阅读说明：本技术 用于测试由随机数生成器生成的序列的设备和方法 (Device and method for testing sequences generated by a random number generator ) 是由 Y·埃尔霍斯尼 F·洛扎克 于 2019-12-20 设计创作，主要内容包括：本发明的实施例提供了一种用于测试由随机数生成器(11)生成的位序列的设备(100),其中该设备被配置为响应于检测到由随机数生成器(11)生成的N个位,对位序列应用一个或多个统计测试(103),每个统计测试提供从所述序列的位导出的至少一个总和值,该测试设备包括：-比较器,用于将与每个统计测试相关的至少一个测试参数与一个或多个阈值进行比较；-验证单元(105),其被配置为取决于比较器针对每个统计测试进行的比较来确定所述位序列是否有效；其中,测试参数和至少一个阈值中的至少一个是根据N和根据目标错误概率确定的。(An embodiment of the invention provides a device (100) for testing a sequence of bits generated by a random number generator (11), wherein the device is configured to apply one or more statistical tests (103) to the sequence of bits, each statistical test providing at least one sum value derived from the bits of the sequence, in response to detecting N bits generated by the random number generator (11), the testing device comprising: -a comparator for comparing at least one test parameter associated with each statistical test with one or more thresholds; -a verification unit (105) configured to determine whether the bit sequence is valid depending on a comparison by a comparator for each statistical test; wherein at least one of the test parameter and the at least one threshold is determined based on N and on the target error probability.)

1. A device (10) for testing a bit sequence generated by a random number generator (11), wherein the device is configured to apply one or more statistical tests (103) to the bit sequence in response to detecting N bits generated by the random number generator (11), each statistical test providing at least one sum value derived from the bits of the sequence, the testing device comprising:

-a comparator for comparing at least one test parameter associated with each statistical test with one or more thresholds;

-a verification unit (105) configured to determine whether the bit sequence is valid depending on the comparison performed by the comparator for each statistical test;

wherein at least one of the test parameter and the at least one threshold is determined from N and from a target error probability.

2. The apparatus of claim 1, wherein the at least one or more statistical tests (103) applied to the sequence comprise a set of statistical tests providing at least one sum value derived from bits of the sequence, the at least one sum value providing the at least one test parameter for each statistical test, the apparatus further comprising:

-a threshold determination unit (101) for determining, for each statistical test of the set of statistical tests, a lower threshold and an upper threshold from N and from a target error probability associated with each sum value;

wherein the comparator (102) is configured to compare each sum value with an associated lower threshold and upper threshold for each statistical test.

3. The apparatus of claim 2, wherein the comparator is configured to output a validation bit for statistical testing if each sum value is strictly above the associated lower threshold and strictly below the upper threshold.

4. The device according to claim 3, wherein the verification unit is configured to reject the bit sequence if at least one sum value for a statistical test is lower than or equal to an associated lower threshold or higher than or equal to a corresponding upper threshold.

5. The device according to any of the preceding claims 2-4, wherein the statistical test (103) comprises providing a sum value T₁AIS unit test of (a), corresponding lower threshold L₁And an upper threshold value H₁Equal to:

and

wherein α represents the target error probability.

6. The apparatus according to any of the preceding claims 2-5, wherein the statistical test (103) comprises providing a sum valueT₂The corresponding lower threshold value L of the AIS poker test₂And an upper threshold value H₂Equal to:

and

where M represents the length of consecutive blocks in the bit sequence and a represents the error probability.

7. The apparatus of any preceding claim 2-6, wherein the statistical test (103) comprises an AIS run test that provides a sum value T for each run of length k_3(N,k)Lower threshold L for each run of length k_3,kAnd an upper threshold value H_3,kEqual to:

wherein α represents the target error probability and

8. the device of any one of the preceding claims, wherein the at least one or more statistical tests (103) applied to the sequence comprise an additional set of statistical tests, for each statistical test the testing device determining a test parameter determined from N and from a probability of error.

9. The apparatus of claim 8, wherein the statistical test (103) comprises an AIS longest run test, the test parameter being a run length k, the length k being determined according to the following equation:

where alpha represents the long operating probability,

wherein the comparator compares the test parameter k with a maximum length of operation.

10. The apparatus of any preceding claim, wherein the length N of the bit sequence varies between one or more clock cycles.

11. The apparatus according to any of the preceding claims 1-10, wherein new values for the error probability and the number N can be received at different times or at the same time.

12. A system implemented on at least one integrated circuit, the system comprising a device using a random bit sequence generated by a random number generator (11), wherein the device further comprises a testing device for testing each random bit sequence generated by the random number generator according to any of the preceding claims 1-11.

