GM/T 0078-2020 English PDF (GMT0078-2020)
GM/T 0078-2020 English PDF (GMT0078-2020)
GM/T 0078-2020: The design guidelines for cryptographic random number generation module
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
CCS L 80
The Design Guidelines for Cryptographic Random
Number Generation Module
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative References ... 4
3 Terms and Definitions ... 4
4 Abbreviations ... 5
5 General Model of Random Number Generation Module ... 5
6 Design Principle of Physical Random Source Circuit ... 6
6.1 Principle of Chaotic Dynamical System ... 6
6.2 Principle of Phase Jitter ... 8
6.3 Principle of Direct Thermal Noise Amplification ... 9
6.4 Synthesis of Multi-channel Physical Random Sources ... 11
7 Failure Detection of Physical Random Sources ... 12
8 Randomness Detection of Physical Random Sources ... 12
9 Design Method of Post-processing Algorithm ... 12
9.1 Design Requirements for Post-processing Algorithm ... 12
9.2 Cryptographic Function Method ... 12
9.3 Lightweight Post-processing Methods ... 14
Appendix A (informative) Circuit Examples of Physical Random Sources ... 16 Foreword
This Standard was drafted in accordance with the rules in GB/T 1.1-2020 Directives for Standardization - Part 1: Rules for the Structure and Drafting of Standardizing Documents.
Please be noted that certain content of this document might involve patents. The institution issuing this document does not undertake the responsibility of identifying these patents.
This Standard was proposed by and shall be under the jurisdiction of Cryptography Standardization Technical Committee.
The drafting organizations of this Standard: Beijing HSEC Technology Co., Ltd.; Commercial Cryptography Testing Center of State Cryptography Administration; Institute of Software Chinese Academy of Sciences; Institute of Information Engineering, CAS; Nations Technologies Inc.; CEC Huada Electronic Design Co., Ltd.; Beijing Smartchip Microelectronics Technology Co., Ltd.
The main drafters of this Standard: Zhang Wenjing, Luo Peng, Yu Qunhui, Fan Limin, Ma Yuan, Yang Xianwei, Li Dan, Gan Jie, Xia Luning.
The Design Guidelines for Cryptographic Random
Number Generation Module
This Standard specifies the design requirements for cryptographic hardware random number generation module.
This Standard is applicable to the guidance on the research, development and test of random number generation module.
2 Normative References
The content of the following documents constitutes indispensable clauses of this document through normative references in the text. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GM/T 0005 Randomness Test Specification
GM/T 0008 Cryptography Test Criteria for Security IC
3 Terms and Definitions
What is defined in GM/T 0005 and GM/T 0008, and the following terms and definitions are applicable to this document.
3.1 Random Number Generation Module
Random number generation module refers to a circuit that utilizes the natural randomness of the real world to extract random quantities from random physical processes and undergoes transformation processing to output random numbers. 3.2 Thermal Noise
Thermal noise, which is also known as white noise, is caused by thermal vibration of electrons in the conductor. It exists in all electronic devices and transmission media. It is the result of temperature changes but is not affect by frequency changes. Thermal noise is distributed in the same form in all frequency spectra, and it cannot be eliminated.
3.3 Chaos Theory
The physical random source circuit utilizes the uncertainty of the physical process in the circuit, and samples and quantifies the uncertainty in the physical process to obtain the random source sequence. The commonly used design principles of the physical random source circuit include: the principle of chaotic dynamical system, the principle of phase jitter and the principle of direct thermal noise amplification. The physical random source failure detection circuit detects the output of the physical random sources, judges whether the physical random sources fail through the detection and controls the random number sequence output of the random number generation module. Only the random number sequence detected by the physical random sources can be output. When the physical random sources detect a failure, the random number generation module shall provide an alarm signal.
The post-processing circuit utilizes certain algorithms to generate a random number sequence that complies with the statistical test. There are many post-processing algorithms. In practice, they shall be designed in accordance with the characteristics of the physical random sources.
