A Hardware Random Number Generator

Thomas Tkacik, Motorola

TET 8/14/2002 CHES2002, Rev 0.1

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. Motorola, Inc. 2002.

Desired Properties of Random Numbers

Unpredictable Lack of bias Bit Independence Nonrepeatable Long cycle length

RNG Block Diagram

Oscillator 1

43 bit LFSR
32 bit select

32 bit select

Oscillator 2

37 bit CASR

Linear Feedback Shift Register

43 bit LFSR Characteristic polynomial

X43 + X41 + X 20 + X + 1 Cycle length = 243 - 1

-43
Oscillator 1

Maximal length

There is a slight bias

Bias ~ 2

43 bit LFSR
32 bit select

32 bit select Oscillator 2

37 bit CASR

Cellular Automata Shift Register

37 bit CASR CA90 ai(t+1) = ai-1(t) ^ ai+1(t) CA150 ai(t+1) = ai-1(t) ^ ai(t) ^ ai+1(t) CA150 is at bit 28, CA90 used elsewhere Maximal length

Cycle length = 237 - 1 Bias ~ 2-37

Oscillator 1

43 bit LFSR
32 bit select

There is a slight bias

32 bit select Oscillator 2

37 bit CASR

LFSR and CASR Combination

Combination is formed by permuting and XORing 32 bits of LFSR and CASR The combination has a cycle length of

Cycle length = 280 - 243 - 237 + 1 Bias ~ 2-80

Oscillator 1

The bias is reduced to

43 bit LFSR
32 bit select

32 bit select Oscillator 2

37 bit CASR

State-Time Diagram for LFSR, CASR and Combined Generator

Time

Oscillator 1

43 bit LFSR
32 bit select

32 bit select

LFSR

CASR

Combination

37 bit CASR

DIEHARD Results for LFSR, CASR and Combined Generator

Osc 1

43 bit LFSR

Osc 2

37 bit CASR

Summary
A Hardware Random Number Generator composed of simple components

43 bit LFSR 37 bit CASR Oscillators frequencys vary with voltage and temperature State registers are not reset at power-up

Written as RTL

The oscillators have instantiated inverters

The oscillator clocks can be turned off for low power applications