True random number generator based on physical unclonable function and related method
阅读说明:本技术 基于物理不可复制功能的真随机数产生器以及相关方法 (True random number generator based on physical unclonable function and related method ) 是由 游钧元 刘用翔 庄恺莘 于 2021-05-26 设计创作,主要内容包括:本发明公开了一种基于物理不可复制功能(简称PUF)的真随机数产生器以及用于产生真随机数的方法。所述基于PUF的随机数产生器可包含第一混淆电路、耦接至所述第一混淆电路的密码电路、以及耦接至所述密码电路的第二混淆电路。所述第一混淆电路自所述电子装置的PUF池取得第一PUF值,并且基于所述第一PUF值对初步种子进行第一混淆功能以产生最终种子。所述密码电路利用所述最终种子作为密码功能的金钥以产生多个初步随机数。所述第二混淆电路自所述PUF池取得第二PUF值,并且基于所述第二PUF值对所述多个初步随机数进行第二混淆功能以产生多个最终随机数。本发明能改善基于物理不可复制功能的真随机数产生器的安全性以及输出随机性。(The invention discloses a Physical Uncloneable Function (PUF) based true random number generator and a method for generating a true random number. The PUF-based random number generator may include a first garbled circuit, a cryptographic circuit coupled to the first garbled circuit, and a second garbled circuit coupled to the cryptographic circuit. The first obfuscation circuit takes a first PUF value from a PUF pool of the electronic device and performs a first obfuscation function on a preliminary seed based on the first PUF value to produce a final seed. The cryptographic circuit generates a plurality of preliminary random numbers using the final seed as a key for a cryptographic function. The second garbled circuit takes a second PUF value from the pool of PUFs and performs a second garbled function on the plurality of preliminary random numbers based on the second PUF value to produce a plurality of final random numbers. The invention can improve the safety and output randomness of the true random number generator based on the physical unclonable function.)
1. A physical unclonable function-based true random number generator for an electronic device, the physical unclonable function-based true random number generator comprising:
a first obfuscation circuit configured to obtain a first physically unclonable function value from a physically unclonable function pool of the electronic device, and perform a first obfuscation function on a preliminary seed based on the first physically unclonable function value to generate a final seed;
a cryptographic circuit, coupled to the first obfuscation circuit, for generating a preliminary random number sequence using the final seed as a key of a cryptographic function; and
a second obfuscation circuit, coupled to the cryptographic circuit, for obtaining a second physically unclonable function value from the physically unclonable function pool and performing a second obfuscation function on the preliminary random number sequence based on the second physically unclonable function value to generate a final random number sequence.
2. The physical unclonable function-based true random number generator of claim 1, wherein the first garbled circuit concatenates the preliminary seed with the first physical unclonable function value to generate the final seed.
3. The physical unclonable function-based true random number generator of claim 1, wherein the physical unclonable function-based true random number generator further comprises an entropy circuit to provide the preliminary seed, and wherein the entropy circuit comprises:
an oscillator for outputting a plurality of random single bit values; and
a collecting circuit for collecting the plurality of random single-bit values to generate the preliminary seed.
4. The physically unclonable function-based true random number generator of claim 1, wherein the physically unclonable function-based true random number generator further comprises a non-volatile memory to provide the preliminary seed, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the preliminary seed stored in the non-volatile memory, and wherein the feedback random number is derived from the preliminary random number sequence or the final random number sequence.
5. The physical unclonable function-based true random number generator of claim 1, wherein the physical unclonable function-based true random number generator further comprises:
an entropy circuit for providing an entropy seed;
a non-volatile memory for providing a non-volatile memory seed, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the non-volatile memory seed stored in the non-volatile memory, and the feedback random number is derived from the preliminary random number sequence or the final random number sequence;
a test circuit, coupled to the entropy circuit, for testing the entropy seed to generate a test result; and
a multiplexer, coupled to the entropy circuit, the non-volatile memory, and the test circuit, for selecting one of the entropy seed and the non-volatile memory seed for output as the preliminary seed in response to the test result.
6. The physically unclonable function based true random number generator of claim 5, wherein the test circuit is a health test on the entropy seed, the multiplexer selects the entropy seed as the preliminary seed when the test result indicates that the entropy circuit is in a healthy state, and the multiplexer selects the non-volatile memory seed as the preliminary seed when the test result indicates that the entropy circuit is in an unhealthy state.