The random number generation module has two outputs, one is the random number sequence output, and the other is the random source detection output that provides detection. The randomness of the output random number sequence shall comply with the stipulations of GM/T 0005. Random source detection output is mainly used to detect the basic randomness of physical random sources.
6 Design Principle of Physical Random Source Circuit
6.1 Principle of Chaotic Dynamical System
6.1.1 Typical model of principle
Utilizing the characteristics of chaotic function to design a chaotic system is to take random noise as minor disturbance of the chaotic system. Since the output of the system is affected by the random noise in the system, the output sequence of the system is unpredictable, and random sequence may be generated. The realization of the physical random sources based on the principle of the chaotic dynamical system mainly considers the circuit realization of the chaotic function and the realization of random noise.
The chaotic system includes two types, namely, discrete chaos and continuous chaos. From the perspective of engineering realization, this Standard provides a typical physical random source model based on discrete chaotic system, as it is shown in Figure 2.
In Formula (1), Q is the quality factor, , in which,
. Thus, the following can be seen: when it is assumed that the
slow sampling signal does not include jitter (i.e., ???1 = 0), then, ; when it is assumed that the fast oscillating signal does not include jitter (i.e., ???2 = 0), then, In design, it is required that the entropy per bit must be higher than a certain threshold, then, in accordance with the oscillating frequency and jitter parameters of the oscillating clock, the safe sampling frequency can be inversely solved. See A.2.1 for a specific example. It needs to be noted that Formula (1) merely considers the entropy estimation under the influence of white noise. In design, if the sampling frequency is relatively low, the influence of low-frequency related noise also needs to be considered. 6.2.3 Working environment conditions for the realization of circuit design principle
Since the oscillating clock jitter is usually sensitive to changes in the external environment, the frequency interference introduced by the power supply end will make the jitter also deterministic, which may affect the quality of the output random bits. Therefore, in design, a voltage stabilization of filter circuit shall be added to the power supply end of the physical random source circuit, so as to reduce the influence of deterministic interference; or the structure of the oscillator shall be improved to make it resistant to deterministic interference.
6.2.4 Example of circuit
A circuit example of physical random sources based on the principle of phase jitter is shown in A.2 in details.
6.3 Principle of Direct Thermal Noise Amplification
6.3.1 Typical model of principle
The principle of direct thermal noise amplification is to adopt an amplifying circuit to directly amplify the thermal noise in the circuit, and then, output a random source sequence through comparison.
Thermal noise is a continuous time of random white noise. Within a given frequency bandwidth, white noise with uniform noise spectral density has a normal distribution (or Gaussian distribution) in its output amplitude. Therefore, in any given time, the probability that the noise voltage value is higher or lower than the average value is the same. If an ideal comparator is used to quantify the noise, and the white noise output is compared with the average value, then, the obtained binary output sequence will be perfectly random. A typical model of generating physical random sources based on the are cascade amplifier and differential amplifier.
The design of the noise amplifier requires high gain and high bandwidth, so as to obtain an output signal that can be recognized by the comparator.
22.214.171.124 Offset voltage and speed of comparator
The method of noise quantization is realized by using a comparator. The comparator compares two analog inputs and generates a corresponding logic level at the output in accordance with the comparison result, which realizes the conversion from analog signal to digital signal. The value of the comparator?€?s reference voltage shall be the average value of the output noise; the sampling of the binary output sequence can be realized by a latch or trigger.
The comparator circuit has an offset voltage, and the offset voltage shall be designed to be small enough.
The time delay between the input excitation of the comparator and the output conversion is called the transmission delay of the comparator. The transmission delay of the comparator generally varies with the input amplitude, and a relatively large input will shorten the time delay. The transmission delay of the comparator shall be designed to be small enough.
6.3.3 Working environment conditions for the realization of circuit design principle
Circuits that generate physical random sources based on the principle of direct thermal noise amplification are susceptible to the coupling noise of the power supply and the substrate, process deviations, aging and temperature drift. Hence, the circuits shall try to shield the noise of the power supply and the substrate.
