



UNIVERSITY OF  
CAMBRIDGE

Department of Engineering

# Compiling Physical Invariants to Hardware for a Secure & Private Sensor Interface

Author Name: Gregory Brooks

Supervisor: Phillip Stanley-Marbell

Date: 29 May 2019

I hereby declare that, except where specifically indicated, the work submitted herin is my own original work.

*Signed* \_\_\_\_\_ *date* \_\_\_\_\_



# IIB Project Report:

## Compiling Physical Invariants to Hardware for a Secure & Private Sensor Interface

Gregory Brooks, gb510, Christ's College

29 May 2019

## Contents

|          |                                                         |           |
|----------|---------------------------------------------------------|-----------|
| <b>1</b> | <b>Technical Abstract</b>                               | <b>1</b>  |
| <b>2</b> | <b>Introduction and Background</b>                      | <b>3</b>  |
| 2.1      | Differential Privacy . . . . .                          | 3         |
| 2.2      | The Newton Language . . . . .                           | 5         |
| 2.3      | Random Number Generation . . . . .                      | 6         |
| <b>3</b> | <b>Theoretical Development</b>                          | <b>8</b>  |
| 3.1      | Brainstorming Example Applications . . . . .            | 8         |
| 3.1.1    | Digital Camera/Viola-Jones Facial Detection . . . . .   | 8         |
| 3.1.2    | Microphone . . . . .                                    | 9         |
| 3.1.3    | <i>Intelligent</i> Noising . . . . .                    | 9         |
| <b>4</b> | <b>System Design and Implementation</b>                 | <b>10</b> |
| 4.1      | Privacy Budget Management System Architecture . . . . . | 10        |
| 4.2      | FPGA . . . . .                                          | 12        |
| 4.3      | Hardware Entropy Source . . . . .                       | 13        |
| 4.4      | Uniform Random Number Generator . . . . .               | 14        |
| 4.5      | Inversion Method Random Number Generator . . . . .      | 16        |

|                                                                                             |           |
|---------------------------------------------------------------------------------------------|-----------|
| <b>5 Technologies and Techniques Used</b>                                                   | <b>18</b> |
| 5.1 Git/GitHub . . . . .                                                                    | 18        |
| 5.2 FPGA Synthesis Toolchain . . . . .                                                      | 20        |
| 5.3 Main Project Repository Structure and Build System . . . . .                            | 20        |
| <b>6 Evaluation and Characterisation</b>                                                    | <b>22</b> |
| 6.1 Evaluation of Hardware Entropy Source . . . . .                                         | 22        |
| 6.1.1 Method . . . . .                                                                      | 22        |
| 6.1.2 Results . . . . .                                                                     | 23        |
| 6.1.3 Discussion . . . . .                                                                  | 28        |
| 6.2 Randomness Testing . . . . .                                                            | 28        |
| 6.2.1 $i = 80, S = 25000$ . . . . .                                                         | 29        |
| 6.2.2 $i = 2, S = 1000000$ . . . . .                                                        | 29        |
| 6.3 Scaling of Logic Implementations . . . . .                                              | 30        |
| 6.3.1 Method . . . . .                                                                      | 30        |
| 6.3.2 Results . . . . .                                                                     | 30        |
| 6.3.3 Discussion . . . . .                                                                  | 33        |
| <b>7 Conclusions</b>                                                                        | <b>35</b> |
| 7.1 Future Work . . . . .                                                                   | 35        |
| <b>A Risk Assessment Retrospective</b>                                                      | <b>40</b> |
| <b>B Derivation of an Upper Bound on <i>Indirect</i> Differential Privacy Loss</b>          | <b>40</b> |
| <b>C Hardware Entropy Source Schematic and PCB</b>                                          | <b>44</b> |
| <b>D EuroSys 2019 Poster: Safeguarding Sensor Device Drivers Using Physical Constraints</b> | <b>46</b> |
| D.1 Derivation of Bimodal Beta Distribution . . . . .                                       | 47        |

# 1 Technical Abstract

## Compiling Physical Invariants to Hardware for a Secure & Private Sensor Interface

Gregory Brooks, gb510, Christ's College

---

This project investigates the idea of using the Newton [1] physics description language as part of a multi-sensor embedded local differential privacy system implemented on a small, low power iCE40 FPGA [2]. The aim of such a system is to allow for quantitative control over the amount of information released about private data such sensor measurements. Differential privacy [3] can be described as a technique whereby information about an individual is obscured whilst still providing useful information about a statistical population as a whole. For example, adding zero mean noise to datapoints in a database obscures individual entries but preserves the mean of those entries.

Such a system would require knowledge of the relationships between the measurements it takes; this information could be provided using the *Newton* physics description language [1]. A backend for the Newton language compiler could then use this information to generate a logic circuit description (in a hardware description language such as Verilog) to implement this differential privacy system on an FPGA. Existing work focuses on embedded systems with a single sensor [4].

Over the course of this project, the author has proposed a multi-sensor differential privacy algorithm and begun implementing it as a system consisting of a Verilog HDL template filled in by a C program that modifies the resulting hardware description based on a variety of privacy related parameters supplied to the program by a user — this software represents the compiler backend in the system proposed above. The author has also performed a detailed mathematical analysis of the differential privacy problem applied to a multi-sensor system, basing work off the state of the art for a single sensor embedded system [4] — this work has yielded both an exact expression and a more easily calculated upper bound on the quantitative privacy *loss* experienced by a private signal when information is revealed about related signals.

Over the course of this project, research efforts have focused on implementing a true random number generator on the iCE40 FPGA, a critical component of the proposed differential privacy system. The author has designed and evaluated a hardware entropy source (providing amplified avalanche noise from a PNP transistor acting as an avalanche diode), as well as Verilog code that extracts both uniformly and nonuniformly distributed random numbers from this noise source, using the iCE40's input comparator hardware to digitise the analog entropy source.

Analysis of the random number generator system indicates that the output does indeed appear random (when run through the NIST statistical test suite[5] [6]), and simulations of the uniform (URNG) and nonuniform (RNG) random number generators appear to behave as intended. The logic circuits synthesised from the URNG and RNG hardware descriptions have been implemented in a hardware efficient manner (i.e. use relatively few of the limited hardware resources present in the iCE40 FPGA) combining several ideas from the existing state of the art [7] [8] — the rate at which hardware resource usage scales with URNG/RNG output bit width was investigated as part of this project.

To conclude, this project has investigated the use of an iCE40 FPGA and the Newton physics description language as part of a differential privacy system for a multi-sensor embedded system. The author has derived both exact and upper bound expressions for quantifying *privacy loss* in this context, and has proposed an architecture for this differential privacy system. The random number generation component of this architecture has been implemented in Verilog and C; statistical testing suggests that its output is indeed random and the hardware implementation appears to scale well with URNG bit width, indicating efficient use of the iCE40 FPGA's hardware resources (though the use of the iCE40s hardware DSP blocks for performing arithmetic could reduce resource usage even further).

## 2 Introduction and Background

### 2.1 Differential Privacy

*Differential privacy* can be thought of as a constraint applied to queries for information from a database whereby information about individual members of the database is obscured whilst still releasing useful aggregate information about a population/demographic as a whole. A simple method of implementing this would be the addition of zero mean noise to database entries — whilst the noise would obscure the *true* value of individual data points, the mean value of the dataset would remain intact. More formally,  $\epsilon$ -*differential privacy* is defined by Dwork and Smith [3] as follows:

“A randomized function  $K$  gives  $\epsilon$ -*differential privacy* if for all data sets  $x$  and  $x'$  differing on at most one element, and all  $S \subseteq Range(K)$ ,

$$Pr[K(x) \in S] \leq \exp(\epsilon) \times Pr[K(x') \in S], \quad (1)$$

where the probability space in each case is over the coin flips of the mechanism  $K$ . ”

Throughout this project, the chosen randomised function  $K$  is the Laplace mechanism i.e. the addition of zero mean Laplace distributed random noise to *private* data such as a measurement from a sensor<sup>1</sup> to produce a *noised output* that can be released to untrusted observers (the outside world). This technique provides privacy by ensuring that every possible measurement value (i.e. any value within the sensor measurement range) has a similar posterior probability of being the *true private* value given the observed *noised output*. An outside observer can use the *noised output* to estimate the value of *private* data with some uncertainty but should never be able to deduce it with complete certainty.

The Laplace distribution used by this method has parameter  $\frac{\lambda}{\epsilon}$ .  $\lambda$  refers to the *global sensitivity* of the database query function; in this scenario this is simply the maximum difference between possible sensor measurements i.e. a sensor’s measurement range.  $\epsilon$  is a privacy scaling parameter, where a smaller  $\epsilon$  value results in greater privacy by applying noise with a greater variance, thereby reducing the amount of information each *noised output* value reveals about the *private* data. For a particular application, deciding on an  $\epsilon$  value is

---

<sup>1</sup>The *databases* in this scenario are simply single sensor measurements hence any two *databases* will always differ by at most a single element.

a tradeoff between utility and privacy since, in the limiting case, an  $\epsilon$  value of zero means that the system outputs no useful information (just random noise), consequently keeping the *private* data completely private.

