FIPS 140-3 TRNG Requirements: Expert Analysis for Security Engineers | Technical Leadership

30 min read Hardware Security

Table of Contents

Introduction to FIPS 140-3 TRNG Requirements

The Federal Information Processing Standard (FIPS) 140-3 represents a significant evolution in the requirements for cryptographic modules, with particular emphasis on True Random Number Generators (TRNGs). As a hardware security engineer with over two decades of experience in secure element design, I've witnessed firsthand how these evolving standards have shaped the development of cryptographic hardware. True Random Number Generators are critical components in modern cryptographic systems. Unlike their deterministic counterparts (Pseudo-Random Number Generators or PRNGs), TRNGs derive their randomness from physical processes that are inherently unpredictable. This fundamental difference makes TRNGs essential for applications requiring high security assurance, such as key generation, nonce creation, and secure communications.

The security of many cryptographic protocols fundamentally depends on the quality of random numbers used. Weak or predictable random numbers have led to numerous security breaches in the past, including compromised encryption keys, predictable session identifiers, and vulnerable authentication tokens. FIPS 140-3 addresses these concerns by establishing rigorous requirements for TRNGs used in cryptographic modules that protect sensitive information in federal systems. These requirements ensure that random numbers generated have sufficient entropy and statistical quality to withstand sophisticated cryptanalytic attacks.

Evolution from FIPS 140-2 to FIPS 140-3

The transition from FIPS 140-2 to FIPS 140-3 marks a substantial shift in how random number generation is evaluated and validated. While FIPS 140-2 provided a foundation for TRNG requirements, FIPS 140-3 introduces more rigorous testing methodologies and statistical requirements. This evolution reflects the growing sophistication of attacks against cryptographic systems and the increasing importance of high-quality random number generation in security applications.

FIPS 140-2 established basic requirements for random number generators, including statistical testing and periodic health checks. However, it lacked specific guidance on entropy estimation and validation methodologies. FIPS 140-3 addresses these limitations by incorporating ISO/IEC 19790:2012 and explicitly referencing NIST Special Publication 800-90B for entropy source testing and validation. This alignment with international standards represents a significant advancement in the standardization of security requirements for cryptographic modules.

The new standard introduces more comprehensive requirements for entropy sources, conditioning components, and health testing. It requires detailed documentation of entropy estimation methods, statistical justification, and continuous monitoring of entropy sources. These changes reflect a deeper understanding of the critical role that random number generation plays in cryptographic security and the need for more rigorous validation methodologies.

Mathematical Foundations of TRNGs

Information Theory and Shannon Entropy

The mathematical foundation of random number generation is rooted in Claude Shannon's information theory. Shannon introduced the concept of entropy as a measure of information content or uncertainty in a random variable. For a discrete random variable X with possible values {x₁, x₂, ..., xₙ} and probability mass function P(X), the Shannon entropy H(X) quantifies the average information content or uncertainty:

The entropy estimation for a True Random Number Generator (TRNG) can be expressed as:

H(X) = -∑i=1n p(xi) log2 p(xi)

Where p(xi) is the probability of occurrence for each possible output value.

In the context of random number generation, entropy quantifies the unpredictability of the generated values. A perfect random number generator would produce outputs with maximum entropy, meaning each possible value is equally likely and independent of previous outputs. For a binary random number generator producing bits, the maximum entropy is 1 bit per output bit, achieved when the probability of generating a 0 or 1 is exactly 0.5 for each bit, and each bit is independent of all others.

For cryptographic applications, Shannon entropy alone is insufficient because it represents the average case rather than the worst case. Cryptographic security requires considering the worst-case scenario, which leads to the concept of min-entropy.

The min-entropy, which provides a conservative estimate of unpredictability, is defined as:

H(X) = -log2(maxi p(xi))

This represents the worst-case scenario for entropy estimation.

Min-entropy represents the worst-case (most predictable) outcome and provides a conservative estimate of unpredictability. It is always less than or equal to Shannon entropy, making it a more appropriate metric for cryptographic applications where security guarantees must hold even in the worst case.

Probabilistic Models of Entropy Sources

Entropy sources in TRNGs are typically modeled using probabilistic frameworks that capture the stochastic nature of the physical processes involved. These models help in analyzing the entropy production rate, potential biases, and correlations in the output.

