Quantum Quantum RandomRandom NumberNumber GeneratorsGenerators22ndnd ETSI QuantumETSI Quantum--SafeSafe CryptographyCryptography WorkshopWorkshop

Grégoire RibordyID Quantique

Random Numbers

� Very useful in a variety of applications

� Difficult to produce• Computers cannot produce random numbers without special hardware

� Impossible to proove randomness of a finite sequence a posteriori� When generating random numbers, understanding the methodused is important

Games Cryptography Numerical Simulations Web Applications(e-commerce, etc.)

OutlineOutline

� Challenges with Random Number Generators

� Example of a Quantum Random Number Generator

� Security Evaluation and Certification

� New Approach to QRNG

FindingFinding WeakWeak RNG’SRNG’S

� Collecting public keys on the Internet• Lenstra: 5 million PGP keys• Heninger: 22 million keys in

network devices

� Look for matching keys

� Heninger’s finding:• Keys served more than once: 60%• Weak keys: 5.6%

– 5.3%: Default keys– 0.3%: Weak keys

• Vendors:Cisco, Dell, IBM, etc.

� Use of software RNG’s• Gathering of entropy and post-

� Identify weak keys• Keys sharing one factor with

another key

� Finding the GCD is easier than factoring

• Gathering of entropy and post-processing

• Poor implementation (key generation too early in boot process)

• Not enough entropy due to isolation of devices

4

A. Lenstra et al., « Ron was wrong, Whit is right. » IACR Cryptology ePrint Archive 2012: 64 (2012)

N. Heninger et al., « Mining your Ps and Qs: Detection of widespread weak keys in network devices », Usenix Security 2012

Hardware Hardware TrojanTrojan HorseHorse

� Modification functionality of chips by change of dopant polarity (n or p)• Inverter

0 � 1 & 1 � 00 ���� 1 & 1 ���� 1

� Change of dopant masks

� Illustration of possible vulnerability: RNG in Intel Ivy Bridge Processors• Metastable Entropy Source• Generation of blocks of 128 bits of

randomness

� Change of dopant masks

� Chip validation• Pre-manufacturing: code review• Post-manufacturing

– Optical inspection– Built-in tests

5

G. Becker et al., « Stealthy Dopant-Level Hardware Trojans », CHES 2013

TRNG ModelTRNG Model

Total Failure

Test

Dopant Trojan Attack Possibility

Controlled reduction of entropy (n bits out of 128)

Passing Tests

6

W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31

EntropySource

DigitisationOnline Tests

Post-processing

(DRNG) Passes Statistical Tests if n

large enough (n =

32)

BullrunBullrun and Dual EC DRBGand Dual EC DRBG

� NSA: "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”

� Example: Dual EC DRBG� Example: Dual EC DRBG• Slow• Backdoor known since 2007

• Generator used by prominent vendors until 2013

7

True Random Number Generatorbased on Classical Physics

� Physical Random Number Generator exploiting a phenomenon described by classical physics• Coin tossing, Roulette ball, electronic noise signal,

etc.

� Not random but « difficult » to predict

� Origin of Impredictability• Initial conditions (Chaos)• Environment

� Example: Sampling of Noise Signal 0

1Difficulties• Speed• Influence of environment• Detection of « partial » total failure

True Random Number Generatorbased on Quantum Physics

� Physical Random Number Generator exploiting a phenomenon described by quantum physics

� Truly random

Photons

Detectors

Semi-transparentMirror

Advantages• Speed• Simple process that can be modeled � influence of environment can be ruled out• Live monitoring of elementary components possible to detect total failure

Source of photons

Quantis Quantis (Q)TRNG I(Q)TRNG Implementationmplementation

� Complex Programmable Logic Device (CPLD) to implement the logic� Low EMI oscillator spread spectrum clock oscillator� Two voltage regulators� Micropower DC/DC converter (for the detectors bias voltage)� Passive electrical components� Optical Sub-System

10

Optical SubsystemOptical Subsystem

� Emitter: printed-circuit board and LED� Receiver: printed-circuit board and detectors� Packaging: black aluminum cube

11

Technology qualified for automotive applications � High reliability

QRNG Solution

� Random bit rate:• 4 Mbps or 16 Mbps

� Applications• Security and cryptography• Security and cryptography• Scientific research• Gaming

RandomnessRandomness ExtractionExtraction

� ~2 x 1096 before a deviation is observed

� Bit rate reduction: 25%

[1] D. Frauchiger, R. Renner, and M. Troyer. True randomness from realistic quantum devices. arXiv preprint arXiv:1311.4547, 2013.

