Empirical test examples for binary sequences

Frequency Test

A test that counts the number of ones in a sequence is an example of an empirical test based on the random walk. The random walkY_nis the sum of independent Bernoulli random variablesX_i. It can be written:

Y_n=

∑

ⁿ

i=1

X_i (4.11)

Using the Central Limit Theorem and the De Moivre-Laplace Theorem, a binomial sum, normalized by√

n, follows a normal distribution if the sample sizenis large. This can be written as:

nlim→∞P Y_n

√n ≤y

= 1

√2π

_y

−∞e^−h22dh= f(y) (4.12) This theory is the basis for one of the simplest but most important statistical tests, the fre-quency (monobit) test. The null hypothesis for this test states that a sequence of independent, identically distributed Bernoulli variables has a probability:

P(X_i=1) =0.5

As mentioned in previous sections this statistical test is based on the model for a binary memoryless source. An implementation of this theory into a statistical test is presented in Sec-tion 5.1.1.

Another implementation of the random walk is a variation on the previous frequency test called thefrequency block test. This test performs multiple frequency tests on smaller, equally distributed subsequences of the main sample sequence. This detects localized deviations from randomness. The sample sequence is divided intonsets ofmbits. The number of ones in eachm sequence is counted,πi. A test characteristic is then calculated by using the following formula:

X_obs=4m

∑

ⁿ

i=1

πi

m−1 2

2

(4.13) The observed characteristic is compared to a theoretical limit to determine if the sequence is acceptable as random. The implementation of this test is presented in Section 5.1.2.

4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 45 Runs Test

The runs test is a group of tests based on the bit oscillation in a sequence. There are many published definitions of runs (see [Knu97, Feh68, AJJ⁺, APS96, And00, Ent98]). The data type, binary or real, determines the runs definition that should be used. One of the earliest definitions of runs for randomness testing has been published in 1944 by Wolfowitz. Given a sequence X₁ = (x₁,...,x_n), a second sequence X₂ can be formed by taking the sign of the difference between two adjacent numbersx_i+1−x_i,1≤i≤n−1. An example of this is:

X₁= (7,4,1,0,5,2,8,9,6,0) which converts to

X₂= (−,−,−,+,−,+,+,−,−).

A ”+” is treated as a run up, while a ”−” is considered a run down, with lbeing the length of each run subsequence. Various statistical tests for real numbers use this definition.

Another definition of a run has been published by Knuth [Knu97]. He examines real number sequences and defines a run as the lengthlof a trend in a sequenceX, with the trend being either increasing or decreasing. Given a sequenceX = (x₁,...,x_n), each neighboring number, x_i and x_i+1, is compared, and a vertical line is used to divide each number group whenever x_i>x_i+1. Using the previous example sequenceX₁, we obtain:

|7|4|1|0,5|2,8,9|6|0|.

Counting the runs for lengths one to three, there arefive runs of length 1, one run of length 2, and one run length 3. Adjacent runs arenot independent, since a long run tends to be followed by a short run; therefore, theχ² test cannot be applied at this point. A new random variable needs to be defined. The random variableZ_li with 1≤i≤ncounts the number of runs in a sequence.

VariableZ_liis defined as follows:

Z_li =

⎧⎪

⎨

⎪⎩

1 if positioniis the beginning of an ascending run of lengthlor more,

0 otherwise.

Using this new variable, the number of runs of length≥lis:

R_l=Z_l1+...+Z_ln, and the number of runs equal to lengthlis:

R_l=R_l−R_l+1.

46 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

The statistical test counts the occurrence of runs up to a given lengtht and any run longer thant is classified as a run of lengtht. The derivationQ_l with 1≤l≤tis calculated by subtracting the resulting run countsR_l from the expect run countsμ(R_l):

Q₁ = R₁−μ(R₁) ... ...

