Entropy harvest and key derivation from the image sensors in IP camera

Structure of IP camera

The basic configuration of an IP camera for communication with encrypted video data is shown in Figure 1. In this figure, the image sensor module receives analog video data and digitizes it, and the camera application performs video data processing and overall camera control. The cryptographic module provides random bits for key derivation and encrypts digitized data. In addition, the RNG of the cryptographic module may use an external hardware randomness source. The network module performs the process of transmitting encrypted video data over the network.

Figure 1. Structure of IP camera.

The encryption process of the secure IP camera is as follows. When a user establishes IP communication with a camera through a device, the user device and the camera have to share a symmetric key for encrypting and decrypting video data. In general, the encryption key is shared using key agreement protocol or public key cryptography. The data can be encrypted with a symmetric encryption algorithm using their shared key. The following steps show a typical process using public key cryptography.

Step 1)   Public key generation for user device: The user's device generates a private key $$ sk $$ based on the user ID and PW or the device information, and a corresponding public key $$ pk $$.

Step 2)   Symmetric key generation on IP camera: The camera generates a secret symmetric key $$ k $$ using RNG.

Step 3)   Encrypting and sending the symmetric key: When communication is established, the IP camera encrypts the symmetric key $$ k $$ using the public key $$ pk $$, and sends the encrypted key $$ E_{pk}(k) $$ to the recipient (user device).

Step 4)   Symmetric key decryption: The user device decrypts $$ E_{pk}(k) $$ into $$ k $$ using the private key $$ sk $$ and stores it.

Step 5)   Video data encryption: The IP camera encrypts video data $$ P $$ into $$ C $$ using the symmetric key $$ k $$ and sends it to the user device.

Step 6)   Video data decryption: The user device decrypts received data $$ C $$ into $$ P $$ using the symmetric key $$ k $$ to obtain video data.

The symmetric key can be updated whenever the user device establishes communication. In this case, we can consider several methods to share a new symmetric key $$ k' $$ and encrypt the video data. One method is that the IP camera encrypts the new symmetric key $$ k' $$ with $$ pk $$ and sends $$ E_{pk}(k') $$ to the user device, and then encrypts the video data with $$ k' $$. Instead of sending them separately, the encrypted key $$ E_{pk}(k') $$ and video data $$ C $$ can be concatenated as $$ E_{pk}(k')|| C $$.

Security threat model for IP cameras

Regardless of the encryption process adopted, the IP cameras still have vulnerable points. Figure 1 shows these points as numbers 1, 2, 3, and 4. Unfortunately, these vulnerabilities come from network functionality, which is the main aim of the IP camera. For example, some malicious attackers may insert their IP addresses as another destination of IP communication and receive the camera data at the same time as legitimate users. The IP addresses for this attack are generally concealed in the network-enabled camera module. Also, secret messages such as the location of the camera can be embedded using steganography. Therefore, IP cameras with black-box components have potential vulnerabilities.

Moreover, if the module associated with the encryption process is also kept as a black box, it may contain hidden paths such as the covert or subliminal channel. Butler Lampson and Gustavus Simmons showed that even in the cryptographic communication, it is possible for certain communicating parties to establish a hidden channel among them without revealing information to anyone else. In addition to confidentiality, availability, non-repudiation, and integrity, they noted that there are additional conditions that a cryptosystem must satisfy^[23]. The hidden channel that can appear in an IP camera whose internal structure is unknown to the public is called the covert channel or the subliminal channel. The subliminal channel is a kind of covert channel that uses cryptographic techniques.

Covert channel, introduced by Lampson in 1973, is a channel "not intended for information transfer at all, such as the service program's effect on system load", which is distinguished from a legitimate channel that controls the communication access according to computer security policies^[24]. An example of an attack using this channel is steganography in which the attacker hides a secret message in an original message so that other participants are unaware of the existence of the hidden channel. Therefore, it is possible for a malicious camera manufacturer to create covert channels on the image sensor module and network module to perform a steganography attack^[25–27].

