Kein Folientitel

True Random Number Generation
Using Quantum Mechanical Effects
Luděk Smolík
April 2003
Where do we need random numbers ?




Science, technology, business
(MC-simulation), period 2800
Secure communication protocols
( SSL, IPSec, ISDN, GSM, .... )
Cryptography (Inet-Api e.q.
PGP, home banking, ..... )
„Strong“ cryptography ( ES-Act,.....)
DRNG
„TRNG“- seed
+ DRNG
„commercial
TRNG“
TRNG, QNG
unpredictable !!
Communication Protocols + Cryptography





„Seeds“ for DRNG (e.q. Challenge Response).
„Padding Bits“, fill the empty bits in data blocks.
„Blinding Bits“ , overwrite the bits during erasing.
Generation of Symmetric and Asymmetric Keys.
Random Prime Numbers as a source for keys for
electronic signature (prototype for the highest
security application at all).
Commercial Definition of a realistic TRNG (CC, ITSEC)
TRNG
Source
Source
of
of
noise
noise
DRNG
Seed
Sampling
Sampling
DigitiDigitising
sing
Cryptographic
post-processing
Inernal
state
Internal random
sequence
Output
Random numbers sequence
Output
State function
Types of Noise Sources
 Many kinds of macroscopic collective phenomena:
stochastic movement of particles in a volume,
trajectories of small planetoids or asteroids,
......
electronic noise (Thermal-Noise, Shot-Noise,
pn-Noise, Zener-Diodes, Josephson-junction...).
 Single quantum mechanical effects in the
microscopic dimension :
Radioactive decay
(number of decay in a particular time interval,
decay time spectrum...).
Quantum effects of single elementary particles
(photon, electron, K ....), EPR-phenomenon.
?
Electronic Noise
V
Z-Diode
Amplifier
Filter
Huge number of
charge carrier
p
-
-
-
+
+
+
Discriminator
I
Avalanche noise
im pn-junction
n
U
-6V
BUT !!! Autocorrelation in the
output sequence
T< T
I
kT
RD 
eI DC
Noise with Splitting Single Photon Beam
Smart source for QM noise are single photons or other
elementary particles !
Wave-particle duality at single photons
Source of
light
50:50 mirror
or PBS
PM
LED driven by max.
a few hundred μA ...
low coherence length tc < 1ps
Flip Flop
„1“ and „0“
...0010011...
PM
Rate of mostly single photons
with few MHz is achievable
BUT!!! the guarantee for single photons rate is not absolute sure,
50:50 mirror or PBS not perfect .
Noise with Radioactive Decay
R
C
A
HV
D
Anode (wires)
L&C
HV
PWC
Cathode (radioactive source)
Th-232
Radioactive source incandescent mantle with Thorium-232 :
α-decays with 4.083 MeV, few β-decays and γ-transitions
Ra-228
(the exemption limit for Th-232 is 10 kBq and the dose limit is 6 mSv/yr)
Sampling and Digitizing
Detector signal after
amplification
Electronic threshold
Discriminator signal
Time
Toggle f lip-f
lip-flop running with 15 MHz
“0”
“1”
Output register
0110 0111001010010011010010111001
Output rate: 200Bq .... 2kBq (varied with HV, threshold and source activity)
Where is the randomness hidden?
The time between two decays is exponentially distributed,
p(t) is the probability of time interval t between two successive events.
p(t )  p0e t / t0
Measurement of really single quantum mechanical effects which
behave as perfect random source.
There is no deterministic prediction for the time t .
More !!! There is no theoretical need for such a prediction.
Unfortunately, the toggle flip-flop and the consecutive .
electronics can not be perfect.
This part of the apparatus is responsible for the occurrence.
of systematic effects for all TRNG !
Check of the Randomness
0001010110110011101010010101111010010010010110110010111010100010010100100
 100% sure demonstration is de facto impossible, because the
examined
sequence stays always finite !
