{"title":"Software only, extremely compact, Keccak-based secure PRNG on ARM Cortex-M","authors":"A. V. Herrewege, I. Verbauwhede","doi":"10.1145/2593069.2593218","DOIUrl":null,"url":null,"abstract":"The ability to generate secure random numbers is fundamental to the security of cryptographic protocols. Random Number Generators (RNGs) have started to appear in recent Intel CPUs used in desktops and servers. Solutions for embedded devices, such as sensor nodes and wireless routers, are still severely lacking, however. In this paper we present the implementation of a secure pseudo-random number generator (PRNG) for the ARM Cortex-M microcontroller family, one of the most popular embedded platforms at this moment. For compactness and compatibility reasons, our implementation is software only. It uses the start-up values of on-chip SRAM as the random seed and uses the KECCAK hash function for both entropy extraction and pseudo-random number generation. Making KECCAK very compact in terms of memory requirements is therefore essential. KECCAK is a tunable algorithm: in this paper we discuss the minimum security requirements and the storage costs as a function of the KECCAK variant. The KECCAK permutation of our choice, KECCAK-f[200], is implemented in only 400 bytes. To the best of our knowledge, this is the smallest KECCAK implementation published so far. With the addition of initialization, hashing, padding and output generation functions, our complete solution fits within 496 bytes of ROM and requires 52 bytes of RAM. One byte of pseudo-random data, with a security level of at least 128 bits, can be generated in 3337 cycles on an ARM Cortex-M3/4, i.e. 50 KiB/s on a development board, plenty fast for a cryptographic PRNG in an embedded setting.","PeriodicalId":433816,"journal":{"name":"2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2593069.2593218","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 12
Abstract
The ability to generate secure random numbers is fundamental to the security of cryptographic protocols. Random Number Generators (RNGs) have started to appear in recent Intel CPUs used in desktops and servers. Solutions for embedded devices, such as sensor nodes and wireless routers, are still severely lacking, however. In this paper we present the implementation of a secure pseudo-random number generator (PRNG) for the ARM Cortex-M microcontroller family, one of the most popular embedded platforms at this moment. For compactness and compatibility reasons, our implementation is software only. It uses the start-up values of on-chip SRAM as the random seed and uses the KECCAK hash function for both entropy extraction and pseudo-random number generation. Making KECCAK very compact in terms of memory requirements is therefore essential. KECCAK is a tunable algorithm: in this paper we discuss the minimum security requirements and the storage costs as a function of the KECCAK variant. The KECCAK permutation of our choice, KECCAK-f[200], is implemented in only 400 bytes. To the best of our knowledge, this is the smallest KECCAK implementation published so far. With the addition of initialization, hashing, padding and output generation functions, our complete solution fits within 496 bytes of ROM and requires 52 bytes of RAM. One byte of pseudo-random data, with a security level of at least 128 bits, can be generated in 3337 cycles on an ARM Cortex-M3/4, i.e. 50 KiB/s on a development board, plenty fast for a cryptographic PRNG in an embedded setting.