The subliminal channel, proposed by Simmons in 1984, differs from a typical covert channel in that "even if the monitor knows what to look for, he can't discover either the message or the usage of the channel"^[28]. This channel guarantees computational concealment based on cryptographic techniques. When a backdoor is created or when a hidden message is sent through the channel, the channel's existence is less likely to be detected or the hidden message revealed compared to a typical covert channel. The kleptographic attack is an exquisite example of the attack using a subliminal channel, which creates an asymmetric backdoor. In the SETUP attack, using the backdoor in the RNG related to the key generation, the attacker can extract the private key from the corresponding public key^[29]. This attack is hardly detected by the security evaluation of black-box modules without a thorough investigation of the internal components.

In the aforementioned structure, as shown in Figure 1, backdoors can be found in several components. Table 1 summarizes the hidden channels established by backdoors that can be found in IP cameras.

To prove the absence of the backdoors, architectures and components should be investigated thoroughly by the validation programs. This would enable users to conduct thorough security assessments, including validation through recognized programs such as the Cryptographic Module Validation Program (CMVP) or the Common Criteria (CC). Such an approach would significantly contribute to mitigating the potential threats of IP cameras.

Dark shot noise

Without any additional hardware noisesources, IPcamerascan utilize darkshot noiseasa physical noisesource because each optical black pixel (OBP) in the image sensor can be regarded as an independent noise source^[32]. A shot noise-based quantum RNG (QRNG) proposed in 2014 by Sanguinetti et al. extracts raw random data in parallel from multiple pixels in a single image sensor^[33]. According to the noise source classification of RNGs presented at the NIST International Cryptographic Module Conference in 2021, the shot noise from image sensors is classified as a quantum random number, and image sensors can be used to generate quantum random numbers by taking photon shot noise or dark shot noise. While a photon shot noise-based RNG requires a dedicated light source, a dark shot noise-based RNG uses pixels on the boundary of the image sensor. However, the speed of the random number generation of dark shot noise is relatively slower due to the smaller number of pixels and noise bits.

Entropy pools in LRNG

The LRNG has three types of entropy pools: input, blocking, and non-blocking pools, as shown in Figure 3^[35]. The input pool is a 512-byte pool that accumulates entropy to deliver high entropy when the noise source data is requested from the blocking or non-blocking pool. The blocking pool and non-blocking pool are both 128-byte output pools. When data is accumulated in the pool through the mixing function, the entropy of the pool increases and the entropy counter goes up. Conversely, when a random number is extracted, the entropy of the pool decreases and the counter goes down. The blocking pool would not produce any output when it does not hold enough entropy.

Figure 3. Structure of the Linux kernel RNG.

As shown in Figure 3, all three pools have counters that indicate the amount of entropy in the pool. With these entropy counters, which interoperate with the entropy estimation function and extract function, LRNG roughly and empirically estimates the entropy. We describe the details of the entropy evaluation further.

Entropy pools in WRNG

The entropy pools of WRNG consist of an input pool and an output pool as shown in Figure 4. The input pool accumulates data collected from various noise sources, and the output pool stores data with high entropy for output generation^[36]. The data from noise sources are accumulated in the input pool through a win-reseed function that consists only of bit shift and exclusive-or (XOR) operation. In 2020, Dodis et al. proved that this function theoretically guarantees the lower bound of min-entropy^[37]. The hash function SHA-512 is used to transfer data from the input pool to the output pool and the cascade of deterministic random bit generators (DRBG) using the Advanced Encryption Standard (AES) block cipher generates random bits from the output pools.

Figure 4. Structure of the Windows 10 RNG.

