_A_FIPS, P_FB_FIPS, P_S_FIPS, T_A_FIPS, T_FB_FIPS, T_S_FIPS, A_FB_FIPS, A_S_FIPS, FB_S_FIPS.]

Figure 9.4: Test combination percent matching with FIPS 140-2 results for the Frequency Add Wide generator with 90% interference showing the combinations Longest Runs/Turning Point to Frequency Block/Serial.