13. A method for testing a bit sequence generated by a random number generator (11), wherein the method comprises applying one or more statistical tests (103) to the bit sequence in response to detecting N bits generated by the random number generator (11), each statistical test providing at least one test parameter according to the bits of the sequence, the testing method comprising:

-comparing at least one test parameter associated with each statistical test with one or more thresholds;

-determining whether the bit sequence is valid depending on the comparison performed for each statistical test in the comparing step;

wherein at least one of the test parameter and the at least one threshold is determined from N and from a target error probability.

Technical Field

The present invention relates generally to an apparatus and method for testing sequences generated by a random number generator.

Background

Random number generators are used to generate a set of random numbers (in the form of a bit stream) for use in many systems. For example, a random number generator may be used in a cryptographic system to generate a random cryptographic key for securely transmitting data.

The random number generator includes: a hardware random number generator, also known as a true random number generator (TNRG), which generates a set of numbers from a physical process rather than a computer program (a non-deterministic source); and a pseudo-random number generator that generates numbers from a deterministic source (e.g., a deterministic algorithm).

TNRG can be based on microscopic phenomena that generate low-level, statistically random "noise" signals, such as thermal or shot noise, photoelectric effects, involving beam splitters and other quantum phenomena. TNRG typically includes a transducer that converts quantities or data derived from physical phenomena into electrical signals, an amplifier, additional components configured to increase the amplitude of random fluctuations to a measurable level, and an analog-to-digital converter configured to convert the output so obtained into a number (e.g., a binary digit of 0 or 1). The TRNG then repeatedly samples the randomly varying signal to obtain a series of random numbers.

The quality of random number generation is crucial for implementing cryptographic systems (e.g. key generation, authentication protocols, padding, digital signatures, encryption algorithms). In such applications, security is closely dependent on the quality of the generated random numbers.

In fact, many attacks address vulnerabilities in the implementation of cryptographic systems. Such vulnerabilities may stem from the quality of the random numbers generated and exploited by attackers in an attempt to disrupt the system.

There are several test methods and systems for testing the quality (in particular the randomness) of the generated random numbers, most of which are based on statistical tests.

This test is applied to check whether the randomly acquired digital sequence has two main statistical properties:

the generated values should be evenly distributed, an

The generated value should be independent of the previously generated value.

Recognizing this, standardization bodies such as NIST and BSI have established a statistical test suite given binary sequences of 20000 bits. The purpose of this document is to provide a mathematical interpretation of the test and to build a general mathematical formula given the sequence of N bits, the probability of error and other parameters.

It is currently desirable to test the set of random numbers generated by TNRG because it may affect the performance of systems using such random numbers, such as AIS31, FIPS140-1, NIST, and DIEHARD tests.

Standardization bodies such as NIST and BSI have established a statistical test suite for binary sequences of a given fixed number of bits (20000 bits).

In the prior art method, therefore, a statistical test is applied each time the TRNG generates 20000 bit sequences, which calculates different sums based on the sequence. These sums are then compared to a predefined and fixed threshold and depending on the comparison result it is decided whether to accept or reject the sequence. The threshold for performing the comparison is predefined as a function of the fixed error probability.

Existing test methods and devices introduce uncontrolled delays. Furthermore, they are not suitable for solving the target error probability.

Accordingly, there is a need for improved methods and apparatus for testing bit sequences generated by random number generators.

Disclosure of Invention

To address these and other problems, an apparatus for testing a sequence of bits generated by a random number generator is provided, the apparatus being configured to apply one or more statistical tests to the sequence of bits in response to detecting N bits generated by the random number generator, each statistical test providing at least one sum value derived from the bits of the sequence. The test apparatus may include:

-a comparator for comparing at least one test parameter associated with each statistical test with one or more thresholds;

-a verification unit configured to determine whether the bit sequence is valid depending on the comparison of each statistical test by the comparator;

wherein the at least one test parameter and the at least one threshold are determined according to N and according to a target error probability.

In some embodiments, the at least one or more statistical tests applied to the sequence comprise a set of statistical tests providing at least one sum value derived from bits of the sequence, the at least one sum value providing at least one test parameter for each statistical test, the apparatus further comprising:

-a threshold determination unit for determining, for each statistical test of the set of statistical tests, a lower threshold and an upper threshold from N and from the target error probability associated with each sum value;

the comparator is configured to compare each sum value with an associated lower threshold and upper threshold for each statistical test.

In such embodiments, the comparator may be configured to output a validation bit for the statistical test if each sum value is strictly above the associated lower threshold and strictly below the upper threshold.