Unlike the LRNG, which managesentropy usinga mixing functionandcounter witha hash function toensure the randomness of output random numbers, the WRNG uses simple bitwise operations for the input pool to accumulate entropy, and a hash function for the output pool. After accumulating entropy, the randomness of the output is guaranteed by RNG test, which determineswhether the data is sufficiently randomat the final step. WRNG does not use counters in either pool. Instead, it performs the RNG test before generating a random number for the user's request.

NIST SP 800-90B

SP 800-90B is a standard document for entropy source design and evaluation published by NIST in 2018. It measures the min-entropy of a source of randomness by applying conservative threshold^[38]. The entropy measurement process of SP 800-90B consists of checking whether the data is IID or not, estimating the entropy, reducing the overestimation of the entropy through a restart test, and estimating the entropy. NIST provides the estimation tool consisting of their track.

● Determine the track: The entropy estimation track depends on the type of data: IID or not. We set the null hypothesis ( $$ H_0 $$) as 'data is IID' and try to find counterevidence for it. In SP 800-90B, the process of finding counterevidence is called the Permutation test which consists of 11 tests. Furthermore, there are five Chi-square statistical tests to check for additional statistical problems.

● IID track estimate: For IID data, the entropy is estimated using the Most Common Value Estimate. The estimation calculates the maximum probability with the most frequently occurring sample, and calculates min-entropy as the upper bound using the 99% confidence interval estimation method.

● Non-IID track estimate: For non-IID data, the entropy is estimated by ten tests for non-IID track. Then, the smallest value among these is selected as min-entropy of the data.

● Restart test: The purpose of the restart test is to prevent overestimation of entropy. This test constructs a matrix with samples obtained from the RNG using the target noise source, calculates the minimum entropy for the rows and columns, and selects the minimum of them as min-entropy of the data.

● Conditioning component: The optional conditioning component uses a deterministic function to reduce the bias and increase the entropy rate of output.

ISO/IEC 20543

ISO/IEC 20543 (Testandanalysis methods for random bit generators with ISO/IEC 19790and ISO/IEC 15408) is a standard document published in 2019^[39]. It provides guidance on statistical testing and entropy evaluation referring to NIST's SP 800-90B, SP 800-22, and the Federal Office for Information Security (BSI)'s AIS.31. For this purpose, RNG should be designed based on a stochastic model and heuristic analysis of the noise source.

Fast entropy accumulation in WRNG ^[36]

In Windows 10, the entropy accumulation mechanism of WRNG uses bit permutations and bitwise XOR operations iteratively on digitized noise source $$ Y_1, Y_2, \ldots, Y_l $$. The security of the entropy accumulation in WRNG has not been fully explained yet, but Dodis et al. demonstrated that if the distribution of noise source satisfies certain conditions, the entropy accumulation through appropriate bit permutations guarantees the lower bound on min-entropy^[37]. To explain this precisely, they introduce two definitions: 2-monotone distribution and covering number.

Definition 3.1 (Covering number)    For a permutation$$ \pi :\left\{0, 1, \ldots , n-1\right\} \rightarrow \left\{0, 1, \ldots , n-1\right\} $$and an integer$$ t $$satisfying$$ 1\leq t \leq n $$, the covering number$$ C_{\pi, t} $$is the smallest integer$$ m $$that satisfies the following:

If such an integer$$ m $$does not exist, then$$ C_{\pi, t}:=\infty $$.

The covering number of a permutation refers to the minimum number of repetitions needed to output all possible elements of the permutation at least once. Therefore, the efficiency of the permutation increases as the covering number of the permutation decreases.

Definition 3.2 (two-monotone distribution)   A probability distribution$$ D_X$$of ann-bit random variableXover$$ \mathbb{Z}_{2^n} $$follows atwo-monotone distributionif its probability mass function$$ p $$on$$ \left\{0, \ldots, 2^n-1\right\}$$is a monotone function on both intervals$$ [ 0, i ] $$and$$ [ i+1 , 2^n-1] $$for some$$ 0 \leq i \leq 2^n-1 $$.

