DEVICE AND METHOD FOR TESTING A SEQUENCE GENERATED BY A

RANDOM NUMBER GENERATOR

TECHNICAL FIELD

The invention generally relates to a device and a method for testing a sequence generated by a Random Number Generator.

BACKGROUND

Random Number Generators are used to generate a set of random numbers (in the form of bit streams) for use in a number of systems. For example, a Random Number Generator can be used in a cryptographic system to generate random cryptographic keys which are used to transmit data securely.

Random number generators comprise Hardware Random Number Generators, also called True Random Number Generators (TNRG), which generate a set of numbers from a physical process, rather than a computer program (non-deterministic source), and Pseudorandom Number Generators which generate numbers from a deterministic source such as a deterministic algorithm.

TNRG can be based on microscopic phenomena that generate low-level, statistically random "noise" signals, such as thermal noise or a shot noise, the photoelectric effect, involving a beam splitter, and other quantum phenomena. A TNRG generally comprises a transducer which converts quantities or data derived from the physical phenomena into an electrical signal, an amplifier, additional components configured to increase the amplitude of the random fluctuations up to a measurable level, and an analog to digital converter configured to convert the output thus obtained into a digital number (for example a binary digit 0 or 1 ). The TRNG then repeatedly samples the randomly varying signal to obtain a series of random numbers.

The quality of random numbers generation is paramount for implementation of cryptographic systems (for example for key generation, authentication protocols,

padding, digital signature, encryption algorithms). In such applications, security closely depends on the quality of the generated random numbers.

Indeed, many attacks target weaknesses in the implementation of the cryptographic system. Such weaknesses can result from the quality of the generated random numbers and be exploited by attackers to try to break the system.

Several testing methods and systems exist for testing the quality (in particular the randomness) of generated random numbers, most of them being based on the statistical tests.

Such tests are applied to check whether a sequence of randomly acquired numbers has two main statistical properties:

- the generated values should be uniformly distributed and,

- the generated values should be independent from previously generated values.

In recognition of this, standardization entities like NIST and BSI has established a statistical test suite given a binary sequence of 20000 bits. The aim of this document is to provide a mathematical interpretation of the tests and to establish generalized mathematical formulas given a sequence of N bits, an error probability and other parameters.

There is currently a need to test the set of random number generated by the TNRG as it may affect the performance of the system using such random numbers such as the AIS31 , FIPS140-1 , NIST, and DIEHARD tests.

Standardization entities like NIST and BSI has established a statistical test suite given a binary sequence of a fixed number of bits (20000 bits).

In existing approaches, the statistical tests are thus applied each time the TRNG produces a sequence of 20000 bits, the test calculating different sums based on the sequence. Such sums are then compared to predefined and fixed threshold, and depending on the result of the comparison it is decided whether to accept or reject the sequence. The thresholds used to perform the comparison are predefined as a function of a fixed error probability.

Existing testing methods and devices introduce incontrollable latency. Further, they cannot be adapted to address a target error probability.

There is accordingly a need for improved method and devices for testing the sequence of bits generated by a Random Number Generator.

SUMMARY OF THE INVENTION

To address these and other problems, there is provided a device for testing a bit sequence generated by a Random Number Generator, the device being configured to apply one or more statistical tests to the bit sequence, in response the detection of N bits generated by the Random number generator, each statistical test providing at least one sum value derived from the bits of the sequence. The testing device may comprise:

- a comparator for comparing at least one test parameter related to each statistical test to one or more thresholds;

- a validation unit configured to determine if the bit sequence is valid depending on the comparison made by the comparator for each statistical test;

the at least one of the test parameter and the at least one threshold is determined from N and from a target error probability.