Furthermore, the verification unit may be configured to reject the bit sequence if at least one sum value for the statistical test is lower than or equal to the associated lower threshold or higher than or equal to the corresponding upper threshold.

In one embodiment, the statistical test may include providing a sum value T₁AIS unit test of (a), corresponding lower threshold L₁And an upper threshold value H₁Equal to:

and

where alpha represents the target error probability.

In one embodiment, the statistical test may include an AIS poker test, the testing device determining a sum value T₂. Corresponding lower threshold value L₂And an upper threshold value H₂Equal to:

and

where M represents the length of consecutive blocks in the bit sequence and α represents the error probability.

In an embodiment, the statistical tests may include AIS run tests, the test equipment determining a sum value T for each run of length k_3(N,k)For each run of length k, the lower threshold L_3,kAnd an upper threshold value H_3,kEqual to:

wherein α represents a target error probability and

in some embodiments, the at least one or more statistical tests applied to the sequence comprise an additional set of statistical tests, for each of which the test device determines test parameters determined from N and from the error probability.

In particular, the statistical tests comprise AIS longest run tests, the test parameter being a run length k, the length k being determined according to the following equation:

where alpha represents the long operating probability. The comparator then compares the test parameter k with the maximum length of operation.

In one embodiment, the bit sequence length N may vary between one or more clock cycles.

New values for the error probability and the number N may be received at different times or at the same time.

There is also provided a system implemented on at least one integrated circuit, the system comprising a device for using a random bit sequence generated by a random number generator, wherein the device further comprises a testing device according to any of the preceding embodiments for testing each random bit sequence generated by the random number generator prior to use.

There is also provided a method for testing a sequence of bits generated by a random number generator, wherein the method comprises applying one or more statistical tests to the sequence of bits in response to detecting N bits generated by the random number generator, each statistical test providing at least one test parameter from the bits of the sequence, the testing method comprising: comparing at least one test parameter associated with each statistical test to one or more thresholds; determining whether the bit sequence is valid depending on the comparison performed for each statistical test in the comparing step. At least one of the test parameter and the at least one threshold is determined based on N and based on the target error probability.

The invention thus enables to control the delay/debit of the random number generator implemented in a given system.

Thus, embodiments of the present invention provide a flexible and fully delay-controllable RNG throughout all phases of operation.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate various embodiments of the invention and, together with a general description of the invention given above, and the detailed description of the embodiments given below, serve to explain the embodiments of the invention:

figure 1 depicts an apparatus for testing a sequence of random numbers generated by a random number generator according to some embodiments.

Figure 2 shows the probability of operation used in the longest test according to some embodiments.

Fig. 3 is a flow diagram depicting a method of testing a sequence of random numbers generated by a random number generator, in accordance with some embodiments.

Further, the detailed description is supplemented by show E1. The display is separated for clarity of description and ease of reference. However, it forms an integral part of the description of the invention.

Detailed Description

Embodiments of the present invention provide an apparatus and method for testing a sequence of random numbers generated by a hardware random number generator, such as a TRNG (true random number generator). In the following description, the random number generator will also be referred to as RNG.

Referring to fig. 1, an exemplary operating environment 100 of a test device 10 is shown that includes a cryptographic system 12, the cryptographic system 12 using a sequence of random numbers generated by a hardware random number generator 11 for generating keys, performing authentication, generating signatures and/or performing encryption, and so forth.

The test device 10 is configured to test the quality of the random number sequence generated by the random number generator 11. The set of statistical tests 103 includes one or more statistical tests T₁、T₂、…、T_PWherein P is at least equal to one.

It should be noted that the present invention is not limited to the use of the test device 10 in the cryptographic system 12, but may be used generally in any system or device that uses a sequence of random numbers generated by the hardware RNG 11. System 100 and/or system 12 may be implemented on one or more integrated circuits.

For purposes of illustration only, the following description of some embodiments will be made with reference to cryptographic system 12.

The statistical Test _ j may be configured to Test statistical characteristics required by the cryptosystem, including backward and forward unpredictability characteristics of the random number generator 11.

Exemplary statistical tests Tj include, for example, AIS, tests to test for an increase in entropy per generation number, and the like.

More specifically, the test equipment 10 may be configured to receive, during operation of the system 100, a desired error probability α and a frequency number N, the frequency number N defining the number of bits of the sequence generated by the RNG 11. N may be lower than the maximum number of bits M that RNG 11 can generate. In particular, N may be adjusted during system operation depending on a number of criteria. Thus, N may change between one or more clock cycles. Advantageously, the value N may be different from a predefined fixed value and may therefore take a value different from the value N' 20000 that is normally used for activating statistical tests. New values for the error probability a and the frequency number N may be received at different times or at the same time.