Within the context of embedded electronic systems, recent work (for example, this project builds heavily on the work of Choi et al. [4]) has investigated the implementation of differential privacy techniques on low power hardware such as the processors found in smartphones and Internet-of-Things devices. In contrast to the conventional differential privacy model, where a trusted database stores *private* data collected from local hardware, a local differential privacy architecture involves *private* data being masked at the source (e.g. an embedded sensor system) before being sent to an untrusted database [9]. This local approach can result in a more secure system since *private* data does not need to be recorded anywhere nor transmitted from local hardware to a remote server.

One of the key advantages of generating random noise with known parameters is that it allows a quantitative *privacy loss* [4] to be calculated for each piece of information revealed to the outside world (e.g. with the release of each *noised output* value). Privacy losses can be deducted from a total *privacy budget* allocation — once the budget has been depleted, a differential privacy system will not release further information to the outside world. An intuitive justification for such a system comes from the fact that if an attacker were allowed to obtain an unlimited number of noised values, they would be able to take the mean of these responses to gain an arbitrarily accurate estimate for the private data value being masked by zero-mean random noise.

One challenge associated with implementing local differential privacy is that the randomised function  $K$  used to mask *private* data can be difficult to implement on low power hardware — one of the findings presented by Choi et al. [4] is that a finite precision implementation of the Laplace mechanism can lead to infinite privacy loss, since certain specific values for *noised output* data can reveal the *true* values for *private* unnoised data with complete certainty. This problem is most apparent on low power hardware utilising low precision fixed point arithmetic. This problem can be overcome by ensuring *noised output* remains within a safe range so that privacy loss can never be infinite; this can be achieved by truncating values if they fall outside the range or by resampling the random noise if it would result in a *noised output* value outside the acceptable range [4].

Existing research regarding embedded systems has focused on single sensor systems [4]. Introducing multiple related sensors introduces complications when quantifying privacy loss, since releasing a noised value of one particular measurement can indirectly reveal information about others. For example, if a particular embedded system contains a GPS and accelerometer, accelerometer measurements can be integrated over time to gain an estimate for GPS position — some privacy loss quantity would have to be deducted from the privacy budget allocated to the GPS as a result of releasing noised acceleration values. One of the aims of this project was to analyse this problem in detail — Appendix B presents a detailed mathematical analysis of the problem, whilst Section 4.1 presents a potential architecture for a hardware solution.

## 2.2 The Newton Language

*Newton* is a physics description language developed by Jonathan Lim and Phillip Stanley-Marbell [1]. A Newton description can specify dimensionally annotated *signals* i.e. physical quantities such as measurements from a sensor, and invariants/constraints relating these signals (such as the physical laws governing a particular system). Figures 1 and 2 and Equation 2 illustrate a basic example of the langage being used to describe the physical resonance of a circuit board.

```

1 include "NewtonBaseSignals.nt"
2 board : invariant(Q:dimensionless, d:distance, f:frequency, a:acceleration, t:time) = {
3     a ~ Q*d*(2*kNewtonUnitfree_pi*f)**2*((2*kNewtonUnitfree_pi*f*t)
4         - (2*kNewtonUnitfree_pi*f*t)**3/6 + (2*kNewtonUnitfree_pi*f*t)**5/120)
5 }
```

Figure 1: Example of a Newton description for a physically resonating circuit board (modelled in two dimensions) governed by Equation 2. Figure sourced from a poster produced in parallel to this project [10].

$$a = Q_{bd}d_{bd}\omega^2 \sin(\omega t), \quad (2)$$

where:

- $a$  represents board acceleration,
- $Q_{bd}$  represents quality factor,

- $d_{bd}$  represents board displacement amplitude,
- $\omega$  represents angular resonant frequency,
- $t$  represents time.



Figure 2: The system modelled by Equation 2. Figure sourced from a poster produced in parallel to this project [10].

At the time of writing the Newton language and compiler is still under development by the Physical Computation Laboratory [11]; the Newton compiler frontend is able to transform a human-readable Newton description into an intermediate representation, a tree structure that can be easily traversed by a computer. The motivation for this project was the idea that this information could be used by a compiler backend to generate a hardware description (e.g. Verilog). Within the context of this project, Newton provides the ability to describe the relationships between the sensors in a multi-sensor embedded system. This information is necessary to be able to quantify privacy losses in a multi-sensor system.

### 2.3 Random Number Generation

One important component of a local differential privacy system is a true random number generator (TRNG) to generate the random noise used to obscure *private* data<sup>2</sup>. The Laplace mechanism requires random noise to be Laplace distributed, introducing additional complexity compared to uniform or Gaussian distributed RNGs. The resource constraints imposed by the iCE40 FPGA dictated the need to implement a hardware efficient RNG to generate this Laplace distributed noise.

---

<sup>2</sup>In a security related application, pseudorandom number generators such as linear feedback shift registers are unsuitable since an attacker would be able to predict their output

A research article by De Schryver et al. [7] outlines a possible architecture for such a system, based on a lookup table indexed by a floating point representation of the output of a uniform random number generator. This architecture was implemented in Verilog and analysed as part of this project (see Section 4.5). It is important to note that his architecture requires a uniform random number generator (URNG) input (uniform random numbers are transformed to an output from the target distribution e.g. the Laplace distribution) — Sections 4.3 and 4.4 present a URNG implemented as part of this project.

## 3 Theoretical Development

The early stages of the project involved brainstorming and investigating potential research problems that would involve compiling Newton descriptions into a hardware description language. It soon became apparent that the Newton language was well suited to describing the relationships between sensors in a multi-sensor embedded system, thereby providing a basis to build upon the single-sensor state-of-the-art [4] [12].

### 3.1 Brainstorming Example Applications

Below are some examples of security/privacy related applications of compiling a Newton description into Verilog that eventually led to the project’s focus on differential privacy for multi-sensor systems.

#### 3.1.1 Digital Camera/Viola-Jones Facial Detection

iCE40 FPGAs are able to drive digital cameras and perform facial recognition, as illustrated by the iCE40 Ultraplus Mobile Development Platform [13]. In this context a differential privacy system might aim to apply random noise to an image in such a way that the identity of an individual can be obscured whilst still preserving enough information for facial detection algorithms to function correctly. A Python script available in this report’s GitHub repository<sup>3</sup> demonstrates this idea using OpenCV [14] — the script converts a photo of a face to greyscale and subsamples to 32x32 size (effectively low pass filtering to remove high spatial frequencies) before Laplace distributed random noise ( $\lambda = 25$ , mean = 0) is added to the pixel intensity values, similarly to the Laplace method described in Section 2.1. The script then uses a Viola-Jones [15] classifier to detect faces in the images before and after the application of noise, demonstrating that a face can be detected in both cases provided the variance of the noise distribution is not too great to drown out all relevant information (analogous to the  $\epsilon$  value in Section 2.1 being too small).

The results of running this script can be observed in Figure 3; the addition of random noise somewhat obscures the identity of the subject in the photo whilst still allowing a Viola-Jones facial detection to function. The demonstration featured here is a simple proof-of-concept; random distortion could be applied to the image in many different ways e.g. random displacement of pixels.

---

<sup>3</sup>See Section 5.1.



Figure 3: Proof-of-concept demonstration of Laplace distributed random noise being used to obscure an individual’s identity whilst preserving a detectable facial structure. A square has been drawn around the faces detected by the pre-trained Viola-Jones classifier bundled with OpenCV. The photo features, and was taken by the author.

The Viola-Jones classifier works by applying rectangular filters to detect facial features. A Newton description could contain invariants to describe these filters in terms of pixel values; this information could, for example, be used by a noising system to ensure that random noise is applied in a way that does not significantly impact an image’s response to the facial detection filters (i.e. if an image contains a face, then the Viola-Jones classifier described in Newton should still detect the face after the noising process, and vice versa if no face is present in the un-noised *private* image).

### 3.1.2 Microphone

In a similar manner to the camera example above, noise could be added to audio data in such a way that a person’s voice can be masked whilst still preserving features, such as mel-frequency cepstral coefficients, that allow speech recognition algorithms to function. The Newton language would be used to describe invariants in the time and/or frequency domains that must be held during the noising process.