6.3.4 Example of circuit
A circuit example of physical random sources based on the principle of direct thermal noise amplification is shown in A.3 in details.
6.4 Synthesis of Multi-channel Physical Random Sources
There are 2 or more physical random sources in the design, and the data from the multi-channel physical random sources can be XOR synthesized and output as the final physical random source.
The requirements for the synthesis of multi-channel physical random sources are: a) Each physical random source circuit is independent.
b) Mode of synthesis: XOR.
c) The synthesized multi-channel physical random sources can adopt the same principle, or different principles.
7 Failure Detection of Physical Random Sources
The failure detection of physical random sources is to detect the final output sequence of the circuit part of the physical random sources when the random number generation module is working.
The failure detection of physical random sources adopts the detection method of all ?€?0?€? and all ?€?1?€?. The sample length of all ?€?0?€? and all ?€?1?€? detection is 32 bits. If all ?€?0?€? and all ?€?1?€? samples appear in the detection, then, it can be determined that the physical random source circuit fails. When the physical random source circuit fails, an alarm signal shall be provided, and the result output of the random number generation module shall be controlled to close.
8 Randomness Detection of Physical Random Sources
The randomness detection of physical random sources is to detect the output signal of the physical random sources before post-processing when the random number generation module is working.
The randomness detection items of physical random sources are performed in accordance with the single-bit frequency detection, poker detection and total run length detection in GM/T 0005. Detect the output sequence of one set of physical random source with 2 ??? 104 bits, and the detection significance level is ??? = 0.0001. The final output sequence of the random number generation module is detected for randomness in accordance with GM/T 0005.
9 Design Method of Post-processing Algorithm
9.1 Design Requirements for Post-processing Algorithm
The basic principle of the post-processing algorithm is that the average entropy per bit cannot be reduced. In other words, the post-processing module inputs n bits and outputs m bits, and it must be guaranteed that n ??? m, in which, the premise of n = m is that the output sequence of the physical random sources passes the detection by GM/T 0005.
9.2 Cryptographic Function Method
9.2.1 Post-processing algorithm based on block ciphers
The post-processing algorithm based on block ciphers needs to adopt approved secure block cipher algorithms; CBC and OFB modes may be adopted; encryption and decryption operations may be adopted.
In the use of block cipher algorithm as the post-processing algorithm, its input includes key data, initial vector and plaintext / ciphertext data. When the post-processing algorithm starts the operation, the key data and initial vector shall be set by the output sequence of the physical random sources. The plaintext / ciphertext data of the post- processing algorithm shall be provided by the output sequence of the physical random sources, and the output of the post-processing algorithm is the ciphertext / plaintext data of the operation result of the corresponding algorithm.
9.2.2 Post-processing algorithm based on hash functions
The post-processing algorithm based on hash functions needs to adopt approved secure hash functions.
In the use of hash algorithm as the post-processing algorithm, its input is the message data, which is provided by the output data of the physical random sources, and the output of the post-processing algorithm is the message digest.
9.2.3 Post-processing algorithm based on m-sequence
The post-processing is realized by m-sequence with a length of K through linear feedback shift register or non-linear feedback shift register. The input of the physical random sources is synchronized with the cyclic shift of the shift register, and the feedback bit and the current bit of the digitized noise signal are XORed and output. The m-sequence method shall satisfy the following requirements:
a) The series of the linear feedback shift register cannot be lower than 32. b) The feedback polynomial of the linear feedback shift register must be a primitive polynomial.
c) The feedback polynomial of the linear feedback shift register cannot be a sparse polynomial.
d) The data input of the physical random sources of the linear feedback shift register shall be synchronized with the cyclic shift of the shift register. The compression rate of the shift register mode has a direct influence on the randomness. The independence of the input physical random source signal also has a direct influence on the independence of the output sequence. This post-processing method is not suitable for use in the random number generation module with poor independence of the generated physical random source signal. In addition, the output rate must be less than the input rate (in other words, the physical random source data can only be output after being compressed).