On Entropy and Bit Patterns of Ring Oscillator Jitter

Markku-Juhani O. Saarinen PQShield Ltd. Prama House, 267 Banbury Rd., Oxford OX2 7HT, UK Email: [email protected]

Abstract—Thermal jitter (phase noise) from a free-running Timing jitter is a relatively well-understood phenomenon ring oscillator is a common, easily implementable physical ran- for many reasons. It is an important limiting factor to the domness source in True Random Number Generators (TRNGs). synchronous operating frequency of any digital circuit. We show how to evaluate entropy, autocorrelation, and bit pattern distributions of such entropy sources, even when they An example of a detailed physical model for ring oscillator have low jitter levels or some bias. Our numerical evaluation phase noise and jitter is provided by Hajimiri et al [13]–[15], algorithms vastly outperform simple Monte Carlo simulations which we recap here. The randomness of timing jitter has in speed and accuracy. This helps in choosing the most appro- a strongly Gaussian character. The jitter accumulates in the priate parameters for TRNG self-tests and cryptographic post- phase difference against the reference clock, with variance σ2 processing. We also propose a new, safer lower bound estimation t formula for the entropy of such randomness sources. growing almost linearly from one cycle to the next. Under common conditions, the transition length standard I.INTRODUCTION:RING OSCILLATOR JITTER deviation (uncertainty) σt after time t can be estimated for Free-running (ring) oscillators are widely used as physical CMOS ring oscillators as (after [14, Eqns. 2.6,5.18]): noise sources in True Random Number Generators (TRNGs). 2 2 8 kT VDD In many ways, these designs are direct descendants of the σt = κ t ≈ · · · t (1) 3η P Vchar oscillator-based “electronic roulette wheel” used to generate the RAND tables of random digits in the late 1940s [1]. In this derivation of physical jitter κ2 we note especially A typical design (Fig. 1) has two oscillators; an unsynchro- the Boltzmann constant k and absolute temperature T ; other nized ring oscillator and a reference oscillator that is used to variables include power dissipation P , supply voltage VDD, sample bits from the free-running oscillator. Spontaneous and device characteristic voltage Vchar, and a proportionality con- naturally occurring phase shifts between the oscillators will stant η ≈ 1. The number of stages (N) and frequency f affect cause unpredictability of output bits. These random oscillator power P via common dynamic (switching) power equations. period variations are known as oscillator jitter [2]. As noted in [14, Sect. 5.2.1], such derived models only A pioneering Ring Oscillator RNG chip was described and express “inevitable noise sources” – not “extra disturbance, patented in 1984 by Bell Labs researchers [3], [4]. This such as substrate and supply noise, or noise contributed type of noise source can be realized with “standard cells” by extra circuitry or asymmetry in the waveform” – which in HDL and requires no special manufacturing processes, will increase jitter. Many of these factors are difficult to making it a popular choice. More modern versions are used model individually or are beyond digital designers’ control. as noise sources for cryptographic key generation in common In practice κ2 is measured experimentally, and existence of microchips from AMD [5] and ARM [6]. jitter (and hence, fresh thermal noise entropy) is continuously Physical entropy sources are regulated in cryptographic monitored by auxiliary circuits that are a part of the TRNG. arXiv:2102.02196v3 [cs.CR] 25 Feb 2021 security standards such as NIST’s SP 800-90B [7] (for FIPS 140-3) and BSI’s AIS 31 [8] (for Common Criteria). These mandate health monitoring (built-in statistical tests) and appro- EN “raw” D Q entropy priate post-processing. Cryptographic post-processing methods bits zi such as the SHA2 hash [9] completely mask statistical defects Latch (D-FF) while still allowing guessing attacks. Noise source entropy evaluation is therefore crucial for determining the sampling (external xtal or system) CLK Q rate and “compression ratio” of the conditioner. σ2 =21012 A. Physical Models and Their Limits An important contributor to the randomness of jitter in time a ring-oscillator inverter loop (Fig. 1) is Johnson-Nyquist thermal noise [10], [11], which occurs spontaneously in any Fig. 1. A ring oscillator consists of an odd (here N = 3) number of inverters connected into a free-running loop. The output is sampled using conductor (regardless of quality) as a result of thermal agita- an independent reference clock, such as a crystal oscillator. Transition times tion of free electrons. Jitter is a macroscopic manifestation of are affected by jitter (largely from Johnson-Nyquist thermal noise), whose this quantum-level [12] Brownian effect. accumulation causes samples to become increasingly unpredictable. B. From Statistical Random Tests to Entropy Evaluation D. Our Goals: FIPS 140-3 and More Generic ROs A 1948 report by RAND [16] describes the statistical tests Prior works generally state that the frequency of the free- performed on