DE102008033162A1 - Physical random number generator - Google Patents

Abstract

The present invention relates to a method and apparatus for generating random physical numbers whereby true random numbers can be represented very efficiently. The generation is based on the comparison of two events (f _(Q1) , F _(Q2) of at least two independent physical event generators.) The essential thing is that the first physical event has two identical but different states Then, the second event retrieves the random and maps the random on the first event by determining whether the first event has a substantially first or second state when in the second event, there is a substantially first or second state.

Description

The The present invention relates to a method and an apparatus for the generation of physical random numbers according to the generic terms of claims 1 and 11.

random numbers are necessary in many ways today. For the Generating random numbers there are many different methods to generate the random numbers more or less high quality are able. However, while qualitative for many procedures high quality, d. H. real random numbers not necessary, or even are harmful (such as slot machines, where the bank too to win a certain percentage) are for some Procedure requires true random numbers, e.g. For procedures cryptography, statistics, simulation and randomization.

For example is to ensure a high quality (ie not unauthorized decipherable) enciphering the use of true random numbers indispensable requirement. A real random number or in other words each generated bit has a probability from 0.5 to. This ensures that no bit is calculated in advance can not, even if the predecessor bits known are. Conversely, not even the predecessor bits calculate if all successor bits are known.

Such true random numbers can not, however, be mathematical Produce method, but only by a natural Process, generated by the so-called physical random numbers become.

In addition to the probability of a generated random number, there is another important quantity in the entropy of the generated binary number sequences. For entropy, according to Shannon: H = - (plog 2 p + qlog 2 q) and H = 1

There however, in general, statistical calculations of entropy internationally uneven and also partly controversial will be in the present assessment of quality of random numbers not on the entropy, but on the application proven mathematical statistical tests, which indirectly also consider the entropy of a binary sequence, resorted.

The Basis for this mathematical test, namely the Monobit test, the poker test, the run test and the long run test forms: [FI 140-1] FIPS PUB 144-1, NIST, Security Requirement for Cryptographic Modules.

For the generation of physical random numbers, various methods are known, but so far can not produce almost real random numbers at a reasonable cost. For example, one uses analog noise signals for digitizing random bits. In this case, a constant c in the noise spectrum is fixed to derive random bits. One then compares the measured value U at the time t _n with the constant c (cf. 1 ). The generation of a random bit Z _i is now performed by assigning a "1" if the measured voltage U _{(tn) is} less than c, and _assigning a "0" if the measured voltage U _{(tn) is} greater than or equal to c is. However, a disadvantage of this method is that on the one hand the generated bits are random, but not evenly distributed. Namely, it is impossible to place the constant c in the statistical mean of a noise signal. Since the probabilities of both random bits are therefore not equal to 0.5, the entropy generated is also significantly below the value 1 per bit. Therefore, a mathematical post-processing of the bits is necessary.

Farther the noise signal remains due to aging processes of the electronic Components not constant in its parameters. This shifts the constant c relative to the signal and the entropy decreases. Elaborate control and Nachjustierarbeiten are therefore necessary. In addition, external influences go such as temperature, humidity, air pressure, supply voltage etc. on the electronic components in the measured values, lead but not to an increase in entropy. After all is about controlling the external factors a manipulation of the generated bits possible.

Other known methods are described in WO 97/43709 . US 4,855,690 and DE 101 18 495 C1 , Again, however, there are the principal disadvantages that the random numbers generated either are not nearly true random numbers and / or the generation itself is ineffective.

task the present patent application is therefore a method and a device for generating physical random numbers indicate, where at reasonable cost true random numbers are very effective produce bar. This task is solved with the features of claims 1 and 11. Advantageous Further developments are in the respective dependent subclaims contain.

In the method according to the invention for generating physical random numbers, physical events of at least two independent event transmitters are compared with each other, wherein the physical events have different temporal behavior. The first event has two times equally distributed different states high _(Q1) and low _(Q1) and the second event two states not equally distributed high _(Q2) and low _(Q2) . Then, from the second event, the random is obtained and randomly mapped on the first event by determining whether the first event has a substantially first or second state, when in the second event a substantially first or second Condition exists. For the presence of a first or second state in the first event, a predetermined bit value is assigned. For example, for the first state the "1" and for the second state the "0" or vice versa.