In some embodiments, the at least one or more statistical tests applied to the sequence may comprise a set of statistical tests providing at least one sum value derived from the bits of the sequence, which provides the at least one test parameter for each statistical test, the device further comprising:

- a threshold determination unit for determining, for each statistical test of the set of statistical test, a lower threshold and a higher threshold from N and from the target error probability in association with each sum value;

the comparator being configured to compare, for each statistical test, each sum value to the associated lower threshold and higher threshold.

In such embodiments, the comparator may be configured to output a validation bit for a statistical test, if each sum value is strictly superior to the associated lower threshold and strictly inferior to the higher threshold.

Further, the validation unit may be configured to reject the bit sequence if at least one sum value for a statistical test is inferior or equal to the associated lower threshold or superior or equal to the corresponding higher threshold.

In one embodiment, the statistical tests may comprise the AIS Monobit Test which provides a sum value T_{x} , the corresponding lower threshold L_{x} and the higher threshold H_{x} being equal to:

with a representing the target error probability.

In one embodiment, the statistical tests may comprise the AIS Poker Test, the testing device determining a sum value T_{2}. The corresponding lower threshold L_{2} and the higher threshold H_{2} are equal to:

with M representing the length of the contiguous blocks in the bit sequence and a representing the error probability.

In an embodiment, the statistical tests may comprise the AIS runs Test, the testing device determining a sum value T_{3(N k)} for each run of length k, for the runs test, the lower threshold L_{3 k} and the higher threshold H_{3 k} for each run of length k being equal to:

with a representing the target error probability and

In some embodiments, the at least one or more statistical tests applied to the sequence comprise an additional set of statistical tests, the testing device determining, for each statistical test, a test parameter determined from N and from the error probability.

In particular, the statistical tests may comprise the AIS Longest Run Test, the test parameter being a run length k , the length k being determined according to the following equation:

where a designates the long run probability. The comparator may then compare the test parameter k to the run of maximal length.

In one embodiment, the bit sequence length N may be changed between one or more clock cycles.

A new value for the error probability and the number N may be received at different times or simultaneously.

There is further provided a system implemented on at least one integrated circuits, the system comprising a device using a random bit sequence generated by a random number generator, wherein the device further comprises a testing device according to any of the preceding embodiments, for testing each random bit sequence generated by the random number generator before using it.

There is further provided a method for testing a bit sequence generated by a Random Number Generator, wherein the method comprises applying one or more statistical tests to the bit sequence, in response the detection of N bits generated by the Random number generator, each statistical test providing at least one test parameter from the bits of the sequence, the testing method comprising comparing at least one test parameter related to each statistical test to one or more thresholds; determining if the bit sequence is valid depending on the comparison performed for each statistical test in the comparing step. At least one of the test parameter and the at least one threshold is determined from N and from a target error probability.

The invention accordingly enables control of the latency/debit of Random Number Generator implemented in a given system.

Embodiments of the invention thus provide a flexible and fully latency-controllable RNG throughout all stages of operation.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate various embodiments of the invention and, together with the general description of the invention given above, and the detailed description of the embodiments given below, serve to explain the embodiments of the invention:

- Figure 1 depicts a device for testing a random number sequence generated by a Random Number Generator, according to some embodiments.

- Figure 2 illustrating the probability of a run used in a Longest Test, according to some embodiments.

- Figure 3 is a flowchart depicting a method of testing a random number sequence generated by a Random Number Generator, according to some embodiments.

Additionally, the detailed description is supplemented with Exhibit E1. This Exhibit is placed apart for the purpose of clarifying the detailed description, and of enabling easier reference. It nevertheless forms an integral part of the description of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention provide a device and a method for testing the sequence of random numbers generated by a Hardware Random Number Generator such as a TRNG (True Random Number Generator). In the following description, the Random Number Generator will be also referred to as a RNG.

Referring to figure 1 there is shown an exemplary operational environment 100 of the testing device 10 comprising a cryptosystem 12 using sequences of random numbers generated by a Hardware Random Number Generator 1 1 for generating keys, performing authentication, generating signatures, and/or performing encryption, etc.