7. The physical unclonable function-based true random number generator of claim 1, wherein the physical unclonable function-based true random number generator further comprises an entropy circuit to provide an entropy seed, and wherein the entropy circuit comprises:
an oscillator for outputting a random control bit; and
a collecting circuit coupled to the oscillator, wherein the collecting circuit determines whether to update the entropy seed by a feedback random number in response to the random control bit, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence.
8. The physical unclonable function-based true random number generator of claim 7, wherein the collection circuit comprises:
a third obfuscating circuit for performing a third obfuscating function on the entropy seed based on the feedback random number to generate an updated entropy seed; and
a first multiplexer, coupled to the oscillator, for selecting one of the pre-update entropy seed and the post-update entropy seed in response to the random control bit to output a latest entropy seed.
9. The physical unclonable function-based true random number generator of claim 8, wherein the physical unclonable function-based true random number generator further comprises:
a non-volatile memory for providing a non-volatile memory seed, wherein the feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the non-volatile memory seed stored in the non-volatile memory; and
a second multiplexer, coupled to the non-volatile memory and the gather circuit, for selecting one of the non-volatile memory seed and the entropy seed as the preliminary seed;
wherein when the second multiplexer selects the non-volatile memory seed, the feedback random number is generated based on the non-volatile memory seed and the updated entropy seed is generated based on the feedback random number.
10. The physically unclonable function-based true random number generator of claim 1, wherein the physically unclonable function-based true random number generator further comprises an entropy circuit for providing the preliminary seed, and wherein the entropy circuit comprises:
an oscillator for outputting a plurality of random single bit values, wherein the oscillator generates a periodic signal that varies between a first logic value and a second logic value at an oscillation frequency, and the periodic signal is sampled at a sampling frequency such that the first logic value and the second logic value randomly appear among the plurality of random single bit values;
wherein the sampling frequency is different from the oscillation frequency.
11. A method for generating true random numbers, applicable to an electronic device, comprising:
performing a first obfuscation function on a preliminary seed based on a first physically unclonable function value by using a first obfuscation circuit to generate a final seed;
using a cryptographic circuit to generate a preliminary random number sequence using the final seed as a key for a cryptographic function; and
performing a second obfuscation function on the preliminary random number sequence based on a second physically unclonable function value by using a second obfuscation circuit to generate a final random number sequence;
wherein the first and second physically unclonable function values are obtained from a pool of physically unclonable functions of the electronic device.
12. The method of claim 11, wherein performing, with the first obfuscation circuit, the first obfuscation function on the preliminary seed based on the first physically unclonable function value to generate the final seed comprises:
stitching, with the first garbled circuit, the preliminary seed with the first physically unclonable function value to generate the final seed.
13. The method of claim 11, further comprising:
generating a plurality of random single-bit values; and
and obtaining the preliminary seed according to the plurality of random single bit values.
14. The method of claim 11, further comprising:
obtaining the preliminary seed from a non-volatile memory, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the preliminary seed stored in the non-volatile memory, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence.
15. The method of claim 11, further comprising:
obtaining an entropy seed from an entropy circuit;
obtaining a non-volatile memory seed from a non-volatile memory, wherein a feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the non-volatile memory seed stored in the non-volatile memory, and the feedback random number is obtained from the preliminary random number sequence or the final random number sequence;
testing the entropy seed by using a test circuit to generate a test result; and
selecting one of the entropy seed and the non-volatile memory seed for output as the preliminary seed in response to the test result using a multiplexer.
16. The method of claim 15, wherein the testing circuit tests the entropy seed for health, the step of selecting one of the entropy seed and the non-volatile memory seed comprising:
selecting the entropy seed as the preliminary seed when the test result indicates that the entropy circuit is in a healthy state; and
selecting the non-volatile memory seed as the preliminary seed when the test result indicates that the entropy circuit is in an unhealthy state.
17. The method of claim 11, further comprising:
generating a random control bit; and
determining whether to update an entropy seed with a feedback random number in response to the random control bit, wherein the feedback random number is obtained from the preliminary random number sequence or the final random number sequence.
18. The method as claimed in claim 17, wherein the step of determining whether to update the entropy seed by means of the feedback random number in response to the random control bit comprises:
performing a third obfuscation function on the entropy seed based on the feedback random number to generate an updated entropy seed; and
selecting one of the entropy seed before and after updating in response to the random control bit to output a latest entropy seed.