That is, a probability distribution $$ D $$ is defined as a two-monotone distribution if it has at most one local extremum point.

One of the main findings of Dodis et al.^[37] is that entropy can be accumulated for independent n-bit random variables $$ Y_1, Y_2, \ldots, Y_l $$ through bitwise XOR operations and bit permutations. Specifically, given that the probability distributions \(D_{Y_1}, D_{Y_2}, \ldots, D_{Y_l} \) of $$ Y_1, Y_2, \ldots, Y_l$$ have a min-entropy of at least $$ k $$ and are two-monotone distributions, the number $$ l $$ of iterations required to ensure a lower bound $$ h $$ on the min-entropy per bit of output is directly proportional to $$ h $$ and $$ k $$, and inversely proportional to the covering number $$ C_{\pi, t} $$ of bit permutation $$ \pi $$. Theorem 3.1 states this precisely.

Theorem 3.1   ^[37]Suppose that the$$ n $$-bit random variables$$ Y_{1}, Y_{2}, \ldots, Y_{l} $$satisfy the following three conditions:

ⅰ) The distributions$$ D_{Y_1}, D_{Y_2}, \ldots, D_{Y_l} $$are two-monotone distributions.

ⅱ) The distributions$$ D_{Y_1}, D_{Y_2}, \ldots, D_{Y_l} $$have a min-entropy of at least$$ k $$ ( $$ k \geq 2 $$).

ⅲ)$$ Y_1, Y_2, \ldots, {Y_l} $$are independent.

For a bit permutation$$ \pi : \left\{ 0, 1, \ldots, n-1 \right\}\rightarrow \left\{0, 1, \ldots, n-1 \right\} $$and$$ k'=\left\lfloor \dfrac{k}{2} \right\rfloor $$, define the covering number$$ m $$as$$ m=C_{\pi, k'} $$and the linear transformation corresponding to the bit permutationπasA_π. Then, if we define$$ \Lambda_\pi^{(l)}:=A_\pi^{l-1}\left(Y_1\right) \oplus A_\pi^{l-2}\left(Y_2\right) \oplus \ldots \oplus Y_l$$, the following holds forl ≥ m:

The following Algorithm 1 is based on WRNG entropy accumulation mechanism and utilizes a sequence of n-bit input data $$ Y_1, Y_2, \ldots$$, which satisfy the three conditions of Theorem 3.1, to accumulate entropy. Given an algorithm, it is guaranteed that the accumulated Rn-bit data $$ \left(X_1, X_2, \ldots, X_R\right)$$ have an entropy at least h per bit.

Figure 5 represents the process of accumulating entropy using a permutation that shifts $$ 8 $$-bit data to the left by $$ 1 $$ bit.

Figure 5. WRNG entropy accumulation.

XOR entropy accumulation^[41]

In 2023, the XOR-based entropy accumulation mechanism was proposed by Choi et al^[41]. The following mechanism accumulates entropy using only XOR operations without hash functions.

Assume that the n-bit random variables $$ Y_1, Y_2, \ldots, Y_l$$ from the noise source are independent. Denote the bit vector representation of each $$ Y_i$$ by $$ Y_i=\left(Y_{i 1}, Y_{i 2}, \ldots, Y_{i n}\right)$$. Also, define $$ \Gamma^{(l)}=\sum_{j=1}^l Y_j$$. For n=1, by Theorem 3.2, the probability that $$ \Gamma^{(l)}=Y_1 \oplus Y_2 \oplus \cdots \oplus Y_l=0$$ converges to 1/2 as l increases ^[42]. However, if $$ Y_1, Y_2, \ldots, Y_l$$ are extended to n ≥ 2 bits, while the probability of each bit being zero converges to 1/2, the min-entropy of $$ \Gamma^{(l)}$$ does not converge to n since the independence between the bits $$ Y_{i j}$$ of each random variable $$ Y_i$$ cannot be guaranteed. One of the primary results from Choi et al.^[41] is that if the distribution of n-bit random variables $$ Y_1, Y_2, \ldots, Y_l$$ satisfies specific conditions, the probability distribution $$D_{\Gamma^{(l)}} $$ converges to a uniform distribution as l increases. Based on this result, Theorem 3.3 guarantees the lower bound on the min-entropy of $$D_{\Gamma^{(l)}} $$.

