Quantum Cryptography - Ruđer Bošković Institute


QUANTUM RANDOM NUMBER GENERATOR FOR APPLICATIONS IN CRYPTOGRAPHY, MONTE CARLO SIMULATIONS AND RESEARCH
dr. Mario Stipčević
Institut Ruđer Bošković, Zagreb
Talk given at Universitaet Muenchen, 09. February 2006.
What are Random Numbers?
• It is not possible to define randomness in purely mathematical terms; consequently there is no accepted definition of random sequences (numbers).
For example, D. Knuth [1] lists a dozen mathematical definitions.
Most definitions fall into 3 categories:
• Emphasize one or a set of specific statistical properties that a sequence should obey in the limit of infinite length
• Circulus vitiosus (define “random” through a similar term like “unpredictable”, “stochastic”, “pattern-less” etc.)
• Define random sequence using a notion of physical random process
It seems that randomness cannot be separated from physical reality.
Random Bit Generator
A random bit generator is a device which, upon request, produces either a one (“1”) or a zero (“0”), randomly.
The result is similar to flipping a fair coin, where we assign “1” to the head and “0” to the tail.
-> 1 0 1 . . .
Random bits are a gold-plated form of random numbers because they can be easily and efficiently converted into any other form, whereas the reverse is not always efficient and/or straightforward.
101101000101 = 2885
.101101000101 = 0.7043456 -> -ln(x)
Why do we need random numbers ?
1. It is believed that the ultimate Universal computing machine is a Turing machine + random number generator. Some of the fastest computing algorithms (e.g. the Solovay-Strassen primality test) require random numbers
2. Monte Carlo simulations & calculations
3. In classical cryptography: one-time keys, challenge-response data, public key cryptography - for example the Diffie-Hellman protocol:
The main setback of practical implementations of RSA and PGP is that they use pseudo-random (PR) instead of true random numbers [2]
4. Quantum cryptography. All known QKD protocols assume a local
RNG at each end of the communication channel
Picture from: www.univie.ac.at
Randomness of local generators may be used to enhance key rate [11] !?
5. PIN numbers for pre-paid services like mobile and public phones, satellite TV etc.
6. One-time transaction numbers (TAN) used for e-banking
7. Randomized algorithms which make use of random
numbers/decisions and can be very fast
8. Statistical research
9. Industrial labeling, lottery & gambling, psi factor research ...
Pseudo-random generators
• A PR generator is a mathematical algorithm which produces numbers which seem random but are not.
• The sequence of produced numbers is deterministic -> two identical PR generators can be synchronized.
LCG: $X_{n+1} = (aX_n + b) \bmod m$ ; $X_0 = S$ is the “seed”
BBS: $X_{n+1} = X_n^2 \bmod p_1 p_2$ ; $X_0 = S^2 \bmod p_1 p_2$ ; $p_1, p_2$ primes [2]
Note: unpredictability is NOT equivalent to randomness !
Most PR generators have been cryptanalyzed. They tend to grow old quickly.
A common feature of all PR generators is that they must be provided with a seed, a sort of initial state, which completely determines (enumerates) the subsequent output.
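The LCG and BBS recurrences above as a runnable sketch (an added example, not code from the talk). The constants a, b, m, the toy primes p1, p2 and the helpers `synchronize`, `key_from_seed` and `distinct_keys` are assumptions of the example; it shows a second generator falling into lockstep with the first, and that a key drawn from a seeded generator can take no more values than the seed can.

```python
from itertools import islice

def lcg(seed, a=1103515245, b=12345, m=2**31):
    """X_{n+1} = (a*X_n + b) mod m with X_0 = seed (constants chosen for the example)."""
    x = seed
    while True:
        x = (a * x + b) % m
        yield x

def bbs_bits(seed, p1=10007, p2=10039):
    """X_0 = seed^2 mod p1*p2, X_{n+1} = X_n^2 mod p1*p2; emits the low bit of each state.
    Toy primes, both congruent to 3 mod 4; real use needs primes of cryptographic size."""
    n = p1 * p2
    x = seed * seed % n
    while True:
        x = x * x % n
        yield x & 1

def synchronize(seed=2006, seen=5, ahead=5):
    """This LCG outputs its whole state, so a second generator started from the
    last value seen stays in lockstep with the first from then on."""
    stream = list(islice(lcg(seed), seen + ahead))
    follower = list(islice(lcg(stream[seen - 1]), ahead))
    return follower == stream[seen:]

def key_from_seed(seed, nbits=128):
    """Hypothetical key derivation: pack the first nbits BBS bits into an integer."""
    key = 0
    for bit in islice(bbs_bits(seed), nbits):
        key = (key << 1) | bit
    return key

def distinct_keys(seed_bits=12):
    """Count the different 128-bit keys that seeds of seed_bits bits can produce."""
    return len({key_from_seed(s) for s in range(2, 2 ** seed_bits)})

if __name__ == "__main__":
    print("follower in lockstep:", synchronize())
    print("128-bit keys reachable from a 12-bit seed:", distinct_keys(12))
```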
Non-deterministic generators
If the physical process is provably random, and
If the method of extraction of bits can be proven to yield perfect random
numbers when fed with truly random events,
Then we have a scientifically provable random number generator.
This is probably the only way to realize provable RNG.
However, practical realizations of ND RNG may exhibit imperfections introduced by electronics and detectors -> know-how is important !
ND generators cannot accept a seed and cannot be synchronized.
Quantum random number generator
Quantum random number generator relies on a physical process
whose randomness is guaranteed by laws of Quantum Mechanics.
Examples of such processes are: splitting the train of photons by a
semi-transparent mirror or a polarizing beam splitter, nuclear decay,
photoelectric effect etc. [7,8,9]:
• Scientifically provable randomness
• Bias cannot be made/maintained very small and is caused by
differences in detectors and imperfections of splitters
Our method
Our approach is to use a single detector for detecting both 0’s and 1’s,
in order to achieve low bias, easy assembly and long term stability.
The general idea has been picked up from radioactivity-based RNGs [10]
Basic idea: T2 > T1 -> 0; T2 < T1 -> 1; T2 = T1 -> skip
When time is discrete, and the detector has a dead time > 0, one needs to:
1. Omit cases when T1 = T2 in order to avoid bias
2. Synchronize time cells with the beginning of each interval in order to avoid correlations
3. Time intervals must not overlap -> max. efficiency = 0.5 bit/event
This works fine only when events are independent of each other (as in the case of nuclear decay) or equivalently, when the time intervals between neighbouring events are exponentially distributed.
Our generator relies on photon emission and subsequent single photon
detection by photoelectric effect.
[Figure: fast Poissonian random events generator, with PMT]
The photon emission is a Poissonian process as long as the time between two emissions is much longer than the coherence time Tcohr
Spectral width + Heisenberg uncertainty -> photon coherence time
Assuming Gaussian spectrum:
Tcohr
2

4c
Low efficiency red LED diode: λ=688nm, FWHM ~ 83nm
-> Tcohr ~ 3.6 fs
-> νcohr ~ 1.8 • 10^15 Hz
• Operation at frequencies of about ~ 10^7 Hz -> a large safety margin
• Low efficiency of the PMT detector for red light improves the statistics
• We use multiple LED sources to further improve the safety margin
Measured distribution of time intervals between subsequent detected photons (i.e. photoelectrons).
• 1 LED diode
• Mean frequency 1.05 MHz
• Time resolution 0.4ns
• Dead time 25ns
Exponential fit (solid line) gives an excellent match to the measured data
over more than 3 orders of magnitude.
Of all possible distributions the exponential distribution has maximal entropy and characterizes a memoryless system
Our method uses independent time intervals for generating different bits -> bits do not know of each other -> perfect randomness
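A simulation of the interval-comparison method and its three rules, fed with the mean frequency, time resolution and dead time quoted above (an added example, not code from the talk or from the QRBG121). A seeded PRNG stands in for the photon source, the 100 ns coarse clock is a constructed setting, and which inequality maps to 0 is an assumption; the run shows what breaking rule 1 (ties) or rule 3 (overlap) does to bias and serial autocorrelation.

```python
import random

RATE_HZ = 1.05e6     # mean detection frequency quoted on the slide
DEAD_TIME_S = 25e-9  # detector dead time quoted on the slide
TICK_S = 0.4e-9      # time resolution quoted on the slide

def intervals(n, tick_s=TICK_S, seed=1):
    """Constructed data: n inter-event times in clock ticks. A seeded PRNG stands in
    for the photon source; the tick counter restarts at every event (rule 2)."""
    rng = random.Random(seed)
    return [int((DEAD_TIME_S + rng.expovariate(RATE_HZ)) / tick_s) for _ in range(n)]

def extract(ts, overlap=False, skip_ties=True):
    """T2 > T1 -> 0, T2 < T1 -> 1 (which inequality means 0 is this example's
    assumption). overlap=True reuses T2 as the next T1, breaking rule 3;
    skip_ties=False emits 0 for T1 == T2, breaking rule 1."""
    bits = []
    for i in range(0, len(ts) - 1, 1 if overlap else 2):
        t1, t2 = ts[i], ts[i + 1]
        if t1 != t2:
            bits.append(0 if t2 > t1 else 1)
        elif not skip_ties:
            bits.append(0)
    return bits

def bias(bits):
    """b = |p(1) - 0.5|"""
    return abs(sum(bits) / len(bits) - 0.5)

def autocorrelation(bits):
    """Lag-1 serial correlation coefficient of the bit sequence."""
    mean = sum(bits) / len(bits)
    var = sum((b - mean) ** 2 for b in bits) / len(bits)
    cov = sum((x - mean) * (y - mean) for x, y in zip(bits, bits[1:])) / (len(bits) - 1)
    return cov / var

if __name__ == "__main__":
    ts = intervals(400_000)
    coarse = intervals(400_000, tick_s=100e-9)  # constructed coarse clock: many ties
    for name, bits in [("by the rules", extract(ts)),
                       ("overlapping intervals", extract(ts, overlap=True)),
                       ("coarse clock, ties skipped", extract(coarse)),
                       ("coarse clock, ties kept as 0", extract(coarse, skip_ties=False))]:
        print(f"{name:30s} bits/event={len(bits) / len(ts):.3f} "
              f"bias={bias(bits):.4f} a={autocorrelation(bits):+.4f}")
```

With independent intervals, overlapping comparisons give a serial correlation near -1/3, while the non-overlapping scheme stays near zero at 0.5 bit per event.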
Block scheme of QRBG121
Comparison with beam splitter RNG’s
Splitter RNG:
• Requires two (expensive !) photon detectors
• Photon traverses a different path for 0’s and 1’s, and
• The use of different detectors for 0’s and 1’s leads to bias
• Requires time-consuming nulling of bias
• Bias gets worse with temperature changes and aging of the detectors and components
QRBG121:
• Requires only one photon detector
• Photons traverse the same path for 0’s and for 1’s
• The same detector is used for both 0’s and 1’s
• Bias is stable at zero without any adjusting whatsoever
• Insensitive to component tolerances and aging
Splitter RNG yields ~1 bit per event (detected photon).
QRBG121 yields ~0.5 bit per event, which is the same efficiency per detector.
Testing randomness
There is no such thing as a universal randomness test.
There are many tests of certain statistical properties. Each such test is just a small patch in an infinite surface of possible tests.
Useful 1-D and 2-D randomness tests exploit the power of the human brain to quickly spot patterns
In constructing and final testing of the QRBG we have used three
“batteries” of tests: J. Walker’s ENT [4], G. Marsaglia’s DIEHARD [5]
and NIST’s STS [6], as well as some tests of our own. Typical test file
size ~ 300MB.
QRBG121 has passed all statistical tests known to us. It has been
independently tested by R. Davies [12].
Technical specifications of QRBG121
Generating speed: 12,000,000 bits/sec ± 3%
Bias (b)*: < 0.00005
Autocorrelation (a)**: < 0.00005
Thermal noise: < 0.0005% (5ppm)
Outputs: USB2 and OEM
OEM output: 5V CMOS level, serial
Operating systems: Win98/Me/2000/XP, Linux
Power supply: +5V from USB or OEM
Dimensions: 55(h) x 65(w) x 90(d) mm
Casing: elox aluminum
Weight: 370 g
*b = |p(1)-0.5|
**a = serial autocorrelation coefficient [1]
Further research
1. Replace PMT with APD. We are finishing our first prototype of a
solid state single photon detector, based on a silicon SPAD. The
“active quenching” circuit can be, along with the APD, completely
made on a single silicon chip. This circuit could be used in future
random number generators as well as in quantum communication.
2. Our next goal is to build a simple 2-photon polarization
entanglement machine for use in quantum experiments.
3. We are interested in quantum cryptography, especially in research
of possibilities to extend the range and enlarge the throughput of
quantum key distribution schemes.
Picture gallery
The very first prototype (April 2004) on a breadboard
Final product in a typical environment
Generator’s interior
Current view of the lab
APD based single photon detector prototype
Signal over noise as a function of the voltage above breakdown at various temperatures (15.6 C, 5.6 C, -4.3 C, -13.5 C), for the EG&G Si SPAD C30902E with our active quenching circuit
Breakdown voltage, noise and signal as a function of temperature for the
EG&G Si SPAD C30902E. Noise and signal measured at Vbr+3V (15%)
Dead time of the single photon detector prototype
“Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.”
J. von Neumann
The End
Bibliography
1. D. E. Knuth, The art of computer programming, Vol. 2, Third edition, (Addison-Wesley, Reading, 1997)
2. I. Goldberg, D. Wagner, Dr. Dobb’s, January 1996
3. L. Blum, M. Blum, M. Shub, A Simple Unpredictable Pseudo-Random Number Generator, SIAM J. Computing, 15(1986)364-383
4. J. Walker, A Pseudorandom Number Sequence Test Program, http://www.fourmilab.ch/random/
5. G. Marsaglia, Diehard Battery of Tests of Randomness, http://stat.fsu.edu/pub/diehard/
6. Andrew Rukhin et al., Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST publication, http://csrc.nist.gov/rng/
7. IdQuantique, Quantis white paper, http://www.idquantique.com/products/files/quantiswhitepaper.pdf
8. T. Jennewein et al., A Fast and Compact Quantum Random Number Generator, arXiv:quant-ph/9912118 v1 28 Dec 1999
9. Ma Hai-Qiang et al., A Random Number Generator Based on Quantum Entangled Photon Pairs, Chinese Phys. Lett. 21(2004)1961-1964
10. J. Walker, Hotbits, http://www.fourmilab.ch/hotbits/how.html
11. H. Böhm, Exploiting the randomness of the measurement basis in quantum cryptography: Secure Quantum Key Growing without Privacy Amplification, arXiv:quant-ph/0408179
12. R. Davies, Random number generator links, http://www.robertnz.net/rng_links.htm
13. Our preprint