Hardware random number generator

(Redirected from Entropy pool)

In computing, a hardware random number generator (HRNG), true random number generator (TRNG), non-deterministic random bit generator (NRBG),[1] or physical random number generator[2][3] is a device that generates random numbers from a physical process capable of producing entropy (in other words, the device always has access to a physical entropy source[1]), unlike the pseudorandom number generator (PRNG, a.k.a. "deterministic random bit generator", DRBG) that utilizes a deterministic algorithm[2] and non-physical nondeterministic random bit generators that do not include hardware dedicated to generation of entropy.[1]

A USB-pluggable hardware true random number generator

Many natural phenomena generate low-level, statistically random "noise" signals, including thermal and shot noise, jitter and metastability of electronic circuits, Brownian motion, and atmospheric noise.[4] Researchers also used the photoelectric effect, involving a beam splitter, other quantum phenomena,[5][6][7][8][9] and even the nuclear decay (due to practical considerations the latter, as well as the atmospheric noise, is not viable).[4] While "classical" (non-quantum) phenomena are not truly random, an unpredictable physical system is usually acceptable as a source of randomness, so the qualifiers "true" and "physical" are used interchangeably.[10]

A hardware random number generator is expected to output near-perfect random numbers ("full entropy").[1] A physical process usually does not have this property, and a practical TRNG typically includes a few blocks:[11]

  • a noise source that implements the physical process producing the entropy. Usually this process is analog, so a digitizer is used to convert the output of the analog source into a binary representation;
  • a conditioner (randomness extractor) that improves the quality of the random bits;
  • health tests. TRNGs are mostly used in cryptographical algorithms that get completely broken if the random numbers have low entropy, so the testing functionality is usually included.

Hardware random number generators generally produce only a limited number of random bits per second. In order to increase the available output data rate, they are often used to generate the "seed" for a faster PRNG. DRBG also helps with the noise source "anonymization" (whitening out the noise source identifying characteristics) and entropy extraction. With a proper DRBG algorithm selected (cryptographically secure pseudorandom number generator, CSPRNG), the combination can satisfy the requirements of Federal Information Processing Standards and Common Criteria standards.[12]

Uses

edit

Hardware random number generators can be used in any application that needs randomness. However, in many scientific applications additional cost and complexity of a TRNG (when compared with pseudo random number generators) provide no meaningful benefits. TRNGs have additional drawbacks for data science and statistical applications: impossibility to re-run a series of numbers unless they are stored, reliance on an analog physical entity can obscure the failure of the source. The TRNGs therefore are primarily used in the applications where their unpredictability and the impossibility to re-run the sequence of numbers are crucial to the success of the implementation: in cryptography and gambling machines.[13]

Cryptography

edit

The major use for hardware random number generators is in the field of data encryption, for example to create random cryptographic keys and nonces needed to encrypt and sign data. In addition to randomness, there are at least two additional requirements imposed by the cryptographic applications:[14]

  1. forward secrecy guarantees that the knowledge of the past output and internal state of the device should not enable the attacker to predict future data;
  2. backward secrecy protects the "opposite direction": knowledge of the output and internal state in the future should not divulge the preceding data.

A typical way to fulfill these requirements is to use a TRNG to seed a cryptographically secure pseudorandom number generator.[15]

History

edit

Physical devices were used to generate random numbers for thousands of years, primarily for gambling. Dice in particular have been known for more than 5000 years (found on locations in modern Iraq and Iran), and flipping a coin (thus producing a random bit) dates at least to the times of ancient Rome.[16]

The first documented use of a physical random number generator for scientific purposes was by Francis Galton (1890).[17] He devised a way to sample a probability distribution using a common gambling dice. In addition to the top digit, Galton also looked at the face of a dice closest to him, thus creating 6*4 = 24 outcomes (about 4.6 bits of randomness).[16]

Kendall and Babington-Smith (1938)[18] used a fast-rotating 10-sector disk that was illuminated by periodic bursts of light. The sampling was done by a human who wrote the number under the light beam onto a pad. The device was utilized to produce a 100,000-digit random number table (at the time such tables were used for statistical experiments, like PRNG nowadays).[16]