One common approach is to model the entropy source as a stochastic process with specific statistical properties. For example, a ring oscillator-based entropy source might be modeled as a process with phase noise following a Gaussian distribution. The entropy production rate can then be estimated based on the parameters of this distribution.

Another approach is to use Markov models to capture potential dependencies between consecutive outputs. A Markov chain of order k models the probability of the next output as dependent only on the previous k outputs. This allows for analyzing and quantifying the impact of correlations on entropy production.

For metastability-based entropy sources, the probabilistic model typically involves the resolution time constant and the probability of entering a metastable state. The probability of remaining in metastability for time t follows an exponential decay:

For metastability-based entropy sources, the probability of remaining in metastability follows:

P(t) = P0e(-t/τ)

Where P0 is the initial probability, τ is the metastability resolution time constant, and t is the time elapsed.

Differential Equations for Noise Circuits

The behavior of electronic circuits used in TRNGs can be described using differential equations that capture the dynamics of the system. For example, the behavior of a ring oscillator with N stages can be modeled using a system of differential equations that describe the voltage at each stage as a function of time.

For a simple ring oscillator with N inverters, the propagation delay of each inverter can be modeled as a random variable with a mean value and a variance due to thermal noise. The oscillation frequency f is related to the propagation delay τ by:

The oscillation frequency of a ring oscillator with N inverters is given by:

f = 1/(2Nτ)

Where N is the number of inverters and τ is the average propagation delay per inverter.

The phase noise in the oscillator, which is the primary source of entropy, can be modeled using a stochastic differential equation. The phase φ(t) evolves according to:

The phase noise in ring oscillators can be modeled as:

dφ(t)/dt = ω0 + ξ(t)

Where ω0 is the nominal angular frequency and ξ(t) is a white noise process representing the phase noise.

The variance of the phase grows linearly with time, a property known as phase diffusion:

The variance of the phase grows linearly with time:

σ2φ(t) = K·t

Where K is a constant dependent on the oscillator design and t is the time interval.

These mathematical models provide a foundation for analyzing the entropy production in TRNGs and for designing circuits that maximize entropy while minimizing power consumption and area.

Entropy Source Requirements

FIPS 140-3 places greater emphasis on entropy source analysis, requiring detailed documentation of entropy estimation methods and statistical justification. The standard now explicitly references NIST SP 800-90B for entropy source testing and validation. According to NIST SP 800-90B, which is referenced by FIPS 140-3, an entropy source consists of three main components:

First, a noise source that contains some unpredictability. This is the physical process that generates the randomness, such as thermal noise, metastability, or quantum effects. The noise source must be well-characterized, and its entropy production rate must be estimated using appropriate statistical methods.

Second, an optional conditioning component that processes the noise source output. Conditioning can involve debiasing, decorrelation, or other transformations that improve the statistical properties of the raw entropy. The conditioning component must be designed to maintain or increase the entropy rate, and its effect on entropy must be quantified.

Third, a health test component that verifies the noise source operates correctly. Health tests are crucial for detecting failures or degradation in the entropy source during operation. They include startup tests, on-demand tests, and continuous runtime monitoring.

FIPS 140-3 requires that the entropy source provide sufficient entropy for the security strength of the cryptographic algorithms it supports. For example, a TRNG used for generating 256-bit AES keys must provide at least 256 bits of entropy. This requirement ensures that the random numbers generated have sufficient unpredictability for their intended cryptographic applications.

Advanced Statistical Evaluation Methods

NIST SP 800-90B Statistical Tests

NIST SP 800-90B mandates comprehensive statistical testing of entropy sources through a series of tests designed to evaluate the quality of the entropy produced. These tests are more rigorous than those required under FIPS 140-2 and provide a more comprehensive assessment of the entropy source.

The first category of tests determines if samples are independent and identically distributed (IID). These tests include the excursion test, number of directional runs, length of directional runs, number of increases and decreases, number of runs based on the median, and length of runs based on the median. If the entropy source passes these tests, it can be considered IID, and simpler entropy estimation methods can be used.

If the entropy source does not pass the IID tests, non-IID entropy estimation methods must be applied. These include the most common value estimate, collision estimate, compression estimate, Markov estimate, and prediction estimate. Each of these estimators targets different aspects of potential non-randomness in the entropy source.