 Try to compress the sequence by algorithmic procedure !
 Shannon (1948) : Entropy as a measure for information content.
n
H (n)   pi log 2 pi
i 1
!
p1 ->
p2 ->
p3 ->
p4 ->
„00“
„01“
„10“
„11“
n = 4,
theoretical pi = 1/4
H ( 4)  2
01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11
 There is a number of statistical tests on the market.
(Test-Batteries)
Experimental Data and Results
Input are many gigabits data from recorded radioactive decays,
data were divided into sequences of 4kB (32768 bits) length.
010101110100010100100010010010101..............................................1010010011110010100100110101
111001001010001001111001011110101..............................................1000101111010101101010110101
.
.
.
0101011101000101111110010010010101..............................................1010011110010101001010110101
Each 4kB sequence contributes with a χ2 number to the histogram of the
particular test.
Each χ2 histogram is then fitted by a one-parameter χ2 function and
the statistical significance can be checked.
Applied tests
I. Golomb criterion tests the ration between states „0“ and „1“ .
II. Golomb tests the occurrence of identical consecutive bits (runs).
…..0001010000010010101010101010000011111……
3 111
5
1
2 11.................................
5
5
III. Golomb tests the autocorrelation function by shift from 1 to max. 16 bits.
010010001001100101100010…………. 0010010001001
010010001101001100100010…………. 0010010001001
check the occurrence of pairs 00, 01, 10, 11
shift by 4
2 Poker tests the occurrence of pairs „00“, „01“, „10“, and „11“.
3 Poker the same for series „000“, „001“, „010 .... „111“.
4 Poker the same for series „0000“, „0001“, ...... „1111“ .
Example for 2 Poker Test
4
ni  40962
i 1
4096
 j2  
theory: 32768 / 4 • ½ = 4096
measured numbers: n1 „00“, n2 „01“, n3 „10“, n4 „11“,
0,254
Theory for
„0“ =„1“ = 0,5
0,253
0,252
0,251
p0 p0 = p0 p1 =
p1 p0 = p1 p1 = 0,25
0,25
0,249
0,248
0,247
0,246
00
01
10
11
2 poker pattern
Example χ2 Distribution for 2 Poker Test
0,25
fit by 1 parameter χ2 function
0,2
experiment
0,15
0,1
0,05
Chi**2
χ2
34
31
28
25
22
19
16
13
10
7
4
1
0
2 poker test
Results for Theory „0“ =„1“ = 0,5
Test Criterion
Mean Value
(Experiment)
Degree of Freedom
(Theory)
χ2 /
ndf
1st Golomb
2,0
1
59
2nd Golomb
11,3
11
2,4
3nd Golomb
16,1
16
0,95
2-Bit Poker
4,2
3
59
?
3-Bit Poker
8,1
7
30
?
4-Bit Poker
16,2
15
18
?
?
Non-equilibrium in the Occurrence between
States “1” and “0”
V
Defined area
„0“
2V
Undefined area
„1“
133 ns
0.8V
Time
~ 1ns + 1ns per cycle
Discussion
The result shows an about 0,28% (± 0,000001) higher chance for one
of the logical levels.
I. Golomb: p0 = 0,4972
p1 = 0,5028
theory predicts : p0 = p1 = 0,5
Probability
This corresponds to an overall difference of 0,4 ns between the duration
of both clock half-waves
0,254
0,253
Theory for
p0 = 0,4972
p1 = 0,5028
0,252
0,251
0,25
0,249
0,248
0,247
0,246
00
01
10
11
2 poker pattern
The same is true for 3 and 4 poker test
Conclusions
Memoryless QM-phenomenon are well suited as a random source in experiments.
Always present systematic effects in the apparatus (DAQ) disturb such
perfect randomness or make it in the practice a hardly achievable task.
The results agree well with the simulation.
The basic systematic effect derives from the asymmetric duty cycle
which of course can be improved but scarcely eliminated completely.
Improvement expected for „1 ps accuracy“ (0.001% shift in duty cycle)
“Anyone who considers arithmetical methods of producing
random digits is, of course, in state of sin.”
John von Neuman (1903-1957)
Is a perfect TRNG just a dream ?!

Download Report