[2] M. Troyer and R. Renner. A randomness extractor for the quantis device. Id Quantique technical report, 2012.

Happy Happy BirthdayBirthday QRNG!QRNG!

� Quantis is 10 years old!

14

Addition of Quantis to the collection of the National Museum of Computing at Bletchley Park UK, as an illustration of emerging quantum technologiesSpecial Gold Plated Edition

Evaluation and Certification

� National Metrology Laboratory• Focus: Physical Principle, Statistical Properties• Products covered: PCI, PCIe, USB (+ component)

� Gaming Test Houses• Focus: Statistical Properties, Software, Scaling• Products covered: PCI, PCIe, USB (+ component)• Products covered: PCI, PCIe, USB (+ component)

� National Security Government Agencies• Focus: Physical Principle, Implementation• Products covered: Component

AIS31 - Context

“A proposal for: Functionality classes for random nu mber generators”, Version 2.0, 18 September 2011

Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn

Deterministic (Pseudo) RNG• DRG.1• DRG.2• DRG.3

Non-Deterministic (Physical) RNG• PTG.1Physical RNG with internal tests that detect a total failure of the entropy source and non-tolerable statistical defects of the internal random • DRG.3

• DRG.4• NTG.1

tolerable statistical defects of the internal random numbers

• PTG.2PTG.1, additionally a stochastic model of the entropy source and statistical tests of the raw random numbers

• PTG.3PTG.2, additionally with cryptographic post-processing (hybrid PTRNG)

TRNG ModelTRNG Model

Entropy Online Post-

Total Failure

Test

Bit rate0/1 RatioDetector Dark Counts

Evaluation completed in Aug. 2014

17

W. Killmann and W. Schindler, « A proposal for: Functionality classes for random number generators », AIS31

EntropySource

DigitisationOnline Tests

Post-processing

(DRNG)

Binary Single-Photon

Detection

Not Needed AIS 31 AES

Optical SubsystemOptical Subsystem

APD’s in Geiger Mode- Bias of 25V- Power consumption

18

Technology qualified for automotive applications � High reliability

New New ApproachApproach for QRNGfor QRNG

19

� Bruno Sanguinetti, Anthony Martin, Hugo Zbinden and Nicolas Gisin

PracticalPractical TestsTests

Astronomy CCD(ATIK 383L+)

Noise: 10 e-

20

Phone CMOS(Nokia N9)

Noise: 10 e

Noise: 3 e-

RealReal--World ImperfectionsWorld Imperfections

21

Even if Eve has full knowledge of the technical noise, the best she can do is recover the quantum noise.

Alice can extract randomness from quantum noise.

IntegrationIntegration PossibilityPossibility

22

Sensor: 8 Megapixels x 30 frames/s x 3 bits = 720 Mbit/s

Extractor:software ~10 Mbps;FPGA ~ 1.25 Gbps

Thank you for you attentionThank you for you attention

• 7th Winter school on practical quantum communications• January 2015• In Les Diablerets, Switzerland

– Whitfield Diffie– Nicolas Gisin– Dr. Colin P Williams, D-Wave, – Sandu Popescu– Eleni Diamanti– Eleni Diamanti

• New – Track on Security Evaluation andCertification

Website: http://www.idquantique.com/instrumentation/training.htmlContact: info@idquantique.com or gregoire.ribordy@idquantique.com

Physical Principle ExplanationPhysical Principle Explanation

Gaussian beam

Probability of detection almost constant in the centre of the beam

24

Random bit stream generationby association of a bit valueto each detectors