Theorem 3.2 (Piling-up Lemma)  Let$$ Y_i$$$$ (1 \leq i \leq n)$$be 1-bit random variables that are independent of each other, with the probability of being 0 as$$ p_i$$and the probability of being 1 as 1 - p_i. Then, the following holds.

Theorem 3.3   Let$$ Y_{1}, Y_{2}, \ldots, Y_{l} $$be independent$$ n $$-bit random variables, and define$$ \Gamma^{(l)} := Y_{1} \oplus Y_{2} \oplus \ldots \oplus Y_{l} $$and$$ \omega := \min\{ {\| D_{Y_1}\Vert}_{\min}, {\| D_{Y_2}\Vert}_{\min}, \ldots, {\| D_{Y_l}\Vert}_{\min} \} $$. Then for$$ \omega > 0 $$, the following holds:

Algorithm 2 is based on the XOR entropy accumulation mechanism and uses n-bit noise sources $$ Y_1, Y_2, \ldots$$ that satisfy the conditions of Theorem 3.3 to accumulate entropy. The algorithm in Figure 6 guarantees that all R accumulated n-bit data have an entropy of at least h per bit.

Figure 6. XOR entropy accumulation.

Basically, both algorithms require the independence of n-bit noise sources $$ Y_1, Y_2, \ldots$$ and additional conditions. The noise sources used in WRNG entropy accumulation should be two-monotone distributions. Additionally, the corresponding covering number for the permutation used must be finite. On the other hand, the noise sources used in the XOR entropy accumulation must have a minimum probability greater than zero. If an element with a probability of zero exists in some distribution, it has to be eliminated from the sample space to apply the XOR entropy accumulation mechanism. However, if the intersection of the supports of all distributions is an empty set, the mechanism cannot be employed. Therefore, depending on the nature of the distribution, one of both entropy accumulation mechanisms can be chosen.

Figure 7 represents the distributions suitable for each mechanism. In distribution 7a, the minimum probability is greater than or equal to $$ 0.02 $$ allowing the application of the XOR entropy accumulation mechanism, but it is not a 2-monotone distribution, so the Window entropy accumulation mechanism cannot be applied. Additionally, the distribution 7b follows a 2-monotone distribution, allowing the application of the WRNG entropy accumulation. However, XOR entropy accumulation cannot be employed since its minimum probability is zero.

Figure 7. Pixel entropy distribution: (a) and (b) are examples of distributions suitable for applying XOR entropy accumulation and WRNG entropy accumulation, respectively.

Health Tests for each OBP

Health tests for each OBP are performed at the pixel level and consist of two types of tests:

ⅰ. Repetition Count Test: This test is designed to assess whether a specific bit value appears continuously at a particular OBP position. If the same bit value appears consecutively beyond a predetermined threshold, the OBP is excluded from the noise source.

ⅱ. Adaptive Proportion Test: This test is designed to evaluate the repetition frequency of the initial input bit value at a specific OBP position. If the bit value occurs more than a predetermined threshold, the OBP is excluded from the noise source.

These tests are designed based on NIST SP 800-90B, and any OBP that returns a failure in the test is excluded from the noise source. If the ratio of error pixels to the total number of OBPs exceeds the threshold, the image sensor is considered unsuitable as a noise source and the entropy harvesting process is inhibited.

Health Tests for entire OBP

The health test for the entire OBP is conducted on a frame-by-frame basis upon user request. Whereas the previous tests are health tests for each OBP, this health test considers the data from entire OBPs as a single frame and performs the health test on this aggregated data. This test consists of two types of evaluations, each specifically designed for parallel noise sources.