the output of the “million digit” oscillator device running oscillator is much higher than sampling frequency, [17]. The tests were based on work by Kendall and Smith [18], and that they do not have a harmonic relationship. The source [19] with their late 1930s electromechanical random number is also often taken to be unbiased and assumed to have a device: Frequency test, Serial test, Poker test, and Gap test. It relatively high amount of entropy per sample. In this work, we is remarkable that versions of these tests remained in use until show how to compute entropy, autocorrelation coefficients, and 2000s in the FIPS 140-2 cryptographic standard [20]. bit pattern probabilities also for less ideal parameters. Our goal While such “black box” statistical tests suites – including is to have guarantees for entropy and min-entropy in TRNG Marsaglia’s DIEHARD and its successors [21], [22] and designs as this is required in current cryptography standards NIST SP 800-22 [23] — may be useful when evaluating AIS 31 [8] and FIPS 140-3 [30] / NIST SP 800-90B [7]. pseudorandom generators for Monte Carlo simulations, they are poorly suited for security applications. It is illustrative that II.ASTOCHASTIC MODELANDITS DISTRIBUTIONS a test existed in NIST SP 800-22 even in 2010 to see if an We consider the jitter accumulation σ2 ∼ Q at sample LFSR is “long enough” to be “considered random” [23, Sect. time rather than the variance of (half) periods [28, Sect. 2.10]. Elementary cryptanalysis with finite field linear algebra 2.2]. We also ease analysis by using the sampling period shows that the internal state of an LFSR can be derived from a as a unit of time – sample zi is at “time” i and variance small amount of output, allowing both future and past outputs is defined accordingly. Our time-phase accumulation matches to be reproduced with little effort – a devastating scenario if with the physical model (κ2 of Eqn. 1) and also accounts for that output is to be used for cryptographic keying. spontaneous, purely Brownian transitions and ripple when the By 2001 at least the German AIS 20/31 [8], [24] Common relative frequency F of oscillators is very small or harmonic. Criteria IT Security evaluations had diverged from the purely For sampled, digital oscillator sources, we may ignore the black-box statistical approach and instead concentrated on signal amplitude and consider a pulse wave with period T and quantifying entropy produced by a noise source, evaluation relative pulse width (“duty cycle”) D. We assume a constant of its post-processing methods, and also considered imple- sampling rate and use the sample bits as a measure of time. ω−δ mentation security, cryptanalytic attacks, and vulnerabilities. We normalize the sinusoidal phase ω as x = 2π to range Current NIST security evaluation methodology of physical 0 ≤ x < 1, where δ is the rising edge location. Average noise sources [7] also acknowledges that general statistical frequency F ≈ 1/T mod 1 is a per-bit increment to the phase properties of raw noise are less important than evaluation of and σ2 is its per-bit accumulated variance (Eqn. 1). its entropy content, but at the time of writing do not require Definition 1 (Sampling Process): The behavior of a stochastic models or detailed analysis of physical sources. (F, D, σ2) noise source and its bit sampler is modeled as: For purposes of security engineering, pseudorandomness in 2 the output of the physical source is an unambiguously negative xi = xi−1 + N (F, σ ) mod 1 (3) ( feature as it makes the assessment of true entropy more 1 if xi < D, difficult. On the other hand, Redundancy from a well-behaved zi = (4) 0 if xi ≥ D. stochastic model is easily manageable via cryptographic post- processing. Once seeded, standard (Cryptographic) Determin- Here zi ∈ {0, 1} is an output bit, and xi ∈ [0, 1) is the istic Random Bit Generators (DRBGs [25]) guarantee indistin- normalized phase at sampling time. F is the frequency in guishability from random, in addition to providing prediction relation to the sampling frequency, and σ2 represents jitter. and backtracking resistance. Due to normalization (x mod 1 ≡ x − bxc), and negative 1 C. Ring Oscillators as Wiener Processes −F symmetry, F can be reduced to range [0, /2]. One may view this as a “harmonic” reduction but there is no restriction Pioneering work on modern Physical RNG Entropy Esti- for sampler to run faster than the source oscillator. mation was presented by Killmann and Schindler [26], whose The sampling process can be easily implemented to generate stochastic model uses independent and identically distributed 2 simulated bits z1, z2, z3, .. for given parameters (F, D, σ ). transition times (half-periods) to model jitter. Baudet et al. [27] This Wiener process is clearly only an idealized stochastic take a frequency domain (phase noise) approach. Our model model, and its applicability for modeling specific physical broadly follows these and also the one by Ma et al. [28]. random number generators must be individually evaluated. Baudet et al. propose a Shannon entropy lower bound [27, Eqn. 14], which has been used in engineering (e.g. [29]): A. Distance to Uniform