19. The method of claim 18, further comprising:
obtaining a non-volatile memory seed from a non-volatile memory, wherein the feedback random number is written to the non-volatile memory at one or more predetermined points in time to update the non-volatile memory seed stored in the non-volatile memory; and
selecting one of the non-volatile memory seed and the entropy seed as the preliminary seed;
wherein when the non-volatile memory seed is selected, the feedback random number is generated based on the non-volatile memory seed and the updated entropy seed is generated based on the feedback random number.
20. The method of claim 17, wherein the step of generating the random control bits comprises:
generating a periodic signal by using an oscillator, wherein the periodic signal changes between a first logic value and a second logic value under an oscillation frequency; and
sampling the periodic signal at a sampling frequency such that the first and second logic values randomly appear in a plurality of random single-bit values of the oscillator output to generate the random control bit;
wherein the sampling frequency is different from the oscillation frequency.
Technical Field
The present invention relates to a true random number generator, and more particularly, to a true random number generator based on a physical unclonable function and a method for generating a true random number.
Background
The physically unclonable function may be considered a fingerprint on a wafer, and may be used as a static entropy (entropy) value for a qualification-related application because the physical characteristics of different wafers may differ slightly due to some uncontrollable factors in the manufacturing process, which cannot be duplicated or predicted. In some related art, the pool of physical unclonable functions requires a storage space in the electronic device, and in particular, in order to improve the randomness of the output values based on the physical unclonable functions, the required hardware resources are increased accordingly. Therefore, a novel architecture and associated method are needed to improve the output randomness of a physically unclonable function-based true random number generator with no or less side effects.
Disclosure of Invention
Therefore, the present invention is directed to a physical unclonable function-based true random number generator and a method for generating true random numbers, which can improve the overall performance of the physical unclonable function-based true random number generator without significantly increasing the overall hardware cost.
At least one embodiment of the present invention provides a Physical Unclonable Function (PUF) -based true random number generator for an electronic device. The physically unclonable function based true random number generator may include a first obfuscation (obfuscation) circuit, a cryptographic circuit coupled to the first obfuscation circuit, and a second obfuscation circuit coupled to the cryptographic circuit. The first obfuscation circuit is configured to obtain a first physically unclonable function value from a physically unclonable function pool of the electronic device, and perform a first obfuscation function on a primary seed based on the first physically unclonable function value to generate a final seed. The cryptographic circuit is configured to generate a preliminary random number sequence using the final seed as a key for a cryptographic function. The second obfuscation circuit is configured to obtain a second physically unclonable function value from the physically unclonable function pool, and perform a second obfuscation function on the preliminary random number sequence based on the second physically unclonable function value to generate a final random number sequence.
At least one embodiment of the present invention provides a method for generating true random numbers, wherein the method is applicable to an electronic device. The method may include: performing a first obfuscation function on a preliminary seed based on a first physically unclonable function value by using a first obfuscation circuit to generate a final seed; using a cryptographic circuit to generate a preliminary random number sequence using the final seed as a key for a cryptographic function; and performing a second obfuscation function on the preliminary random number sequence based on a second physically unclonable function value by using a second obfuscation circuit to generate a final random number sequence. In particular, the first and second physically unclonable function values are obtained from a physically unclonable function pool of the electronic device.
Embodiments of the present invention provide true random number generators and related methods based on physical unclonable functions that can improve overall performance with various characteristics such as cryptographic functions (e.g., good security and good pseudo-randomness), dynamic entropy (e.g., providing "live" (live) entropy to systems, particularly electronic devices), and static entropy (e.g., physical unclonable functions, which can be considered as fingerprints on a chip). Thus, embodiments of the present invention can improve the security and output randomness of a physically unclonable function-based true random number generator with no or less side effects.
Drawings
Fig. 1 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 2 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 3 is a schematic diagram of an electronic device according to another embodiment of the invention.
Fig. 4 is a schematic diagram of an electronic device according to an embodiment of the invention.
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the invention.
FIG. 6 is a workflow of a method for generating true random numbers according to an embodiment of the invention.