On 29 April 1947, the RAND Corporation began generating random digits with an "electronic roulette wheel", consisting of a random frequency pulse source of about 100,000 pulses per second gated once per second with a constant frequency pulse and fed into a five-bit binary counter. Douglas Aircraft built the equipment, implementing Cecil Hasting's suggestion (RAND P-113)[19] for a noise source (most likely the well known behavior of the 6D4 miniature gas thyratron tube, when placed in a magnetic field[20]). Twenty of the 32 possible counter values were mapped onto the 10 decimal digits and the other 12 counter values were discarded.[21] The results of a long run from the RAND machine, filtered and tested, were converted into a table, which originally existed only as a deck of punched cards, but was later published in 1955 as a book, 50 rows of 50 digits on each page[16] (A Million Random Digits with 100,000 Normal Deviates). The RAND table was a significant breakthrough in delivering random numbers because such a large and carefully prepared table had never before been available. It has been a useful source for simulations, modeling, and for deriving the arbitrary constants in cryptographic algorithms to demonstrate that the constants had not been selected maliciously ("nothing up my sleeve numbers"). [22]

Since the early 1950s, research into TRNGs has been highly active, with thousands of research works published and about 2000 patents granted by 2017.[16]

Physical phenomena with random properties

edit

A lot of different TRNG designs were proposed over time with a large variety of noise sources and digitization techniques ("harvesting"). However, practical considerations (size, power, cost, performance, robustness) dictate the following desirable traits:[23]

  • use of a commonly available inexpensive silicon process;
  • exclusive use of digital design techniques. This allows an easier system-on-chip integration and enables the use of FPGAs;
  • compact and low-power design. This discourages use of analog components (e.g., amplifiers);
  • mathematical justification of the entropy collection mechanisms.

Stipčević & Koç in 2014 classified the physical phenomena used to implement TRNG into four groups:[3]

  • electrical noise;
  • free-running oscillators;
  • chaos;
  • quantum effects.

Electrical noise-based RNG

edit

Noise-based RNGs generally follow the same outline: the source of a noise generator is fed into a comparator. If the voltage is above threshold, the comparator output is 1, otherwise 0. The random bit value is latched using a flip-flop. Sources of noise vary and include:[24]

The drawbacks of using noise sources for an RNG design are:[25]

  • noise levels are hard to control, they vary with environmental changes and device-to-device;
  • calibration processes needed to ensure a guaranteed amount of entropy are time-consuming;
  • noise levels are typically low, thus the design requires power-hungry amplifiers. The sensitivity of amplifier inputs enables manipulation by an attacker;
  • circuitry located nearby generates a lot of non-random noise thus lowering the entropy;
  • a proof of randomness is near-impossible as multiple interacting physical processes are involved.[26]

Chaos-based RNG

edit

The idea of chaos-based noise stems from the use of a complex system that is hard to characterize by observing its behavior over time. For example, lasers can be put into (undesirable in other applications) chaos mode with chaotically fluctuating power, with power detected using a photodiode and sampled by a comparator. The design can be quite small, as all photonics elements can be integrated on-chip. Stipčević & Koç characterize this technique as "most objectionable", mostly due to the fact that chaotic behavior is usually controlled by a differential equation and no new randomness is introduced, thus there is a possibility of the chaos-based TRNG producing a limited subset of possible output strings.[27]

Free-running oscillators-based RNG

edit

The TRNGs based on a free-running oscillator (FRO) typically utilize one or more ring oscillators (ROs), outputs of which are sampled using yet another oscillator. Since inverters forming the RO can be thought of as amplifiers with a very large gain, an FRO output exhibits very fast oscillations in phase in frequency domains. The FRO-based TRNGs are very popular due to their use of the standard digital logic despite issues with randomness proofs and chip-to-chip variability.[27]

Quantum-based RNG

edit

Quantum random number generation technology is well established with 8 commercial quantum random number generator (QRNG) products offered before 2017.[28]

Herrero-Collantes & Garcia-Escartin list the following stochastic processes as "quantum":

To reduce costs and increase robustness of quantum random number generators,[39] online services have been implemented.[28]

A plurality of quantum random number generators designs[40] are inherently untestable and thus can be manipulated by adversaries. Mannalath et al. call these designs "trusted" in a sense that they can only operate in a fully controlled, trusted environment.[41]

Performance test

edit

The failure of a TRNG can be quite complex and subtle, necessitating validation of not just the results (the output bit stream), but of the unpredictability of the entropy source.[10] Hardware random number generators should be constantly monitored for proper operation to protect against the entropy source degradation due to natural causes and deliberate attacks. FIPS Pub 140-2 and NIST Special Publication 800-90B[42] define tests which can be used for this.