4 −4π2Q −6π2Q The Gaussian probability density function in Eqn. 3 be- H1 ≥ 1 − e + O e . (2) π2 ln 2 comes modularly wrapped (Fig. 2.) The classical assumption Here Q = σ2∆t (“quality factor”) corresponds to κ2 in the of ring oscillators is that if the accumulated variance σ2 physical model (Eqn. 1). We observe that the bound of Eqn. is large enough in relation to sampling rate, the modular 2 is never lower than 0.415 even when Q approaches zero – step density function will become essentially “ﬂat” in [0, 1); this estimate holds only under some additional assumptions. furthermore, if (xi − xi−1) mod 1 is uniformly random, then 2 Phase xi when previous xi 1 = 0, F = 12.3, D = 0.5, = 0.16 2 1.2 Theorem 1: With ﬁxed D and σ > 0 or F 6∈ Q we have 1.0 2 2 Ck(F, D, σ ) = C1(kF mod 1, D, kσ ) for k ≥ 1. (8) 0.8 0.6 Proof 1: The variance of independent random variables is 0.4 additive by induction in k, as is the mean. The difference 0.2 1 0 1 0 1 0 x − x will then have the distribution N (kF, kσ2) mod 1. 0.0 k 0 11.0 11.5 12.0 12.5 13.0 13.5 14.0 Only with either noisy or non-rational (non-harmonic) F we 2 Modular transition density fs in 0 x < 1; F mod 1 = 0.3, = 0.16 may take x0 in Equation 3 to be uniformly distributed in [0, 1). 1.2

1.0 C. Computing Ck to High Precision Without Simulation 0.8 0.6 Let p00, p01, p10, p11 be frequencies of adjacent bit pairs 0.4 p(zi,zi+1) present in bit sequence zi (Eqn. 4) in the model. 0.2 We’ll pick one, p11 = Pr(zi = 1 and zi+1 = 1). The 0.0 1.0 0.5 0.0 0.5 1.0 1.5 2.0 condition zi = 1 limits the density of xi to “boxcar” g1: ( Fig. 2. Gaussian phase transition and equivalent modular density. 1 if x ∈ [0,D) g1(x) = (9) 0 if x∈ / [0,D). the bit sequence zi is correlation-free. Some sources simply We also define g0(x) = 1 if x ∈ [D, 1) and zero elsewhere. state ad hoc criteria for decorrelation (e.g. that σ2 > 1). The addition of random variables corresponds to convolu- We will calculate the step function’s statistical distance to tion of their density functions; convolution f1 = g1 ∗ fs with the uniform distribution. The density of the unbounded step the step function fs (Eqn. 5) yields the probability density function (Eqn. 3) can be equivalentl y defined over domain of xi+1 conditioned on xi = 1. The probability mass of the 0 ≤ x < 1 or as a 1-periodic function in R/Z (See Fig. 2): second bit zi+1 = 1 is in range xi+1 ∈ [0,D) and we have 2 1 X − (x−F +i) Z D fs(x) = √ e 2σ2 . (5) 2πσ2 p11 = f1(x) dx. (10) i∈Z 0 a+1 R Convolution f1 = g1 ∗ fs density can be expressed as We have fs(a) = fs(a + 1) and a fs(x) dx = 1 for all a ∈ R. By choosing a tailcut value τ one can limit the sum to 1 X f1(x) = erf(ai) − erf(bi) (11) b−τσc ≤ i ≤ dτσe. This allows us to determine max at fs(F ) 2 i∈ and min at f (F + 1/2) for given σ. These are bounds for its Z s √ √ 2 2 statistical (total variation) distance to the uniform distribution Where ai = (x+i−F )/ 2σ and bi = (x+i−F −D)/ 2σ . R (See Table I.) We see that this idealized “1-dimensional lattice An indefinite integral S1 = f1(x) dx with the same ai,bi is Gaussian” would be cryptographically uniform at σ2 > 9.