Instead of the determination of a bit in the determination of a substantially first state of the second event can of course also the bit in the presence of the second state in the second Event are generated. Or alternatively, both at the first and generates a bit at the second state of the second event become. A series of such bits can then become long random numbers be assembled.

The Inventors started from the knowledge that two of each other independent physical events never at the same time appear, even if the difference in time still is so small. Therefore, it is better to have two independent physical ones Relate events, not a variable with one To compare constants.

Important is that the first physical event is two temporally similar, d. H. equally distributed, but different states to verify a bit at all. These states must therefore be equally distributed because only then bits with a probability of 0.5 can be generated. The second physical event must again show a temporally unsteady behavior, so two have states that are not equally distributed over time. ever bigger is the discontinuous behavior, all the more it is better for the quality of the random numbers, since chance is won from the second event.

Thereby each has yet to be both events of physical origin so slight change known and unknown physical parameter has an effect on chance, however always the entropy of coincidence is increased, what with previous ones Procedure was not the case. The parameters to be determined go then even back to quantum mechanical processes and are not more comprehensible. Influential external factors increase the entropy additionally.

From the DE 101 18 495 C1 Although the comparison of two frequencies is already known, the amplitude value of the second oscillation is always first determined upon detection of a minimum amplitude value of an oscillation and only when this amplitude value of the second oscillation changes from an initially determined amplitude value to an opposite amplitude value Bit generated. Thus, this method is much more complicated and slower, thus less effective than the inventive method. In addition, neither of the two events, namely the vibrations, has a temporally unsteady behavior. As a result, the bits are not provided with the same generation probability, which is why a mathematical post-processing to improve the random numbers generated with it is necessary to correct the skewed, ie unequally distributed digitized noise signal sequence.

However, this mathematical post-processing often leads to a deterioration of the quality of the random numbers, such as the memorandum "A suggestion on: Functionality classes and evaluation methodology for physical random number generators", Version 3.1 of 25.09.2001, by Wolfgang Killmann, T-Systems debis Systemhaus Information Security Services, Bonn, and Prof. Priv.-Doz. Dr. Werner Schindler, Federal Office for Information Security (BSI), Bonn , shows. In addition, it is apparent from this document that even with the same random generators of previous design with identical nominal sizes of the components under the same experimental conditions random numbers are generated with different statistical behavior. This reduces the entropy of the random numbers, which is considered a sign of lower quality.

With On the other hand, the process according to the invention is generates directly outputable random numbers that are not mathematical have to be reworked and at the every manipulation attempt of outside in the form of an action on known physical Parameter increases the entropy of the random numbers. natural Have aging processes or unknown physical parameters also no adverse, but positive influence on the Entropy.

Advantageous becomes essentially one at each transition and / or second state of the second event generates one bit. Then you can generate true random numbers for any length of time.

expedient the first event is a first physical vibration and that second event a second physical vibration, each minimum and maximum amplitude values, since such vibrations can be displayed relatively easily.

Prefers then the determination of the amplitude value of the first oscillation takes place at the transition to a substantially maximum amplitude value the second vibration.

In a particularly expedient embodiment, the first oscillation (f _(Q1) ) is a higher-frequency oscillation than the second oscillation (f _(Q2) ), advantageously f _(Q1) > 50 f _(Q2) , preferably f _(Q1) > 80 f _(Q2) , in particular f _(Q1) > 100 f _(Q2) . As a result of this high oscillation ratio, in the first oscillation a very large number of periods are passed through between two determination times controlled via the first oscillation, so that the quality of the number of declines is increased. Preferably, for the first oscillation (f _(Q1) ) ≥ 0.5 MHz, preferably ≥ 2 MHz, in particular ≥ 10 MHz. Due to the high oscillation frequency, random bits can be generated in a very fast sequence.