Q_t−1 = R_t−1−μ(R_t−1) Q_t = R_t−μ^R_t

These values are used to calculate the test statistic for aχ^{2test witht} degrees of freedom X_obs =

∑

^t

i,j=1

Q_i·Q_j·a_{i j}, (4.14)

where the matrix A=ai j is the inverse matrix ofC=covar(R_l,Rm), with 1≤ {l,m} ≤t. The covariance matrix C and the meanμ(R_l)are calculated using the following relations

μ(R_l) = μ^R_l−μ^R_l+1 covar

R_l,R_m

= covar

R_l,R_m

−covar

R_l+1,R_m covar(R_l,R_m) = covar

R_l,R_m

−covar

R_l,R_m+1 To calculateμ^R_l^andcovarR_l,R_m

the following holds:

μ^R_l = (n+1)·l

(l+1)! −l−1

l! 1≤l≤n

covar

R_l,R_m

=

μ(R_t) +f(l,m,n), ifl+m≤n μ(R_t)−μ^R_l·μ(R_m), ifl+m>n where

s=l+m, t=max(l,m), and

f(l,m,n) = (n+1)

s(1−lm) +lm

(l+1)!(m+1)!− 2s (s+1)!

+2

2s s!

+ (4.15)

s²−s−2

lm−s²−l²m²+1 (l+1)!(m+1)!

Another definition of a run is found in [Feh68]. Fehler provides a definition for runs with

4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 47 Bernoulli trials.

Definition 4.8.1. A sequence of n bits contains as many runs of ones with a length ofras there are non-overlapping uninterrupted blocks containing exactlyrbits [Feh68]. Each run length is counted from the beginning of the sequence.

An example runs count using this definition is seen in the following sample sequence

1,1,1,1,0,1,1,1,1,1,1,0. (4.16) This sequence has ten runs of length one,five runs of length two, three runs of length three, two runs of length four, one run of lengthfive, and one run of length six or more. Using Defini-tion 4.8.1, a test statistic for analyzing the randomness of the sequences is

X_obs=√μμ·N_r(obs)−n

σ^{√n (4.17)}

withN_r being the number of runs of lengthrin a sequence ofnnumber of bits. The statistic for Fehler’s definition follows a normal distribution asn→∞.

The runs test used in this thesis comes from the [APS96]. This runs test has been used in the thesis (see Section 5.1.3) due to its ease of implementation in hardware and software. The definition of a run in [APS96] is similar to Definition 4.8.1. However, the number of runs is only counted once during the sequence. Also, the number of runs of zeroGapand oneBlkare used in the calculation of the test statistic. For example, from sequence 4.16 the number of runs of one are: one run of length four and one run of length six, while for the runs of zero there are two runs of length one. This statistical test examines the difference between the expected run lengths e_r= ⁽ⁿ⁻₂r^r+⁺2³⁾ with 1≤r<kand the sampled run lengths,Blk_r andGap_r:

X_obs=

∑

^k

r=1

(Blk_r−e_r)² er +

∑

^k

r=1

(Gap_r−e_r)²

er (4.18)

which approximately follows aχ²distribution with 2k−2 degrees of freedom.

The turning point test is another type of runs test, found in [Gop93]. This test counts the number of turning points (peaks and troughs) in a sequence. To calculate the test statistic the number of samples tested needs to be large. The large sample allows for the assumption of a normal distribution with a mean of μ = ²₃(n−2), and a variance of σ²= ^(16n−29)₉₀ . The test characteristic can be calculated as follows:

X_obs= x¯−μ

σ

(4.19)

The hardware and software implementation of the turning point test is presented in Sec-tion 5.1.7.

48 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

0 5 10 15 20 25 30 35 40 45 50

0 200 400 600 800 1000 1200 1400

Figure 4.3:Longest runs at 20000 bits sample probability distribution using 5000 samples.

Longest runs test

This test is included in the FIPS 140-2 testing group, where a maximum run length of 26 is given for 20000 bits. However, only this value and a significance level of 0.0001 are given without any other background information. This presents a problem when trying to determine the maximum lengths for sequences other than 20000 bits. To overcome this problem an experiment has been performed to determine the maximum run length distributions for different test sequence lengths.

This experiment was programmed in Matlab^TMwith a sample of 50000 sequences ranging in length from 25 to 100000 (the lengths used in the simulator from Chapter 6). After programming the experiment, the program was run and the probability distribution was calculated for each of the different sample lengths. The sample sequences required a random number source, in this case the pseudorandom generator provided by Matlab^TM (see Section 6.2.2 for a description of this generator). A sample size of 50000 sequences was used and the longest run from each sample was calculated. The probability for the longest run of a given sequence length was calculated and plotted, see Figure 4.3 for an example probability distribution at 20000 bits and 5000 samples.

Figure 4.3 shows a zoomed-in result for the probability distribution. Using this distribution it was possible to calculate the pointxwhere the probabilityP(X ≤x) =1−α^.