√ " 2 2 # 2 −ai −bi TABLE I 2σ X e − e S1(x) = ai erf(ai) − bi erf(bi) + √ . EXTREMAOFTHEPROBABILITYDENSITYFUNCTION fs(x) FORSOME σ. 2 π i∈Z (12) σ fs min fs max σ fs range Again, one can choose a tailcut bound τ for desired precision 0.10 0.000030 3.989423 1.00 1 ± 2−27.47766 √ 0.20 0.175283 1.994726 1.50 1 ± 2−63.07473 ≈ erfc(τ/ 2) (via Gaussian CDF) and compute the sums 0.30 0.663191 1.340089 2.00 1 ± 2−112.9106 just over the integer range b−τσc ≤ i ≤ dτσe. A typical 0.50 0.985616 1.014384 2.50 1 ± 2−176.9854 choice for IEEE floating point is τ = 10 (“ten sigma”). 0.75 0.999970 1.000030 3.00 1 ± 2−255.2989 R D Choosing p11 = 0 f1(x) dx = S1(D) − S1(0) has some computational advantages. From p11 we can derive other B. Autocorrelation and Sampling Intervals parameters p01 = p10 = D − p11, p00 = 1 − 2D + p11, We define a scaled, binary delay-k autocorrelation measure and C1 = 4(p11 −D)+1. To compute arbitrary Ck, substitute 0 02 2 −1 ≤ C ≤ +1: parameters F = kF mod 1 and σ = kσ (Thm. 1). We then k 0 have Ck as C1 = 4[S1(D) − S1(0) − D] + 1. Ck = 2 Pr(zi = zi+k) − 1. (6) Figure 3 shows the density functions g for the four bit pair frequencies when F = 0.1, D = 0.625, σ2 = 0.04 (σ = 0.2). We may estimate Ck, k ≥ 1 for a finite m-bit sequence as The dotted line on upper boxes corresponds to shape of f0 m−k 0 1 X and lower row to f1; these have been chopped (shaded area) C = (2zi − 1)(2zi+k − 1). (7) k m − k to g00, g01, g10, g11. Note that even though g10 has a different i=1 shape from g01, they have equivalent area and hence frequency 0 1 Pm 1−C1 For convenience, we set C0 = m i=1(2zi − 1) to represent p01 = p10 = 4 . This is natural since the frequency of 0 simple bias in the same vector; C0 approximates 2D − 1. rising edges must match the frequency of falling edges. p00 = 0.204492 p01 = 0.170508 Algorithm 1 Evaluate bit pattern probability p 1.0 1.0 z 2 0.8 0.8 1: function PZFFT(F , D, σ , z1z2 ··· zn)

0.6 0.6 2: for j ← 0, 1, ··· , m − 1 do . Init: Approximation. j 3: s ← 1 f ( ) . Eqn. 5 for F and σ2. 0.4 0.4 j m s m 4: g1,j ← max(min(mD − j, 1), 0) . Eqn. 9 for D. 0.2 0.2 5: g0,j ← 1 − g1,j . Select zero – inverse. 0.0 0.0 1 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 6: vj ← m . Start with uniform distribution.

p10 = 0.170508 p11 = 0.454492 7: end for 1.0 1.0 8: for i ← 1, 2, ··· , n do . For each bit. 0.8 0.8 9: for j ← 0, 1, ··· , m − 1 do . Chop half. 0.6 0.6 10: tj ← vjgzi,j . Note bit select index zi. 0.4 0.4 11: end for 0.2 0.2 12: v ← t ∗ s mod (xm − 1) . Convolution (FFT). 0.0 0.0 13: end for 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 Pm−1 14: return pz = i=0 vi . Probability mass. Fig. 3. Bit pair probabilities for F = 0.1, D = 0.625, σ2 = 0.04. 15: end function

