[Cryptography] Photon beam splitters for "true" random number generation ?

dj at deadhat.com dj at deadhat.com
Mon Dec 14 14:40:13 EST 2015


> Now you've done it.
>
> First it was the Easter Bunny.  Then it was Santa Claus.
>
> Now the Nevada Gaming Commission.
>
> My world is shattered.
>
> About the only people left whom I can still trust are the NSA & the FBI.
>

I apologize. I'll try to put it back in the bag.

The 'quantum' RNG thing is interesting in that people are actually doing it.

I got to see a quantum RNG product at a conference a few weeks ago. It was
using a module maybe 2cm x 4cm soldered to the board, where magic
happened, but this was on a very large PCIe card, full of other stuff. I
think (a lot of) power conditioning, some CPU to do the post processing,
support logic for the CPU and a PCIe interface chip.

On questioning, it appears the sampled events are not idealized individual
unbiased quantum events, they are 'a few' events. So you get the expected
binomial distribution of summing binary events and then it gets put
through an extractor in the traditional style to get 'more random'
numbers.

So I failed to see the difference between this and any other noise source
beyond the number of quantum events being summed over to give a typical
noise distribution.

The vendor was happy to tell me it was the world's fastest RNG at (if
remember correctly) 400Mbit/s. Not withstanding all the others that are a
lot faster than that including the ones in every modern desktop PCs.

More interestingly there is a lot of work going on on quantum secure
entropy extractors some even with side-channel goodness. Just google it.
There are lots of papers. This is worthwhile work and I hope we can deploy
it in real products the future.

If you saw my talk at ICMC2015, you'd see I'm happy to lose the DRBGs and
make entropy source and entropy extractors fast enough. They're faster per
watt and faster per unit area of silicon than DRBGs. OHTs are comparably
small. DRBGs are a band aid for slow sources and poor extractors. Today we
have fast sources and good, small, efficient extractors. It's the DRBGs
that still take 10s of thousands of gates.





More information about the cryptography mailing list