### 3.1.3 *Intelligent* Noising

This project investigates a system which allows a user to specify which measurement signals they wish to add random noise to. It is possible to generalise this idea to a hypothetical system which has control over how it applies random noise to measurement data in order to mask

a more abstract form of information. One concrete example of this would be when working with images (e.g. the Viola-Jones example above) — given the requirement that individuals' identities should be obscured whilst still providing enough information for facial detection algorithms to work reliably, a system might choose to apply noise using, for example:

- Random noise added to pixel intensities.
- Convolution with a random filter.
- Random rearrangement of pixels.
- A combination of multiple techniques.

For such a system, a Newton description could be used to define constraints on the noised image's response to the Haar-like features used by a particular Viola-Jones facial detection algorithm; the system would then randomise the image in such a way that the constraints are not violated i.e. both the unnoised and noised images exhibit similar features, producing similar results when the face detection algorithm is applied.

## 4 System Design and Implementation

### 4.1 Privacy Budget Management System Architecture

The following section proposes a privacy management system architecture that could be used to manage multi-sensor privacy on an FPGA. Due to project time constraints, the system has not been completely implemented, since this would divert time and attention away from investigating the more important research questions posed by the project. The progress made so far by the author is documented in Sections 5 and 6.

The proposed system architecture is as follows:

- The FPGA acts as a sensor interface, allowing external circuitry to request noised sensor values. Noised measurement signals are referred to as *protected*, as their true value has been masked by the addition of zero-mean Laplace distributed random noise to preseve privacy; the system also allows *unprotected* signals to be forwarded to the outside world with no random noise added.
- A *privacy file* (e.g. a YAML file) is used to specify protected measurement signals for a particular embedded system.

- In order to apply random noise to a particular signal, a range of parameters must be defined for each protected signal:
  - Range of possible sensor outputs.
  - *Privacy budget* value allocated to the sensor.
  - *Privacy budget* replenishment rate.
  - Value of  $\epsilon$ , a measure of privacy where a smaller value results in greater privacy by increasing the variance of applied noise [4].

These values can be provided for each protected signal within the *privacy file*.

- The FPGA maintains a differential privacy *budget* for each protected signal. Querying a value for a protected signal (i.e. requesting a noised measurement from the FPGA) causes that signal to incur a privacy loss. The FPGA quantifies this loss (a function of the random noise sample added to the raw measurement [4]) and subtracts it from the signal’s privacy budget. Once the budget is depleted, further queries of the signal in question are ignored — a nonzero budget replenishment rate can be specified in the privacy file so that the signal can eventually be queried again once the budget has replenished sufficiently.
- Invariants in the Newton description define relationships between signals. This is important as privacy is lost if a measurand’s value is calculated by taking measurements from related sensors, without directly measuring the measurand. The system must account for this *indirect* privacy loss:
  - Each Newton invariant containing protected measurement signals has an associated bitfield register on the FPGA. Each bit in the register acts as a read flag for each measurement signal contained in the associated invariant — the flag is set when the sensor is queried (i.e. when a measurement is taken and the noised measurement value becomes *known* to the outside world) and is not cleared until the sensor’s privacy budget is completely replenished some time after a query (at which point the measurement value can be considered *unknown* to the outside world).
  - As long as any two flags remain unset, there are two variables in the equation that are *unknown* to an attacker. The equation cannot be solved and so no information<sup>4</sup>

---

<sup>4</sup>This assumes that the probability distributions of sensor outputs are independent, see Appendix B for an investigation into correlated measurements.

can be gained about the *unknown* values.

- If only one bit remains unset, then the remaining *unknown* value can be calculated using the other *known* values with set flags — the *unknown* signal incurs a privacy loss. If all flag bits are set then responding to a measurement query results in a privacy loss for every other signal in the invariant. These scenarios can be summarised by saying that, for signals contained within a particular Newton invariant, a signal experiences an indirect privacy loss if any of the other signals in the invariant are queried *and* all other signals are *known* i.e. have been recently queried.
- If responding to a query would exceed the privacy budget for any protected signal (not just the one being queried) then a response should not be granted.
- The mathematics behind the calculation of a quantitative value for privacy loss is investigated in Appendix B; whilst calculation of an exact value for privacy loss (Equation 6 in Appendix B) requires the use of a mathematical optimisation technique such as Lagrange multipliers, a simpler calculation can be used to obtain an upper bound on the value. This simpler calculation can be performed more easily on a small FPGA such as the iCE40, and can even be pre-calculated during compile-time since it is a function of the random noise output only.

## 4.2 FPGA

This system is based on the iCE40 UP5K FPGA [2], selected for its small size and low power consumption. These qualities make it ideal for inserting into an embedded device without significantly impacting the size or power consumption/battery life. Using FPGA hardware rather than a software implementation running on a processor has several advantages:

- Increased speed, to the point where data rate is limited by the SPI/I2C bus clock rather than the privacy system.
- Increased energy efficiency.
- Potential for integration into a sensor’s package (due to the FPGAs small size).
- Security - a hardware implementation is difficult for an attacker to manipulate or modify.

### 4.3 Hardware Entropy Source

As discussed in section 2.3, one of the key components of a security/privacy application is a true random number generator (TRNG). Unlike a pseudorandom number generator (PRNG), which produces a predictable deterministic outcome, a true random number generator's output cannot be anticipated by an attacker, preserving system security and users' privacy. The output bit rate of TRNGs is often limited so can be used to seed a cryptographically secure PRNG (CSPRNG) algorithm to increase output bit rate without significantly compromising security. This extra step was not required for this project, since the rate at which random numbers are consumed is relatively low.

Initial investigations focused on using the iCE40 FPGA's differential I/O hardware to generate random bits which could be fed into a TRNG to generate random samples from an arbitrary distribution. Initially, it was hoped that simply leaving two comparator inputs floating would cause the output to fluctuate randomly — in practice this did not occur as the comparator hardware requires one of the inputs to be biased within a narrow common mode voltage range (roughly half the I/O supply voltage, allowing the other input to swing about this reference voltage) [16]. The author decided to design a PCB to set this bias voltage, as well as provide an alternative entropy source in the form of a reverse biased avalanche diode producing avalanche noise. In theory, this circuit would provide a better i.e. less predictable source of entropy since, unlike the floating input pin, the avalanche noise (and therefore random number output) produced is independent of the device's external environment<sup>5</sup>.

The circuit used in this noise generator is based on a design by Professor Paul Horowitz [17, p. 984], modified to operate at 3.3V and 0V power rails (rather than  $\pm 5V$ ). Avalanche noise produced by a reverse biased base-emitter junction of a 2N4401 transistor is amplified through a dual op-amp amplifier stage before being modulated about a 1.65V DC bias ( $\frac{V_{cc}}{2}$ ); this output can then be fed into one of the iCE40's comparator inputs. A second output on the PCB comes from a simple potentiometer circuit to set the common mode reference voltage on the second comparator input (with series resistors to allow for fine control about  $\frac{V_{cc}}{2}$ ). Since the comparator output depends on whether the instantaneous voltage of the noise waveform lies above or below this reference voltage, this reference point can be adjusted to set the ratio of ones to zeros in the random comparator output.

---

<sup>5</sup>A floating input pin can easily be influenced by its external environment e.g. picking up 50Hz noise from nearby electrical mains, resulting in a non-uniform frequency spectrum for random output.

The Art of Electronics [17, p. 984] describes the avalanche noise produced by the circuit as being spectrally white up to around 50MHz, whilst the output signal has a 100mV RMS voltage.



Figure 4: 3D renders of PCB (in KiCad).

The full circuit schematic and PCB layout can be found in Appendix C, as well as the GitHub repository listed in Section 5.1.

#### 4.4 Uniform Random Number Generator



Figure 5: Block diagram of URNG logic circuit.

Figure 5 shows the logic circuit for the uniform random number generator described in Verilog as part of this project (see Section 5.1 for the GitHub repository containing the code). Random bits are supplied to this logic circuit, such as those produced by the hardware entropy source described in Section 4.3. These are fed into a von Neumann debiasing module

that uses a simple algorithm, invented by John von Neumann, to remove bias from the input bits, so that the probability of receiving a 1 bit from the debiasing module's output is equal to the probability of receiving a 0. This is achieved by taking two input bits at a time — if both bits are equal (received sequence 0,0 or 1,1), they are discarded; if the received sequence is 1,0 then the output bit is 1; if the received sequence is 0,1 then the output bit is zero. The module's behaviour can be described more formally: for random input bits modelled by random variable  $X$  with a distribution  $p()$  such that  $p(X = 1) \neq p(X = 0)$  but  $p(X_i = 1, X_{i+1} = 0) = p(X_i = 0, X_{i+1} = 1)$ , the debiasing module outputs random bits modelled by random variable  $Y$  with distribution  $q()$  where  $q(Y = 0) = q(Y = 1)$ .