The experimental significance level was initially published asα=0.0001 by NIST; however, further study by FDK Corp. [Vit03] revealed that the actual significance level used was α = 0.000298. This new value was used as the limit in the experiment (see Table 4.4 for the maximum run lengths). The results from this table were used in the software and hardware implementation of the longest runs test presented in Section 4.8

There are a variety of ways to calculate the longest run, the method used in this thesis is to keep track of the longest run of either zero or one in the sequence. Another method published by the FDK Corp. [Vit03] looks at the probabilityPy(η) of a run longer thanη appearing in a bit

4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 49 Sequence Length P(x≥y)

25 14

50 15

75 16

100 17

250 19

500 19

1000 21

2500 21

5000 22

10000 23

15000 23

20000 25

30000 26

50000 26

100000 27

Table 4.4: Maximum run length for the given sample sequence length.

stream. This information can be used to calculate the probability of longest runM_nof lengthη appears innbits:

Mn(η) =Pn(η)−Pn(η+1).

Further information on this second method for calculating the longest runs can be found in [Vit03].

Autocorrelation

Visually, it is possible to detect regular waveforms as non-random. How can this property be automated for randomness testing in applications? One method is to compare the signal with a shifted copy of itself, which is the autocorrelation function. A random sequence has the property that a sample random sequence has very little correlation with any copy of itself.

The autocorrelation test, as described in [APS96], checks for the correlation between the current sequence and a shifted version. A sample sequence is XORed with ad delayed version.

With a large sample,n, andn−d≥10, the test statistic is assumed to follow a normal distribution.

The test characteristic is calculated using the following formulas:

A(d) =ⁿ⁻

∑

^d−1

i=0

s_i⊕s_i+d (4.20)

X_obs=2

A(√d)−ⁿ⁻₂^d n−d

(4.21)

50 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

Pattern Matching Tests

A non-overlapping test using pattern matching is thepoker test, also called thek-tuple test. There are many variations of this test with the two best known published in [APS96] and [Knu97]. More focus is placed on the poker test from [APS96], since it is ideally suited for binary data.

The poker test is modeled on theχ²distribution. In general, the poker test takeskindependent observations and sorts them intog categories. The probability of a particular category being observed is indicated by p_swithx_sbeing the actual number of observations for each categorys.

This allows the building of the statistic from theχ^2formula:

X_obs=

∑

g s=1

(x_s−kp_s)²

kps . (4.22)

This is the general form of theχ²statistic; however, this thesis uses a modified form for binary data.

The number of categoriesg for a binary sequence is selected to match a subsequence of bit lengthm, this givesg=2^mcategories. A sequence is subdivided intokindependent observations withk=_n

m

andn the number bits in the full sequence. For a random binary sequence, each category has an equal probability of appearingp_s= ₂¹m. Expanding(x_s−kp_s)²=x²_s−2kp_sx_s+ k²p²_s plus using the relation:

x₁+x₂+...+x_s=k p₁+p₂+...+p_s=1 this allows the Equation 4.22 to be rewritten:

X_obs= ²

m

s

∑

=1

x_s−₂^km2 2k^m

and then to

X_obs= 2^m k

2^m s=1

∑

x²_s−k.

There are 2^m space categories; therefore, the statistic X_obs follows a χ² distribution with υ =2^m−1 degrees of freedom. If the test subsequence m is reduced to 1 then the test is the frequency test [APS96].

The overlapping m-tuple test is another pattern counting test. However, in this case the counted patterns are overlapping and the pattern counted is selected by shifting the vector one bit with each new input. The particular test implemented and studied in this thesis is the 2-tuple test or theserial test.

In general, for a vectori₁,...,i_m, which has a length ofm, there are 2^mpossible binary values.

