Implementing and Testing Self-Timed Rings on a FPGA as Entropy Sources

(1)

Institutionen för systemteknik

Department of Electrical Engineering

Examensarbete

Implementing and Testing Self-Timed Rings on a FPGA

as Entropy Sources

Examensarbete utfört i Datorteknik vid Tekniska högskolan vid Linköpings universitet

av Marcus Einar LiTH-ISY-EX--15/4845--SE

Linköping 2015

Department of Electrical Engineering Linköpings tekniska högskola

Linköpings universitet Linköpings universitet

(2)

(3)

Implementing and Testing Self-Timed Rings on a FPGA

as Entropy Sources

Examensarbete utfört i Datorteknik

vid Tekniska högskolan vid Linköpings universitet

av

Marcus Einar LiTH-ISY-EX--15/4845--SE

Handledare: Jonathan Jogenfors

isy, Linköpings universitet

Johan Hedström

Sectra Communications

Examinator: Jan-Åke Larsson

isy, Linköpings universitet

(4)

(5)

Avdelning, Institution Division, Department

Avdelningen för Systemteknik Department of Electrical Engineering SE-581 83 Linköping Datum Date 2015-06-25 Språk Language Svenska/Swedish Engelska/English Rapporttyp Report category Licentiatavhandling Examensarbete C-uppsats D-uppsats Övrig rapport

URL för elektronisk version

http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-XXXXX

ISBN — ISRN

LiTH-ISY-EX--15/4845--SE Serietitel och serienummer Title of series, numbering

ISSN —

Titel Title

Implementation och Testning av Self-Timed Rings på en FPGA som Entropikällor Implementing and Testing Self-Timed Rings on a FPGA as Entropy Sources

Författare Author

Marcus Einar

Sammanfattning Abstract

Random number generators are basic building blocks of modern cryptographic systems. Usually pseudo random number generators, carefully constructed deterministic algorithms that generate seemingly random numbers, are used. These are built upon foundations of thorough mathematical analysis and have been subjected to stringent testing to make sure that they can produce pseudo random sequences at a high bit-rate with good statistical prop-erties.

A pseudo random number generator must be initiated with a starting value. Since they are deterministic, the same starting value used twice on the same pseudo random number gener-ator will produce the same seemingly random sequence. Therefore it is of utmost importance that the starting value contains enough entropy so that the output cannot be predicted or re-produced in an attack. To generate a high entropy starting value, a true random number generator that uses sampling of some physical non-deterministic phenomenon to generate entropy, can be used. These are generally slower than their pseudo random counterparts but in turn need not generate the same amount of random values.

In field programmable gate arrays (FPGA), generating random numbers is not trivial since they are built upon digital logic. A popular technique to generate entropy within a FPGA is to sample jittery clock signals. A quite recent technique proposed to create a robust clock signals, that contains such jitter, is to use self-timed ring oscillators. These are structures in which several events can propagate freely at an evenly spaced phase distribution. In this thesis self-timed rings of six different lengths is implemented on a specific FPGA hardware. The different implementations are tested with the TestU01 test suite. The results show that two of the implementations have a good oscillatory behaviour that is well suited for use as random number generators. Others exhibit unexpected behaviours that are not suited to be used in a random number generator. Two of the implemented random generators passed all tests in the TestU01 batteries Alphabit and BlockAlphabit. One of the generators was deemed not fit for use in a random number generator after failing all of the tests. The last three were not subjected to any tests since they did not behave as expected.

Nyckelord

(6)

(7)

Abstract

Random number generators are basic building blocks of modern cryptographic systems. Usually pseudo random number generators, carefully constructed deter-ministic algorithms that generate seemingly random numbers, are used. These are built upon foundations of thorough mathematical analysis and have been subjected to stringent testing to make sure that they can produce pseudo random sequences at a high bit-rate with good statistical properties.

A pseudo random number generator must be initiated with a starting value. Since they are deterministic, the same starting value used twice on the same pseudo random number generator will produce the same seemingly random sequence. Therefore it is of utmost importance that the starting value contains enough en-tropy so that the output cannot be predicted or reproduced in an attack. To gen-erate a high entropy starting value, a true random number generator that uses sampling of some physical non-deterministic phenomenon to generate entropy, can be used. These are generally slower than their pseudo random counterparts but in turn need not generate the same amount of random values.

In field programmable gate arrays (FPGA), generating random numbers is not trivial since they are built upon digital logic. A popular technique to generate entropy within a FPGA is to sample jittery clock signals. A quite recent technique proposed to create a robust clock signals, that contains such jitter, is to use self-timed ring oscillators. These are structures in which several events can propagate freely at an evenly spaced phase distribution.

In this thesis self-timed rings of six different lengths is implemented on a spe-cific FPGA hardware. The different implementations are tested with the TestU01 test suite. The results show that two of the implementations have a good oscilla-tory behaviour that is well suited for use as random number generators. Others exhibit unexpected behaviours that are not suited to be used in a random num-ber generator. Two of the implemented random generators passed all tests in the TestU01 batteries Alphabit and BlockAlphabit. One of the generators was deemed not fit for use in a random number generator after failing all of the tests. The last three were not subjected to any tests since they did not behave as ex-pected.

(8)

(9)

Acknowledgments

During the work of this thesis I have gained a lot of new knowledge and experi-ence and it would not have been possible if it were not for the help and support i have had along the way.

I would like to thank all the employees at SECTRA communications who has helped me and shared their experience. Especially my supervisor Johan Hedström who has given me a lot of his time to discuss my problems and thoughts through-out the work.

I would also like to thank my examiner Jan-Åke Larsson and my supervisor Jonatan Jogenfors at the department of electrical engineering.

Many, many thanks goes to my girlfriend, my family and my friends who has supported me throughout the course of my education. Without you I would not have made it this far.

A special thought goes out to my mother whom I wish could have seen me grad-uate. She always supported me and helped me, in so many ways, become who I am today.