As used herein, a desired error probability (also referred to herein as a "significance level" or "target error probability") refers to the error probability of a test performed on a sequence generated by RNG 11, i.e., the probability that a test device returns an erroneous result using a set of statistical tests 103 on a given sequence generated by RNG 11. Thus, the expected error probability α is defined as the probability of the test rejecting the sequence generated by RNG 11, assuming that the sequence is truly random.

The RNG 11 may be activated to generate a sequence of random numbers (e.g., for key generation) comprising multiple bits from an entropy source using the desired error probability τ and the current value of the number of frequencies N used by the cryptosystem 12.

The test device 10 may be configured to test the sequence of bits generated by the random number generator 11 by applying one or more statistical tests 103 to the sequence of bits in response to detecting the N bits generated by the random number generator. Advantageously, the number N and the target probability may vary depending on the application of the invention (N may be defined as small as possible if a fast processing time is required, or may be defined as increasing if a test is required to limit false positives as much as possible).

Each statistical test 103 provides at least one test parameter derived from a bit of the sequence.

The test apparatus may include: a comparator 102 configured to compare the test parameters associated with each statistical test to one or more thresholds; and a random number sequence verification unit 105 configured to determine whether the sequence of N bits is valid depending on the comparison made by the comparator 102 for the statistical test.

The random number sequence verification unit 105 may be configured to reject or verify the N-bit random number sequence using the results of the statistical test 103 applied to the sequence. In such an embodiment, comparator 102 may compare the resulting value O_jAnd returns to the random number sequence verification unit 105.

In one embodiment, the random number sequence verification unit 105 may be configured to only if, for all P statistical tests, the condition (1) applied to each sum value obtained by performing the statistical test is satisfied for the sequence of N bits under consideration (i.e., O for j ═ 1 to K_j＝O_j,2)。

Each statistical test 103 may be a statistical test for testing randomness in the N-bit binary sequence generated by RNG 11.

Advantageously, at least one of the test parameter and the threshold is determined from N and from a target error probability.

In response to the generation of an N-bit random number sequence (i.e. in response to detecting that the number of bits in the random number sequence is equal to N), the test device 10 thus performs a set of P statistical tests (P being at least equal to 1) as the random bits are received from the random number generator 11. A set of P statistical tests may be stored in the storage unit 103.

In some embodiments, the set of statistical tests 103 includes a set of statistical tests, each statistical test to determine one or more sum values (or multiple values if the test includes multiple runs) derived from the N bits of the random number sequence and an error probability α.

The test device 10 may further comprise a threshold determination unit 101 configured to determine to include the lower threshold L_jAnd an upper threshold value H_jAt least one pair of thresholds, for each Test _ j, a lower threshold L_jAnd an upper threshold value H_jDepending on the parameter N and on the significance level parameter a.

The testing device 10 may be configured to check, for each statistical Test _ j, whether each value (sum result) returned by the statistical Test _ j under consideration satisfies the corresponding threshold value pair (lower threshold value L) thus determined_jAnd an upper threshold value H_j) The relevant conditions.

In such an embodiment, the comparator 105 may be configured to correlate each sum result returned by the statistical Test _ j with the lower threshold value L of the associated pair_jAnd an upper threshold value H_jA comparison is made.

In one embodiment, the comparator 105 of the Test device may be configured to determine whether each value Tj (sum result) returned by the statistical Test _ j is strictly higher than the lower threshold Lj and strictly lower than the upper threshold H of the associated threshold pair_j. Based on the corresponding threshold value pair (lower threshold value L)_jAnd an upper threshold value H_i) The condition checked for the value Tj may be expressed as:

L_j＜T_j＜H_j (1)

it should be noted that in some embodiments, condition (1) may be tested for each sum value and each corresponding threshold pair by determining a plurality of sum values for each statistical test (e.g., when the test includes multiple runtimes) and determining a corresponding threshold pair for each value.

The comparator 105 may return a result value O for each Test _ j applied to the sequence of N bits_jIf the test condition of equation (1) is not satisfied, it is set to a first value Oj_,1Or set to a second value Oj if the test condition of equation (1) is satisfied_,2。

To facilitate an understanding of some embodiments of the invention, the following definitions are provided:

as used herein, "null hypothesis H₀"means the following statement: the sequence provided is truly random.

"test statistic S" refers to the following numerical summary: the observed data is reduced to a value.

"p value" means when H₀When true, statistical tests and actual observationsThe result is the same or greater probability.