The testing device 10 is configured to test the quality of the random number sequences generated by the Random Number Generator 1 1 a set of statistical tests 103 comprising one or more statistical tests T-i, T_{2},...,Tp, with P being at least equal to one.

It should be noted that the invention is not limited to the use of the testing device 10 in a cryptosystem 12 but may be used generally in any system or device using a sequence of random numbers generated by a Hardware RNG 11. The system 100 and/or the system 12 can be implemented on one or more integrated circuits.

The following description of some embodiments will be made with reference to a cryptosystem 12 for illustration purpose only.

The statistical test TestJ may be configured to test the statistical properties that are required by the cryptosystem, including backward and forward unpredictability property of the Random Number Generator 1 1.

Exemplary statistical tests Tj include for example AIS, tests testing entropy increase per generated number, etc.

More specifically, the testing device 10 may be configured to receive, during operation of the system 100, a desired error probability a and a frequency number N defining a number of bits of a sequence generated by the RNG 11. N may be inferior to the maximal number of bits M that the RNG 1 1 can generate. In particular, N can be adjusted during the operation of the system depending on a number of criteria. Accordingly, N may be changed between one or more clock cycles. Advantageously, the value N may be different from a predefined fixed value and may accordingly take a value different from the value N’=20000 conventionally used to activate the statistical tests. A new value for the error probability a and the frequency number N may be received at different times or simultaneously.

As used herein, the desired error probability (also referred to herein as the “significance level” or“target error probability”) refers to the probability of error of the test made on a sequence generated by the RNG 1 1 , that is the probability that the test made by the testing device on a given sequence generated by the RNG 1 1 , using the set of statistical tests 103, returns an erroneous result. The desired error probability a is thus defined as the probability of the test rejecting a sequence generated by the RNG 1 1 , given that it was truly random.

The RNG 1 1 may be activated to generate a sequence of random numbers comprising a number of bits from an entropy source, using the current value of the desired error probability t and the frequency number N for use by the cryptosystem 12 (for example for key generation).

The testing device 10 may be configured to test a bit sequence generated by a Random Number Generator 1 1 , by applying one or more statistical tests 103 to the bit sequence, in response the detection of N bits generated by the Random number generator. Advantageously the number N and the target probability may be varied depending on the application of the invention (N may be defined as small as possible if fast processing time is needed or increased if the test is required to limit false positive as much as possible).

Each statistical test 103 provides at least one test parameter derived from the bits of said sequence.

The testing device may comprise a comparator 102 configured to compare the test parameter(s) related to each statistical test to one or more thresholds and a Random Number sequence validation unit 105 configured to determine if the N-bit sequence is valid depending on the comparison made by the comparator 102 for the statistical tests.

The Random Number sequence validation unit 105 may be configured to reject or validate the N-Bit Random Number Sequence using the results of the statistical tests 103 applied to the sequence. In such embodiment, the comparator 102 may return the resulting values O_{j} to the Random Number sequence validation unit 105.

In one embodiment, the Random Number sequence validation unit 105 may be configured to validate the N-Bit Random Number Sequence only if, for all the P statistical tests, condition (1 ) applied to each sum value obtained by the execution of the statistical test is satisfied for the considered N-bit sequence (i.e. O_{j} = O_{l2} for j= 1 to K).

Each statistical test 103 may be a statistical test for testing randomness in the N-bits binary sequence generated by the RNG 1 1.

Advantageously, at least one of the test parameter and the threshold(s) is determined from N and from a target error probability.

The testing device 10 thus executes a set of P statistical tests (P being at least equal to 1 ), in response to the generation of a N-bit random number sequence (that is in response to the detection of a number of bit equal to N in the random number sequence), as the random bit are received from the Random Number Generator 1 1. The set of P statistical tests may be stored in a storage unit 103.