The additional logic in this URNG module is used to store  $n$  bits output by the extractor in an  $n$  bit output register (providing a fixed point  $n$  bit uniform random number). Each bit in the register is associated with a valid signal (stored in the *valid* output register) that goes high once the associated output bit takes on a value from the extractor output.

The circuit runs until the output register is filled, at which point the internal enable (*en*) register is set from 1 to 0; to generate a new random number the module must be reset.

The GitHub repository for the URNG contains a Verilog testbench that can be run with the command `make simurng` to successfully simulate and test this logic circuit. The circuit has also been successfully synthesised for an iCE40 UP5K FPGA; a detailed analysis is presented in Section 6.3.

## 4.5 Inversion Method Random Number Generator



Figure 6: Block diagram of RNG logic circuit.

This module contains the URNG described in Section 4.4, transforming uniformly distributed random numbers into random numbers distributed according to an arbitrary (e.g. Laplace) distribution. This is achieved by implementing the hardware efficient system described by De Schryver et al. [7].

The module *rng\_uniform\_to\_float* takes the uniform random numbers produced by the URNG and transforms them into a floating point representation using the algorithm described by De Schryver et al. [7]. The production of a single floating point number may require more than one uniform random number to be consumed, so this module is capable of resetting the URNG to generate as many uniform random numbers as it needs to produce a floating point output number. This module requires an internal block of combinational logic to count the number of leading zeros within a particular region of the bit vector coming from the URNG; the author implemented this logic module using a hardware-efficient recursively<sup>6</sup> instantiated tree structure proposed by Oklobdzija [8].

---

<sup>6</sup>The finite recursion depth when instantiating this module means that the resulting logic circuit is still synthesisable i.e. can be realised as a physical circuit on an FPGA.

The floating point number produced by the *rng\_uniform\_to\_float* module is used as the input address to a block RAM lookup table, allowing two coefficients ( $c_0$  and  $c_1$ ) to be read out of the RAM. The contents of this RAM is generated by a C program written by the author (described in Section 5.3) which obtains  $c_0$  and  $c_1$  coefficients by taking discrete samples of a continuous probability distribution such as the Laplace distribution. The final output number is calculated at  $c_0 + c_1 \times m$  where  $m$  consists of a certain number<sup>7</sup> of the least significant bits from the mantissa part of the floating point number produced by *rng\_uniform\_to\_float*. This final random number output is accompanied by a valid flag signal; this signal must be delayed using the *valid\_pipe* register to synchronise it with the associated random number at the output. As with the URNG, the logic circuit runs until a valid random number appears at the output; it must then be reset to produce a new random number.

A simulation of this module can be tested by running the `make simrng` command; a Verilog testbench supplies the simulated module with a random bit input, allowing internal signals and output to be observed. Figure 7 shows an example of the simulation results. Simulation was performed using Icarus Verilog [18].



Figure 7: Screenshot demonstrating RNG simulation, when the simulated module is supplied with an alternating stream of zeros and ones through the random bit input.

---

<sup>7</sup>Details of this random number generator architecture can be found in the paper [7] on which this implementation is based; they are not repeated in this report.

## 5 Technologies and Techniques Used

### 5.1 Git/GitHub

Below is a list of GitHub repositories containing work done as part of this project:

- Main project repository containing Python simulations/tests, Verilog templates, Verilog hardware descriptions (e.g. the nonuniform random number generator) and C code:  
<https://github.com/Gregox273/Newton-Verilog-Compiler>
- Verilog repository for the iCE40 differential I/O based uniform random number generator:  
<https://github.com/physical-computation/iCE40-LVDS-RNG>
- Schematic and PCB design for hardware random noise generator:  
<https://github.com/Gregox273/hardware-rng>
- Physical Computation Laboratory measurement repository, containing measurements taken when characterising the hardware random number generator (Sections 6.1 and 6.2):  
<https://github.com/physical-computation/measurement-data>  
Measurement Number: 33 Branch: issue-33

Over the course of this project, GitHub provided a remote location to store/backup work and transfer it between computers. Git's version control functionality facilitated development of software, Verilog firmware and documentation by allowing work to be divided up into commits that could be merged/rolled back/compared when necessary. The Git commit history also provides a timeline of project progress — an example is shown in Figure 8.

```

commit 24ebf237082df41ef72321b00d26b4ceeab103e4
Author: Gregory Brooks <gregox273@gmail.com>
Date:   Mon Feb  4 21:52:41 2019 +0000

    Begin rng testbench & document clk modules

commit 95f9c3d059be53ccfb0b9234f7a5dd222218de64
Author: Greg Brooks <gregox273@gmail.com>
Date:   Sat Feb  2 22:51:29 2019 +0000

    Begin adding testbenches (clk testbenches)

commit 915af56dd5276e0b3893286984e1087056f6360c
Author: Greg Brooks <gregox273@gmail.com>
Date:   Fri Dec 28 21:44:18 2018 +0000

    Add examples of hardware LUT4s being used as programmable delay lines (for uniform TRNG)

commit 704fb18cdca2f4c0e92dce716eebbb948ca0d2cc
Author: Greg Brooks <gregox273@gmail.com>
Date:   Tue Dec 25 16:55:54 2018 +0000

    Update Python script to match lookup generation algorithm used in C code

commit d282e5796ed1e389b5e7e7fb4e76fa57d3e3217d
Author: Greg Brooks <gregox273@gmail.com>
Date:   Sun Dec 23 21:04:55 2018 +0000

    Add type aliases to help debug/fix in event of overflow

commit c14812dceefaf52619859d4a082eb8972363f83b
Author: Greg Brooks <gregox273@gmail.com>
Date:   Sun Dec 23 02:59:03 2018 +0000

    Add to compiler so that it autogenerates some .vh files and lookup table values

commit 3dfe2b486f849a9d2c59065d7d9212d5b45d2bc7
Author: Greg Brooks <gregox273@gmail.com>
Date:   Fri Dec 21 13:08:56 2018 +0000

    Begin Newton compiler backend (in C)

commit 5af1b34e1fa9560fb6be94f7817e210506306fd7
Author: Greg Brooks <gregox273@gmail.com>
Date:   Tue Dec 18 16:53:14 2018 +0000

    Create directory for c compiler code

commit 456140cf474682fc7d8e156da219e3b87a2bf07c
Author: Greg Brooks <gregox273@gmail.com>
Date:   Tue Dec 18 16:39:06 2018 +0000

```

Figure 8: Example of the commit history for the main project repository (Newton-Verilog-Compiler).

## 5.2 FPGA Synthesis Toolchain

The author used the open source Project IceStorm [19] toolchain to synthesise Verilog code and to program the iCE40 FPGA. The following tools in the toolchain were used over the course of the project:

- Yosys: synthesises Verilog to a logic circuit representation.
- Arachne-pnr: place and route tool that maps a logic circuit to physical hardware within the FPGA.
- Icepack: tool for converting ASCII format file (e.g. the arachne-pnr output) to a binary file (bitstream) for programming the iCE40 FPGA.
- Icetime: tool used to analyse signal timings in the circuit to be programmed. One of the useful parameters output by this tool is a value for the maximum clock speed a circuit can be expected to operate at.
- Iceprog: a program used to program an iCE40 FPGA over USB, using an FTDI based programmer present on the board to be programmed.

## 5.3 Main Project Repository Structure and Build System

This section describes the layout of the *Newton-Verilog-Compiler* main project repository, as well as the method used to compile/synthesise code contained within. This repository contains a significant amount of the work carried out as part of this project, but not all of it (see Section 5.1).

At the start of the project, the author decided to use Python scripts to prototype algorithms that would later be implemented in C or Verilog. This was done to aid debugging and testing due to the ease with which a Python script can be paused, inspected and restarted during execution (though it could be argued that a debugger such as `gdb` allows compiled C programs to be manipulated in a similar way). This Python script can be found in the `python-diff-priv` directory within the main repository.

All Verilog modules written over the course of this project are parameterised so that wire/register bit widths can be easily changed without having to rewrite any code. In this repository, parameter values are taken from `.vh` Verilog header files which can be supplied manually or generated using the C program in the `c_compiler` directory — this program

takes the privacy file `privacy.yaml` (a partial implementation of the *privacy file* described in Section 4.1) as an input and uses it to generate Verilog header files, by populating a template file. The program also generates the data to be stored in the FPGA’s block RAM as part of the random number generator’s BRAM lookup table; this data is stored in `.mem` files that are read in Verilog using the `$readmemh` command.

The `c_compiler` directory also contains the Verilog code for the nonuniform random number generator.

