
WJM-6500 BS2-0501

A Mathematical and Physical Analysis of Circuit with Application to Cryptographic Random Bit Generation

A Major Qualifying Project Report:

submitted to the Faculty

of the

WORCESTER POLYTECHNIC INSTITUTE

in partial fulfillment of the requirements for the

Degree of Bachelor of Science

by

Wayne R. Coppock

Colin R. Philbrook

Submitted April 28, 2005

Approved: Professor William J. Martin, Professor Berk Sunar

1. Random Number Generator 2. Cryptography 3. Jitter

Abstract

In this paper analysis of jitter is conducted to determine its suitability for use as an entropy source for a true random number generator. Efforts are taken to isolate and quantify jitter in ring oscillator circuits and to understand its relationship to design specifications. The accumulation of jitter via various methods is also investigated to determine whether there is an optimal accumulation technique for sampling the uncertainty of jitter events. Mathematical techniques are used to analyze the accumulation process and an attempt at modeling a with jitter is made. The physical properties responsible for the that causes jitter are also briefly investigated.

Acknowledgements

We would like to thank our faculty advisors and our mentors at GD, without whom this project would not have been possible. Our advisors, Professor Bill Martin and Professor Berk Sunar, were indispensable in keeping us focused on the tasks ahead as well as for providing background to help us explore new questions as they arose. Our mentors at GD were also key to the project’s success, and we owe them much for this.

Gerardo Orlando took large amounts of time out of his busy schedule to keep us moving along and give us new avenues to explore. Nichols Paul was extremely helpful with the insight he provided into noise measurements, as well as the general support he offered us.

Tucker Evans was quite helpful in setting up and programming in the GD CAD environment and without him no new hardware designs would have been possible.

Robert Hosford was always willing to help us out and was a big help getting our test setup in working order.

Table of Contents

Abstract
Acknowledgements
Table of Figures
Table of Tables
1 Background
  1.1 Cryptography
  1.2 Random Number Generators
  1.3 Jitter
2 Methodology
  2.1 Development Environment
    2.1.1 Hardware
    2.1.2 Software Design Flow
  2.2 Testing Environment and Procedures
    2.2.1 Jitter Measurement
    2.2.2 Oscilloscope
3 Results and Analysis
  3.1 Ring Oscillator
  3.2 Theoretical Analysis
    3.2.1 Central Limit Theorem
    3.2.2 Correlated Noise Sources
  3.3 Experimental Analysis
    3.3.1 Basic Jitter Statistics
    3.3.2 N-Cycle Accumulation
    3.3.3 Jitter Density
    3.3.4 Periodic Noise and Filtering
  3.4 Modeling
4 Future Work
5 Conclusion
References

Table of Figures

Figure 1: Basic Jitter Diagram
Figure 2: Design Flow
Figure 3: Jitter Measurement Techniques [3]
Figure 4: Simple 3-Inverter Ring
Figure 5: Timing Diagram
Figure 6: Comparison of 57 and 151 Inverter Waveforms
Figure 7: Normal Distribution
Figure 8: Log-Log Plot of Standard Deviation vs. Measurement Period [6]
Figure 9: Standard Deviation vs. Number of Inverters
Figure 10: N-Cycle Accumulations
Figure 11: First Fifty Cycles
Figure 12: Log-Log plot of N-Cycle Data
Figure 13: Period Measurements for 67 Inverter Ring
Figure 14: Period Measurements for 101 Inverter Ring
Figure 15: N-Cycle Histogram Comparison for 67 Inverter Ring
Figure 16: TIE Time Trend
Figure 17: TIE Spectrogram
Figure 18: Filtered TIE Time Trend
Figure 19: TIE Histogram Improvement
Figure 20: Signal / Model Comparison

Table of Tables

Table 1: Jitter Density Results

1 Background

1.1 Cryptography

Cryptography is a pervasive element in modern life, the importance of which can hardly be overstated. It is nothing less than the modern application of technology (though its origins date back to the beginnings of civilization) to the problem of keeping secrets secret. In a modern sense, cryptography mostly involves the use of algorithms to keep electronic data secure. In a broader context, there are various ways in which cryptography can keep data secure. It can keep data secure from someone for whom it was not intended, it can confirm that data has not become corrupted or altered in transit, and it can ensure that the data comes from a trustworthy source. These are called confidentiality, data integrity, and authentication respectively. Although they differ in their application of it, all use the basic cryptographic system of encryption and decryption.

No matter how secure from attacks the algorithm used for the encryption process is, this system is only as strong as the key used to encode the information. In many modern systems the assumption is made that the key is unknown and unable to be guessed. This assumption has led to the widespread use of random (mostly pseudorandom) numbers as keys, meaning that a system is now only as secure as the random number generator used to produce the key. A weak random number generator whose output can be easily guessed provides no security for the data being encrypted. In cryptographic applications, random numbers must be completely unpredictable to any form of attack, including an attacker who has great computing power and a large sample of random numbers from the source being used.

1.2 Random Number Generators

A “random number generator” (RNG) is a device or system which produces an unpredictable sequence of numbers or bits that cannot be reproduced. RNGs are widely used today in a variety of applications including simulation, modeling, computer games, and cryptographic systems. For many of these applications a pseudorandom number generator (PRNG) is sufficient to meet the demands, however for cryptographic applications a very strong random number generator is needed. In order to ensure a completely reliable source of random numbers, true (physical) random number generators (TRNGs) should be used.

For less demanding applications, a set of algorithms (PRNGs) are typically used that, when seeded with random input from some entropy source, can generate a sequence which may be computationally infeasible to distinguish from the output of a TRNG [2].

Since PRNG algorithms are deterministic, the entropy of the output will be at most that of the seed input. This makes them typically inadequate for use in secure communications, especially in the face of ever-increasing computing power, which may make currently infeasible calculations quite easy in the near future. In cryptographic applications the concept of an ‘attacker’ is often used to discern weaknesses in the unpredictability of random number generators. With PRNGs an attacker need only to discover the seed and algorithm to generate the exact same sequence of ‘random’ numbers, thus compromising the security of the system. Additionally since PRNGs use deterministic algorithms, the sequence of numbers generated will eventually repeat, so an attacker with a large amount of computing power could check every possible output that the algorithm can generate, again compromising the system.

With TRNGs an internal physical source of entropy is identified and used to generate random numbers, usually involving a conversion of analogue noise of some kind to a digital signal [1]. In a well-designed TRNG this source of entropy is sampled to obtain a sequence of statistically independent bits which may undergo post-processing and result in a string of truly random bits. TRNGs are completely reliant on their source of entropy being truly random, and any amount of deterministic input that may influence the output puts the system at risk of attack. However it is difficult to exclude all deterministic input from systems whose entropy is easily isolated, and so a robust design should take deterministic elements in this source into account.

Several sources of entropy are available, however many are plagued with problems of practical implementation and strength against attack. Proposed sources such as the interval between user keystrokes or device interrupts, network traffic, least significant bits of analog input, and atmospheric are all vulnerable to either being biased from an outside attack or by an attacker’s ability to measure the same events. A few sources not vulnerable to these attacks such as radioactive decay and the photoelectric effect are difficult and costly to implement, especially for use in a portable environment. Currently the most promising source of entropy seems to be noise in electronic components. This noise has a basis in quantum effects yet is easily implemented with existing technology.

1.3 Jitter

Physical limitations in the implementation of circuit designs often give rise to unexpected problems, such as a timing problem known as “jitter.” Jitter is a phenomenon which arises in oscillators and thereby any circuit with a timing clock. In an ideal oscillator the time between state transitions is constant; however in real application this time is always variable. A rather concise, albeit useful, definition of jitter is “the short-term variations of a digital signal’s significant instants from their ideal positions in time,” [5] where the “significant instants” are the state transitions. Since every state transition has some uncertainty in its timing and the uncertainty from each transition affects later transitions, these small amounts of uncertainty accumulate as the observed timeframe grows larger.

Figure 1: Basic Jitter Diagram

In many cases the term “jitter” is used to refer to all within a signal. In this framework jitter is broken up into two varieties: random and deterministic. Random jitter is considered to be unbounded, while deterministic jitter is considered to be bounded [3]. Furthermore, deterministic jitter is broken down into various varieties of deterministic noise which may affect signal timing. For the purposes of this paper only “random jitter” will be referred to as jitter and all varieties of “deterministic jitter” will be referred to as deterministic noise. Although as a random noise source it may have any probability distribution, jitter is generally assumed to have a Gaussian (normal) distribution.

2 Methodology

2.1 Development Environment

2.1.1 Hardware

The hardware used for our designs is a Nallatech Ballyneuy 2 Virtex PCI card. It houses the Virtex XCV800 Field Programmable Gate Array (FPGA), which was used to run our oscillator ring designs. The FPGA uses look up tables (LUTs) to simulate function generators. These LUTs require current and voltage to function. Floorplanning was used to minimize any electric field effects by placing high components as far apart as possible on the board.

2.1.2 Software Design Flow

The Exceed program was used to access the following tools: Modelsim, Synopsys FPGA Compiler II, Xilinx Floorplanner, and Xilinx Design Manager. The design flow used is shown in Figure 2. The VHDL design is first loaded into the FPGA compiler. The FPGA compiler creates a design hierarchy for the Virtex FPGA. The pin constraints file is the ucf file used for pin-to-signal assignments. The floorplanner is run to create a layout for where the components are to be placed physically on the Virtex chip. This design is then loaded into the Xilinx Design Manager, where, by translating the design constraints, a bit file is produced. A C program is then used to upload the bit file to the FPGA on the PCI board.

Figure 2: Design Flow (diagram boxes: VHDL design file, Synopsys FPGA Compiler II, pin constraints ucf file, Xilinx Floorplanner, Xilinx Design Manager, C program to upload the design, Virtex XCV800)

2.2 Testing Environment and Procedures

2.2.1 Jitter Measurement

In order to gain a better understanding of jitter, it is important to first quantify it. Although jitter has seen a fair share of attention in recent times as it has become increasingly problematic for high-speed communications design, much of the investigation conducted upon it has sought to minimize its impact on circuit designs. Many of the tools and methods for measuring jitter and its effects reflect this and are more concerned with its effects than its underlying causes. For this reason, only a few techniques are of interest to the topic being investigated in this paper.

Figure 3: Jitter Measurement Techniques [3]

Period

Because jitter events are directly manifested as changes in a signal’s period, measuring these variations in the period is a good way to gauge the effects of these events. Period jitter measurements consist simply of taking repeated measurements of the signal’s period (either from one rising edge to the next or one falling edge to the next, but rising is generally preferred) and compiling the data to obtain statistical results. Although the standard deviation is typically the most interesting numerical result, the mean of the period can also be useful for determining an idealized waveform. The distribution of these results is typically assumed to be normal and a histogram can confirm this visually.

Cycle-Cycle

Cycle to cycle (or cycle-cycle) jitter is another measurement built upon the basic period measurement. Through the application of a first-order difference equation on the period measurements the differences between adjacent cycles can be calculated. These differences can show the actual amount of phase-shift caused by jitter events on a per-cycle basis. Since this is a difference function applied to what should be a normally distributed dataset, its mean should be zero, or very close thereto. Its standard deviation is generally the only result of interest, although plotting cycle-cycle jitter versus time (typically done on a per-cycle scale) can yield interesting results about the period growing consistently longer or shorter for spans of time.

Time Interval Error (TIE)

While not able to be directly observed, time interval error provides some useful information about the results of jitter events on a signal. The measurement technique requires an idealized clock signal for comparison against the measured signal, making it impossible to directly observe due to the lack of physical jitter-less clock circuits. However, it is possible to compute the TIE via post-processing by subtracting the ideal clock period (determined through measurement) from each period measurement and then integrating the differences [3]. Although it does require post-processing, several jitter-related applications for commercial oscilloscopes are able to compute the TIE from data as it is collected. The TIE can be used to observe the cumulative effects of jitter over time, and when plotted versus time it can show deterministic modulation on the signal’s phase. Because it is based upon differences from the ideal, the TIE should have a mean of zero, or something close thereto. Additionally, the histogram of TIE data can show the distribution of deviations from the idealized signal to help identify whether the measured signal is biased towards being slow or fast.

N-Cycle

In order to investigate the accumulated effects of jitter events it is necessary to utilize a so-called ‘N-cycle’ jitter measurement technique. This technique again relies upon a form of idealized clock period, however instead of calculating for every period like the TIE, it waits for N-cycles of the signal and measures the difference between the expected Nth-cycle rising edge and the actual rising edge. As with TIE measurement, commercial jitter-measurement applications are able to calculate N-cycle measurements on data as it is collected. The standard deviation of these results is useful to examine the effects of this accumulation, as well as viewing the histogram to investigate the distribution it generates. As with the TIE, N-cycle jitter distributions should be centered about a mean at or near zero.

Data Captures and Post-Processing

Although much of the data relevant to measuring jitter can be collected directly through oscilloscopes and jitter measurement software packages for them, for the purposes of this paper it was desirable to investigate other aspects of jitter not typically measured in industrial design. It was necessary to use an oscilloscope to save waveform capture data that could be appropriately post-processed to analyze these aspects.
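The four measurements defined in Section 2.2.1, computed by post-processing a list of rising-edge timestamps. This is an added example, not code from the report or from the oscilloscope software; the edge times are constructed (nominal period 116,693.5 ps, roughly what the report's regression gives for a 67-inverter ring, with an assumed 20 ps Gaussian jitter per cycle) and all function names are hypothetical.

```python
import random
import statistics


def periods(edges):
    """Rising-edge to rising-edge periods."""
    return [b - a for a, b in zip(edges, edges[1:])]


def cycle_to_cycle(per):
    """First-order difference of adjacent periods."""
    return [b - a for a, b in zip(per, per[1:])]


def time_interval_error(per):
    """Running sum of (period - ideal period); the ideal is the mean period."""
    ideal = statistics.fmean(per)
    tie, acc = [], 0.0
    for p in per:
        acc += p - ideal
        tie.append(acc)
    return tie


def n_cycle(edges, n):
    """Actual minus expected position of the Nth following edge,
    taken over non-overlapping windows of n cycles."""
    ideal = (edges[-1] - edges[0]) / (len(edges) - 1)
    return [edges[i + n] - edges[i] - n * ideal
            for i in range(0, len(edges) - n, n)]


def constructed_edges(cycles=20000, t0_ps=116693.5, sigma_ps=20.0, seed=1):
    """Constructed sample input: edge times in ps with Gaussian period jitter."""
    rng = random.Random(seed)
    t, edges = 0.0, [0.0]
    for _ in range(cycles):
        t += t0_ps + rng.gauss(0.0, sigma_ps)
        edges.append(t)
    return edges


def summarize(edges):
    per = periods(edges)
    c2c = cycle_to_cycle(per)
    tie = time_interval_error(per)
    return {
        "period_mean": statistics.fmean(per),
        "period_sigma": statistics.pstdev(per),
        "c2c_mean": statistics.fmean(c2c),
        "c2c_sigma": statistics.pstdev(c2c),
        "tie_final": tie[-1],
        "tie_peak": max(abs(x) for x in tie),
        "n1_sigma": statistics.pstdev(n_cycle(edges, 1)),
        "n16_sigma": statistics.pstdev(n_cycle(edges, 16)),
    }


if __name__ == "__main__":
    for name, value in summarize(constructed_edges()).items():
        print(f"{name:>13}: {value:12.3f} ps")
```

For independent jitter the cycle-cycle deviation comes out near the period deviation times the square root of two, and the 1-cycle N-cycle result is the period jitter itself.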

2.2.2 Oscilloscope

The oscilloscope used was a Tektronix 5104B. The sampling rate is 5 Gigasamples per second. Most of the measurements taken used the TDSJIT3 software. The period and standard deviation of the period measurements were taken by acquiring data from one million waveform captures. The scope measures the period between rising edges of the waveform. The ideal period for the TIE measurements was synthesized by the software through clock recovery. Clock recovery is performed by averaging the period for the waveform and then using the mean of the period to fit the clock to the measured data. Another source of data extracted from the TIE measurement is the random and deterministic jitter (Rj/Dj) analysis performed by the software. The TDSJIT3 software decomposes the total jitter into deterministic and random components. It does this analysis by using an industry-standard technique involving deconvolving the distribution for the total jitter. This is done by assuming the random jitter follows a Gaussian distribution [7]. The software was also used to calculate the N-cycle jitter. The software first calculates the ideal N-cycle period and compares it to the time between the first measured clock edge and the Nth clock edge. The difference is the result of the N-cycle measurement.

3 Results and Analysis

3.1 Ring Oscillator

The design used was a ring oscillator. The oscillator is formed by chaining together an odd number of inverters, with the last inverter fed back to the first. The odd number of inverters ensures that a clock signal will be produced on the output of each inverter. Each oscillator ring design had one output from the first inverter in the chain. A very simple ring oscillator design is shown in Figure 4 below.

Figure 4: Simple 3-Inverter Ring


Figure 5: Timing Diagram

The switching effect of these inverters is demonstrated in Figure 5. The timing diagram has ideal clock transitions. The propagation delays have been exaggerated for demonstration purposes. The gray areas in the diagram represent the possible locations at which transitions may occur due to uncertainty in gate delay. In Figure 5, the uncertainty for jitter for Inverter 1 would affect the transition of each inverter following. Each transition edge has its own timing uncertainty, so the phase shift contribution by three inverters is cumulative.

The oscillator rings used had 57, 67, 79, 83, 101, and 151 inverters. The designs were created by modifying the VHDL design files from previous years. A large number of inverters were used due to the physical limitations of the hardware. With too few inverters the hardware could not swing the voltage transition quickly enough. As the number of inverters increases, the period increases, so the voltage transition is a much smaller portion of the period. This is why the square wave output for a larger number of inverters appears to have faster transitions. Additionally, as more inverters are added, the waveform more closely represents an idealized square wave (Figure 6).

Figure 6: Comparison of 57 and 151 Inverter Waveforms

Sources of random noise within the ring oscillator designs were essential to their operation. However, most of the stronger noise sources were deterministic, and undesired. The noise that contaminated the output waveforms would make the deviations of the waveform periods appear periodic. Potential sources of noise included the host PC’s PCI bus, the switching power supply of the PC, and power regulators on the FPGA board. These sources of noise would interfere with measurements of the shot and thermal noise. arises from the movement of carriers between negative and positively doped silicon regions. Carriers move randomly and independently across the barriers [4]. It is to be the main source of entropy within our designs. Thermal noise is another random noise source; it is caused by the random movement of current carriers. The spectra of the noise events for thermal and shot noise are . Another noise source investigated was 1/f, or pink noise. Pink noise is intrinsic to all electronic designs and the exact cause is as of yet unknown. It has a power spectrum that takes the form of 1/f, hence the name. Pink noise is defined by the frequency at which it crosses the shot noise, the corner frequency. By finding this frequency, the effect of pink noise on random noise could be determined.

3.2 Theoretical Analysis

Since jitter events are assumed to be random, they may be represented in a theoretical framework by random variables. A “jitter event” is taken to mean the timing uncertainty present in a single cycle of the waveform. The random variables representing this jitter event are then defined as a value $X_i$ representing the difference between the mean (idealized) period $T_0$ and the actual observed i-th period, such that the observed period can be expressed as a function in the form $T(i) = T_0 + X_i$. When histograms of jitter events are viewed they may be assumed to be the distribution of a sampling from these random variables. This distribution may take various forms depending on the underlying mechanics of the random variable itself, including Gaussian (normal), Poisson, Bernoulli, geometric, exponential and a variety of others. It is generally assumed that jitter events follow a Gaussian distribution, known alternatively as a normal distribution or a ‘bell curve.’ A normal distribution (Figure 7) with mean $\mu$ and variance $\sigma^2$ has the probability function

$$P(x) = \frac{1}{\sigma\sqrt{2\pi}}\, e^{-(x-\mu)^2/(2\sigma^2)}.$$

Figure 7: Normal Distribution

3.2.1 Central Limit Theorem

Since jitter events can be represented by random variables, the Central Limit Theorem (CLT) should provide some insight into how these accumulate. In order to apply the CLT, the jitter events first must be assumed to be independent random variables with identical distributions. While independence of events is difficult to prove empirically, the distribution of events is typically assumed to be normal based on observation. Next the assumption must be made that the effects of these events are additive. This is easy to justify, as each phase shift caused by a jitter event persists indefinitely, and so the overall phase shift at any time is merely the sum of the previous phase shifts.

With these assumptions accounted for, the CLT can be applied. Let $X_1, X_2, \ldots, X_n$ be a sequence of independent identically distributed random variables representing jitter events, and $S_n = \sum_{i=1}^{n} X_i$ be their summation, then the CLT states that as $n \to \infty$ the distribution of $S_n$ approaches the normal (Gaussian) distribution. Furthermore, if each random variable $X_i$ has mean $\mu$ and standard deviation $\sigma$, the normal distribution which $S_n$ approaches will have mean $\mu n$ and standard deviation $\sigma\sqrt{n}$. This indicates that, should the assumptions hold, measured standard deviations of jitter should grow proportionally to $\sqrt{n}$.

3.2.2 Correlated Noise Sources

Unfortunately in practice jitter events are the result of both independent noise sources and correlated noise sources within a device. As a result of this correlation in jitter events, the standard deviation may also grow proportionally to $n$, rather than to $\sqrt{n}$. Hajimiri et al [6] have shown that both rates of growth can appear in circuits, with the $\sqrt{n}$ growth for shorter measurement periods and linear growth for longer measurement periods. On a log-log plot of $\sigma$ vs. measurement period ($\Delta T$) these growth rates appear as lines of slope 0.5 and 1 respectively.

Figure 8: Log-Log Plot of Standard Deviation vs. Measurement Period [6]

This result indicates that unless the independent noise source can be isolated from the correlated sources, the jitter measurements may be correlated when measured with $\Delta T$ beyond a certain value. It should be noted that the $\Delta T$ at which this shift occurs depends upon the particular technology on which the circuit is implemented.
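How the two growth rates of Sections 3.2.1 and 3.2.2 show up in accumulated data, as an added example (not from the report and not the model of [6]). The noise model is a constructed toy: each cycle's deviation is an independent 20 ps Gaussian term plus a 4 ps offset that stays fixed for blocks of 1024 cycles, standing in for a correlated source; all names and values are assumptions.

```python
import math
import random
import statistics


def deviations(cycles, sigma_indep, sigma_corr, block, seed):
    """Per-cycle period deviations X_i in ps: an independent term plus a
    correlated offset that is redrawn only every `block` cycles."""
    rng = random.Random(seed)
    out, offset = [], 0.0
    for i in range(cycles):
        if i % block == 0:
            offset = rng.gauss(0.0, sigma_corr)
        out.append(rng.gauss(0.0, sigma_indep) + offset)
    return out


def accumulated_sigma(x, n):
    """Standard deviation of S_n = X_1 + ... + X_n over non-overlapping windows."""
    sums = [sum(x[i:i + n]) for i in range(0, len(x) - n + 1, n)]
    return statistics.pstdev(sums)


def loglog_slope(x, ns):
    """Least-squares slope of log(sigma(S_n)) against log(n)."""
    lx = [math.log(n) for n in ns]
    ly = [math.log(accumulated_sigma(x, n)) for n in ns]
    mx, my = statistics.fmean(lx), statistics.fmean(ly)
    num = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    return num / sum((a - mx) ** 2 for a in lx)


SHORT = [1, 2, 4]           # short measurement periods, in cycles
LONG = [256, 512, 1024]     # long measurement periods, in cycles


def growth_slopes(seed=2005):
    cycles, block = 300 * 1024, 1024
    indep = deviations(cycles, 20.0, 0.0, block, seed)       # independent only
    mixed = deviations(cycles, 20.0, 4.0, block, seed + 1)   # plus correlated
    return {
        "independent_short": loglog_slope(indep, SHORT),
        "independent_long": loglog_slope(indep, LONG),
        "mixed_short": loglog_slope(mixed, SHORT),
        "mixed_long": loglog_slope(mixed, LONG),
    }


if __name__ == "__main__":
    for name, slope in growth_slopes().items():
        print(f"{name:>18}: slope {slope:.2f}")
```

With these constructed values the independent-only record gives slopes near 0.5 at both scales, while the mixed record moves from about 0.5 to about 1; the crossover sits near n = (20/4)^2 = 25 cycles.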

3.3 Experimental Analysis

3.3.1 Basic Jitter Statistics

Basic observations were taken of rings of length 57, 67, 79, 83, 101, and 151 inverters. As expected the period grew linearly with the number of inverters. A simple linear regression yielded:

$$P(x) = 1.734\times10^{-9}\,x + 5.155\times10^{-10}$$

where P(x) is the period, and x is the number of inverters. This is fairly close to previous test results on this platform. The standard deviation was also found to follow a linear trend. This could potentially be because the measurement periods were long enough for the correlated noise to significantly affect the results. With this in mind, a plot and linear regression for this data is presented in Figure 9.

Figure 9: Standard Deviation vs. Number of Inverters

3.3.2 N-Cycle Accumulation

The accumulation of jitter events is of particular interest because as the uncertainty due to their combined phase shifts grows it becomes easier to capture for use as an entropy source. One of the simplest methods of accumulation is simply increasing the sampling period. Measuring N-cycle jitter is analogous to measuring the jitter of the signal stepped down N-times (i.e. a signal with frequency f measured N-cycle would be similar to measuring a signal with frequency f/N cycle to cycle). In order to analyze the manner in which jitter accumulates via this method it was necessary to choose a couple of rings and conduct a large set of N-cycle tests on them. For this experiment, rings of length 67 and 101 inverters were chosen and tests were conducted with N ranging from 1 to 950, incremented at increasing rates.

Because the only known modes of growth for the standard deviation of jitter events were linear and $\sqrt{N}$, one or both of these were expected to be observed when these tests were applied. The results, however, were quite surprising. In Figure 10 the results are plotted for each ring.

Figure 10: N-Cycle Accumulations

Although the values do seem to be following a $\sqrt{N}$ growth pattern for smaller values of N, once N goes beyond 50 or so they wildly diverge and begin oscillating in a seemingly sinusoidal manner. A closer look at the first 50 cycles along with a $\sqrt{N}$ curve in Figure 11 shows that oscillations are present in the lower values as well, but their are relatively small in this range.

Figure 11: First Fifty Cycles

By examining a log-log plot of the data from one ring against the $\sqrt{N}$ curve from before in Figure 12, evidence that the oscillations may be based around a $\sqrt{N}$ curve can be seen. This could indicate that the standard deviation does indeed grow at the expected $\sqrt{N}$ rate and is being modulated by some noise source.

Figure 12: Log-Log plot of N-Cycle Data

Since the independent variable N is simply an abstraction of the time domain, it is relatively simple to convert back to it by multiplying N by the mean value of the period. Care must be taken to note that since each ring has a different period, its scaling will be handled differently. Once the data has been converted back to the time domain, the frequency of the noise oscillation can easily be determined. In Figure 13 and Figure 14 below the peaks of the sinusoidal oscillation in the time domain are shown for the 67- and 101-inverter ring respectively.

Figure 13: Period Measurements for 67 Inverter Ring

Figure 14: Period Measurements for 101 Inverter Ring

Taking the inverse of the difference of the two peak time values yields the frequency of the oscillations. In the 67-inverter ring the noise was calculated to be 15.117 kHz and in the 101-inverter ring 14.577 kHz. This seems to indicate that there is an external noise source somewhere around 15 kHz which is modulating the jitter events.

An interesting correlation between the observed histogram distributions of the N-cycle jitter tests and this 15 kHz modulation was observed in the course of data collection. Two distinct types of distributions were identified in the tests for larger values of N. While the standard deviation was increasing one type of distribution was seen, and another was seen while the value was decreasing. The histograms of several values of N are seen in Figure 15 (note: not to scale with one another), where these two distribution types can be identified.

Figure 15: N-Cycle Histogram Comparison for 67 Inverter Ring

Here the first type of distribution can be seen for N equal to 150, 450 and 500. The second type is seen for N equal to 250, 300, and 350. A quick look at Figure 10 shows that in the 67 inverter ring for N equal to 150, 400, 450 and 500 the standard deviation is increasing, while for N equal to 250, 300 and 350 it is decreasing. This pattern also appears upon inspection of other results. These varying distributions seem to be tied to the 15 kHz modulation and do not seem to be converging to a normal distribution, although it should be noted that central limit theorem convergence can be very slow.

While the modulation from an outside noise source is troublesome, the fact that it is modulating what appears to be a $\sqrt{N}$ growth function is good evidence that the central limit theorem may apply. Furthermore, since the jitter follows this function and not a linear function, the noise sources responsible for it are likely to be independent and not correlated when accumulated in this manner.

3.3.3 Jitter Density

To better understand the accumulation of jitter events, it became important to examine whether the method in which they are accumulated affects the distribution of the final accumulation. It was hypothesized that for a set number of inverter switching events and therefore a set number of jitter events the distribution of the final timing uncertainty would be identical regardless of the accumulation method. In order to test this hypothesis an experiment was designed using N-cycle testing to ensure that the same number of switching events was accumulated in different ways. First a ring with P inverters would be tested Q-cycle, then a ring with Q inverters would be tested P-cycle so that each set of test results would be the accumulation of P × Q jitter events. Making use of existing ring designs, a set of tests were done with rings of length 67, 79, 101 and 151 inverters. N-cycle testing was conducted on each ring where N was varied across the numbers of inverters in the other rings. Table 1 shows the resulting standard deviations from this set of tests.

Events   Ring / N-cycle                Std. dev. (ns)   Ring / N-cycle                Std. dev. (ns)
5293     67 Inverters / 79-Cycle       4.9523           79 Inverters / 67-Cycle       3.2538
6767     67 Inverters / 101-Cycle      7.8965           101 Inverters / 67-Cycle      4.459
7979     79 Inverters / 101-Cycle      5.6997           101 Inverters / 79-Cycle      5.4876
10117    67 Inverters / 151-Cycle      7.4659           151 Inverters / 67-Cycle      7.3099
11929    79 Inverters / 151-Cycle      8.8781           151 Inverters / 79-Cycle      8.756
15251    101 Inverters / 151-Cycle     10.486           151 Inverters / 101-Cycle     10.734

Table 1: Jitter Density Results

Although the results of the different accumulation techniques do not agree for smaller numbers of jitter events, they draw closer as the number of events grows. Based on this it is certain that the original hypothesis does not hold in its current form; however it may hold for sufficiently large numbers of jitter events. Why the choice of accumulation method affects the standard deviation so much for smaller numbers of events is unclear and perhaps merits further investigation.

3.3.4 Periodic Noise and Filtering

In the process of collecting measurements for this paper, several problems were encountered with deterministic noise. While there were deterministic noise sources at several frequencies, by far the most troublesome was a signal at 15 kHz that continued to drastically skew results. This was first encountered whilst taking TIE measurements in the TDSJIT3 application. Although the distribution of the collected data appeared somewhat normal, the plot of TIE vs. time showed a strong periodic modulation where random noise should have been appearing. While random noise was present, it was overpowered by the deterministic signal (see Figure 16: TIE Time Trend).

Figure 16: TIE Time Trend

A spectrogram was then generated in the application to help identify the periodic components present in the TIE measurements (Figure 17).

Figure 17: TIE Spectrogram

Several noise components can be identified via spectral analysis, but the dominant frequency can be clearly identified at 15 kHz. While the other components were certainly undesirable, the 15 kHz component was most vexing. Indeed, the 15 kHz noise appeared again modulating the deviations of N-cycle test results. This was found to be somewhat undesirable and various filtering methods were investigated.

Initially it was easiest to simply implement a software highpass filter within the jitter application itself to eliminate all the problematic low-frequency noise sources. This proved to be quite effective with a 3rd order 1 MHz highpass filter, turning the TIE time plot into the random noise it should have been (Figure 18). Better still, it removed a deterministic convolution resulting in a clean normal distribution of TIE measurements (Figure 19).

Figure 18: Filtered TIE Time Trend

Figure 19: TIE Histogram Improvement

Unfortunately this filtering was only useful for collecting a few types of measurements and could not be applied to the actual signal output. Due to time constraints it was deemed unfeasible to design and construct a hardware filter. Efforts to implement software filters on waveform captures obtained from the oscilloscope also proved fruitless as the filters distorted the waveform too much for useful measurements to be obtained from the output. Attempts were also made to emulate ideal filters by removing portions of the frequency spectrum and performing an inverse Fourier transform to generate a waveform free of deterministic noise. These attempts were unsuccessful in reproducing a recognizable waveform. Regrettably, further investigation into this line of experimentation was unable to proceed due to more pressing matters.

Ideally the noise sources could be isolated and removed from the system, because any filter applied to the signal will inevitably distort it. Theories regarding the ultimate source of the 15 kHz noise were that it may come from either a noisy power supply in the hardware setup or a CRT sweeping circuit, both of which are known to produce noise at this frequency and its harmonics. An attempt was made at exchanging the power supply used in the experimental setup; however, it did not seem to significantly alter results. The 115 kHz could very likely have come from a power regulator component on the FPGA board (EL7556ACM) which contained an oscillator whose operating range included this frequency.

3.4 Modeling

A simple idealized model of a signal with jitter events was developed using the SIMULINK package in MATLAB. This model consisted simply of a signal generator block and an output block to capture the waveform. The signal generator was set to generate a square wave the frequency of which was specified to have a jitter component. In order to generate a signal emulating a ring oscillator with jitter the frequency is set to a function of a random variable: $f(X_i) = \frac{1}{T + X_i}$ (where T is the period). In terms of SIMULINK and MATLAB, this is expressed as 1/(T + randn*σ) with T the period and σ the standard deviation of the ring being simulated. This technique provides a rather good model of the signal for its relative simplicity, as seen in Figure 20.

Figure 20: Signal / Model Comparison

Additionally, this model could easily be modified to incorporate deterministic noise by adding a periodic function into the denominator of the function.

A generalization of this method not requiring the use of SIMULINK software involves using a Fourier-series approximation and modulating its frequency with random and deterministic functions. Let F(t) be a Fourier-series approximation for the square wave of ideal period, d(t) be a function representing any deterministic noise to be accounted for in the system, and j(t) be a random function representing the phase-shift caused by jitter, then the signal can be modeled by f(t) = F(t + d(t) + j(t)). The random and deterministic functions serve to compress and expand the timescale of the waveform, imitating the minor phase-shifts caused by these sources.

One weakness of these methods is that the amount of random input in a real system may not be responsible for the entire standard deviation measured, and so basing the random function upon this variable is somewhat dangerous. However, so long as the major sources of deterministic noise are accounted for in the model, it is relatively simple to work backwards and modify the standard deviation which the random function is based upon until the total deviation of the model matches that of the system. Instead of having to deconvolve the distribution with the assumption that the random events are normally distributed as is done in Rj/Dj analysis, any more appropriate random distribution may be used to represent the jitter component.
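The work-backwards fit described above, as an added example (not code from the original report): N-cycle durations are modeled as N*T + σ·z + Δd, and σ is adjusted by bisection until the model's total deviation matches a measured one. The period, the amplitude of the 15 kHz tone, the true σ, all function names, the single-sinusoid form of d(t) and the treatment of per-period jitter as an accumulating sum are assumptions made for illustration.

```python
import math, random, statistics

T_NS = 20.0           # nominal ring period in ns (constructed value)
F_DET = 15e3 * 1e-9   # the 15 kHz tone, expressed in cycles per ns
A_DET = 2.0           # its timing amplitude in ns (constructed value)

def d(t_ns):
    """Deterministic timing shift d(t): one 15 kHz sinusoid."""
    return A_DET * math.sin(2 * math.pi * F_DET * t_ns)

def gauss_unit(rng):
    return rng.gauss(0.0, 1.0)

def uniform_unit(rng):  # zero-mean, unit-variance non-normal alternative
    return rng.uniform(-math.sqrt(3), math.sqrt(3))

def windows(n, m, draw=gauss_unit, seed=1):
    """For m back-to-back N-cycle windows return (z, dd): z[k] sums n unit
    jitter draws; dd[k] is the change in d(t) over window k (nominal edges)."""
    rng = random.Random(seed)
    z = [sum(draw(rng) for _ in range(n)) for _ in range(m)]
    span = n * T_NS
    dd = [d((k + 1) * span) - d(k * span) for k in range(m)]
    return z, dd

def ncycle_std(sigma, z, dd):
    """Std dev of the N-cycle durations N*T + sigma*z + dd (N*T is constant)."""
    return statistics.pstdev([sigma * zk + dk for zk, dk in zip(z, dd)])

def fit_sigma(target_std, z, dd, hi=10.0, iters=40):
    """Bisect on the per-period sigma until the model matches target_std."""
    if target_std <= ncycle_std(0.0, z, dd):
        raise ValueError("measured deviation is below the deterministic floor")
    lo = 0.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if ncycle_std(mid, z, dd) < target_std else (lo, mid)
    return (lo + hi) / 2

def demo(n=79, m=2000, sigma_true=0.05):
    z, dd = windows(n, m, seed=1)        # constructed "measurement"
    measured = ncycle_std(sigma_true, z, dd)
    naive = measured / math.sqrt(n)      # blames all deviation on jitter
    fitted = fit_sigma(measured, *windows(n, m, seed=2))
    return measured, naive, fitted

if __name__ == "__main__":
    print("measured %.4f ns, naive sigma %.4f ns, fitted sigma %.4f ns" % demo())
```

With sigma set to zero, `ncycle_std` returns only the deterministic contribution, which cannot exceed 2*A_DET however large N is, while the sigma term grows as √N. Passing `draw=uniform_unit` to `windows` repeats the fit without the normality assumption.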

4 Future Work

Several ideas and questions arose during the course of this project which could not be undertaken in the time allotment, but may warrant further investigation. The idea for an N-cycle state machine design was a promising idea which may lead to a practical sampling technique; however, certain design obstacles must first be overcome. Although the design seemed to be working properly, problems were encountered with the actual accumulation that made it not practical for use in testing. This problem possibly arose from the placement of the state machine in the floorplanning. Should it be rectified the design may work as intended. One other weakness of this design was that it could only generate outputs for an even value of N.

While the deterministic noise was problematic, a real-world implementation scheme would still include the possibility of an attacker using deterministic noise to bias the circuit. For this reason it should be important to investigate the ability of post-processing to still generate a random output from the underlying source of entropy. This would allow a final design to both account for deterministic noise inherent in its design as well as possibly define tolerances for noise inserted by an attacker.

A final idea involves the use of the empirical model in conjunction with spectral analysis to develop an alternative method for separation of random jitter from deterministic noise. In current applications of “Rj/Dj decomposition” in software a deconvolution integral is used based upon the assumption that jitter is normally distributed. However, since jitter is likely the result of physical phenomena such as shot noise, which does not follow a normal distribution but rather a Poisson distribution, this current technique may be inadequate for accurately gauging the amount of random noise present. The proposed method involves identifying the frequency and of deterministic noise sources present in the testing environment and then accounting for them in the model. When this is done, it will allow one to tweak the properties of the random component of the model until the distribution of its output matches that of the measured waveform. This may make it possible to investigate whether jitter truly follows a normal distribution.

5 Conclusion

In the process of investigating the feasibility of jitter as an entropy source, numerous problems were encountered with deterministic noise overpowering the entropy of the circuit. Previous projects concluded that the entropy source was external to the ring design; however, the noise seen there was the same deterministic noise seen here.

Although results indicated that the output from this scheme was normally distributed and random, this was likely due to accumulation of events via the central limit theorem. In this project the deterministic noise was isolated and the underlying entropy being amplified by the ring design was observed. This provides good evidence that jitter is indeed an entropy source, although its contribution to the total timing uncertainty in the test setup is very small. However, because deterministic noise is bounded, large sampling periods allow the unbounded jitter to accumulate and its entropy to be more easily collected. For this reason some stepped-down frequency sampling scheme analogous to N-cycle testing seems to be ideal for capturing a maximal amount of the underlying entropy in the circuit, despite whatever deterministic modulations may interfere. The prospects for using jitter as an entropy source for a TRNG seem very promising, assuming an appropriate sampling and post-processing scheme is implemented to account for deterministic interference.

References [1] B. Jun and P. Kocher, "The Intel Random Number Generator," Cryptography Research, Inc., San Fransisco, California, 1999.

[2] W. Killman and W. Schindler, "A proposal for: Functionality classes and evaluation methodology for true (physical) random number generators," Version 3.1, Bonn, Germany, 2001.

[3] Tektronix Inc., “A Guide to Understanding and Characterizing Timing Jitter,” http://www.tektronix.com/jitter, 2002.

[4] van der Zeil, Aldert. Noise in Solid State Devices and Circuits, John Wiley and Sons, New York, 1986.

[5] Wavecrest Corporation, “Understanding Jitter,” 2001

[6] Hajimiri, Limotyrakis, and Lee. “Jitter and Phase Noise in Ring Oscillators” IEEE Journal of Solid-State Circuits Vol. 34. No. 6. June 1999.

[7] Agilent Techologies, Inc., “Jitter analysis: The dual-Dirac model, RJ/DJ, and Q-scale,” http://www.home.agilent.com, 2004.

36