In some embodiments, the set of statistical tests 103 comprise a set of statistical tests, which each are used to determine one or more sum values (several values if the test comprises several runs) derived from the N bits of the random number sequence and the error probability a.

The testing device 10 may further comprise a threshold determination unit 101 configured to determine at least one threshold pair comprising a lower threshold L_{j} and a higher threshold Hj, for each test TestJ, the lower threshold L_{j} and the higher threshold H_{j} depending on the parameter N and on a significant level parameter a.

The testing device 10 may be configured to check, for each statistical test TestJ, whether each value (sum result) returned by the considered statistical test TestJ, meets a condition related to a corresponding threshold pair (lower threshold L_{j} and higher threshold Hj) thus determined.

In such embodiments, the comparator 105 may be configured to compare each sum result returned by a statistical test TestJ with the lower threshold L_{j} and to the higher threshold H_{j} of the associated pair.

In one embodiment, the comparator 105 of the testing device may be configured to determine whether each value Tj (sum result) returned by a statistical test TestJ is strictly higher than the lower threshold Lj and strictly inferior to the higher threshold Hj of the associated threshold pair. The condition that is checked for the value Tj based on the corresponding threshold pair (lower threshold L_{j} and higher threshold H,) may be expressed as:

It should be noted that in some embodiments, a plurality of sum values may be determined for each statistical test (for example if the test comprises several runs), and for each value a corresponding threshold pair is determined, condition (1 ) being tested for each sum value and each corresponding threshold pair.

The comparator 105 may return a resulting value Oj for each test TestJ applied to the N-Bit sequence, set to the first value Oj_{,i} if the test condition of Equation (1 ) is not satisfied or a second value Oj_{,2} if the test condition of Equation (1 ) is satisfied.

To facilitate understanding of some embodiments of the invention, the following definitions are provided:

As used herein, a‘Null hypothesis H_{0}’ refers the statement that a provided sequence is truly random.

A‘test statistic S’ refers to a numerical summary that reduces the observed data to one value.

A‘p-value’ refers to the probability that, when H_{0} is true, the statistical test would be the same as or of greater magnitude than the actual observed results.

A‘significance level’ a (also referred to herein as the“error probability”) refers to the probability of rejecting H_{0}, given that it were true.

Given such definitions, a statistical test is conducted as follows:

- If p-value > a then H_{0} is accepted;

- If p-value < a then H_{0} is rejected.

The p-value may be computed given the statistical model of the test statistic s.

Such model may apply to all statistical tests used to link empirical data of a real-world RNG to a stochastic model.

The set of statistical test 103 may comprise for example one or more tests of the AIS31 Tests Suite which comprises:

- A Monobit Test;

- A Poker Test;

- A Runs Test;

- A Longest Run Test.

The following description of some embodiments will be made with reference to one or more tests of the AIS31 suite for illustration purpose only.

In the following description a random number sequence comprising bits bi and having a length N is considered.

In one embodiment, the set of statistical test 103 may comprise the Monobit Test. The Monobit Test is configured to determine the proportion of the number of ones and zeros in a given bit sequence. For a random sequence, it is expected that the average number of ones (and consequently zeros) in the sequence is ^.

According to one embodiment, the AIS31 Monobit test examines a sequence of N bits by calculating the sum T_{±} as follows:

According to one embodiment of the invention, a set of statistical parameters {H_{0}, S_{N}, a } may be defined to run the monobit test:

- H_{0}: The hypothesis is made that the generated bit sequence is random;

A parameter S_{N} is defined such that:

The error probability a is set to :

the observation to be tested:

Considering (observation to be tested), the reference distribution of such

observation is half normal for a large value of iV. As used herein, a half normal distribution refers to a normal distribution with mean 0 (zero). A definition of a normal distribution is provided in Exhibit E1.1. If the sequence is random, then the plus and minus ones will tend to cancel each other out so that the test statistic is about 0.