ⅰ. Monobit Test per Frame: This test is designed to examine whether all bits in the output data from the noise source are uniformly distributed. If the distribution of bits from the noise source is skewed towards a particular value beyond a predetermined threshold, the noise source for the entire OBP is deemed inappropriate.

ⅱ. Poker Test per Frame: This test checks whether all values output from entire OBP within a frame are uniformly distributed across intervals classified by distribution characteristics. If the output data is heavily concentrated in a specific interval, the noise source for the entire OBP is considered inappropriate.

If an OBP fails either of these evaluations consecutively beyond a predetermined threshold, the noise source is deemed unsuitable for the random number generation.

When a health test designed for a single noise source is directly applied to parallel noise sources, the examination proceeds to the next OBP only after completing the check for one OBP. Consequently, the test must continue until a certain number of malfunctioning OBPs are discovered. If the malfunctioning OBPs are clustered towards the end of the testing sequence, the detection of the noise source malfunction is delayed until reaching that position. In contrast, a health test designed using the characteristics of parallel noise sources can determine the malfunction of the entire noise source at once without checking each OBP individually, allowing for a quicker halt in the random number generation. Thus, applying these health tests on an IP camera image sensor can detect noise source malfunctions more rapidly than applying a single noise source health test while ensuring a similar assurance level of noise source. The two types of health tests were executed on a PC environment with an Intel(R) Core(TM) Ultra 7 155H CPU. For an input size of 20MB, both tests recorded an execution time of 0.005 seconds, which is sufficient to execute health tests on-the-fly even in an embedded environment.

Lightweight block Cipher LEA

The block cipher Lightweight Encryption Algorithm (LEA) is an efficient encryption algorithm in constrained environments. LEA-128 is about 1.7 times faster than AES-128 on ARM platform^[44]. It was established as a national standard of South Korea (KS X 3246) in 2013 and as an ISO/IEC standard for lightweight block ciphers (ISO/IEC 29192-2:2019) in 2019. LEA is designed with the ARX (Addition, Rotation, XOR) operation to manage resources efficiently in a software environment. The modular addition is the only non-linear part, replacing the S-box of AES. The ARX structure allows the use of basic instructions provided by the processor, resulting in fast computation speeds, and does not require additional memory to store non-linear substitution tables. Depending on the key size for the required security level, the specifications of LEA are categorized as LEA-128, LEA-192, or LEA-256, as shown in Table 2^[44].

Figure 10 illustrates the structure of the LEA round function used in the encryption and decryption processes. The input to the round function is utilized in the internal operations as an array of 32-bit words. The internal operations constituting the round function are defined as follows: $$ \boxplus $$ denotes 32-bit addition, $$ \oplus $$ represents bitwise exclusive OR (XOR), and $$ {\rm ROL}_n $$ ( $$ {\rm ROR}_n $$) indicates n-bit left (right) rotation operations, respectively.

Figure 10. Structure of one round of the block cipher LEA: (a) represents the one round encryption and (b) represents the one round decryption. These algorithms are inverses of each other^[44].

PRNG

A PRNG is a deterministic algorithm to generate pseudorandom numbers^[45]. The input seed of a PRNG should contain sufficient entropy to generate secure random bits. A PRNG takes an input seed from the entropy pool which is preferably close to full entropy. To condense data from the pool to a seed, we can apply one of the six vetted conditioning functions specified in NIST SP 800-90C to ensure the entropy level in the seed^[46]. Considering the cryptographic moduleand its operating environment, wechoose one of three PRNG mechanisms specified in NIST SP 800-90A.

Considering the efficient implementation of the cryptographic module using block ciphers, we choose the Counter Mode Deterministic Random Bit Generator (CTR-DRBG) with LEA as its primitive. It has a small memory footprint, making it well-suited for lightweight environments such as IP cameras. Additionally, it can achieve speed enhancements through parallel implementation.