D. Use of Ck in Modeling of Physical Sources These probability density functions f(x) correspond to real- valued m-degree polynomials v = Pm xiv in Algorithm 1. The output from bit generation simulations agrees with these i=0 i The unit interval domain x ∈ [0, 1) is mapped to coefficients explicit autocorrelation values as expected. Analytic Ck is of via v ≈ R (i+1)/m f(x) dx. For the step function of we course much faster to compute. i i/m 1 C0 approximate this as si = m fs(i/m) and for chop functions so Since autocorrelation estimates k (Eqn. 7) may also be P P easily derived from the output of physical ring oscillators, that i g1,i = D and i g0,i = 1 − D. We write the circular we can find a good approximate (F, D, σ2) model for a convolution using polynomial product and reduction modulo m physical source by matching their autocorrelation properties. x − 1, which can be very efficiently computed with FFT. We use least-squares minimization of few initial entries of The chopping operation is a point-by-point multiplication autocorrelation vectors for this type of modeling. with g0 or g1 in the normal (time) domain, while step ˆ We can also experimentally derive parametrized models convolution is a point-by-point multiplication with fs in the where frequency F and jitter σ2 are functions of environmental transformed (complex, frequency) domain, and hence each additional bit zi requires one forward and one inverse transform aspects such as temperature or aging of circuitry; this, in ˆ turn, allows us to extrapolate and assign safe bounds for as fs remains the same. Our open-source, FFTW3-based [31] portable C implementation allows fast and accurate computa- statistical health tests parameters and entropy output (yield 1 of conditioner) over the lifetime of the device. tion of probabilities of almost arbitrarily long patterns . III.ENTROPY EVALUATION E. Bit Pattern Probabilities via FFT Convolutions Let Zn be a random variable representing n-bit sequences To compute probabilities of bit triplets and beyond, we may z = (z1, z2, ..zn) which are sequentially generated by the “chop” a density function to zero the part which we know to stochastic process of Sect. II characterized by stationary parameters (F, D, σ2). Each of 2n possible outcomes z can be be conditioned out; g10(x) = (f1 · g0)(x), is f1 chopped to ∞ R assigned a probability pz = Pr(Zn = z). zero outside [D, 1) range so we have −∞ g10(x) dx = p10. Let z be a sequence of bits for which conditional distribution The NIST SP 800-90B [7] entropy source standard focuses on min-entropy H∞, a member of the Rényi family of fz is known; “chopping” with g0 or g1 and convoluting with entropies [32]. Min-entropy (or “worst-case entropy”) has a step function fs we obtain distributions of one additional simple definition in case of a discrete variable, based on the bit: fz,0 = (fz · g0) ∗ fs and fz,1 = (fz · g1) ∗ fs. This chop-and-convolute process can be continued to determine the likelihood of the most likely outcome of Zn: probability and phase distribution of an arbitrary bit pattern. H∞(Zn) = min(− log2 pz) = − log2(max pz) (13) Direct probability distribution integration formulas such as z z Eqn. 12 become cumbersome for more generic bit patterns. The AIS 31 [8] Common Criteria evaluation method addition- We instead perform numeric computations on probability ally uses the traditional Shannon entropy metric X density functions fz represented as real-valued polynomial H1(Zn) = − pz log2 pz. (14) coefficients. This approach is attractive since the Fast Fourier z Transform offers an especially efficient way to compute cyclic For Shannon entropy we consider its entropy rate H(Z). convolutions of polynomials, as is required by our 1-periodic 1 This is a [0, 1]-valued limit H(Z) = limn→∞ n H1(Zn). step function fs (Eqn. 5). Unlike unbounded Gaussians our 1 random variables xi ∈ [0, 1) have a strictly limited range. Reference source code: https://github.com/mjosaarinen/bitpat A. Entropy Upper Bounds 1.0

Probabilities pz obtained via Algorithm 1 and related tech- niques in Sect. II-E can be substituted to Eqns. 13 and 14 to 0.8

evaluate H (Z ) and H (Z ), respectively. .

∞ n 1 n y p o r

Shannon entropy H1(Zn) provides increasingly accurate t

n 0.6 e - upper bounds since we have H∞(Zn) ≤ H1(Zn) and n i m

t i

1 1 b - r

H(Z) ≤ ... ≤ H1(Z3) ≤ H1(Z2) ≤ H1(Z1). (15) e 0.4 P

3 2 :

This relationship follows from subadditivity of joint entropy H in case of Shannon entropy H1; the monotonic relationship of 0.2 Z100: From 100-bit depth-first max pz.

