| 1 |
60 |
zero_gravi |
<<<
|
| 2 |
|
|
:sectnums:
|
| 3 |
|
|
==== True Random-Number Generator (TRNG)
|
| 4 |
|
|
|
| 5 |
|
|
[cols="<3,<3,<4"]
|
| 6 |
|
|
[frame="topbot",grid="none"]
|
| 7 |
|
|
|=======================
|
| 8 |
|
|
| Hardware source file(s): | neorv32_trng.vhd |
|
| 9 |
|
|
| Software driver file(s): | neorv32_trng.c |
|
| 10 |
|
|
| | neorv32_trng.h |
|
| 11 |
|
|
| Top entity port: | none |
|
| 12 |
|
|
| Configuration generics: | _IO_TRNG_EN_ | implement TRNG when _true_
|
| 13 |
|
|
| CPU interrupts: | none |
|
| 14 |
|
|
|=======================
|
| 15 |
|
|
|
| 16 |
|
|
**Theory of Operation**
|
| 17 |
|
|
|
| 18 |
|
|
The NEORV32 true random number generator provides _physical true random numbers_ for your application.
|
| 19 |
|
|
Instead of using a pseudo RNG like a LFSR, the TRNG of the processor uses a simple, straight-forward ring
|
| 20 |
|
|
oscillator as physical entropy source. Hence, voltage and thermal fluctuations are used to provide true
|
| 21 |
|
|
physical random data.
|
| 22 |
|
|
|
| 23 |
|
|
[NOTE]
|
| 24 |
|
|
The TRNG features a platform independent architecture without FPGA-specific primitives, macros or
|
| 25 |
|
|
attributes.
|
| 26 |
|
|
|
| 27 |
|
|
**Architecture**
|
| 28 |
|
|
|
| 29 |
|
|
The NEORV32 TRNG is based on simple ring oscillators, which are implemented as an inverter chain with
|
| 30 |
|
|
an odd number of inverters. A **latch** is used to decouple each individual inverter. Basically, this architecture
|
| 31 |
|
|
is some king of asynchronous LFSR.
|
| 32 |
|
|
|
| 33 |
|
|
The output of several ring oscillators are synchronized using two registers and are XORed together. The
|
| 34 |
|
|
resulting output is de-biased using a von-Neumann randomness extractor. This de-biased output is further
|
| 35 |
|
|
processed by a simple 8-bit Fibonacci LFSR to improve whitening. After at least 8 clock cycles the state of
|
| 36 |
|
|
the LFSR is sampled and provided as final data output.
|
| 37 |
|
|
|
| 38 |
|
|
To prevent the synthesis tool from doing logic optimization and thus, removing all but one inverter, the
|
| 39 |
|
|
TRNG uses simple latches to decouple an inverter and its actual output. The latches are reset when the
|
| 40 |
|
|
TRNG is disabled and are enabled one by one by a "real" shift register when the TRNG is activated. This
|
| 41 |
|
|
construct can be synthesized for any FPGA platform. Thus, the NEORV32 TRNG provides a platform
|
| 42 |
|
|
independent architecture.
|
| 43 |
|
|
|
| 44 |
|
|
**TRNG Configuration**
|
| 45 |
|
|
|
| 46 |
|
|
The TRNG uses several ring-oscillators, where the next oscillator provides a slightly longer chain (more
|
| 47 |
|
|
inverters) than the one before. This increment is constant for all implemented oscillators. This setup can be
|
| 48 |
|
|
customized by modifying the "Advanced Configuration" constants in the TRNG's VHDL file:
|
| 49 |
|
|
|
| 50 |
|
|
* The `num_roscs_c` constant defines the total number of ring oscillators in the system. num_inv_start_c
|
| 51 |
|
|
defines the number of inverters used by the first ring oscillators (has to be an odd number). Each additional
|
| 52 |
|
|
ring oscillator provides `num_inv_inc_c` more inverters that the one before (has to be an even number).
|
| 53 |
|
|
* The LFSR-based post-processing can be deactivated using the `lfsr_en_c` constant. The polynomial tap
|
| 54 |
|
|
mask of the LFSR can be customized using `lfsr_taps_c`.
|
| 55 |
|
|
|
| 56 |
|
|
**Using the TRNG**
|
| 57 |
|
|
|
| 58 |
64 |
zero_gravi |
The TRNG features a single register for status and data access. When the _TRNG_CTRL_EN_ control register (`CTRL`)
|
| 59 |
|
|
bit is set, the TRNG is enabled and starts operation. As soon as the _TRNG_CTRL_VALID_ bit is set, the currently
|
| 60 |
|
|
sampled 8-bit random data byte can be obtained from the lowest 8 bits of the `CTRL` register
|
| 61 |
|
|
(_TRNG_CTRL_DATA_MSB_ : _TRNG_CTRL_DATA_LSB_). The _TRNG_CTRL_VALID_ bit is automatically cleared
|
| 62 |
60 |
zero_gravi |
when reading the control register.
|
| 63 |
|
|
|
| 64 |
|
|
[IMPORTANT]
|
| 65 |
|
|
The TRNG needs at least 8 clock cycles to generate a new random byte. During this sampling time
|
| 66 |
|
|
the current output random data is kept stable in the output register until a valid sampling of the new byte has
|
| 67 |
|
|
completed.
|
| 68 |
|
|
|
| 69 |
|
|
Randomness "Quality"
|
| 70 |
|
|
I have not verified the quality of the generated random numbers (for example using NIST test suites). The
|
| 71 |
|
|
quality is highly effected by the actual configuration of the TRNG and the resulting FPGA mapping/routing.
|
| 72 |
|
|
However, generating larger histograms of the generated random number shows an equal distribution (binary
|
| 73 |
|
|
average of the random numbers = 127). A simple evaluation test/demo program can be found in
|
| 74 |
|
|
`sw/example/demo_trng`.
|
| 75 |
|
|
|
| 76 |
64 |
zero_gravi |
.TRNG register map (`struct NEORV32_TRNG`)
|
| 77 |
60 |
zero_gravi |
[cols="<2,<2,<4,^1,<7"]
|
| 78 |
|
|
[options="header",grid="all"]
|
| 79 |
|
|
|=======================
|
| 80 |
|
|
| Address | Name [C] | Bit(s), Name [C] | R/W | Function
|
| 81 |
64 |
zero_gravi |
.3+<| `0xffffffb8` .3+<| `NEORV32_TRNG.CTRL` <|`7:0` _TRNG_CTRL_DATA_MSB_ : _TRNG_CTRL_DATA_MSB_ ^| r/- <| 8-bit random data output
|
| 82 |
|
|
<|`30` _TRNG_CTRL_EN_ ^| r/w <| TRNG enable
|
| 83 |
|
|
<|`31` _TRNG_CTRL_VALID_ ^| r/- <| random data output is valid when set
|
| 84 |
60 |
zero_gravi |
|=======================
|
