[Cryptography] Generate Random Data From Sound Card

Jon Callas jon at callas.org
Thu Mar 5 18:25:55 EST 2026 


> On Mar 5, 2026, at 06:53, Theodore Tso <tytso at mit.edu> wrote:
> 
> On Thu, Mar 05, 2026 at 02:14:52AM +0000, Peter Gutmann via cryptography wrote:
>> Jon Callas <jon at callas.org> writes:
>> 
>>> Same principle as the camera with a lens cap on.


Replying to both Peter and Ted:

>> 
>> Cameras (proper ones, not cellphones) already take advantage of this
>> in dark- frame subtraction, with long exposures or high ISO shots
>> they take images with the shutter closed to capture sensor noise and
>> then subtract that from the actual image.

What do you mean by "proper" camera? I don't understand what it is that suddenly makes a bunch of photons running through a complex physics experiment suddenly not proper.

> 
> The better camera do capture the output of the senor when the shutter
> close to try to reduce noise from high ISO shots --- but the fact that
> this *does* work means that it's not true quantuum noise.  

Why? Denoising algorithms are just math correcting quantum data. What is not quantum there? Photons are quantum objects to me, and that's what we're talking about.

> If there
> are characteristics sensor quirks that are there between successive
> sensor grabs, then you can't really use this as unpredictable
> randomness for cryptographic purposes.  Fortunately there is *some*
> quantuum noise, but that's not why dark-frame substraction works.

Again, I don't understand. What I'm asserting is that the data coming off of the sensor -- in my case of taking pictures in nigh-total darkness -- has somewhere in the range of 512-1024 totally unguessable bit in it from quantum noise -- and the noise from a high-ISO setting is precisely quantum noise. 

There's a similar thing going on in audio hiss; it's quantum noise, just at a far lower bitrate.

Let us also note that in a typical modern sensor, each pixel is 12-14 bits of depth on three channels. There's a lot of room for something usable in there.

> 
> Put another way, if you take two successive sensor captures with lens
> cap on, there will be a component which is the same across the two
> captures (which is the bit that is helpful for dark-frame
> subtraction), and bits that differ between successive sensor grabs.

Well, sure -- it's going to be mostly black. You're also inserting into the discussion dark frame subtraction which is not the same.

> 
> All of this is why there's a lot of verification and experimentation
> which is needed before assuming that everything that you get is
> something that can be relied upon for random number generation.

I want to call out here "assuming" and "everything" where are not at all what I'm saying at all. I'm not assuming, I'm arguing. And I never said everything. One of my arguments is that a dark picture is as good as picture of lava lamps, because there's enough sensor noise that when you hash it, it'll be random enough.

If you're asserting that lavarand isn't random enough for cryptographic purposes, I'm cool with that -- I'm only arguing that the dark frame is as good as lavarand. I also think that hashing a picture of just about anything is good enough, because the requirements for cryptography are so low (512-1024 bits of unguessable stuff in the many megapixels). Nonetheless, this is a delightful argument (that none of it is good enough) and I want to explore.

	Jon

More information about the cryptography mailing list