GM/T 0078-2020 PDF English
Search result: GM/T 0078-2020
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
| GM/T 0078-2020 | English | 230 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
The design guidelines for cryptographic random number generation module
| Valid |
PDF Preview: GM/T 0078-2020
GM/T 0078-2020: PDF in English (GMT 0078-2020) GM/T 0078-2020
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
The Design Guidelines for Cryptographic Random
Number Generation Module
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative References ... 4
3 Terms and Definitions ... 4
4 Abbreviations ... 5
5 General Model of Random Number Generation Module ... 5
6 Design Principle of Physical Random Source Circuit ... 6
6.1 Principle of Chaotic Dynamical System ... 6
6.2 Principle of Phase Jitter ... 8
6.3 Principle of Direct Thermal Noise Amplification ... 9
6.4 Synthesis of Multi-channel Physical Random Sources ... 11
7 Failure Detection of Physical Random Sources ... 12
8 Randomness Detection of Physical Random Sources ... 12
9 Design Method of Post-processing Algorithm ... 12
9.1 Design Requirements for Post-processing Algorithm ... 12
9.2 Cryptographic Function Method ... 12
9.3 Lightweight Post-processing Methods ... 14
Appendix A (informative) Circuit Examples of Physical Random Sources ... 16
Foreword
This Standard was drafted in accordance with the rules in GB/T 1.1-2020 Directives
for Standardization - Part 1: Rules for the Structure and Drafting of Standardizing
Documents.
Please be noted that certain content of this document might involve patents. The
institution issuing this document does not undertake the responsibility of identifying
these patents.
This Standard was proposed by and shall be under the jurisdiction of Cryptography
Standardization Technical Committee.
The drafting organizations of this Standard: Beijing HSEC Technology Co., Ltd.;
Commercial Cryptography Testing Center of State Cryptography Administration;
Institute of Software Chinese Academy of Sciences; Institute of Information
Engineering, CAS; Nations Technologies Inc.; CEC Huada Electronic Design Co., Ltd.;
Beijing Smartchip Microelectronics Technology Co., Ltd.
The main drafters of this Standard: Zhang Wenjing, Luo Peng, Yu Qunhui, Fan Limin,
Ma Yuan, Yang Xianwei, Li Dan, Gan Jie, Xia Luning.
The Design Guidelines for Cryptographic Random
Number Generation Module
1 Scope
This Standard specifies the design requirements for cryptographic hardware random
number generation module.
This Standard is applicable to the guidance on the research, development and test of
random number generation module.
2 Normative References
The content of the following documents constitutes indispensable clauses of this
document through normative references in the text. In terms of references with a
specified date, only versions with a specified date are applicable to this document. In
terms of references without a specified date, the latest version (including all the
modifications) is applicable to this document.
GM/T 0005 Randomness Test Specification
GM/T 0008 Cryptography Test Criteria for Security IC
3 Terms and Definitions
What is defined in GM/T 0005 and GM/T 0008, and the following terms and definitions
are applicable to this document.
3.1 Random Number Generation Module
Random number generation module refers to a circuit that utilizes the natural
randomness of the real world to extract random quantities from random physical
processes and undergoes transformation processing to output random numbers.
3.2 Thermal Noise
Thermal noise, which is also known as white noise, is caused by thermal vibration of
electrons in the conductor. It exists in all electronic devices and transmission media. It
is the result of temperature changes but is not affect by frequency changes. Thermal
noise is distributed in the same form in all frequency spectra, and it cannot be
eliminated.
3.3 Chaos Theory
The physical random source circuit utilizes the uncertainty of the physical process in
the circuit, and samples and quantifies the uncertainty in the physical process to obtain
the random source sequence. The commonly used design principles of the physical
random source circuit include: the principle of chaotic dynamical system, the principle
of phase jitter and the principle of direct thermal noise amplification.
The physical random source failure detection circuit detects the output of the physical
random sources, judges whether the physical random sources fail through the
detection and controls the random number sequence output of the random number
generation module. Only the random number sequence detected by the physical
random sources can be output. When the physical random sources detect a failure,
the random number generation module shall provide an alarm signal.