The p-value (probability that, when H_{0} is true, the statistical test would be the same as or of greater magnitude than the actual observed results) is the given by:

In Equation represents the complementary Gauss error function:

For a random variable X that is half-normally distributed, er is the probability of

X falling out of the range

According to the testing method, H_{0} is accepted if:

According to Equations (4) and (5), equation (7) can be rewritten:

Equation (10) can be then rewritten as:

By dividing equation (12) by two, the following inequality is obtained:

Given N, the length of the sequence:

Accordingly, the condition of Equation (1 ) for the Monobit Test can be rewritten as:

With:

and

The testing device 10 may be then configured to execute the Monobit test on the random number sequence of N bits generated by the RNG 1 1 and test if the resulting sum Ti is comprised between the lower threshold L_{x} and the higher H_{1;} which both depend on N and on the error probability a.

The comparator 105 will return a resulting value Oi for the Monobit test applied to the N-Bit sequence set to the first value Oi_{,i} if the test condition of Equation (1 ) is not satisfied or a second value Oi_{,2} if the test condition of Equation (1 ) is satisfied.

It should be noted that for N = 20000 and a = 9.6 x 10^{-7}, the condition (1 ) for the Monobit test is:

In contrast, in a conventional approach, the AIS31 Monobit test examines a sequence of 20000 bits by calculating the sum

and considering a fixed lower threshold and a fixed higher threshold (such thresholds being defined statically independently of the selected value N and of the error probability a ).

Conventionally, the test fails if 7\ falls outside the range defined by the fixed thresholds.

In some embodiments, the set of statistical test 103 may comprise the Poker Test.

In one embodiment, to estimate the condition (1 ) for the Poker Test, the following statistical parameters used to run the Poker test are defined:

- H_{0 \} The hypothesis is made that the generated bit sequence is random;

- The test statistic defined as:

In Equation (17), N represents the length of the sequence, M represents the length of the contiguous blocks and /(/) denotes the numbers of occurrences of each of the possible M bit values. Given a real number x, [xj denotes the integer part of x.

Further, for the Poker Test, the error probability a is defined as

The Poker test consists in determining the proportion of ones within each M bit block.

The frequency of ones in every M bit block should be as would be expected for a

random sequence. The numbers of occurrences /(/) are normally distributed, so

follows a“chi square” (c^{2}) distribution of

degrees of freedom. A definition of a chi square distribution is provided in Exhibit E1.2.

To determine whether there is a significant difference between the expected frequencies and the observed frequencies, the observation to be tested

can be limited within two critical values of degrees of freedom,

given an error probability or. In AIS31 , the error probability may be chosen equal to 30% x a and to 70% x a. Accordingly, the inferior boundary is and

the superior boundary is which leads to the general formula

of T given N and M:

The“chi square” c^{2} distribution has only one parameter which determines its degree of freedom. This means that the boundaries are the same whatever N is, unless M changes.

Accordingly, the condition of Equation (1 ) for the Monobit Test can be rewritten as:

With the lower threshold L_{2} and the higher threshold H_{2} being given defined as follow:

As shown by Equation (19) and (20), the lower threshold L_{2} and the higher threshold H_{2} also depend on N and on the error probability a. In the case of the Poker test, the lower threshold L_{2} and the higher threshold H_{2} further depend on M (M represents the length of the contiguous blocks).

The testing device 10 may be accordingly configured to execute the Poker test on the random number sequence of N bits generated by the RNG 1 1 and test if the resulting sum T_{2} is comprised between the lower threshold L_{2} and the higher H_{2}, which both depend on N and on the error probability a.

The comparator 105 will return a resulting value O1 for the Poker test applied to the N-Bit sequence set to the first value Oi_{,i} if the test condition of Equation (1 ) is not satisfied or a second value 0-i_{,2} if the test condition of Equation (1 ) is satisfied.