The NIST SP 800-90B statistical model for entropy estimation:

Hest = min(H1, H2, ..., Hk)

Where H1 through Hk are different entropy estimators applied to the same data.

The collision entropy estimator, for example, measures the entropy based on the frequency of collisions (repeated values) in the output sequence:

The collision entropy estimator is defined as:

H2(X) = -log2(∑ P(xi)2)

This provides a measure between Shannon entropy and min-entropy.

Min-Entropy Calculation Formulas

Min-entropy is the primary metric used in FIPS 140-3 for quantifying the unpredictability of an entropy source. It represents the worst-case scenario, where an adversary has the best possible chance of guessing the next output. The min-entropy of a random variable X is defined as:

The min-entropy of a random variable X is defined as:

H(X) = -log2(maxi P(xi))

Where maxi P(xi) is the highest probability of any single outcome.

For a binary source, if the probability of the most likely outcome (0 or 1) is p, then the min-entropy per bit is -log₂(p). For example, if the probability of generating a 1 is 0.7 and the probability of generating a 0 is 0.3, then the min-entropy is -log₂(0.7) ≈ 0.515 bits per output bit. This is significantly less than the Shannon entropy, which would be -(0.7·log₂(0.7) + 0.3·log₂(0.3)) ≈ 0.881 bits per output bit.

NIST SP 800-90B requires that the min-entropy be estimated using multiple estimators, and the lowest estimate is used as the final min-entropy estimate. This conservative approach ensures that the entropy estimate is not overstated, which could lead to security vulnerabilities.

Markov Models for Sequence Analysis

Markov models are powerful tools for analyzing dependencies in sequences of random outputs. A Markov chain of order k models the probability of the next output as dependent only on the previous k outputs. This allows for capturing and quantifying short-term correlations in the entropy source output.

For a first-order Markov model, the transition probabilities are represented as a matrix P, where P(i,j) is the probability of transitioning from state i to state j. The entropy rate of a first-order Markov process can be calculated as:

The entropy rate of a first-order Markov process is:

H(X) = -∑i πij P(i,j) log2 P(i,j)

Where πi is the stationary probability of state i and P(i,j) is the transition probability from state i to state j.

Higher-order Markov models can capture more complex dependencies but require more data for accurate estimation. NIST SP 800-90B includes a Markov estimate that uses a variable-order Markov model to estimate the entropy of non-IID sources.

Markov models are particularly useful for analyzing entropy sources that exhibit correlations due to physical limitations or design constraints. For example, ring oscillator-based TRNGs often show correlations between consecutive samples if the sampling rate is too high relative to the oscillator frequency.

Health Tests and Continuous Monitoring

One of the most significant changes in FIPS 140-3 is the requirement for continuous health monitoring of entropy sources. This includes startup tests, on-demand tests, and continuous runtime monitoring to detect failures or degradation in entropy quality. Health tests are crucial for ensuring that the entropy source continues to provide sufficient entropy throughout the lifetime of the cryptographic module.

Repetition Count Test

The Repetition Count Test is a continuous health test that detects when the entropy source produces too many identical consecutive outputs. This could indicate a failure in the entropy source, such as a stuck bit or a loss of noise.

The false positive probability for the Repetition Count Test can be calculated as:

Pfalse_positive = (1/k)(Cmax-1)

Where k is the number of possible output values and Cmax is the maximum allowed number of consecutive identical samples.

The test works by maintaining a counter C that tracks the number of consecutive identical samples. If C exceeds a predefined threshold C_max, the test fails, indicating a potential problem with the entropy source. The threshold C_max is typically set based on the expected statistical properties of the entropy source and the acceptable false positive rate.

Adaptive Proportion Test

The Adaptive Proportion Test monitors the frequency of specific output values within a window of samples. It is designed to detect biases in the entropy source that might not be caught by the Repetition Count Test.

The threshold for the Adaptive Proportion Test is typically set based on the binomial distribution:

Amax = N·p + c·√(N·p·(1-p))

Where N is the window size, p is the expected probability of the value, and c is a constant determining the confidence level (typically 3-5).