Linköping, June 2015 Marcus Einar

(10)

(11)

viii Contents 5 Implementation 21 5.1 Configurations . . . 21 5.2 Logic design . . . 21 5.2.1 Muller-gate . . . 21 5.2.2 Gate placement . . . 22 5.2.3 Synchronization chain . . . 22 5.3 Fabric layout . . . 23 5.3.1 Combinatorial loops . . . 23 5.3.2 Floor plan . . . 23 6 Results 25 6.1 Method . . . 25

6.1.1 Method of sampling randomness . . . 25

6.1.2 Method of measuring period time and jitter . . . 25

6.2 Measurements . . . 26

6.2.1 Unexpected behaviour . . . 26

6.2.2 Stable oscillation . . . 28

6.2.3 Oscillation period . . . 30

6.3 Test results . . . 30

6.3.1 Alphabit battery test results . . . 30

6.3.2 BlockAlphabit battery . . . 31

7 Conclusion 35 7.1 Self-timed ring as random number generator . . . 35

7.2 Implementation . . . 36

7.3 Testing . . . 36

7.4 Future work . . . 37

A Test result summaries 41 A.1 Alphabit battery . . . 41

A.1.1 STRNG length 255 . . . 41

A.1.2 STRNG length 511 . . . 41

A.1.3 STRNG length 1535 . . . 42

A.2 BlockAlphabit battery . . . 42

A.2.1 STRNG length 255 . . . 42

A.2.2 STRNG length 511 . . . 44

A.2.3 STRNG length 1535 . . . 45

(13)

Notation

Mathematical notation and variables Notation Meaning

∆ϕ Phase resolution ρ Jitter magnitude

NT Number of tokens in an STR

NB Number of bubbles in an STR

Df f Forward delay of a Muller-gate

Drr Reverse delay of a Muller-gate

H(x) Shannon entropy of variable x T Oscillation period time L Number of stages in a STR

N Number of events propogating in a STR

Abbreviations

Abbreviation Meaning

rng Random Number Generator

prng _{Pseudo Random Number Generator} trng _{True random Number Generator}

str _{Self-Timed Ring}

strng _{Self-Timed Ring Random Number Generator} fpga _{Field-Programmable Gate array}

fifo _{First In, First Out} iro Inverter Ring Oscillator lut Look-Up Table

(14)

(15)

1

Introduction

This chapter contains a short historical background on random number genera-tion, the purpose of this project, the methods used in this thesis, the delimitations of the project and the structure of this report.

1.1 History of random number generation

The concept of randomness has been used in different contexts for ages. An-cient civilizations threw bones to determine fate and foresee the future, lots were drawn to settle disputes over distribution of land, dice have been used in games and decision making as early as circa 2750 B.C [7]. Whether the belief was that luck, divine will or something else governed the outcome, all of the mentioned types of randomness had a common purpose: to eliminate the possibility of hu-man hu-manipulation when trying to produce an unpredictable outcome.

The uses of random numbers has expanded since. Examples that are relevant today are simulations of natural phenomena, sampling data, solving numerical problems, testing software design and, most relevant for this thesis, generation of cryptographic keys. For such scientific applications the classical ways of gen-erating randomness were too slow.

In 1927 L. H. C. Tippett published "Random Sampling Numbers", a table of more than 40.000 "random" numbers taken from census reports. Random number ta-bles were developed even further. Machines where used to mechanically generate larger amount of numbers. These tables were used as a fast way to get random numbers.

When computers came into use, memory size and input time were factors that

(16)

2 1 Introduction

made random number tables impractical to use. Ever since, methods for gener-ating random numbers within the systems have been sought after. Today there exists a multitude of alternatives for generating random numbers for use in com-puter science.

1.2 Background

Random number generators (RNG ) are one of the basic building blocks of mod-ern cryptographic systems. Examples of usages for the random numbers gener-ated are cryptographic keys, authentication challenges, one-time-pads and salt for protecting database hashes of passwords.

There are two main categories of RNG s. Pseudo random number generators (PRNG ) produce numbers that seem random from algorithms. PRNG s usually have a high output bit rate and the statistical properties of the generated data often has good statistical properties. Since algorithms are inheritable determin-istic, the output can be reproduced if the initial value, also called seed, and the algorithm is known. Usually only the key is secret and chosen at random. True random number generators (TRNG ) utilizes physical phenomena to generate ran-dom numbers. The bit-rate and statistical properties of the output are often lower than that of PRNG s. However the values are more unpredictable and importantly, they can not be reproduced. TRNG s are usually used to seed PRNG s.

Field-programmable gate arrays FPGA s are programmable digital integrated cir-cuits that can be used to implement cryptographic systems. There are no natural sources of entropy within such circuits which makes it non-trivial to seed a PRNG implementation. One solution is to use an external source of entropy. Another way is to implement some digital structure that uses the properties of the internal components to generate randomness. A popular technique is using clock timing jitter as a source of entropy.

Cherkaoui et al. has proposed and analysed self-timed rings (STR ) as a jittery clock that can be used to generate random numbers at a high bit rate [8][9] [10][11]. They showed that STR based RNGs can be used as an alternative to the popular inverter ring oscillator (IRO )since it has shown to be more robust against voltage variations. A model for evaluating a lower bound of entropy was also shown.

1.3 Purpose

FPGA s generally do not have any built in way to generate random data. Sampling jittery clocks is a common technique for doing so. Relatively recently, self-timed rings has been proposed to work as a way of generating jittery clock signals, but also robust, clock signals to be used in such random number generators.

The work of this thesis was requested by SECTRA Communications, a company that provides secure communication solutions. All secure communication

(17)

chan-1.4 Method 3

nels are protected by cryptographic systems and all such systems need randomly generated numbers. The purpose of this thesis is to create an implementation of a self-timed ring random number generator on a specific FPGA and to test how well it works.

1.4 Method

Self-timed ring random number generators (STRNG ) have been successfully im-plemented by the authors of [10] [8] [9] [11]. Both the theory and the performance have been well documented and this thesis does not seek to prove the concept of a self timed ring based random number generator. The focus lies on studying the core concepts of the self-timed ring structure and implementing it on a specific hardware assigned by SECTRA.

The implementation, which builds upon the theoretical study done on self-timed rings, is tested using the test suite TestU01 which contains batteries for testing the statistical properties of a random number generator. The choice of test suite is based upon the analysis of test suites done by the Jakobsson in 2014 in [17], where several test suites were compared and tested. TestU01 is recommended as a state of the art RNG test suite that allows testing of as large random values as needed.

1.5 Delimitations

The focus of this thesis is to describe the theory of STRNG s, implementing a STRNG on a specific FPGA followed by testing it. Different lengths of the rings are tested to see if the lengths has any impact on the tests carried out on sam-pled data. The tests are carried out with the test suite TestU01, which seems best suited for testing a STRNG, based on the analysis of test suites in[17]. The Alphabit and BlockAlphabit batteries are the only ones in the suite created specif-ically to test hardware based random number generators and therefore the only ones used during the testing.

Some important aspects of implementing a TRNG is omitted in this thesis: Data sequences from RNG s that are based on a physical phenomena are often subject to bias in the data. Post processing methods are the usually the solution to these problems but this thesis will not cover these methods.