Particularly advantageously, the first oscillation (f _(Q1) ) is a vibration stabilized with respect to the duty cycles. The stabilization of the first oscillation enables a duty factor of 50%, which advantageously influences the quality of the random numbers. Furthermore, it is preferable if the first oscillation (f _(Q1) ) is inverted after a certain number of periods. As a result, any deviations from a duty cycle of 50% which may still occur are compensated for even with stabilized oscillations. This inversion can be done after one or more periods and is more likely to be done for less well-stabilized vibrations.

Suitably, the first vibration (f _(Q1) ) is essentially a square wave. As a result, the points for determining the amplitude values can be set very precisely. Of course, however, other defined vibrations, such as sawtooth, sinusoids, etc. can be used.

The second oscillation (f _(Q2) ) is according to a particularly advantageous embodiment, a non-stabilized oscillation, which is generated in particular by a free-running generator, the deviation from the stability advantageously ≥ 5%, preferably ≥ 7.5% and in particular ≥ 10%. It is thereby achieved that the number of periods of the first oscillation passing through between two bit generation instants is always different, whereby the quality of the random number is further increased.

It is to emphasize that by the optional Measures increases the quality of random numbers so that under the verification options true random numbers are available. If, however, physical random numbers Sufficient, which are not 100% true random numbers, does not have to necessarily a quality improvement with the help of one or several of these measures are taken.

Independent protection is claimed for a physical random number generator having first generator (f _(Q1) ) and a second generator for generating second oscillation (f _(Q2) ) and adapted according to the method of the invention to work. In this case, the first generator is preferably a quartz generator and the second generator is a voltage-controlled oscillator.

In an advantageous embodiment, the input of the voltage-controlled generator is connected to a resistor-capacitor combination. Advantageously, the resistor-capacitor combination has a switch which is connected by the output signals of a pulse shaper and the input of the pulse shaper to the output of a third generator for generating a third oscillation (f _(Q3) ) is connected. As a result, an unstabilized second vibration is generated in a simple manner. Suitably, the third generator is adapted to generate substantially a square wave, wherein the frequency of the square wave is preferably not stabilized. As a result, the stabilization of the second vibration is further reduced. The switch is preferably adapted to switch at a substantially maximum or minimum amplitude value of the pulse shaper.

Also independent protection is claimed for use the inventive method and / or the Device according to the invention in one of the following Methods: cryptographic methods, statistical methods, simulation methods, Randomization.

The inventive method and the invention Device will go through with its features and advantages the preferred embodiments described with reference to the drawing described. Show it:

1 a known technique for generating physical random numbers,

2 the first vibration used in the method according to the invention,

3 the comparison of the first and second vibration used in the method according to the invention,

4 the unit for generating the second Vibration in the device according to the invention,

5 the form of in the unit after 4 used needle pulse,

6 a first listing of exemplary results for the poker and monobit test and

7 A second listing of exemplary poker, monobit, run, and long run test results.

2 shows the first vibration used in the method according to the invention f _(Q1) , wherein the amplitude U is plotted against time. It can be seen that this is a stabilized square wave f _(Q1) , ie the condition t ₂ -t ₁ = t ₃ -t _{2 should} apply. In this way, there is a maximum and minimum amplitude duty cycle of 50% and random bits can be generated with a probability of 0.5. In practice, however, it is not possible to realize this condition accurately and to keep it stable. For example, the real duty cycle is 49.995% for the minimum amplitude value (low) and 50.005% for the maximum amplitude value (high) of f _(Q1) . This error is corrected hardware-based by inverting the square-wave signal after the expiration of one or more periods. The stabilization error is thus also inverted and there are the inverse ratios for low and high. In total, the probabilities are set to 0.5. The shape of the square wave signal (including the amplitude height) itself is now of minor importance, as long as the duty cycle 0.5 itself is maintained.

How out 3 As can be seen, the second oscillation is also a square wave f _(Q2) , where the mean frequency f _{(Q2) is} 20 kHz and f _(Q1) = 10 MHz. However, the vibration f _{(Q2) is} completely unstabilized. This applies to the frequency, as well as the amplitude and especially for the duty cycle. To generate this oscillation, a free-running generator is used without any stabilization measures, as related to 4 will be explained. Between the frequency of the first oscillation f _(Q2) and the mean frequency of the second oscillation f _{(Q2) there} is the relationship f _(Q2) > 100 f _(Q2) .