The test works by maintaining a window W of N samples and counting the occurrences A of a specific value (typically the first value in the window). If A exceeds a predefined threshold A_max, the test fails. The threshold A_max is set based on the expected probability of the value and the desired false positive rate.

These health tests, along with startup tests and on-demand tests, form a comprehensive monitoring system that ensures the entropy source continues to function correctly. FIPS 140-3 requires that the cryptographic module take appropriate action if any health test fails, such as entering an error state or switching to an alternative entropy source.

Hardware Implementations

Ring Oscillator Circuits and Equations

Ring oscillators are among the most common entropy sources used in hardware TRNGs due to their simplicity and effectiveness. A ring oscillator consists of an odd number of inverters connected in a loop, creating an unstable system that oscillates at a frequency determined by the propagation delay of the inverters.

TRNG Hardware Architecture

Figure 1: Hardware architecture of a True Random Number Generator showing entropy source, conditioning circuit, and health tests

The oscillation frequency of a ring oscillator with N inverters is given by:

The oscillation frequency of a ring oscillator is:

f = 1/(2Nτ)

Where N is the number of inverters and τ is the average propagation delay per inverter.

The randomness in a ring oscillator-based TRNG comes from the jitter or phase noise in the oscillator. Jitter is caused by various noise sources, including thermal noise, flicker noise, and supply voltage variations. The jitter accumulates over time, causing the phase of the oscillator to drift randomly.

A common implementation uses two or more ring oscillators with different frequencies. One oscillator (the fast oscillator) is sampled using the other oscillator (the slow oscillator) or an external clock. The randomness comes from the unpredictable phase relationship between the oscillators due to accumulated jitter.

The entropy generation rate of such a system depends on the jitter-to-period ratio of the fast oscillator and the sampling rate. If the sampling period is T_s and the standard deviation of the jitter is σ_j, then the entropy generation rate can be approximated as:

The entropy generation rate for a ring oscillator-based TRNG can be approximated as:

H ≈ log2(Tsj)

This assumes that the jitter follows a Gaussian distribution and that consecutive samples are independent.

Thermal and Quantum Noise Modeling

Thermal noise, also known as Johnson-Nyquist noise, is a fundamental source of randomness in electronic circuits. It arises from the random thermal motion of charge carriers in a conductor. The voltage noise across a resistor R at temperature T over a bandwidth Δf follows:

The thermal noise voltage across a resistor follows:

Vnoise = √(4kTRΔf)

Where k is Boltzmann's constant, T is the absolute temperature, R is the resistance, and Δf is the bandwidth.

This thermal noise can be amplified and digitized to create a TRNG. However, the noise must be significantly larger than the quantization noise of the analog-to-digital converter (ADC) to ensure sufficient entropy.

Quantum noise sources, such as those based on photon detection or quantum tunneling, offer potentially higher-quality randomness because they are based on inherently unpredictable quantum phenomena. For example, a quantum random number generator based on the detection of single photons can generate true random bits based on which path a photon takes when encountering a beam splitter.

The entropy of such a quantum system is directly tied to the quantum uncertainty principle and can be modeled using quantum mechanics. For a quantum state |ψ⟩ that is a superposition of basis states, the entropy is:

The entropy of a quantum system is:

Hquantum = -∑ii|2 log2(|ψi|2)

Where |ψi|2 represents the probability of measuring the quantum state ψi.

Detailed TRNG Architectures

Modern TRNG architectures typically combine multiple techniques to achieve high entropy generation rates while maintaining robustness against environmental variations and attacks. A comprehensive TRNG architecture includes:

An entropy source or multiple entropy sources that generate raw random bits. These can include ring oscillators, metastability circuits, thermal noise amplifiers, or quantum sources. Using multiple diverse entropy sources increases resilience against failures and attacks.

A conditioning component that processes the raw entropy to improve its statistical properties. This can include debiasing techniques like the Von Neumann corrector, cryptographic hash functions, or linear feedback shift registers (LFSRs). The conditioning component must be carefully designed to maintain or increase entropy.

A health testing module that continuously monitors the entropy source and conditioning component. This includes the Repetition Count Test, Adaptive Proportion Test, and other tests specified in NIST SP 800-90B. The health testing module must be able to detect failures quickly and trigger appropriate responses.

