240 likes | 269 Views
QUANTUM RANDOM NUMBER GENERATOR FOR APPLICATIONS IN CRYPTOGRAPHY, MONTE CARLO SIMULATIONS AND RESEARCH. dr. Mario Stipčević Institut Ruđer Bošković, Zagreb Talk given at Universitaet Muenchen, 0 9 . February 200 6. What are Random Numbers ?.
E N D
QUANTUM RANDOM NUMBER GENERATOR FOR APPLICATIONS IN CRYPTOGRAPHY, MONTE CARLO SIMULATIONS AND RESEARCH dr. Mario Stipčević Institut Ruđer Bošković, Zagreb Talk given at Universitaet Muenchen, 09. February 2006.
What are Random Numbers ? • It is not possible to define randomness in purely mathematical terms, consequently there is no accepted definition of random sequences (numbers). • For example, D. Knuth [1] lists a dozen of mathematical definitions. • Most definitions fall into 3 categories: • Emphasize one or a set of specific statistical properties that a sequence should obey in the limit of infinite length • Circulum viciosus (define “random” through a similar term like “unpredictable”, “stochastic”, “pattern-less” etc.) • Define random sequence using a notion of physical random process • It seems that randomness cannot be separated from physical reality.
Random Bit Generator Random Bit Generator is a device which, upon request, produces either one (“1”) or zero (“0”), randomly. The result is similar to flipping a fair coin, where we assign “1” to the head and “0” to the tail. -> 1 0 1 . . . Random bits are gold-plated form of random numbers because they can be easily and efficiently converted into any other form, whereas vice versa is not always efficient and/or straightforward. 1 0 1 1 0 1 0 0 0 1 0 1 = 2885 . 1 0 1 1 0 1 0 0 0 1 0 1 =0.7043456 -ln(x)
Why do we need random numbers ? • Itis believed that the ultimate Universal computing machine is a Turing machine + random number generator. Some of the fastest computing algorithms (ex. Solovay-Strassen primality test) require random numbers • Monte Carlo simulations & calculations • In classical cryptography: one-time keys, challenge-response data, public key cryptography - for example Diffie-Hellman protocol: • The main setback of practical imlementatios of RSA and PGP is that they use PR instead of true random numbers [2]
4.Quantum cryptography. All known QKD protocols assume a local RNG at each end of the communication channel • Randomness of local generators may be used to enhance key rate [11] !? • PIN numbersfor pre-paid services like mobile and public phones, sattelite TV etc. • 6. One-time transaction numbers (TAN) used for e-banking • 7. Randomized algorithms which make use of random numbers/decisions and can be very fast • 8. Statistical research • 9. Industrial labeling, lottery & gambling, psi factor research ... Picture from: www.univie.ac.at
Pseudo-random generators • PR generator is a mathematical algorithm which produces numbers which seem random but are not. • Sequence of produced numbers is deterministic two identical PR generators can be synchronized. • LCG: ; is the “seed” • BBS: ; ; primes[2] • Note: unpredictability is NOT equivalent to randomness ! • Most PR generators have been cryptanalyzed. They tend to grow old quickly. A commonfeature of all PR generators is that they must be provided with a seed, a sort of initial state, which completely determines (enumerate) the subsequent output.
Non-deterministic generators If the physical process is provably random, and If the method of extraction of bits can be proven to yield perfect random numbers when fed with truly random events, Then we have a scientifically provable random number generator. This is probably the only way to realize provable RNG. However, practical realizations of ND RNG may exhibit imperfections introduced by electronics and detectors know-how is important ! ND generators can not accept a seed and cannot be synchronized.
Quantum random number generator • Quantum random number generator relies on a physical process whose randomness is guaranteed by laws of Quantum Mechanics. • Examples of such processes are: splitting the train of photons by a semi-transparent mirror or a polarizing beam splitter, nuclear decay, photoelectric effect etc. [7,8,9]: • Scientifically provable randomness • Bias cannot be made/maintained very small and is caused by • differencesin detectors and imperfections of splitters
Our method • Our approach is to use a single detector for detecting both 0’s and 1’s, • in order to achieve low bias, easy assembly and long term stability. • General idea has been picked up from radioactivity-based RNG’s [10] • Basic idea: • When time is discrete, and detector has a dead-time > 0 one needs to: • Omit cases when T1 = T2 in order to avoid bias • Synchronize time cells with beginning of each interval in order to avoid correlations • Time intervals must not overlap max. effic. = 0.5 bit/event • This works fine only when events are independent of each other (as in • case of nuclear decay) or equivalently, when the time intervals between • neighbouring events are exponentially distributed.
