QUANTUM RANDOM NUMBER GENERATOR ON A MOBILE PHONE Bruno Sanguinetti, Anthony Martin, Hugo Zbinden and Nicolas Gisin
THE SECURITY OF A CYPHER MUST RESIDE ENTIRELY IN THE KEY AUGUSTE KERCKHOFFS [] [] A. Kerckho s. Journal des sciences militaires, vol. IX:38, 883.
COMPROMISING THE SECURITY OF THE KEY COMPROMISES THE SYSTEM [] L. Bello. openssl predictable random number generator. Debian security advisory 57-, 28. [2] Bushing, Marcan, Segher, and Sven. PS3 epic fail. 27th Chaos Communication Congress, 2. [3] R. Chirgwin. Android bug batters bitcoin wallets. The Register, 23. [4] L. Dorrendorf, Z. Gutterman, and B. Pinkas. Cryptanalysis of the random number generator of the windows operating system. ACM Trans. Inf. Syst. Secur., 3(): 32, 29. [5] A. K. Lenstra, H. J. P., M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter. Ron was wrong, Whit is right. Cryptology eprint Archive, 22.
COMPROMISING THE SECURITY OF THE KEY COMPROMISES THE SYSTEM [] L. Bello. openssl predictable random number generator. Debian security advisory 57-, 28. [2] Bushing, Marcan, Segher, and Sven. PS3 epic fail. 27th Chaos Communication Congress, 2. [3] R. Chirgwin. Android bug batters bitcoin wallets. The Register, 23. [4] L. Dorrendorf, Z. Gutterman, and B. Pinkas. Cryptanalysis of the random number generator of the windows operating system. ACM Trans. Inf. Syst. Secur., 3(): 32, 29. [5] A. K. Lenstra, H. J. P., M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter. Ron was wrong, Whit is right. Cryptology eprint Archive, 22.
CURRENT COMMERCIAL RNG IMPLEMENTATIONS Software (not random) Microphone (can be controlled) PLL (no one knows ) Shot noise in diode (slow) Quantis ( large and expensive )
SIMPLIFIED PRINCIPLE OF OPERATION
SIMPLIFIED PRINCIPLE OF OPERATION
SIMPLIFIED PRINCIPLE OF OPERATION
CONCEPT Camera LED OR Fibre Extractor Random numbers
CONCEPT Camera LED OR Fibre Extractor Random numbers
CONCEPT Camera LED Extractor Random numbers OR Fibre 9 4,5 2 3
FUNDAMENTAL RESEARCH COOL APPLICATIONS
MOBILE PHONE SENSORS ARE EXCELLENT! Low noise (< e-), linear, small pixels, low capacitance before amp Fast ( Gpixel/s ~ GBits/s) for video Cheap (~$); market for billions of sensors (I have 3 at home) CMOS technology: source, detector and processing on a single chip. pentaxforum.com
TESTED WITH TWO CAMERAS Astronomy CCD (ATIK 383L+) Phone CMOS (Nokia N9) Noise: e - Noise: 3 e -
detector model e V d digital ADC Light source loss detector amp converter output
detector model e Light source loss V ADC d digital output detector amp converter! ATIK Nokia
detector model.4.2. 2 e Photon number n Light 4 V 6 ADC d FIG. 5. Statistics of the number of photons detected by a single-photon (ID Quantique ID)converter in ms, which, source lossdetectordetector amp as expected for most sources, follow a Poisson distribution. ATIK 383L Nokia N9 Noise, t (e ) 3.3 Saturation (e ) 2 4 5 Illumination (e ).5 4 4 Quantum uncertainty, q (e ) 22 2 O set (e ) 44 6 Output bits per pixel 6 Quantum entropy per pixel 8.3 bits 5.7 bits Quantum entropy per raw bit.52.57 TABLE I. Experimental parameters for the two cameras em- digital output P(n).6 FIG. 6. Meas our ATIK (a) ditions quantu
NON-IDEAL CAMERA: STILL OK Eve Technical noise Quantum noise Alice Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.
NON-IDEAL CAMERA: STILL OK Eve Technical noise Quantum noise Alice Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.
NON-IDEAL CAMERA: STILL OK Eve Technical noise Quantum noise Alice Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.
