IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 55, NO. 3, APRIL 2008

Fully Digital Random Bit Generators for Cryptographic Applications

Marco Bucci and Raimondo Luzzi, Member, IEEE

Abstract—This paper is devoted to the analysis, implementation, and modeling of fully digital random bit generators based on recent research results on the design of stateless oscillator-based generators. A new approach to the data quality test is adopted where, instead of passing bunches of statistical tests on the raw data, the focus is on the verification of a minimum entropy limit for the delivered random numbers after the digital post-processing. The architecture of the proposed generator (noise source and post-processing algorithm) is described in detail and experimental results in a 90-nm CMOS process are reported. The fabricated device reaches a throughput of 1.74 Mb/s after post-processing with an area of 13000 m and a power consumption of about 240 W when running at its maximum speed. A statistical model for the noise source is provided and the entropy of the post-processed data has been evaluated obtaining an entropy per byte higher than 7.999.

Index Terms—Entropy, jitter, Markov chain, random bit generator (RBG), ring oscillator, run test.

I. INTRODUCTION

RANDOM numbers are extensively used in many cryptographic operations. Public/private key pairs for asymmetric algorithms are generated from random bit streams; random numbers are also needed for key generation in symmetric algorithms, for generating challenges in authentication protocols, and for creating padding bytes and blinding values [1]. For random numbers used in cryptography, a flat statistic is not sufficient and their unpredictability is the main requirement. A random bit generator (RBG) is a system whose output consists of fully unpredictable (i.e., statistically independent and unbiased) bits.
In security applications, the unpredictability of the output also implies that it must not be possible for an attacker to observe or manipulate the generator.

An RBG basically differs from a pseudorandom generator because the complete knowledge of the generator structure and of whatever previously generated sequence does not result in any knowledge of any following bit. In other terms, the entropy of an -bit output sequence should be ideally equal to . On the contrary, the entropy of a -bit output sequence from a pseudorandom generator cannot exceed the entropy of its seed, whatever is. While pseudorandom generators are suitable in those applications where just a flat statistic is needed [2], random number generators are required in security applications, where unpredictability is the main goal.

A true RBG must be necessarily based on some kind of nondeterministic phenomena that could act as the source of the system randomness. Electronic noises and time jitter are usually the only stochastic phenomena that are suitable for the integration in embedded systems as chipcard integrated circuits (ICs).

Manuscript received September 3, 2006; revised March 28, 2007. This paper was recommended by Associate Editor I. Verbauwhede.
The authors are with Infineon Technologies Austria AG, A-8020 Graz, Austria (e-mail: raimondo.luzzi@infineon.com).
Digital Object Identifier 10.1109/TCSI.2008.916446

When designing an RBG for a chipcard IC, a wide spectrum of implementation issues has to be considered and fulfilled. Due to cost reasons and mechanical stress requirements, the silicon area is a limited resource in a chipcard microcontroller (a typical area is 5–10 mm for an 8/16-bit card) and, at the same time, there is the demand to integrate nonvolatile memory blocks of ever-increasing size. As a consequence, the silicon area for integrating the CPU core and its peripheral devices (including the RBG module) must be minimized.
Furthermore, no external components can be used due to packaging constraints and security reasons: any externally accessible circuit node seriously affects the chip tamper resistance [3].

To avoid complex power management policies, power consumption is another stringent constraint, especially in a contact-less chipcard IC. A related issue is the chip resistance against power analysis attacks [4]: when the RBG is employed in a key generation algorithm, a current consumption profile highly correlated to the RBG's output bit stream can be exploited by an attacker to infer the generated secret values.

Four different techniques for generating random streams are reported in the technical literature: direct amplification of a noise source [5]–[7], jittered oscillator sampling [8]–[12], discrete-time chaotic maps [13], [14] and metastable circuits [15], [16]. The direct amplification of a white noise source has been proved to be an effective technique to obtain high-speed random streams. Nevertheless, the sampling of a jittered oscillator is the preferred method because of its higher robustness and lower sensitivity to external disturbances [10].

An oscillator-based RBG exploits the cycle-to-cycle time drift (jitter) in free running oscillators to produce a random bit sequence. In the basic scheme, a fast oscillator is sampled by a lower frequency oscillator in a D flip-flop and, under the hypothesis that the standard deviation of the slow oscillator period is greater than the fast oscillator period, the states of the latter in two successive sampling times can be assumed uncorrelated, thus generating a random bit stream. To fulfill the mentioned constraint and, at the same time, to have a high generation speed, in [11] the low frequency oscillator is provided with an amplified noise source. The main drawback of this solution is the increased power consumption which is a main constraint, especially for the integration in contact-less chipcards.
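
The hypothesis in the basic scheme above (slow-period standard deviation larger than the fast period gives uncorrelated samples) can be checked numerically. The following Python simulation is an added example, not code from the paper; the Gaussian period-jitter model, the 50% duty cycle, and the numeric values (fast period 1.0, nominal slow period 100.1) are assumptions chosen for illustration.

```python
import random

def sample_bits(n, t_fast, t_slow, sigma_slow, seed=1):
    """Latch a 50% duty-cycle fast oscillator on each edge of a jittered slow one."""
    rng = random.Random(seed)            # fixed seed: reproducible model, not an RBG
    t = rng.uniform(0.0, t_fast)         # unknown initial phase
    bits = []
    for _ in range(n):
        t += rng.gauss(t_slow, sigma_slow)       # slow period with Gaussian jitter
        phase = (t % t_fast) / t_fast            # position inside the fast period
        bits.append(1 if phase < 0.5 else 0)     # D flip-flop samples the fast clock
    return bits

def lag1_correlation(bits):
    """Correlation coefficient between each bit and its successor."""
    mean = sum(bits) / len(bits)
    var = sum((b - mean) ** 2 for b in bits) / len(bits)
    if var == 0.0:
        return 1.0                       # constant output: fully predictable
    pairs = len(bits) - 1
    cov = sum((bits[i] - mean) * (bits[i + 1] - mean) for i in range(pairs)) / pairs
    return cov / var

def sweep(sigmas, n=20000, t_fast=1.0, t_slow=100.1):
    """Lag-1 correlation for each slow-period jitter value (in fast periods)."""
    return [(s, lag1_correlation(sample_bits(n, t_fast, t_slow, s))) for s in sigmas]

if __name__ == "__main__":
    for sigma, corr in sweep([0.01, 0.1, 0.3, 1.0, 2.0]):
        print(f"sigma_slow / T_fast = {sigma:4.2f}   lag-1 correlation = {corr:+.3f}")
```

With jitter well below the fast period, successive samples stay strongly correlated; once the slow-period standard deviation exceeds the fast period, the correlation falls to the statistical noise floor of the sample size.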

To maximize the exploitation of the oscillator jitter when an explicit noise source is not employed, a new concept has been introduced in [17] where the fast oscillator phase is controlled to force the sampling close to one of its edges (offset-compensated

1549-8328/$25.00 © 2008 IEEE