KDF

The KDF is the final step in creating an encryption key. When mapping such data into bitstrings of the required length through truncation or other heuristic methods, entropy loss may occur, potentially amplifying bias. Therefore, there is a need for a KDF to generate keys of desired length with high entropy^[47]. The KDF mechanisms are specified as one-step key derivation, or two-step key derivation by NIST^[48].

Entropy harvest from image sensors

The FHD image sensor PV4209K utilizes the top eight rows, comprising $$ 1920 \times 8 $$ OBPs, as noise sources, while encrypting the image of $$ 1920 \times 1080 $$ pixels excluding the OBPs. The image sensor of the IP camera that we use in the experiment cannot directly extract dark shot noise but outputs only the luminance information $$ Y $$ data of the image. The $$ Y $$ data is a linear combination of information from adjacent pixels as described in Section ''ENTROPY HARVEST''. In the environments, the process of generating random numbers and deriving keys proceeds as follows: First, we estimate the probability distribution of 15,360 OBPs from the top eight rows of the image sensor used as noise sources. To estimate the OBP distribution, we utilized 8-bit data from 15,000 frames, satisfying two specific properties from 7,513 OBPs.

1. The distribution follows a 2-monotone distribution.

2. The distribution has a min-entropy of at least 2.

$$ Y $$ data depends on adjacent OBPs, so independence testing is necessary. Based on the independence test in Section ''ENTROPY HARVEST'', we select 3,782 OBPs with stride of 2 among the 7,513 OBPs.

The distribution of $$ Y $$ data obtained from discriminated OBPs satisfies all three assumptions of WRNG entropy accumulation mechanism but does not satisfy those of XOR entropy accumulation mechanism. Therefore, we employ Algorithm 1 as the entropy accumulation mechanism. Higher min-entropy of the noise source distribution contributes to the efficiency of entropy accumulation. In this experiment, we statistically check the min-entropy of each OBP to be at least 2. With $$ k'=\left\lfloor \dfrac{k}{2} \right\rfloor=1 $$, we use the permutation $$ \pi=rot_{(1, 8)} $$ where the covering number $$ m=C_{\pi, k'}=8 $$.

We aim to achieve entropy per bit of $$ 0.99 $$ or higher, and Algorithm 1 performs 62 XOR operations for accumulation with

Table 3 presents the experimental results of entropy accumulation speed. Iterating seven times, we confirm that random numbers are generated at an average speed of 7.3 kbps.

The camera used in the experiment outputs 15 frames per second, allowing for the generation of 915 8-bit random numbers that satisfy a min-entropy of 0.99. When these outputs are used as the seeds for the PRNG, considering the operation speed of the RNG, it is sufficient to provide random bits without delay for updating symmetric keys every minute. Furthermore, using the entropy estimation algorithm from NIST SP 800-90B, we confirmed that the min-entropy per bit in the entropy pool, generated using the accumulation mechanism, is greater than 0.99, as shown in Figure 12^[38].

Figure 12. Min-entropy test result.

On the other hand, it was demonstrated that when utilizing a noise source that satisfies the conditions of Theorem 3.3, the output from the XOR entropy accumulation algorithm has a min-entropy exceeding 7.86 per byte^[41].

Video encryption

We have selected LEA-CTR-GCM as encryption algorithm for the video data. Galois/Counter Mode (GCM) is a block cipher mode of operation that provides authenticated encryption using a binary Galois field for universal hashing. GCM mode ensures confidentiality, integrity, and authentication altogether. Using CTR mode enables parallel implementation even in a constrained environment such as IP cameras.

Figure 13 illustrates the demonstration of video encryption in an IP camera. It shows both the encrypted video received from the camera and the decrypted video.

Figure 13. Demonstration of video encryption.