[Cryptography] Photon beam splitters for "true" random number generation ?

[sebastien riou]

> On Dec 13, 2015, at 1:19 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
>
>> At 11:48 AM 12/13/2015, Bill Cox wrote:
>>> On Sat, Dec 12, 2015 at 11:19 PM, Ron Garret <ron at flownet.com> wrote:
>>>
>>>> Perhaps such a device has already been built & tested?
>>>
>>> Probably not.  The reason is that there are much easier ways to avail yourself of (essentially) the same physics.  Thermal noise, for example, gives you just as much “true randomness† as quantum measurements (because thermal noise is, at root, a quantum effect) but it's much (much!) easier to obtain.
>>>
>>> If I understand their technology correctly, this company has been selling them for years.
>>>
>>> http://www.idquantique.com/random-number-generation/quantis-random-number-generator/
>>
>> Very interesting; ~ $1100 - $3300 for 4Mbits/sec to 16Mbits/sec.
>>
>> 9 hours to fill up a 64GByte USB flash drive @ 16Mbits/sec.
>>
>> Next question: how in the world could such a device ever be certified not to have a 'quantum insert' from our TAO friends?  The sales of these devices probably number in the tens per month, so purchasing even *one* would raise a flag at GCHQ.
>>
>> After all, at $1/GB, you could put 3.3TBytes into a $3300 device; how could one ever certify that a device that incorporate 3TBytes was "truly random" ?
>>
>> Even w/o memory, a microscopic radio receiver could modify the device output to be no longer random, or an undocumented USB command could do the same thing.
>>
>> And you thought that testing a VW emissions control system was hard!
>>
>
> This is exactly right.  The quantis device is pure marketing hype, designed for the PHB who needs to be able to say that s/he’s using something “certified.”  It might work as advertised, or it might not.  The only way to tell is 1) trust the certification or 2) audit the device yourself.  And option 1 requires an awful lot of trust: you have to trust not only that the people doing the certification knew what they were doing, but also that the particular device you’re using was constructed according to the certified design.
>
> It’s really all marketing hype.  A properly configured op-amp will give you every bit as much true randomness as the quantis device for a tiny, tiny fraction of the cost, and will be much more difficult to attack.  I can think of a dozen way the quantis device could be compromised, but to attack a thermal noise source you would have to do something like dunk it in liquid nitrogen.
>
> rg
>

For those who can't afford idquantique stuff and can't want higher
rates than few kb/s, there are methods to generates hundreds of mega
bytes per second on FPGAs. I came up with one and implemented it on a
25$ board from Lattice, in the end the FTDI chip used to do the USB
connection was the bottleneck, even after applying AES128 CMAC on 3
blocks to output 1 (more info on http://kidekin.nimp.co.uk/ , I can
share the source on request). A 100$ spartan6 board programming
directly a SDcard may well take less than 9 hours, basically you can
go as fast as the write speed of the card because you can add an awful
lot of TRNGs in parallel in a single spartan6, potentially each of
them of a different type...
With FPGAs you get not only speed but also a pretty good garantee that
your numbers are not compromised in some way, assuming you generate
your own bitfile (and review the source or write your own). Sure
that's some work but that's a piece of cake compared to the analog
approaches, you don't need to do your own PCB for one...

If the purpose of programming flash drives is to use as one time pad,
you can even write 2 or more cards at the same time if you have some
soldering skills :-)

Sebastien