Post on 13-Sep-2020
Quantum Quantum RandomRandom NumberNumber GeneratorsGenerators22ndnd ETSI QuantumETSI Quantum--SafeSafe CryptographyCryptography WorkshopWorkshop
Grégoire RibordyID Quantique
Random Numbers
� Very useful in a variety of applications
� Difficult to produce• Computers cannot produce random numbers without special hardware
� Impossible to proove randomness of a finite sequence a posteriori� When generating random numbers, understanding the methodused is important
Games Cryptography Numerical Simulations Web Applications(e-commerce, etc.)
OutlineOutline
� Challenges with Random Number Generators
� Example of a Quantum Random Number Generator
� Security Evaluation and Certification
� New Approach to QRNG
FindingFinding WeakWeak RNG’SRNG’S
� Collecting public keys on the Internet• Lenstra: 5 million PGP keys• Heninger: 22 million keys in
network devices
� Look for matching keys
� Heninger’s finding:• Keys served more than once: 60%• Weak keys: 5.6%
– 5.3%: Default keys– 0.3%: Weak keys
• Vendors:Cisco, Dell, IBM, etc.
� Use of software RNG’s• Gathering of entropy and post-
� Identify weak keys• Keys sharing one factor with
another key
� Finding the GCD is easier than factoring
• Gathering of entropy and post-processing
• Poor implementation (key generation too early in boot process)
• Not enough entropy due to isolation of devices
4
A. Lenstra et al., « Ron was wrong, Whit is right. » IACR Cryptology ePrint Archive 2012: 64 (2012)
N. Heninger et al., « Mining your Ps and Qs: Detection of widespread weak keys in network devices », Usenix Security 2012
Hardware Hardware TrojanTrojan HorseHorse
� Modification functionality of chips by change of dopant polarity (n or p)• Inverter
0 � 1 & 1 � 00 ���� 1 & 1 ���� 1
� Change of dopant masks
� Illustration of possible vulnerability: RNG in Intel Ivy Bridge Processors• Metastable Entropy Source• Generation of blocks of 128 bits of
randomness
� Change of dopant masks
� Chip validation• Pre-manufacturing: code review• Post-manufacturing
– Optical inspection– Built-in tests
5
G. Becker et al., « Stealthy Dopant-Level Hardware Trojans », CHES 2013
TRNG ModelTRNG Model
Total Failure
Test
Dopant Trojan Attack Possibility
Controlled reduction of entropy (n bits out of 128)
Passing Tests
6
W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31
EntropySource
DigitisationOnline Tests
Post-processing
(DRNG) Passes Statistical Tests if n
large enough (n =
32)
BullrunBullrun and Dual EC DRBGand Dual EC DRBG
� NSA: "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”
� Example: Dual EC DRBG� Example: Dual EC DRBG• Slow• Backdoor known since 2007
• Generator used by prominent vendors until 2013
7
True Random Number Generatorbased on Classical Physics
� Physical Random Number Generator exploiting a phenomenon described by classical physics• Coin tossing, Roulette ball, electronic noise signal,
etc.
� Not random but « difficult » to predict
� Origin of Impredictability• Initial conditions (Chaos)• Environment
� Example: Sampling of Noise Signal 0
1Difficulties• Speed• Influence of environment• Detection of « partial » total failure
True Random Number Generatorbased on Quantum Physics
� Physical Random Number Generator exploiting a phenomenon described by quantum physics
� Truly random
Photons
Detectors
Semi-transparentMirror
Advantages• Speed• Simple process that can be modeled � influence of environment can be ruled out• Live monitoring of elementary components possible to detect total failure
Source of photons
Quantis Quantis (Q)TRNG I(Q)TRNG Implementationmplementation
� Complex Programmable Logic Device (CPLD) to implement the logic� Low EMI oscillator spread spectrum clock oscillator� Two voltage regulators� Micropower DC/DC converter (for the detectors bias voltage)� Passive electrical components� Optical Sub-System
10
Optical SubsystemOptical Subsystem
� Emitter: printed-circuit board and LED� Receiver: printed-circuit board and detectors� Packaging: black aluminum cube
11
Technology qualified for automotive applications � High reliability
QRNG Solution
� Random bit rate:• 4 Mbps or 16 Mbps
� Applications• Security and cryptography• Security and cryptography• Scientific research• Gaming
RandomnessRandomness ExtractionExtraction
� ~2 x 1096 before a deviation is observed
� Bit rate reduction: 25%
[1] D. Frauchiger, R. Renner, and M. Troyer. True randomness from realistic quantum devices. arXiv preprint arXiv:1311.4547, 2013.
