Quantum Random Number Generators
2nd ETSI Quantum-Safe Cryptography Workshop
Grégoire Ribordy
ID Quantique
Random Numbers
Very useful in a variety of applications
• Games
• Cryptography
• Numerical Simulations
• Web Applications (e-commerce, etc.)
Difficult to produce
• Computers cannot produce random numbers without special hardware
• Impossible to prove randomness of a finite sequence a posteriori
When generating random numbers, understanding the method used is important
Outline
Challenges with Random Number Generators
Example of a Quantum Random Number Generator
Security Evaluation and Certification
New Approach to QRNG
Finding Weak RNGs
Collecting public keys on the Internet
• Lenstra: 5 million PGP keys
• Heninger: 22 million keys in network devices
Look for matching keys
Identify weak keys
• Keys sharing one factor with another key
• Finding the GCD is easier than factoring
A. Lenstra et al., « Ron was wrong, Whit is right. » IACR Cryptology ePrint Archive 2012: 64 (2012)
Heninger’s finding:
• Keys served more than once: 60%
• Weak keys: 5.6%
– 5.3%: Default keys
– 0.3%: Weak keys
• Vendors: Cisco, Dell, IBM, etc.
Use of software RNGs
• Gathering of entropy and postprocessing
• Poor implementation (key generation too early in boot process)
• Not enough entropy due to isolation of devices
N. Heninger et al., « Mining your Ps and Qs: Detection of widespread weak keys in network devices », Usenix Security 2012
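The matching-key and shared-factor checks listed on this slide, written as a fleet audit that flags which RSA moduli need rotation. This is an added example, not code from the talk or the cited papers; it uses the product-tree / remainder-tree batch GCD, and the device names and tiny moduli are constructed for illustration.

```python
from math import gcd, prod

def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli)."""
    # Product tree: leaves are the moduli, the root is the product P of all of them.
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    # Remainder tree: push P back down, reducing modulo the square of each node.
    rems = tree.pop()
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n_i^2) / n_i is congruent to the product of the other moduli mod n_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit_fleet(keys):
    """Map each device to 'ok', 'duplicate' or 'shared-factor'."""
    names = list(keys)
    status = {}
    for name, g in zip(names, batch_gcd([keys[n] for n in names])):
        if g == 1:
            status[name] = "ok"
        elif g == keys[name]:
            # Same modulus served elsewhere (e.g. a default key), or both primes reused.
            status[name] = "duplicate"
        else:
            status[name] = "shared-factor"
    return status

# Constructed inventory: real moduli are 2048 bits or more, these are toy values.
FLEET = {
    "router-a": 101 * 103,   # shares the prime 101 with router-b
    "router-b": 101 * 107,
    "switch-c": 109 * 113,   # identical modulus on two devices
    "switch-d": 109 * 113,
    "server-e": 127 * 131,   # no overlap with any other key
}

if __name__ == "__main__":
    for device, verdict in audit_fleet(FLEET).items():
        print(f"{device}: {verdict}")
```

Any device not reported as `ok` should have its key pair regenerated after its entropy source has been checked, since the cause is in the RNG rather than in the key itself.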
Hardware Trojan Horse
Modification of chip functionality by change of dopant polarity (n or p)
[Figure: inverter]
Illustration of possible vulnerability: RNG in Intel Ivy Bridge Processors
• Metastable Entropy Source
• Generation of blocks of 128 bits of randomness
• Change of dopant masks
Chip validation
• Pre-manufacturing: code review
• Post-manufacturing
– Optical inspection
– Built-in tests
G. Becker et al., « Stealthy Dopant-Level Hardware Trojans », CHES 2013
TRNG Model
Dopant Trojan Attack Possibility
[Diagram: Entropy Source, Digitisation, Postprocessing (DRNG), Total Failure Test, Online Tests]
• Controlled reduction of entropy (n bits out of 128)
• Passing Tests
• Passes Statistical Tests if n large enough (n = 32)
W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31
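Why statistical tests on the output side say little once a DRNG sits behind the entropy source, shown as an added example (not from the talk or from Becker et al.). SHA-256 in counter mode stands in for the postprocessing and n is shrunk from the slide's 32 to 8 bits so that every possible seed can be enumerated; both choices are assumptions made for the demonstration.

```python
import hashlib
import math

def drng_output(seed: int, out_bytes: int = 512) -> bytes:
    """Stand-in postprocessing: SHA-256 in counter mode over a 128-bit state."""
    state = seed.to_bytes(16, "big")  # only the low n bits of the state ever vary
    out = b""
    counter = 0
    while len(out) < out_bytes:
        out += hashlib.sha256(state + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_bytes]

def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test: p-value for the balance of ones and zeros."""
    ones = sum(bin(b).count("1") for b in data)
    n = 8 * len(data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def survey(n_bits: int, alpha: float = 0.01):
    """Generate the stream for every possible n-bit seed.

    Returns (number of distinct streams, number of streams passing the test).
    """
    streams = [drng_output(seed) for seed in range(1 << n_bits)]
    passed = sum(monobit_p_value(s) >= alpha for s in streams)
    return len(set(streams)), passed

if __name__ == "__main__":
    distinct, passed = survey(8)
    # Nearly every stream passes, yet only 2**8 different streams can ever occur.
    print(f"{passed} of {distinct} possible streams pass the monobit test")
    # A stuck-at-zero source is caught; a fixed 1010... pattern is not.
    print(monobit_p_value(b"\x00" * 512), monobit_p_value(b"\xaa" * 512))
```

The test only catches the total failure case (all zeros); the entropy actually present has to be established on the raw source with a stochastic model, which is the step AIS31 adds from PTG.2 upward.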
Bullrun and Dual EC DRBG
NSA: "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets"
Example: Dual EC DRBG
• Slow
• Backdoor known since 2007
• Generator used by prominent vendors until 2013
True Random Number Generator based on Classical Physics
Physical Random Number Generator exploiting a phenomenon described by classical physics
• Coin tossing, Roulette ball, electronic noise signal, etc.
Not random but « difficult » to predict
Origin of Unpredictability
• Initial conditions (Chaos)
• Environment
Example: Sampling of Noise Signal
[Figure: noise signal, bit values 0 / 1]
Difficulties
• Speed
• Influence of environment
• Detection of « partial » total failure
True Random Number Generator based on Quantum Physics
Physical Random Number Generator exploiting a phenomenon described by quantum physics
Truly random
[Figure: Source of photons, Photons, Semi-transparent Mirror, Detectors]
Advantages
• Speed
• Simple process that can be modeled; influence of environment can be ruled out
• Live monitoring of elementary components possible to detect total failure
Quantis (Q)TRNG Implementation
Implementation
Complex Programmable Logic Device (CPLD) to implement the logic
Low EMI spread spectrum clock oscillator
Two voltage regulators
Micropower DC/DC converter (for the detectors bias voltage)
Passive electrical components
Optical Sub-System
Optical Subsystem
Emitter: printed-circuit board and LED
Receiver: printed-circuit board and detectors
Packaging: black aluminum cube
Technology qualified for automotive applications
High reliability
QRNG Solution
Random bit rate:
• 4 Mbps or 16 Mbps
Applications
• Security and cryptography
• Scientific research
• Gaming
Randomness Extraction
~2 x 10^96 before a deviation is observed
Bit rate reduction: 25%
[1] D. Frauchiger, R. Renner, and M. Troyer. True randomness from realistic quantum devices. arXiv preprint arXiv:1311.4547, 2013.
[2] M. Troyer and R. Renner. A randomness extractor for the quantis device. Id Quantique technical report, 2012.
Happy Birthday QRNG!
Quantis is 10 years old!
Special Gold Plated Edition
Addition of Quantis to the collection of the National Museum of Computing at Bletchley Park UK, as an illustration of emerging quantum technologies
Evaluation and Certification
National Metrology Laboratory
• Focus: Physical Principle, Statistical Properties
• Products covered: PCI, PCIe, USB (+ component)
Gaming Test Houses
• Focus: Statistical Properties, Software, Scaling
• Products covered: PCI, PCIe, USB (+ component)
National Security Government Agencies
• Focus: Physical Principle, Implementation
• Products covered: Component
AIS31 - Context
“A proposal for: Functionality classes for random number generators”, Version 2.0, 18 September 2011
Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn
Deterministic (Pseudo) RNG
• DRG.1
• DRG.2
• DRG.3
• DRG.4
• NTG.1
Non-Deterministic (Physical) RNG
• PTG.1: Physical RNG with internal tests that detect a total failure of the entropy source and non-tolerable statistical defects of the internal random numbers
• PTG.2: PTG.1, additionally a stochastic model of the entropy source and statistical tests of the raw random numbers
• PTG.3: PTG.2, additionally with cryptographic postprocessing (hybrid PTRNG)
TRNG Model
• Total Failure Test: Bit rate, 0/1 Ratio, Detector Dark Counts
• Entropy Source: Binary Single-Photon Detection
• Digitisation: Not Needed
• Online Tests: AIS 31
• Postprocessing (DRNG): AES
Evaluation completed in Aug. 2014
W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31
Optical Subsystem
APDs in Geiger Mode
- Bias of 25V
- Power consumption
Technology qualified for automotive applications
High reliability
New Approach for QRNG
Bruno Sanguinetti, Anthony Martin,
Hugo Zbinden and Nicolas Gisin
Practical Tests
Astronomy CCD (ATIK 383L+)
Noise: 10 e-
Phone CMOS (Nokia N9)
Noise: 3 e-
Real-World Imperfections
Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.
Alice can extract randomness from quantum noise.
Integration Possibility
Sensor: 8 Megapixels x 30 frames/s x 3 bits = 720 Mbit/s
Extractor: software ~10 Mbps; FPGA ~1.25 Gbps
Thank you for your attention
• 7th Winter school on practical quantum communications
• January 2015
• In Les Diablerets, Switzerland
– Whitfield Diffie
– Nicolas Gisin
– Dr. Colin P Williams, D-Wave
– Sandu Popescu
– Eleni Diamanti
• New – Track on Security Evaluation and Certification
Website: http://www.idquantique.com/instrumentation/training.html
Contact: info@idquantique.com or gregoire.ribordy@idquantique.com
Physical Principle Explanation
Gaussian beam
Probability of detection almost constant in the centre of the beam
Random bit stream generation by association of a bit value to each detector