Quantum Random Number Generators Quantum-Safe Cryptography Workshop 2nd ETSI QuantumGrégoire Ribordy ID Quantique Random Numbers Very useful in a variety of applications Games Cryptography Numerical Simulations Web Applications (e-commerce, etc.) Difficult to produce • Computers cannot produce random numbers without special hardware Impossible to proove randomness of a finite sequence a posteriori When generating random numbers, understanding the method used is important Outline Challenges with Random Number Generators Example of a Quantum Random Number Generator Security Evaluation and Certification New Approach to QRNG Finding Weak RNG’S Collecting public keys on the Internet • • Lenstra: 5 million PGP keys Heninger: 22 million keys in network devices Look for matching keys Heninger’s finding: • • – – • Identify weak keys Keys sharing one factor with another key • • Finding the GCD is easier than factoring A. Lenstra et al., « Ron was wrong, Whit is right. » IACR Cryptology ePrint Archive 2012: 64 (2012) 5.3%: Default keys 0.3%: Weak keys Vendors:Cisco, Dell, IBM, etc. Use of software RNG’s • • Keys served more than once: 60% Weak keys: 5.6% Gathering of entropy and postprocessing Poor implementation (key generation too early in boot process) Not enough entropy due to isolation of devices N. Heninger et al., « Mining your Ps and Qs: Detection of widespread weak keys in network devices », Usenix Security 2012 4 Hardware Trojan Horse Modification functionality of chips by change of dopant polarity (n or p) Illustration of possible vulnerability: RNG in Intel Ivy Bridge Processors • • • Inverter 0 1&1 0 1&1 0 1 Metastable Entropy Source Generation of blocks of 128 bits of randomness Change of dopant masks Chip validation • • Pre-manufacturing: code review Post-manufacturing – – Optical inspection Built-in tests G. Becker et al., « Stealthy Dopant-Level Hardware Trojans », CHES 2013 5 TRNG Model Dopant Trojan Attack Possibility Total Failure Test Entropy Source Controlled reduction of entropy (n bits out of 128) Passing Tests Digitisation Online Tests Postprocessing (DRNG) Passes Statistical Tests if n large enough (n = 32) W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31 6 Bullrun and Dual EC DRBG NSA: "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” Example: Dual EC DRBG • • Slow Backdoor known since 2007 • Generator used by prominent vendors until 2013 7 True Random Number Generator based on Classical Physics Physical Random Number Generator exploiting a phenomenon described by classical physics • Coin tossing, Roulette ball, electronic noise signal, etc. Not random but « difficult » to predict Origin of Impredictability • • Initial conditions (Chaos) Environment Example: Sampling of Noise Signal Difficulties • Speed • Influence of environment • Detection of « partial » total failure 0 1 True Random Number Generator based on Quantum Physics Physical Random Number Generator exploiting a phenomenon described by quantum physics Detectors Truly random Photons Semi-transparent Mirror Source of photons Advantages • Speed • Simple process that can be modeled influence of environment can be ruled out • Live monitoring of elementary components possible to detect total failure Quantis (Q)TRNG Implementation Implementation Complex Programmable Logic Device (CPLD) to implement the logic Low EMI oscillator spread spectrum clock oscillator Two voltage regulators Micropower DC/DC converter (for the detectors bias voltage) Passive electrical components Optical Sub-System 10 Optical Subsystem Emitter: printed-circuit board and LED Receiver: printed-circuit board and detectors Packaging: black aluminum cube Technology qualified for automotive applications High reliability 11 QRNG Solution Random bit rate: • 4 Mbps or 16 Mbps Applications • • • Security and cryptography Scientific research Gaming Randomness Extraction ~2 x 1096 before a deviation is observed Bit rate reduction: 25% [1] D. Frauchiger, R. Renner, and M. Troyer. True randomness from realistic quantum devices. arXiv preprint arXiv:1311.4547, 2013. [2] M. Troyer and R. Renner. A randomness extractor for the quantis device. Id Quantique technical report, 2012. Happy Birthday QRNG! Quantis is 10 years old! Special Gold Plated Edition Addition of Quantis to the collection of the National Museum of Computing at Bletchley Park UK, as an illustration of emerging quantum technologies 14 Evaluation and Certification National Metrology Laboratory • • Focus: Physical Principle, Statistical Properties Products covered: PCI, PCIe, USB (+ component) Gaming Test Houses • • Focus: Statistical Properties, Software, Scaling Products covered: PCI, PCIe, USB (+ component) National Security Government Agencies • • Focus: Physical Principle, Implementation Products covered: Component AIS31 - Context “A proposal for: Functionality classes for random number generators”, Version 2.0, 18 September 2011 Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn Deterministic (Pseudo) RNG • DRG.1 • DRG.2 • DRG.3 • DRG.4 • NTG.1 Non-Deterministic (Physical) RNG • PTG.1 Physical RNG with internal tests that detect a total failure of the entropy source and nontolerable statistical defects of the internal random numbers • PTG.2 PTG.1, additionally a stochastic model of the entropy source and statistical tests of the raw random numbers • PTG.3 PTG.2, additionally with cryptographic postprocessing (hybrid PTRNG) TRNG Model Total Failure Test Bit rate 0/1 Ratio Detector Dark Counts Evaluation completed in Aug. 2014 Entropy Source Binary SinglePhoton Detection Digitisation Online Tests Not Needed AIS 31 Postprocessing (DRNG) AES W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31 17 Optical Subsystem APD’s in Geiger Mode - Bias of 25V - Power consumption Technology qualified for automotive applications High reliability 18 New Approach for QRNG Bruno Sanguinetti, Anthony Martin, Hugo Zbinden and Nicolas Gisin 19 Practical Tests Astronomy CCD (ATIK 383L+) Noise: 10 ePhone CMOS (Nokia N9) Noise: 3 e20 Real--World Imperfections Real Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise. Alice can extract randomness from quantum noise. 21 Integration Possibility Sensor: 8 Megapixels x 30 frames/s x 3 bits = 720 Mbit/s Extractor: software ~10 Mbps; FPGA ~ 1.25 Gbps 22 Thank you for you attention • • • 7th Winter school on practical quantum communications January 2015 In Les Diablerets, Switzerland – – – – – • Whitfield Diffie Nicolas Gisin Dr. Colin P Williams, D-Wave, Sandu Popescu Eleni Diamanti New – Track on Security Evaluation and Certification Website: http://www.idquantique.com/instrumentation/training.html Contact: [email protected] or [email protected] Physical Principle Explanation Gaussian beam Probability of detection almost constant in the centre of the beam Random bit stream generation by association of a bit value to each detectors 24