Another problem which is not considered in this report is that a hardware based random number generator might stop working correctly during usage. To de-tect flaws, live-tests can be implemented to assure that an implementation keeps working as intended.

Trying to actively attacking the RNG can be a method of assuring robustness of the implementation. This area will not be covered in thesis.

(18)

4 1 Introduction

The specific FPGA used to implement the STRNG cannot be disclosed due to confidentiality reasons.

1.6 Structure

Chapter 2 discusses randomness, entropy and random number generators in gen-eral. It also explains the theory behind sampling jittery clocks as a mean to har-vest entropy.

In chapter 3 oscillator based TRNG s are described as well as the theory behind STRNG s.

Chapter 4 mentions the tests used to test the implementation used in this thesis which is described in Chapter 5.

(19)

2

Random number generators

This chapter discusses the concepts of randomness and entropy as the unit for measuring unpredictability. It also discusses the difference between pseudo- and true random number generators. The theoretical model for the self-timed ring random number generator is also described.

2.1 Randomness

Before discussing random number generators it may be good to look at some defi-nitions of randomness. Here follows a few defidefi-nitions from different dictionaries: Random, adj.

Oxford Dictionaries[4] - Made, done, or happening without method or conscious decision

Camebridge Dictionaries[2] - Happening, done, or chosen by chance rather than according to a plan

The American Heritage Dictionary[1] - Having no specific pattern, purpose, or objective

Dictionary.com[3] - Proceeding, made, or occurring without definite aim, reason, or pattern

These definitions describes the core aspects of randomness. There is no pattern, no choice and no reason. In other words, a process of which the outcome cannot be predicted or controlled. These definitions are neither scientific nor mathemat-ical, but they provide a grasp of what is meant when speaking of randomness. In fact, if an event is random depends on the scope and the environment. In

(20)

6 2 Random number generators

fact, dice rolls, coin tosses and the break at the beginning of a billiard game are examples of processes that might seem random. However, the outcome of all the mentioned physical processes could be predicted or perhaps even controlled given enough information on their initial state. This illustrates a problem with defining what randomness really is. One might argue that randomness is based on the ignorance of how a system, that produces random values, really works.

2.2 Entropy

The unit for measuring randomness is called entropy. Entropy is the measure-ment of how much uncertainty there is about the value of a random variable. Before formally defining entropy it might be good to look at an example first. This example is inspired by [14]:

Example 2.1

Consider the output of a RNG consisting of 32 bits where every bit is completely random. The output value then has 32 bits of entropy.

Example 2.1 shows that if every bit is completely random the entropy measured in bits is the same as the length of the random variable. But what if the entire output was not completely random? This is illustrated in another example:

Example 2.2

Consider a RNG where each byte of a 32-bit output only had two possible values, say all zeroes or ones for example. The second RNG s output would now have only 4 bits of entropy.

Example 2.2 illustrates that entropy is not about the length of the random se-quence, but how much uncertainty there is about the next value. In this case it is known that all the first eight bits are all the same. Therefore the entropy of the first byte is equal to one bit.

An informal way of describing what it means that a value has n-bits entropy, is if someone would try to guess the value, there would be a probability of 1/2n that the guess was right. The entropy would change if more was known about the value. For example if the distribution of ones and zeroes were known, the amount of possible values could be reduced, and in turn the uncertainty of the bits.

A more formal and perhaps the most common definition is the Shannon entropy[12] [14].

Definition 2.1 (Shannon entropy). The Shannon entropy for a random variable X where P (X = x) is the probability mass function.

H(X) = −X

x

(21)

2.3 Pseudo Random Number Generators 7

The result of H(X) is the entropy of the variable X in bits, where P(X=x) is the probability of X taking the value x. This is then summarized over all possible values of X.

When b = 2 the entropy is measured in bits. From this we can define the binary entropy as:

Definition 2.2 (Binary entropy). For any random variable X with the probabil-ity mass function P (X = x) where x = {0, 1} such that: P (X = x) =

       p if x = 1 1 − p if x = 0 The binary entropy measured in bits is then defined as:

H(p) = −p log p − (1 − p) log (1 − p) (2.2)

2.3 Pseudo Random Number Generators

PRNGs algorithmically generate seemingly random numbers from an initiation value called a seed. Since algorithms are naturally deterministic, anyone knowing the exact algorithm and seed can reproduce the same pseudo random sequence. RNG s of this type are usually both fast and have good statistical properties in the sense that they pass most statistical tests.

2.4 True Random Number Generators

A TRNG utilizes some non-deterministic physical phenomenon to produce ran-domness. STRNG utilizes phase jitter in digital signals as a source of entropy. Other examples of TRNG s are thermal noise, quantum mechanics, atmospheric noise and nuclear decay. TRNG s are usually slower than PRNG s and also have worse statistical properties, but they are in turn more unpredictable. This makes them suitable for seeding PRNG s since an unpredictable seed gives good quality pseudo randomness.

2.5 Jittery clock true random number generators

Clock jitter can be used as a source of randomness. This section defines jitter and describes how entropy can be gained from sampling jittery signals.

2.5.1 Jitter

Jitter is the difference in time between the ideal signal would appear appear in time and when it appears in reality. An ideal clock would have a fixed frequency where each clock cycle would be exactly the same length. In reality, this is not the case. Jitter is mostly an unwanted phenomenon as it can cause timing error in syn-chronous digital systems[6]. All jitter can be divided into two components[15],

(22)

8 2 Random number generators

Figure 2.1:A clock signal with jitter boundaries marked in gray.

deterministic and Gaussian (random) jitter. Self-timed rings utilizes the latter to gather entropy.

Deterministic Jitter

Deterministic jitter is both predictable and reproducible. These are properties that are unwanted and threatening to RNG s since they could provide a way to attack a cryptographic system implementing it. If the deterministic portion of the total jitter is much greater than the Gaussian jitter it might make it more challenging to measure and determine the size of the Gaussian jitter [11]. Deterministic jitter comes from global sources that produce noise. Examples of these sources are: temperature variations and power supply voltage. Both of these variables are rather easy to manipulate for an attacker.

Gaussian Jitter

Gaussian jitter is a completely random variation in time that comes from thermal white noise generated locally inside electrical components. This kind of jitter is unavoidable and it is not affected by any external noise sources nor is it pre-dictable or reproducible. The random variable produced from Gaussian jitter has a normal distribution N (T , σ2_{), where σ is the standard deviation in time}

from the ideal time T [9].

