Building and Testing a Modern TRNG/RBG: The RISC-V Entropy Source Interface (N32b)
The RISC-V Instruction Set Architecture (ISA) has emerged as a free and open challenger to proprietary ISAs in the semiconductor industry. An on-chip Entropy Source interface (for RBGs) is a part of its scalar cryptographic extension. With a separate Entropy Source Validation scope being introduced by CMVP, one of the lead authors (and prototype implementors) of this new open CPU cryptography standard describes how to obtain (and test) entropy on RISC-V processor chips and how to view it for FIPS 140-3 validation. The RISC-V True Random Number Generator (TRNG) architecture breaks with previous ISA TRNG practice by splitting the Entropy Source (ES) component away from cryptographic PRNGs into a separate interface, and in its use of polling. We describe the interface, its use in cryptography, and offer additional discussion, background, and rationale for various aspects of it. This design is informed by lessons learned from earlier mainstream ISAs, recently introduced SP 800-90B and FIPS 140-3 entropy audit requirements, AIS 31 and Common Criteria, current and emerging cryptographic needs such as post-quantum cryptography, and the goal of supporting a wide variety of RISC-V implementations and applications. Many of the architectural choices are a result of quantitative observations about random number generators in secure microcontrollers, the Linux kernel, and cryptographic libraries. We further compare the architecture to some contemporary random number generators.