The minimal set of real-time tests mandated by the certification bodies is not large; for example, NIST in SP 800-90B requires just two continuous health tests:[43]

  1. repetition count test checks that the sequences of identical digits are not too long, for a (typical) case of a TRNG that digitizes one bit at a time, this means not having long strings of either 0s or 1s;
  2. adaptive proportion test verifies that any random digit does not occur too frequently in the data stream (low bias). For bit-oriented entropy sources that means that the count of 1s and 0s in the bit stream is approximately the same.

Problems

edit

Designing hardware or software devices to generate random numbers is challenging, as improper construction can lead to systems that degrade over time, producing less random outputs without obvious signs of failure. These silent failures are complex, slow, and difficult to detect. To mitigate such risks, combining multiple entropy sources can enhance robustness.

Continuous statistical testing of RNG outputs is essential due to the fragility of many entropy sources Level 3 and below (see next list) and their tendency to fail without warning. While some devices include built-in tests, not all do, underscoring the need for vigilant monitoring.

According to Quside and Deloitte, RNGs are classified into four levels based on their entropy quality and source:

  • Level 1 RNGs: Utilize deterministic algorithms, such as linear congruential generators, to produce sequences that appear random but are inherently predictable. These generators are unsuitable for cryptographic applications due to their vulnerability to prediction and manipulation.
  • Level 2 RNGs: Rely on non-dedicated entropy sources, including system events like mouse movements or keyboard timings. While they offer more unpredictability than Level 1, their randomness is limited and can be influenced or observed by attackers, compromising security.
  • Level 3 RNGs: Utilize dedicated entropy sources like ring oscillators, avalanche diodes, or basic Quantum Random Number Generators (QRNGs). These engineered sources offer improved entropy quality and unpredictability compared to lower levels. However, they still require careful management and verification to ensure consistent randomness.
  • Level 4 RNGs: Represent the highest standard, employing advanced RNGs such as those leveraging quantum phenomena to produce true randomness. These generators provide superior entropy quality and are less susceptible to prediction or manipulation, making them ideal for high-security applications. Additionally, Level 4 RNGs incorporate continuous observability and metrology, allowing real-time monitoring and verification of entropy quality to ensure consistent and reliable randomness.[44]

Implementing Level 4 RNGs can significantly reduce the risk of silent failures and enhance the reliability of random number generation. However, continuous monitoring and testing remain crucial to maintain the integrity of these systems.

Attacks

edit

Just as with other components of a cryptography system, a cryptographic random number generator should be designed to resist certain attacks. Defending against these attacks is difficult without a hardware entropy source.[citation needed]

The physical processes in HRNG introduce new attack surfaces. For example, a free-running oscillator-based TRNG can be attacked using a frequency injection.[45]

Estimating entropy

edit

There are mathematical techniques for estimating the entropy of a sequence of symbols. None are so reliable that their estimates can be fully relied upon; there are always assumptions which may be very difficult to confirm. These are useful for determining if there is enough entropy in a seed pool, for example, but they cannot, in general, distinguish between a true random source and a pseudorandom generator. This problem is avoided by the conservative use of hardware entropy sources.

