Reconfigurable ADC/True-RNG for Secure Sensor Networks

Sergio Callegari*, Riccardo Rovatti#, Gianluca Setti§

* ARCES and DEIS, University of Bologna, Forlì, Italy ([email protected])
# ARCES and DEIS, University of Bologna, Bologna, Italy ([email protected])
§ DI, University of Ferrara, Italy and ARCES, University of Bologna, Italy ([email protected])

Abstract— A novel circuit configurable either as an Analog to Digital Converter (ADC) or as a true Random Number Generator (RNG) is presented. The architecture derives from pipeline ADCs and its operating mode can be changed on the fly. When used as an ADC, it matches the performance of normal pipeline converters; otherwise it is capable of tens of random Mbit/s and of passing standard randomness tests, including NIST SP800-22, as proved by extensive simulation. Applications include (wireless) sensor networks, where RNGs represent an indispensable primitive in the implementation of many security schemes. Since the strength of cryptographic techniques depends on the unpredictability of the RNGs they employ, it has recently been proposed that security related applications should favor true-RNGs over pseudo-RNGs. With sensor interfaces always including ADCs, the proposed technique makes a true-RNG available at sensor nodes at virtually no hardware/power consumption cost.

I. INTRODUCTION

Sensor Networks (SNs) and Wireless Sensor Networks (WSNs) can be invaluable in many applications to collect, process, and disseminate wide ranges of complex environmental data. Their ambitious aim is to join sensing, computing, and communication capabilities. Consequently, typical sensor nodes comprise at least four subsystems, as shown in figure 1: a processing unit (e.g. microcontroller, DSP or microprocessor); a communication unit (e.g. a short range RF transceiver for wireless communication); a sensor/actuator unit (linking the node to the physical world and connected to the processing unit by its ADCs); and a power supply unit (possibly including batteries, e.g. for autonomous operation of wireless nodes). Clearly, important requirements in the quest for SNs are: 1) the ability to tightly integrate the above elements to enable low-cost production of tiny sensor nodes; 2) the ability to operate on frugal energy budgets, particularly when battery operation determines sensor node lifetimes; 3) the ability to guarantee data security, as the individual sensor nodes are typically anonymous and communicate over unconfined (wireless or merely unsupervised) links [1]. The above requirements are inherently in conflict. Specifically, security measures require more code to be run (cryptographic algorithms), more data transfers (the overheads of secure communication protocols), and possibly additional specific hardware, thus impacting both the power and the part-list budget. In this regard, it is worth mentioning that cryptographic techniques depend on the availability of fast, reliable RNGs, which can be regarded as fundamental cryptographic primitives. For instance, random numbers are inherent in algorithms such

0-7803-9056-3/05/$20.00 © 2005 IEEE.

Fig. 1. Subsystems of a typical sensor node (figure not reproduced; blocks shown: processing unit; sensing unit with ADC, receiving external stimuli; communication unit with transceiver, on an external link; power supply unit).

as the DSA, in the synthesis of confidential keys, and in many communication protocols [2]. Typically, RNGs are implemented in software as pseudo-RNGs (thus at no impact on the part-list budget). However, the ability of cryptographic techniques to foil pattern analysis is critically dependent on the unpredictability of the RNGs they employ [3]. Since pseudo-RNGs are by definition finite state machines expanding an initial seed into long irregular sequences, they can actually offer no real unpredictability. Consequently, they have recently been deprecated as potentially insecure by major actors in information technology [3], [4]. Clearly, SNs and WSNs would be better served by true-RNGs, but these typically have a prohibitive cost for sensor nodes. The reason lies in their conventional implementation as physical RNGs exploiting thermal noise or other irregular processes inherent in electronic components. Not only does a physical RNG require a further subsystem to be added to those of figure 1: its nature makes it tightly bound to low-level technological details. As such, physical RNGs are often slow, hard to design, hard to integrate at the sensor node and hard to optimize for energy consumption. Here, we present a novel approach that makes it affordable to design secure sensor nodes including true-RNGs. The proposal is based on a building block capable of operating either as an ADC or as a true-RNG, being reconfigurable on the fly. When this block is substituted for the ADC in figure 1, true random number generation can be obtained without any extra subsystem: the impact on the part-list and energy budget is thus virtually canceled. The approach is based on chaotic dynamics and delivers higher throughput than most physical RNGs. When operated as an ADC, the proposed block has virtually no penalty with respect to conventional pipeline ADCs.

II. ON-THE-FLY RECONFIGURABLE ADC/RNG

Figure 2 shows a block diagram of the analog core of the proposed circuit, which derives from a recent chaos-based RNG built upon the stages of a pipeline ADC [5], [6]. As visible, the circuit is composed of $k$ identical units built as the typical fractional-resolution stages of conventional pipeline ADCs using Redundant Sign Digit (RSD) coding [7, chapter 3]. Each stage comprises a coarse sub-ADC, a corresponding sub-Digital to Analog Converter (DAC), a gain block and a sample-and-hold (S/H) circuit. Each stage has an analog input, an analog output and an $(m + r)$-bit digital output $X_i = (X_{i,0}, \ldots, X_{i,m+r-1})$, where $m$ is the effective stage resolution and $r$ is the stage redundancy (1 for stages employing RSD coding). Here, for simplicity, only the case $m = 1$, $r = 1$ is considered (also known as 1 + 1/2 bit-per-stage), even if a generalization to arbitrary $m$ is easy to obtain.

Fig. 2. Analog signal processing chain of the proposed ADC/RNG circuit. An even number of identical stages is controlled by opposite clock phases (figure not reproduced; elements shown: input $V_{in}$, per-stage S/H, sub-ADC, sub-DAC, summing node Σ and gain block, clock phases A and B, pass transistors driven by the C/G control signal, stage outputs $(X_{1,0}, \ldots, X_{1,m})$, $(X_{2,0}, \ldots, X_{2,m})$, ..., $(X_{k,0}, \ldots, X_{k,m})$).

Thanks to the pass transistors, the control signal C/G can be used to select the desired operating mode. Particularly:

C (convert) signal asserted: the left pass transistor is closed and the top one is open, so that the circuit stages are cascaded and the architecture of a conventional pipeline ADC becomes recognizable. To complete the ADC, the digital output vectors $X_i$ need to be passed to a Digital Correction Logic (DCL) block which assembles them to deliver an overall $(m \cdot k + 1)$-bit conversion output $B = (B_0, \ldots, B_{m \cdot k})$ (a signed number).

G (generate) signal asserted: the left pass transistor opens and the top one closes, making the system autonomous, with the stages organized in a loop.

For further details on the ADC operating mode, which follows well established lines, the reader is invited to check the scientific and technical literature [7]–[9]. Conversely, the RNG operating mode is less obvious and deserves consideration. In this condition, the system is equivalent to that in figure 3, where the input-output relationships of the pipeline ADC stages are made evident together with the delays introduced by the synchronous operation. For each stage $i$, one has:

$$\begin{cases} u_{i,n} = M(v_{i,n}) & \text{stage analog-input to analog-output} \\ X_{i,n} = Q(v_{i,n}) & \text{stage analog-input to digital-output} \\ v_{i,n} = u_{i-1,n-1} & \text{stage delay} \end{cases} \qquad (1)$$

Fig. 3. Simplified view of the architecture of figure 2 when G is asserted (figure not reproduced; elements shown: two-phase input clocks A and B; stages $1, \ldots, k$ each computing $u_{i,n} = M(v_{i,n})$ and $X_{i,n} = Q(v_{i,n}) = (X_{i,0}, \ldots, X_{i,m})_n$; delay elements Δ closing the loop so that $v_{1,n} = u_{k,n-1}$, $v_{2,n} = u_{1,n-1}$, ..., $v_{k,n} = u_{k-1,n-1}$).

where $u_{i,n}$ is the stage $i$ input at timestep $n$, $v_{i,n}$ is the stage $i$ internal state at time $n$, $X_{i,n}$ is the $m$-bit binary array representing the digital output of stage $i$ at time $n$, and the operation $i - 1$ is in modular arithmetic, i.e. if there are $k$ stages, for $i = 1$ one has $i - 1 \equiv k$. By definition, all $u_{i,n}$ and $v_{i,n}$ span the same range. Let us now introduce a normalization function $f$ taking this range into $[-1, 1]$, namely $f(v_{i,n}) \in [-1, 1]$, and apply a couple of simple substitutions:

$$\begin{cases} \underline{x}_{i,n} = f(v_{i+n,n}) \\ \underline{X}_{i,n} = X_{i+n,n} \end{cases} \qquad (2)$$

where the subscript operations $i + n$ should again be taken in modular arithmetic. One gets:

$$\begin{cases} \underline{x}_{i,n+1} = f(v_{i+(n+1),n+1}) = f(u_{i+n,n}) = f(M(v_{i+n,n})) = f(M(f^{-1}(\underline{x}_{i,n}))) = \underline{M}(\underline{x}_{i,n}) \\ \underline{X}_{i,n} = Q(v_{i+n,n}) = Q(f^{-1}(\underline{x}_{i,n})) = \underline{Q}(\underline{x}_{i,n}) \end{cases} \qquad (3)$$

where $\underline{M}$ and $\underline{Q}$ are normalized versions of $M$ and $Q$ respectively. In other terms, the substitution (2) reveals the nature of the system (1) as an array of $k$ uncoupled, 1st order, 1-D, nonlinear systems whose outputs shift one stage to the right at each timestep. To further understand the system behavior, one needs to look at the nature of the functions $M$ and $Q$. As an example, figure 4 shows a possible switched capacitor implementation of a 1 + 1/2 bit ADC stage, as recently proposed in the literature [8].

Fig. 4. A possible switched capacitor implementation of the stages in the schematic of figure 2. Here, the S/H is implied by the switched capacitor operation (figure not reproduced; elements shown: analog IN ($u_{i-1}$), capacitors C1 and C2, switches Sw1, Sw2, Sw3 driven by $\Phi_A$ if $i$ is odd and $\Phi_B$ if $i$ is even, comparators CMP1 and CMP2 with thresholds $V_R/4$ and $-V_R/4$, a latch, a MUX selecting $V_R$, 0 or $-V_R$, op-amp OA1, analog OUT ($u_i$), digital OUT $X_{i,1}$, $X_{i,0}$).

Here, $X_{i,0,n} = 1$ if $u_{i-1,n-1} > -V_R/4$ and $X_{i,1,n} = 1$ if $u_{i-1,n-1} > +V_R/4$, where $V_R$ is a reference voltage. The capacitor ratio C1/C2 is unitary, so that $u_{i,n} = 2u_{i,n-1} + V_{off}$, where $V_{off}$ is $-V_R$ if $X_{i,n} = (0, 0)$, $+V_R$ if $X_{i,n} = (1, 1)$ and 0 otherwise. The resulting $\underline{M}$ and $\underline{Q}$ are thus as in figure 5. These functions occur for any 1 + 1/2 bit-per-stage converter and are not specific to the stage in figure 4.

Fig. 5. State update and output function relative to the model defined in equation (3) (figure not reproduced; left panel: $\underline{x}_{i,n+1} = \underline{M}(\underline{x}_{i,n})$, piecewise affine with breakpoints at $\pm 1/2$ and values spanning $-1$ to $+1$; right panel: $\underline{X}_{i,n} = \underline{Q}(\underline{x}_{i,n})$ taking the values (0,0), (1,0), (1,1)).

The shape of $\underline{M}$ is such that it is a measure preserving and exact map, following the definitions in [10]. Hence systems based on its recursive application, such as $\underline{x}_{i,n} = \underline{M}(\underline{x}_{i,n-1})$ in (3), show chaotic behavior. Furthermore, $\underline{M}$ is a Piece-Wise Affine Markov (PWAM) map, this property implying that such chaotic behavior embeds a symbolic dynamics representable by a Markov chain [11]. Leaving out some details (that can anyway be found in [5], [11]), it is here worth mentioning that the symbols of such dynamics are associated with the existence of an interval partition $P$ of the domain $[-1, 1]$ such that: 1) $\underline{M}$ is affine on every interval $I_j$ of $P$; 2) partition points are mapped by $\underline{M}$ into partition points. It is evident that for the particular $\underline{M}$, there are 4 partition intervals $I_0 = [-1, -1/2[$, $I_1 = [-1/2, 0[$, $I_2 = [0, 1/2[$, and $I_3 = [1/2, 1]$. One follows the symbolic dynamics by looking at the presence of the state variable $\underline{x}_i$ in the various $I_j$ and by associating symbols (e.g. "A", "B", etc.) to such conditions. It can be proved that the probability of hopping from $I_a$ into $I_b$ between timesteps $n$ and $n + 1$ is given uniquely by the fraction of $I_a$ that is mapped into $I_b$ by $\underline{M}$. Hence, the symbolic dynamics of $\underline{M}$ is represented by the Markov chain in figure 6.

Fig. 6. Markov chain embedded in the map $\underline{M}$ of figure 5 (figure not reproduced; states: "A" for $\underline{x}_i \in I_0$, "B" for $\underline{x}_i \in I_1$, "C" for $\underline{x}_i \in I_2$, "D" for $\underline{x}_i \in I_3$; every transition drawn has probability ½).

Fig. 7. Markov chain describing the dynamics of the $\underline{C}_i$ variables and equivalence to the coin toss chain (figure not reproduced; states $\underline{C}_i = 1$ and $\underline{C}_i = 0$ with all transitions of probability 1/2, side by side with the "head"/"tail" chain, also with transitions of probability 1/2).

It is worth noticing that the quantized outputs $\underline{X}_i$ are strictly related to the states of the above chain. Particularly, the system is in state "A" if $\underline{X}_i = (0, 0)$; in state "B" or in state "C" if $\underline{X}_i = (0, 1)$; in state "D" if $\underline{X}_i = (1, 1)$. With this, it can easily be proved that the evolution of the quantity $\underline{C}_i = \underline{X}_{i,0} \oplus \underline{X}_{i,1}$ (where $\oplus$ indicates exclusive or) can also be represented by a Markov chain, precisely that in figure 7 [5], [6].
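The following Python model is an added example, not code from the paper or its authors. It implements the normalized stage map $\underline{M}$ and output function $\underline{Q}$ of figure 5, computes the transition probabilities of the Markov chain of figure 6 exactly from the "fraction of $I_a$ mapped into $I_b$" rule, and then simulates $k$ uncoupled stages to check the coin-toss behaviour of $\underline{C}_i = \underline{X}_{i,0} \oplus \underline{X}_{i,1}$ and the absence of correlation between stages. It assumes the standard 1 + 1/2-bit residue map drawn in figure 5, in which the sub-DAC offset keeps the residue inside $[-1, 1]$; the tiny dither, the stage count, the step count and the seed are the example's own choices.

```python
# Added example (not from the paper): normalized 1+1/2-bit stage map M and output
# function Q of figure 5, the Markov chain of figure 6 and the coin-toss chain of
# figure 7 for C_i = X_i0 XOR X_i1.
# Assumption: the residue map is the standard one drawn in figure 5, with the
# sub-DAC offset chosen so that M maps [-1, 1] onto itself.
from fractions import Fraction
import random

# Partition P of [-1, 1] into I0..I3 (symbols A..D), as in the paper.
PARTITION = [(Fraction(-1), Fraction(-1, 2)), (Fraction(-1, 2), Fraction(0)),
             (Fraction(0), Fraction(1, 2)), (Fraction(1, 2), Fraction(1))]
# Offset added by the sub-DAC on each interval (the slope is 2 everywhere).
OFFSETS = [Fraction(1), Fraction(0), Fraction(0), Fraction(-1)]

def Q(x):
    """Normalized output: X0 = [x >= -1/2], X1 = [x >= 1/2] (thresholds +-V_R/4)."""
    return (int(x >= -0.5), int(x >= 0.5))

def M(x):
    """Normalized state update: 2x plus the offset selected by Q(x)."""
    x0, x1 = Q(x)
    offset = {(0, 0): 1.0, (1, 0): 0.0, (1, 1): -1.0}[(x0, x1)]
    return 2.0 * x + offset

def transition_matrix():
    """P[a][b] = fraction of I_a mapped into I_b by M, computed exactly.

    M is affine with slope 2 on I_a, so the image is an interval of twice the
    length, and the fraction landing in I_b is overlap / image length."""
    P = []
    for (lo, hi), off in zip(PARTITION, OFFSETS):
        img_lo, img_hi = 2 * lo + off, 2 * hi + off
        row = []
        for blo, bhi in PARTITION:
            overlap = max(Fraction(0), min(img_hi, bhi) - max(img_lo, blo))
            row.append(overlap / (img_hi - img_lo))
        P.append(row)
    return P

def simulate(k=8, steps=20000, noise=1e-9, seed=1):
    """Run k uncoupled normalized stages (the array of 1-D systems of eq. (3))
    and return the k streams C_i,n = X_i0 XOR X_i1.

    The dither stands in for analog noise; without it, float arithmetic makes
    the doubling map lose one bit per step and collapse onto a fixed point after
    about 53 iterations, which a real analog stage never does."""
    rng = random.Random(seed)
    x = [rng.uniform(-1, 1) for _ in range(k)]
    C = [[] for _ in range(k)]
    for _ in range(steps):
        for i in range(k):
            x0, x1 = Q(x[i])
            C[i].append(x0 ^ x1)
            x[i] = min(1.0, max(-1.0, M(x[i]) + rng.uniform(-noise, noise)))
    return C

def coin_toss_stats(bits):
    """(P[C=1], P[C_{n+1}=1 | C_n=0], P[C_{n+1}=1 | C_n=1]); all ~1/2 for a fair coin."""
    nxt = {0: [], 1: []}
    for a, b in zip(bits, bits[1:]):
        nxt[a].append(b)
    return (sum(bits) / len(bits),
            sum(nxt[0]) / len(nxt[0]),
            sum(nxt[1]) / len(nxt[1]))

def cross_correlation(ca, cb):
    """Sample correlation between two stages' streams (~0: the stages are uncoupled)."""
    n = len(ca)
    ma, mb = sum(ca) / n, sum(cb) / n
    cov = sum((a - ma) * (b - mb) for a, b in zip(ca, cb)) / n
    va = sum((a - ma) ** 2 for a in ca) / n
    vb = sum((b - mb) ** 2 for b in cb) / n
    return cov / (va * vb) ** 0.5

if __name__ == "__main__":
    for sym, row in zip("ABCD", transition_matrix()):
        print(sym, [str(p) for p in row])
    C = simulate()
    print("stage 1 (P[1], P[1|0], P[1|1]):", coin_toss_stats(C[0]))
    print("corr(stage 1, stage 2):", cross_correlation(C[0], C[1]))
```

The transition matrix comes out as rows A and B going to {A, B} with probability ½ each and rows C and D going to {C, D}, which is exactly figure 6; since $\underline{C}_i = 1$ in B and C and 0 in A and D, every row gives $\underline{C}_i$ the next value 0 or 1 with probability ½ regardless of the current one, which is the coin-toss chain of figure 7. The simulated conditional frequencies reproduce this within sampling error.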

Since the Markov chain is identical to that modeling the dynamics of an ideal coin toss, from the above it is obvious and formally proved that for each $i$ the bit streams $\underline{C}_{i,n}$ are perfectly random, i.e. they have a balanced distribution and $\underline{C}_{i,\tilde{n}}$ is independent from $\underline{C}_{i,\hat{n}}$ for every $\tilde{n}$ and $\hat{n}$ [5], [6], [12]. Furthermore, given that the $k$ dynamical systems in equation (1) have no reciprocal coupling, there are $k$ chaotic systems independent from each other. Thanks to the property that independent chaotic systems like the one being considered have trajectories diverging from each other at an exponential rate [11], in normal operating conditions $\underline{C}_{i,n}$ must also be independent from $\underline{C}_{j,n}$ for every $i$, $j$. This completes the formal proof that in ideal conditions the binary words $\underline{C}_n = (\underline{C}_{1,n}, \ldots, \underline{C}_{k,n})$ are perfectly random. Let us now abandon the variables introduced for notational convenience and denoted by an underline, and go back to the real circuit quantities. Particularly, consider the introduction of a combinational logic block called Markov State Recognition Logic (MSRL) to compute for every $i = 1, \ldots, k$ the quantity $C_i = X_{i,0} \oplus X_{i,1}$, in order to obtain a binary word $C = (C_1, \ldots, C_k)$. The relationship between $C_n$ and $\underline{C}_n$ is worth considering: thanks to the way in which the convenience underlined variables were introduced in equation (2), $C_n$ is clearly a time-varying permutation of $\underline{C}_n$. Hence, in ideal conditions $C_n$ is also a perfectly random digital stream. In the last sentence, the requirement of ideal conditions deserves some consideration. The above formal proof that the analog pipeline of figure 2 can generate perfectly random bitstreams is clearly valid only if the pipeline blocks follow their nominal behavior. In practice, this condition cannot be strictly met, as analog parts inevitably deviate from their specifications. In this case, it can be experimentally verified that only minor residual bias and correlations come to affect the $C_n$ stream.
These can be easily removed by the introduction of a De-bias De-correlation Logic (DBDCL) block, capable of scrambling the output data and possibly of applying some decimation to it. Depending on the robustness to parameter deviations that one wants to achieve and on the amount of residual correlation that can be tolerated, the DBDCL complexity may vary. In any case the DBDCL can always remain very lightweight thanks to the fact that the output of the MSRL always conserves a very high quality. As an example, we have considered algorithms as simple as the parity computation of groups of 4 bits. With the introduction of the MSRL and the DBDCL, the overall architecture of the digital part of the proposed building block is as shown in figure 8. The multiplexer enables the selection of a data path comprising either a DCL for operation as an ADC or an MSRL and a DBDCL for operation as an RNG.
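The digital path of figure 8 in RNG mode, as an added example that is not part of the paper: the MSRL computes $C_i = X_{i,0} \oplus X_{i,1}$ from each stage's output word, and the DBDCL here is the simplest variant the paper mentions, the parity of groups of 4 consecutive bits (decimation by 4). To show what the parity stage buys, the block feeds it a constructed stream of independent bits with a deliberate bias of 0.1; that source is a stand-in chosen for the example and is not a model of the circuit's residual non-idealities, which the paper describes as minor.

```python
# Added example (not from the paper): MSRL and DBDCL of figure 8 in RNG mode.
# The biased source below is constructed for illustration, not a circuit model.
import random

def msrl(stage_words):
    """Markov State Recognition Logic: stage_words is a list of k pairs
    (X_i0, X_i1), one per stage; returns the k-bit word C = (C_1, ..., C_k)."""
    return [x0 ^ x1 for (x0, x1) in stage_words]

def dbdcl(bits, group=4):
    """De-bias De-correlation Logic: parity (XOR) over non-overlapping groups of
    `group` bits, i.e. decimation by `group`. Leftover bits are discarded."""
    out = []
    for j in range(0, len(bits) - group + 1, group):
        p = 0
        for b in bits[j:j + group]:
            p ^= b
        out.append(p)
    return out

def rng_output(frames, group=4):
    """Full RNG-mode digital path: frames is a list of successive k-word stage
    outputs; the MSRL words are concatenated in time order, then debiased."""
    raw = []
    for frame in frames:
        raw.extend(msrl(frame))
    return dbdcl(raw, group)

def bias(bits):
    """P(1) - 1/2 of a bit stream (0 for a balanced stream)."""
    return sum(bits) / len(bits) - 0.5

def expected_parity_bias(delta, group=4):
    """Piling-up lemma: for independent bits with P(1) = 1/2 + delta, the parity
    of `group` bits has P(1) = (1 - (-2*delta)**group) / 2. For group = 4 the
    bias shrinks from delta to -8*delta**4."""
    return (1 - (-2 * delta) ** group) / 2 - 0.5

def biased_source(n, delta, seed=7):
    """Constructed stand-in for an MSRL output stream with residual bias delta."""
    rng = random.Random(seed)
    return [int(rng.random() < 0.5 + delta) for _ in range(n)]

def demo(delta=0.1, n=100000):
    """Return (raw bias, bias after DBDCL, analytic expectation)."""
    raw = biased_source(n, delta)
    return bias(raw), bias(dbdcl(raw)), expected_parity_bias(delta)

if __name__ == "__main__":
    print("MSRL on (0,0),(1,0),(1,1),(0,1):", msrl([(0, 0), (1, 0), (1, 1), (0, 1)]))
    raw_b, clean_b, exp_b = demo()
    print("raw bias %.4f -> after parity-of-4 %.4f (expected %.4f)" % (raw_b, clean_b, exp_b))
```

The parity of four independent bits with bias δ has bias −8δ⁴ (0.1 becomes 0.0008), which is why a very light DBDCL suffices when the MSRL output is already close to ideal; correlated residuals are not reduced as strongly by this construction, which is the reason the paper ties the DBDCL complexity to the tolerated residual correlation.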

Fig. 8. Basic arrangement of the digital blocks processing the outputs of the analog chain of figure 2. In RNG mode, the output line $Y_{k+1}$ is unused (figure not reproduced; elements shown: stage outputs $(X_{1,0}, \ldots, X_{1,m})$, $(X_{2,0}, \ldots, X_{2,m})$, ..., $(X_{k,0}, \ldots, X_{k,m})$ feeding both the DCL, which produces $(Y_{ADC,1}, \ldots, Y_{ADC,k+1})$, and the MSRL, which produces $C = (C_1, \ldots, C_k)$ for the DBDCL, which produces $(Y_{RNG,1}, \ldots, Y_{RNG,k})$; a multiplexer controlled by C/G selects which of the two reaches the outputs $Y_1, Y_2, Y_3, \ldots, Y_k, Y_{k+1}$).

III. RESULTS AND CONCLUSIONS

The building block described in the above sections has been extensively simulated. The design was based on the stages of figure 4 and on the circuit solutions proposed in [8], employing 8 stages. As such, the circuit in ADC mode can operate at over 15 Mbit/s, with a 9-bit final resolution (8 data bits + 1 sign bit), which is surely suitable for most sensor nodes. When operation as an ADC is not needed, the circuit can be switched to its RNG mode. For this operating mode a DBDCL based on parity checking was employed, decimating the throughput by 4. Hence, the circuit in RNG mode is capable of over 28 random Mbit¹ per second.

Since the circuit with ideal components can always operate as an ideal RNG, quality assessment needs to be carried out by Monte Carlo analysis and yield evaluation. In practice, one runs Monte Carlo tests on the circuit, randomly varying the parameters of its analog building blocks, and checks the fraction of circuits which are able to deliver true random numbers according to a randomness test suite. Table I illustrates the results of the proposed analysis for 1000 Monte Carlo tests, carried out with very large deviations of the system parameters. The first column reports the various tests in the NIST SP800-22 suite [13], and the second column reports the yield as defined above². The third column is a further statistical indicator alternative to yield, deriving from the NIST SP800-22 suite. Details about the setup of the Monte Carlo tests are hard to summarize, and the reader is invited to check [5] for a deeper view. In any case, simulations indicate the ability of the proposed building block to correctly operate as a reconfigurable ADC/true-RNG.

¹ Here, 1 Mbit = 2^20 bit.
² In fact, in yield computations, circuits incapable of operating correctly as ADCs were not considered. With this, the yield number reported in the column is the fraction of circuits correctly operating as ADCs which can also correctly operate as RNGs.

TABLE I. ESTIMATED YIELD FOR THE 15 TESTS IN THE NIST SP800-22 TEST SUITE. THE ACCEPTABLE YIELD MEASURE FOR THE 1000 BIT STRINGS TESTED SHOULD LIE IN [0.981, 0.999]. U-VALUES ABOVE 10^-4 ARE CONSIDERED ACCEPTABLE. THE SYSTEM ALSO PASSES THE NIST FIPS TESTS. FURTHERMORE, IN IDEAL CONDITIONS A FORMAL PROOF OF THE SYSTEM OPERATION AS A TRUE-RNG CAN BE PROVIDED.

SP800-22 test          yield   U-value
Frequency              0.991   0.185
Block Frequency        0.992   0.631
Runs                   0.996   0.612
Longest Runs           0.987   0.377
Matrix Rank            0.989   0.585
Spectral               0.994   0.00974
NOT Matching           0.989   0.504
OT Matching            0.988   0.492
Universal              0.983   0.627
Lempel-Ziv             0.989   0.000306
Linear Complexity      0.990   0.596
Serial                 0.995   0.369
Approximate Entropy    0.991   0.518
Cumulative Sums        0.991   0.516
Random Excursion       0.994   0.968

REFERENCES

[1] J. Hubaux, L. Buttyan, and S. Capkun, "The quest for security in mobile ad hoc networks," in Proceedings of MobiHoc'01, 2001.
[2] J. A. Menezes, P. C. Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. New York: CRC International Press, 1997.
[3] D. E. Eastlake, S. D. Crocker, and J. I. Shiller, "RFC 1750: Randomness recommendations for security," in Internet Society Request for Comments. Internet Engineering Task Force, 1994, available at http://www.ietf.org/rfc/rfc1750.txt.
[4] B. Jun and P. Kocher, "The Intel random number generator," Cryptography Research Inc., Tech. Rep., Apr. 1999, white paper available at http://www.cryptography.com/resources/whitepapers.
[5] S. Callegari, R. Rovatti, and G. Setti, "Embeddable ADC-based true random number generator for cryptographic applications exploiting nonlinear signal processing and chaos," IEEE Transactions on Signal Processing, vol. 53, no. 2, pp. 793–805, 2005.
[6] S. Callegari, R. Rovatti, and G. Setti, "ADC-based design of chaotic truly random sources," in Proceedings of NDES'02, Izmir, TR, June 2002, pp. 5/9–5/12.
[7] L. Sumanen, "Pipeline analog-to-digital converters for wideband wireless communications," Ph.D. dissertation, Helsinki University of Technology, Department of Electrical and Communications Engineering, Dec. 2002, available at http://lib.tkk.fi/Diss/.
[8] A. M. Abo and P. R. Gray, "A 1.5-V, 10-bit, 14.3-MS/s CMOS pipeline analog-to-digital converter," IEEE Journal of Solid State Circuits, vol. 34, no. 5, pp. 599–606, May 1999.
[9] Application Note 383: Understanding Pipelined ADCs, Maxim Semiconductors, Mar. 2001, available at www.maxim-ic.com.
[10] A. Lasota and M. C. Mackey, Chaos, Fractals and Noise. Stochastic Aspects of Dynamics, 2nd ed. Springer-Verlag, 1995.
[11] G. Setti, G. Mazzini, R. Rovatti, and S. Callegari, "Statistical modeling of discrete time chaotic processes: Basic finite dimensional tools and applications," Proceedings of the IEEE, vol. 90, no. 5, pp. 662–690, May 2002.
[12] T. Kohda and A. Tsuneda, "Information sources using chaotic dynamics," in Chaotic Electronics in Telecommunications, M. P. Kennedy, R. Rovatti, and G. Setti, Eds. Boca Raton, USA: CRC International Press, 2000, ch. 4.
[13] A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, National Institute of Standards and Technology, May 2001, special publication 800-22, available at http://csrc.nist.gov/rnd/SP800-22b.pdf.
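The Monte Carlo yield evaluation of Section III and the two column types of Table I, as an added example that is not code from the paper or its authors. The block implements one SP800-22 test (Frequency, i.e. monobit), runs it over a population of circuit instances and reports the fraction passing against the NIST proportion interval $\hat{p} \pm 3\sqrt{\hat{p}(1-\hat{p})/m}$, which for $m = 1000$ strings at significance 0.01 gives exactly the $[0.981, 0.999]$ range quoted in the table caption. Two things are assumptions of this example: that the table's "U-value" is the SP800-22 uniformity-of-p-values figure (chi-square over 10 bins, acceptable above $10^{-4}$), and the circuit model itself, which is a constructed stand-in (each instance is a bit source whose probability of a 1 encodes its parameter deviation) rather than the paper's circuit; the population sizes are kept small so the block runs in about a second.

```python
# Added example (not from the paper): Monte Carlo yield and U-value computation
# in the style of NIST SP800-22, with the Frequency (monobit) test only.
# Assumptions: "U-value" = SP800-22 uniformity p-value of the per-instance
# p-values; each circuit instance is modelled as a constructed biased bit source.
import math
import random

def monobit_p_value(bits):
    """SP800-22 Frequency test: p = erfc(|S_n| / sqrt(2n)), S_n = sum(2b - 1)."""
    n = len(bits)
    s_n = 2 * sum(bits) - n
    return math.erfc(abs(s_n) / math.sqrt(2.0 * n))

def _gamma_p_series(a, x):
    """Regularized lower incomplete gamma P(a, x) by series (x < a + 1)."""
    term = 1.0 / a
    total = term
    ap = a
    for _ in range(1000):
        ap += 1.0
        term *= x / ap
        total += term
        if abs(term) < abs(total) * 1e-15:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))

def _gamma_q_cf(a, x):
    """Regularized upper incomplete gamma Q(a, x) by continued fraction (x >= a + 1)."""
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * h

def gammq(a, x):
    """igamc(a, x): regularized upper incomplete gamma function."""
    if x <= 0.0:
        return 1.0
    if x < a + 1.0:
        return 1.0 - _gamma_p_series(a, x)
    return _gamma_q_cf(a, x)

def uniformity_p_value(p_values, bins=10):
    """SP800-22 section 4.2.2: chi-square of the p-value histogram over `bins`
    equal bins; P = igamc((bins - 1)/2, chi2/2). Values >= 1e-4 are acceptable."""
    m = len(p_values)
    counts = [0] * bins
    for p in p_values:
        counts[min(int(p * bins), bins - 1)] += 1
    expected = m / bins
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return gammq((bins - 1) / 2.0, chi2 / 2.0)

def proportion_interval(m, alpha=0.01):
    """NIST acceptance range for the fraction of m sequences passing at level alpha."""
    p_hat = 1.0 - alpha
    half = 3.0 * math.sqrt(p_hat * (1.0 - p_hat) / m)
    return p_hat - half, p_hat + half

def montecarlo_yield(instances, n_bits=2000, alpha=0.01, seed=3):
    """instances: per-circuit probability of a 1 (constructed stand-in for each
    Monte Carlo sample's parameter deviation). Returns (yield, U-value, accepted)."""
    rng = random.Random(seed)
    p_values = []
    for p1 in instances:
        bits = [int(rng.random() < p1) for _ in range(n_bits)]
        p_values.append(monobit_p_value(bits))
    passed = sum(p >= alpha for p in p_values) / len(p_values)
    lo, hi = proportion_interval(len(p_values), alpha)
    return passed, uniformity_p_value(p_values), lo <= passed <= hi

if __name__ == "__main__":
    print("acceptance range for 1000 strings:", proportion_interval(1000))
    print("200 ideal instances (yield, U-value, accepted):", montecarlo_yield([0.5] * 200))
    print("20 heavily biased instances:", montecarlo_yield([0.6] * 20))
```

Yield alone can hide a population of marginal circuits whose p-values cluster just above 0.01, which is what the uniformity figure catches; in Table I the Spectral and Lempel-Ziv rows have the smallest U-values while their yields are unremarkable, so reading both columns together is the point of reporting them.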