Letni₁,...,i_m be the count for each pattern (i₁,...,im). Since each count ni_x is dependent on the

4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 51 other countsni₁,...,i_m, the standard Pearson’sχ^2statistic

ψm² = 2^m n_m

2^m i=1

∑

n²_i1,...,im−n_m

is not appropriate as a random generator test. However, L’Ecuyer et al. [L’E02] and Rukhin [And00]

show that

ψ_m² = ψ_m²−ψ_m−1²

= 2^m

n_m

2^m

∑

j=1

n²_j1,...,jm−n_m

−

2^m−1 n_m−1

2^m−1 i

∑

=1

n²_i1,...,im−n_m−1

approximately follows a χ²-distribution with 2^m−1 degrees of freedom. For the specific serial test implemented in this thesis the vector length is set tom=2, which gives

ψ2²=ψ2²−ψ1²

with

n₂=n₀₀+n₀₁+n₁₀+n₁₁=n−1 and

n₁=n. Using these values theχ²test statistic can be found

X_obs=ψ₂²= 4 n−1

n²₀₀+n²₀₁+n²₁₀+n²₁₁

−2 n

n²₀+n²₁ +1

with 2 degrees of freedom. This form of the serial test can be found in [APS96] and is the version implemented in hardware in the next chapter.

Example 4.8.2. Random Number Generator Test Example

The eight tests described in the previous paragraphs are used here in an example for testing a random number generator. The input string is a binary sequence of 100 bits that is the result of the following sequence being concatenated four times together:

1010110010111100110100100.

1. Frequency test: n₀=48 andn₁=52.

2. Serial test:n₀=48,n₁=52,n₀₀=16,n₀₁ =32,n₁₀=31,n₁₁=20 gives aX_obs=7.54.

3. Longest Runs test: Longest run is 4.

52 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

4. Autocorrelation test:d=4,sum=61 andX_obs=2.65.

5. Poker test: m=4 with the following patterns

Pattern #o f Occurances

0000 0

0001 0

0010 3

0011 1

0100 2

0101 3

0110 2

0111 1

1000 0

1001 4

1010 2

1011 2

1100 2

1101 1

1110 1

1111 1

giving aX_obs=12.76.

6. Frequency Block test:m=4 (block length)

∑

n i=1

πi

m−1 2

2

=0.87 givingX_obs=14.

7. Turning Point test: μ=6.67,σ²=1.81 χ_obs² =

x¯−μ σ

=1.98.

8. Runs test: X_obs=34.25

Runs of 0 Runs of 1

Length Occurrence Length Occurrence

1 16 1 20

2 16 2 8

3 0 3 0

4 0 4 4

5 0 5 0

6+ 0 6+ 0

4.8. EMPIRICAL TEST EXAMPLES FOR BINARY SEQUENCES 53 The following table shows each of the test’s threshold value, the observedχ²value or test

result, and if the test has passed or failed the generator:

Test Observed Value Threshold Value Pass / Fail

X_obs<X_threshold Frequency n₁=52 n_{1_lower}=35 ,n_{1_upper}=64 Pass

Serial X_obs=7.54 X_threshold=9.21 Pass Longest Runs longest run = 4 max. run length = 17 Pass Autocorrelation X_obs=2.65 X_threshold=2.57 Fail

Runs X_obs=34.25 X_threshold =23.21 Fail

Poker X_obs=12.76 Xthreshold_lower=4.60 Pass Xthreshold_upper =32.80

Frequency Block X_obs=14 X_threshold =44.31 Pass Turning Point X_obs=1.98 X_threshold=2.58 Pass

The empirical tests presented here are only a small fraction of what is available in litera-ture. Three popular test suites that incorporate the tests presented here plus many more are:

NIST Statistical Test Suite [AJJ⁺], The Diehard Battery of Stringent Statistical Randomness Tests [Mar95], and the ENT: A Pseudorandom Number Sequence Test Program [Wal98]. Some of these tests are not practical for a smart card environment. Only the tests that are possible on a smart card have been studied further.

54 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

55

Chapter 5

Hardware Implementation

5.1 Hardware Design

The theory behind each of the selected tests has been extensively covered in the preceding chap-ters (see Chapter 4.8). For most designers a software implementation of each of the RNG tests is perfectly acceptable; however, for some applications this is not the case. For example, smart cards need to perform the tests while the processor is being initialized. Therefore, the test pack-age needs to run while the rest of the processor is also being initialized. The RNG and the testing unit has to be a self-sufficient unit. Since most of the published RNG test have been designed for a software implementation or if they do have a hardware implementation, their requirements far exceed what is possible on modern smart cards.

From Chapter 2.3.2 we see that the area requirements for the complete smart card circuit is approximately 25 mm². Most of the area is required for memory cells; therefore, area is a premium characteristic. Even though area is very important to smart card processor designers, they are more concerned with the power consumption of the design. With the advent of the wireless smart card, which supplies its voltage through induction, any card design requires a very low power consumption. Additional security modules must also have a low power consumption.