Based on 3 now also the extraction of random bits is illustrated purely schematically. A comparison of the amplitudes of both oscillations f _(Q1) and f _{(Q2) takes place} at time t (n), wherein the time t (n) is the time at which a low / high transition of the second oscillation f _{(Q2 )} takes place. Alternatively, of course, could also be switched to the high / low transition of f _(Q2) . The following procedure is used for bit generation:
At time t ₁ , an amplitude transition from low to high takes place at f _(Q2) . This time thus sets a determination time for the bit generation. At time t ₁ , a transition from low to high is taking place at f _(Q1) . Thus, the amplitude value of f _{(Q1) is} indeterminate. To avoid these uncertainties, such a transition is assigned a bit value, namely "1". Conversely, a high / low transition is assigned the value "0". On the occasion of a subsequent determination time t ₂ , a low exists for the amplitude value of f _(Q1) , whereby a bit value of "0" is generated. On the occasion of the next determination time t ₃ , because of the presence of high at f _(Q1), a bit value of "1" is generated. Finally, a bit value of "1" is generated at t ₄ , since f _(Q1) also has a high. The generated random bit sequence is thus 1011.

To generate sufficiently true random physical numbers, the deviation from the stability of f _{(Q2) is} about 10%, that is, the nominal frequency of f _(Q2) oscillates around this amount. This inevitably results in time differences from period to period for f _(Q2) . Through this time window, of about 5 × 10 ⁶ s, there are about 10 periods of the first oscillation f _(Q1) . Whether then at the low / high transition of f _(Q1) for f _{(Q1) is} verified as an amplitude value low or high and thus a bit value is assigned a "0" or a "1" is pure coincidence.

To ensure or increase this stability deviation of f _(Q2) , a freewheeling generator is generated for the generation of the second oscillation f _(Q2) 1 used purely schematically in 4 is shown. This is the free-running third generator 2 not directly used for frequency comparison. Rather, it serves as a link and as a control source for a second generator 3 , which is a voltage controlled oscillator. For example, as a second generator 3 a commercial PLL (phase-locked-loop) CMOS circuit 4046 are used, in which case only the VCO part is used.

The functioning of the free-running generator 1 is now the following:
The third generator 2 generates a square wave f _(Q3) and feeds a pulse shaper 4 which generates needle pulses. These needle pulses are fed to a switch S, which is always closed when the amplitude of the applied pulse is high. By closing the switch S is located at the entrance 6 of the second generator 3 the voltage U on.

The resulting output frequency f _(Q2) then results from the technical data of the second generator 3 , Since it is the second generator 3 is a voltage controlled oscillator, the magnitude of the input voltage U determines the magnitude of the output frequency f _(Q2) . At the same time, the capacitor C is charged to the rated voltage of U.

Whenever the amplitude of the needle pulses is low, the switch S opens. As a result, the capacitor C discharges via the resistor R in the specific time t _x . The voltage at the input of the second generator 3 goes to zero in the time t _x until the switch S is closed again. Since the amount of generated frequency f _(Q2) from the input voltage at the second generator 3 At the same time, this means that the frequency f _(Q2) decreases in the time t _x . If now the switch S is closed again, the process is repeated. It creates a kind of siren signal.

How the output signal looks exactly, in particular the time course between t ₁ , t ₂ , t ₃ , etc., ultimately depends on all physical influencing factors. These include the external influencing factors: temperature, humidity, air pressure, electromagnetic radiation and other unknown factors.

Farther this includes the internal influencing factors. So for one Stability and ripple of voltage U. The voltage U becomes directly (with mains operated devices) from the mains voltage derived and thus subject to the fluctuations of the public Network.

Furthermore, the capacitance and quality of C and the resistance and nature of R, wherein the capacitor C is not charged abruptly, but has a rise time, which in turn has an effect on f _(Q2) and thus on the generation of the random bit.