The post-processing circuit utilizes certain algorithms to generate a random number
sequence that complies with the statistical test. There are many post-processing
algorithms. In practice, they shall be designed in accordance with the characteristics
of the physical random sources.
The random number generation module has two outputs, one is the random number
sequence output, and the other is the random source detection output that provides
detection. The randomness of the output random number sequence shall comply with
the stipulations of GM/T 0005. Random source detection output is mainly used to
detect the basic randomness of physical random sources.
6 Design Principle of Physical Random Source Circuit
6.1 Principle of Chaotic Dynamical System
6.1.1 Typical model of principle
Utilizing the characteristics of chaotic function to design a chaotic system is to take
random noise as minor disturbance of the chaotic system. Since the output of the
system is affected by the random noise in the system, the output sequence of the
system is unpredictable, and random sequence may be generated. The realization of
the physical random sources based on the principle of the chaotic dynamical system
mainly considers the circuit realization of the chaotic function and the realization of
random noise.
The chaotic system includes two types, namely, discrete chaos and continuous chaos.
From the perspective of engineering realization, this Standard provides a typical
physical random source model based on discrete chaotic system, as it is shown in
Figure 2.
In Formula (1), Q is the quality factor, , in which,
. Thus, the following can be seen: when it is assumed that the
slow sampling signal does not include jitter (i.e., 1 = 0), then, ; when it is
assumed that the fast oscillating signal does not include jitter (i.e., 2 = 0), then,
In design, it is required that the entropy per bit must be higher than a certain threshold,
then, in accordance with the oscillating frequency and jitter parameters of the
oscillating clock, the safe sampling frequency can be inversely solved. See A.2.1 for a
specific example. It needs to be noted that Formula (1) merely considers the entropy
estimation under the influence of white noise. In design, if the sampling frequency is
relatively low, the influence of low-frequency related noise also needs to be considered.
6.2.3 Working environment conditions for the realization of circuit design
principle
Since the oscillating clock jitter is usually sensitive to changes in the external
environment, the frequency interference introduced by the power supply end will make
the jitter also deterministic, which may affect the quality of the output random bits.
Therefore, in design, a voltage stabilization of filter circuit shall be added to the power
supply end of the physical random source circuit, so as to reduce the influence of
deterministic interference; or the structure of the oscillator shall be improved to make
it resistant to deterministic interference.
6.2.4 Example of circuit
A circuit example of physical random sources based on the principle of phase jitter is
shown in A.2 in details.
6.3 Principle of Direct Thermal Noise Amplification
6.3.1 Typical model of principle
The principle of direct thermal noise amplification is to adopt an amplifying circuit to
directly amplify the thermal noise in the circuit, and then, output a random source
sequence through comparison.
Thermal noise is a continuous time of random white noise. Within a given frequency
bandwidth, white noise with uniform noise spectral density has a normal distribution
(or Gaussian distribution) in its output amplitude. Therefore, in any given time, the
probability that the noise voltage value is higher or lower than the average value is the
same. If an ideal comparator is used to quantify the noise, and the white noise output
is compared with the average value, then, the obtained binary output sequence will be
perfectly random. A typical model of generating physical random sources based on the
are cascade amplifier and differential amplifier.
The design of the noise amplifier requires high gain and high bandwidth, so as to obtain
an output signal that can be recognized by the comparator.
6.3.2.3 Offset voltage and speed of comparator
The method of noise quantization is realized by using a comparator. The comparator
compares two analog inputs and generates a corresponding logic level at the output in
accordance with the comparison result, which realizes the conversion from analog
signal to digital signal. The value of the comparator’s reference voltage shall be the
average value of the output noise; the sampling of the binary output sequence can be
realized by a latch or trigger.
The comparator circuit has an offset voltage, and the offset voltage shall be designed
to be small enough.
The time delay between the input excitation of the comparator and the output
conversion is called the transmission delay of the comparator. The transmission delay
of the comparator generally varies with the input amplitude, and a relatively large input
will shorten the time delay. The transmission delay of the comparator shall be designed
to be small enough.
6.3.3 Working environment conditions for the realization of circuit design
principle
Circuits that generate physical random sources based on the principle of direct thermal
noise amplification are susceptible to the coupling noise of the power supply and the
substrate, process deviations, aging and temperature drift. Hence, the circuits shall try
to shield the noise of the power supply and the substrate.