[2] M. Troyer and R. Renner. A randomness extractor for the quantis device. Id Quantique technical report, 2012.
Happy Happy BirthdayBirthday QRNG!QRNG!
� Quantis is 10 years old!
14
Addition of Quantis to the collection of the National Museum of Computing at Bletchley Park UK, as an illustration of emerging quantum technologiesSpecial Gold Plated Edition
Evaluation and Certification
� National Metrology Laboratory• Focus: Physical Principle, Statistical Properties• Products covered: PCI, PCIe, USB (+ component)
� Gaming Test Houses• Focus: Statistical Properties, Software, Scaling• Products covered: PCI, PCIe, USB (+ component)• Products covered: PCI, PCIe, USB (+ component)
� National Security Government Agencies• Focus: Physical Principle, Implementation• Products covered: Component
AIS31 - Context
“A proposal for: Functionality classes for random nu mber generators”, Version 2.0, 18 September 2011
Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn
Deterministic (Pseudo) RNG• DRG.1• DRG.2• DRG.3
Non-Deterministic (Physical) RNG• PTG.1Physical RNG with internal tests that detect a total failure of the entropy source and non-tolerable statistical defects of the internal random • DRG.3
• DRG.4• NTG.1
tolerable statistical defects of the internal random numbers
• PTG.2PTG.1, additionally a stochastic model of the entropy source and statistical tests of the raw random numbers
• PTG.3PTG.2, additionally with cryptographic post-processing (hybrid PTRNG)
TRNG ModelTRNG Model
Entropy Online Post-
Total Failure
Test
Bit rate0/1 RatioDetector Dark Counts
Evaluation completed in Aug. 2014
17
W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31
EntropySource
DigitisationOnline Tests
Post-processing
(DRNG)
Binary Single-Photon
Detection
Not Needed AIS 31 AES
Optical SubsystemOptical Subsystem
APD’s in Geiger Mode- Bias of 25V- Power consumption
18
Technology qualified for automotive applications � High reliability
New New ApproachApproach for QRNGfor QRNG
19
� Bruno Sanguinetti, Anthony Martin, Hugo Zbinden and Nicolas Gisin
PracticalPractical TestsTests
Astronomy CCD(ATIK 383L+)
Noise: 10 e-
20
Phone CMOS(Nokia N9)
Noise: 10 e
Noise: 3 e-
RealReal--World ImperfectionsWorld Imperfections
21
Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.
Alice can extract randomness from quantum noise.
IntegrationIntegration PossibilityPossibility
22
Sensor: 8 Megapixels x 30 frames/s x 3 bits = 720 Mbit/s
Extractor:software ~10 Mbps;FPGA ~ 1.25 Gbps
Thank you for you attentionThank you for you attention
• 7th Winter school on practical quantum communications• January 2015• In Les Diablerets, Switzerland
– Whitfield Diffie– Nicolas Gisin– Dr. Colin P Williams, D-Wave, – Sandu Popescu– Eleni Diamanti– Eleni Diamanti
• New – Track on Security Evaluation andCertification
Website: http://www.idquantique.com/instrumentation/training.htmlContact: info@idquantique.com or gregoire.ribordy@idquantique.com
Physical Principle ExplanationPhysical Principle Explanation
Gaussian beam
Probability of detection almost constant in the centre of the beam
24
Random bit stream generationby association of a bit valueto each detectors