Luděk Smolík

April 2003

True Random Number Generation Using Quantum Mechanical Effects

Science, technology, business (MC-simulation), period 2800

Secure communication protocols ( SSL, IPSec, ISDN, GSM, .... )

Cryptography (Inet-Api e.q. PGP, home banking, ..... )

„Strong“ cryptography ( ES-Act,.....)

Where do we need random numbers ?

DRNG

„TRNG“- seed+ DRNG

„commercial TRNG“

TRNG, QNG

unpredictable !!

Communication Protocols + Cryptography

„Seeds“ for DRNG (e.q. Challenge Response).

„Padding Bits“, fill the empty bits in data blocks. „Blinding Bits“ , overwrite the bits during erasing. Generation of Symmetric and Asymmetric Keys.

Random Prime Numbers as a source for keys for electronic signature (prototype for the highest security application at all).

Commercial Definition of a realistic TRNG (CC, ITSEC)

Source of

noise

SamplingDigiti-sing

Crypto-graphic

post-processing

Output

Seed

Inernalstate

Output

TRNG DRNG

Internal random sequence

Random numbers sequence

State function

Source of

noise

SamplingDigiti-sing

Source of

noise

SamplingDigiti-sing

Source of

noise

SamplingDigiti-sing

Source of

noise

SamplingDigiti-sing

Source of

noise

SamplingDigiti-sing

Types of Noise Sources

Many kinds of macroscopic collective phenomena:

stochastic movement of particles in a volume,trajectories of small planetoids or asteroids,......

electronic noise (Thermal-Noise, Shot-Noise, pn-Noise, Zener-Diodes, Josephson-junction...).

Single quantum mechanical effects in the microscopic dimension :

Radioactive decay (number of decay in a particular time interval,

decay time spectrum...).

Quantum effects of single elementary particles (photon, electron, K ....), EPR-phenomenon.

Chaos

huge nu

mber

of D

OF

?

QM is

a n

on-lo

cal

and n

on-c

ausa

l

theo

ry

No nee

d for

pre

dicta

bility

Unque

ssab

le

unkn

owna

ble

Electronic Noise

V

Avalanche noise im pn-junction+

+

+

n

p- -

-

AmplifierFilter

Discrimi-nator

U

I

-6V

T < T

DCD eI

kTR

BUT !!! Autocorrelation in the output sequence

Z-Diode

Huge number of charge carrier

I

Noise with Splitting Single Photon Beam

Smart source for QM noise are single photons or other elementary particles !

Wave-particle duality at single photons

PM

PM

Source oflight

50:50 mirror or PBS

Flip Flop„1“ and „0“

...0010011...

LED driven by max.a few hundred μA ...low coherence length tc < 1ps

Rate of mostly single photonswith few MHz is achievable

BUT!!! the guarantee for single photons rate is not absolute sure, 50:50 mirror or PBS not perfect .

A D L&C

CR

HV

PWC

Cathode (radioactive source)

Anode (wires) HV

A D L&C

CR

HV

PWC

Cathode (radioactive source)

Anode (wires) HV

Noise with Radioactive Decay

Radioactive source incandescent mantle with Thorium-232 : α-decays with 4.083 MeV, few β-decays and γ-transitions

Th-232

Ra-228

(the exemption limit for Th-232 is 10 kBq and the dose limit is 6 mSv/yr)

Time

Detector signal after amplification

“0”

“1”

Discriminator signal

Toggle flip-flop

01100111001010010011010010111001Output register

Electronic threshold

Time

Detector signal after amplification

“0”

“1”

Discriminator signal

Toggle flip-f running with 15 MHz

01100111001010010011010010111001Output register

Electronic threshold

Sampling and Digitizing

Output rate: 200Bq .... 2kBq (varied with HV, threshold and source activity)

The time between two decays is exponentially distributed, p(t) is the probability of time interval t between two successive events.

Measurement of really single quantum mechanical effects which behave as perfect random source.

There is no deterministic prediction for the time t .

More !!! There is no theoretical need for such a prediction.

Unfortunately, the toggle flip-flop and the consecutive .electronics can not be perfect.

This part of the apparatus is responsible for the occurrence. of systematic effects for all TRNG !

Where is the randomness hidden?

0/0)( tteptp

Check of the Randomness

0001010110110011101010010101111010010010010110110010111010100010010100100

100% sure demonstration is de facto impossible, because the examined sequence stays always finite !