Wherein the reference numerals are as follows:
10. 20, 40, 50 electronic device
15 pool of physical unclonable functions
100. 200, 400, 500 true random number generator based on a pool of physical unclonable functions
110 garbled circuit
120 cipher circuit
130 garbled circuit
140 entropy circuit
141 oscillator
142 exclusive OR logic circuit
143 multiplexer
144 entropy collector
145 selective entropy collector
150 non-volatile memory
160 health test circuit
170 multiplexer
180 multiway distributor
PUF1, PUF2 physically uncloneable function value
SEEDDYNDynamic entropy seeding
SEEDNVMNon-volatile memory seed
SEEDPREPreliminary seed
SEEDFINALFinal seed
{RNPREPreliminary random number sequence
{RNFINALFinal random number sequence
TEST results of TEST
610. 620, 630, 640, 650 steps
Detailed Description
Fig. 1 is a schematic diagram of an electronic device 10 according to an embodiment of the invention, in which the electronic device 10 may include a Physical Unclonable Function (PUF) pool 15 and a PUF-based true random number generator 100 coupled to the PUF pool 15. As shown in fig. 1, the PUF-based true random number generator 100 may include a first obfuscation (obfuscation) circuit such as obfuscation circuit 110, a cryptography circuit 120, and a second obfuscation circuit such as obfuscation circuit 130, wherein the cryptography circuit 120 is coupled to the obfuscation circuit 110, and the obfuscation circuit 130 is coupled to the cryptography circuit 120. In this embodiment, the garbled circuit 110 may obtain a first PUF value, such as PUF value PUF1, from the PUF pool 15 and perform a first garbled function on a preliminary SEED based on PUF value PUF1 to generate a final SEEDFINAL. The cryptographic circuit 120 may be used to utilize the final SEED SEEDFINALGenerating a preliminary random number sequence { RN ] as a key for a cryptographic functionPRE}. For example, the cryptographic circuit 120 may perform the cryptographic algorithm of DES, AES, RSA, or MD 5. The garbled circuit 130 may retrieve a second PUF value, such as PUF value PUF2, from the PUF pool 15 and pair the preliminary sequence of random numbers { RN } based on PUF value PUF2PREPerforming a second obfuscation function to generate a sequence of final random numbers RNFINALIn which the final random number sequence { RN }FINALEach random number in the (f) is used as an output random number of the PUF-based true random number generator 100, if necessary.
In this embodiment, the PUF-based true random number generator 100 may further compriseAn entropy (entropy) circuit 140 is provided for providing an entropy SEED such as a dynamic entropy SEEDDYNAs the preliminary seed. For example, the entropy circuit 140 may comprise an oscillator for outputting a plurality of random single bit (bit) values. In detail, the oscillator can generate a periodic signal that varies between a logic value "0" and a logic value "1" at an oscillation frequency, and the value of the periodic signal is sampled at a sampling frequency (e.g., by a sampler built at an output terminal of the oscillator, wherein the sampler is controlled by the sampling frequency) to output the plurality of random single-bit values, wherein the sampling frequency is different from the oscillation frequency (e.g., the sampling frequency may be lower than the oscillation frequency). Because of factors such as temperature, noise, etc., the logic values "1" and "0" generated by the periodic signal are sampled in a random manner, so that the logic values "1" and "0" appear randomly in the plurality of random single-bit values. In addition, the physical characteristics of different wafers may differ slightly due to certain uncontrollable factors during the manufacturing process, which cannot be replicated or predicted, and the differences may be reflected in the PUF values (e.g., PUF1 and PUF2) in the PUF pool 15 of the electronic device 10. These PUF values can therefore be considered as fingerprints on the wafer, whereas in this embodiment these PUF values provide static entropy. In certain embodiments, the first PUF value may be different from the second PUF value (e.g., PUF1 ≠ PUF 2).
To determine whether a random number sequence is available (available), the random number sequence requires certain test items defined by the National Institute of Standards and Technology (NIST) -800-22. Although based on a dynamic entropy SEED SEED generated by an oscillator SEEDDYNWith some degree of randomness, but dynamic entropy seedingDYNIt may still be difficult to pass all of the test items of NIST-800-22. For example, dynamic entropy SEEDDYNPerhaps by a binary matrix rank test (binary matrix rank test), a non-overlapping template matching test (n)on-overlapping template matching test), linear complexity test (linear complexity test), and random offset variance test (random offset variance test), but may not pass frequency tests such as single bit test (monobit test), intra-block frequency test (frequency with a block test), run-through test (run test), intra-block run-time longest test (change run in a block test), discrete Fourier transform test (discrete Fourier transform) such as discrete Fourier transform spectrum test (discrete Fourier transform spread test), Overlapping template matching test (Overlapping template matching test), mauer's general statistical test (main's statistical test), serial test (serial test), approximate entropy test, cumulative sum test (cumulative sum test), and random offset test (random offset test). However, after the processing of the obfuscation circuit 110 and the encryption circuit 120, the initial random number sequence { RN }PREAll test items listed above can be passed. Frequency (single bit) tests are used to detect whether the occurrence rates of "0" and "1" are close to each other, serial tests are used to detect whether the longest consecutive "0" and the longest consecutive "1" are reasonable (e.g., below a predetermined threshold), and non-overlapping template matching tests are used to detect whether the repeating pattern of a random number sequence is reasonable (e.g., whether the pattern repeats regularly or randomly). Since the test items are defined in the NIST-800-22 standard, which is well known, a person of ordinary skill in the art should understand the meaning of the test items, and the details thereof are not repeated herein for the sake of brevity.
