7.6.5.11.1 Introduction
The deterministic random number generator is constructed with two deterministic random bit generators (DRBG), as shown in the following figure.
DRBG 1 uses the entropy from the PUF SRAM. This is done once per power cycle. During initialization (after every power cycle and after every reset), DRBG 2 uses entropy from DRBG 1.
During Reseed operation, DRBG 2 also uses entropy from DRBG 1 and in addition can accept entropy from external random entropy sources (1024 bits per source) via PUF_DIR. The Reseed operation can be started at any time that DRBG operations can be performed.
As defined by the NIST SP 800-90 recommendations, the maximum number of random requests between reseeds is 248. This is tracked internally with an internal reseed counter. Each DRBG has its own counter. For normal operations, DRBG 2 is used to generate random. DRBG 1 is only used during initialization.
The reseed counters track the number of executed internal (DRBG) Generate operations. Requests for random by means of the Generate Random operation can require multiple internal Generate operations.
Therefore, the reseed counter may be increased multiple times for each Generate Random operation.
Additionally, internal processes might also consume random data (e.g. to mask sensitive data or clear buffers) and thus increase the reseed counter.
The PUF controller guarantees that a started operation can always be completed without reaching the reseed counter limit. To this end, at least 256 ticks must be available on the reseed counter for any normal operation to be allowed.
If less than 256 ticks are available, i.e. the counter value is larger than 248 - 257, then the flag PUF_ISR.RESEEDR=1. Only the Reseed and Zeroize operations can be performed once the counter reaches this limit and, depending on the PUF controller state, also BIST operations. Alternatively, the PUF controller or the entire device can also be reset or power-cycled to trigger a reinitialization.
Because BIST, reset and power-cycling transition the PUF controller to the Uninitialized state, DRBG 2 is reinitialized with a different value (using entropy from DRBG 1) and no reseed is required anymore. However, if external random entropy (PUF_DIR) is desired, a Reseed operation can be started after initialization has finished.
To make sure that no reseed will be required at an inconvenient moment, the PUF controller provides a warning when the internal reseed counter approaches the maximum value by 232 or less. This is indicated with 1 on the PUF_ISR.RESEEDW flag. Although about 4 * 109 random requests can still be made, the Reseed command must be activated at the first convenient moment.
Parameter | Value | Equivalent in Years at 1 Random Request per Second |
---|---|---|
Absolute maximum number of internal random requests | 248 - 2 | 8.9 * 106 |
Maximum value of reseed counter to begin an operation | 248 - 257 | 8.9 * 106 |
Warning level for number of random requests | 248 - 232 | 8.9 * 106 - 136 |
The limit to the number of requests for DRBG 1 is also 248 - 257. In the unlikely event that its reseed counter reaches this value, the PUF controller enters the Locked state. This is persistent over resets. Only the Zeroize operation can be performed, or the PUF controller or the device can be power-cycled.