2.5.2 Sampling jittery signals for entropy

A jittery signal can be used to harvest entropy. Assume that the signal is sampled at a time t and that the jittery signal ideally has a positive edge at time T .

Jittery signal Sample clock

t

Figure 2.2:Sampling of jittery signal at time t.

Assume that the random variable X is the actual time of the edge in time. The probability that sampled bit at time t is 0 can be calculated with equation 2.3,

P (X < t) = Φ(t − T

(23)

2.5 Jittery clock true random number generators 9

where Φ is the cumulative distribution function defined by equation 2.3. Φ(x) =

x

Z

−∞

(24)

(25)

3

Oscillator based true random number

generators

Sampling jitter from clock signals is a common technique used in many TRNG s to harvest entropy. Classically IRO s has been a popular way of doing so. STR s has been compared to IRO s by the authors of [10] where it is proposed as a more robust way of generating jittery clocks that are less susceptible to global deter-ministic interferences.

Section 3.1 describes the basic structure of IRO s as a way to describe the most simple form of ring based oscillators. Section 3.2 describes STR s structure and behaviour.

3.1 Inverter Ring Oscillators

The simplest form of ring oscillator is the IRO. An IRO can be implemented by serially connecting an uneven number of inverters to form a loop as illustrated in figur 3.1.

Figure 3.1:Inverter Ring Oscillator with an uneven number of inverters con-nected in series to form a loop.

A signal measured at the output of any inverter will oscillate. Since the digi-tal signal eventually will propagate around the uneven number of inverters and eventually cause the signal to switch. By extension, all other inverter outputs

(26)

12 3 Oscillator based true random number generators

will also switch values when the signal propagates. A more general definition of an IRO is an inverter serially connected to a number of buffers or delay elements (see figur 3.2).

Figure 3.2: A general Inverter Ring Oscillator connecting an inverter to a number of delay elements in series to form a loop.

The principle is the same as in figure 3.1. It makes it easier to imagine an event, travelling from the inverter’s output around the ring, eventually ending up at the same inverter’s input causing the output to switch. It also makes it easier to explain the mechanics behind the oscillation and the frequency. Each buffer or delay element has an internal propagation delay, i.e. the time it takes for a signal to pass from the elements input to its output signal. The frequency of the IRO is governed by the collected propagation delays in the loop (including the inverters). The frequency decreases linearly as the number of delay elements increases [10].

3.2 Self-Timed Rings

The STR structure is a micropipline FIFO as proposed by I.E. Sutherland [20] where the last and first elements are connected to form a loop. As opposed to IRO s, several events can propagate independently within the structure. STR s has been proposed as a more robust alternative to IRO s to produce jittery clocks. Cherkouai et al. has successfully implemented the proposed RNG, described the stochastic model and shown the benefits gained from it [8] [9][10] [11].

3.2.1 Muller-gate

The Muller-gate, also known as Muller C-Element or just C-Element is the core component of the STR. It is an asynchronous logic gate with two inputs and one output [19]. The behaviour of the Muller-gate corresponds to table 3.1.

A B C

0 0 0

0 1 C−1 1 0 C−1

1 1 1

Table 3.1:Truth table for standard Muller-gate.

When both inputs are 0, the output becomes 0 and when both inputs are 1, the output changes to 1. When the inputs have different values the previous value is

(27)

3.2 Self-Timed Rings 13

preserved. In [19] it is noted that it is assumed that the inputs should not change before the output does when they become 0. No special means has been taken to assure this in the STR. However, it is not a practical problem, since the handshake protocol used between stages described in section 3.2.3 prevents such behaviour.

3.2.2 Structure

A STR consists of a chain of L stages forming a loop. The structure mimics that of Sutherlands proposed micropipeline FIFO [20], where the last stage’s output is connected to the first stage’s forwarding input and the reverse input of the last stage is fed by the first stage’s output. The structure is depicted in figure 3.3. Each stage of the STR structure consist of a Muller-gate with an inverter on the

Figure 3.3:Structure of a Self-Timed Ring.

reverse input. The addition of an inverter produces a new altered Muller-gate that corresponds to the behaviour table 3.2. If the forward and reverse inputs

F R C

0 0 C−1

0 1 0

1 0 1

1 1 C−₁

Table 3.2:Truth table for the altered Muller-gate used as a stage in a STR. takes different values (F = 0, R = 1 or vice versa), the output equals F. When F = R the output stays unchanged.

3.2.3 Behaviour

2-phase handshake protocol

The author of [20] describes that the micropipeline stages communicate in two phases: request and acknowledgement.

In the first phase, a stage signals to the next stage, through the output signal, that there is new data available.

The second phase is when the second stage acknowledges that the data has been received and used. This is done by switching the output value and thereby chang-ing the value returned to the first stage on its reverse input.

(28)

The handshake protocol prevents the problem described in section 3.2.1 where it is assumed that a Muller-gates inputs are not changed before the output does. The previous stage’s output can not change before it receives a changed reverse signal. Likewise the stage cannot receive a changed reverse signal before the following stage has received and processed a new value on its forward input. The loop feedback value only changes with the output signal. The set/reset signal resets the whole structure and is therefore never a problem.

Tokens and bubbles

To understand how events propagate in the ring, the concept of tokens and bub-bles is usually used[10]. At any moment in time a STR stage carries either a token or a bubble. Tokens and bubbles are defined as:

Definition 3.1 (Tokens and bubbles). A stage at position i in a self-timed ring with the output signal Ci carries a token if the stage before it has an output Ci−1

so that Ci , Ci−1.

The stage is said to carry a bubble if the stage before it has Ci−1so that Ci = Ci−1.

Given definition 3.1 and the truth table of every stage (table 3.2) the propagation pattern of tokens can be derived. A token propagates from a stage with index i if and only if the next stage i + 1 contains a bubble. As seen in figure 3.4, when a token propagates to the next stage it leaves behind a bubble. One might say that bubbles propagate backwards while events propagates forward.

(a) State of stages C_i−1, C_iand C_i+1at time T₁

(b) State of stages Ci−1, Ci and Ci+1at time T2

Figure 3.4:Token propagating between stages.

Burst or evenly spaced modes

A STR may exhibit two modes of event oscillation: evenly spaced mode and burst mode. Both are illustrated in figure 3.5. Only the evenly spaced mode is of inter-est in this thesis.

(29)

3.2 Self-Timed Rings 15 Burst

Evenly-spaced

Figure 3.5:Burst and oscillation modes.