A control unit that manages the operation of the TRNG, including startup testing, on-demand testing, and error handling. The control unit must ensure that random bits are only output when the TRNG is functioning correctly and providing sufficient entropy.

An output buffer that stores generated random bits for use by cryptographic algorithms. The buffer must be protected against unauthorized access and must not leak information about the internal state of the TRNG.

These components must be carefully integrated to create a TRNG that meets the requirements of FIPS 140-3 while minimizing power consumption, area, and cost.

Implementation Challenges

Implementing FIPS 140-3 compliant TRNGs presents several challenges, particularly in resource-constrained environments like secure elements. These challenges include balancing entropy quality with power consumption, implementing efficient health tests, and ensuring resilience against environmental variations.

Power consumption is a critical concern for TRNGs in battery-powered devices. High-quality entropy sources often require significant power, which can be problematic for low-power applications. Designers must find ways to generate sufficient entropy while minimizing power consumption, such as duty-cycling the entropy source or using more efficient circuit designs.

Area constraints are another challenge, especially in secure elements where silicon area is at a premium. The entropy source, conditioning component, and health testing module all require silicon area, and designers must optimize the design to minimize area while meeting the security requirements.

Environmental variations, such as temperature changes, supply voltage fluctuations, and electromagnetic interference, can affect the performance of TRNGs. FIPS 140-3 requires that TRNGs maintain their security properties across the full range of operating conditions. This requires careful characterization of the entropy source under various conditions and the implementation of compensation mechanisms where necessary.

Side-channel attacks, such as power analysis, electromagnetic analysis, and timing attacks, can potentially extract information about the internal state of a TRNG. FIPS 140-3 requires that TRNGs be resistant to such attacks, which adds another layer of complexity to the design.

Startup behavior is also a concern, as many entropy sources require time to stabilize before they can produce high-quality random bits. FIPS 140-3 requires that TRNGs perform startup testing to ensure that the entropy source is functioning correctly before outputting random bits. This can introduce delays in the availability of random numbers after power-on or reset.

Validation Process and Documentation

The validation process for FIPS 140-3 requires extensive documentation, including entropy justification, implementation details, and test results. This documentation burden has increased significantly compared to FIPS 140-2, requiring more resources during the development and certification phases.

The entropy justification document must provide a detailed description of the entropy source, including its physical basis, circuit implementation, and expected behavior. It must also include a rigorous analysis of the entropy production rate, supported by theoretical models and empirical evidence.

The implementation details must cover the entire TRNG, including the entropy source, conditioning component, health testing module, and control unit. This includes circuit diagrams, state machines, and algorithms used in the implementation.

Test results must demonstrate that the TRNG meets all the requirements of FIPS 140-3 and NIST SP 800-90B. This includes results from statistical tests, health tests, and environmental testing. The tests must be performed by an accredited laboratory, and the results must be documented in a format acceptable to the validation authority.

The mathematical confidence level for entropy estimation is typically set at 99%, requiring a large number of samples for accurate estimation:

The number of samples required for entropy estimation with a 99% confidence level is:

n ≥ log(0.01)/log(1-ε)

Where n is the number of samples and ε is the probability of detecting a specific failure mode.

The validation process culminates in the issuance of a FIPS 140-3 certificate by the Cryptographic Module Validation Program (CMVP), which is jointly operated by NIST and the Canadian Centre for Cyber Security (CCCS). This certificate confirms that the cryptographic module, including its TRNG, meets all the requirements of FIPS 140-3.

Case Study: FIPS 140-3 Compliant TRNG Design

In a recent project, I designed a FIPS 140-3 compliant TRNG for a secure element targeting financial applications. The design incorporated multiple entropy sources, sophisticated health monitoring, and adaptive sampling techniques to maintain entropy quality across operating conditions.

The primary entropy source was a set of ring oscillators with different frequencies, implemented in a way that maximized their sensitivity to thermal noise while minimizing their susceptibility to external interference. The ring oscillators were carefully placed and routed to minimize coupling between them and to isolate them from other digital circuits that could introduce deterministic noise.

A secondary entropy source based on metastability was included to provide diversity and resilience. This source used a flip-flop clocked with data that violated setup and hold times, creating a metastable state with an unpredictable resolution. The probability of resolving to a 0 or 1 was carefully balanced to maximize entropy.

