Power Analysis of a Chaos-Based Random Number
Generator for Cryptographic Security
Fabio Pareschi∗†, Giuseppe Scotti‡, Luca Giancane‡, Riccardo Rovatti§†, Gianluca Setti∗† and Alessandro Trifiletti‡
∗ENDIF, University of Ferrara - via Saragat, 1 - 44100 Ferrara (ITALY)
†ARCES, University of Bologna - via Toffano, 2 - 40125 Bologna (ITALY)
‡Dipartimento di Ingegneria Elettronica, Università di Roma “La Sapienza” - Via Eudossiana 18, 00184 Roma (ITALY)
§DEIS, University of Bologna - viale Risorgimento, 2 - 40136 Bologna (ITALY)
email: {fabio.pareschi, gianluca.setti}@unife.it, rrovatti@arces.unibo.it,
{scotti, giancane, trifiletti}@die.uniroma1.it
Abstract—In this paper we consider a side-channel attack on a
chaos-based Random Number Generator (RNG) based on power
consumption analysis. The aim of this attack is to verify if it
is possible to retrieve information regarding the internal state
of the chaotic system used to generate the random bits. In fact,
one of the most common arguments against this kind of RNG
is that, due to the deterministic nature of the chaotic circuit on
which they rely, the system cannot be truly unpredictable. Here
we analyze the power consumption profile of a chaos-based RNG
prototype we designed in 0.35 μm CMOS technology, showing
that for the proposed circuit the internal state (and therefore
the future evolution) of the system cannot be determined with
a side-channel attack based on a power analysis. This property
makes the proposed RNG perfectly suitable for high-security
cryptographic applications.
I. INTRODUCTION
By definition, a Random Number Generator (RNG) is
a circuit capable of producing perfectly unpredictable bits,
which means that it is impossible to predict its outcome with
an accuracy greater than the one given by pure luck. These
circuits represent a fundamental primitive in many engineering
tasks. For instance, they are used in all cryptographic applications,
where they are of paramount importance in the synthesis
of confidential keys. Indeed, it is commonly accepted that, in
any cryptographic system, a perfect randomly generated key
leads to the highest system security [1].
Testing unpredictability according to its definition is a hard
task, even from a theoretical point of view. In common practice,
one can consider a generated (and supposedly random) bit
sequence in order to validate the quality of an RNG, and check
it with a statistical test. Roughly speaking, this test analyzes
the bit sequence looking for regularities or recurrent patterns.
The outcome is the indication of whether the sequence can
be considered random, as well as the margin of error of this
decision [2].
In this paper we consider a prototype of a RNG designed
in 0.35 μm technology employing a chaotic map [3], [4]
as a source of randomness. This prototype has already been
presented by the authors in [5], where it was tested using the
common statistical tests approach. Here we test the prototype
from another point of view: we consider, along with the
generated bitstream, the power consumption of the prototype,
and verify if this additional information can be used to predict
the future evolution of the RNG. This method is similar to the
power analysis technique, introduced by Kocher in 1999 [6],
to perform side channel attacks on cryptographic devices.
Note that this analysis represents an important issue for
any chaos-based random generator. A chaotic system is by
definition a deterministic, non-linear system with a long-term
unpredictability, i.e. its evolution cannot be predicted after a
short time interval, whose length decreases as the error in
the knowledge of the initial system state increases. Despite
this property, a common argument against this architecture is
the intrinsic deterministic nature of the system. Actually, if an
external observer could gather information on the internal state
of the chaotic map (which has to be, of course, inaccessible), a
prediction of the short-term evolution of the system is possible.
Even if it is possible to theoretically prove that, with the
architecture used in the prototype, the generated bitstream does
not contain information on the actual state of the chaotic map
[7], the possibility of retrieving this information from a side-channel
attack has not yet been analyzed.
We show here that a power analysis of the prototype is not
useful to obtain information on the internal state of the system,
since the current profile of the designed chaotic system is
independent of it. This effectively ensures the unpredictability
of the system even under a side-channel attack based on
power analysis, and makes it perfectly suitable for cryptographic
applications.
The paper is organized as follows. In section II we describe
the architecture of the RNG prototype in order to understand
what the expected current profile is. In section III we analyze
the RNG power consumption, showing that no relation can be
found between the current profile and the internal state of the
chaotic map, thus ensuring the effective unpredictability of the
generated bitstream. Finally, we draw the conclusions.
II. ARCHITECTURE OF THE DESIGNED RNG
The RNG analyzed in this paper has been designed in a
3.3 V 0.35 μm CMOS technology. A detailed microphotograph
of it can be seen in Figure 1. The core of this RNG is a
chaotic map, formally a 1D discrete-time dynamical system
whose state evolution is described by:
$$x_k = M(x_{k-1}) \qquad (1)$$
with $M : I \to I$, while the random output bit $D_k$ is given
through the quantization function $Q : I \to \{0, 1\}$ from the
state of the map:
$$D_k = Q(x_{k-1})$$
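As an added illustration (not code from the paper), the sketch below iterates $x_k = M(x_{k-1})$, $D_k = Q(x_{k-1})$ and measures how many output bits an observer predicts correctly from a state estimate with a given error, which is the short-term predictability concern raised in the introduction. The Bernoulli shift used for $M$, the threshold used for $Q$, the initial state and all function names are assumptions; this section does not specify the prototype's map.

```python
from fractions import Fraction

HALF = Fraction(1, 2)

def M(x):
    # Assumed stand-in for the map M: I -> I (Bernoulli shift on I = [0, 1)).
    return (2 * x) % 1

def Q(x):
    # Assumed quantizer Q: I -> {0, 1}: upper half of I maps to 1.
    return 1 if x >= HALF else 0

def bits(x0, n):
    # D_1..D_n with x_k = M(x_{k-1}) and D_k = Q(x_{k-1}); exact arithmetic.
    out, x = [], x0
    for _ in range(n):
        out.append(Q(x))
        x = M(x)
    return out

def prediction_horizon(x0_true, x0_est, n=64):
    # Count the leading output bits that the estimate predicts correctly.
    for k, (a, b) in enumerate(zip(bits(x0_true, n), bits(x0_est, n))):
        if a != b:
            return k
    return n

def horizon_table(x0_true, error_exponents):
    # For each m, the observer's state estimate is off by 2**-m.
    return [(m, prediction_horizon(x0_true, x0_true + Fraction(1, 2 ** m)))
            for m in error_exponents]

if __name__ == "__main__":
    x0 = Fraction(1, 3)  # constructed initial state, not a measured value
    for m, h in horizon_table(x0, [5, 9, 17, 33]):
        print(f"state error 2^-{m:<2} -> {h} output bits predicted correctly")
```

For this assumed slope-2 map the predictable window grows by roughly one output bit per bit of state precision, which is why the state must not be recoverable from the supply current to any useful resolution.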
978-1-4244-3828-0/09/$25.00 ©2009 IEEE 2858