Try to compress the sequence by algorithmic procedure ! Shannon (1948) : Entropy as a measure for information content.

There is a number of statistical tests on the market. (Test-Batteries)

i

n

ii ppnH 2

1

log)(

p1 -> „00“p2 -> „01“p3 -> „10“p4 -> „11“

n = 4,theoretical pi = 1/4

2)4( H

01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11 01 10 00 11!

Experimental Data and Results

Input are many gigabits data from recorded radioactive decays,data were divided into sequences of 4kB (32768 bits) length.

Each 4kB sequence contributes with a χ2 number to the histogram of the particular test.

010101110100010100100010010010101..............................................1010010011110010100100110101

111001001010001001111001011110101..............................................1000101111010101101010110101

.

.

.

0101011101000101111110010010010101..............................................1010011110010101001010110101

Each χ2 histogram is then fitted by a one-parameter χ2 function and the statistical significance can be checked.

I. Golomb criterion tests the ration between states „0“ and „1“ . II. Golomb tests the occurrence of identical consecutive bits (runs). …..0001010000010010101010101010000011111……

III. Golomb tests the autocorrelation function by shift from 1 to max. 16 bits.

010010001001100101100010…………. 0010010001001 010010001101001100100010…………. 0010010001001 check the occurrence of pairs 00, 01, 10, 11

shift by 4 2 Poker tests the occurrence of pairs „00“, „01“, „10“, and „11“.3 Poker the same for series „000“, „001“, „010 .... „111“.4 Poker the same for series „0000“, „0001“, ...... „1111“ .

3 111 5 1 2 11................................. 5 5

Applied tests

Example for 2 Poker Test

4

1

22

4096

4096

i

ij

n

measured numbers: n1 „00“, n2 „01“, n3 „10“, n4 „11“,

0,246

0,247

0,248

0,249

0,25

0,251

0,252

0,253

0,254

theory: 32768 / 4 • ½ = 4096

Pro

bab

ilit

y

00 01 10 11

2 poker pattern

Theory for „0“ =„1“ = 0,5

p0 p0 = p0 p1 =p1 p0 = p1 p1 = 0,25

0

0,05

0,1

0,15

0,2

0,25

1 4 7 10 13 16 19 22 25 28 31 34

Chi**2

Pro

bab

ilit

y

χ2 2 poker test

fit by 1 parameter χ2 function

experiment

Example χ2 Distribution for 2 Poker Test

 

Test Criterion Mean Value (Experiment)

Degree of Freedom (Theory)

χ2 / ndf

1st Golomb 2,0 1 59

2nd Golomb 11,3 11 2,4

3nd Golomb 16,1 16 0,95

2-Bit Poker 4,2 3 59

3-Bit Poker 8,1 7 30

4-Bit Poker 16,2 15 18

Results for Theory „0“ =„1“ = 0,5

?

?

?

?

Time

V

133 ns

2V

0.8V

„0“

„1“Undefined area

Time

V

133 ns

2V

0.8V

„0“

„1“Undefined area

Non-equilibrium in the Occurrence between States “1” and “0”

Defined area

~ 1ns + 1ns per cycle

The result shows an about 0,28% (± 0,000001) higher chance for one of the logical levels.

I. Golomb: p0 = 0,4972 p1 = 0,5028 theory predicts : p0 = p1 = 0,5

This corresponds to an overall difference of 0,4 ns between the durationof both clock half-waves

Discussion

0,246

0,247

0,248

0,249

0,25

0,251

0,252

0,253

0,254

Pro

bab

ilit

y

00 01 10 11

2 poker pattern

Theory forp0 = 0,4972p1 = 0,5028

The same is true for 3 and 4 poker test

“Anyone who considers arithmetical methods of producing random digits is, of course, in state of sin.” John von Neuman (1903-1957)

Conclusions

Improvement expected for „1 ps accuracy“ (0.001% shift in duty cycle)

Is a perfect TRNG just a dream ?!

Always present systematic effects in the apparatus (DAQ) disturb such perfect randomness or make it in the practice a hardly achievable task.

The results agree well with the simulation. The basic systematic effect derives from the asymmetric duty cycle which of course can be improved but scarcely eliminated completely.

Memoryless QM-phenomenon are well suited as a random source in experiments.