For example, according to the testing device and method applied to the Poker test, for M = 4 and

And:

In contrast, in a conventional approach, the Poker test:

- starts by dividing the sequence of N=20000 bits into a fixed number of 5000 contiguous 4 bit segments, then counts and store the number of occurrences of each of the possible 4 bit values.

- Compute the T_{2} sum:

- Check if the sum T_{2} is strictly comprised between a fixed lower threshold and a fixed higher threshold, both defined statically independently of the selected value N and of the target error probability a.

Conventionally, the test fails if T_{2} falls outside the range defined by the fixed thresholds.

In some embodiments, the set of statistical test 103 may comprise the Runs Test.

The purpose of the Runs test is to determine whether ones and zeros are not changing too fast (0101010101) or too slow (0000011111).

A run is defined as a maximal sequence of consecutive bits of either all ones or all zeros.

The incidences of runs (for both consecutive zeros and consecutive ones) of all lengths (> 1 ) in the sample stream can be counted and stored. The Runs test is passed if the number of runs that occur (of lengths 1 through 6) is each within the corresponding interval specified below. This holds for both the zeros and ones; that is, all 12 counts must lie in the specified interval. For the purpose of this test, runs of greater than 6 are considered to be of length 6.

denotes a run of length k of either the bit 0 or 1 , occurring in a sequence of

length N.

To estimate the condition according to formula (1 ) for the runs Test, the following statistical parameters used to apply the Runs test are defined:

- H_{0} : The hypothesis is made that the generated bit sequence is random;

- S which designates the number of runs of length k denoted ) where n the sequence length; and

- A error probability

where 1.33; 0.85; 0.40; 0.10).

Assuming that the sequence bits are identically distributed, the test statistic for the Runs Test is considered normally distributed. The mean of such

distribution is because the probability of each run of zeros or ones is the

same. Accordingly, in there are /e -runs of zeros or ones and each bit has a

probability of - to occur. The mean value expected is thus The sum of all

the fc-runs if the experience is done an infinite number of times is

Considering the observation the p-value is:

The quantity of Equation (22) may be then compared to the error probability a. The Runs test passes if:

Condition (23) can be rewritten, according to Equation (22):

Equation (23) can be further formulated as follows:

Accordingly, the condition of Equation (1 ) for the Run Test for each run k can be rewritten as:

With the lower threshold L_{3 k} and the higher threshold H_{3 k} being given defined as follows:

As shown by Equation (28) and (29), the lower threshold L_{3 k} and the higher threshold H_{3 k} also depend on N and on the error probability a (as m_{N}^ =

The testing device 10 may be accordingly configured to execute the Runs test on the random number sequence of N bits generated by the RNG 1 1 and test if the resulting sum for each run of length k is comprised between the lower threshold L_{3 k} and the higher H_{3 k}, which both depend on N and on the error probability a. The comparator 105 will return a resulting value Oi for the Runs test applied to the N-Bit sequence set to the first value Oi_{,i} if the test condition of Equation (1 ) is not satisfied for at least one run of length k or a second value Oi_{,2} if the test condition of Equation (1 ) is satisfied for each of the considered runs of length k.

For example, for N = 20000 , k e [1, 2, 3, 4, 5, 6] and a = K x 10^{-6} where k e {3.25; 1.33; 0.85; 0.40; 0.10), the following results indicated in Table 1 are obtained:

Table 1

In contrast, in a conventional approach, a run is defined as a maximal sequence of consecutive bits of either all ones or all zeros, which is part of the 20,000 bit sample stream, the interval being given by the following Table 2:

Table 2

In some embodiments, the statistical tests 103 may include one or more additional statistical tests providing a sum value 7), but instead of testing the sum value 7), the testing device 10 may be configured to test the N-bit sequence by comparing a test parameter determined from the frequency number N and from the error probability a to a threshold.

For example, the set of statistical test 103 may comprise the Longest Run Test.

In a conventional approach, on a sample of 20000 bits, the Longest Run Test is passed if there are NO long runs.