In this embodiment, any one (e.g., each) of the first obfuscation function and the second obfuscation function may include an addend (e.g., an addition), a multiplicative (e.g., a multiplication), a permutation (multiplication), a substitution (substitution), a one-way function (encryption), or a combination thereof. For example, either (e.g., each) of the obfuscation circuits 110 and 130 may be exclusive-OR (XOR) logic circuits to implement an addition arithmetic function. Those skilled in the art will understand how to implement the above-described embodimentsThe logic circuits corresponding to the obfuscating functions of other types are not described in detail herein for the sake of brevity. In some embodiments, the first obfuscation function may be the same as the second obfuscation function (e.g., obfuscation circuits 110 and 130 may be implemented by the same type of logic circuit). In some embodiments, the first obfuscation function may be different than the second obfuscation function (e.g., obfuscation circuits 110 and 130 may be implemented by different types of logic circuits). When each of the garbled circuits 110 and 130 is an exclusive OR logic circuit, the garbled circuit 110 performs a dynamic entropy SEED onDYNExclusive OR operation with PUF value PUF1 to generate final SEED SEEDFINALThe aliasing circuit 130 is used to alias the preliminary random number sequence { RNPREMutually exclusive OR operation with PUF value PUF2 to generate the final random number sequence RNFINAL}。
In an embodiment, the garbled circuit 110 may use the preliminary SEED such as the dynamic entropy SEEDDYNConcatenating (concatenating) with PUF values PUF1, e.g. by arranging dynamic entropy SEEDs SEED sequentiallyDYNWith PUF value PUF1 to generate the final SEED SEEDFINAL. For example, assume a dynamic entropy SEED SEEDDYNFor M-bit digital values and the PUF value PUF1 for N-bit digital values, and the garbled circuit 110 may SEED the dynamic entropyDYNSEED as final SEEDFINALAnd additionally takes the PUF value PUF1 as the final SEEDFINALTo generate a final SEED of M + N bitsFINAL。
In one embodiment, the cryptographic function may comprise a cipher function (e.g., stream cipher such as a Trivium cipher) or a hash function (hash function). When a specific key (e.g., final SEED SEED)FINAL) Is input to the cryptographic circuit 120, a corresponding bit stream is output and the bit stream has good security and good pseudo-randomness. If the key is constant every time the electronic device 10 is powered on, the corresponding bitstream is also constant every time. To further improve security and randomness, the key used by the cryptographic circuit 120 may be dynamic. Due to the final seed SEEDFINALBased on dynamic entropy SEED SEEDDYNAnd a sequence of preliminary random numbers { RN } generated by the PUF value PUF1PREThere may be a benefit of using the dynamic entropy seed with the PUF value PUF1, thereby improving security and randomness. Furthermore, even if the cryptographic functions are implemented by well-known methods or standards, it is still difficult for a person of ordinary skill in the art to self-evaluate the final random number sequence { RNFINALTrace back to decrypt the cryptographic function (decripher) because of the final output (i.e. { RN)FINAL} is generated by the garbled circuit 130 based on the unpredictable PUF value PUF 2. Thus, the final random number sequence RNFINALThe security performance of is further improved. It is noted that the cryptographic functions are not limited to a particular type of cryptographic function, and that certain well known algorithms can be employed for the cryptographic functions of the present invention.
Fig. 2 is a schematic diagram of an electronic device 20 according to an embodiment of the invention, wherein the electronic device 20 may include the PUF cell 15 and a PUF-based true random number generator 200 coupled to the PUF cell 15. The embodiment of fig. 2 is similar to that of fig. 1, but the main difference is that the PUF-based true random number generator 200 may include a non-volatile memory (NVM) 150 (denoted as "NVM" in the figure for simplicity) for providing the preliminary SEED, and in particular, a non-volatile memory SEED (NVM SEED) SEED stored in the NVM 150NVMTo serve as the preliminary seed. In addition, a feedback random number may be written to the non-volatile memory 150 at one or more predetermined points in time to update the NVM SEED stored in the non-volatile memory 150NVM. In one embodiment, the feedback random number may be derived from a preliminary random number sequence { RNPREGet, as shown in fig. 2. In another embodiment, the feedback random number may be derived from a final random number sequence { RNFINALGet as shown in fig. 3. Similar to the embodiment of FIG. 1, the final random number sequence { RN }FINALEach random number in the (f) is available as an output random number of the PUF-based true random number generator 200, if desired.