The raw outputs from both entropy sources were combined and conditioned using a cryptographic hash function to remove bias and correlations. The conditioning component was designed to be conservative, ensuring that the entropy rate of the output was at least as high as the estimated entropy rate of the input.

Comprehensive health testing was implemented, including the Repetition Count Test and Adaptive Proportion Test as required by NIST SP 800-90B. Additional custom health tests were included to monitor specific aspects of the entropy sources, such as the oscillation frequency of the ring oscillators and the metastability characteristics of the flip-flops.

The TRNG was extensively characterized across the full range of operating conditions, including temperature (-40°C to 85°C), supply voltage (±10%), and electromagnetic interference. The entropy estimation was performed using the methods specified in NIST SP 800-90B, and the results showed that the TRNG consistently provided more than 0.9 bits of entropy per output bit, exceeding the requirements for most cryptographic applications.

The validation process was rigorous, involving detailed documentation of the design, implementation, and testing. The entropy justification document alone was over 100 pages, including theoretical analysis, circuit descriptions, and statistical test results. The validation was successful, resulting in a FIPS 140-3 certificate for the secure element.

Future Directions and Quantum Considerations

Looking ahead, the emergence of quantum computing will likely drive further evolution in TRNG requirements. Future standards may need to address quantum-resistant random number generation and more sophisticated entropy estimation techniques.

Quantum random number generators (QRNGs) are an emerging technology that leverages quantum phenomena to generate true random numbers. These generators are based on inherently unpredictable quantum processes, such as photon path superposition or quantum tunneling. QRNGs have the potential to provide higher-quality randomness than traditional TRNGs based on classical physics.

Post-quantum cryptography will require high-quality random numbers for key generation and other cryptographic operations. The security of post-quantum algorithms often depends on the unpredictability of certain parameters, making the quality of random number generation even more critical.

Machine learning attacks on TRNGs are an emerging threat that future standards may need to address. These attacks use neural networks or other machine learning techniques to predict the output of a TRNG based on environmental factors or previous outputs. Countermeasures against such attacks may include more sophisticated conditioning components and health tests.

Standardization efforts are ongoing to address these and other challenges in random number generation. The NIST Randomness Beacon, for example, provides a public source of verifiable randomness that can be used as a reference for testing and validation. The development of new standards and guidelines for random number generation will continue to evolve as technology advances and new threats emerge.

Conclusion

FIPS 140-3 represents a significant advancement in the security requirements for TRNGs in cryptographic modules. While these requirements present implementation challenges, they ultimately lead to more robust and secure random number generation, which is fundamental to cryptographic security.

The mathematical foundations of TRNGs, including information theory, probabilistic models, and differential equations, provide a rigorous framework for designing and analyzing entropy sources. The statistical evaluation methods specified in NIST SP 800-90B ensure that TRNGs produce high-quality random numbers with sufficient entropy for cryptographic applications.

Hardware implementations of TRNGs must balance multiple competing requirements, including entropy quality, power consumption, area, and resilience against environmental variations and attacks. The validation process for FIPS 140-3 is rigorous, requiring extensive documentation and testing to demonstrate compliance with the standard.

As technology evolves and new threats emerge, the requirements for TRNGs will continue to evolve. Future standards may address quantum random number generation, post-quantum cryptography, and machine learning attacks. However, the fundamental principles of entropy, unpredictability, and statistical testing will remain central to the security of random number generation.

In conclusion, FIPS 140-3 provides a comprehensive framework for ensuring the security of TRNGs in cryptographic modules. By understanding and implementing these requirements, hardware security engineers can design TRNGs that provide the high-quality random numbers essential for cryptographic security in an increasingly complex and threatening digital environment.