"significance level" α (also referred to herein as "error probability") refers to the hypothesis H₀Refusing H when true₀The probability of (c).

Given these definitions, the following statistical tests were performed:

-accepting H if the value of p ≧ α₀；

If p is a value<α, then refuse H₀。

Given a statistical model of the test statistic S, a p-value may be calculated.

This model may be applied to all statistical tests used to link empirical data of real-world RNGs to random models.

The set of statistical tests 103 may include, for example, one or more tests of the AIS31 test suite, which includes:

-unit Test (a Monobit Test);

-Poker Test (a Poker Test);

-running a Test (a Runs Test);

longest Run Test (a Longest Run Test).

For illustrative purposes only, the following description of some embodiments will be made with reference to one or more tests of AIS31 kit.

In the following description, the inclusion of bit b is considered_iAnd has a random number sequence of length N.

In one embodiment, the set of statistical tests 103 may include unit tests. The unit test is configured to determine the ratio of the number of 1's and 0's in a given bit sequence. For random sequences, the average number of 1's (and thus 0's) in the expected sequence is 1/2.

According to one embodiment, the AIS31 unit test calculates the sum T by₁To check the sequence of N bits:

according to one embodiment of the invention, statistical parameters may be definedSet { H₀,S_Nα } to run the unit test:

-H₀: the following assumptions were made: the generated bit sequence is random;

-parameter S_NIs defined as:

the error probability α is set to:

α＝9.6×10^-7 (3)

-observation to be tested:

in view of(observations to be tested) for large values of N, the reference distribution for such observations is a semi-normal distribution. As used herein, a semi-normal distribution refers to a normal distribution with a mean of 0 (zero). The definition of normal distribution is provided in presentation E1.1. If the sequence is random, then adding one and subtracting one will tend to cancel each other out, making the test statistic about 0.

p value (when H₀The probability that the statistical test is the same or greater than the actually observed result when true) is given by:

pvalue＝erfc(S_obs) (5)

in equation (1), erfc (z) represents a complementary gaussian error function:

for a semi-normal distributed random variable X, erfc (X) is the probability that X falls outside the [ -X, X ] range.

According to the test method, H is accepted if the following occurs₀：

pvalue≥α (7)

From equations (4) and (5), equation (7) can be rewritten as:

due to erfc^-1Is a decreasing function:

according to equation (2):

equation (10) can be rewritten as:

by dividing equation (12) by two, the following inequality is obtained:

given N, the length of the sequence:

thus, for a unit test, the condition of equation (1) can be rewritten as:

L₁＜T₁＜H₁

wherein:

and

the test device 10 may then be configured to perform a unit test on the sequence of N-bit random numbers generated by the RNG 11, and test the resulting sum T₁Whether or not to be included in the lower threshold value L₁Upper threshold value H₁Both of which depend on N and the error probability a.

Comparator 105 will return a result value O for the unit test applied to the N-bit sequence₁If the test condition of equation (1) is not satisfied, the result value O is₁Is set to a first value O_1,1Or if the test condition of equation (1) is satisfied, the resulting value O₁Is set to a second value O_1,2。

It should be noted that for N20000 and α 9.6 × 10^-7The condition (1) for the unit test is:

9653.54133637＜T₁＜10346.4586636

in contrast, in the conventional method, AIS31 units test by passing the sum T₁Is calculated asAnd the sequence of 20000 bits is checked taking into account a fixed lower threshold and a fixed upper threshold (such thresholds are statically defined, independent of the selected value N and independent of the error probability a). Generally, if T₁Falling outside the range defined by the fixed threshold, the test fails.

In some embodiments, the set of statistical tests 103 may include poker tests.

In one embodiment, to evaluate the conditions (1) for the poker test, the following statistical parameters for running the poker test are defined:

-H₀: intoThe row assumptions are: the generated bit sequence is random;

-test statistics S_N,MIs defined as:

in equation (17), N denotes the length of the sequence, M denotes the length of the continuous block, and f (i) denotes the number of occurrences of each of the possible M-bit values. Given a real number x, the real number x,representing the integer part of x.

Further, for the poker test, the error probability α is defined as α ═ 1.014 × 10^-6。

The poker test involves determining the ratio of 1 in each M-bit block. The frequency of 1 in each block of M bits should be M/2, as expected from the random sequence. The number of occurrences f (i) is normally distributed, so that S_N,MFollowing a degree of freedom of 2^M"chi square" (χ) of-1²) And (4) distribution. Exhibit E1.2 provides a definition of chi-squared distribution.