According to an embodiment of the invention, a longest run test may be used to test a bit sequence by determining the length k of a run corresponding to the target error probability a which correspond in the case of the longest run test to the long run probability P_{N}(k ), and then comparing the value k to a threshold. The test is passed if the integer part of the determined value of k is inferior to the run of longest length Long_run_max ([k\ < Long_run_max). Otherwise the test fails.

More specifically, the index k may be determined based on a long run probability P_{N}(k), representing the probability of a run (zeros or ones) of length longer than or equal to k, appearing in a sequence of N bits is considered.

P_{N}(k) may be expressed by the addition of two mutually exclusive event probabilities. One of the event probability represents the probability that the run longer than k appears in N - 1 bits and the other event probability represents the probability that no run longer than k appears in N - 1 bits but appears in right most k bits of N, as depicted in figure 2. This means that:

Equations (30) and (31 ) lead to the general expression given k and N:

This correspond to an arithmetic-geometric progression of the type:

Hence :

In Equation

Equation (35) can be thus rewritten as:

In Equation can be accordingly found as follows:

As equation 36.4 may be rewritten as a function of N and a\

For example, for N = 2000 and

The table below provides examples of test parameters calculated for the Monobit Test (T1 ), the Poker Test (T2), the Runs Test, and the Longest run Test, according to the preceding equations which provides the lower/higher thresholds Li and Hi as a function of N and a (for T1 , T2, T3) or the longest run parameter k as a function of a for N e {5000, 10000, 20000, 40000} , the value N=20000 being the fixed value conventionally used for testing a bit sequence generated by the RNG 1 1 (as defined by the standard NIST FIPS 140-2 and BSI AIS 31 ). In the exemplary table below, a given value of a is chosen for illustrative purpose, although a can be varied:

Table 3

Figure 3 is a flowchart of the method of testing a random bit sequence generated by a RNG 1 1 , using a set of tests providing a sum test Ti (such as T1 , T2 and T3) for which the condition (1 ) is checked, the condition being defined by a lower and higher thresholds Li and Hi, which both depend on N and a , according to some embodiments.

In step 300, the error probability and the bit sequence length N are received.

In step 302, generation of a random number sequence by the RNG 1 1 is detected.

In step 304, it is detected if N Bits have been generated by the RNG 1 1.

If so, each of the P statistical tests 103 are applied to the k-bit random number sequence received from the RNG 1 1 in step 306. Otherwise, the process returns to step 302. The execution of each statistical test provides at least one sum Ti. In the case of a runs test, each considered run k provides a sum T_{i k}.

In step 310, for each statistical test sum T_{t} (or T_{i k} for each run k of the runs test) obtained for a statistical test (block 308), a lower threshold L_{t} (or L_{i k} for each run k of the runs test) and a higher threshold H_{t} (or H_{i k} for each run k of the runs test) are determined in association with the statistical test sum, the lower threshold and the higher threshold depending on N and on the error probability a.

In step 312, condition (1 ) is tested for each statistic test sum T_{t} (or T_{i k} for each run k of the runs test) provided by each statistical test, using the associated lower threshold L_{t} (or L_{i k}) and the associated higher threshold

In step 314, if at least one statistical test does not satisfy condition 1 (block 312), the random bit sequence may be rejected. Otherwise, steps 310 and 312 are repeated for the other statistical tests, in not all statistical test have been processed (step 313). In step 316, the random bit sequence is validated and the N-random bits may be delivered to the target system 12 if all the statistical test sums meet condition 1.

Exhibit E1.3 provides a testing method for testing a bit sequence generated by a RNG, as random bits arrive, in pseudo-code format, according to one embodiment, using the statistical tests:

-Monbit Test (T1 );

-Poker Test (T2);

-Runs Test (T3);

- Longest Run test (T4).

The testing method of Exhibit E.1.3 has an optimized latency and is particularly adapted to testing a N-bit sequence in a testing device 10 embedded in a chip.

