[Cryptography] Photon beam splitters for "true" random number generation ?

Stephen Wood smwood4 at gmail.com
Tue Dec 15 15:56:53 EST 2015


On Tue, Dec 15, 2015 at 5:59 AM, sebastien riou <seb.riou at nimp.co.uk> wrote:

> > On Dec 13, 2015, at 1:19 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> >
> >> At 11:48 AM 12/13/2015, Bill Cox wrote:
> >>> On Sat, Dec 12, 2015 at 11:19 PM, Ron Garret <ron at flownet.com> wrote:
> >>>
> >>>> Perhaps such a device has already been built & tested?
> >>>
> >>> Probably not.  The reason is that there are much easier ways to avail
> yourself of (essentially) the same physics.  Thermal noise, for example,
> gives you just as much “true randomness” as quantum measurements
> (because thermal noise is, at root, a quantum effect) but it's much (much!)
> easier to obtain.
> >>>
> >>> If I understand their technology correctly, this company has been
> selling them for years.
> >>>
> >>>
> http://www.idquantique.com/random-number-generation/quantis-random-number-generator/
> >>
> >> Very interesting; ~ $1100 - $3300 for 4Mbits/sec to 16Mbits/sec.
> >>
> >> 9 hours to fill up a 64GByte USB flash drive @ 16Mbits/sec.
> >>
> >> Next question: how in the world could such a device ever be certified
> not to have a 'quantum insert' from our TAO friends?  The sales of these
> devices probably number in the tens per month, so purchasing even *one*
> would raise a flag at GCHQ.
> >>
> >> After all, at $1/GB, you could put 3.3TBytes into a $3300 device; how
> could one ever certify that a device that incorporate 3TBytes was "truly
> random" ?
> >>
> >> Even w/o memory, a microscopic radio receiver could modify the device
> output to be no longer random, or an undocumented USB command could do the
> same thing.
> >>
> >> And you thought that testing a VW emissions control system was hard!
> >>
> >
> > This is exactly right.  The quantis device is pure marketing hype,
> designed for the PHB who needs to be able to say that s/he’s using
> something “certified.”  It might work as advertised, or it might not.  The
> only way to tell is 1) trust the certification or 2) audit the device
> yourself.  And option 1 requires an awful lot of trust: you have to trust
> not only that the people doing the certification knew what they were doing,
> but also that the particular device you’re using was constructed according
> to the certified design.
> >
> > It’s really all marketing hype.  A properly configured op-amp will give
> you every bit as much true randomness as the quantis device for a tiny,
> tiny fraction of the cost, and will be much more difficult to attack.  I
> can think of a dozen way the quantis device could be compromised, but to
> attack a thermal noise source you would have to do something like dunk it
> in liquid nitrogen.
> >
> > rg
> >
>
> For those who can't afford idquantique stuff and can't want higher
> rates than a few kb/s, there are methods to generate hundreds of
> megabytes per second on FPGAs. I came up with one and implemented it on a
> 25$ board from Lattice, in the end the FTDI chip used to do the USB
> connection was the bottleneck, even after applying AES128 CMAC on 3
> blocks to output 1 (more info on http://kidekin.nimp.co.uk/ , I can
> share the source on request). A 100$ spartan6 board programming
> directly an SD card may well take less than 9 hours, basically you can
> go as fast as the write speed of the card because you can add an awful
> lot of TRNGs in parallel in a single spartan6, potentially each of
> them of a different type...
> With FPGAs you get not only speed but also a pretty good guarantee that
> your numbers are not compromised in some way, assuming you generate
> your own bitfile (and review the source or write your own). Sure
> that's some work but that's a piece of cake compared to the analog
> approaches, you don't need to do your own PCB for one...
>
> If the purpose of programming flash drives is to use as one time pad,
> you can even write 2 or more cards at the same time if you have some
> soldering skills :-)
>
> Sebastien
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>

I hope this isn't too off-topic, but for somebody looking for an open-source
hardware TRNG for real-world server use, the selection is abysmally low. In
fact I can only find two: a single person in San Francisco making them by
hand <https://www.tindie.com/products/WaywardGeek/infinite-noise/>, and the
onerng <http://onerng.info/>, which became available just *this month!*

I don't know how practical Mr. Baker's initial design would be to implement
on silicon, but my hope is the spitballing will eventually trickle down
into additional open-source TRNG designs.

-- 
Stephen Wood