Note that the updates are stored inNVM SEED SEED in non-volatile memory 150NVMThe point in time of (a) is not a limitation of the invention. For example, the feedback random number may be a preliminary random number sequence { RNPRE} or a final random number sequence RNFINALThe first random number after the electronic device 20 is powered on, and once the first random number is generated, the first random number can be written into the non-volatile memory 150. As another example, the feedback random number may be written to the non-volatile memory 150 at predetermined time intervals to update the NVM SEEDNVM. For another example, when the electronic device 20 receives a power-off command, the feedback random number may be a preliminary random number sequence { RNPRE} or a final random number sequence RNFINALThe latest random number after the electronic device 20 is powered on can be written into the non-volatile memory 150 to update the NVM SEED before the electronic device 20 is powered offNVM。
Fig. 4 is a schematic diagram of an electronic device 40 according to an embodiment of the invention. As shown in fig. 4, the electronic device 40 may include the PUF pool 15, and a PUF-based true random number generator 400 coupled to the PUF pool 15, wherein the PUF-based true random number generator 400 may be considered a combination of the PUF-based true random number generator 100 shown in fig. 1, the PUF-based true random number generator 200 shown in any one of fig. 2 and 3, and one or more additional circuits. Specifically, the PUF-based true random number generator 400 may include the obfuscation circuit 110, the cryptographic circuit 120, the obfuscation circuit 130, the entropy circuit 140, and the non-volatile memory 150 mentioned in the above embodiments, and may further include a test circuit such as a health test circuit 160, and a Multiplexer (MUX) 170 (labeled "MUX" in the figure for simplicity). In the present embodiment, the health test circuit 160 is coupled to the entropy circuit 140, and the multiplexer 170 is coupled to the entropy circuit 140, the nonvolatile memory 150 and the health test circuit 160. For example, the health test circuit 160 may be used to test dynamic entropy SEED SEEDDYN(or any data/signals associated with the operation of the entropy circuit 140) to generate a TEST result TEST, and in particular, the health TEST circuit 160 is dynamicEntropy SEED SEEDDYNHealth TESTs are performed and the multiplexer 170 may be used to derive the dynamic entropy SEED SEED from the TEST result TESTDYNWith NVM SEEDNVMSelecting one of them for use as the preliminary SEED (e.g., SEED)PRE) Is output to the garbled circuit 110.
Specifically, the multiplexer 170 may select the dynamic entropy SEED SEED when the TEST result TEST indicates that the entropy circuit 140 is in a healthy stateDYNSEED as preliminary SEEDPREWhen the TEST result TEST indicates that the entropy circuit 140 is in an unhealthy state, the multiplexer 170 may select the NVM SEED SEEDNVMSEED as preliminary SEEDPRE. For example, the health test circuit 160 can collect a certain number of random single-bit values from the oscillator in the entropy circuit 140 at intervals of a predetermined time interval as a set of data. If the health TEST circuit 160 detects that the coverage of a logic value "0" (or a logic value "1") within a set of data falls within a predetermined range (e.g., from 20% to 80%), the health TEST circuit 160 may output a TEST result TEST with a first logic state (e.g., "0") to indicate that the entropy circuit 140 is "healthy", and the multiplexer 170 may select the dynamic entropy SEED SEEDDYNSEED as preliminary SEEDPRE. If the health TEST circuit 160 detects that the coverage of a logic value "0" (or a logic value "1") in a set of data does not fall within the predetermined range (e.g., greater than a predetermined upper limit such as 80% or below a predetermined lower limit such as 20%), the health TEST circuit 160 may output a TEST result TEST with a second logic state (e.g., "1") to indicate that the entropy circuit 140 is "unhealthy", and the multiplexer 170 may select the NVM SEED SEEDNVMSEED as preliminary SEEDPRE. It should be noted that the detailed operations related to the at least one test are for illustrative purposes only and are not intended to limit the present invention, and that one or more of the test items defined in, for example, the NIST-800-22 standard may also be employed in the at least one test.