Throughout this project, the author made extensive use of the `make` tool for Linux, simplifying the compilation/synthesis process:

- The C program is compiled by running `make` in the `c_compiler` directory. It can then be run with `build/c_compiler`.
- Once the C program has been run to generate the necessary Verilog header files and `.mem` BRAM initialisation value, the Verilog code for the nonuniform random number generator can be synthesised by running `make synthrng` in the `c_compiler/verilog` directory. Alternatively `make simrng` can be used to simulate it, running a Verilog testbench. Similar commands (`make synthclz`/ `make simclz`) can be used to synthesise/test the leading zero counter logic in isolation.

## 6 Evaluation and Characterisation

### 6.1 Evaluation of Hardware Entropy Source



Figure 9: The physical PCB, assembled by the CUED Dyson Centre’s Electronics Development Group.

#### 6.1.1 Method

This section presents measurements taken at several test points in the assembled circuit, analysing the noise signal at each stage in the amplifier circuit. A schematic is available in Appendix C, showing the locations of these test points within the circuit. The author measured and recorded voltage waveforms at each of the testpoints listed below using a Tektronix MDO4104C oscilloscope with both AC and DC probe coupling — DC coupling was used for the waveform screenshots shown below, (as well as for taking the average voltage measurements shown in the screenshots), whilst AC coupling was used for  $V_{RMS}$  measurements. When displaying the FFT of signals on the oscilloscope, the author used a rectangular window function since the noise spectrum was predicted to be fairly wide (The Art of Electronics describes the avalanche noise as being white up to 50MHz [17, p. 984], whilst the op-amps used in this circuit have a gain-bandwidth product of 23MHz [20]).

### 6.1.2 Results

#### TP2: Avalanche breakdown noise source

$$V_{RMS} = 8.79mV.$$



(a) Time domain



(b) Frequency domain

Figure 10: TP2

#### TP4: Input to first op-amp

$$V_{RMS} = 8.92mV.$$



(a) Time domain



(b) Frequency domain

Figure 11: TP4

TP8: Output of first op-amp/input to second op-amp

$$V_{RMS} = 38.4mV.$$



(a) Time domain



(b) Frequency domain

Figure 12: TP8

### TP9: Output of second op-amp

$$V_{RMS} = 363mV.$$



(a) Time domain



(b) Frequency domain

Figure 13: TP9

## TP10: Circuit noise output

$$V_{RMS} = 343mV.$$



(a) Time domain



(b) Frequency domain

Figure 14: TP10

### 6.1.3 Discussion

These measurements suggest that at lower frequencies, the circuit behaves as intended:

- From TP2 to TP4, the signal has similar  $V_{RMS}$  whilst the DC bias voltage goes from 7.85V to 6V. This is expected since the signal has passed through an AC coupling capacitor, with a 6V bias set on the output side by a potential divider.
- The transition from TP4 to TP8 shows the effect of the first op-amp stage;  $V_{RMS}$  increases whilst the DC bias voltage remains at 6V.
- The second op-amp stage lies between test points 8 and 9. Again  $V_{RMS}$  increases whilst  $V_{av}$  remains at 6V.
- Between TP9 and TP10, there is a final AC coupling stage to modulate the AC noise signal about a 1.65V DC voltage ( $V_{cc}/2$  for connecting to one of the iCE40 comparator inputs). This appears to have little impact on  $V_{RMS}$ .

The frequency domain plots (Figures 12 and 13) show that the op-amp gain falls to unity at around 10MHz — this agrees with the plot of voltage gain vs frequency in the device's datasheet [20]. The output  $V_{RMS}$  unexpectedly appears much higher than the 100mV stated in The Art of Electronics [17, p. 984].

## 6.2 Randomness Testing

The author used an improved version of the NIST Statistical Test Suite, developed by Cisco [6], to assess the randomness of the bits produced when the hardware entropy source was connected to a comparator input on an iCE40 FPGA (on a Warp-FPGA board [21]). The comparator output was sampled using a Digilent Analog Discovery 2, allowing 2 million random bits to be recorded (at 10kilobits per second, clocked by the iCE40's low frequency oscillator) for analysis.

When running the test suite [5], the input data is split into  $i$  *iterations* of length  $S$  bits, where a greater  $i$  value leads to a more accurate result<sup>8</sup>, but also a smaller  $S$  value for a given amount of sample data (which can prevent some tests from running; a recommended [6]  $S$  value is  $2^{20}$ ). Each test run as part of the suite consists of two *analyses*; a test is said to have passed if:

---

<sup>8</sup>The accompanying NIST report [5] suggests at least 55 iterations.

- Proportion analysis: the proportion of the  $i$  iterations which pass the test falls within a certain confidence interval.
- Uniformity analysis: the distribution of test P-values for each of the  $i$  iterations is sufficiently uniformly distributed.

Different  $i, S$  combinations were used to obtain the following results:

### 6.2.1 $i = 80, S = 25000$

The following tests were not run due to  $S$  being too small: Rank, Overlapping Template, Universal, Approximate Entropy, Random Excursions, Random Excursions Variant, Serial, Linear Complexity.

150/155 tests passed both analyses:

| Test Failed                                | Proportion | Uniformity |
|--------------------------------------------|------------|------------|
| Runs                                       | X          |            |
| 3/148 of Non-overlapping Template Matching | X          |            |
| 1/148 of Non-overlapping Template Matching | X          | X          |

Table 1: Tests failed when using a valid number of iterations. Failures are denoted by an X.

### 6.2.2 $i = 2, S = 1000000$

155/188 tests passed both analyses:

| Test Failed                                | Frequency | Proportion |
|--------------------------------------------|-----------|------------|
| Frequency                                  | X         |            |
| Cumulative Sums (forward)                  | X         |            |
| Cumulative Sums (backward)                 | X         |            |
| Runs                                       | X         | X          |
| 3/148 of Non-overlapping Template Matching | X         |            |
| 8/8 of Random Excursions                   | X         | X          |
| 18/18 of Random Excursions Variant         | X         | X          |

Table 2: Tests failed when using enough bits per iteration to run the entire test suite. Failures are denoted by an X.

A detailed analysis of these results, and the mathematics behind the test suite, is beyond the scope of this report; the fact that the majority of tests appear to have passed suggests that the hardware entropy source is likely to be sufficient for the requirements of this project. Additionally, as  $i$  (and hence test accuracy) increased, the proportion of tests passed increased.

One area for further investigation would be to gather a larger sample of random bits ( $\gtrsim 60$  Megabits<sup>9</sup>), both with and without the hardware entropy source attached to the FPGA. This would allow for comparison of test results, whilst a larger sample size would allow the entire test suite to be run with a sufficient number of iterations. The speed at which the above data could be acquired was significantly limited by the low clock frequency used to clock the random bit generator — the iCE40’s 48MHz high frequency oscillator could be used instead to overcome this limitation, though it is likely that this frequency would have to be divided down to a few MHz or less to minimise edge distortion due to low bandwidth in PCB traces and flying wires leading to a logic analyser, as well as to reduce cross talk between wires.

## 6.3 Scaling of Logic Implementations

### 6.3.1 Method

This section presents the results of investigating the effect of random number generator bit width (the number of bits in the output) on the size and complexity of the resulting FPGA implementation. The author used Yosys, a program from the Project IceStorm [19] toolchain, to synthesise Verilog RTL on a desktop computer<sup>10</sup>. The terminal commands used are contained within the Makefiles in the URNG/RNG repositories, allowing these measurements to be repeated by running `make synthurng`/`make synthrng` within the appropriate repository (see Section 5.1 for a list of repositories). At the end of the synthesis process, yosys prints statistics for the resulting logic circuit — this information is displayed in Section 6.3.2.

### 6.3.2 Results

The following results are taken from Yosys’ output. Terminology is defined here [22]:

- Wires: The number of wires in the circuit where the multibit WIRE[X:0] counts as a

---

<sup>9</sup>The Analog Discovery 2 can only record 10 million samples at a time, so such a measurement would require several samples to be taken and concatenated later for testing.

<sup>10</sup>AMD Ryzen 5 2600X Six-Core Processor 3.60GHz, 16GB RAM.

single wire.