The evenly spaced mode is a direct consequence of a phenomenon called Charlie effect. Muller-gates have a propagation delay that is a function of the separation time between its two inputs [11]. The effect of this is that if the request and ac-knowledge signals are close in time, the propagation delay gets higher. However, the propagation delay will get shorter if the request and acknowledge signals ap-pear as further separated in time. This causes events that are close to push away from each other. Eventually the events will spread out evenly throughout the ring structure.

In [16], the authors describes that if equation 3.1 is fulfilled evenly spaced mode can be guaranteed. NT NB ≈ Df f Drr (3.1) Where NT is the number of tokens, NBis the number of bubbles, Df f is the static

propagation delay on the forwarding input of the Muller-gate and Drrthe reverse

input delay.

For the rest of this thesis it is assumed that Df f = Drr since all stages each are

implemented in a single look-up table, as described in section 5.2.1.

Phase distribution

The phase difference between two stages that are n stages apart in a ring of L stages populated by N evenly spaced events is specified by (3.2)[13].

ϕn= n ×

N L ×180

◦

(3.2) The phase difference, ϕn, between stages is not only governed by the length of

the chain, but also the event occupancy of the ring. Equation (3.2) shows that if L is a multiple of N, some stages will share phase. Also if NB = NT, that is when

the number of bubbles are equal to the number of tokens, and the propagation delays of each stage are such that Df f = Drr there will be only four equidistant

phases. If N and L are co-prime there will be as many equidistant phases as there are stages. This is preferable when using STRs for generating entropy. The more individual phases there are, the better the phase resolution gets.

∆ϕ = T

2L (3.3)

The phase resolution ∆ϕ of a STR where, the number of stages and events are co-prime and the period T as calculated as equation 3.3. To guarantee that sampling

(30)

occurs within at least one jitter boundary the phase difference should be such that ∆ϕ ≤ σ .

3.2.4 Entropy extraction

A STRNG with the length of L stages, configured with N events spread evenly across the ring structure, where L and N are co-prime, will deliver L jittery sig-nals Ci, (1 ≤ i ≤ L). All of the signals will have equidistant phases as described

in section 3.2.3. All signals are sampled at the same time t. The signals are then XORed to form the collected signal ψ = C1⊕C2⊕ · · · ⊕CL. ψ is the output signal

of the STRNG. The structure of the sampling is depicted in figure 3.6.

Figure 3.6:Structure of sampling logic of an STRNG.

In figure 3.7 shows a timing diagram of the sampling, where the outputs have been sorted the order of edge arrival time.

Cj Cj+1 Cj+2 Clock Jitter boundaries ∆ϕ t

Figure 3.7: Equidistant phases ordered after mean arrival time sampled at time t.

(31)

3.2 Self-Timed Rings 17

Each sampling takes place at most ∆₂ϕ from an event. That is for every sample at time t, there exists a stage Cj with a mean arrival time tj so that |t − tj| ≤

∆ϕ

2 . From this we learn that if ∆ϕ ≤ ρ, where ρ is the jitter magnitude, at least

one signal will have been sampled within the jitter boundaries. Thus when all sampled signals are XORed together, the entropy of the sampled signal ψ has at least the entropy of the sampled signal sj. The entropy can therefore be denoted

(32)

(33)

4

Testing the randomness

This chapter briefly describes which tests are used to evaluate the STRNG in this thesis.

4.1 Random number testing

Testing if a sequence of random numbers really is random is impossible. To prove that a RNG ’s output is random, an infinite sequence would have to be tested since a subsequence could be part of a repeating sequence. However, RNG s can be tested to assert if it is "random enough" for the environment it is used in.

4.2 Batteries and tests used in this studie

In 2014 the author of [17] described and evaluated several modern frameworks for testing random number generators. The one test-suite recommended is also the one best fitted for this thesis: the TestU01 suite. It is a modern, state of the art, test-suite which can be configured according to the user’s needs. Of all of the evaluated frameworks, it was the one best suited for this thesis since it was the only one that featured a battery specifically made to test true random number generators.

4.2.1 Framework: TestU01

TestU01 is a software library created by Pierre L’Ecuyer at Université de Montreal[18]. The library contains several, state of the art, tools to perform statistical tests on RNG s. It is designed so that anyone, with basic C-programming knowledge, can

(34)

20 4 Testing the randomness

customize the tests to fit the specific needs of the user. To simplify testing fur-ther, the library contains batteries with preconfigured tests that are built to test a specific aspect of a RNG. These are useful to users that are not sure which tests to use. One of the batteries is even designed to test TRNGs. Apart from testing tools TestU01 also contains several pre-implemented PRNGs.

4.2.2 Batteries

The test batteries used in this thesis are Alphabit and BlockAlphabit which are designed specifically to test hardware random number generators.

Alphabit

The Alphabit test battery has been created specifically to test hardware based random number generators, which makes it well suited for testing the STRNG implemented in this thesis. The tests included in the battery are:

1. Binary overlapping serial 2. Hamming independence 3. Hamming correlation 4. Random walk

The binary overlapping test is run in four different configurations, where it tests overlapping blocks of 2, 4, 8 and 16 bits. The hamming independence tries to detect correlations between overlapping blocks of 16 and 32 bits. The Hamming correlation test tests for correlations between 32 bit overlapping blocks. The ran-dom walk tests use walk lengths 64 and 320 bits.

BlockAlphabit

The BlockAlphabit runs the Alphabit battery after reordering the bits in block sizes of 1, 2, 4, 8, 16 and 32 bits.

(35)

5

Implementation

This chapter describes how the STRNG was implemented in this thesis, using the structure described in 3.2.2.

5.1 Configurations

One part of this thesis is to empirically compare different configurations of a STRNG. Since the wanted behaviour is the evenly spaced event propagation mode, the ratio between the number of tokens and the number of bubbles, NT

NB

≈_{1, can} not be changed. The length of the STR, however, can be altered to change the phase resolution. A STR with more elements gets a finer phase resolution while maintaining the oscillation period time.

Six different STRs have been implemented with different lengths: 127, 255, 511, 1023, 1535 and 2047.

5.2 Logic design

The STRNG structure is designed, using two components: look up tables (LUT ) and registers, both housed in the logic blocks on the FPGA. This section specifies the implementation used for the Muller-gates and the circuits sued to sample them.

5.2.1 Muller-gate

Each Muller-gate is implemented in one of the FPGA s LUT s. Each LUT has 4 inputs and one output. The first two inputs are used as the forward and reverse

(36)

22 5 Implementation

inputs, one as a feedback loop from the output and one used for resetting the gate. The feedback loop is used to keep the previous value (see table 3.2). If the feedback loop is internal the risk is that an unwanted latch is created.