Eqn. 15 does not hold for min-entropy H∞. NIST SP-90B: Horiginal (simulated). All Rényi entropies are upper bounded by max-entropy Lower estimate from pe = 4 S1(1/2). 0.0 (Hartley entropy) H0, i.e. the number (cardinality) of n-bit 0.0 0.1 0.2 0.3 0.4 0.5 : Per-bit accumulated jitter (std. deviation). z with nonzero probability; H0(Zn) = log2 |pz > 0|. If an m-bit encoding exists for all elements with pz > 0 of Zn, Fig. 4. Min-entropy from distribution of Z100 with depth-first z selection, m then its cardinality is at most 2 and H(Z) ≤ H0(Zn) ≤ m. NIST SP 800-90B estimates, and our pe bit-prediction lower bound. Experi- This leads to limit H(Z) → 0 for a noiseless (σ2 = 0) mental data is represented as a scatter plot, with a line at the average. source, regardless of F oscillation. A simple , δ argument n z σ2 = 0 shows that each -bit sequence i with can be encoded While max p can usually be found with subexponential z F,D x O(log n) z by expressing , and 0 with asymptotic bits of guesses, worst-case complexity of this problem remains open. precision. Claim follows from lim 1 log n → 0. n→∞ n Certainly, a simple depth-first search will not always work. 2 1 2 B. Entropy Lower Bounds as a function of σ Consider max pz for source (D = 2 ,F = 0.15, σ = 0.04): 1 For an entropy lower bound we consider the entropy con- 3 H∞(Z3) = 0.844807, p000 = p111 = 0.172609. 1 tribution of jitter to an individual bit zi when all of the 4 H∞(Z4) = 0.849297, p0000 = p1111 = 0.0949171. 2 1 parameters (F, D, σ ) and the previous phase xi−1 are known 5 H∞(Z5) = 0.846341, p00011 = p00111 = 0 (in addition to previous bit zi−1). Let pe = Pr(zi = zi) where p11000 = p11100 = 0.0532267. 0 the expected bit value zi is deterministic (from xi−1 + F ). We observe that F cancels out in this case and we have We first note that the entropy increase from Z3 violates subadditivity (and would not be possible for H1; Eqn. 15). pe = p00 + p11 with F = 0 for equations of Section II-C. In 1 Furthermore, the maximum-probability bit strings of Z4 are case of an unbiased source D = 2 , a further simplification yields frequency-independent bounds as a function of σ2: not substrings of those for Z5; not reachable via iteration.