We have mentioned that area and power consumption are very important to the designer;

however, there is one last hardware characteristic that needs to be examined, the time delay of the circuit. This detail indicates how quickly the test is able to run. With the known sequence length and the time delay of the circuit, the processing time for the full test can be calculated.

The initialization phase in a smart card lasts two seconds, and during that time the RNG test unit must have the RNG produce a sequence of bits and also test the resulting sequence.

This chapter begins by presenting the hardware implementation for each of the RNG tests.

Using Synopsys^TM

and VHDL each of the tests has been simulated and synthesized. The results from the analysis of area, power consumption and time delay are presented.

56 CHAPTER 5. HARDWARE IMPLEMENTATION

Comparator

Counter Clk

Din Start Reset

Result Bits_Over

Figure 5.1:Test unit input and output.

5.1.1 Frequency Test

Thefirst test that has been implemented in hardware is the frequency test. The basic test unit (see Figure 5.1) has as input the test dataD_in, the clockClk, the reset signalReset, and a start signal Start. There are two output signals: theBits_oversignal tells the rest of the test unit when it has finished testing, and a pass or fail is waiting at the outputResult signal.

The internal diagram of the frequency test can be seen in Figure 5.2. The resulting test circuit is a four state device, which begins counting when the start signal goes high. There is an asynchronous reset built in the device should it need to be reset at any stage along the state diagram. The third state is achieved once the count reaches its limit, which is 20000 bits in this example. This number can be adjusted at the design stage tofit the required test length. In the third state, a test is performed to check if the count of ones is in range. If so, a ’1’ is outputted to indicate a pass, otherwise a ’0’ is outputted for a fail.

With a sufficient test length the frequency test models aχ²distribution withυ =1 degree of freedom. Using this information it is possible to precalculate the limits for a given bit length, in this examplen=20000. The limits calculation is as follows:

x=F⁻¹(p|υ) ={x:F(x|υ) =p} where

p=F(x|υ) = ^x

0

t^υ−22 ·e^−t2 2^υ2 ·Γ_υ

2

dt and

Γ(a) = ^∞

0 t^a−1·e^−t.

Using these formulas it is the characteristic limitX_lim for a probability of p=1−α =1− 0.0001 with one degree of freedom:

X_lim=F⁻¹(1−0.0001|1) =19.5114

5.1. HARDWARE DESIGN 57

States

1) WAIT_FOR_START 2) READ_BITS 3) OUTPUT 4) HALT 4

1

2

3

Reset = ’1’

Reset = ’1’

Reset = ’1’

Start = ’1’

Reset = ’1’

Count > 20000

Figure 5.2:State diagram for the Frequency test.

X_lim=(n₀−n₁)² n

∴9688<X_pass<10312

5.1.2 Frequency Block Test

The frequency block test is very similar to the frequency test, since it calculates for each given block the frequency test. The state diagram for the internal frequency test on each block is the same as the frequency test with only one large block for the full test sequence. The input and output signals for this test are also the same as the frequency test (see Figure 5.1).

The design difference between the frequency and the frequency block test is how it handles the frequency test results of the subsequences. Figure 5.3 shows theflowchart for the frequency block test, and Figure 5.4 shows the outputflowchart. A bit counter (Count) keeps track of the full test sequence length, and for this implementation as long as the sequence is less than or equal to 20000 the testing can continue. The next counter is for the subsequence (Blockcount). When the 100th bit is reached it can be tested, and its result is added to a running sum. After the full bit sequence is processed a total sum value is calculated and compared to a precalculated value.

If the sum is less than the value, the result signal is set to ’1’, and if it is over the value, it is set to ’0’.

The precalculated value depends on the significance level and the bit sequence length and can

58 CHAPTER 5. HARDWARE IMPLEMENTATION

Increment π_i Input = ’1’ ? Start

Calculate

Σ (π − 50 )i

200 2

i = 1

Sum =

Reset π

End

Nextstate

<=

Output Nextstate

<=

Read_Bits

Increment Count

? Blockcount = 99

? Count < 20000

No Yes

Yes

No

Yes No

Figure 5.3:Frequency block testflowchart.

Start

No Yes

Result = ’0’ Result = ’1’

Next State 9725 <

Rcount

< 10275

Figure 5.4:Frequency block test outputflowchart.

