Hardware random number generator
In computing, a hardware random number generator (true random number generator, TRNG) is a device that generates random numbers from a physical process, rather than from a computer program. Such devices are often based on microscopic phenomena that generate low-level, statistically random "noise" signals, such as thermal noise, the photoelectric effect (involving a beam splitter), and other quantum phenomena.
These stochastic processes are, in theory, completely unpredictable, and the theory's assertions of unpredictability are subject to experimental test. A hardware random number generator typically consists of a transducer to convert some aspect of the physical phenomenon into an electrical signal, an amplifier and other electronic circuitry to raise the amplitude of the random fluctuations to a measurable level, and some type of analog-to-digital converter to convert the output into a digital number, often a single binary digit, 0 or 1.
By repeatedly sampling the randomly varying signal, a series of random numbers is obtained. The main application for electronic hardware random number generators is in cryptography, where they are used to create random cryptographic keys for transmitting data securely.
Random number generators can also be built from "random" macroscopic processes, using devices such as coin flipping, dice, roulette wheels and lottery machines. The presence of unpredictability in these phenomena can be justified by the theory of unstable dynamical systems and chaos theory.
Even though macroscopic processes are deterministic under Newtonian mechanics, the output of a well-designed device like a roulette wheel cannot be predicted in practice, because it depends on the sensitive micro-details of the initial conditions of each use. Although dice have been mostly used in gambling, and as "randomizing" elements in games e. Hardware random number generators generally produce a limited number of random bits per second.
In order to increase the data rate, they are often used to generate the "seed" for a faster cryptographically secure pseudorandom number generator (CSPRNG), which then generates the pseudorandom output sequence.
Unpredictable random numbers were first investigated in the context of gambling, and many randomizing devices such as dice, shuffling playing cards, and roulette wheels were first developed for such use. Fairly produced random numbers are vital to electronic gambling, and ways of creating them are sometimes regulated by governmental gaming commissions.
Random numbers are also used for non-gambling purposes, both where their use is mathematically important, such as sampling for opinion polls, and in situations where fairness is approximated by randomization, such as selecting jurors and military draft lotteries. The major use for hardware random number generators is in the field of data encryption, for example to create random cryptographic keys to encrypt data. They are a more secure alternative to pseudorandom number generators (PRNGs), software programs commonly used in computers to generate "random" numbers.
PRNGs use a deterministic algorithm to produce numerical sequences. Although these pseudorandom sequences pass statistical pattern tests for randomness, anyone who knows the algorithm and the conditions used to initialize it, called the "seed", can predict the output. Because the sequence of numbers produced by a PRNG is predictable, data encrypted with pseudorandom numbers is potentially vulnerable to cryptanalysis.
Hardware random number generators produce sequences of numbers that are assumed not to be predictable, and therefore provide the greatest security when used to encrypt data. One early way of producing random numbers was by a variation of the same machines used to play keno or select lottery numbers.
These mixed numbered ping-pong balls with blown air, perhaps combined with mechanical agitation, and used some method to withdraw balls from the mixing chamber. This method gives reasonable results in some senses, but the random numbers generated by this means are expensive.
The method is inherently slow, and is unusable for most computing applications. On 29 April, RAND Corporation began generating random digits with an "electronic roulette wheel", consisting of a random-frequency pulse source of about pulses per second, gated once per second with a constant-frequency pulse and fed into a five-bit binary counter.
Twenty of the 32 possible counter values were mapped onto the 10 decimal digits and the other 12 counter values were discarded. The results of a long run from the RAND machine, filtered and tested, were converted into a table, which was published in the book A Million Random Digits with Normal Deviates.
The RAND table was a significant breakthrough in delivering random numbers because such a large and carefully prepared table had never before been available. It has been a useful source for simulations, modeling, and for deriving the arbitrary constants in cryptographic algorithms to demonstrate that the constants had not been selected maliciously (so-called "nothing up my sleeve" numbers). There are two fundamental sources of practical quantum mechanical physical randomness. First, quantum mechanics predicts that certain physical phenomena, such as the nuclear decay of atoms, are fundamentally random and cannot, in principle, be predicted (for a discussion of empirical verification of quantum unpredictability, see Bell test experiments).
Second, because we live at a temperature above absolute zero, every system has some random variation in its state; for instance, molecules of the gases composing air are constantly bouncing off each other in a random way (see statistical mechanics). This randomness is a quantum phenomenon as well (see phonon). Several quantum phenomena are used for random number generation.
Thermal phenomena are easier to detect. They are somewhat vulnerable to attack by lowering the temperature of the system, though most systems will stop operating at temperatures low enough to reduce noise by a factor of two e. Various thermal phenomena are used as sources. In the absence of quantum effects or thermal noise, other phenomena that tend to be random, although in ways not easily characterized by laws of physics, can be used.
When several such sources are combined carefully, as in, for example, the Yarrow algorithm or Fortuna CSPRNGs, enough entropy can be collected for the creation of cryptographic keys and nonces, though generally at restricted rates.
The advantage is that this approach needs, in principle, no special hardware. The disadvantage is that a sufficiently knowledgeable attacker can surreptitiously modify the software or its inputs, thus reducing the randomness of the output, perhaps substantially.
This last approach must be implemented carefully and may be subject to attack if it is not. For instance, the forward-security of the generator in Linux 2. Another variable physical phenomenon that is easy to measure is clock drift.
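The accumulate-then-reseed pattern described above (several weak sources mixed into a pool, a CSPRNG seeded from it) can be shown in a few dozen lines. The following is an added example written for this page, not the Yarrow or Fortuna code and not a real library API; the class names, the source samples, the SHA-256/HMAC construction and the MIN_SEED_BITS threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Added illustration of a Yarrow/Fortuna-style accumulator (simplified, not the
# real algorithms). Source ids, entropy estimates and thresholds are assumptions.


class EntropyPool:
    """Hash-based accumulator: every sample from every source is folded into
    one running SHA-256 state, along with a conservative entropy estimate."""

    def __init__(self):
        self._hasher = hashlib.sha256()
        self._bits_estimate = 0.0

    def add(self, source_id: int, sample: bytes, est_bits: float) -> None:
        # Tag each sample with its source id and length so samples from
        # different sources cannot be confused with one another.
        self._hasher.update(struct.pack(">BH", source_id, len(sample)) + sample)
        self._bits_estimate += est_bits

    def estimate(self) -> float:
        return self._bits_estimate

    def extract_seed(self) -> bytes:
        # Drain the pool into a 32-byte seed and start a fresh pool chained to
        # the old one, so earlier samples still influence later seeds.
        seed = self._hasher.digest()
        self._hasher = hashlib.sha256(b"chain" + seed)
        self._bits_estimate = 0.0
        return seed


class HmacGenerator:
    """Deterministic generator driven by a seed. Its output is unpredictable
    only to the extent that the seed carried real entropy from the pool."""

    def __init__(self, seed: bytes):
        self.reseed(seed)

    def reseed(self, seed: bytes) -> None:
        # Mix the new seed with the previous key so a reseed never lowers entropy.
        old = getattr(self, "_key", b"\x00" * 32)
        self._key = hmac.new(old, seed, hashlib.sha256).digest()
        self._counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self._key, struct.pack(">Q", self._counter),
                            hashlib.sha256).digest()
            self._counter += 1
        # Ratchet the key forward so earlier output cannot be recovered from
        # later state (the forward-security property the text refers to).
        self._key = hmac.new(self._key, b"ratchet", hashlib.sha256).digest()
        return out[:n]


MIN_SEED_BITS = 128  # assumption: refuse to seed below this estimate


def seed_from_sources(samples):
    """samples: list of (source_id, bytes, estimated_bits).
    Returns a seeded HmacGenerator, or None if the pool is still too thin."""
    pool = EntropyPool()
    for sid, data, bits in samples:
        pool.add(sid, data, bits)
    if pool.estimate() < MIN_SEED_BITS:
        return None  # keep collecting rather than emitting under-seeded output
    return HmacGenerator(pool.extract_seed())


if __name__ == "__main__":
    # Constructed samples standing in for timing jitter and an OS entropy read.
    samples = [
        (1, struct.pack(">Q", time.perf_counter_ns()), 4.0),
        (2, os.urandom(32), 256.0),
    ]
    gen = seed_from_sources(samples)
    print(gen.generate(16).hex())
```

The point the page makes about software-only collection is visible in the design: `seed_from_sources` is only as good as the entropy estimates fed to it, and two pools given identical samples produce identical output, so an attacker who can control or observe the inputs controls the result. The refusal to emit below MIN_SEED_BITS is the usual mitigation for the boot-time case where no source has contributed yet.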
There are several ways to measure and use clock drift as a source of randomness. A thermal noise source (non-common-mode noise from two diodes) is used to modulate the frequency of the slow oscillator, which then triggers a measurement of the fast oscillator.
That output is then debiased using a von Neumann type decorrelation step (see below). This chip was an optional component of the chipset family that supported an earlier Intel bus. It is not included in modern PCs. Instead of using thermal noise, raw bits are generated by using four free-running oscillators which are designed to run at different rates.
The outputs of two are XORed to control the bias on a third oscillator, whose output clocks the output of the fourth oscillator to produce the raw bit. Minor variations in temperature, silicon characteristics, and local electrical conditions cause continuing oscillator speed variations and thus produce the entropy of the raw bits.
To further ensure randomness, there are actually two such RNGs on each chip, each positioned in different environments and rotated on the silicon. The final output is a mix of these two generators. The raw output rate is tens to hundreds of megabits per second, and the whitened rate is a few megabits per second. User software can access the generated random bit stream using new non-privileged machine language instructions. A software implementation of a related idea on ordinary hardware is included in CryptoLib, a cryptographic routine library.
The algorithm is called truerand. Most modern computers have two crystal oscillators, one for the real-time clock and one for the primary CPU clock; truerand exploits this fact. It uses an operating system service that sets an alarm, running off the real-time clock.
Another routine then enters a while loop waiting for the alarm to trigger. Since the alarm will not always trigger in exactly one tick, the least significant bits of a count of loop iterations between setting the alarm and its trigger will vary randomly, possibly enough for some uses.
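The truerand idea can be reproduced on any host with a high-resolution clock. The block below is an added illustration, not CryptoLib's code: instead of an operating-system alarm it spins until the clock has advanced by one assumed tick length (TICK_NS) and keeps the least significant bit of the iteration count. MIN_COUNT, the retry bound and the tick length are assumptions.

```python
import time

# Added illustration of truerand in Python (not CryptoLib's implementation).
# TICK_NS and MIN_COUNT are assumed values chosen for this example.

TICK_NS = 200_000   # assumed tick: 0.2 ms of wall-clock time per sample
MIN_COUNT = 16      # assumed floor: a spin count below this means the clock is
                    # too coarse, or the process was descheduled, so the sample
                    # carries no usable jitter and is discarded


def truerand_sample(tick_ns: int = TICK_NS) -> int:
    """Spin until the clock advances by tick_ns and return the loop count.
    The clock and the CPU loop run from different timing references, so the
    count drifts from sample to sample."""
    start = time.perf_counter_ns()
    count = 0
    while time.perf_counter_ns() - start < tick_ns:
        count += 1
    return count


def truerand_bits(n: int, tick_ns: int = TICK_NS, max_attempts: int = None) -> list:
    """Return n bits, each the LSB of an independent spin count.
    Samples with a suspiciously small count (interference from other
    processes, or a coarse clock) are discarded rather than used."""
    if max_attempts is None:
        max_attempts = 20 * n
    bits, attempts = [], 0
    while len(bits) < n:
        attempts += 1
        if attempts > max_attempts:
            raise RuntimeError("too many discarded samples; clock unsuitable")
        count = truerand_sample(tick_ns)
        if count < MIN_COUNT:
            continue
        bits.append(count & 1)
    return bits


def ones_fraction(bits) -> float:
    return sum(bits) / len(bits)


if __name__ == "__main__":
    b = truerand_bits(256)
    print(f"{len(b)} bits, fraction of ones = {ones_fraction(b):.3f}")
```

Even with the discard rule, this output should be treated as raw, possibly biased and correlated bits, exactly as the text says: feed it through a debiasing step or into an entropy pool rather than using it as key material directly.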
Truerand doesn't require additional hardware, but in a multi-tasking system great care must be taken to avoid non-randomizing interference from other processes e. The RdRand opcode will return values from an onboard hardware random number generator. The bit-stream from such systems is prone to be biased, with either 1s or 0s predominating. There are two approaches to dealing with this. The first is to design the RNG to minimize bias inherent in the operation of the generator.
One method to correct this feeds back the generated bit stream, filtered by a low-pass filter, to adjust the bias of the generator. By the central limit theorem, the feedback loop will tend to be well-adjusted "almost all the time". Ultra-high-speed random number generators often use this method. Even then, the numbers generated are usually somewhat biased. A second approach to coping with bias is to reduce it after generation, in software or hardware.
Even if the above hardware bias reduction steps have been taken, the bit-stream should still be assumed to contain bias and correlation. There are several techniques for reducing bias and correlation, often called "whitening" algorithms, by analogy with the related problem of producing white noise from a correlated signal. Another approach is the dynamic-statics test, which performs a statistical randomness check on each block of random numbers dynamically.
This can be done usably in a short time, at 1 gigabyte per second or more. In this method, if a block is judged doubtful, it is disregarded and discarded. John von Neumann invented a simple algorithm to fix simple bias and reduce correlation.
It considers two bits at a time (non-overlapping), taking one of three actions: when the two bits are equal, both are discarded; a 1 followed by a 0 becomes a 1; and a 0 followed by a 1 becomes a 0. It thus represents a falling edge with a 1, and a rising edge with a 0. This eliminates simple bias, and is easy to implement as a computer program or in digital logic.
This technique works no matter how the bits have been generated. It cannot assure randomness in its output, however. What it can do, at the cost of a significant number of discarded bits, is transform a biased random bit stream into an unbiased one. Another technique for improving a near-random bit stream is to exclusive-or the bit stream with the output of a high-quality cryptographically secure pseudorandom number generator such as Blum Blum Shub or a strong stream cipher.
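The von Neumann step in code, as an added example (my illustration, not a specific generator's implementation). `biased_bits` is a constructed stand-in for a physical source that emits independent bits with P(1) = p_one; the example also shows the two points the text makes, the yield cost and the fact that the step cannot certify randomness when the input bits are correlated.

```python
import random

# Added example of von Neumann debiasing. biased_bits() is a constructed
# source, not a measurement from real hardware.


def von_neumann(bits):
    """Non-overlapping pairs: 1,0 (falling edge) -> 1; 0,1 (rising edge) -> 0;
    equal pairs are discarded. A trailing unpaired bit is ignored."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)   # a is 1 exactly for the falling edge
    return out


def biased_bits(n, p_one, seed=1):
    """Constructed source: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits) -> float:
    return sum(bits) / len(bits)


def expected_yield(p_one) -> float:
    """Output bits per input bit for independent input: a pair produces a bit
    with probability 2p(1-p) and consumes two input bits, so p(1-p) per bit."""
    return p_one * (1 - p_one)


if __name__ == "__main__":
    raw = biased_bits(200_000, 0.9)
    out = von_neumann(raw)
    print(f"input P(1)={ones_fraction(raw):.3f}  output P(1)={ones_fraction(out):.3f}")
    print(f"yield {len(out) / len(raw):.3f}  expected {expected_yield(0.9):.3f}")
    # Independence matters: a perfectly alternating input has no bias at all,
    # yet every pair is a rising edge, so the output is constant.
    print(von_neumann([0, 1] * 8))
```

For a source that is mostly zeros with rare ones, as with the Geiger counter example later on the page, each rare 1 almost always lands in a pair with a 0 and so yields one output bit; the yield formula p(1-p) captures the same fact.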
This can improve decorrelation and digit bias at low cost; it can be done by hardware, such as an FPGA, which is faster than doing it by software. A related method which reduces bias in a near-random bit stream is to take two or more uncorrelated near-random bit streams and exclusive-or them together.
Then e is the bias of the bitstream. This may be repeated with more bit streams (see also the piling-up lemma). This is attractive, partly because it is relatively fast compared to some other methods, but depends significantly on qualities in the hash output for which there may be little theoretical basis. Many physical phenomena can be used to generate bits that are highly biased, but each bit is independent from the others. A Geiger counter with a sample time longer than the tube recovery time, or a semi-transparent mirror photon detector, both generate bit streams that are mostly "0" (silent or transmission) with the occasional "1" (click or reflection).
If each bit is independent from the others, the von Neumann strategy generates one random, unbiased output bit for each of the rare "1" bits in such a highly biased bit stream. Whitening techniques such as the Advanced Multi-Level Strategy (AMLS) can extract more output bits (output bits that are just as random and unbiased) from such a highly biased bit stream.
Other designs use what are believed to be true random bits as the key for a high-quality block cipher algorithm, taking the encrypted output as the random bit stream. Care must be taken in these cases to select an appropriate block mode, however. In some implementations, the PRNG is run for a limited number of digits, while the hardware generating device produces a new seed. Software engineers without true random number generators often try to develop them by measuring physical events available to the software.
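Combining uncorrelated streams with XOR, as discussed above, can be checked against the piling-up lemma numerically. The block below is an added example (my illustration, not the page's or any product's code); it uses the lemma's convention that the bias e of a bit is P(bit = 0) - 1/2, and `biased_bits` is a constructed source. It also shows what "uncorrelated" buys: XORing a stream with itself yields a constant.

```python
import random

# Added example: XOR of independent biased streams versus the piling-up
# lemma prediction. Bias convention: e = P(bit = 0) - 1/2.


def bias(bits) -> float:
    return bits.count(0) / len(bits) - 0.5


def xor_streams(*streams):
    """Bitwise XOR of any number of equal-length bit lists (truncated to the
    shortest)."""
    n = min(len(s) for s in streams)
    return [sum(s[i] for s in streams) & 1 for i in range(n)]


def predicted_bias(*biases) -> float:
    """Piling-up lemma: the XOR of k independent bits with biases e_1..e_k has
    bias 2^(k-1) * e_1 * ... * e_k, so each extra stream shrinks the bias."""
    prod = 1.0
    for e in biases:
        prod *= e
    return 2 ** (len(biases) - 1) * prod


def biased_bits(n, p_zero, seed):
    """Constructed source: independent bits with P(0) = p_zero."""
    rng = random.Random(seed)
    return [0 if rng.random() < p_zero else 1 for _ in range(n)]


if __name__ == "__main__":
    n = 200_000
    s1, s2, s3 = (biased_bits(n, 0.75, seed) for seed in (11, 22, 33))
    for streams in ((s1, s2), (s1, s2, s3)):
        measured = bias(xor_streams(*streams))
        predicted = predicted_bias(*(0.25,) * len(streams))
        print(len(streams), "streams: measured", round(measured, 4), "predicted", predicted)
    # Correlated inputs break the argument: a stream XORed with itself is all zeros.
    print("self-XOR bias:", bias(xor_streams(s1, s1)))
```

Two streams with bias 0.25 each give a combined bias of 0.125, three give 0.0625, and so on; the reduction is geometric, but only under the independence assumption, which is why the text stresses that the streams must be uncorrelated.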