In some cases, either the entropy circuit 140 or the non-volatile memory 150 may be hacked from or into the electronic device 40Risk of hacking or destruction, leading to security problems. Since the garbled circuit 110 has two sources for obtaining the preliminary SEEDPREIf one of the entropy circuit 140 and the non-volatile memory 150 is hacked or corrupted, the other can be replaced to provide the preliminary SEED SEEDPRE. Thus, the robustness and security of the PUF-based true random number generator 400 is improved.
In some embodiments, the health test circuit 160 may be omitted and the multiplexer 170 may be enabled to respond to another control signal to SEED from the dynamic entropyDYNWith NVM SEEDNVMSelecting one of them for output as a preliminary SEED SEEDPREWherein this control signal can be taken from outside the electronic device 40. For example, by controlling the logic state of this control signal, the user can manually control the multiplexer 170 to slave the dynamic entropy SEEDDYNWith NVM SEEDNVMSelecting one of them for output as a preliminary SEED SEEDPREAnd the health test circuit 160 may be omitted, but the present invention is not limited thereto.
Fig. 5 is a schematic diagram of an electronic device 50 according to an embodiment of the invention. As shown in fig. 5, the electronic device 50 may include the PUF cell 15 and a PUF-based true random number generator 500 coupled to the PUF cell 15, wherein the PUF-based true random number generator 500 may be considered as an example of the PUF-based true random number generator 400 shown in fig. 4, and the health test circuit 160 is not shown in fig. 5 for simplicity. In particular, FIG. 5 shows implementation details of the entropy circuit 140. In the present embodiment, the entropy circuit 140 may include an oscillator 141, and a collecting circuit such as a selective entropy collector (selective entropy collector)145 coupled to the oscillator 141, wherein the oscillator 141 may be used to output a random control bit SEL (e.g., each of the random single-bit values), and the selective entropy collector 145 may determine whether to utilize a feedback random number RN according to the random control bit SELFBTo update the dynamic entropy SEED SEEDDYN. In the embodiment of fig. 5, the random number RN is fed backFBIs a self-terminating random number sequence RNFINALThe acquisition is carried out by the following steps,but the invention is not limited thereto. In some embodiments, a random number RN is fed backFBIs derived from a preliminary random number sequence RNPREBut the present invention is not limited thereto. In detail, the selective entropy collector 145 may include a third garbled circuit such as the exclusive-or logic 142 (labeled "XOR" for simplicity), a multiplexer 143 (labeled "MUX" for simplicity) coupled to the oscillator 141 and the exclusive-or logic 142, and an entropy collector 144 coupled to the multiplexer 143 and the exclusive-or logic 142. For example, the third garbled circuit such as the XOR logic 142 may be used to base the feedback random number RN onFBFor dynamic entropy SEED SEEDDYNA third obfuscating function such as an exclusive-or operation is performed to generate an updated entropy SEED, and the multiplexer 143 may be used to select one of the pre-updated entropy SEED (i.e., the entropy SEED from the output of the entropy collector 144) and the updated entropy SEED to output a latest entropy SEED (e.g., the dynamic entropy SEED) due to the random control bit SELDYNThe latest version of (d). In addition, entropy collector 144 may receive and output the latest entropy SEED as a dynamic entropy SEED SEEDDYNAnd dynamic entropy SEED SEEDDYNIs a feedback entropy seed to be transmitted to the multiplexer 143 and the exclusive or logic 142. Thus, the XOR logic 142 performs the XOR operation to generate the updated entropy SEED (which is a dynamic entropy SEED)DYNAnd feedback random number RNFBExclusive or result of) and the multiplexer 143 may select the updated entropy SEED or the pre-updated dynamic entropy SEED according to the random control bit SELDYNThe output is provided to entropy collector 144, wherein entropy collector 144 may be implemented by flip-flop (flip-flop), but the invention is not limited thereto. Since the random control bit SEL is randomly switched between logic states "0" and "1", the dynamic entropy SEED SEED is updatedDYNCan be performed randomly. For example, when the random control bit SEL is "0", the dynamic entropy SEED SEEDDYNWill not change; when the random control bit SEL is '1', the dynamic entropy SEED SEEDDYNIt is updated. It is noted that mutual exclusion isThe OR logic 142 is not limiting to the third garbled circuit embodiment, in which the dynamic entropy SEED can be changedDYNAre within the scope of the present invention.