In order to start the implementation with the correct numbers of events and bub-bles, two separate Muller-gates ares implemented. When they are fed with a reset signal they put out the logical value 0, respectively 1 (see table 5.1).

Muller-gate 0 FB F R RST C 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 1 1 0 0 1 0 0 0 1 1 0 1 0 0 1 1 0 0 1 1 1 1 0 1 - - - 1 0 Muller-gate 1 FB F R RST C 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 1 1 0 0 1 0 0 0 1 1 0 1 0 0 1 1 0 0 1 1 1 1 0 1 - - - 1 1

Table 5.1:Truth tables for Muller-gates with reset respectively set function-ality.

5.2.2 Gate placement

To fulfil equation 3.1 where it is assumed that Df f = Drr the Muller-gates are

distributed by the following equation where Mi is the Muller-gate at position i

where a 0 and 1 represents a Muller-gate with reset respectively set capabilities: Mi =        0, if i mod 4 < 2 1, if i mod 4 ≥ 2 (1 ≤ i ≤ L) (5.1) This creates a chain where every second stage carries a token and every other second a bubble. For all implementation lengths in this thesis it means that NB=

NT −1.

5.2.3 Synchronization chain

As described in 3.2.4, each stage’s output signal is sampled using a D-type flip-flop. Since the STR structure is completely asynchronous there is no guarantee that the signal might change during the flip-flop’s minimal set-up or hold time. Both of these cases might cause the flip-flop to end up in a metastable state that resolves neither to a logical high or low[5]. This undefined state would then be XORed with the other sampled values and cause the output of the STRNG to end up in an undefined state.

(37)

5.3 Fabric layout 23

second flip-flop is placed in series with the sampling flip-flop creating a synchro-nization chain of length one as depicted in figure 5.1.

Figure 5.1:Synchronization chain at the sampling flip-flop.

The second flip-flop allows for extra time for any eventual metastable signals before it to resolve fully before it is sent to the XOR.

5.3 Fabric layout

This section describes the specializations made to override the compilers default layout.

5.3.1 Combinatorial loops

The implementation of STR contains a combinatorial loop in each stage of the ring: the loop feedback signal. This is a problem since the compiler will try to optimize the structure to not have any combinatorial loops. The problem with this is that each element may get unpredictable and unwanted properties. A problem with the theoretical model would be that Df f = Drr no longer could be

assumed.

To make sure the design stays the way it is intended, constraints are put to pre-serve the signals of every stage element. This way each element can be imple-mented in one LUT.

5.3.2 Floor plan

The compiler automatically plans where each component goes on the FPGA s fab-ric if not specified. A problem with this might be that propagation delays be-tween logical elements might differ from stage transition to transition. Although the STRNG structure should be able to handle delay variations between stages [9], the implementation uses a custom floor plan to minimize the risk of errors, caused by events gathering at a slower stage of the ring.

(38)

24 5 Implementation

Logical elements are housed in logical blocks. Adjacent blocks have less propaga-tion delay between them than between others. To minimize the delay difference between different stages, logical elements are placed in adjacent blocks as far as possible. Since it is a loop structure there has to be at least two slower transitions between logical blocks that are not adjacent. This structure is illustrated in figure 5.2.

Figure 5.2:Logical elements are placed in adjacent blocks as far as possible.

To make sure that all LUTs’ outputs are sampled at the same time, each flip-flop that samples an output signal is placed at the same distance from their LUT coun-terparts. The idea behind this structure is to make sure that the delay between stage and flip-flop does not cause any timing errors that leads to loss of entropy. The structure of the STRNG demands that all signals are sampled at the same time to guarantee a lowest bound of entropy.

(39)

6

Results

This chapter describes the results of the measurements of performance and sta-tistical testing results.

6.1 Method

This section 6.1 describes the methods and tools used to measure performance and to sample data.

6.1.1 Method of sampling randomness

The sampling of bits was done using an USBee SX logic analyser. The internal XOR tree was clocked with an on-board 12MHz clock. The same clock was con-nected to the logic analyser, which was set to trigger on the negative edge to guarantee that the sampled signal had reached a stable state.

According to the USBee SX specifications, it should be able to sample data at 24MHz. However when this was tested, the sample tools would for some reason not function all the time. Therefore, the sample rate was lowered to half of the specified limit to make sure that it would function with the set sample rate. Each sample file gathered and tested contains 640 Million samples.

6.1.2 Method of measuring period time and jitter

An Agilent Infiniium 54832D MSO 1GHz 4GSa/s oscilloscope was used. Unfor-tunately this was the fastest oscilloscope that was available during the work of this thesis. It did not have the capabilities to measure the period jitter needed to calculate the individual LUT jitter. However, the oscilloscope had capabilities

(40)

26 6 Results

to measure and calculate the mean period time of a signal. Knowing the pe-riod time of the STR can be used to calculate the lowest jitter magnitude which guarantees that a sampled bit is sampled within the jitter boundaries. The out-put signals measured, were connected through low-voltage differential signalling connections.

6.2 Measurements

This section covers the results of the measurements.

6.2.1 Unexpected behaviour

When measuring the mean oscillation period, three of the STRNG implementa-tions behaved unexpectedly. The implementaimplementa-tions with lengths 127 and 2047 did not lock in to the evenly spaced propagation mode and the one with length 1023 showed no evidence of any oscillations. The implementation with 1535 showed a measurement with an anomaly during the measurements but it didn’t appear again when it was re examined.

All implementations had the same token to bubble ratio, NT

NB

≈_{1. The only} dif-ference between the implementations were the length of the STR. Theoretically, all implementations should behave as each other withs the only major difference being the phase resolution.

Non stable oscillations

In this section, screen captures from the oscilloscope shows the unexpected oscil-lation behaviour. Each implementation has a coloured graph, showing frequency of occurrence at a certain time, and a normal graph showing a snapshot of non-oscillatory behaviour. Figure 6.1 shows the strange behaviour of the smallest

Figure 6.1:Non stable oscillation from STR with 127 stages.

STR. A stable oscillatory wave can be seen within the coloured graph. However, the occurrence of other waveforms seems to be equally frequent. The right image shows a strange wave shape occurring between the regular oscillations.

(41)

6.2 Measurements 27

Figure 6.2 shows less oscillatory behaviour than 6.1. The coloured graph does not have the hinting oscillations of the previous observation and the normal graph shows more irregular waveforms than in the 127 case.

Since no stable oscillation could be achieved, neither of the implementations men-tioned in this section have been used in the statistical testing. They were omitted from testing since the theory does not cover any other mode than the one with evenly spaced event propagation.