References

  1. Barker, E., & Kelsey, J. (2021). Recommendation for the Entropy Sources Used for Random Bit Generation. NIST Special Publication 800-90B. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf
  2. Turan, M. S., Barker, E., Kelsey, J., McKay, K. A., Baish, M. L., & Boyle, M. (2018). Recommendation for the Entropy Sources Used for Random Bit Generation. NIST Special Publication 800-90B. https://doi.org/10.6028/NIST.SP.800-90B
  3. Sunar, B., Martin, W. J., & Stinson, D. R. (2007). A Provably Secure True Random Number Generator with Built-In Tolerance to Active Attacks. IEEE Transactions on Computers, 56(1), 109-119. https://doi.org/10.1109/TC.2007.250627
  4. Baudet, M., Lubicz, D., Micolod, J., & Tassiaux, A. (2011). On the security of oscillator-based random number generators. Journal of Cryptology, 24(2), 398-425. https://doi.org/10.1007/s00145-010-9089-3
  5. Bochard, N., Bossuet, L., & Fischer, V. (2013). Entropy Assessment in Ring Oscillator-Based True Random Number Generators. 2013 Euromicro Conference on Digital System Design, 349-354. https://doi.org/10.1109/DSD.2013.45
  6. Wold, K., & Tan, C. H. (2008). Analysis and enhancement of random number generator in FPGA based on oscillator rings. International Journal of Reconfigurable Computing, 2008, 1-8. https://doi.org/10.1155/2008/259140
  7. Markettos, A. T., & Moore, S. W. (2009). The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators. Cryptographic Hardware and Embedded Systems - CHES 2009, 317-331. https://doi.org/10.1007/978-3-642-04138-9_23
  8. Dichtl, M., & Golić, J. D. (2007). High-Speed True Random Number Generation with Logic Gates Only. Cryptographic Hardware and Embedded Systems - CHES 2007, 45-62. https://doi.org/10.1007/978-3-540-74735-2_4
  9. Schellekens, D., Preneel, B., & Verbauwhede, I. (2006). FPGA Vendor Agnostic True Random Number Generator. International Conference on Field Programmable Logic and Applications, 1-6. https://doi.org/10.1109/FPL.2006.311206
  10. Vasyltsov, I., Hambardzumyan, E., Kim, Y. S., & Karpinskyy, B. (2008). Fast Digital TRNG Based on Metastable Ring Oscillator. Cryptographic Hardware and Embedded Systems – CHES 2008, 164-180. https://doi.org/10.1007/978-3-540-85053-3_11
  11. Killmann, W., & Schindler, W. (2011). A proposal for: Functionality classes for random number generators. BSI - German Federal Office for Information Security. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_for_random_number_generators_e.pdf
  12. Balasch, J., Gierlichs, B., Reparaz, O., & Verbauwhede, I. (2014). DPA, Bitslicing and Masking at 1 GHz. Cryptographic Hardware and Embedded Systems – CHES 2015, 599-619. https://doi.org/10.1007/978-3-662-48324-4_30
  13. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., & Vo, S. (2010). A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22 Rev. 1a. https://doi.org/10.6028/NIST.SP.800-22r1a
  14. Haddad, P., Fischer, V., Bernard, F., & Nicolai, J. (2015). A Physical Approach for Stochastic Modeling of TERO-Based TRNG. Cryptographic Hardware and Embedded Systems – CHES 2015, 357-372. https://doi.org/10.1007/978-3-662-48324-4_18
  15. National Institute of Standards and Technology. (2019). FIPS PUB 140-3: Security Requirements for Cryptographic Modules. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
  16. Kohlbrenner, P., & Gaj, K. (2004). An embedded true random number generator for FPGAs. Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays, 71-78. https://doi.org/10.1145/968280.968292
  17. Fischer, V., & Drutarovský, M. (2003). True random number generator embedded in reconfigurable hardware. Cryptographic Hardware and Embedded Systems - CHES 2002, 415-430. https://doi.org/10.1007/3-540-36400-5_30
  18. Kwok, S. H. M., Ee, Y. L., Chew, G., Zheng, K., Khoo, K., & Tan, C. H. (2011). A comparison of post-processing techniques for biased random number generators. Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication, 175-190. https://doi.org/10.1007/978-3-642-21040-2_12
  19. Stipčević, M., & Koç, Ç. K. (2014). True Random Number Generators. Open Problems in Mathematics and Computational Science, 275-315. https://doi.org/10.1007/978-3-319-10683-0_12
  20. Herrero-Collantes, M., & Garcia-Escartin, J. C. (2017). Quantum random number generators. Reviews of Modern Physics, 89(1), 015004. https://doi.org/10.1103/RevModPhys.89.015004