In the embodiment of FIG. 5, when the multiplexer 170 selects the NVM SEED SEEDNVMAnd the multiplexer 143 selects the updated entropy SEED, the dynamic entropy SEEDDYNCan be based on NVM SEED SEEDNVMIs generated. In detail, when the multiplexer 170 selects the NVM SEED SEEDNVMSEED as preliminary SEEDPRETime, feedback random number RNFBIs based on the preliminary SEED SEEDPREGeneration (representing feedback random number RN)FBIs based on NVM SEED SEEDNVMGenerated), and the exclusive-or logic circuit 142 is based on the feedback random number RNFBGenerating the mutex or result. Then, the multiplexer 143 outputs the exclusive OR result as the updated entropy SEED, since the updated entropy SEED is based on the NVM SEED SEEDNVMGeneration, and therefore entropy collector 144, can be based on NVM SEED SEEDNVMGeneration of dynamic entropy SEED SEEDDYN。
Additionally, the embodiment of FIG. 5 is not limiting of the invention. In some embodiments, the entropy circuit 140 shown in fig. 1 and 4 can be implemented by different architectures. For example, the entropy circuit 140 may comprise an oscillator and a collecting circuit coupled to the oscillator, wherein the oscillator may be used to output a plurality of random single-bit values, and the collecting circuit may be used to collect the random single-bit values to generate the dynamic entropy SEEDDYN(e.g., by concatenating, such as sequentially arranging, a predetermined number of random single-bit values from the random single-bit values to produce a dynamic entropy SEED SEEDDYN) However, the present invention is not limited thereto.
In addition, the final random number sequence { RNFINALEach final random number in the } is preferably sent to only one object. For example, the PUF-based true random number generator 500 may further include a de-multiplexer (DEMUX) 180 (labeled "DEMUX" in the figure for simplicity) coupled to the garbled circuit 130. In this embodiment, the final random number sequence{RNFINALThere may be three possible paths, including a first path for providing an output random number to the PUF-based true random number generator 500, a second signal path for updating the NVM SEED SEEDNVMAnd a third signal path for updating the dynamic entropy SEEDDYNWherein the demultiplexer 180 controls only one of the signal paths to be enabled at a single point in time. Thus, from the final random number sequence RNFINALAny single final random number taken is not reused by different elements, thus ensuring the security of the PUF-based true random number generator 500. For example, the final random number sequence RNFINALThe first final random number after the electronic device 50 is powered up may be programmed into the non-volatile memory 150 (e.g., the second signal path is enabled during the first operation cycle after the electronic device 50 is powered up); then, the NVM SEED stored in the non-volatile memory 150 is SEEDNVMAfter being updated, the second signal path is disabled and the third signal path is enabled; the first signal path is enabled only when another component within the electronic device 50 requests a random number. It should be noted that the above-mentioned scheduling for enabling the first signal path, the second signal path and the third signal path is only for illustrative purposes and is not meant to limit the present invention.
Fig. 6 is a flowchart of a method for generating a true random number according to an embodiment of the present invention, wherein the method is applicable to an electronic device such as the electronic devices 10, 20, 40 and 50 shown in fig. 1 to 5. It should be noted that the workflow shown in fig. 6 is for illustrative purposes only and is not limiting to the present invention. One or more steps may be added, deleted or modified in the workflow of fig. 6 without affecting the overall result, and the steps need not be performed exactly in the order shown in fig. 6.
In step 610, the garbled circuit 110 obtains a first PUF value (e.g., PUF1) from the PUF pool 15.
In step 620, the power is obfuscatedWay 110 pairs a preliminary SEED (e.g., SEED) based on the first PUF value (e.g., PUF1)PRE) Performing a first obfuscation function to generate a final SEED (e.g., SEED)FINAL)。
At step 630, the cryptographic circuit 120 utilizes the final SEED (e.g., SEED)FINAL) As a key for a cryptographic function to generate a preliminary random number sequence (e.g., { RN })PRE})。
At step 640, the garbled circuit 130 obtains a second PUF value (e.g., PUF2) from the PUF cell 15.
At step 650, garbled circuit 130 couples the sequence of primary random numbers (e.g., { RN) based on the second PUF value (e.g., PUF2)PRE}) perform a second obfuscating function (e.g., XOR) to generate a final random number sequence (e.g., RNFINAL})。
The PUF-based true random number generator and the related method can control related operations by matching with the characteristics of a cryptographic function, dynamic entropy and static entropy. In addition, the invention can reduce the size requirement of the PUF pool under the condition of not reducing the randomness and the safety. The invention thus enables an improvement of the overall performance of a PUF-based true random number generator without or with less side effects.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
- 上一篇:一种医用注射器针头装配设备
- 下一篇:一种随机数产生装置和方法