No oscillations behaviour

The STR with the length of 1023 stages showed no evidence of oscillatory be-haviour at all. Figure 6.3 shows a screen capture from the oscilloscope.

Even though no oscillation is apparent, the STRNG output exhibited alternating logical highs and lows. To further investigate this strange behaviour the STRNG output was sampled and subjected to the statistical tests.

Anomaly on stable oscillation

The implementation of length 1535 showed an anomaly once. As seen in figure 6.4, a long logical low appeared during period measurements.

(42)

28 6 Results

Figure 6.4:A long logical low appeared in the STR with 1535 stages.

The green lines under the stable oscillation represents only a few occurrences where the anomaly appeared.

6.2.2 Stable oscillation

The STR s with lengths 255, 511 and 1535 all exhibited stable oscillations as the theory prescribes. A screen shot of the behaviour can be seen in figure 6.5.

(43)

6.2 Measurements 29

(a) STR of 255 stages.

(b) STR of 511 stages.

(c) STR of 1535 stages.

Figure 6.5:Screen captures from measuring oscillation period. Each picture shows that the stages oscillates with a stable period.

(44)

30 6 Results

6.2.3 Oscillation period

The oscilloscope’s built in functionality for measuring the mean oscillation period time was used to learn each stage’s features. Table 6.1 shows the resulting mean

L N T ∆ϕ

255 128 2.98ns 4.66ps 511 256 2.41ns 2.36ps 1535 768 2.62ns 0.85ps

Table 6.1:Results after measuring period time.

phase resolution ∆ϕ for each implementation that gave a signal in the stable oscillating mode. This gives a value for the minimum jitter magnitude σ that can be used in an implementation to guarantee the sampling of a random bit, ∆ϕ ≤ σ .

6.3 Test results

Implementations with lengths 127, 1023 and 2047 was left out when conducting the tests since they did not produce a steady oscillation. Although sampling of these signals might have generated good results in statistical testing, it would have been hard to back up the results with any theory.

This section shows the results from testing the implementations of lengths 255, 511 and 1535. Each test was run on 640 million sampled bits.

6.3.1 Alphabit battery test results

Test Stages

255 511 1535 MultinomialBitsOver with L = 2 pass pass fail MultinomialBitsOver with L = 4 pass pass fail MultinomialBitsOver with L = 8 pass pass fail MultinomialBitsOver with L = 16 pass pass fail HammingIndep with blocks of L = 16 bits pass pass fail HammingIndep with blocks of L = 16 bits pass pass fail HammingCorr with blocks of L = 32 bits pass pass fail RandomWalk1 with walks of length L = 64 pass pass fail RandomWalk1 with walks of length L = 320 pass pass fail

(45)

6.3 Test results 31

6.3.2 BlockAlphabit battery

BlockAlphabit block size 1 bit

Test Stages

255 511 1535 MultinomialBitsOver with L = 2 pass pass fail MultinomialBitsOver with L = 4 pass pass fail MultinomialBitsOver with L = 8 pass pass fail MultinomialBitsOver with L = 16 pass pass fail HammingIndep with blocks of L = 16 bits pass pass fail HammingIndep with blocks of L = 16 bits pass pass fail HammingCorr with blocks of L = 32 bits pass pass fail RandomWalk1 with walks of length L = 64 pass pass fail RandomWalk1 with walks of length L = 320 pass pass fail Table 6.3:Test results from BlockAlphabit tests with block size 1.

Test Stages

(46)

32 6 Results

Test Stages

(47)

6.3 Test results 33

Test Stages

(48)

(49)

7

Conclusion

This chapter contains conclusions drawn during the thesis work and also recom-mends what needs to be done in the future of the development of the STRNG.

7.1 Self-timed ring as random number generator

Generating truly random numbers is no trivial task. Especially not when imple-menting for FPGA hardware. Most secure systems rely on pseudo random num-ber generators to provide random sequences. Most of them have long periods before they start to repeat themselves, have good statistical properties and gener-ates seemingly random bits at a high rate. But for any PRNG to truly be useful, they need to have a good source of entropy to seed them. This is especially true in cryptographic systems where predictable or manipulatable random numbers could pose as a back door to breach security.

Implementing cryptographic functions on FPGA hardware is faster to develop, cheaper and more maintainable than using specially built hardware. Flaws, if detected, can be patched and fixed without the need of having to change any hardware.

It has been shown that a self-timed ring structure could work as a good alter-native to jittery clocks based on inverter ring oscillators. Inverter rings are very sensitive to temperature which might cause problems since it is an environmental variable that is rather hard to control. Especially if the system implementing it is used in a shifting environment or is close to other systems that tend to emit vary-ing temperatures. Voltage changes is also a factor that inverter rvary-ings are sensitive to. The authors of [10] showed that self-timed rings can be made less sensitive to voltage variations by increasing the length of the ring stage.

(50)

36 7 Conclusion

7.2 Implementation

In this paper it has been shown that self-timed ring random number generators seems to work quite well on the FPGA hardware that was used. Although some of the implementations showed unexpected behaviour, two of the implemented STRNG s exhibited stable oscillations that seemed to generate random data with good features.

The implementation featuring 1535 stages showed an anomaly in one measure-ment of the oscillation period. This might have been caused by a measuremeasure-ment error caused by the equipment used. It might also be proof of some events grouping-up where a transition delay between two stages were higher than av-erage in the structure. If so this could be the effect of the transition between two logical blocks that were not next to each other in the hardware.

The implementations of lengths 127 and 2047 showed no evidence of locking in to a steady oscillation. This suggests that events were not spread out evenly across the structure and instead a burst-like mode appeared. However, according to the theories should the Charlie effect should be equally strong in all the imple-mentation, causing the events to lock into a steady oscillation. A possible reason for the strange behaviour could be that these specific lengths might have caused the logical blocks to use a slower transition, than the other implementations, be-tween blocks that are not adjacent.

The behaviour of the implementation of length 1023 is the strangest of the mea-surements. The output of the STRNG showed both logical highs and lows when no oscillation was seen on the measurements. A possible explanation for this could be that all stages somehow locked themselves in an undefined logical value which caused the output to vary. What may have caused this behaviour is un-known.

7.3 Testing

Testing of random number generators can never be done to prove that it is com-pletely random. To do that the RNG would have to undergo tests for an infinitely long sequence. This is true since all finite sequences could be part of a larger repeating sequence. However, testing of RNG s can be used as a tool to make sure that the output is random "enough", meaning that the properties of the RNG fulfil the requirements needed in the context of which it is used.