Embodiments of the invention accordingly enable a dynamic selection of the number N of raw bits to test given the targeted debit/latency. They also provide a dynamic error probability t given the targeted application and fully controllable latency throughout all stages (in contrast to the prior art which, by waiting for a fixed number of raw bits, generate uncontrollable latency).

The embodiments of the invention apply to both embedded statistical tests (the tests are performed within the chip of the system or device using the random number sequence) and online statistical tests.

In some application requiring fast processing, the value of N can be chosen to be smaller than 20000 so that the overall time needed to text a bit sequence. In contrast, for applications requiring that the generated random number be evaluated more strictly, in order to reduce the number of false positive detections, the sequence size N can be increased.

The embodiments of the invention thus enable a flexible adjustment of N in accordance with the needs of the application.

The testing device according to the embodiments of the invention may be used in various applications such as:

- simulation applications which simulate and model complex phenomena (e.g. in Monte Carlo integration used in finance and in engineering fields);

- in random sampling applications which select random samples from larger data sets;

- in cryptographic applications such as authentication, signing, encryption, digital signature generation, encryption key generation systems, or internet encryption protocols applications;

- in chip manufacturing and seeding of device-specific keys, e.g. for Near Field

Communication or device IDs;

- In machine learning and statistical learning applications (true random number generators may be used to obtain samples from random distributions).

Exemplary target systems 12 include cryptographic systems that implement cryptographic functions based on one or more cryptographic keys to ensure data and/or signals security, authentication, protection, and privacy such as:

- smart cards, devices that store keys such as wallets, smart cards readers such as Automated Teller Machines (ATM) used for example in financial applications;

- digital electronic devices such as RFID tags;

- embedded secure elements;

- computers (e.g. desktop computers and laptops), tablets;

- routers, switches, printers;

- mobile phones such as smart-phones, base stations, relay stations, satellites;

- Internet of Thing (loT) devices, robots, drones; and

- recorders, multimedia players, mobile storage devices (e.g. memory cards and hard discs) where logon access monitored by cryptographic mechanisms, etc.

In certain alternative embodiments, the functions, acts, and/or operations specified in the flow charts, sequence diagrams, and/or block diagrams may be re-ordered, processed serially, and/or processed concurrently consistent with embodiments of the invention. Moreover, any of the flow charts, sequence diagrams, and/or block diagrams may include more or fewer blocks than those illustrated consistent with embodiments of the invention.

In particular, it should be noted that the statistical tests 103 may be tested in any order, sequentially or in parallel.

While all of the invention has been illustrated by a description of various embodiments and while these embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. The invention in its broader aspects is therefore not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. In particular, it should be noted that the invention is not limited to statistical test of the AIS31 test set and may use other types of statistical tests used to test sequences generated by a RNG 1 1 , such as for example:

- other tests from the AIS31 set including for instance the auto-correlation test (test 5), the uniform distribution test (test 6), the homogeneity test or the comparative test for multinomial distributions (test 8), the entropy estimation test (test 8).

- tests from the NIST test suite, according for example to the NIST SP800-22 test suite, such as for example the Serial test, the Frequency (Monobit) test, etc.

Exhibit E1

Definitions

E1.1. Normal Distribution

A (continuous) random variable X has a normal distribution with mean m and variance its probability density function is:

The density function of a continuous random variable X satisfies:

E1.2 The“Chi square” c^{2} Distribution

The x^{2} distribution may be used to compare the goodness-of-fit of the observed frequencies of events to their expected frequencies under the hypothesized distribution. The c^{2} distribution with k degrees of freedom arises when the squares of k independent random variables having standard normal distributions are summed.

Let k ³ 1 be an integer. A continuous random variable X has a c^{2} distribution of k degrees of freedom if its density function is:

where G(c) is the gamma function defined for t > 0 as:

E.1.3: Testing Method