6.3.4 Example of circuit
A circuit example of physical random sources based on the principle of direct thermal
noise amplification is shown in A.3 in details.
6.4 Synthesis of Multi-channel Physical Random Sources
There are 2 or more physical random sources in the design, and the data from the
multi-channel physical random sources can be XOR synthesized and output as the
final physical random source.
The requirements for the synthesis of multi-channel physical random sources are:
a) Each physical random source circuit is independent.
b) Mode of synthesis: XOR.
c) The synthesized multi-channel physical random sources can adopt the same
principle, or different principles.
7 Failure Detection of Physical Random Sources
The failure detection of physical random sources is to detect the final output sequence
of the circuit part of the physical random sources when the random number generation
module is working.
The failure detection of physical random sources adopts the detection method of all “0”
and all “1”. The sample length of all “0” and all “1” detection is 32 bits. If all “0” and all
“1” samples appear in the detection, then, it can be determined that the physical
random source circuit fails. When the physical random source circuit fails, an alarm
signal shall be provided, and the result output of the random number generation
module shall be controlled to close.
8 Randomness Detection of Physical Random Sources
The randomness detection of physical random sources is to detect the output signal of
the physical random sources before post-processing when the random number
generation module is working.
The randomness detection items of physical random sources are performed in
accordance with the single-bit frequency detection, poker detection and total run length
detection in GM/T 0005. Detect the output sequence of one set of physical random
source with 2 104 bits, and the detection significance level is = 0.0001.
The final output sequence of the random number generation module is detected for
randomness in accordance with GM/T 0005.
9 Design Method of Post-processing Algorithm
9.1 Design Requirements for Post-processing Algorithm
The basic principle of the post-processing algorithm is that the average entropy per bit
cannot be reduced. In other words, the post-processing module inputs n bits and
outputs m bits, and it must be guaranteed that n ≥ m, in which, the premise of n = m is
that the output sequence of the physical random sources passes the detection by GM/T
0005.
9.2 Cryptographic Function Method
9.2.1 Post-processing algorithm based on block ciphers
The post-processing algorithm based on block ciphers needs to adopt approved
secure block cipher algorithms; CBC and OFB modes may be adopted; encryption and
decryption operations may be adopted.
In the use of block cipher algorithm as the post-processing algorithm, its input includes
key data, initial vector and plaintext / ciphertext data. When the post-processing
algorithm starts the operation, the key data and initial vector shall be set by the output
sequence of the physical random sources. The plaintext / ciphertext data of the post-
processing algorithm shall be provided by the output sequence of the physical random
sources, and the output of the post-processing algorithm is the ciphertext / plaintext
data of the operation result of the corresponding algorithm.
9.2.2 Post-processing algorithm based on hash functions
The post-processing algorithm based on hash functions needs to adopt approved
secure hash functions.
In the use of hash algorithm as the post-processing algorithm, its input is the message
data, which is provided by the output data of the physical random sources, and the
output of the post-processing algorithm is the message digest.
9.2.3 Post-processing algorithm based on m-sequence
The post-processing is realized by m-sequence with a length of K through linear
feedback shift register or non-linear feedback shift register. The input of the physical
random sources is synchronized with the cyclic shift of the shift register, and the
feedback bit and the current bit of the digitized noise signal are XORed and output.
The m-sequence method shall satisfy the following requirements:
a) The series of the linear feedback shift register cannot be lower than 32.
b) The feedback polynomial of the linear feedback shift register must be a
primitive polynomial.
c) The feedback polynomial of the linear feedback shift register cannot be a
sparse polynomial.
d) The data input of the physical random sources of the linear feedback shift
register shall be synchronized with the cyclic shift of the shift register.
The compression rate of the shift register mode has a direct influence on the
randomness. The independence of the input physical random source signal also has
a direct influence on the independence of the output sequence. This post-processing
method is not suitable for use in the random number generation module with poor
independence of the generated physical random source signal. In addition, the output
rate must be less than the input rate (in other words, the physical random source data
can only be output after being compressed).
......
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|