In addition, stability, pulse shape and duty cycle of the needle pulses. In this case, in particular the duty cycle plays a decisive role and also the edge steepness (cf. 5 ) is included in the generation of the random bit. It is important in this context that the electronic switch S closes at high potential of the needle pulse. However, this time is on the pulse edge within the time t _flank in the vicinity of the impulse roof and is not determinable, but goes into the duty cycle of the switch S. For good results, the width of t _{roof is} as short as possible, but on the other hand sufficient to keep the capacitor C fully charged.

Finally, there are other unknown internal factors of the second generator 3 , that is, the CMOS circuit 4046.

following explained statistical test, which were made using the FIPS PUB 144.4 guideline and the also in the Federal Office for Security and Information Technology (BSI).

1. Monobit test

. Die Bitfolge b₁, ..., b₂₀₀₀₀₀ passiert dann den Monobit-Test, wenn 9654 < X < 10346.It applies

, The bit sequence b ₁ , ..., b ₂₀₀₀₀₀ then passes the monobit test if 9654 <X <10346.

2. Poker test

, wobei für j = 1, ..., 5000 c_j = 8·b_4j-3 + 4·b_4j-2 + 2·b_4j-1 + b_4j sei und f[i]: = |{j: c_j = i}| bezeichnet. Die Bitfolge b₁, ..., b₂₀₀₀₀ passiert dann den Pokertest, falls 1,03 < Y < 57,4.It applies

where j = 1, ..., 5000 c _j = 8 · b _4j-3 + 4 · b _4j-2 + 2 · b _4j-1 + b _4j and f [i]: = | {j: c _j = i} | designated. The bit sequence b ₁ , ..., b ₂₀₀₀₀ then passes the poker test if 1.03 <Y <57.4.

3rd run test

Here "run" is the name for a maximum subsequence of consecutive equal bits, ie "0" or "1". The bit sequence b ₁ , ..., b ₂₀₀₀₀ then passes the run test if the number of occurring run lengths lie within the permissible intervals defined below, whereby "0" and "1" runs are evaluated separately: Run-length allowed interval 1 2267-2733 2 1079-1421 3 502-748 4 233-402 5 90-223 ≥ 6 90-233

4. Long Run Test

The bit sequence b ₁ , ..., b ₂₀₀₀₀ passes the long run test if no run ≥ 34 occurs.

On this basis, computer programs were written for testing the method according to the invention and the device according to the invention, and thus the random numbers generated were examined. The results are shown in the two examples of results compiled in 6 and 7 shown are shown.

6 shows that both the Po Both the ker test and the monobilt test were passed generating 20000 random bits and the poker test determined the distribution of all 4-bit segments within the 20,000 random bits. As can be seen, the poker test yielded a value of Y = 4.972673 and the monobit test a value of X = 10043.

In 7 The results of the run and long run tests combined with the results of the monobit and poker tests are presented for a different set of generated 20000 random bits. It can be seen again that both the monobit and the poker test were passed. the determined runs did not only stay within the given intervals, they are also without exception in the center, so they are distributed very evenly. Since no runs greater than or equal to 13 could be determined, not only the run but also the long run test was passed.

This in 6 and 7 Examples of listed results are representative of several 1000 tested sequences of generated 20000 random bits. Since all the test criteria have always been met, it has been sufficiently proven that real physical random numbers of high quality can be very effectively produced with the presently described inventive method and device, which are also used in particularly sensitive methods of cryptography, statistics, simulation and randomization to let.