To determine if there is a significant difference between the expected frequency and the observed frequency, the observation to be tested may beRestricted to degree of freedom 2^M-1 ofGiven an error probability of a. In AIS31, the error probability may be selected to be equal to 30% x α and 70% x α. Thus, the lower bound isAnd the upper bound isTo obtain T₂Given N and M:

chi-square²The distribution has only one parameter which determines its degree of freedom. This means that the boundaries are the same regardless of N, unless M changes.

Thus, the condition of equation (1) for the unit test can be rewritten as:

L₂＜T₂＜H₂

wherein the lower threshold value L₂And an upper threshold value H₂The definition is as follows:

and

the lower threshold value L is shown in equations (19) and (20)₂And an upper threshold value H₂Also on N and on the error probability a. In the case of the poker test, the lower threshold value L₂And an upper threshold value H₂But also on M (M denotes the length of the contiguous block).

The testing device 10 may thus be configured to perform a poker test on the sequence of N-bit random numbers generated by the RNG 11, and to test the resulting sum T₂Is included in the lower threshold L₂And an upper threshold value H₂Both of which depend on N and on the error probability a.

For a poker test applied to a sequence of N bits, the comparator 105 will return a result value O₁If the test condition of equation (1) is not satisfied, the result value O is₁Is set to a first value O_1,1Or if the test condition of equation (1) is satisfied, the resulting value O₁Is set to a second value O_1,2。

For example, according to the test device and method applied to poker testingFor M ═ 4 and α ═ 1.014 × 10^-6：

And:

1 562 820,6684439≤T₂(N,M)≤1 580 428,499198625

in contrast, in the conventional method, the poker test:

-first dividing the sequence of N20000 bits into a fixed number of 5000 consecutive 4-bit fragments, then counting and storing the number of occurrences of each possible 4-bit value.

-calculating T₂Sum of all:

checking the sum T₂Whether strictly comprised between a fixed lower threshold and a fixed upper threshold, both of which are statically defined independently of the chosen value N and the target error probability a.

Generally, if T₂Falling outside the range defined by the fixed threshold, the test fails.

In some embodiments, the set of statistical tests 103 may include a running test.

The purpose of running the test is to determine if the changes in 1 and 0 are too fast (0101010101) or too slow (0000011111).

A run is defined as the maximum sequence of consecutive bits of all 1's or all 0's.

The incidence of runs of all lengths (≧ 1) in the sample stream (for consecutive zeros and consecutive ones) can be counted and stored. The running test passes if each of the number of runs (1 to 6 in length) that occurred is within the corresponding interval specified below. This holds for both zeros and ones; that is, all 12 counts must be within a specified interval. For the purposes of this test, runs greater than 6 are considered to be 6 in length.

T₃(N, k) represents a k-length run of bits 0 or 1, occurring in a length N sequence.

To estimate the conditions according to equation (1) for the running test, the following statistical parameters for applying the running test are defined:

-H₀: the following assumptions were made: the generated bit sequence is random;

s specifies the number of runs of length k, denoted T3(N, k), where N is the sequence length; and

-error probability α ═ k × 10^-6Where k ∈ { 3.25; 1.33; 0.85; 0.40; 0.10}.

Test statistics for running tests T assuming that the sequence bits are equally distributed₃(n, k) is considered to be normally distributed. The mean value of the distribution isSince the probability of running zero or one at a time is the same. Thus, in N/2, there are k runs of 0 or 1, and each bit has a probability of 1/2 occurring. Thus, the expected mean isIf the experiment is performed an unlimited number of times, the sum of all k runs is N/2.

As a resultCan be written as:

consider the observationThe p-value is:

the quantity of equation (22) may then be compared to the error probability α. The running test passes if the following occurs:

p-value≥α (23)

from equation (22), condition (23) can be rewritten as:

equation (23) may be further formulated as follows:

thus, for each run k, the condition of equation (1) for the run test can be rewritten as:

L_3,k＜T_3(N,k)＜H_3,k (27)

wherein the lower threshold value L_3,kAnd an upper threshold value H_3,kThe definition is as follows:

the lower threshold value L is shown in equation (28) and equation (29)_3,kAnd an upper threshold value H_3,kAlso on N and on the error probability a (because). The test apparatus 10 may thus be configured to perform a run test on a sequence of N-bit random numbers generated by the RNG 11, and to test the resulting sum T for each run of length k_3(N,k)Whether or not to be included in the lower threshold value L_3,kAnd an upper threshold value H_3,kThey both depend on N and on the error probability a. Comparator 105 will return a result value O for the run test applied to the N-bit sequence₁If the test condition of equation (1) is not satisfied for at least one run of length k, the resulting value O₁Is set to a first value O_1,1Or if the test condition of equation (1) is satisfied for each considered run of length k, the resulting value O₁Is set to a second value O_1,2。