- Bits: The number of wire bits in the circuit where the multibit WIRE[X:0] consists of X+1 wire bits.
- CARRY: The number of logic cells used for their carry logic circuits (a combinational logic circuit useful for arithmetic operations).
- DFFE: The number of logic cells used as D flip-flops with clock enable input.
- DFFESR: The number of logic cells used as D flip-flops with clock enable and synchronous reset inputs.
- LUT4: The number of logic cells used as ROM 4 input look-up tables.
- U, S CPU Time: Time taken for synthesis to complete (user time, system time).
- Mem: Total RAM used by Yosys to synthesise design.

| N  | No. of Wires |      | No. of Cells |      |        |      | Synthesis       |        |
|----|--------------|------|--------------|------|--------|------|-----------------|--------|
|    | Wires        | Bits | CARRY        | DFFE | DFFESR | LUT4 | U, S CPU Time/s | Mem/MB |
| 1  | <i>29</i>    | 30   | 0            | 6    | 4      | 12   | 0.27, 0.113     | 28.93  |
| 2  | 33           | 37   | 0            | 5    | 7      | 16   | 0.30, 0.05      | 29.00  |
| 3  | <i>44</i>    | 58   | 3            | 6    | 9      | 25   | 0.34, 0.08      | 29.01  |
| 4  | 41           | 56   | 1            | 7    | 10     | 24   | 0.34, 0.08      | 29.02  |
| 5  | <i>49</i>    | 73   | 5            | 8    | 12     | 31   | 0.33, 0.06      | 29.04  |
| 8  | 46           | 76   | 2            | 11   | 15     | 30   | 0.33, 0.17      | 35.29  |
| 16 | 60           | 117  | 3            | 19   | 24     | 45   | 0.52, 0.14      | 29.27  |
| 32 | 85           | 193  | 4            | 35   | 41     | 71   | 0.73, 0.19      | 29.55  |
| 48 | 108          | 273  | 7            | 51   | 58     | 93   | 1.38, 0.33      | 29.95  |
| 64 | 119          | 326  | 5            | 67   | 74     | 106  | 1.14, 0.25      | 30.50  |

Table 3: Effect of varying uniform RNG bit width, BX, on logic circuit size. Odd numbered bit widths are printed in italics.



Figure 15: Graph to illustrate how URNG logic cell usage increases with URNG bit width. The graph displays the data in Table 3.

| N(G,D)    | Wire bits | LUT4 | Total | BRAM/bytes | U, S CPU Time/s | Mem/MB |
|-----------|-----------|------|-------|------------|-----------------|--------|
| 7(2,1)    | 738       | 401  | 503   | 48         | 1.22,0.34       | 40.32  |
| 8(4,3)    | 812       | 441  | 548   | 112        | 1.42,0.19       | 60.49  |
| 9(8,7)    | 834       | 438  | 554   | 240        | 1.42,0.3        | 40.48  |
| 10(16,15) | 887       | 450  | 572   | 496        | 1.42,0.28       | 40.59  |
| 11(32,31) | 915       | 449  | 572   | 1008       | 1.73            | 0.25   |

Table 4: Effect of varying URNG bit width on nonuniform RNG synthesis. Varying URNG bit width is achieved by varying the number of *growing* and *diminishing octaves*, denoted by (G,D) in the table. These values were obtained using a 16 bit final random output, 3 bit floating point mantissa and a 2 bit *subsection* address. The paper on which this implementation is based describes the meaning of the *subsection*, *mantissa* and *octave* terms [7].

|    |           | No. of Cells |       |            |                 |        |
|----|-----------|--------------|-------|------------|-----------------|--------|
| N  | Wire bits | LUT4         | Total | BRAM/bytes | U, S CPU Time/s | Mem/MB |
| 8  | 494       | 148          | 224   | 56         | 1.02,0.22       | 91.90  |
| 16 | 812       | 441          | 548   | 112        | 1.42,0.19       | 60.49  |
| 32 | 1962      | 1483         | 1657  | 224        | 3.11,0.59       | 42.58  |

Table 5: Effect of varying the RNG output bit width. The following constant values were used: 4 growing octaves, 3 diminishing octaves, 2 bit subsection address, 3 bit mantissa.



Figure 16: Graph to illustrate how RNG logic cell usage increases with RNG bit width.

### 6.3.3 Discussion

Overall, these results suggest that the implementation so far scales well with URNG/RNG bit width, since the values in Tables 3 and 4 tend to scale logarithmically ( $O(\log_2(N))$ ). Interestingly, Table 5 appears to be an exception to this rule, with the number of wire bits and BRAM usage appearing to scale linearly with the RNG output's bit width, whilst the logic cell count appears to scale with order  $O(N^2)$ . This suggests that, within the RNG module, the final output stages (after the lookup table that perform arithmetic on the coefficients read from BRAM) account for a significant portion of the entire module's hardware complexity, since this is the only part of the module that is affected by output bit width (as opposed to URNG bit width). It is therefore likely that this hardware complexity

could be reduced by taking advantage of the iCE40 FPGA's dedicated DSP hardware blocks to perform arithmetic, rather than leaving Yosys to synthesise this logic using general purpose logic cells. Additional work would be required to implement this in a paramterised way that allows for an arbitary output bit width, since the DSP blocks contain 8 and 16 bit multipliers and accumulators.

## 7 Conclusions

This report has described investigations into an iCE40 FPGA based differential privacy system for a multi-sensor embedded system. Analysis of the mathematics behind this problem, presented in Appendix B, has revealed the need for such a system to have knowledge of the relationships between the measurements it takes — this information could be provided by a *Newton* description of the physical system relating these measurements.

The mathematical analysis of the multi-sensor differential privacy problem (presented in Appendix B) has yielded exact and upper bound expressions for quantifying privacy loss in the situation where a noised value for a particular measurement is released, thereby revealing some information about all other related measurement values.

Section 4.1 proposes an architecture for such a system, where a privacy *budget* is maintained for protected measurements and outside agents are able to query an FPGA for masked measurement values. The author produced a Verilog implementation of the random number generator required for such a system; it is presented in Sections 4.4 and 4.5 analysed in detail in Section 6.3. The author also designed a hardware entropy source for this RNG subsystem — it is described in Section 4.3 and evaluated in Section 6.1. Experimentation indicates that the output does indeed appear random and the synthesised logic circuit resulting from the URNG/RNG Verilog code makes relatively efficient use of FPGA resources (though this could potentially be improved further by utilising the iCE40’s hardware DSP blocks to perform arithmetic).

### 7.1 Future Work

The most obvious path for future work is to continue with the implementation of the system outlined above, in order to produce a working prototype. As a research project, the characterisation work described in Section 6 was prioritised over working towards a working prototype, for the purposes of inspiring future research. Future work could also optimise the existing hardware descriptions e.g. through use of hardware DSP blocks on the FPGA.

As discussed in Section 6.2, further research could focus on a more detailed analysis of the randomness of the output of the hardware RNG circuit. Improvements could be made to the circuit itself, for example to reduce size and power consumption or to increase the

output bandwidth. An improved circuit could be integrated into the Physical Computation department’s FPGA development platforms, providing a hardware TRNG for use with other research.

One potential area for future research is the application of the Newton language to safeguarding against *transduction attacks* (attacks on a computer system performed by manipulating transducers i.e. sensors in the system). This idea was briefly investigated by the author in parallel to this project, resulting in the publication of a poster [10] presented by the author at EuroSys 2019 in Dresden. The overall idea behind the poster was that Newton could be used to describe plausible system behaviour (e.g. constraints imposed by physical laws governing the system), thereby allowing implausible behaviour to be recognised and interpreted as a possible transduction attack in progress. The poster is summarised in Appendix D.

## References

- [1] Jonathan Lim and Phillip Stanley-Marbell. “Newton: A Language for Describing Physics”. In: *CoRR* abs/1811.04626 (2018). arXiv: 1811.04626. URL: <http://arxiv.org/abs/1811.04626>.
- [2] *iCE40 Ultraplus*. <http://www.latticesemi.com/Products/FPGAandCPLD/iCE40UltraPlus>. Accessed 2018-12-26.
- [3] Cynthia Dwork and Adam Smith. “Differential privacy for statistics: What we know and what we want to learn”. In: *Journal of Privacy and Confidentiality* 1.2 (2010).
- [4] Woo-Seok Choi et al. “Guaranteeing Local Differential Privacy on Ultra-Low-Power Systems”. In: *2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA)* (2018), pp. 561–574.
- [5] Lawrence E. Bassham III et al. *SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications*. Tech. rep. Gaithersburg, MD, United States, 2010.
- [6] *sts*. <https://github.com/arcetri/sts>. Accessed 2019-05-25.
- [7] Christian De Schryver et al. “A Hardware Efficient Random Number Generator for Nonuniform Distributions with Arbitrary Precision”. In: *Int. J. Reconfig. Comput.* 2012 (Jan. 2012), 12:12–12:12. ISSN: 1687-7195. DOI: 10.1155/2012/675130. URL: <http://dx.doi.org/10.1155/2012/675130>.
- [8] V.G. Oklobdzija. “An implementation algorithm and design of a novel leading zero detector circuit”. In: Nov. 1992, 391–395 vol.1. DOI: 10.1109/ACSSC.1992.269243.
- [9] Peter Kairouz, Sewoong Oh and Pramod Viswanath. “Extremal Mechanisms for Local Differential Privacy”. In: *Proceedings of the 27th International Conference on Neural Information Processing Systems - Volume 2*. NIPS’14. Montreal, Canada: MIT Press, 2014, pp. 2879–2887. URL: <http://dl.acm.org/citation.cfm?id=2969033.2969148>.
- [10] Gregory Brooks, Youchao Wang and Phillip Stanley-Marbell. *Safeguarding Sensor Device Drivers Using Physical Constraints*. Poster presented at EuroSys 2019, Dresden, Germany.
- [11] *Physical Computation Laboratory*. <http://physcomp.eng.cam.ac.uk/>. Accessed 2019-05-18.