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• WO 97/43709 [0010]
• US 4855690 [0010]
• - DE 10118495 C1 [0010, 0017]

Cited non-patent literature

• - "A suggestion on: Functionality classes and evaluation methodology for physical random number generators", Version 3.1 of 25.09.2001, by Wolfgang Killmann, T-Systems debis Systemhaus Information Security Services, Bonn, and Prof. Priv.-Doz. Dr. Werner Schindler, Federal Office for Information Security (BSI), Bonn [0018]

Claims (17)

A method of generating physical random numbers wherein physical events (f _(Q1) , f _(Q2) ) are compared by at least two independent event generators, the physical events having different temporal behavior (f _(Q1) , f _(Q2) ) , characterized in that the first event (f _(Q1) ) has two different states (high _(Q1) , low _(Q1) ) distributed at the same time and the second event (f _(Q2) ) two states (high _{( H) Q2)} , low _(Q2) ), whereby from the second event (f _(Q2) ) the random is obtained and on the first event (f _(Q1) ) the random is mapped by determining whether the first Event (f _(Q1) ) is a substantially first (high _(Q1) ) or second state (low _(Q1) ), when in the second event (f _(Q2) ) is a substantially first (high _(Q2) ) or second state (low _(Q2) ) is present, and that the detected State (high _(Q1) , low _(Q1) ) of the first event (f _(Q1) ) is assigned to a particular bit (0, 1). A method according to claim 1, characterized in that at each transition to a substantially first (high _(Q2) ) and / or second state (low _(Q2) ) of the second event (f _(Q2) ) one bit (0, 1) is produced. Method according to one of claims 1 or 2, characterized in that the first event is a first physical oscillation (f _(Q1) ) and the second event is a second physical oscillation (f _(Q2) ), the respective minimum (low _{(Q1 )} , low _(Q2) ) and maximum (high _(Q1) , high _(Q2) ) amplitude values. A method according to claim 3, characterized in that the determination of the state of the first event (f _(Q1) ) takes place at the transition to a substantially maximum amplitude value of the second oscillation (f _(Q2) ). Method according to claim 3 or 4, characterized in that the first oscillation (f _(Q1) ) is a higher-frequency oscillation than the second oscillation (f _(Q2) ), advantageously f _(Q1) > 50 f _(Q2) , preferably f _(Q1) > 80 f _(Q2) , in particular f _(Q1) > 100 f _(Q2) . Method according to one of claims 3 to 5, characterized in that the frequency of the first oscillation (f _(Q1) ) ≥ 0.5 MHz, preferably ≥ 2 MHz, in particular ≥ 10 MHz. Method according to one of claims 3 to 6, characterized in that the first oscillation (f _(Q1) ) is a stabilized oscillation. Method according to one of claims 3 to 7, characterized in that the first oscillation (f _(Q1) ) is inverted after a certain number of periods. Method according to one of claims 3 to 8, characterized in that the first oscillation (f _(Q1) ) is substantially a square wave. Method according to one of claims 3 to 9, characterized in that the second oscillation (f _(Q2) ) is an unstabilized oscillation, which is generated in particular by a free-running generator, the deviation from the stability advantageously ≥ 5%, preferably ≥ 7.5% and in particular ≥ 10%. Device for generating physical random numbers, characterized by a first generator for generating a first oscillation (f _(Q1) ) and a second generator ( 1 ) for generating a second oscillation (f _(Q2) ), the device being adapted to operate according to a method according to one of the preceding claims. Apparatus according to claim 11, characterized in that the first generator is a quartz generator and the second generator ( 1 ) a voltage controlled oscillator. Apparatus according to claim 12, characterized in that the input of the voltage-controlled generator ( 1 ) is connected to a resistor (R) capacitor (C) combination. Device according to Claim 13, characterized in that the resistor (R) capacitor (C) combination has a switch (S) which is dependent on the output signals of a pulse shaper ( 4 ) and the input of the pulse shaper ( 4 ) with the output of a third generator ( 2 ) is connected to generate a third vibration (f _(Q3) ). Device according to claim 14, characterized in that the third generator ( 2 ) is adapted to produce substantially a square wave f _(Q3) and the frequency of the square wave f _{(Q3) is} preferably not stabilized. Apparatus according to claim 14 or 15, characterized in that the switch (S) is adapted, with a substantially maximum or minimum amplitude value of the pulse shaper ( 4 ) to switch. Use of the method according to one of claims 1 to 10 or the device according to one of claims 12 to 17 in one of the following methods: cryptographic methods, statistical ver drive, simulation method, randomization method.