For example, for N20000, k ∈ [1,2,3,4,5,6]And α ═ K × 10^-6Where k ∈ { 3.25; 1.33; 0.85; 0.40; 0.10}, the results shown in table 1 below were obtained:

run length	Required interval
		1	2267.04399878–2732.45600122
2	1078.99101268–1420.88398732
		3	501.911931832–748.088068168
4	222.906024885–402.125225115
		5	89.678247301–222.853002699
6+	89.678247301–222.853002699

TABLE 1

In contrast, in the conventional method, a maximum sequence of consecutive bits, defined as all 1's or all 0's, is run, which is a portion of a 20,000 bit sample stream, the interval of which is given by table 2 below:

run length	Required interval
		1	2267–2733
2	1079–1421
		3	502–748
4	223–402
		5	90–223
6+	90–223

TABLE 2

In some embodiments, statistical test 103 may include providing a sum value T_iBut instead of testing the sum value T_iThe test device 10 may be configured to test the sequence of N bits by comparing a test parameter determined from the number of frequencies N and the error probability a to a threshold value.

For example, the set of statistical tests 103 may include the longest run test.

In the conventional method, for the sample of 20000 bits, if there is no long run, the longest run test passes.

According to embodiments of the present invention, the longest run test may be used by determining a run length k (which in the case of the longest run test corresponds to a long run probability P) corresponding to the target error probability α_N(k) And then comparing the value k to a threshold value to test the bit sequence. If the integer part of the determined value k is less than the longest length of operationThe test passes. Otherwise, the test fails.

More specifically, it may be based on a long operating probability P_N(k) To determine the index k, the long running probability P_N(k) Representing the probability that a run (zero or one) of length greater than or equal to k occurs in the sequence of N bits under consideration.

P_N(k) Can be represented by the addition of two mutually exclusive event probabilities. One of the event probabilities represents the probability that a run longer than k occurs at N-1 bits, while the other event probability represents the probability that no run longer than k occurs at N-1 bits but at the rightmost k bits of N, as shown in fig. 2. This means that:

equations (30) and (31) yield a general expression given k and N:

this corresponds to the type of arithmetic and geometric sequence (progression):

U_N＝a×U_N-1+b (33)

thus:

U_N＝a^N×(U₀-r)+r (34)

in the case of the equation (34),thus:

in equation (35), U₀0 and r 1.

Equation (35) may be rewritten as:

in equation (36), k can thus be found as follows:

when P is present_N(k) When α, equation 36.4 may be rewritten as a function of N and α:

for example, for N2000 and P_N(k)＝10^-6，

The following table provides examples of test parameters calculated for the unit test (T1), the poker test (T2), the run test and the longest run test according to the previous equations providing the lower/upper thresholds Li and Hi as a function of N and a (for T1, T2, T3) or the longest run parameter k as a function of a for N e {5000,10000,20000,40000}, the value N20000 being a fixed value (defined by the standards NIST FIPS 140-2 and BSI AIS 31) typically used for testing bit sequences generated by RNG 11. In the following example table, a given value of α is chosen for illustration purposes, but α may vary:

TABLE 3

FIG. 3 is a flow diagram of a method of testing a random bit sequence generated by RNG 11 using a set of tests that provide a sum test Ti (e.g., T1, T2, and T3) against which condition (1) is checked, the condition being defined by a lower threshold Li and an upper threshold Hi, both of which depend on N and a, according to some embodiments.

In step 300, the error probability and the bit sequence length N are received.

In step 302, a random number sequence generated by the RNG 11 is detected.

In step 304, it is checked whether the RNG 11 has generated N bits.

If so, then in step 306, each of the P statistical tests 103 is applied to the sequence of k-bit random numbers received from RNG 11. Otherwise, the process returns to step 302. The execution of each statistical test provides at least one sum Ti. In the case of a running test, each considered run k provides the sum T_i,k。

In step 310, the sum T is summed for each statistical test obtained for the statistical test_i(or T for each run k of the run test_i,k) Determining a lower threshold L in association with the statistical test sum_i(or L for each run k of the run test_i,k) And an upper threshold value H_i(or H for each run k of the run test_i,k) The lower and upper thresholds depend on N and on the error probability a.

In step 312, the associated lower threshold L is used_i(or L)_i,k) And associated upper threshold H_i(or H)_i,k) For each statistical test sum T provided by each statistical test_i(or T for each run k of the run test_i,k) Condition (1) was tested.

