
Invited Paper

Quantum random number generators and their applications in cryptography

Mario Stipčević *ab
a University of California Santa Barbara, Santa Barbara, CA 93106-9530, USA;
b Rudjer Boskovic Institute, HR-10002 Zagreb, Croatia, EU
*[email protected]

ABSTRACT

Random number generators (RNG) are an important resource in many areas: cryptography (both quantum and classical), probabilistic computation (Monte Carlo methods), numerical simulations, industrial testing and labeling, hazard games, scientific research etc. Because today's computers are deterministic, they cannot create random numbers unless complemented with a physical RNG. The randomness of an RNG can be defined and scientifically characterized and measured. Especially valuable is an information-theoretically provable RNG which, at the state of the art, seems to be possible only by harvesting the randomness inherent in certain (simple) quantum systems; such a generator we call a Quantum RNG (QRNG). On the other hand, current industry standards dictate the use of RNGs based on free running oscillators (FRO) whose randomness is derived from electronic noise present in logic circuits and which, although quantum in nature, cannot be strictly proven. This approach is currently used in FPGA and ASIC chips. We compare weak and strong aspects of the two approaches for use in cryptography and in general. We also give an alternative definition of randomness, discuss the usage of single photon detectors in the realization of QRNGs and give several examples where a QRNG can significantly improve the security of a cryptographic system.
Keywords: random numbers, cryptography, randomness definition, quantum randomness, free running oscillator, noise generator

1. INTRODUCTION
Random numbers and random number generators (RNGs) seem to be of ever increasing importance. Random numbers are essential in cryptography (mathematical, stochastic and quantum), Monte Carlo calculations and numerical simulations [1], statistical research, randomized algorithms, industrial testing, lottery etc. Today, random numbers are most critically required in cryptography and its numerous applications in our everyday life: mobile communications, e-mail access, online payments, cashless payments, ATMs, e-banking (TAN numbers), internet trade, point of sale, PINs for prepaid cards, wireless keys, general cyber-security, secure file erasing on the computer, industrial control of distributed systems SCADA (power grid, …), etc. From the beginning of mankind until roughly the end of the Cold War, cryptography was generally perceived as something interesting only to rulers, secret services and spies; however, with the proliferation of secure cashless payment smart-cards, cash dispensers and points of sale, the birth of the computer age and the Internet in the early 1990s and finally the recent explosion of mobile communications, cryptography flourished as an indispensable ingredient of modern life. Now, suddenly, everyone has, willingly or unwillingly, knowingly or unknowingly, become a user of cryptographic products. This also boosted research of randomness and random number generators.
There is a general tendency, in both the research community and industry, to take random numbers for granted and give them the least attention in proving or designing a system. However, generation of random numbers is extremely non-trivial, and so are assessment and proving of their randomness. The situation in the field is such that there is not even a widely accepted definition of random numbers, and there probably never will be one. The fundamental problem here is that randomness itself is not compatible with the deterministic concept of a definition. Knuth [2] discusses 14 definitions of randomness without a definitive conclusion, but gives a recipe that a useful definition should contain a short list of properties desirable for random sequences. One of the 14 definitions claims that a sequence of random numbers is a set of independent numbers obeying a specified probability density function, which actually exchanges the definition of "randomness" for the definition of "probability". According to Schneier [3], a sequence of random numbers is unpredictable and cannot be reliably reproduced. Maurer demonstrates that randomness tests are equivalent to finding an algorithm to compress a sequence [4], leading to the idea that if a given sequence can be compressed then it is not random. In our view, definitions of random numbers can be divided into two categories: 1) circulus vitiosus: recursive definitions which define randomness of numbers by using the very term or concept of randomness; 2) wish list: definitions that contain a preferably short list of desirable statistical properties of random sequences, usually a set that pleases their author(s). Neither category is satisfactory. Recursive definitions say really nothing and are impossible to check. For the second category, it has already been conjectured by some researchers (e.g. J.N. Franklin, 1962) that for a satisfactory definition the wish list would probably have to be no shorter than infinite; that is, a random sequence has to satisfy infinitely many statistical criteria. But the situation is not hopeless; on the contrary, as we will demonstrate in Section 2.4 where we talk about quantum random number generators, randomness can be precisely defined and measured through a different approach.

Advanced Photon Counting Techniques VI, edited by Mark A. Itzler, Joe C. Campbell, Proc. of SPIE
Vol. 8375, 837504 · © 2012 SPIE · CCC code: 0277-786X/12/$18 · doi: 10.1117/12.919920

Proc. of SPIE Vol. 8375 837504-1
In any case, in applications where provability is essential, randomness sources (if involved) must also be provably random, otherwise the whole chain of proofs collapses. In cryptography, for example, where due to Kerckhoffs' principle [5] all details of a cryptographic protocol are publicly known, the only part of the protocol that differs from one instance to another is a set of random data. This data may constitute the secret key or some other data that need not be secret (e.g. challenge-response data, one-time passwords, etc.) but must not be calculable or otherwise guessable by an eavesdropper, i.e. must be random. We discuss this point in greater detail in Section 3 where we talk about cryptography.
Lottery is yet another serious business where random numbers are essential. Due to the large sums of money involved (estimated $6 billion annually for online poker in the US alone [6]), some countries have set explicit requirements for random number generators for use in online gambling and lottery machines and have established certificate issuing authorities. For example, the Lotteries and Gaming Authority (LGA) of Malta prescribes a list of requirements for RNGs, stipulated in the Remote Gaming Regulations act [7]. An RNG that does not conform to this act may not be legally used in the gambling business. These rules have been put forward in order to ensure a fair game and to prevent the possibility that players manipulate the system by foreseeing outcomes.
Finally, in Monte Carlo calculations and simulations multiple researchers have found that widely accepted "good" pseudo random number generators may produce wrong results [8-16].
These examples clearly illustrate that random number generators are essential in many areas and should not be taken for granted.

2. RANDOM NUMBER GENERATORS AND RANDOMNESS TESTING


Generation of random numbers has occupied mathematicians, scientists and inventors for a long time. A whole new branch of mathematics has been invented out of the need to understand random numbers and ways to obtain them [2,17-26]. Fig. 1 shows a (by no means exhaustive) classification tree of random number generators. Historically, there are two approaches to random number generation: algorithmic (pseudorandom) and by a physical process (nondeterministic). In this work we are going to visit selected branches which we find most important or promising.
[Figure 1 tree diagram: RNG branches into pseudo random and physical; legible leaves of the physical branch include quantum (label partly illegible), FRO and 1-bit digitalization.]

Figure 1. Classification of random number generators.


A pseudo random number generator (PRNG) is a mathematical formula or algorithm implementable in Boolean logic which accepts an initial state and produces a sequence of numbers thereof in a completely deterministic way. No matter how well designed, it remains fundamentally non-random and predictable. A PRNG is usually a piece of software residing in a compiler program library. It is therefore readily available, easy to use, cheap and generally fast.
In contrast to PRNGs, physical (hardware) random number generators extract randomness from physical processes that behave in a fundamentally nondeterministic way, which makes them better candidates for true random number generation. A physical RNG is a piece of hardware separate from the computer, usually connected to it via USB or PCI bus. It is therefore not always available, requires installation of generator-specific drivers, there is no rule how it appears in the program library and no general way of specifying it in the user program, it is typically slower than a PRNG, and much, much more expensive.
Our definition of a physical RNG is not to be confused with a PRNG implemented in CMOS logic or similar hardware: such a generator is still a PRNG.
Without loss of generality, in the rest of the article we will assume that generators produce random binary numbers, bits (binary values 0 or 1).
2.1 Pseudo random number generators
Pseudo random number generators (PRNG) are well known in the art [2] and we are not going to address them here in great detail. A PRNG produces a deterministic, periodic sequence of numbers which is completely determined by the initial state called the seed. By definition such generators are not provably random. In practice, PRNGs usually feature perfect balance between 0's and 1's (zero bias) but also strong long-range correlations which undermine cryptographic strength and can show up as unexpected errors in Monte Carlo calculations and modeling. There is an extensive list of complaints of getting wrong results in Monte Carlo methods by using the "best" of PRNGs [8-16].
In any case, due to the strict determinism of PRNG algorithms no PRNG is random by any reasonable definition of randomness. Let us illustrate this by a true anecdote involving fictitious characters. Alice is an expert on testing randomness. Bob wanted to impress Alice with his own version of the Mersenne Twister PRNG [27], which he claimed produces true random numbers, so he asks her to test it. Alice agrees but asks for a minimum of 50 megabytes of random data to be sent to her via e-mail. Bob produced the huge file but his mailing program refused to send such a big file. Cutting the file into small pieces and sending multiple e-mails etc. was an option but too big a nuisance for both of them. Finally, Bob sends Alice a 1 kilobyte long e-mail containing the following short notice: "Dear Alice, please find attached a program in C++. Compile it, use the following seed: 12345678 and stop the program after producing 50 megabytes of data. That is what I wanted to send you." Instead of doing that and running very time consuming randomness tests on her computer, Alice shortly replied: "Dear Bob, you have just proven that your numbers are not random. If, however, you think that 50 megabytes of truly random data can, under any circumstances, be losslessly compressed to just 1 kilobyte, then I have nothing more to say to you!"
Pseudo random sequences are deterministic: every bit is precisely related to some bits downstream in the sequence and such a relationship exists throughout the whole sequence no matter how long. Still, due to the complexity of the algorithms it is hard to find statistical tests that would show deficiencies and usually none is known. Consequently some can be lured into the belief that there exist PRNGs which are indistinguishable from true randomness for any practical purpose. But this is a huge mistake. Let us imagine any PRNG that receives, for example, a 32 bit initial state and let it produce 1,000,000 bits. The generator can produce only 2^32 (~10^9) different 1 Mbit sequences, each belonging to a different seed, out of a total of 2^1,000,000 (~10^300,000) sequences, which is an extremely small subset of the possibilities. Even worse, every single 1 Mbit sequence in this small subset has the property of strong auto-correlations such that it can be drastically compressed. Now why would anyone like to use such a generator? Remember this is true for any PRNG. On the other hand even a modest quality physical generator which produces one bit at a time by repeating some measurement will, with each new bit, produce almost a full bit of entropy, thus having roughly equal chance to produce ANY of ALL 10^300,000 1 Mbit long sequences! And that's a huge difference, especially for cryptographic purposes.
There is an illusion that certain PRNGs may be good for creating cryptographic keys. The truth is that: 1) the most important classes of PRNGs have been publicly cryptanalyzed [24,28-31], meaning that knowing a fistful of bits one can calculate the rest of the sequence; 2) a PRNG is an ideal place for the implementation of secret backdoors into any cryptographic system [21]; and 3) even if we had a secure PRNG such as Blum Blum Shub [32], attackers can anyway target the seed itself (as in the Netscape example that will be discussed in Sect. 3.1) by guessing a part or the whole of the seed, thus obtaining a huge head start in cracking the system no matter what the quality of the PRNG is.
Advantages of PRNGs, for the present time, remain their low cost, ease of implementation and user friendliness, especially in a CPU-available environment such as a PC. They are best suited for extensive Monte Carlo simulations and calculations because of their speed, but one has to be cautious because results may be inaccurate.



2.2 Physical generators
Due to Kerckhoffs' principle, the definition of a random number generator suitable for cryptography must include that even if every detail is known about the generator (schematic, algorithms etc.) it still must produce totally unpredictable bits. In the early seventies, at the dawn of the modern computing era, John von Neumann was one of the first to note that deterministic Turing computers, due to their deterministic nature, are not capable of producing true random numbers, and put it in his famous saying "Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin".
If computers cannot produce random numbers, what can? Random numbers can only be produced by performing measurements on physical systems that behave randomly (enough), and some care is needed to ensure accuracy. Physical random number generators are one of the hottest topics of research in the last decade. There have been about 83 patent applications per year during the last decade, 1418 in total since 1970, and countless scientific articles published regarding physical random number generators. Still, a sharp discrepancy between the number of publications and the very modest number of products (only 4 commercial quantum RNGs and a handful of noise based, mostly phased-out RNGs) that ever made it to the market [33-39] clearly indicates the immaturity of most of the art. In our view the main problems are lack of randomness proofs and poor reproducibility of the majority of solutions presented so far. Importing random numbers into a user program is complicated and requires original drivers. Prices range from 1k$ to 25k$ for bit production rates from 1 to 150 megabits per second.
Examples of physical processes used to generate randomness include: Johnson's noise [37], Zener noise [40], radioactive decay [41-42], photon path splitting at a two-way beam splitter, photon arrival times etc. [43-51]. Unlike the PRNGs, which feature no bias but very long and very strong correlations, physical RN generators suffer from uneven probabilities of zeros and ones, that is bias (b), defined as the deviation from the ideal probability of ones p(1):

$$b = p(1) - 0.5 = -0.5 + \frac{1}{N}\sum_{i=1}^{N} b_i \qquad (1)$$

and generally only short-range correlations which are best captured by the serial autocorrelation coefficients a_k [2]:

$$a_k = \frac{\sum_{i=1}^{N-k} (b_i - \bar{b})(b_{i+k} - \bar{b})}{\sum_{i=1}^{N} (b_i - \bar{b})^2} \qquad (2)$$

where {b_1 ... b_N} is an N bits long random string and \bar{b} is its mean value.
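As an added illustration (not code from the paper), the following Python computes the bias b of eq. (1) and the serial autocorrelation coefficients a_k of eq. (2) for a bit string, and evaluates them on constructed strings: an alternating 0101... pattern (zero bias but extreme correlation, the PRNG-like failure mode) and a period-4 pattern with 75% ones (biased and correlated).

```python
"""Bias (eq. 1) and serial autocorrelation (eq. 2) of a bit string.
Added example; the functions and the sample strings are constructed here,
they are not taken from the paper."""
from typing import Sequence


def bias(bits: Sequence[int]) -> float:
    """Eq. (1): b = p(1) - 0.5 = -0.5 + (1/N) * sum(b_i)."""
    if not bits:
        raise ValueError("empty bit string")
    return -0.5 + sum(bits) / len(bits)


def autocorrelation(bits: Sequence[int], k: int) -> float:
    """Eq. (2): serial autocorrelation coefficient a_k at lag k (1 <= k < N)."""
    n = len(bits)
    if not 1 <= k < n:
        raise ValueError("lag k must satisfy 1 <= k < N")
    mean = sum(bits) / n                        # b-bar, the mean of the string
    num = sum((bits[i] - mean) * (bits[i + k] - mean) for i in range(n - k))
    den = sum((b - mean) ** 2 for b in bits)
    if den == 0:                                # constant string: no variance, a_k undefined
        return float("nan")
    return num / den


def characterize(bits: Sequence[int], max_lag: int) -> dict:
    """Bias plus a_1..a_max_lag, the two quantities a physical RNG is judged on."""
    return {
        "bias": bias(bits),
        "autocorr": [autocorrelation(bits, k) for k in range(1, max_lag + 1)],
    }


# Constructed sample strings (not measured data):
ALTERNATING = [i % 2 for i in range(64)]                  # 0101...: zero bias, fully correlated
BIASED = [1, 1, 1, 0] * 16                                 # 75% ones: bias +0.25, period-4 pattern
COIN = [1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1]    # hand-made, eight ones in sixteen bits

if __name__ == "__main__":
    for name, s in [("alternating", ALTERNATING), ("biased", BIASED), ("coin", COIN)]:
        r = characterize(s, 4)
        print(f"{name:12s} bias={r['bias']:+.3f} "
              f"a_1..a_4={[round(a, 3) for a in r['autocorr']]}")
```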


2.3 Noise & chaos based random number generators
Electronic noise, and more recently laser noise, are natural sources of randomness that can be exploited for random number generation. Random thermal motion of electric carriers (Johnson's effect [52]) creates a random instantaneous voltage on the terminals of any resistive material which is held at a temperature higher than absolute zero. However, long-range carrier correlations in conductors cause correlations in the movements of electric charges and therefore the resulting voltage is not completely random [53].
Zener noise (in semiconductor Zener diodes) is caused by tunneling of carriers through a quantum barrier of ideally constant height and width. If the current is sufficiently low, individual "jumps" of carriers through the barrier will be a consequence of the uncertainty relation of quantum mechanics and individual tunneling events completely random. With the help of some avalanche gain, tunneling jumps will be seen as voltage peaks across the diode, forming a pink noise of perfect randomness. However, the Zener effect is never found well isolated in physical devices from other effects which may be mutually correlated, nor is the quantum barrier constant, due to field screening. Most of the aforementioned processes in resistors and Zener diodes have some memory effect. This means that an instantaneous voltage across the device depends on voltages in the (near) past and this in turn leads to a correlation among random numbers extracted therefrom. In most cases there is good reason to believe that correlations would not extend very long in time.
Other popular sources of noise include: inverse base-emitter breakdown in bipolar transistors, laser phase noise [54], chaos noise [55], activated escape in self-feedback lasers [56] etc. The biggest problem with all kinds of noise is that they are a collective effect of dubious theoretical understanding and that the resulting randomness of the numbers cannot be brought into a convincing relationship with physical parameters, nor well characterized, measured or controlled during fabrication of the device. Furthermore, noise sources usually produce rather tiny voltages that need to be strongly amplified before conversion to digital form. The strong amplification introduces further deviations from randomness due to the limited amplifier bandwidth and gain non-linearity, and makes circuits sensitive to electrical interference and to manipulation of noise based RNGs by external electromagnetic fields, which can be exploited for cryptographic attacks.
The most obvious idea for a noise based physical RNG is the following. The random voltage is sampled periodically and compared to a certain pre-defined threshold (V_BIAS): if higher then "1" is generated, otherwise "0" is generated (Fig. 2a). It is obvious that the threshold can be set so that the probabilities of 1's and 0's are roughly the same. However, fine tuning of the threshold poses an insurmountable, time-consuming problem and can never be done properly. For example, if tuning of the bias to a value of 0.1 requires 10 seconds, then tuning to an n times lower value would take n^2 times longer, leading quickly to a prohibitive duration. And then there is the problem of stability: even the smallest drift of the threshold mean value (due to temperature, supply voltage change, aging...) will create a large bias.
[Figure 2 diagram, recoverable labels: Noise gen., Level comparator, V_BIAS, Output, Request, Input.]

Figure 2. (a) Basic noise based RNG principle. Analog noise is brought to a threshold comparator whose output is either 0 or 1 depending on whether its input is below or above a certain adjustable threshold, V_BIAS; (b) Improved version which theoretically features zero bias. Upon Request, a fresh new random bit will be generated on the Output.
Starting from this basic circuit, researchers have proposed many circuits whose aim is to improve the randomness. Probably the best one was discovered by C. H. Vincent in 1970 [46], generalized by Chevalier & Menard in 1974 [47] and independently re-discovered much later by Bagini and Bucci [57] and Stipčević [44]. Fig. 2b shows a zero-bias noise based RNG. The biased output produced by the imperfect threshold principle is divided by 2 by a toggling T-type flip-flop. The output of the T flip-flop spends exactly 50% of the time in either logic state and is sampled periodically by a pulse generator. The idea is that when sampled (by the D flip-flop) it will yield either 0 or 1 with perfectly equal probabilities. However, in practice a non-negligible deviation from randomness will occur due to two effects: 1) too fast sampling will produce positive autocorrelation; 2) uneven rise and fall times of the logic involved will produce bias. This holds true even if the T flip-flop is fed by perfectly random, mutually non-correlated triggers. On top of that, analog noise usually contains correlations by itself, which enhances the errors. Indeed, this method even in theory produces random numbers only in the limit of slow sampling [40].
The following is the most popular way of realizing physical RNGs on a chip. When the output of a logical inverter circuit is fed to its input, the circuit turns into an oscillator, the so-called free running oscillator (FRO), Fig. 3.

[Figure 3 diagram: a chain of inverters with its output fed back to its input, i.e. a free running oscillator.]

Figure 3. Margins and print area specifications.


An inverting gate is in practice a very high gain inverting amplifier. Connecting its output to the input creates a Zeno paradox: if the output is in the logical HIGH state then the input will be as well and the NOT action will drive the output LOW. Theoretical Boolean logic analysis will yield that the output state is undetermined, but in practice, due to the finite propagation delay of the NOT element, the circuit will oscillate. The electronic noise present at the inputs of the inverters adds to the signal fed back from the output and thus causes very fast, random jitter of the frequency and phase of the oscillations. This noise induced jitter is the main source of randomness of an FRO. In that sense, an FRO RNG can be regarded as a special case of a noise-based generator. Since the electronic noise of each such circuit is individual, it is reasonable to assume that multiple oscillators, even when on the same chip, have different frequencies and that their mutual phases walk off randomly in time. The basic principle of random number generation with FROs is that the output of a fast FRO (which can be either logical 0 or logical 1) is sampled by a slow FRO. This is the equivalent of abruptly stopping a quickly turning wheel of fortune.
Unfortunately, when multiple FRO oscillators are physically close to each other (for example on a chip) they tend to synchronize through electromagnetic interaction facilitated by the high gain of the FRO amplifiers. In effect, the immense gain of the NOT gates required to amplify tiny electronic noise to a noticeable level also helps to pick up any other nearby interference. This effect, known as "phased interlock" [58], may adversely affect the performance of the design and is a major problem inherent to FROs. Interlocked rings have waveforms that share the same phase and this will lead to near-PRNG operation. The same effect makes FROs vulnerable to attacks with external electromagnetic radiation. Interlocking, EMI pickup, low entropy and latch-up are major technical problems with FROs which lead to the necessity of heavy post processing. Because of all that, making an FRO RNG is more art than science.
In spite of all these problems, current security standards [59] practically dictate the use of RNGs based on FROs. The NIST standard FIPS 140-2 [60] says: "There are no FIPS Approved nondeterministic random number generators." Consequently, the FRO approach is currently used in 3rd and 4th generation FPGA, CPLD and ASIC hardware for various cryptographic purposes. One real-life example that illustrates well the combinatorial cuisine typically needed to obtain a decent RNG is the entropy source of the PadLock "quantum" RNG implemented in VIA C3 processors [61-62]. It consists of 4 FROs, 3 fast (450-810 MHz) and 1 slow (20-68 MHz). The wide tolerance on the frequencies already shows the problem that we mentioned before: it is very hard to control the parameters of FROs during fabrication. In this topology the fast FRO (A) is sampled by the slow FRO (D), as disclosed in the patent application [44]. At least one of the two FROs must be of good randomness, and since this is easier to achieve with the slower one, VIA went for that option. The slow generator is made of FROs B, C and D. First, B and C are slowed down by 1/8 dividers and their XORed outputs are used to disturb the slow FRO D (which is the only one featuring a digital input). The resulting bits appear at the output Q of the D-type flip-flop in synchronization with pulses from FRO D. Optionally, the output is filtered through a Von Neumann corrector [63] which cuts the bit production rate roughly by a factor of 4. Looking at this schematic it is clear that it is impossible to arrive at a proof of its randomness. The analog bias voltage injected into this otherwise digital circuitry (!) "may (or may not!) improve the statistical characteristics of the random bits" according to VIA [64]. The bottom line is that the random numbers are still of low quality and in order to pass tests must be corrected (Section 2.7) by a full-blown secure hash algorithm, SHA-1, which is hardwired into the logic circuits on the same chip [64].

[Figure 4 block diagram, recoverable labels: FROs 450-810MHz, A, XOR, Shift register, Von Neumann corrector, 1 bit discard, FIFO.]

Figure 4. VIA C3 PadLock random number generator samples fast FRO (A) by slow FRO (D).
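As an added example (not the paper's code and not VIA's circuit), the following Python applies the Von Neumann corrector mentioned above to constructed bit streams and shows both its cost and its limit: on independent biased bits it removes the bias at an output rate of p(1)·p(0) bits per input bit, i.e. one quarter of the input for an unbiased stream (the factor of 4 quoted above), while on correlated input, the kind an interlocked FRO produces, it can make things worse instead of better. The biased source and the seed are assumptions of the simulation.

```python
"""Von Neumann corrector on constructed input. Added example; the input
streams are generated here with a seeded PRNG and are not measured data."""
import random
from typing import List, Sequence


def von_neumann(bits: Sequence[int]) -> List[int]:
    """Read non-overlapping pairs: 10 -> 1, 01 -> 0, 00 and 11 -> discarded."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def bias(bits: Sequence[int]) -> float:
    """Eq. (1) of the text: b = p(1) - 0.5."""
    return -0.5 + sum(bits) / len(bits)


def expected_yield(p1: float) -> float:
    """Fraction of input bits surviving the corrector for independent bits with P(1)=p1.
    A pair is kept with probability 2*p1*(1-p1) and yields one bit per two consumed,
    so the yield is p1*(1-p1): 0.25 at p1=0.5, i.e. the rate cut by a factor of 4."""
    return p1 * (1 - p1)


def biased_source(n: int, p1: float, seed: int) -> List[int]:
    """Constructed stand-in for a raw hardware stream: biased but independent bits."""
    rng = random.Random(seed)
    return [1 if rng.random() < p1 else 0 for _ in range(n)]


def correct_and_measure(bits: Sequence[int]) -> dict:
    """Bias before and after correction, and the fraction of input bits kept."""
    out = von_neumann(bits)
    return {
        "bias_in": bias(bits),
        "bias_out": bias(out) if out else float("nan"),
        "yield": len(out) / len(bits),
    }


if __name__ == "__main__":
    raw = biased_source(100_000, 0.7, seed=1)
    print("independent, P(1)=0.7:", correct_and_measure(raw),
          "expected yield", expected_yield(0.7))
    # Correlated input defeats the corrector: the alternating pattern 0101... has
    # zero bias, but every pair is 01, so the output is all zeros (bias -0.5).
    print("alternating 0101...:", correct_and_measure([i % 2 for i in range(1000)]))
```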
FROs are so popular only because they can be made using the conventional digital logic chip infrastructure which is otherwise unsuitable for the realization of a quantum RNG (Sect. 2.4). However, the caveat with FROs is that the semiconductor industry is making a continuous effort to make the electronic noise as small as possible, and it generally goes down with newer generations of chips, making such generators ever harder to make. The jitter can become very small and cause the FRO based RNG to operate in a nearly PRNG regime. Therefore implementation details of an FRO based RNG most often have to be tailored for each specific chip type or generation, and uniformity of operation cannot be guaranteed from batch to batch but has to be tested. Unfortunately, due to the very nature of operation of an FRO based RNG, present solutions described in scientific journals and patents not only lack a proof of randomness but in most cases even an attempt at a proof of the theoretical framework within which they operate [61-62,64-67]. An excellent further reading on FRO based RNGs is given in [68].
2.4 Quantum random number generators
Quantum random number generators typically utilize just one intrinsically random quantum effect realized as close as possible to its theoretical idealization. We reserve this name, quantum random number generator, for a device operating upon a "clean", isolated, non-collective effect, a few examples of which we describe here. The beauty of a quantum RNG is that by determining the characteristics of active and passive components independently of random number generation, a reasonable randomness proof can be made.
Some things in Nature come in smallest amounts known as quanta. For example an electromagnetic field of frequency ν cannot be arbitrarily faint. It comes in small portions of energy equal to hν. Similarly, there is a smallest quantity of information, called the qubit. Conveniently, a single quantum of light (photon) can be used as a carrier of one qubit, but there are many other possible qubit carriers and they are by no means limited only to elementary particles. But photons are easy to produce, transport, manipulate and detect, so they are an ideal choice for experiments. A qubit can be thought of as a linear superposition of two orthogonal pure quantum states:

$$|\psi\rangle = \alpha\,|0\rangle + e^{i\varphi}\,\beta\,|1\rangle \qquad (3)$$

When a projection measurement is performed in the orthogonal basis (|0⟩, |1⟩) on a qubit it will "project" to either |0⟩ or |1⟩ with probabilities α^2 and β^2 respectively. To illustrate this theoretical concept let us consider a circularly polarized photon entering a polarizing beam splitter, Fig. 5. The beam splitter projects the photon into one of the basis states, horizontal or vertical, following which the photon exits the corresponding port and hits one of the detectors, thus signifying the binary value "0" or "1" respectively.

[Figure 5 diagram, labels t1, t2.]

Figure 5. Spatial and temporal quantum random bit generating principles. Spatial principle (left): a circularly polarized photon falls onto a linear horizontal/vertical analyzer with 50% chance to finish in either of the two output ports. Timing principle QRBG (right): photons from a single photon Poissonian source fall onto a single photon detector. Time intervals t1 and t2 spanned by three subsequent photon detections are compared: if t1>t2 then produce "0", if t2>t1 then produce "1", if t1=t2 then produce nothing (skip).

Let us imagine that a photon has been emitted from a single photon emitter, such as an atom, that was previously in an appropriate excited state. After the emission of the single photon the atom is exhausted and there are no more emissions. But if we "recharge" it to the same excited state it will "fire" again. Since everything is (ideally) equal to the previous case, the next photon will again randomly choose one of the two paths. "Randomly" here means that the previous photon left no trace in the setup.
We have noted earlier that it is very difficult, probably impossible, to define a sequence of random bits. Instead it is better, and possible, to define a random bit generator. A random bit generator, by definition, is a physical device that produces a sequence of classical bits in such a way that a bit does not contain any information on any other bit produced by the same machine. It is really fascinating that quantum physics permits the existence of such a device and we have just discussed one: the beam splitter. There are two novelties in this definition: 1) instead of defining a mathematical abstraction we define a physical object; and 2) instead of defining what randomness is (listing an infinite number of properties) we define what randomness isn't. To explain this let us imagine that we have a perfect generator of random bits (we know that quantum physics allows it) and that we want to make them non-random by some kind of post processing. The only way of doing that would be to flip the values of certain bits under the control of some function of the values of some other bits. No matter how complicated this procedure may be, the bottom line is that bit values must "interact". If our generator does not allow them to interact (as in the above beam splitter device) the bit values will be random. The worst thing that can happen to the bit values is bias, because for that the bits do not need to communicate. Bias can be a property imprinted into the generator itself (for example in a beam splitter the probabilities of H and V outcomes may differ). But our intuition of randomness tolerates bias: an unfair coin is still random, except that its entropy is not maximal. This definition is powerful because it allows us to actually check whether our generator (not the bits!) complies with it. Once the generator complies with the definition, we know that it will produce a random sequence of bits and thus we do not have to care anymore about the elusive definition of random numbers.
The biggest problem in the realization of a perfect quantum RNG is that it is hard to build setups very close to the theoretical
idealization. The beam splitter method is theoretically perfect but in practice it is very sensitive to the smallest imperfections.
First, detector dead times and afterpulsing will generate correlations, while the beam splitter in conjunction with the
efficiencies of the detectors (which may vary in time) defines a bias whose adjustment faces the same prohibitive difficulties
already discussed for noise generators in Sect. 2.3.

Proc. of SPIE Vol. 8375 837504-7
Therefore especially valuable are QRNGs that do not need, or even do not allow, any adjustments. A variant of the time
interval method shown in Fig. 5 right, which is particularly immune to hardware imperfections, has been proposed in
[44-45]. Photon emission from a low-gain LED and the photodetection process (Fig. 6) form a highly perfect Poissonian
process and were used for the first time in this work instead of the much slower (and much less healthy!) radioactive decay [41].
[Figure 6 block diagram: light source (LED, LD, ...) -> photomultiplier tube -> amplifier -> window comparator -> timing and processing (microprocessor) -> computer.]
Figure 6. A general processing scheme of the temporal principle QRBG. Time-random photons fall onto the single photon
detector consisting of a photomultiplier, amplifier and a comparator, such that each detected photon generates one logical
pulse. Pulses are then processed according to the desired bit extraction principle and transmitted to a computer.
The crucial observation made in [45] is that the clock measuring the photon time intervals ti must be started in synchronization with the
beginning of each interval; otherwise the method would produce correlated bits even if fed by perfectly random events.
This was not understood in previous works and patents [41,42,71], which consequently must have yielded correlated
output; this was not detected at the time because the clock frequency (~10 MHz) was much higher than the mean source
frequency (~10 kHz), in which case the correlations are small. The improved method is theoretically exact regardless of the
relation between clock and random event frequencies. It is also independent of the actual distribution of the random interval times, as
long as the events are independent of each other. Note that there is nothing to adjust. Furthermore, random bit production is
self-clocked, so if either the source or the detector dies there will be no bits at the output.
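The effect of the clock start can be checked numerically. The following simulation is an added example, not part of the original paper or of [45]: it generates Poissonian arrival times, quantizes consecutive intervals once with a free-running clock and once with a clock restarted at every interval, extracts bits from disjoint interval pairs by the rule of Fig. 5 (right), and measures bias and lag-1 serial correlation. The pairing of intervals into disjoint pairs, the clock period being equal to the mean photon spacing (rather than the ~1000:1 ratio quoted above, so that the effect is large enough to see) and all function names are assumptions of the example.

```python
import math
import random


def poisson_arrivals(n_events, mean_interval, rng):
    """Absolute arrival times of a Poisson process (constructed stand-in for
    photon detections; real hardware would supply these timestamps)."""
    t, times = 0.0, []
    for _ in range(n_events):
        t += rng.expovariate(1.0 / mean_interval)
        times.append(t)
    return times


def counts_free_running(times, period):
    """Interval lengths in ticks of a clock that is never restarted: each
    interval inherits the fractional clock phase left over by the previous event."""
    ticks = [math.floor(t / period) for t in times]
    return [b - a for a, b in zip(ticks, ticks[1:])]


def counts_restarted(times, period):
    """Interval lengths when the counter is reset at the start of every
    interval, as in [45]: each count depends on its own interval only."""
    return [math.floor((b - a) / period) for a, b in zip(times, times[1:])]


def extract_bits(counts):
    """Compare disjoint pairs (t1,t2), (t3,t4), ...: t1>t2 -> 0, t2>t1 -> 1,
    t1==t2 -> skip.  Assumption: pairs do not overlap (a shared interval
    alone would correlate neighbouring bits)."""
    bits = []
    for t1, t2 in zip(counts[0::2], counts[1::2]):
        if t1 != t2:
            bits.append(0 if t1 > t2 else 1)
    return bits


def bias_and_lag1_corr(bits):
    """Mean of the bit stream and its lag-1 serial correlation coefficient."""
    n = len(bits)
    m = sum(bits) / n
    e11 = sum(a & b for a, b in zip(bits, bits[1:])) / (n - 1)
    return m, (e11 - m * m) / (m - m * m)


def compare_schemes(n_events=400_000, mean_interval=1.0, period=1.0, seed=2012):
    """Run both timing schemes on the same event stream.  The default puts the
    clock period equal to the mean photon spacing so the effect is large; with
    the paper's ratio (~1000 clock ticks per event) it becomes small."""
    rng = random.Random(seed)
    times = poisson_arrivals(n_events, mean_interval, rng)
    result = {}
    for name, fn in (("free_running", counts_free_running),
                     ("restarted", counts_restarted)):
        bits = extract_bits(fn(times, period))
        mean, corr = bias_and_lag1_corr(bits)
        result[name] = {"n_bits": len(bits), "mean": mean, "lag1_corr": corr}
    return result


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:13s} bits={r['n_bits']:6d} mean={r['mean']:.4f} "
              f"lag1_corr={r['lag1_corr']:+.4f}")
```

Run as a script it prints both schemes: the restarted clock gives bits whose bias and lag-1 correlation sit at the statistical noise level, while the free-running clock gives a lag-1 correlation of several percent at this clock ratio, because the fractional clock phase left by one photon enters the count of the following interval and is carried from one bit pair to the next. Neither scheme is biased. Raising mean_interval towards the paper's ratio shrinks the correlation, which is why it went unnoticed in the earlier designs.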
Another successful temporal method, implemented in a commercial RNG [35,51] (described also in [44]), counts the number
of pulses in a fixed-length period and takes the number of counts modulo 2 as the bit value.
Yet another temporal method, implemented in a commercial RNG [36], uses digitized exponential waiting times of photons
from an LED source as input to a resilient functions corrector (see Section 2.7), achieving a 152 Mbit/s rate using only one
photon detector.
2.5 Randomness tests
The most important thing to understand about statistical testing is the following: if a generator passes all known statistical tests, this
does not prove that it is random. We already noted that a random sequence should pass infinitely many different randomness
tests. It may still fail any new test, or some Monte Carlo simulation.
An individual randomness test checks one or more statistical properties of long sequences of random numbers, for example
bias, serial autocorrelation, FFT spectrum etc. There are several well known and recognized compilations of tests. Some
are more oriented towards problems in PRNGs (e.g. DIEHARD [69], Dieharder [70]), some more towards physical RNGs (e.g.
ENT [71]), while some are of a general nature (e.g. Maurer's Universal Test [4], NIST STS [72], L'Ecuyer's TestU01 [73]).
The unfortunate fact is that there is an infinite number of statistical properties which truly random numbers must satisfy,
and therefore passing all known tests does not prove randomness. Indeed, most contemporary PRNGs pass all of the
above tests.
Tests themselves are not perfect: some contain errors [55,59] or constants of questionable precision obtained by
simulation using "trusted" random number generators.
Nevertheless, randomness testing is important for constructors of RNGs. In some cases (especially for quantum RNGs)
one can reasonably expect only certain types of imperfections and use tests sensitive to those only. However, if one
wants to do business, satisfying randomness tests by itself is not enough and certification is needed.
2.6 Recommendation and certification authorities
Since random number generators may be used in commercial applications, matters of national security or multi-billion
businesses (such as the aforementioned lottery), it is natural that certain authorities develop and impose a set of specific
requirements and certification procedures.

In the United States, the National Institute of Standards and Technology (NIST) has put forward a list of approved pseudo-random number
generators for cryptographic modules, FIPS 140-2 [60], and other documents pertaining to pseudo-random number
generator validation and recommendation [3,74], as well as A Statistical Test Suite for Random and Pseudorandom
Number Generators for Cryptographic Applications, STS [17]. Interestingly, NIST neither approves nor certifies any
physical RNGs.
In Germany, standards issued by the BSI (Bundesamt für Sicherheit in der Informationstechnik) regulate mandatory
certification schemes for deterministic (AIS 20, since 1999) [91] and non-deterministic (AIS 31, since 2001) [18]
random number generators for use in cryptographic and other applications.
The already mentioned LGA authority in Malta issues certificates for physical random number generators for remote gaming
purposes [7]. The national metrology institute of Switzerland (METAS) can also issue certificates for random number
generators.
2.7 Randomness amplification
Physical random number generators generally suffer from unavoidable bias and correlations, and therefore some post-
processing is usually required. The idea is to sacrifice a certain fraction of the bits in order to arrive at a smaller but more
random set. There are basically four techniques: 1) ad hoc simple correctors like Von Neumann's or XORing two adjacent
bits [63,75-76]; 2) whitening with cryptographic hash functions; 3) extractor algorithms [77-78]; and 4) resilient
functions [79-80]. The most important point is that there is no general (blind) amplification algorithm. Being
deterministic, randomness amplification cannot rectify every type of irregularity. Choosing the right
method and proving that it reduces the targeted imperfection to the desired level is crucial, for otherwise this last step in
bit production may ruin the provability of the random number generator. Good random number generators should either be
post-processing free or use minimal and provable randomness amplification.
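To see what an "ad hoc simple corrector" can and cannot do, here is an added example (not from the paper or its references) with two constructed sources: independent bits with P(1) = 0.7, and unbiased bits with a strong serial correlation (each bit repeats its predecessor with probability 0.8, a dead-time-like memory). The Von Neumann corrector and pairwise XOR are applied to both; the source parameters and function names are assumptions of the example.

```python
import random


def von_neumann(bits):
    """Von Neumann corrector: consume disjoint pairs, 01 -> 0, 10 -> 1,
    00 and 11 -> nothing.  Exact only if the two bits of a pair are
    independent and identically distributed."""
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(a)   # pair (1,0) -> 1, pair (0,1) -> 0
    return out


def xor_adjacent(bits):
    """XOR of disjoint adjacent pairs: output P(1) = 2p(1-p), so the bias is
    reduced but never removed, and correlations are invisible to it."""
    return [a ^ b for a, b in zip(bits[0::2], bits[1::2])]


def biased_independent(n, p_one, rng):
    """Constructed source 1: independent bits with P(1) = p_one (unfair coin)."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def markov_correlated(n, p_stay, rng):
    """Constructed source 2: unbiased but serially correlated bits; each bit
    repeats its predecessor with probability p_stay."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_stay else 1 - bits[-1])
    return bits


def stats(bits):
    """(mean, lag-1 serial correlation coefficient) of a 0/1 sequence."""
    n = len(bits)
    m = sum(bits) / n
    e11 = sum(a & b for a, b in zip(bits, bits[1:])) / (n - 1)
    return m, (e11 - m * m) / (m - m * m)


def demo(n=400_000, seed=7):
    """Apply both correctors to both constructed sources."""
    rng = random.Random(seed)
    biased = biased_independent(n, 0.7, rng)
    correlated = markov_correlated(n, 0.8, rng)
    return {
        "biased_raw": stats(biased),
        "biased_vn": stats(von_neumann(biased)),
        "biased_xor": stats(xor_adjacent(biased)),
        "correlated_raw": stats(correlated),
        "correlated_vn": stats(von_neumann(correlated)),
    }


if __name__ == "__main__":
    for name, (m, c) in demo().items():
        print(f"{name:15s} mean={m:.4f} lag1_corr={c:+.4f}")
```

Von Neumann's corrector removes any bias from the first source exactly, because it only needs the two bits of a pair to be independent and identically distributed. On the correlated source it leaves the mean at 0.5 yet emits bits with a lag-1 correlation near -0.23: it has turned one irregularity into another while consuming most of the input. Pairwise XOR only reduces the bias (from 0.7 to 2·0.7·0.3 = 0.42). This is the concrete sense in which there is no blind corrector: the post-processing has to be matched to a proven model of the generator's imperfection.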

3. RANDOM NUMBER GENERATORS AND CRYPTOGRAPHY


For the purpose of this survey we have divided the art of cryptography into 3 branches: 1) mathematical cryptography; 2)
information theoretic statistical cryptography and 3) quantum cryptography. Even though of uneven popularity, all three
branches crucially depend on the availability of random numbers.

3.1 Mathematical cryptography


What we call here "mathematical cryptography" is what is widely known as just "cryptography". It is the contemporary
cryptography based on deterministic algorithms that utilize one-way properties of discrete logarithms, prime factoring,
operations on elliptic curves, secure hash functions etc., and of course the use of random data (an excellent short survey is
given in [81]). Since all such security protocols are by definition deterministic and therefore at least in principle
reversible, the only true security resource is the application- or user-specific part: a key, one-time data etc., which is
supposed to be "random". The quality and provability of randomness are therefore crucial for the security and provability of the
whole system. Mathematical cryptography follows the so-called Shannon model [82].
It is a fact that mathematical cryptography is the only one in wider use, and that most cryptographers are not
aware of, or do not care about, the existence of either quantum cryptography or information theoretic statistical cryptography
(described below), because apparently they are not yet practical and/or trusted enough. Therefore it is important to
explore what makes contemporary commercial-grade protocols secure and what could be done to get the maximum
security out of them. Our hypothesis is that if a protocol requires random numbers then the use of a high-entropy physical
RNG maximizes its security. Without the ambition to make a strict proof or to give a comprehensive review, let us have
a look at several examples supporting this hypothesis.
1. The Diffie-Hellman protocol (DH) [83] enables two parties, connected by an insecure channel such as the Internet, who
initially share no secret (or some small secret required for authentication), to establish a common secret key that enables
them to subsequently continue communication in secrecy. The DH protocol is used in the well known secure internet
protocol (HTTPS) to establish a session key which is used to turn the insecure Internet connection into a secure one. The
secured line can then be used for the exchange of sensitive data such as bank card numbers for online payment or Internet
banking sessions. The DH protocol requires both parties (Alice and Bob) to generate private random data and, after
some operations, send them to each other. A more resistant version of DH requires further random data used for digital
signatures. An attack on the PRNG of an early version of Netscape featuring the 40-bit RC4-40 cipher [84], the PRNG that generated the challenge data
and the encryption keys, was able to break the HTTPS protocol in a minute or so, as described in [85]. The authors of that
article suspect that the 128-bit version RC4-128 would not be much harder to break if seeding is done in a similar fashion.
2. The RSA public key protocol relies on the generation of public and private keys separately by Alice and Bob. In order to
create a private/public key pair it is necessary to generate two unique, large prime numbers. Already calculating prime
number candidates involves random numbers. After that, the candidates need to be tested for primality using the fast Miller-
Rabin test, which only works properly if fed by random numbers. Additional one-time random numbers may be used in
the process of actual communication. Where high-entropy physical random bits are not available or are time-expensive
(as on a typical PC) there is a tendency to "expand" a short random string to a long one by pseudo-random
methods. This approach can create serious cryptographic weaknesses, because an attacker must guess a much smaller
number of bits than he would in the case of truly random numbers.
3. Similarly, research on a cryptographic attack against the partially pseudo-random number generator of an AES-based
commercial cryptographic system is described in [86].
To conclude, in mathematical cryptography random numbers are the only part of the protocol which differs from
instance to instance, and furthermore their true randomness is a prerequisite for maximum security. Therefore, even
though most primitives of mathematical cryptography are not information-theoretically proven secure, using true random numbers ensures the
highest achievable security with these methods.
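The Miller-Rabin remark in point 2 deserves a concrete illustration. The following added example (not from the paper) shows why the bases must be random: a composite can be constructed in advance to survive any fixed set of bases. 2047 = 23·89 passes the test to base 2, and 3215031751 = 151·751·28351 passes to bases 2, 3, 5 and 7 together, while a base the adversary did not anticipate, or bases drawn from an unpredictable source, reject both. The function names and the 20-round choice are assumptions of the example.

```python
import random


def miller_rabin(n, bases):
    """Miller-Rabin: return False if any base proves n composite, True if n
    survives every base ('probably prime').  The bases are the only random
    input to the test, and the only thing an adversary cannot tailor a
    composite against."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d, s = n - 1, 0                 # n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):      # these bases can never be witnesses
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True


def is_probable_prime_fixed(n):
    """Deterministic base set, as a weak implementation might hard-code it."""
    return miller_rabin(n, (2, 3, 5, 7))


def is_probable_prime_random(n, rounds=20, rng=random.SystemRandom()):
    """Bases drawn from an unpredictable source: the error probability is at
    most 4**-rounds for every composite, whoever chose it."""
    if n < 5:
        return n in (2, 3)
    return miller_rabin(n, [rng.randrange(2, n - 1) for _ in range(rounds)])


# Composites constructed to fool fixed bases (strong pseudoprimes):
SPSP_BASE_2 = 2047                # = 23 * 89, survives base 2
SPSP_BASES_2_3_5_7 = 3215031751   # = 151 * 751 * 28351, survives bases 2, 3, 5, 7
```

An implementation that hard-codes its bases, or seeds the generator of its bases predictably, can thus be handed a composite "prime" by whoever supplies candidate numbers; with bases from an unpredictable source the chance of being fooled is bounded by 4^-rounds regardless of how the candidate was chosen.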
3.2 Information theoretic statistical cryptography
Information theoretic statistical cryptography was invented by Maurer in 1991 [87]. The protocol named "Secret
Key Agreement by Public Discussion" (SKAPD) enables Alice and Bob to expand their initial shared secret key to a key
of arbitrary length by communication over a public (not secret) channel. At the same time, they are able to limit the
leakage of information about the key to a potential eavesdropper below any desired limit, for example <0.001 bit.
By using the long secret key thus obtained as a one-time pad (OTP), Alice and Bob can share messages in perfect secrecy. The
whole protocol has been information theoretically proven, as have several variants of it that appeared later. This
seemingly impossible result is made possible by loosening two premises of Shannon's cryptographic model (the model of
mathematical cryptography): 1) the three parties do not necessarily share the same information; 2) the adversary is
allowed to have limited but non-zero information about the secret key. This multi-phase, iterative protocol relies heavily
on the existence of random numbers and of binary noise, which is equivalent to random numbers.
In the first phase a long sequence of random bits S0 is created and Alice, Bob and Eve all obtain their imperfect copies
(SA, SB, SE) of the sequence S0, for example through individual binary channels with noise (BCN) which have individual
error rates α, β, γ respectively (Fig. 7). As long as γ>0, Alice and Bob can initiate the Advantage Distillation protocol, during
which they discard their bits at a generally high rate, which depends on (α, β, γ), and eventually obtain shorter
sequences which are almost equal but largely known to Eve due to the information leakage. Two subsequent protocols,
named Information Reconciliation and Privacy Amplification, allow them to correct any remaining discrepancies and arrive at a
shorter common key with the desired level of privacy against Eve.
Figure 7. Star-like distribution of S0: Eve, Alice and Bob each receive their copy of the sequence through an individual noisy binary channel.


The practical problems of SKAPD are all in the first phase. Namely, if γ→0 so does the achievable secret key rate. In that
phase Alice and Bob (and Eve) obtain their partially correlated initial strings of bits SA, SB (and SE), which must satisfy
the above condition, and they must figure out a lower bound on γ. There is no known practical and plausible way to
realize the initial distribution of sequences in the star-like topology depicted in Fig. 7 in a way that Eve does not have
direct access to S0 and that Alice and Bob are able to estimate α, β and γ, although multiple scenarios have been
proposed which clearly utilize randomness present in the physical world (scanning the surface of the Moon, listening to noise
from far-away galaxies, taking big chunks of Internet data, downloading data from a public randomness source via private
noisy binary channels etc.). It is possible that further research will lead to a resolution of these problems. Indeed,
researchers from the University of Twente in the Netherlands claim to have a similar system in operation. The system is named
Free Move Quantum Exchange, but its critical details have not been released [88].
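The first phase can be made concrete with the repetition-code form of Advantage Distillation. The following is an added example, not code from [87] or from the paper: the reference string S0 is constructed at random, Alice's copy is taken to be exact (α = 0) while Bob's and Eve's copies pass through constructed noisy channels with β = 0.3 and γ = 0.2, so that Eve initially holds the better copy. For every block of N = 5 bits Alice publishes her bits masked with a fresh random bit c; Bob accepts the block only if all N of his unmasked values agree, and Eve makes a majority guess from her own unmasked values. The parameters, block size and function names are assumptions of the example.

```python
import random
from math import comb


def noisy_copy(s0, error_rate, rng):
    """Pass the reference string through a binary channel with noise: each
    bit is flipped independently with probability error_rate (constructed)."""
    return [b ^ (1 if rng.random() < error_rate else 0) for b in s0]


def advantage_distillation(s_a, s_b, s_e, block, rng):
    """Repetition-code advantage distillation.  Per block Alice draws a fresh
    random bit c and publishes s_a[i] ^ c over the authenticated channel.  Bob
    unmasks with his bits and accepts only if all `block` values agree; Eve
    unmasks with hers and takes a majority vote.  Returns (accepted blocks,
    Bob errors, Eve errors) with respect to Alice's bit c."""
    accepted = bob_err = eve_err = 0
    for start in range(0, len(s_a) - block + 1, block):
        c = rng.randrange(2)                      # Alice's fresh random bit
        public = [a ^ c for a in s_a[start:start + block]]
        bob_view = [p ^ b for p, b in zip(public, s_b[start:start + block])]
        if len(set(bob_view)) != 1:
            continue                              # Bob rejects this block
        accepted += 1
        bob_err += bob_view[0] != c
        eve_view = [p ^ e for p, e in zip(public, s_e[start:start + block])]
        eve_guess = 1 if 2 * sum(eve_view) > block else 0
        eve_err += eve_guess != c
    return accepted, bob_err, eve_err


def predicted_errors(beta, gamma, block):
    """Closed forms for alpha = 0: Bob errs on an accepted block when all N of
    his bits were flipped, beta^N / (beta^N + (1-beta)^N); Eve's majority
    vote (N odd) errs when more than half of her bits were flipped."""
    bob = beta ** block / (beta ** block + (1 - beta) ** block)
    eve = sum(comb(block, k) * gamma ** k * (1 - gamma) ** (block - k)
              for k in range(block // 2 + 1, block + 1))
    return bob, eve


def run(n_bits=600_000, alpha=0.0, beta=0.3, gamma=0.2, block=5, seed=3):
    """Eve's copy is initially better than Bob's (gamma < beta); after one
    round Bob's surviving bits agree with Alice far more often than Eve's."""
    rng = random.Random(seed)
    s0 = [rng.randrange(2) for _ in range(n_bits)]
    s_a, s_b, s_e = (noisy_copy(s0, e, rng) for e in (alpha, beta, gamma))
    acc, bob, eve = advantage_distillation(s_a, s_b, s_e, block, rng)
    return {"accepted": acc, "bob_error": bob / acc, "eve_error": eve / acc,
            "predicted": predicted_errors(beta, gamma, block)}


if __name__ == "__main__":
    r = run()
    print(f"blocks kept: {r['accepted']}  Bob err: {r['bob_error']:.4f}  "
          f"Eve err: {r['eve_error']:.4f}  predicted: {r['predicted']}")
```

Among accepted blocks Bob's error rate is β^N/(β^N + (1-β)^N) ≈ 1.4%, while Eve's majority vote still errs ≈ 5.8% of the time, so the advantage has changed sides at the price of discarding about 83% of the blocks (the high discard rate mentioned above). Information Reconciliation and Privacy Amplification, which follow, are not shown. Note that the protocol consumes one fresh random bit per block on top of S0 itself.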
3.3 Quantum cryptography
Quantum cryptography, or quantum key distribution (QKD), is a collective name for several protocols that have
functionality identical to the above discussed Maurer's protocol: secret key growing. Probably the best known in the
family is BB84 [92-93], which appeared first, in 1984. Quantum cryptography is the only system for establishing a
secret key between two parties who initially share only a small secret that has so far been proven unconditionally secure
against an active attacker [94-96]. It features yet another unique characteristic that is not possible with any other
cryptographic system: the legitimate parties are able to detect (an attempt of) eavesdropping.

With time, QKD moved from scientific laboratories to the market. In 2004 the Swiss spin-off company IdQuantique
presented the world's first QKD system, having a key rate of 1 kbit/s at distances up to 69 km, while the newest model,
Clavis2, has extended the range to 100 km. Soon after that the US-based company MagiQ Technologies presented its QPN
system, followed later by SmartQuantum (France) and Quintessence Labs (Australia). Several big companies such as
Toshiba, NEC, IBM and HP are experimenting with their own QKD systems. As a part of the maturing of this technology,
in recent years researchers have put more effort into the study of security proofs and attacks rather than the invention of new
protocols. While most of the proposed attacks had at best symbolic success in recovering information about the
secret key, in 2010 the Norwegian group led by V. Makarov conceived and demonstrated an attack with catastrophic
consequences. The attacker was able to recover 100% of the (no longer) secret key generated between Alice and Bob
without being detected! Worse yet, the attack was experimentally tested not only on a scientific BB84-like setup [97]
but on the two most trusted commercial systems: the QPN 5505 of MagiQ and the id3110 Clavis2 of IdQuantique [90].

But how is this possible when all these systems operate upon a scientifically proven principle? The authors' explanation is that
they used a technological weakness in single photon detectors, so-called "blindability", that was not considered (nor
known) in the security proof, thus effectively realizing a setup that does not conform to the assumptions of the proof.
However our notion (which has eluded researchers so far) is that blindability is only a technological aspect, while the
essence is an attack on the random number generator (RNG).

In the following we assume the reader's familiarity with the BB84 protocol, where Alice and Bob are linked by one quantum and
one public but authenticated classical channel. Over the quantum channel Alice sends Bob qubits randomly chosen in
one of the four polarizations (0°, 45°, 90°, 135°). Eve cuts the quantum channel (usually a fiber) and measures the qubits in a
randomly chosen basis, (0°, 90°) or (45°, 135°), just as Bob would. In order for her to be completely invisible and get the
same information as Bob she "only" has to make sure that Bob chooses the same basis and gets the same measurement
result. But how can she do that when Bob's basis is chosen randomly? Here comes the trick.

Fig. 8. a) Receiver with a passive random number generator: the measurement basis is chosen randomly by means of a first,
polarization-insensitive beam splitter; b) receiver with an active random number generator: the basis is determined by a
random bit which controls the phase electro-modulator (ΦEM), for example a Pockels cell.

Bob's receiving station (un)fortunately utilizes the passive RNG scheme shown in Fig. 8a. This part is the same in all QKD
systems that have been broken by the blinding attack. In order to manipulate Bob's choice of basis, Eve blinds all four
detectors simultaneously by shining strong continuous-wave (CW) circularly polarized light of a carefully chosen
intensity. In that state, the detectors are sensitive only to strong pulses of light brighter than some threshold value. It is
therefore straightforward for Eve to make any of the 4 detectors fire at her will by superimposing on the circular CW
light a strong pulse of the appropriate polarization (0°, 45°, 90° or 135°) that matches her measurement result, so that Bob gets
exactly the same result as she did. For the rest, Eve passively listens to the classical channel between Alice and Bob and
does whatever they do in order to arrive at exactly the same "secret" key.

Even though the authors in [97] claim that Eve exploits a technological weakness of the detectors, namely their blindability, our
finding is that Eve's success relies entirely on the fact that she is able to manipulate Bob's local random number
generator, which determines Bob's detection basis. If she could get control over Bob's choice of basis in any other way,
she could achieve the same result without blinding the detectors. More importantly, should Bob replace his passive setting
with a setting where the choice of receiving basis is under the control of an electronic random number generator which cannot
be manipulated by Eve (as shown in Fig. 8b), blindability would not help Eve to achieve anything beyond the standard
(sterile) intercept-resend attack [93], and moreover she would be discovered by Alice and Bob.

Although the passive (Fig. 8a) and active (Fig. 8b) receiving schemes are seemingly functionally equivalent, the scheme
with an explicit, electronic random number generator is secure against random number attacks. Namely, even though the
information-theoretically perfect random number generator required in the active setup can be made in exactly the same
way as the corresponding part of Bob's receiving station, namely using a photon source, a beam splitter and two detectors (Fig. 5 left),
the subtle difference between the passive and active schemes is that the electronic RNG internally collapses the wave function and
outputs only classical information (random bits) in one (outward) direction. Such a generator does not receive any
information from the communication channels and consequently cannot be manipulated by Eve.
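The two attacks can be contrasted in a small model. The following added example (not code from [90] or [97], nor from the paper) treats a qubit as a (basis, bit) pair, measures it exactly in the matching basis and randomly otherwise, and lets Bob's passive 50/50 beam splitter be his random choice of basis. In the intercept-resend case Eve only measures and re-sends; in the detector-control case she additionally forces Bob's basis and outcome to equal hers, which is all the blinding achieves from the protocol's point of view. The mode names and the measure of Eve's knowledge are assumptions of the example.

```python
import random

RECT, DIAG = 0, 1      # rectilinear (0/90 deg) and diagonal (45/135 deg) bases


def measure(qubit, basis, rng):
    """Ideal polarisation measurement: the matching basis returns the encoded
    bit, the wrong basis returns a uniformly random bit."""
    enc_basis, bit = qubit
    if basis == enc_basis:
        return bit
    return rng.randrange(2)


def bb84_session(n, eve, rng):
    """Send n qubits with random basis and bit.  Bob's basis comes from an
    unbiased coin (passive beam splitter) unless Eve overrides it.  Returns
    (QBER of the sifted key, fraction of sifted bits on which Eve's record
    agrees with Bob's bit)."""
    sifted = errors = eve_agree = 0
    for _ in range(n):
        a_basis, a_bit = rng.randrange(2), rng.randrange(2)
        qubit = (a_basis, a_bit)
        b_basis = rng.randrange(2)          # Bob's own random choice
        eve_bit = None
        if eve == "intercept_resend":
            # Eve measures in a random basis and re-sends what she saw;
            # Bob's basis choice stays his own.
            e_basis = rng.randrange(2)
            eve_bit = measure(qubit, e_basis, rng)
            qubit = (e_basis, eve_bit)
        elif eve == "detector_control":
            # Same measurement, but Eve blinds Bob's detectors and fires the
            # one matching her result: Bob's basis AND outcome are now hers.
            e_basis = rng.randrange(2)
            eve_bit = measure(qubit, e_basis, rng)
            b_basis = e_basis
            qubit = (e_basis, eve_bit)
        b_bit = measure(qubit, b_basis, rng)
        if b_basis != a_basis:
            continue                        # sifting over the public channel
        sifted += 1
        errors += b_bit != a_bit
        eve_agree += eve_bit is not None and eve_bit == b_bit
    return errors / sifted, eve_agree / sifted


def compare(n=200_000, seed=84):
    """QBER and Eve's agreement for no attack, intercept-resend, and
    intercept-resend with control over Bob's basis choice."""
    rng = random.Random(seed)
    return {mode: bb84_session(n, mode, rng)
            for mode in (None, "intercept_resend", "detector_control")}


if __name__ == "__main__":
    for mode, (qber, agree) in compare().items():
        print(f"{str(mode):17s} QBER={qber:.3f}  Eve agrees with Bob={agree:.3f}")
```

Intercept-resend leaves a 25% error rate in the sifted key and Eve agrees with Bob on only 75% of it, so she is detected and holds an incomplete key; dictating Bob's basis choice drives the error rate to zero while Eve holds 100% of the key. Nothing in the second case depends on how the detectors were taken over, which is the point made above: whatever lets Eve control Bob's random basis choice breaks the protocol, and a basis choice made by an RNG that takes no input from the channel removes that option.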

4. CONCLUSION
In this work, an overview of physical random number generators and their use in cryptography and other applications is
given. Our conclusion is that quantum random number generators (QRNG) possess the most plausible link between the
randomness of numbers and the laws of physics, and therefore stand the best chance of a strict scientific proof of randomness.
Accordingly we gave a new, physical definition of randomness against which QRNGs can be easily tested. Furthermore,
vulnerabilities of key-establishing cryptographic protocols that arise from bad random number generators have been
explored, with the conclusion that the use of a QRNG in these protocols would maximize their resilience against random number
generator attacks. However, the quest for provable, fast and affordable random number generators will continue.

This work was supported by the Ministry of Science, Education and Sports of the Republic of Croatia, contract number 098-
0352851-2873.

REFERENCES

1. E. Gentle, "Random Number Generation and Monte Carlo Methods", Springer, 2002
2. D. E. Knuth, The art of computer programming, Vol. 2, Third edition, (Addison-Wesley, Reading, 1997)
3. T.A. Hall, "The NIST SP 800-90 Deterministic Random Bit Generator Validation System (DRBGVS)", Sept. 2011
4. U. M. Maurer, "A universal statistical test for random bit generators", J. Crypt. 5,89-105(1992)
5. A. Kerckhoffs, "La cryptographie militaire" Journal des sciences militaires, vol. IX, pp. 5–83, January 1883, pp.
161–191, February 1883, URL: http://www.petitcolas.net/fabien/kerckhoffs/
6. P. Jonsson, “Boom in Internet gambling ahead? US policy reversal clears the way”,
http://www.csmonitor.com/USA/2011/1226/Boom-in-Internet-gambling-ahead-US-policy-reversal-clears-the-way
7. Remote Gaming Regulations, Legal notice 176 of 2004, 110 of 2006, 2760& 426 of 2007 and 90 of 2011, Lotteries
and Gaming Authority, Malta
8. G. Parisi, F. Rapuano, "Effects of the random number generator on computer simulations", Physics Letters B 157
(1985) 301-302
9. A. Proykova, "How to improve a random number generator", Comp. Phys. Comm. 124 (2000) 125-131
10. T. Click, A. Liu, G. Kaminski, "Quality of Random Number Generators Significantly Affects Results of Monte
Carlo Simulations for Organic and Biological Systems", J. Comp. Chem. 32 (2011) 513-524

11. P. Coddington, "Tests of random number generators using Ising model simulations", Int. J. Mod. Phys. C, 7 (1996)
295–303
12. A. De'Matteis, S. Pagnutti, "Long-range correlations in linear and non-linear random number generators", Parallel
Comput., 14 (1990) 207–210
13. A.M. Ferrenberg, D.P. Landau, Y.J. Wong, "Monte Carlo simulations: hidden errors from "good" random number
generators", Phys. Rev. Lett., 69 (1992) 3382–3384
14. P. Grassberger, "On correlations in 'good' random number generators", Phys. Lett. A, 181 (1993) 43–46
15. F. Schmid, N.B. Wilding, "Errors in Monte Carlo simulations using shift register random number generators", Int. J.
Mod. Phys. C, 6 (1995) 781–787
16. I. Vattulainen, T. Ala-Nissila, K. Kankaala, "Physical tests for random numbers in simulations", Phys. Rev. Lett., 73
(1994) 2513–2516
17. A. Rukhin et al., "NIST Special Publication 800-22rev1a: A Statistical Test Suite for the Validation of Random
Number Generators and Pseudo Random Number Generators for Cryptographic Applications", April 2010
18. "Functionality classes and evaluation methodology for physical random number generators, reference: AIS31
version 1, 25/09/2001", BSI (Bundesamt für Sicherheit in der Informationstechnik)
19. Goldberg, D. Wagner, "Randomness and the Netscape Browser ", Dr. Dobbs, Jan 1, 1996,
http://drdobbs.com/windows/184409807
20. B. Schneier, "Lousy Random Numbers Cause Insecure Public Keys", Schneier on Security Blog URL:
http://www.schneier.com/blog/archives/2012/02/lousy_random_nu.html?nc=47#comment-727264
21. B. Schneier, "Did NSA Put a Secret Backdoor in New Encryption Standard?", URL:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
22. W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature 299, 802-803 (1982)
23. D. Dieks, "Communication by EPR devices", Phys. Lett. A 92, 271 (1982)
24. Schneier, B., Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York,
(1996).
25. P. Hellekalek, "Good random number generators are (not so) easy to find", Mathematics and Computers in
Simulation 46 (1998) 485-505
26. G. Marsaglia and W. W. Tsang, The ziggurat method for generating random variables, Journal of Statistical
Software, 5 (2000) 1-7, http://www.jstatsoft.org/v05/i08
27. Matsumoto, M.; Nishimura, T. (1998). "Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-
random number generator", ACM Transactions on Modeling and Computer Simulation 8 (1998) 3-30 URL:
http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html
28. J.L. Massey "Shift-register synthesis and BCH decoding", IEEE Trans. Information Theory IT-15(1969)122–127,
URL: http://crypto.stanford.edu/~mironov/cs359/massey.pdf
29. M. Krause, "BDD-Based Cryptanalysis of Keystream Generators", in proccednings of Advances in Cryptology -
EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques,
Amsterdam, The Netherlands, April 28 - May 2, 2002, pp. 222-237
30. Y. Shaked and A. Wool, "Cryptanalysis of the Bluetooth E0 Cipher using OBDD's", IACR ePrint archive, 27
Mar. 2006, URL: http://eprint.iacr.org/2006/072
31. E. Stegemann, "Extended BDD-based cryptanalysis of keystream generators", in Proceedings of the 14th
international conference on Selected areas in cryptography SAC'07, Ottawa, Canada, pp. 17-35
32. L. Blum, M. Blum, and M. Shub. "A Simple Unpredictable Pseudo-Random Number Generator", SIAM Journal on
Computing, 15(1986) 364–383
33. Quantis, ID Quantique SA, Geneve, Switzerland, URL: http://www.idquantique.com/true-random-number-
generator/products-overview.html
34. QRBG121, URL: http://qrbg.irb.hr/
35. quRNG50, qutools GmbH, Munich, Germany, URL: http://www.qutools.com/products/quRNG/
36. PQRNG 150, Pico Quant GmbH, Berlin, Germany, URL: http://www.picoquant.com/_products.htm
37. QNG Model R2000KU, ComScire - Quantum World Corp, Gainesville, FL 32602, USA, URL:
http://comscire.com/Downloads/
38. Entropy Key, Simtec Electronics, Avondale Drive, Tarleton, Lancashire, PR4 6AX, United Kingdom, URL:
http://www.entropykey.co.uk/
39. SG100 EVO-USB, Protego Information AB, Lund, Sweden, URL: http://www.protego.se/contact.htm

40. M. Stipcevic, Fast nondeterministic random bit generator based on weakly correlated physical events, Rev. Sci.
Instrum. 75, 4442-4449 (2004)
41. A. Figotin et al..,"A random number generator based on spontaneous alpha-decay", Patent No. WO0038037A1
42. L. Gollub, "Radioactive random number generator", Patent No. DE19743856A1, Priority date 04.10.1997.
43. T. Ritter, "Random Number Machines: A Literature Survey",
http://www.ciphersbyritter.com/RES/RNGMACH.HTM (2002)
44. M. Stipcevic, "Quantum random bit generator", Patent No. WO2005106645 (A2), Priority date 30.04.2004.
45. M. Stipcevic, B. Medved Rogina, "Quantum random number generator based on photonic emission in
semiconductors", Rev. Sci. Instrum. 78, 045104:1-7 (2007)
46. C.H. Vincent, "The generation of truly random binary numbers", J. Phys. E: Scientific Instruments 3 (1970) 594-
598
47. P. Chevalier, C. Menard,B. Dorval, “Random number generator”, Patent No. US3790768A
48. Via rng aka quantum
49. P. Kanter, Y. Aviad, I. Reidler, E. Cohen and M. Rosenbluh, "An optical ultrafast random bit generator", Nature
Photonics 4, 58 - 61 (2010)
50. Thomas Jennewein, Ulrich Achleitner, Gregor Weihs, Harald Weinfurter, Anton Zeilinger, " A Fast and Compact
Quantum Random Number Generator", Rev. Sci. Instrum. 71, 1675–1680 (2000)
51. M. Fürst, H. Weier, S. Nauerth, D. G. Marangon, C. Kurtsiefer, H. Weinfurter, , "High speed optical quantum
random number generation," Opt. Express 18, 13029-13037 (2010)
52. H. Nyquist, "Thermal Agitation of Electric Charge in Conductors", Phys. Rev. 32, 110–113 (1928)
53. C.W.J. Beenakker, M. Büttiker, "Suppression of shot noise in metllic diffusive conductors", Phys. Rev. B 46 (1992)
1889-1892
54. H. Guo, W. Tang, Y. Liu, and W. Wei, “Truly random number generation based on measurement of phase noise of a
laser”, Phys. Rev. E 81, 051137 (2010)
55. P. Li, Y.C. Wang, J. Z. Zhang, “All-optical fast random number generator”, Opt. Express 18, 20360-20369 (2010)
56. J. Hales, A. Zhukov, R. Roy, and M. I. Dykman, "Dynamics of Activated Escape and Its Observation in a
Semiconductor Laser", Phys. Rev. Lett. 85(2000)78-81
57. V. Bagini and M. Bucci, "A Design of Reliable True Random Number Generator for Cryptographic Applications", in
Ç. K. Koç and C. Paar, editors, Workshop on Cryptographic Hardware and Embedded Systems, CHES 1999, pp.
204–218, Berlin, Germany, Lecture Notes in Computer Science, Vol. 1717, Springer-Verlag, 1999.
58. S-K. Yoo, D. Karakoyunlu, B. Birand, B. Sunar, "Improving the Robustness of Ring Oscillator TRNGs",
ACM Transactions on Reconfigurable Technology and Systems 3, (2010)
59. F. Rodriguez-Henriquez, N. A. Saqib, A. Diaz-Perez, and C. K. Koc. Cryptographic Algorithms on Reconfigurable
Hardware. Springer, 2007
60. R.J. Easter, C. French, "Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security
Requirements for Cryptographic Modules", NIST, February 2012
61. "VIA PadLock Advanced Cryptography Engine", http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
62. VIA inc., "VIA PadLock Security Engine", URL: http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
63. J. von Neumann. Various techniques for use in connection with random digits, von Neumann’s Collected Works,
vol. 5, Pergamon, pp. 768–770, 1963.
64. VIA inc., "VIA Security Application Note", URL:
http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/security_application_note.pdf
65. R. Oelermans, V. Miche, "Digital true random number generator circuit", patent application US2002156819 (A1)
66. G. Laszlo, “Electronic circuit for random number generation” , US7315874(B2)
67. S. Takagi, Random Number Data Generator, US2003208517
68. B. Sunar, "True Random Number Generators for Cryptography", in Cryptographic Engineering, Ç. K. Koç (ed),
Springer Science + Business Media, LLC 2009
69. G. Marsaglia, "DIEHARD battery of stringent randomness tests", URL: http://www.stat.fsu.edu/pub/diehard/
70. R.G. Brown, "Dieharder: A Random Number Test Suite", URL:
http://www.phy.duke.edu/~rgb/General/dieharder.php
71. Walker, "Ent: A Pseudorandom Number Sequence Test Program", Fourmilab.ch. http://www.fourmilab.ch/random/
(accessed August 13, 2009).
72. A. Ruhkin et al., "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic
Applications", NIST Special Publication 800-22rev1a, NIST April 2010

Proc. of SPIE Vol. 8375 837504-14