See also

edit

References

edit
  1. ^ a b c d Turan et al. 2018, p. 64.
  2. ^ a b Schindler 2009, p. 7.
  3. ^ a b Stipčević & Koç 2014, p. 279.
  4. ^ a b Sunar 2009, p. 56.
  5. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 8.
  6. ^ Jacak, Marcin M.; Jóźwiak, Piotr; Niemczuk, Jakub; Jacak, Janusz E. (2021). "Quantum generators of random numbers". Scientific Reports. 11 (1): 16108. Bibcode:2021NatSR..1116108J. doi:10.1038/s41598-021-95388-7. PMC 8352985. PMID 34373502.
  7. ^ Ma, Xiongfeng; Yuan, Xiao; Cao, Zhu; Qi, Bing; Zhang, Zhen (2016). "Quantum random number generation". npj Quantum Information. 2 (1): 16021. arXiv:1510.08957. Bibcode:2016npjQI...216021M. doi:10.1038/npjqi.2016.21.
  8. ^ Kollmitzer, Christian; Petscharnig, Stefan; Suda, Martin; Mehic, Miralem (2020). "Quantum Random Number Generation". Quantum Random Number Generation: Theory and Practice. Springer International Publishing. pp. 11–34. doi:10.1007/978-3-319-72596-3_2. ISBN 978-3-319-72596-3.
  9. ^ Mannalath, Mishra & Pathak 2023.
  10. ^ a b Herrero-Collantes & Garcia-Escartin 2017, p. 4.
  11. ^ Turan et al. 2018, p. 6.
  12. ^ Saarinen, Newell & Marshall 2020.
  13. ^ Templ 2016, p. 90.
  14. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 6.
  15. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 7.
  16. ^ a b c d e L'Ecuyer 2017.
  17. ^ Galton, Francis (1890). "Dice for statistical experiments" (PDF). Nature. 42 (1070): 13–14. Bibcode:1890Natur..42...13G. doi:10.1038/042013a0. S2CID 4038609. Archived (PDF) from the original on 4 March 2016. Retrieved 14 May 2014.
  18. ^ Kendall, M. G., and B. Babington-Smith. 1938. “Randomness and other random sampling numbers”. Journal of the Royal Statistical Society 101:147–166.
  19. ^ Brown, George W. (January 1949), P-113, Papers, Rand Corporation, archived from the original on 2007-06-05, retrieved 2009-05-10.
  20. ^ Cobine, Curry (1947), "Electrical Noise Generators", Proceedings of the I.R.E. (September 1947): 875–9
  21. ^ Monograph report, Rand Corporation, January 2001, archived from the original on 2018-04-15, retrieved 2009-01-29.
  22. ^ Schneier, Bruce (1995-11-01). "Other Stream Ciphers and Real Random-Sequence Generators". Applied Cryptography (Second ed.). John Wiley & Sons, Inc. p. 423. ISBN 978-0-471-11709-4.
  23. ^ Sunar 2009, p. 57.
  24. ^ Stipčević & Koç 2014, pp. 279–280.
  25. ^ Stipčević & Koç 2014, p. 280.
  26. ^ Stipčević & Koç 2014, p. 286.
  27. ^ a b Stipčević & Koç 2014, pp. 288–289.
  28. ^ a b Herrero-Collantes & Garcia-Escartin 2017, p. 2.
  29. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 10–13.
  30. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 13–14.
  31. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 15.
  32. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 17.
  33. ^ Herrero-Collantes & Garcia-Escartin 2017, p. 20.
  34. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 20–21.
  35. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 21–22.
  36. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 23–24.
  37. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 24–25.
  38. ^ Herrero-Collantes & Garcia-Escartin 2017, pp. 27–28.
  39. ^ Huang, Leilei; Zhou, Hongyi; Feng, Kai; Xie, Chongjin (2021-07-07). "Quantum random number cloud platform". npj Quantum Information. 7 (1). Springer Science and Business Media LLC: 107. Bibcode:2021npjQI...7..107H. doi:10.1038/s41534-021-00442-x. ISSN 2056-6387.
  40. ^ Mannalath, Mishra & Pathak 2023, p. 4.
  41. ^ Mannalath, Mishra & Pathak 2023, p. 9.
  42. ^ Turan et al. 2018.
  43. ^ Turan et al. 2018, pp. 25–27.
  44. ^ "Exploring RNG Types: Level 1 to Level 4 Random Number Generators" (in Spanish). 2024-11-08. Retrieved 2024-11-16.
  45. ^ Markettos, A. Theodore; Moore, Simon W. (2009). "The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators". Lecture Notes in Computer Science (PDF). Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 317–331. doi:10.1007/978-3-642-04138-9_23. ISBN 978-3-642-04137-2. ISSN 0302-9743.

Sources

edit

General references

edit
edit