UP TO RANDOM BITS PER PIXEL 8 H min (X q )= log 2 [max (P q (n))] () e n n = log 2 applemax n 6 4 n! = log 2 apple e n n b nc b nc! Hmin(bits) 2 4 5 n
DETECTOR LINEARITY Random numbers When saturation occurs, the Fano factor decreases, as the output is a constant. At low illumination intensities, we measure a Fano factor much greater than, due to detector technical noise. IS IMPORTANT ra is fully aw binary nd passed r outputs dy to be Variance/mean 2..5..5 ATIK 383L Classical noise Nokia N9 Saturation ply with operating of quanerested in does not and that. 5 5 Absorbed photons n 2 3 4 5 Absorbed photons n FIG. 4. Fano factor (Variance/mean) of the devices employed in this experiment. We operate in the region where the Fano
) in ms, which, n distribution. R ANDOMNESS EXTRACTOR 3L Nokia N9 detector model loss wo cameras em- Raw data in 4 3.3 5 4 2 6 5.7 bits Light source.57 Extractor matrix d digital e V ADC (actually 2x5) output FIG. 6. Measurement of the quantum and classical noise detector amp converter our ATIK (a) and Nokia (b) detectors. At the operating co ditions quantum noise strongly dominates. H L Random bits out it would take an impossible 2 96 trials to notic trials before a deviation from a perfectly random bita string. If ever deviation is found at Gbp body on earth used such a device constantly it would take 6 times the age of the universe for on [] D. Frauchiger, R. Renner, and M. Troyer. True randomness from realistic quantum devices. arxiv preprint arxiv:3.4547, 23.! [2] M. Troyer and R. Renner. A randomness extractor for the quantis device. Id Quantique technical report, 22.! on
TESTS, DIEHARDER 5 5,-. $,-. $ $!,,-. *! +,! ) $ * % &( '! + ) $ % &( '!"# & ' $ % $ % & '!"#!"# $!,,-. *! +!, ) $ % &( ' *! + " ) ///% //% $ % & ' //% $ % &( ' /% $ % & ' /% FIG. 8. Test results for some of the Diehard battery of tests for random number generators. The represented p-value is ///% the result of a Kolmogorov-Smirnov test of p-values. The " suite also performs a large number of other tests, which our RNG passes, e.g. have a. < p-value <.99.!"# A simplistic test to check that the generator does not su er from a problem is to check the autocorrelation of the output bitstring. We plot this in Fig. 7, showing no domness is maintained. correlation. A simplisticfinally, test towecheck thatthe the generator does not performed die harder battery of ransu er from adomness problem to both check autocorrelation testsis on thethe extracted bit strings. of This set of tests contains NIST tests the output bitstring. We plotthethis intest, Fig.the 7,diehard showing noand % FIG. 7. Autocorrelation of the output bitstring, the value of domness is maintained. the correlation is limited by the finite sample size. 2 4 6 8 2 4 6 8 2 FIG. 7. Autocorrelation bits of the output bitstring, the value of the correlation is limited by the finite sample size. 8 2 4 6 8 2 bits 6 4 2 ///%% e-8 e-7 ///% e-7 //% e-6 e-6 e-8 e-5 //% e-5. /% /%..... %. Autocorrelation coefficient Autocorrelation coefficient. Atik Atik Nokia Nokia #23 #23 %
SPEED Control Clock Image sensor CPU/DSP/FPGA Data (x) 3 MHz MHz Sensor: 8 Megapixels x 3 frames/s x 3 bits = 72 Mbit/s Extractor: software ~ Mbps; PFGA ~.25 Gbps Mobile phone: limited memory
MOST CALIBRATED SOURCES ARE USABLE, WITH CERTAIN ASSUMPTIONS. Theory (Poisson dist.) Experiment.4.2. detector model e omlightinsource a *** loss hotel) detector V ADC 2 4 6 Photon number n d amp converter lity of the participant. Test of LED photon number distribution with single photon detector P(n).6 digital FIG. 5. Statistics of the number of photons detected by a output single-photon detector (ID Quantique ID) in ms, which, ATIK 383L Nokia N9 Noise, t (e ) 3.3 Saturation (e ) 2 4 5 Illumination (e ).5 4 4 Quantum uncertainty, q (e ) 22 2 O set (e ) 44 6 Output bits per pixel 6 Quantum entropy per pixel 8.3 bits 5.7 bits Quantum entropy per raw bit.52.57! as expected for most sources, follow a Poisson distribution. unt, see below).8 FIG. 6. Measurement of the quantu our ATIK (a) and Nokia (b) detector ditions quantum noise strongly domi
CAN BE COMPLETELY INTEGRATED ON CHIP waveguide LED Sensor Extractor Random numbers
CONCLUSION Cheap image sensors really work at the quantum level QRNG can be made cheaply and integrated, using existing technology Still some work on the theory required
THANKS FOR YOUR ATTENTION Hugo! Zbinden Anthony! Martin Nicolas! Gisin
7TH ID QUANTIQUE WINTER SCHOOL 8 JAN -22 JAN 25 Tutorial by: Whitfried Diffie Colin Williams (D-Wave) Nicolas Gisin Eleni Diamanti Tracy Northup Sandu Popescu Mikael Afzelius Renner Renato ant (Early booking discount, see below) dation (6 nights, single room in a *** hotel)