5.1. HARDWARE DESIGN 59 Algorithm 2X_limcalculation for the runs test.

X_lim=gaminv(1−α,υ)whereυ =2∗k−2 and k is the number of runs groups (6) X_lim=gaminv(1−0.0001,10)

X_lim=35.56

be calculated as follows:

X_lim= F⁻¹(p|a,b) = {x:F(x|a,b) =p} X_lim

2 = gaminv

1−α,^N₂ X_lim= 2·gaminv

1−0.0001,²⁰⁰₂ X_lim= 249.4

Therefore, the observed test statistic needs to be below 249.4 in order for the test to determine it as a pass.

5.1.3 Runs Test

The runs test is a more complex test than the previous two tests. Its state diagram is shown in Figure 5.5. The runs test module has the same inputs and outputs as the other two tests (see Figure 5.1). However, internally it has many more states. Depending on thefirst bit in the run, either theS₁−S₆ (D_in =1) or theS₁₂−S₇ (D_in =0) branch is followed. If the next bit is the same as the last bit, then the state branch is followed until either the input bit changes or it reaches statesS₆orS₇. If it reaches either of these points, the input length is treated as a run of six even if it is longer. Whenever a change in the input bit occurs the counter for that state is incremented (z₁...z₆)and(e₁...e₆). A main counter (Count) is used to count the testing sequence length.

Thebits_oversignal is set high at the end of the test and the test unit can read the results from theresultsignal. Using Algorithm 2 theχ_obs² value is calculated and compared to a precalculated range. If it falls within this range, the test outputs a “pass” else a “fail” is outputted.

5.1.4 Longest Runs Test

The longest runs test is a variation on the runs test, in which case the longest run in the sequence is found and the counted length is saved. A precalculated boundary value for the given test sequence length is compared to the samples longest run. Should the samples sequence have a run longer than the boundary value, the test outputs a fail, else it outputs a pass. The boundary values are given in Table 4.4 in Section 4.8.

60 CHAPTER 5. HARDWARE IMPLEMENTATION

Start

S6 S5 S4

’111’S3 S2

’11’

’1’

S1

S7 S8

’11111’

’1111’

’111111’

’000000’

’00000’

’0000’S9

’000’

S10 S11

’00’

S12

’0’

Output

Halt

Count = 20000

Din=1 Din=1 Din=1 Din=1 Din=1 Din=1 Din=1

Din=0

Din=0

Din=0 Din=0

Din=0 Din=0 Din=0 Din=0

Din=0

Din=1

Din=0

Reset = 1

Start = 0

Start = 1 Start = 1

S1 S12

Din=1

Din=1 Din=1

Din=1 Din=1

Din=0 Din=0

Figure 5.5:Runs test state diagram.

5.1. HARDWARE DESIGN 61

Halt Count < 20000 Cnt_reg +1 < 4

Readbits

Readbits set Start = ’1’

Wait for Start Start = ’0’

Reset = ’1’

Reset = ’0’

Output Count >= 20000

Count >= 20000

Figure 5.6:Poker and autocorrelation test state diagram.

The external structure of the longest runs test is the same as for the previous tests, see Fig-ure 5.1. Internally, the test is started when theStart signal is set high. Thefirst input bit is read and if the bit is ’1’ then the next state isS1, else it goes toS0. If the same bit repeats itself, the counter for that bit type is incremented. However, if the new input is not the same as the previous bit, the counter is cleared and reset for the new bit value. The counter continues until the input bit changes. If the maximum run length is passed, an indicator registerINDis set high. After the full sample is examined, the test enters the next state and theINDregister is checked. If theIND is high, a fail is set on the output otherwise it is set to a pass.

5.1.5 Poker Test

The poker test is another part of the FIPS 140-2 test suite. Of the four tests in the suite it has the most complex hardware implementation. The theoretical details are found in Chapter 5.1 on page 56. As with the previous tests detailed in this chapter, the input and output entity for the poker test is as shown in Figure 5.1. This allows for easy substitution of the tests.

The poker test’s state diagram is shown in Figure 5.6. After a reset the process begins in the Wait_f or_start state. Once theStartsignal goes high the test begins by entering theRead_bits state and reading the first bit. The input bit is read and stored in the MSB of theReg register.

The counter registerCnt_regis checked to see if all the bit positions have been filled with new

Im Dokument Improving Security for Elliptic Curve Implementations on Smart Cards: A Random Number Generator Test Unit (Seite 54-77)