Our generator relies on photon emission and subsequent single photon detection by photoelectric effect. ~ ~ ~ ~ ~ PMT Fast Poissonian random events generator The photon emission is a Poissonian process as long as the time between two emission is much longer than the coherence timeTcohr Spectral width + Heisenberg uncertainty photon coherence time
Assuming Gaussian spectrum: • Low efficiency red LED diode:λ=688nm, FWHM ~ 83nm • Tcohr~3.6fs • νcohr ~ 1.8 • 1015 Hz • Operation at frequencies of about ~ 107 Hz a large safety margin • Low efficiency of the PMT detector for red light improves the statistics • We use multiple LED sources to further improve the safety margin
Measured distribution of time • Intervals between subsequent • Detected photons (ie. photo- • electrons). • 1 LED diode • Mean frequency 1.05 MHz • Time resolution 0.4ns • Dead time 25ns Exponential fit (solid line) gives an excellent match to the measured data over more than 3 orders of magnitude. Of all possible distributions the exponential distribution has maximal entropy and characterizes memoryless system Our method uses independent time intervals for generating different bits bits do not know of each other perfect randomness
Comparison with beam splitter RNG’s • Splitter RNG: • Requires two (expensive !) photon detectors • Photon traverses different path for 0’s and 1’s, and • The use of different detectors for 0’s and 1’s leads to bias • Requires time-consuming nulling of bias • Bias gets worse with temperature changes and aging of the detectors and components • QRBG121: • Requires only one photon detector • Photons undergoes the same path for 0’a and for 1’s • The same detector used for both 0’s and 1’s • Bias is stable at zero without any adjusting whatsoever • Insensitive to components tolerance and aging Splitter RNG yields ~1 bit per event (detected photon). QRBG121 yields ~0.5 bit per event, which is the same efficiency per detector.
Testing randomness There is no such thing as universal randomness test. There are many tests of certain statistical properti(es). Each such test is just a small patch in an infinite surface of possible tests. In constructing and final testing of the QRBG we have used three “batteries” of tests: J. Walker’s ENT [4], G. Marsaglia’s DIEHARD [5] and NIST’s STS [6], as well as some tests of our own. Typical test file size ~ 300MB. QRBG121 has passed all statistical tests known to us. It has been independently tested by R. Davies [12]. Useful 1-D and 2-D randomness tests exploit power oh human brain to quickly spot patterns
Technical specifications of QRBG121 *b= |p(1)-0.5| **a = serial autocorrelation coefficient [1]
Further research • Replace PMT with APD. We are finishing our first prototype of a solid state single photon detector, based on a silicon SPAD. The “active quenching” circuit can be, along with the APD, completely made on a single silicon chip. This circuit could be used in future random number generators as well as in quantum communication. • Our next goal is to build a simple 2-photon polarization entanglement machine for use in quantum experiments. • We are interested in quantum cryptography, especially in research of possibilities to extend the range and enlarge the throughput of quantum key distribution schemes.
Picture galery The very first prototype (April 2004) on a breadboard Final product in a typical environment Generator’s interior
Current view of the lab APD based single photon detector prototype
Signal over noise for a as a function of the voltage above breakdown at various temperatures (15.6 C, 5.6 C, -4.3C, -13.5C)For the EG&G Si SPAD C30902E with our active quenching circuit
Breakdown voltage, noise and signal as a function of temperature for the EG&G Si SPAD C30902E. Noise and signal measured at Vbr+3V (15%)
The End “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." J. von Neumann
Bibliography • D. E. Knuth, The art of computer programming, Vol. 2, Third edition, (Addison-Wesley, Reading, 1997) • I. Goldberg, D. Wagner, Dr. Dobb’s, January 1996 • Blum, L.; Blum, M.; Schub, M.: A Simple Unpredictable Pseudo-Random Number Generator, SIAM J. Computing, 15(1986)364-383 • J. Walker, A Pseudorandom Number Sequence Test Program, http://www.fourmilab.ch/random/ • G. Marsaglia, Diehard Battery of Tests of Randomness, http://stat.fsu.edu/pub/diehard/ • Andrew Rukhin et al., Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications,NIST publication, http://csrc.nist.gov/rng/ • IdQuantique, Quantis white paper, http://www.idquantique.com/products/files/quantis-whitepaper.pdf • T. Jennewein et al, A Fast and Compact Quantum Random Number Generator, arXiv:quant-ph/9912118 v1 28 Dec 1999 • Ma Hai-Qiang et al,A Random Number Generator Based on Quantum Entangled Photon Pairs, Chinese Phys. Lett. 21(2004)1961-1964 • J. Walker, Hotbits, http://www.fourmilab.ch/hotbits/how.html • H. Böhm, Exploiting the randomness of the measurement basis in quantum cryptography: Secure Quantum Key Growing without Privacy Amplification, arXiv:quant-ph/0408179 • R. Davies, Random number generator links,http://www.robertnz.net/rng_links.htm • Our preprint