1 1 D. Comparison to SP 800-90B Estimation pe = 2 · [S1( /2) − S1(0)] = 4 · S1( /2) (16) Current SP 800-90B min-entropy evaluation methodology H1(Z) ≥ −pe log2 pe − (1 − pe) log2(1 − pe) (17) [7, Section 6.3] used by FIPS 140-3 [30] does not use H (Z) ∼ − log p . (18) ∞ 2 e stochastic models, but proceeds by taking the minimum of ten 1 where S1 is Eqn. 12 with F = 0, D = 2 . From Eqn. 16 we conservative, standardized entropy tests. The results of this 1 can show a looser approximate bound pe ≤ 1 − 2 tanh(πσ). methodology plateau below H∞ ≈ 0.9 even for completely These estimates are lower than some previously proposed random (cryptographically generated) test data. lower bounds (See Eqn. 2) as they are based on fewer We generated 16,000 simulated sequences of 8 ∗ 106 bits 2 assumptions. Crucially they cover the entire range of σ – with random σ and F ∈ [0, 1/2], and subjected them to the and are therefore safer to use in cryptographic engineering. official NIST SP 800-90 Entropy Assessment2. Fig. 4 contrasts these results with min-entropy estimate for Z where z is C. Min-Entropy Estimates 100 chosen to follow maximum probability mass (Section III-C). One part of min-entropy estimation of H∞(Zn) is to find As expected, the black-box heuristic which has been de- a maximum-likelihood bit sequence z, and the second is to signed to “lean toward a conservative underestimate of min- determine its probability pz. The second part can be accom- entropy” [7, Sect G.2] reports less entropy than our estimates. 1 plished with Algorithm 1 – we have H∞(Zn) = − log pz. n 2 Fig. 4 also shows H∞(Z) ∼ − log2 pe min-entropy derived A reasonable z string “guess” is to select x0 at random from the bit-prediction bound of Eqns. 16 and 18. This and use the peak probability path xi = xi−1 + F (mod 1) curve mostly traces the lower reaches of the stochastic model to determine z1, z2, ··· , zn. This approach is asymptotically estimates (which are scattered here due to randomness of F ). sound, but overestimates entropy for small n. We suggest that this is a safe min-entropy engineering estimate 2 A practical depth-first approach is to proceed as in Alg. 1 but from variance σ , assuming an unbiased source (D = 1/2). Pm−1 Pm−1 evaluate weights q0 = j=0 vjg0,j and q1 = j=0 vjg1,j 2 at each step i, and select zi with the higher probability mass. NIST: https://github.com/usnistgov/SP800-90B_EntropyAssessment ACKNOWLEDGMENTS [21] George Marsaglia. The Marsaglia random number CDROM including the diehard battery of tests of randomness. CDROM and Online Thanks to Joshua E. Hill for helpful comments. This work Publication, 1995. has been supported by Innovate UK Research Grant 105747. [22] Robert G. Brown, Dirk Eddelbuettel, and David Bauer. Dieharder: A random number test suite. Software distribution, accessed January 2021, REFERENCES 2003. URL: https://webhome.phy.duke.edu/~rgb/General/dieharder.php. [1] George W. Brown. History of RAND’s random digits – summary. [23] Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid, Elaine Research Paper P-113, RAND Corporation, June 1949. Also appeared Barker, Stefan Leigh, Mark Levenson, Mark Vangel, David Banks, Alan in: Monte Carlo Method, Nat. Bur. Stand., Appl. Math. Series 12 (1951), Heckert, JamesDray, and San Vo. A statistical test suite for random and pp. 31-32. URL: https://www.rand.org/pubs/papers/P113.html. pseudorandom number generators for cryptographic applications, April [2] John A. McNeill and David S. Ricketts. The Designer’s Guide 2010. doi:10.6028/NIST.SP.800-22r1a. to Jitter in Ring Oscillators. Springer, 2009. doi:10.1007/ [24] Werner Schindler and Wolfgang Killmann. Evaluation criteria for true 978-0-387-76528-0. (physical) random number generators used in cryptographic applications. [3] Robert C. Fairfield, Robert L. Mortenson, and Kenneth B. Coulthart. In Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, editors, An LSI random number generator (RNG). In Advances in Cryptol- Cryptographic Hardware and Embedded Systems - CHES 2002, 4th ogy, Proceedings of CRYPTO ’84, Santa Barbara, California, USA, International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, August 19-22, 1984, Proceedings, volume 196 of Lecture Notes in Revised Papers, volume 2523 of Lecture Notes in Computer Science, Computer Science, pages 203–230. Springer, 1984. doi:10.1007/ pages 431–449. Springer, 2002. doi:10.1007/3-540-36400-5\ 3-540-39568-7_18. _31. [4] Kenneth B. Coulthart, Robert C. Fairfield, and Robert L. Mortenson. [25] Elaine Barker and John Kelsey. Recommendation for random number Random number generator. U.S. Patent 4,641,102 A, August 1984. generation using deterministic random bit generators. NIST Special URL: https://patents.google.com/patent/US4641102A. Publication SP 800-90A Revision 1, June 2015. doi:10.6028/ [5] AMD. AMD random number generator. AMD TechDocs, NIST.SP.800-90Ar1. June 2017. URL: https://www.amd.com/system/files/TechDocs/ [26] Wolfgang Killmann and Werner Schindler. A design for a physical amd-random-number-generator.pdf. RNG with robust entropy estimators. In