In step 314, the random bit sequence may be rejected if the at least one statistical test does not satisfy condition 1 (block 312). Otherwise, steps 310 and 312 are repeated for other statistical tests, since not all statistical tests have been processed (step 313). In step 316, if all the statistical test sums satisfy condition 1, the random bit sequence is verified and N random bits may be transmitted to the target system 12.

Exhibit E1.3 provides a testing method for testing a sequence of bits generated by an RNG upon arrival of random bits in a microcode format, using statistical testing, according to one embodiment:

-unit test (T1);

-poker testing (T2);

-running a test (T3);

-longest run test (T4).

The test method of exhibit e.1.3 has an optimized delay and is particularly suitable for testing sequences of N bits in a chip-embedded test device 10.

Embodiments of the present invention are thus able to dynamically select a number N of raw bits to test given a target debit/delay. They also provide a dynamic error probability τ for a given target application and provide a fully controllable delay (by waiting for a fixed number of raw bits) at all stages (compared to the prior art, which generates an uncontrollable delay).

Embodiments of the present invention apply to both embedded statistical testing (where testing is performed within a system or device chip using a sequence of random numbers) and online statistical testing.

In some applications requiring fast processing, the value of N may be chosen to be less than 20000, thereby reducing the overall time required to test the bit sequence. In contrast, for applications that require a more stringent evaluation of the generated random numbers, the sequence size N may be increased in order to reduce the number of false positive detections.

Thus, embodiments of the present invention can flexibly adjust N according to the needs of the application.

Test equipment according to embodiments of the invention may be used in various applications, such as:

simulation applications, which simulate and model complex phenomena (e.g. monte carlo integrals used in the financial and engineering fields);

-a random sampling application that selects random samples from a larger data set;

-cryptographic applications, such as authentication, signing, encryption, digital signature generation, encryption key generation systems or internet encryption protocol applications;

chip manufacturing and seeding of device-specific keys, e.g. for near field communication or device ID; machine learning and statistical learning applications (true random number generators can be used to obtain samples from random distributions).

Exemplary target systems 12 include cryptographic systems that implement cryptographic functions based on one or more cryptographic keys to ensure data and/or signal security, authentication, protection, and privacy, such as:

-a smart card, a device storing a secret key (e.g. a wallet), a smart card reader (e.g. an Automatic Teller Machine (ATM) used in financial applications);

-digital electronic devices such as RFID tags and the like;

-an embedded secure element;

computers (e.g., desktop and laptop computers), tablet computers;

-routers, switches, printers;

mobile phones, e.g. smart phones, base stations, relay stations, satellites;

-internet of things (IoT) devices, robots, drones; and

recorders, multimedia players, mobile storage devices (e.g. memory cards and hard disks), where login access is monitored by encryption mechanisms, etc.

In certain alternative embodiments, the functions, acts and/or operations specified in the flowcharts, sequence diagrams and/or block diagrams may be reordered, processed serially and/or processed concurrently consistent with embodiments of the invention. Further, any of the flow diagrams, sequence diagrams and/or block diagrams may include more or fewer blocks than those shown consistent with an embodiment of the invention.

In particular, it should be noted that the statistical tests 103 may be tested in any order, sequentially, or in parallel.

While the present invention has been illustrated by a description of various embodiments and while these embodiments have been described in considerable detail, it is not the intention of the applicants to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. The invention in its broader aspects is therefore not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. In particular, it should be noted that the invention is not limited to statistical tests on AIS31 test sets and that other types of statistical tests for testing sequences generated by RNG 11 may be used, such as:

other tests from AIS31 pair, including for example an autocorrelation test (test 5), a uniform distribution test (test 6), a homogeneity test or a comparison test for multiple distributions (test 8), an entropy estimation test (test 8).

Tests from the NIST test suite, e.g. according to the NIST SP800-22 test suite, e.g. serial tests, frequency (units) tests, etc.

Exhibit E1

Definition of

E1.1. Normal distribution

If the probability density function of a (continuous) random variable X is as follows, then this X has a mean value μ and a variance σ²Normal distribution of (a):

the density function of the continuous random variable X satisfies:

-(x)≥0 for all x∈]-∞,+∞[

-

for all

E1.2 "chi square²Distribution of

χ²The distribution can be used to compare the goodness of fit of the observed frequency of an event to the expected frequency under its hypothetical distribution. When the squares of k independent random variables with a normal distribution are added, χ with k degrees of freedom occurs²And (4) distribution.

Let k be an integer of 1 or more. If the density function is as follows, then it is continuousThe random variable X has a degree of freedom k%²Distribution:

where Γ (x) is a gamma function defined for t > 0:

e.1.3 test methods