- [12] Cynthia Dwork et al. “Calibrating Noise to Sensitivity in Private Data Analysis”. In: *Theory of Cryptography*. Ed. by Shai Halevi and Tal Rabin. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 265–284. ISBN: 978-3-540-32732-5.
- [13] *iCE40 Ultraplus MDP*. <http://www.latticesemi.com/Products/DevelopmentBoardsAndKits/iCE40UltraPlusMobileDevPlatform>. Accessed 2019-05-18.
- [14] *opencv-contrib-python*. <https://pypi.org/project/opencv-contrib-python/>. Accessed 2019-05-19.
- [15] Paul Viola and Michael Jones. *Rapid object detection using a boosted cascade of simple features*. 2001.
- [16] Lattice Semiconductor. *Common Analog Functions Using an iCE40 FPGA*. Tech. rep. 2012.
- [17] Paul Horowitz and Winfield Hill. *The Art of Electronics*. 3rd ed. Cambridge University Press, 2015. ISBN: 978-0-521-80926-9.
- [18] *Icarus Verilog*. <http://iverilog.icarus.com/>. Accessed 2019-05-26.
- [19] *Project IceStorm*. <http://www.clifford.at/icestorm/>. Accessed 2019-05-24.
- [20] *LT1215/LT1216 23MHz, 50V/µs, Single Supply Dual and Quad Precision Op Amps*. LT1215/LT1216. 12156fb LT/TP 1101 1.5K REV B. Linear Technology. 1993.
- [21] Phillip Stanley-Marbell and Martin Rinard. “A Hardware Platform for Efficient Multi-Modal Sensing with Adaptive Approximation”. In: *arXiv preprint arXiv:1804.09241* (2018).
- [22] Lattice Semiconductor. *LATTICE ICE<sup>TM</sup> Technology Library*. Tech. rep. Version 3.0. Aug. 2016.
- [23] Kevin Fu and Wenyuan Xu. “Risks of Trusting the Physics of Sensors”. In: *Commun. ACM* 61.2 (Jan. 2018), pp. 20–23. ISSN: 0001-0782. DOI: [10.1145/3176402](https://doi.acm.org/10.1145/3176402). URL: <http://doi.acm.org/10.1145/3176402>.
- [24] J. Liu, C. Yan and W. Xu. *Can you trust autonomous vehicles: Contactless attacks against sensors of selfdriving vehicles*. In *DEFCON24* (Aug. 2016). URL: <http://bit.ly/2EQNOLs> (visited on 11/03/2019).
- [25] Analog Devices. *ANALOG DEVICES ADVISORY TO ICS ALERT-17-073-01*. Tech. rep. 14th Mar. 2017.

- [26] Gregory Brooks. *issue-25*, *Physical Computation Measurement Data Repository*. URL: <https://github.com/physical-computation/measurement-data/tree/issue-25> (visited on 11/03/2019).

## A Risk Assessment Retrospective

The risk assessment submitted at the start of the project does not mention any specific hazards besides office (computer) work, since the project is predominately software/firmware based (all project hardware operated at low voltages i.e. 12V or less). No other hazards were encountered during the course of the project, since the random noise generator PCBs were manufactured by the Dyson Centre’s Electronics Development Group. In retrospect, although not part of the initial project specification, the risk assessment could have anticipated the possibility of manufacturing PCBs for the project. The hazards associated with this activity include high temperatures (from a soldering iron/oven/hot air gun) as well as chemical hazards associated with solder, fume extraction etc.

## B Derivation of an Upper Bound on *Indirect Differential Privacy Loss*

Let  $\hat{X}$  be a random variable denoting a sensor measurement, including any measurement error.

Let  $N_{Laplace}^\lambda$  be a random variable following a Laplace distribution with parameter  $\lambda$ . This represents random noise added to sensor measurements.

Let  $X$  be a random variable representing a *noised* sensor measurement i.e. the masked value that the differential privacy system provides to the outside world after applying Laplace distributed noise to a measurement:

$$X = \hat{X} + N_{Laplace}^\lambda. \quad (3)$$

A measurement event comprises the variable  $\hat{X}$  taking on value  $\hat{x}$ . Similarly, a noising event can be defined by  $X$  taking value  $x = \hat{x} + n$ . We define an embedded system as having  $n$  sensors with measurements distributed as  $\hat{X}_i$ ,  $1 \leq i \leq n$ .

Let  $Y$  denote a variable derived from one or more *noised measurements*,  $X$ , such as measurements from different sensors in an embedded system:

$$\begin{aligned} Y &= f(X_1, X_2, \dots, X_n) = f(\mathbf{X}), \\ y &= f(x_1, x_2, \dots, x_n) = f(\mathbf{x}). \end{aligned}$$

This same mapping function  $f(\mathbf{x})$  can take unnoised measurements as arguments:

$$\begin{aligned}\hat{Y} &= f(\hat{X}_1, \hat{X}_2, \dots, \hat{X}_n) = f(\hat{\mathbf{X}}), \\ \hat{y} &= f(\hat{x}_1, \hat{x}_2, \dots, \hat{x}_n) = f(\hat{\mathbf{x}}).\end{aligned}$$

Using this function, an untrusted party can compute an instance value  $y$  by taking measurements  $x_1$  to  $x_n$  — variable  $\hat{Y}$  has experienced some privacy loss,  $l_{\hat{Y}}$ , since a noised instance value  $y$  has effectively been released to the outside world (i.e. untrusted parties), revealing some information about the private noise-free value  $\hat{y}$  taken by variable  $\hat{Y}$ . The privacy loss can be quantified using a log-likelihood ratio [4] (Equation 5). This privacy loss function requires two parameters,  $\hat{y}_a$  and  $\hat{y}_b$ , which are the possible *true* i.e. noise-free values for  $\hat{Y}$  that maximise the privacy loss (Equation 4).

$y_{obs} = f(\mathbf{x}_{obs})$  = value for  $y$  calculated from noised measurements  $\mathbf{x}_i$ ,

$$\hat{y}_a, \hat{y}_b = \underset{\hat{y}_a, \hat{y}_b}{\operatorname{argmax}} l_{\hat{Y}}(\hat{y}_a, \hat{y}_b), \quad (4)$$

$$l_{\hat{Y}}(\hat{y}_a, \hat{y}_b) = \log \left( \frac{Pr\{Y = y_{obs} | \hat{Y} = \hat{y}_a\}}{Pr\{Y = y_{obs} | \hat{Y} = \hat{y}_b\}} \right). \quad (5)$$

Equation 5 can be rewritten as follows, where  $\hat{\mathbf{x}}_a$  and  $\hat{\mathbf{x}}_b$  are chosen to maximise  $l_{\hat{Y}}$  as before, but subject to constraints  $\hat{\mathbf{x}}_a = f^{-1}(\hat{y}_a)$  and  $\hat{\mathbf{x}}_b = f^{-1}(\hat{y}_b)$ :

$$l_{\hat{Y}}(\hat{\mathbf{x}}_a, \hat{\mathbf{x}}_b) = \log \left( \frac{Pr\{\mathbf{X} = \mathbf{x}_{obs} | \hat{\mathbf{X}} = \hat{\mathbf{x}}_a\}}{Pr\{\mathbf{X} = \mathbf{x}_{obs} | \hat{\mathbf{X}} = \hat{\mathbf{x}}_b\}} \right). \quad (6)$$

This constrained optimisation problem could be solved to calculate an exact value for privacy loss. Alternatively, an upper bound on privacy loss can be determined using a far simpler calculation (the sum of privacy losses for each individual sensor):

$$\begin{aligned}l_{\hat{Y}}(\hat{\mathbf{x}}_a, \hat{\mathbf{x}}_b) &= \log \left( \prod_{u=1}^n \frac{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,a}\}}{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,b}\}} \right), \\ &\leq \log \left( \prod_{u=1}^n \frac{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,c}\}}{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,d}\}} \right),\end{aligned} \quad (7)$$

where:

$$\hat{x}_{u,c} = \underset{\hat{x}_{u,c}}{\operatorname{argmax}} Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,c}\},$$

$$\hat{x}_{u,d} = \underset{\hat{x}_{u,d}}{\operatorname{argmin}} Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,d}\},$$

i.e. the constraint  $f^{-1}(\hat{y})$  has been removed. Equation 7 can be interpreted as the sum of the privacy losses incurred by the  $X$  variables i.e.  $\sum_{u=1}^n l_{X_u}$ .  $Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_u\}$  is simply the Laplace distribution of the noise applied to the measurement represented by  $\hat{X}$ , centred on value  $\hat{x}$ .