Elisabeth Oswald and Pankaj [6] ARM. ARM TrustZone true random number generator (TRNG): Rohatgi, editors, Cryptographic Hardware and Embedded Systems - Technical reference manual. ARM 100976_0000_00_en (Second release CHES 2008, 10th International Workshop, Washington, D.C., USA, r0p0 0000-01), May 2020. URL: http://infocenter.arm.com/help/index. August 10-13, 2008. Proceedings, volume 5154 of Lecture Notes in jsp?topic=/com.arm.doc.100976_0000_00_en. Computer Science, pages 146–163. Springer, 2008. doi:10.1007/ [7] Meltem Sönmez Turan, Elaine Barker, John Kelsey, Kerry A. McKay, 978-3-540-85053-3\_10. Mary L. Baish, and Mike Boyle. Recommendation for the entropy [27] Mathieu Baudet, David Lubicz, Julien Micolod, and André Tassiaux. On sources used for random bit generation. NIST Special Publication SP the security of oscillator-based random number generators. J. Cryptol- 800-90B, January 2018. doi:10.6028/NIST.SP.800-90B. ogy, 24(2):398–425, 2011. doi:10.1007/s00145-010-9089-3. [8] Wolfgang Killmann and Werner Schindler. A proposal for: Functionality [28] Yuan Ma, Jingqiang Lin, Tianyu Chen, Changwei Xu, Zongbin Liu, classes for random number generators. AIS 20 / AIS 31, Version 2.0, and Jiwu Jing. Entropy evaluation for oscillator-based true random English Translation, BSI, September 2011. URL: https://www.bsi.bund. number generators. In Lejla Batina and Matthew Robshaw, editors, de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_ Cryptographic Hardware and Embedded Systems - CHES 2014 - 16th 31_Functionality_classes_for_random_number_generators_e.html. International Workshop, Busan, South Korea, September 23-26, 2014. [9] NIST. Secure hash standard (SHS). Federal Information Processing Proceedings, volume 8731 of Lecture Notes in Computer Science, pages Standards Publication FIPS 180-4, August 2015. doi:10.6028/ 544–561. Springer, 2014. doi:10.1007/978-3-662-44709-3\ NIST.FIPS.180-4. _30. [10] John Bertrand Johnson. Thermal agitation of electricity in conductors. [29] Oto Petura, Ugo Mureddu, Nathalie Bochard, Viktor Fischer, and Lilian Phys. Rev., 32(1):97–109, July 1928. doi:10.1103/PhysRev.32. Bossuet. A survey of AIS-20/31 compliant TRNG cores suitable 97. for FPGA devices. In Paolo Ienne, Walid A. Najjar, Jason Helge [11] Harry Nyquist. Thermal agitation of electric charge in conductors. Phys. Anderson, Philip Brisk, and Walter Stechele, editors, 26th International Rev., 32(1):110–113, July 1928. doi:10.1103/PhysRev.32.110. Conference on Field Programmable Logic and Applications, FPL 2016, [12] Herbert B. Callen and Theodore A. Welton. Irreversibility and gen- Lausanne, Switzerland, August 29 - September 2, 2016, pages 1–10. eralized noise. Phys. Rev., 83(1):34–40, July 1951. doi:10.1103/ IEEE, 2016. URL: https://ieeexplore.ieee.org/xpl/conhome/7573873/ PhysRev.83.34. proceeding, doi:10.1109/FPL.2016.7577379. [13] Ali Hajimiri and Thomas H. Lee. A general theory of phase noise in [30] NIST and CCCS. Implementation guidance for FIPS 140- electrical oscillators. IEEE Journal of Solid-State Circuits, 33(2):179– 3 and the cryptographic module validation program. CMVP, 194, 1998. doi:10.1109/4.658619. September 2020. URL: https://csrc.nist.gov/CSRC/media/Projects/ [14] Ali Hajimiri and Thomas H. Lee. The Design of Low Noise Oscillators. cryptographic-module-validation-program/documents/fips%20140-3/ Kluwer, 1999. doi:10.1007/b101822. FIPS%20140-3%20IG.pdf. [15] Ali Hajimiri, Sotirios Limotyrakis, and Thomas H. Lee. Jitter and [31] Matteo Frigo and Steven G. Johnson. The design and implementation of phase noise in ring oscillators. IEEE Journal of Solid-State Circuits, FFTW3. Proc. IEEE, 93(2):216–231, 2005. Special issue on “Program 34(6):790–804, June 1999. URL: https://authors.library.caltech.edu/ Generation, Optimization, and Platform Adaptation”. doi:10.1109/ 4916/1/HAJieeejssc99a.pdf, doi:10.1109/4.766813. JPROC.2004.840301. [16] Bernice B. Brown. Some tests on the randomness of a million digits. [32] Alfréd Rényi. On measures of entropy and information. In Jerzy Research Paper P-44, RAND Corporation, October 1948. URL: https: Neyman, editor, Proc. Fourth Berkeley Symp. on Math. Statist. and //www.rand.org/pubs/papers/P44.html. Prob., Vol. 1, pages 547–561. University of California Press, 1961. URL: [17] RAND Corporation. A Million Random Digits with 100,000 Normal De- https://projecteuclid.org/euclid.bsmsp/1200512181. viates. Free Press, 1955. URL: https://www.rand.org/pubs/monograph_ reports/MR1418.html. [18] Maurice G. Kendall and Bernard Babington-Smith. Randomness and random sampling numbers. Journal of the Royal Statistical Society, 101(1):147–166, 1938. doi:10.2307/2980655. [19] Maurice G. Kendall and Bernard Babington-Smith. Second paper on random sampling numbers. Supplement to the Journal of the Royal Statistical Society, 6(1):51–61, 1939. doi:10.2307/2983623. [20] NIST. Security requirements for cryptographic modules. Federal Information Processing Standards Publication FIPS 140-2 (With change notices dated October 10, 2001 and December 3, 2002), May 2001. doi:10.6028/NIST.FIPS.140-2.