The STRNG implementations that showed good properties in the measuring phase also showed good results in the tests. All tests were passed for the STRNG s of lengths 255 and 511. This indicates that the self-timed ring structure very well may work on the requested hardware. However, since the other four implemen-tations exhibited unwanted behaviour it cannot be concluded that the current implementation is suitable for implementation just yet.

(51)

7.4 Future work 37

7.4 Future work

A correct jitter measurement is needed to make an analysis of the entropy each sampled bit contains. The measured values gathered in this thesis could be used as hints towards fine tuning a final implementation so that the phase resolution fits the jitter magnitude as good as possible.

Biased data could be a problem in a real-world implementation of the STRNG. Some form of anti-biasing post processing should be examined.

Some implementations worked as described in the theory and others showed un-expected behaviour. It cannot be concluded that the implementation is perfectly suited for the specified hardware. The unexpected behaviour should be more thoroughly analysed to find out if there is anything about the implementation that makes the strange behaviour occur.

An important aspect of STRNG -security is resistance towards deterministic jitter sources. Tests should be carried out where bits are sampled while the tempera-tures and voltage sources are altered. STR s are proposed to be more robust than IRO s when it comes to such variations. This needs to be proven to make sure that attacks against the STRNG can be carried out through increasing the impact of deterministic jitter sources.

(52)

(53)

(54)

(55)

A

Test result summaries

This chapter contains the test result summaries from the Alphabit and Block-Alphabit batteries. Each section contains the result for a separate implementa-tions.

A.1 Alphabit battery

A.1.1 STRNG length 255

========= Summary results of Alphabit =========

Version: TestU01 1.2.3 File: short-random-bits Number of bits: 640024576

Number of statistics: 17 Total CPU time: 00:00:19.89

All tests were passed

A.1.2 STRNG length 511

Version: TestU01 1.2.3 File: long-random-bits Number of bits: 640024576

(56)

42 A Test result summaries

A.1.3 STRNG length 1535

Version: TestU01 1.2.3 File: longer2-random-bits Number of bits: 640024576

The following tests gave p-values outside [0.001, 0.9990]: (eps means a value < 1.0e-300):

(eps1 means a value < 1.0e-15):

Test p-value ---1 MultinomialBitsOver, L = 2 eps 2 MultinomialBitsOver, L = 4 eps 3 MultinomialBitsOver, L = 8 eps 4 MultinomialBitsOver, L = 16 eps 5 HammingIndep, L = 16 eps 6 HammingIndep, L = 32 eps 7 HammingCorr, L = 32 eps 8 RandomWalk1 H (L = 64) eps 8 RandomWalk1 M (L = 64) eps 8 RandomWalk1 J (L = 64) eps 8 RandomWalk1 R (L = 64) eps 8 RandomWalk1 C (L = 64) eps 9 RandomWalk1 H (L = 320) eps 9 RandomWalk1 M (L = 320) eps 9 RandomWalk1 J (L = 320) eps 9 RandomWalk1 R (L = 320) eps 9 RandomWalk1 C (L = 320) eps

---A.2

BlockAlphabit battery

A.2.1 STRNG length 255

Block size 1

(57)

A.2 BlockAlphabit battery 43

Block size 2

Block size 4

Block size 8

Block size 16

Block size 32

(58)

44 A Test result summaries

A.2.2 STRNG length 511

Block size 1

Block size 2

Block size 4

Block size 8

(59)

Block size 16

Block size 32

A.2.3 STRNG length 1535

Block size 1

Test p-value ---1 MultinomialBitsOver, L = 2 eps 2 MultinomialBitsOver, L = 4 eps 3 MultinomialBitsOver, L = 8 eps 4 MultinomialBitsOver, L = 16 eps 5 HammingIndep, L = 16 eps 6 HammingIndep, L = 32 eps

(60)

46 A Test result summaries 7 HammingCorr, L = 32 eps 8 RandomWalk1 H (L = 64) eps 8 RandomWalk1 M (L = 64) eps 8 RandomWalk1 J (L = 64) eps 8 RandomWalk1 R (L = 64) eps 8 RandomWalk1 C (L = 64) eps 9 RandomWalk1 H (L = 320) eps 9 RandomWalk1 M (L = 320) eps 9 RandomWalk1 J (L = 320) eps 9 RandomWalk1 R (L = 320) eps 9 RandomWalk1 C (L = 320) eps ---Block size 2

Test p-value ---1 MultinomialBitsOver, L = 2 eps 2 MultinomialBitsOver, L = 4 eps 3 MultinomialBitsOver, L = 8 eps 4 MultinomialBitsOver, L = 16 eps 5 HammingIndep, L = 16 eps 6 HammingIndep, L = 32 eps 7 HammingCorr, L = 32 eps 8 RandomWalk1 H (L = 64) eps 8 RandomWalk1 M (L = 64) eps 8 RandomWalk1 J (L = 64) eps 8 RandomWalk1 R (L = 64) eps 8 RandomWalk1 C (L = 64) eps 9 RandomWalk1 H (L = 320) eps 9 RandomWalk1 M (L = 320) eps 9 RandomWalk1 J (L = 320) eps 9 RandomWalk1 R (L = 320) eps 9 RandomWalk1 C (L = 320) eps ---Block size 4

(61)

File: longer2-random-bits Number of bits: 640024576

Test p-value ---1 MultinomialBitsOver, L = 2 eps 2 MultinomialBitsOver, L = 4 eps 3 MultinomialBitsOver, L = 8 eps 4 MultinomialBitsOver, L = 16 eps 5 HammingIndep, L = 16 eps 6 HammingIndep, L = 32 eps 7 HammingCorr, L = 32 eps 8 RandomWalk1 H (L = 64) eps 8 RandomWalk1 M (L = 64) eps 8 RandomWalk1 J (L = 64) eps 8 RandomWalk1 R (L = 64) eps 8 RandomWalk1 C (L = 64) eps 9 RandomWalk1 H (L = 320) eps 9 RandomWalk1 M (L = 320) eps 9 RandomWalk1 J (L = 320) eps 9 RandomWalk1 R (L = 320) eps 9 RandomWalk1 C (L = 320) eps ---Block size 8

Test p-value ---1 MultinomialBitsOver, L = 2 eps 2 MultinomialBitsOver, L = 4 eps 3 MultinomialBitsOver, L = 8 eps 4 MultinomialBitsOver, L = 16 eps 5 HammingIndep, L = 16 eps 6 HammingIndep, L = 32 eps 7 HammingCorr, L = 32 eps