tillitis-key/hw/application_fpga/core/trng
Joachim Strömbergson de668a0244
Clean up code and silence warnings after linting
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 16:39:53 +01:00
..
rtl Clean up code and silence warnings after linting 2024-03-20 16:39:53 +01:00
tb Add an initial testcase. Hard to simulate entropy 2023-07-04 09:04:28 +02:00
toolruns Fix spelling of toolruns dir 2023-07-04 09:04:29 +02:00
README.md Minor fix of ackronyms in the README 2023-07-04 09:04:29 +02:00

trng

Implementation of the Tillitis True Random Number Generator (TRNG).

Introduction

Applications running on the Tillitis TKey device may have a need of random numbers. For unpredictable initial vectors, challnges, random tokens etc.

The Tillitis TRNG supports these applications by providing a hardware based source of entropy (digital noise) with a uniform distribution.

Note that the data provided by the TRNG is entropy, not processed random numbers. The data should NOT be used directly, but used as seed for a (cryptographically safe) random number generator (CSPRNG) algorithm.

Status

First version of TKey completed. The TRNG has been tested and provides good entropy suitable as seed for a CSPRNG (also known as a Digital Random Bit Generator - DRBG).

API

The TRNG API provides to readable addresses:

	ADDR_STATUS:      0x09
	STATUS_READY_BIT: 0
	ADDR_ENTROPY:     0x20

The STATUS_READY_BIT in the status register indicates that there is a new word of entropy available to read out. When the word is read from ADDR_ENTROPY register, the ready bit is cleared.

Applications requiring multiple words of entropy MUST wait for the ready bit to be set again before reading ut subseqent words. Not waiting for the ready bit to be set will lead to reading out (at least parts of) the same entropy data more than once.

Applications that need cryptographically safe random number should use the output from the TRNG as seed to a CSPRNG, , for example a Hash_DRBG.

Implementation details

The implementation is based on free running digital oscillators. The implementation creates two sets of oscillators by instantiating a number if LCs configured as one bit inverter gates, where the output of the inverter is connected to its own input. The oscillators will have a toggle rate based on the given internal gate delay and the wire delay through given by the feedback circuit.

After a given number of clock cycles (4096) the outputs from the oscillators in each group are XOR combined and sampled into two separate registers. This process is repeated a second time, producing two more bits, one for each group. These two sets of two bits are then XOR combined to produce a single entropy bit. This means that an entropy bit is the XOR combined result from two oscillator groups over two sampling events.

Entropy bits are collected into an entropy word. When at least 32 bits have been collected, the ready bit is set, indicating to SW that a new entropy word is available.

Note that the entropy word is not held for the SW to read out. Sampling and collection is running continuosly, and the word read by SW will contain the latest 32 bits collected. Entropy bits not read by SW will be discarded at the same rate as new bits are collected.

Currently the following build time parameters are used to configure the implementation:

  • 4096 cycles between sampling
  • 16 oscillators in each group
  • 64 bits collected before setting the ready flag

With the TKey device running at 18 MHz this means that we sample bits at 4.3 kbps. Since we sample twice to produce a single bit, the effective raw bitrate is 2.1 kbps.

The 64 bits collected means that there is a separation of at least 32 collected entropy bits between bits in the words read out.