Note that this privacy loss is incurred when all values  $x_{1,obs}$  to  $x_{n,obs}$  are provided to the outside world (i.e. the event where an attacker transitions from having no information to the system to being provided with  $x_{1,obs}$  to  $x_{n,obs}$ ); for each subsequent individual query response  $x_{u,obs}$ , the resulting privacy loss is only:

$$l_{\hat{Y}}(\hat{\mathbf{x}}_a, \hat{\mathbf{x}}_b) = \log \left( \frac{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,a}\}}{Pr\{X_u = x_{u,obs} | \hat{X}_u = \hat{x}_{u,b}\}} \right), \quad (8)$$

where values for  $\hat{\mathbf{x}}_a$  and  $\hat{\mathbf{x}}_b$  are the same as those used in Equation 6 (if calculating exact privacy loss) or Equation 7 (if calculating an upper bound).

Since the Newton language recently gained a mutual information operator, the author attempted to factor mutual information into this calculation. Unfortunately, it appears that mutual information alone does not provide enough information to calculate indirect privacy loss — the exact nature of the correlation between two (or more) random variables is required i.e. the conditional distribution for the unknown variable given known ones:

Define  $\hat{X}$  and  $X$  as before and let  $\hat{Y}$  be a random variable correlated with  $\hat{X}$ . Both  $\hat{X}$  and  $\hat{Y}$  can take values within some range (e.g. due to finite sensor precision):

$$\hat{X} \in R_{\hat{X}}, \hat{Y} \in R_{\hat{Y}},$$

The mutual information  $I(\hat{X}; \hat{Y})$  is defined as:

$$I(\hat{X}; \hat{Y}) = \int_{R_{\hat{Y}}} \int_{R_{\hat{X}}} p(\hat{X}, \hat{Y}) \log \left( \frac{p(\hat{X}, \hat{Y})}{p(\hat{X})p(\hat{Y})} \right) d\hat{X} d\hat{Y}, \quad (9)$$

where  $p()$  denotes the probability density function for a random variable. The author has been unable to insert this value into the privacy loss equation, however a value for privacy loss can be obtained if the conditional distribution of  $\hat{X}$  given  $\hat{Y}$  is known, as this allows the conditional distribution of  $X$  given  $\hat{Y}$  to be calculated:

$$Pr\{X = x | \hat{Y} = \hat{y}\} = \int_{R_{\hat{X}}} Pr\{X = x | \hat{X} = \hat{x}\} Pr\{\hat{X} = \hat{x} | \hat{Y} = \hat{y}\} d\hat{x}. \quad (10)$$

Equation 10 can be substituted into Equation 11, the formula for privacy loss incurred by  $\hat{Y}$  as a result of observing a value  $x_{obs}$  for  $X$ . This results in Equation 12:

$$l_{\hat{Y}}(\hat{y}_a, \hat{y}_b) = \log \left( \frac{\Pr\{X = x_{obs} | \hat{Y} = \hat{y}_a\}}{\Pr\{X = x_{obs} | \hat{Y} = \hat{y}_b\}} \right) \quad (11)$$

$$= \log \left( \frac{\int_{R_{\hat{X}}} \Pr\{X = x_{obs} | \hat{X} = \hat{x}\} \Pr\{\hat{X} = \hat{x} | \hat{Y} = \hat{y}_a\} d\hat{x}}{\int_{R_{\hat{X}}} \Pr\{X = x_{obs} | \hat{X} = \hat{x}\} \Pr\{\hat{X} = \hat{x} | \hat{Y} = \hat{y}_b\} d\hat{x}} \right), \quad (12)$$

for  $\hat{y}_a, \hat{y}_b = \text{argmax}_{\hat{y}_a, \hat{y}_b}(l_{\hat{Y}})$  as before.

## C Hardware Entropy Source Schematic and PCB





## D EuroSys 2019 Poster: Safeguarding Sensor Device Drivers Using Physical Constraints

This poster [10] was submitted to EuroSys 2019, to communicate the idea of using information about a physical system to condition electronic sensor measurements. The example discussed in the poster is the detection and safeguarding against transduction attacks [23], where an attacker manipulates a sensor’s output to gain control over a system. For example, research by Liu, Yan and Xu [24] has shown that the proximity sensors on a Tesla automobile can be fooled into providing erroneous (or even no) data using ultrasonic interference produced by a device built using off-the-shelf electronic components. An attacker is able to influence the system’s behaviour without needing to directly manipulate the execution of the vehicle’s firmware.

The poster illustrates how the Newton language can be used to describe a physical system, in this case an accelerometer mounted to a PCB without vibration isolation. In this scenario, vibrations of the PCB (e.g. due to a nearby loudspeaker or even, in the case of a smartphone, due to loudspeakers mounted to the PCB) are measured by the accelerometer, obscuring a *true* acceleration measurement i.e. acceleration of the entire system due to gravity. This effect is particularly pronounced if the board is driven at its resonant frequency, since the resulting oscillation will have a greater amplitude [25]. This phenomenon could, in theory, be used as part of a transduction attack e.g. where a smartphone’s loudspeaker is used to interfere with a software application’s estimate of the device’s physical orientation.

To test whether this phenomenon can be distinguished from regular measurement noise, the author performed an experiment [26] using an MMA8451Q accelerometer mounted on an FRDM-KL03Z board. With the sensor resting stationary on a horizontal surface, five minutes worth of accelerometer samples were recorded at 10Hz in order to obtain a probability distribution for the accelerometer’s measurement noise (along the z axis, aligned with the vertical); this data was empirically observed to fit a Laplace distribution. This measurement was then repeated with the board resting on top of a smartphone playing a 440Hz audio tone — in theory, this data (random samples from a sinusoid) would fit a bimodal beta distribution (see section D.1 for derivation) allowing a log likelihood ratio to be computed:

$$LLR = -2 \sum_{i=1}^N \frac{\frac{1}{\pi} \left| \frac{1}{\sqrt{A^2\omega^4 - \ddot{x}_i^2}} \right|}{\frac{1}{2b} \exp\left(-\frac{|\ddot{x}_i - \mu|}{b}\right)} \quad (13)$$

The value of this log-likelihood ratio indicates whether the audio tone based transduction attack described here is likely to be occurring. For the data collected in the experiment, the log-likelihood ratio was found to be around -24600.08 whilst the tone was playing, and +3731 when it was not; the negative value indicates that the measurements taken whilst the tone was playing were indeed more accurately described by the bimodal beta distribution, compared to the Laplace distribution of sensor noise, and vice versa for the positive value.

## D.1 Derivation of Bimodal Beta Distribution

Let  $T$  be a uniformly distributed random variable representing the time at which acceleration is sampled:

$$T \sim U\left(-\frac{\pi}{\omega}, \frac{\pi}{\omega}\right),$$

$$f_T(t) = \begin{cases} \frac{\omega}{2\pi} & -\frac{\pi}{\omega} \leq t \leq \frac{\pi}{\omega} \\ 0 & \text{otherwise} \end{cases}, \quad (14)$$

$$F_T(t) = \begin{cases} 0 & t < -\frac{\pi}{\omega} \\ \frac{\omega(t+\pi/\omega)}{2\pi} & -\frac{\pi}{\omega} \leq t \leq \frac{\pi}{\omega} \\ 1 & t > \frac{\pi}{\omega}. \end{cases} \quad (15)$$

Then let  $X = g(T)$  represent the acceleration value at time  $T$ . By considering the dynamics of the system, we know that:

$$g(t) = A\omega^2 \sin(\omega t), \quad (16)$$

where  $A$  is a frequency-dependent constant equal to the product of quality factor and board displacement at resonance. We can also define a monotonically increasing function  $h(x)$  as the inverse of  $g(t)$ :

$$h(x) = g^{-1}(x) = \frac{1}{\omega} \arcsin\left(\frac{x}{A\omega^2}\right). \quad (17)$$

The cumulative distribution function for  $X$  can therefore be written in terms of the cumulative

distribution function for T, accounting for the fact that  $g(t)$  is not monotonic:

$$F_X(x) = F_T(h(x)) + \left(1 - F_T(\pi/\omega - h(x))\right). \quad (18)$$

Taking the derivative results in the probability density function for X:

$$f_X(x) = \left(f_T(h(x)) - f_T(-h(x))\right) \frac{d(h(x))}{dx} \quad (19)$$

$$= \begin{cases} \frac{1}{\pi\sqrt{A^2\omega^4-x^2}} & |x| \leq A\omega^2 \\ 0 & \text{otherwise} \end{cases}. \quad (20)$$