GB2594929A - Random number generator - Google Patents
- Publication number
- GB2594929A (application GB2006658.5A)
- Authority
- GB
- United Kingdom
- Prior art keywords
- random numbers
- quantum
- random number
- prng
- noise
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/58—Random or pseudo-random number generators
- G06F7/588—Random number generators, i.e. based on natural stochastic processes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Optimization (AREA)
- General Engineering & Computer Science (AREA)
- Computational Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Optical Communication System (AREA)
- Optical Modulation, Optical Deflection, Nonlinear Optics, Optical Demodulation, Optical Logic Elements (AREA)
Abstract
A method for generating random numbers comprises: generating one or more random numbers from one or more sources of noise, where at least one random number is generated from a source of quantum noise, the at least one random number being a quantum random number comprising quantum noise; providing the generated one or more random numbers to a pseudo random number generator (PRNG); and using at least the quantum random number as a seed in the PRNG to generate a sequence of pseudo random numbers. A corresponding system 10 comprises a quantum random number generator 1 and means 2 such as an entropy stream or pool to feed quantum random numbers to a pseudo random number generator 3. The source of noise may be keyboard or mouse activity by a user, or thermal or auditory noise from hardware, and the source of quantum noise may be a source of photons.
Description
Intellectual Property Office. Application No. GB2006658.5. RTM. Date: 6 August 2020. The following terms are registered trade marks and should be read as such wherever they occur in this document: Raspberry Pi, Chameleon, Sony. Intellectual Property Office is an operating name of the Patent Office. www.gov.uk/ipo
RANDOM NUMBER GENERATOR
TECHNICAL FIELD
[1] This invention relates to a system and method for generating pseudo random numbers.
BACKGROUND
[2] Random number generators are devices that produce a series of numbers that lack a predictable pattern. There are a number of areas for which random numbers play a crucial role, including games of chance, AI and cryptography. There are two fundamental bases for cryptography: the use of random numbers for creating encryption keys, and the encryption protocol used. If either is weak, the cryptographic security is vulnerable. "Security" can be defined either mathematically or computationally.
Mathematically - a theorem proves that the random number cannot be attacked, e.g. one-time pad encryption.
Computationally - it is too difficult to solve within a reasonable time, e.g. RSA.
[3] In general, the objective of cryptography is to provide a high level of computational security so that the cryptographic method is not vulnerable to attacks in any practical timescale. Thus, in the preceding, when "security" is discussed, we will in general be referring to computational security.
[4] High quality random numbers are hard to produce. Here "high quality" can be understood to mean random numbers that are generated with a high level of security. In general, these will be random numbers that 1) look random to an external observer, 2) have forward secrecy - the history of random numbers cannot be used to predict future random numbers - and 3) have backward secrecy - current random numbers cannot be used to reveal previous random numbers to hack previous communications.
[5] There are currently three methods of generating random numbers - pseudo-random number generators, physical (or 'true') random number generators and quantum random number generators. In general, there is a trade-off between security and speed of generating random numbers between these methods.
[6] Pseudo-Random Number Generators (PRNGs), also known as deterministic random bit generators, use an algorithm for generating a sequence of numbers which approximates the properties of random numbers. Mathematically, a PRNG is defined as follows. A pseudo-random number generator $G$ is a structure $(S, p, f, U, g)$, where $S$ is a finite set of states, $p$ is the probability distribution on $S$ for the initial state, called the seed, $f: S \to S$ is the transition function, $U$ is the output space and $g: S \to U$ is the output function. The generator $G$ generates the numbers in the following way:
1. Select the seed $s_0 \in S$ based on $p$. The first number is $u_0 = g(s_0)$.
2. At each step $i \geq 1$, the state of the PRNG is $s_i = f(s_{i-1})$ and the output is $u_i = g(s_i)$.
[7] These outputs $u_i$ of the PRNG are the pseudo random numbers.
[8] Since a PRNG is a finite state machine with a finite number of states, after a finite number of steps, eventually it will come back to the same state and the sequence will be repeated. This repeating cycle is known as the period of the sequence.
[9] Many PRNGs exist which have more than one cycle. Thus, depending on the seed, a completely different sequence of numbers, from one of a number of distinct cycles, may be generated. This is shown in figure 1. Some PRNGs use sources of noise such as a computer clock or user inputs to a computer keyboard or mouse to generate random numbers to seed the PRNG.
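The definition in [6] and the cycle behaviour in [8] and [9], as an added example that is not part of the patent text: a toy generator whose state space splits into twelve cycles, so the period obtained depends on the seed. The parameters M, A and C and the output function g are constructed for illustration only.

```python
# Added illustration, not from the patent: a toy PRNG in the (S, p, f, U, g)
# form of paragraph [6]. All parameters below are constructed for the example.
from collections import Counter

M = 64            # S = {0, ..., 63}
A, C = 5, 0       # transition f(s) = (A*s + C) mod M


def f(state):
    """Transition function f: S -> S."""
    return (A * state + C) % M


def g(state):
    """Output function g: S -> U, keeping the top 4 bits (U = {0, ..., 15})."""
    return state >> 2


def outputs(seed, n):
    """Return u_0 .. u_{n-1} for the given seed s_0."""
    out, state = [], seed
    for _ in range(n):
        out.append(g(state))
        state = f(state)
    return out


def orbit(seed):
    """Walk s_0, f(s_0), ... until a state repeats.

    Returns (tail, period, representative): the steps taken before the cycle
    is entered, the cycle length, and the smallest state on that cycle.
    """
    first_seen, order, state = {}, [], seed
    while state not in first_seen:
        first_seen[state] = len(order)
        order.append(state)
        state = f(state)
    tail = first_seen[state]
    cycle = order[tail:]
    return tail, len(cycle), min(cycle)


def cycle_structure():
    """Map each cycle (by representative) to (period, seeds that end up on it)."""
    seeds_per_cycle, period_of = Counter(), {}
    for seed in range(M):
        _, period, rep = orbit(seed)
        seeds_per_cycle[rep] += 1
        period_of[rep] = period
    return {rep: (period_of[rep], seeds_per_cycle[rep]) for rep in sorted(period_of)}


if __name__ == "__main__":
    for rep, (period, seeds) in cycle_structure().items():
        print(f"cycle through state {rep:2d}: period {period:2d}, "
              f"reached from {seeds:2d} seeds")
    print("seed 1 outputs:", outputs(1, 18))
```

Only half of the 64 possible seeds reach the longest period of 16; the rest fall on cycles of length 8 or less, which is the "shorter than expected period" problem in miniature.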
[10] The PRNG generated sequence is not truly random because it is deterministic - the sequence of numbers generated follows a defined pattern determined by the seed. Problems with deterministic generators include shorter than expected periods for seed states, lack of uniformity of distribution for large numbers, and correlation of successive values. This makes them vulnerable to direct cryptanalytic attacks, input-based attacks and state compromise extension attacks. Further, the sources that may be used to generate the seeds do not produce the seeds in an entirely random way, which further reduces the security of the PRNG.
[11] However, PRNGs come with the advantage that they are able to generate a sequence of pseudo random numbers from a single seed, which may reduce latency relative to other systems. Typically, PRNGs are the lowest latency method but at the cost to security. That said, the rate at which the seeds are generated for the PRNG may be low. This may greatly limit the rate of pseudo random number generation and introduce latency into the system as the PRNG may have to wait for seeds to be generated.
[12] "True" Random Number Generators (TRNG) are based on 'random' physical phenomena. TRNGs generally have higher security than PRNGs, but are still vulnerable to attacks such as external mechanical or electromagnetic influences. For low latency devices a key issue is blocking in the random numbers due to a lack of change in the environmental input. Blocking results when the environmental input changes insufficiently between the production of two random numbers. As a result, in the case of non-cryptographic grade applications, the TRNG or PRNG may produce blocks of the same "random" numbers, and so these are not true random numbers. Alternatively, in cryptographic-grade applications, the TRNG or PRNG may not output any numbers due to the blocking, therefore halting the cryptographic process. Effectively, the source of noise being used to generate the random numbers does not contain sufficient noise to generate random numbers at the rate required by the application. Thus, while TRNGs generally produce random numbers with a higher degree of security relative to PRNGs, they may suffer from high latency and a low rate of random number generation.
[13] The only way to produce truly random numbers is by random phenomena governed by the laws of quantum mechanics - quantum random number generators.
[14] However, development of quantum-based devices is associated with a host of difficulties. Many such devices are required to operate within a set of ideal conditions. These conditions can include very low temperatures, complete isolation from external environmental influences, minimal movement or vibration, and no ambient light, which may be unsuitable for the commercial setting. For example, there is a need for the generation of random numbers from a quantum origin that works at the range of temperatures where technology can be used globally (-60 degrees Celsius to +90 degrees Celsius).
[15] A particular problem is that new Internet of Things (IoT) devices, like smart cars, are expected to be communicating ten times a second (10 Hz) with other vehicles or with infrastructure. This requires a high rate of random number generation. There are also issues with size and the power consumption of existing quantum-based devices.
[16] Thus, there is a need to develop a high performance random number generator that can operate in a commercial setting and generate secure random numbers at a high rate. Such a device would preferably be robust and inexpensive to produce so it can be broadly distributed. Preferably it would also fit into the parent device or infrastructure without putting additional strain on the power source. Attempts have been made to provide solutions to these problems. However, these present solutions have various issues.
[17] Accordingly, there is still a need to provide a random number generator able to produce high quality random numbers quickly and efficiently.
[18] The embodiments described below are not limited to implementations which solve any or all of the disadvantages of the known approaches described above.
SUMMARY OF INVENTION
[19] The inventors of the invention described herein have appreciated the need to improve upon the existing random number generators and accordingly have provided an invention, embodiments of which may have benefits including the production of computationally secure pseudo random numbers, which may have both forward and backward secrecy. Embodiments of the invention may improve upon the security of existing pseudo random number generators (PRNGs), and may allow for a greatly enhanced rate of pseudo random number generation.
[20] The system and method for generating pseudo random numbers according to the invention is defined in the appended claims, to which reference is now directed. Preferred features are set out in the dependent claims.
[21] According to a first aspect of the invention, a method for generating pseudo random numbers is provided. The method comprises generating one or more random numbers from one or more sources of noise. At least one random number is generated from a source of quantum noise. The at least one random number is a quantum random number - e.g. a string of bits - comprising quantum noise. The method further comprises providing the generated one or more random numbers to a pseudo random number generator (PRNG) for generating sequences of pseudo random numbers, and using at least the quantum random number as an initial value in the PRNG to generate a sequence of pseudo random numbers. The sequence of pseudo random numbers may be a sequence of one or more pseudo random numbers.
[22] The use of a quantum random number as the initial value - i.e. the "seed value" - for the PRNG enhances the security of the pseudo random numbers generated by the PRNG relative to arrangements that solely use seed values generated from sources of noise such as the computer clock or user keyboard or mouse inputs. This is because these traditional sources of noise are not truly random. Only a quantum random number generated from a QRNG is truly random. In fact, using a quantum random number as the seed for the PRNG enhances the PRNG to the point that it is indistinguishable from a TRNG. The enhanced PRNG according to the invention a) generates pseudo random numbers that appear random externally, and b) have forward and backward secrecy. Thus, the PRNG produces random numbers in a way that is computationally secure. It is noted that the quantum random numbers being fed into the PRNG may be raw quantum random numbers obtained from the quantum source, or quantum random numbers that have been post processed (for example in the manner described below with respect to figures 4 and 5) and then fed into the PRNG. In the latter case, the post processing is to improve the uniformity in the raw quantum random numbers. The passing of the quantum random numbers (either raw or post processed) into the PRNG is to enhance the performance of the PRNG.
[23] Further, a single true random number (the quantum random number) can be used to generate a large number of these security enhanced pseudo random numbers. Thus, the typical trade-off that has existed between TRNGs and PRNGs - the TRNGs providing high security but low bit rate and high latency vs the PRNG providing high bit rate and/or low latency at the cost of security - no longer applies; computationally secure random numbers can be produced at a low latency and/or high bit rate.
[24] Multiple quantum random numbers may be generated and provided to the PRNG. Each quantum random number may be used as a different initial value in the PRNG to generate a different sequence of pseudo random numbers.
[25] A quantum source of noise allows the generation of highly random numbers at a much higher rate than traditional sources of noise such as keyboard and mouse inputs. A reason for this is that a source of quantum noise exhibits randomness (in the form of quantum noise) at a higher rate than other sources of noise such as keyboard inputs, in which the environmental inputs change at a relatively slow rate. Thus, using a quantum source of noise, a greater number of random numbers can be generated from the randomness in a given period of time without producing blocks of random numbers having the same value. This may allow the PRNG to re-seed (using high quality seeds) at a higher rate and thus generate a greater number of pseudo random numbers within a given timescale without sacrificing any level of security. In other words, the latency of the PRNG may be reduced as the system does not have to wait as long for a random seed before generating a sequence of pseudo random numbers.
[26] Alternatively or in addition, random numbers are generated from multiple sources of noise. For example, the one or more sources of noise further comprise environmental noise such as keyboard or mouse activity by a user and/or thermal or auditory noise from hardware. The invention can be seamlessly used alongside traditional sources of noise. This further increases the rate at which the initial values, the seed values, for the PRNG can be provided without blocking occurring, as additional sources of noise are available for the generation of seed values. This may further increase the number of computationally secure pseudo random numbers that can be generated in a given timeframe and/or reduce the latency of the system.
In some arrangements, the multiple sources of noise are arranged such that a certain proportion (e.g. at least 2%) of the seeds are provided by the source of quantum noise. By ensuring that enough of the overall seed pool is made up from the source of quantum noise, the performance of the system can be improved. In particular, quantum random numbers cannot be predicted, so ensuring that a certain proportion of the seeds are of a quantum origin may limit the ability of attackers to predict the PRNG. For example, ensuring a certain proportion of quantum seeds are used can avoid collision in which two entropy streams providing input into the PRNG have the same number. In one example, ensuring approximately 200 bits are derived from a quantum source is sufficient for most use cases, although it will be appreciated that the numbers may vary depending on the use case. Further, as discussed above, quantum seeds can be generated at a higher rate without blocking occurring. Thus, ensuring a certain proportion of quantum seeds may be advantageous, as it allows a low latency PRNG to be provided whilst maintaining high quality pseudo random number generation. As discussed above, a reason for this is that the source of quantum noise provides randomness at a high rate, which in turn allows high quality seeds to be provided to the PRNG at low latency without blocking. The exact proportion chosen for the system will depend on the use case and can be set as appropriate.
[27] Alternatively or in addition, the one or more random numbers may be provided to the PRNG in one or more entropy streams that feed the PRNG. Here, the one or more entropy streams feed the one or more random numbers that are generated by the one or more sources of noise directly - "on the fly" - into the PRNG. Alternatively, providing the one or more random numbers may comprise storing the one or more random numbers in one or more entropy pools and providing the stored random numbers to the PRNG from the one or more entropy pools. Further, the generated random numbers may be provided in entropy streams, or entropy pools, according to the source of noise used to generate the random number. This provides partitioning of seed values according to the source of noise generating the values, for example, each entropy stream represents a partition according to the source of noise. In other words, an entropy stream may represent a partitioned entropy sequence in which the random numbers are partitioned, for example by a data transfer interface used to transfer the numbers, according to the source of noise. This allows flexibility for the PRNG to generate pseudo random numbers from appropriate seeds depending on the use case.
[28] Alternatively or in addition, the method of the invention may further comprise, while the PRNG is generating the sequence of pseudo random numbers, continuing to generate random numbers from the one or more sources of noise, and providing these random numbers to the PRNG. The method may further comprise terminating the generation of the sequence of pseudo random numbers before the PRNG regenerates the first pseudo random number generated from the initial value, and providing a second random number to use as a replacement initial value for the PRNG to generate another sequence of pseudo random numbers. This may be done dynamically on the fly by providing random numbers to the PRNG directly as they are generated (e.g. through entropy streams feeding the PRNG) or from storage using random numbers stored in entropy pools. This aspect provides further details of how the bit rate of pseudo random number generation may be increased, and/or latency reduced. If a PRNG cycles back to its first generated value and starts generating the same sequence of numbers again, an outside attacker will be able to determine the pattern of the PRNG and thus predict the numbers the PRNG will generate. Thus, for the PRNG to continue to generate computationally secure random numbers, it must "re-seed" before the end of this period - it must terminate the sequence and start generating a new sequence using a new initial value - a new seed. The rate at which random number seeds are being generated and provided to the PRNG limits the re-seed rate of the PRNG - if the PRNG is needing to re-seed more quickly than the rate at which seeds are being provided, the PRNG will not be able to re-seed in a secure way (the PRNG may reseed using a repeated seed value). Thus, by continuing to generate random numbers from the source of quantum noise, which generates randomness at a high rate, new seeds can be generated without blocking at a higher rate, and the re-seed rate of the PRNG is improved. This reduces latency.
[29] Alternatively or in addition, the source of quantum noise is a source of photons. The quantum random number may be generated from the source of photons by converting a property of the emitted one or more photons into a quantum random number. For example, the property may comprise any one of a number of received photons, the energy of the one or more photons, the spin of the one or more photons, or the position of the one or more photons. This demonstrates the flexibility of the invention which can use a number of different sources of quantum noise depending on the use case.
[30] Alternatively or in addition, the PRNG is a software based PRNG, for example one of a linear-feedback shift register (LFSR), Mersenne Twister or Salsa20.
[31] Alternatively or in addition, generating the quantum random number comprises emitting, by at least one light source, photons such that one or more photon detector elements are illuminated; receiving, by the one or more photon detector elements, incident photons, wherein photons from the at least one light source are incident at random on the one or more photon detector elements; generating a value corresponding to the cumulative energy of any incident photons received by the one or more photon detector elements within a pre-set period of time; and converting each value in the set of values into a random number comprising quantum noise. The specific set of the plurality of photon detector elements may comprise the central photon detector elements of the array of photon detector elements. The one or more photon detector elements may be either a CCD sensor or a CMOS sensor. The one or more photon detector elements may be incorporated into a digital camera. The at least one light source may be a flash of the mobile computing device. The mobile computing device may be a smartphone. Further, an optical diffuser element may be provided between the one or more light sources and the one or more photon detector elements. These features provide further details of how a quantum random number may be generated according to aspects of the invention.
[32] According to a second aspect of the invention a system for generating pseudo random numbers is provided comprising means for providing one or more sources of noise, wherein at least one of the one or more sources of noise is a source of quantum noise. Further, the system comprises a means for generating one or more random numbers from the one or more sources of noise, wherein at least one random number is generated from the source of quantum noise, the at least one random number being a quantum random number comprising quantum noise. Further, the system comprises a means for providing the one or more random numbers to the pseudo random number generator (PRNG); and a means for using at least the quantum random number as the initial value to generate a sequence of pseudo random numbers.
[33] Multiple quantum random numbers may be generated and stored in the one or more entropy pools. Each quantum random number may be used as a different initial value in the PRNG to generate a different sequence of pseudo random numbers.
[34] Alternatively or in addition, random numbers are generated from multiple sources of noise. For example, the one or more sources of noise further comprise environmental noise such as keyboard or mouse activity by a user and/or thermal or auditory noise from hardware.
[35] Alternatively or in addition, the means for providing the one or more random numbers comprises either one or more entropy streams feeding the PRNG, or one or more entropy pools in which the one or more random numbers are stored. The generated random numbers may be provided to the PRNG in entropy streams or stored in entropy pools according to the source of noise used to generate the random number.
[36] Alternatively or in addition, the means for generating one or more random numbers is configured so that while the PRNG is generating the sequence of pseudo random numbers, the means for generating one or more random numbers is continuing to generate random numbers from at least the source of quantum noise, and providing these random numbers to the PRNG. The method may further comprise terminating the generation of the sequence of pseudo random numbers before the PRNG regenerates the first pseudo random number generated from the initial value, and providing a second random number to use as a replacement initial value for the PRNG to generate another sequence of pseudo random numbers.
[37] Alternatively or in addition, the source of quantum noise is a source of photons. The quantum random number may be generated from the source of photons by converting a property of the emitted one or more photons into a quantum random number. For example, the property may comprise any one of a number of received photons, the energy of the one or more photons, the spin of the one or more photons, or the position of the one or more photons.
[38] Alternatively or in addition, the PRNG is a software based PRNG, for example one of a linear-feedback shift register (LFSR), Mersenne Twister or Salsa20.
[39] Alternatively or in addition, the means for generating the quantum random number comprises: means for emitting, by at least one light source, photons such that one or more photon detector elements are illuminated; means for receiving, by the one or more photon detector elements, incident photons, wherein photons from the at least one light source are incident at random on the one or more photon detector elements; means for generating a value corresponding to the cumulative energy of any incident photons received by the one or more photon detector elements within a pre-set period of time; and means for converting each value in the set of values into a random number comprising quantum noise. The specific set of the plurality of photon detector elements may comprise the central photon detector elements of the array of photon detector elements. The one or more photon detector elements may be either a CCD sensor or a CMOS sensor. The one or more photon detector elements may be incorporated into a digital camera. The at least one light source may be a flash of the mobile computing device. The mobile computing device may be a smartphone. Further, an optical diffuser element may be provided between the one or more light sources and the one or more photon detector elements.
[40] In a third aspect of the invention a computer program is provided that, when executed, causes the second aspect of the invention to carry out the first aspect of the invention.
[41] In a fourth aspect of the invention a computer-readable medium is provided having stored thereon the third aspect of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[42] The invention will be described in more detail by way of example, with reference to the accompanying drawings, in which:
[43] Fig. 1 illustrates the periodic structure of a pseudo random number generator;
[44] Fig. 2 is a schematic representation illustrating a system according to the invention;
[45] Fig. 3 is a schematic representation illustrating a quantum random number generator according to an embodiment of the invention;
[46] Fig. 4 is a flow chart illustrating a post-processing process for converting raw quantum random numbers into output quantum random numbers;
[47] Fig. 5 is an illustrative example of a matrix vector multiplication process used during the post processing of raw quantum random numbers;
[48] Fig. 6 is a flow chart illustrating a pseudo random number generator method according to an embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
System Overview
[49] Figure 2 shows a schematic representation of a system suitable for implementing the principles of the invention. Specific implementations of the invention are then discussed, each applying the principles set out in relation to Figure 2. It will be appreciated that any particular piece of hardware or software suitable for fulfilling the functions discussed in relation to Figure 2 may be used.
[50] Figure 2 illustrates a system 10 for enhanced pseudo random number generation according to the invention.
[51] In Figure 2, there are three functional components - the quantum random number generator (QRNG) 1, a means 2 for providing quantum random numbers to the PRNG, and the pseudo random number generator (PRNG) 3, here a software based PRNG.
[52] The QRNG 1 is configured to generate quantum random numbers from a source of quantum noise. Here, a quantum random number is a value produced by the QRNG 1 as a random result of quantum mechanical effects. The values generated comprise quantum noise (in other words, entropy having a quantum origin). In the sections below, three embodiments are described which use different QRNGs. It will be appreciated, however, that any suitable QRNG utilising any appropriate source of quantum noise may be used as the QRNG 1 to generate quantum random numbers. For example, the source of quantum noise may be a source of photons. The quantum random number may be generated from the source of photons by converting a property of the emitted one or more photons into a quantum random number. For example, the property may comprise any one of a number of received photons, the energy of the one or more photons, the spin of the one or more photons, or the position of the one or more photons. Alternatively, or in addition, the quantum random number may be generated using an optical beam splitter, Quantum Tunnelling or radioactive decay of an atom, or any other appropriate method for generating a quantum random number as would be clear to a person skilled in the art.
[53] The QRNG 1 may generally be a mix of hardware and software components and is described in greater detail below.
[54] Once the QRNG 1 has generated one or more quantum random numbers, the numbers are provided to the PRNG by an appropriate means 2. This may be in the form of one or more entropy feeds which directly feed the quantum random numbers into the PRNG as they are output by the QRNG - i.e. "on the fly". Alternatively, the means 2 may be one or more entropy pools - i.e. the generated quantum random numbers are stored in memory for use by the system in implementing the invention.
[55] The quantum random numbers are then used by the PRNG 3 as initial values - as seeds - to generate sequences of pseudo random numbers. It will be appreciated that at a minimum a single quantum random number is generated by the system and used by the PRNG 3 to generate a single sequence of pseudo random numbers. In other cases, multiple quantum random numbers are generated with each one being used as a different seed in the PRNG 3 to generate different sequences of pseudo random numbers. A sequence of pseudo random numbers generated by the PRNG may be made up of any number of pseudo random numbers, for example one or more pseudo random numbers.
[56] Here. the QRNG 1 is configured such that, while the PRNG 3 is generating the sequence of pseudo random numbers, the QRNG 1 continues to generate random numbers from at least the source of quantum noise, and means 2 provides these random numbers to the PRNG. Further, the PRNG 3 terminates the generation of the sequence of pseudo random numbers before the PRNG 3 regenerates the first pseudo random number generated from the initial value. In other words, the PRNG terminates the sequence part way through the sequence's period. Upon termination, the PRNG 3 is provided with a second random number from means 2 to use as a replacement initial value for the PRNG 3 to generate another sequence of pseudo random numbers. This process of terminating the generation of the sequence of pseudo random numbers and using a new random number to generate another sequence may be termed as "re-seeding".
[57] This process of re-seeding maybe performed dynamically. For example, the system may dynamically determine to terminate the generation of a sequence of random numbers before the sequence has completed a full period to prevent repeated numbers being generated, which would provide an attacker with information on the pattern being generated. This could allow the attacker to predict both past and future numbers generated by the PRNG. Upon this determination, the PRNG may be provided, on the fly, with a new seed generated from, for example, the source of quantum noise. Here, the new seed is dynamically provided to the PRNG in an entropy stream.
[58] It is also possible that, even before a completed period of a sequence, an attacker may be able to obtain enough information to predict past and future numbers generated by the PRNG. This may be due to -collisions" -i.e. repeated numbers -in the sequence, which gives away information about the pattern of the sequence. Alternatively, for sequences without collisions, it may simply be due to the sequence getting sufficiently far through the period so that it is uniquely identifiable amongst the other sequences that can be generated by the PRNG. For example, after reading enough outputs from a PRNG, an attacker may be able to use outputs, along with knowledge of the PRNG algorithm itself, to determine the initial seed. Once the initial seed value is known, the attacker can predict all following numbers.
[59] Thus, in such cases, the sequence should be terminated before it becomes vulnerable to attacks (for example, to a "birthday attack" based on the well-known "birthday paradox"). However, if the re-seed rate is set very high, this can reduce the rate at which pseudo random numbers can be generated (as this will be limited by the seed generation rate). Thus, a balance should be struck between security on the one hand and rate of number generation on the other.
[60] In general, if a PRNG does not have any collisions, it is usually recommended that the maximum length of a sequence before termination is either the square root/200 or the cubed root of the period or sequence length. However, it will be appreciated that the point of termination can be set differently based on the particular use case. For example, a range of termination length may be defined, in which the point of termination is constrained to be between a preselected length from the start of sequence generation and the maximum recommended termination length. The particular length within the range may then be dynamically determined based on the use case.
[61] The combination of the QRNG feeding quantumly random seed values into the PRNG, and the PRNG terminating the generation of pseudo random numbers at an appropriate stage in its period and selecting a new seed, provides secure random number generation at low latency. Utilising a quantum random number as a seed for a PRNG in itself improves security of the PRNG as the seed is a true random number. Further, QRNGs such as those described later are able to generate high quality random numbers at a higher rate than traditional methods allowing a higher rate of pseudo random number generation.
[62] It will be appreciated that any suitable PRNG may be used to implement the techniques of the invention. In the embodiments discussed below a linear-feedback shift register (LFSR) is used. However, other suitable PRNGs could be used such as the Salsa20 PRNG or Mersenne Twister, for example. It will be appreciated that the principles discussed in relation to Figure 2 are not limited to specific combinations of QRNGs and PRNGs: the invention could be implemented using any suitable QRNG paired with any suitable PRNG.
[63] Although Figure 2 only shows a single source of noise (a source of quantum noise), multiple sources of noise may be used. For example, the one or more sources of noise may comprise environmental noise such as keyboard or mouse activity by a user and/or thermal or auditory noise from hardware. The one or more sources of noise may even comprise the PRNG 3 (or a separate PRNG) which feeds one or more pseudo random numbers generated by the system back to the means 2 to act as a new seed for the PRNG. The invention can thus be seamlessly used alongside traditional sources of noise.
[64] The multiple sources of noise may, while the PRNG 3 is generating the sequence of pseudo random numbers, continue to generate random numbers to use to reseed the PRNG in the same manner discussed in relation to the QRNG 1. In some arrangements, the multiple sources of noise are arranged such that a certain proportion of seeds, for example, at least 2% of the seeds, are provided by the source of quantum noise. By ensuring that a certain contribution to the overall seed pool is made up from the source of quantum noise, the performance of the system can be improved. In particular, quantum random numbers cannot be predicted, so the larger the proportion of the seeds that are of a quantum origin, the smaller the proportion of seeds that can be predicted, which limits the ability of attackers to predict the PRNG. Further, new quantum seeds can be provided at a faster rate without producing blocking compared to other sources. Thus, quantum seeds may lower the latency of the PRNG.
[65] Further, the generated random numbers may, in some embodiments, be provided to the PRNG in entropy streams, or stored in entropy pools, according to the source of noise used to generate the random number. This provides partitioning of seed values according to the source of noise generating the values.
Embodiment 1
[66] In this section, we will describe a first embodiment of the invention. We will start by describing the QRNG of the first embodiment in relation to Figures 3 to 5, before describing the process by which a quantum random number is provided to the PRNG of the first embodiment in relation to Figure 6. In this embodiment, the one or more sources of noise is a source of quantum noise. It will be appreciated, however (as discussed above), that multiple sources of noise may be used.
[67] The QRNG used in the first embodiment is shown schematically in Figure 3.
[68] In Figure 3, a quantum random number generating system 30 is illustrated. Here, a source for emitting photons (i.e. any suitable light/radiation source) 31 is arranged to emit photons 32. For example, the light source 31 may be an LED. The photons 32 emitted by the light source 31 are incident on one or more photon detecting elements 34. In this embodiment, the one or more photon detecting elements 34 are arranged in an array 33 of photon detector elements 34, though it will be appreciated that other numbers of photon detecting elements 34 or other arrangements of photon detecting elements 34 could be used. The light source 31 and the array 33 are arranged so that the photons 32 are incident at random on the array 33 of photon detector elements 34.
[69] The mean rate at which the light source 31 emits photons 32 corresponds to the light flux emitted by the light source 31, or in other words, the amount of illumination or amount of light energy it produces, and for an LED this is generally dependent on the electrical current used to drive the LED. Further, the mean rate at which the array 33 receives photons 32 corresponds to the light flux of the incident light received at the array 33. This received light flux is related to the emitted light flux by the geometry of the light source 31 and the array 33 and any optical components in the light path between them, and by any light losses along the light path between the light source 31 and the array 33.
[70] The photon detector elements 34 of the array 33 are arranged in relation to the light source 31 so that the photons 32 are incident at random on the photon detector elements 34. This results in the mean rate at which each photon detector element 34 detects photons 32 corresponding to the mean rate at which the array 33 receives photons 32 multiplied by the proportion of the illuminated area of the array occupied by that photon detector element 34. For arrays where the photon detector elements 34 each have the same size and take up substantially all of the surface area of the array 33, the mean rate at which each of the photon detector elements 34 of the array 33 receives photons 32 corresponds to the mean rate at which the array 33 receives photons 32 divided by the number of photon detector elements 34 in the array 33.
[71] The random number generating system 30 also comprises a means for generating a value for each photon detector element 34 in the array 33. The generated value corresponds to the total cumulative energy of all of the incident photons 32 received by the photon detector element 34 within a pre-set period of time. The value may be generated by the photon detector elements 34 themselves, or by another component, such as a microcontroller or microprocessor. In some embodiments, the value is a voltage value. In other embodiments, this value may be a digital value.
[72] The directions of emission of individual photons 32 are random and uncorrelated. These directions of emission are the random result of quantum mechanical effects. This means that the particular photon detector elements 34 of the array 33 that receives a given individual photon 32 is also the random result of quantum mechanical effects. Accordingly, the value generated corresponding to each photon detector element 34 after receiving one or more photons 32 in a pre-set period of time is a truly random, or quantum random, effect which cannot be predicted in any way.
[73] During operation of the random number generating system 30, the light source 31 is driven to emit light with a selected light flux such that the photon detector elements 34 of the array 33 are illuminated with a desired incident or received light intensity. The relationship between the light flux emitted by the light source 31 and the light intensity received at the array 33 will depend on the properties of the optical path between them, and the light detector arrangement being used. This is a known, fixed relationship.
[74] The light source 31 is driven to emit light with a selected light flux by a controller of the random number generating system 30 driving the light source 31 with a corresponding drive voltage. The controller may be a microprocessor.
[75] In the present embodiment, when the array 33 is illuminated by the light source 31, photons 32 are absorbed by each photon detector element 34 and converted into electrical charge. The light source 31 and the array 33 are arranged so that some of the photon detector elements 34 of the array 33 receive one or more photons 32 in a pre-set period of time. That is, some, but not necessarily all, of the photon detecting elements 34 have a number of photons 32 incident upon them. Different photon detecting elements 34 may have different numbers of photons 32 incident upon them. This number is limited by the pre-set period of time and the flux of photons 32 emitted by the light source 31. A longer pre-set period of time will, on average, increase the number of photons 32 received by a photon detector element 34, while a shorter pre-set period of time will, on average, decrease the number of photons 32 received by a photon detector element 34. Similarly, a higher flux of photons 32 from the light source 31 will, on average, increase the number of photons 32 received by a photon detector element 34, while a lower flux of photons 32 from the light source 31 will, on average, decrease the number of photons 32 received by a photon detector element 34.
[76] As previously explained, over a single pre-set period of time, a value is generated in respect of each photon detector element 34 which absorbs a set of photons. The values correspond to the cumulative energy of the photons incident upon each photon detector element 34 within the pre-set period of time. In the present embodiment, this value is a voltage value, which is then converted into a digital value.
[77] For example, the array 33 may convert the voltage value corresponding to each photon detector element 34 to a corresponding digital value to generate a set of digital values. The voltage values may be converted into digital values by one or more analogue to digital converters of the array 33.
[78] Accordingly, each value in the set of values is the random result of quantum mechanical effects. The values generated contain both non-quantum technical noise from the system, and quantum noise (in other words, entropy having a quantum origin). Thus, the values in the set of values are random numbers 35 comprising quantum noise. These random numbers 35 comprising quantum noise are referred to as raw quantum random numbers herein.
[79] The invention can use a wide range of light sources. The light source may be monochromatic, in which each photon 32 has the same energy and so the cumulative energy received by a photon detector element 34 corresponds to the number of photons 32 incident upon the photon detector element 34. Alternatively, the light source may be non-monochromatic. In this case, photons 32 may be incident upon the array 33 with different energies, and the cumulative energy received by a photon detector element 34 does not necessarily correspond to the number of photons 32 incident upon the photon detector element 34. A non-monochromatic light source may be white light, but may also not just be in the visible region but also infrared or ultraviolet, for example. Such light sources contain higher entropy than monochromatic light sources, which allows the system to obtain higher rates of random number generation. Further, these light sources are easier to source, easier to manufacture and are typically less complex and smaller in physical size than monochromatic light sources. In some embodiments, the light source may be an LED.
[80] Alternatively, or in addition, a light source that is not white, but produces photons of varying wavelengths could be used. Alternatively, more than one light source could be used, for example a white light source could be used in combination with one or more of an ultraviolet and an infrared light source. The embodiments described above use one or more LEDs as a light source. In some examples one or more lasers may be used as the light source. In other examples other light sources may be used. This list is not intended to be exhaustive.
[81] As will be appreciated, the ranges of the wavelengths of the photons emitted will depend on the light source(s) used. For example, in some embodiments a white light source may be used, corresponding to a range of photon wavelengths of 360 nm to 760 nm. However, this range could vary if a different source is used. For example, if an ultraviolet light source is used, the range of wavelengths would be between 10 nm and 360 nm. For infrared, this range would be 760 nm to 1 mm. It will be appreciated that any combination of wavelengths could be used. An advantage of the present invention is that the system can generate high entropy random numbers from any range of wavelengths: the invention is not limited to any particular range, and the specific range used will depend on the specific use case.
[82] In the illustrated first embodiment the array 33 is a CMOS camera sensor and the preset period of time is the exposure time of a single picture frame taken by the CMOS camera sensor. Of course, it will be appreciated that other suitable hardware and/or software may be used, such as a CCD camera sensor, or any of the software or hardware discussed in relation to embodiments two, three or four.
[83] The components of the embodiment of the invention could be integrated into existing commercial products such as mobile phones, PCs or laptops, or could form a standalone system on a chip (SoC) device.
[84] Each time the CMOS camera sensor takes a single picture frame the array 33 generates a set of N-bit integer digital values as an output, where N is the bit depth of the camera sensor, or in other words, the bit depth of each pixel of the camera sensor. The number of digital values in the set of digital values is equal to the number of photon detector elements 34 in the array 33.
[85] Accordingly, subject to the use of suitable operating parameters as discussed below, each time the CMOS camera sensor takes a single picture frame the array 33 generates a set of raw quantum random numbers 35 as an output.
[86] The pixel values of a raw image output from the CMOS camera sensor may be used as the values that are selected to be in the set of values, which can then be used as the raw quantum random numbers 35.
[87] The set of raw random numbers 35 generated by the array 33 as an output will comprise a set of N-bit values, where N is the bit depth of the camera sensor. These raw random numbers 35 will be distributed about a mean value, with the distance of each raw random number value from the mean value being determined by random noise. For correct operating parameters, as discussed in more detail below, this random noise may be dominated by noise of quantum origin (i.e. photonic shot noise).
[88] The set of raw random numbers 35 generated by the array 33 may be stored or output for subsequent use, or for further processing. In the illustrated embodiment the output set of raw random numbers 35 is stored in a buffer memory for subsequent processing by a post-processing system, as will be discussed in more detail below.
[89] The intensity of the light source and the gain of the photon detector elements can be set to values such that the change in voltage value caused by a photon detector element 34 receiving a photon having the lowest energy (longest wavelength) that can be generated by the light source 31 results in a change in the digital value output by that photon detector element 34. It will be understood that in addition to the charge corresponding to incident photons, there will also be some fluctuation or noise having a non-quantum technical origin. This noise of non-quantum origin can be addressed by appropriate setting of parameters of the system, as discussed previously. The exact nature of the parameters can be set as appropriate for a given use case, as would be clear to the skilled person.
[90] In some examples a self-testing algorithm or procedure may be used to determine and set the right parameters for use for the array 33 and light source 31 to generate raw random numbers 35 based on the results of test runs and/or measurements of system parameters and/or comparisons with intended baseline values. The self-testing algorithm or procedure may be carried out by the controller.
[91] In the illustrated example the raw quantum random numbers 35 are subjected to post-processing to generate uniform quantum random numbers having one bit of quantum noise per bit.
[92] The raw quantum random numbers 35 output from the random number generating system 30 are quantum random numbers containing quantum noise. However, because the raw quantum random numbers 35 have been generated based on the random number of photons and the total cumulative energy received at different photon detector elements 34, these raw quantum random numbers will be distributed about a mean value, with the distance of each raw quantum random number value from the mean value being determined by random noise. This mean value may be regarded as a bias in the raw quantum number values, with the value of the bias being determined by the operating parameters of the random number generating system.
[93] In many applications for random numbers, such as some cryptographic functions, it is desirable, or essential, to have random numbers which are unbiased, and evenly distributed across a range of values. Further, in some applications it may be desirable, or essential, to have random numbers which have an entropy of 1. Further, it may be desirable, or essential, to have random numbers with a specific bit length, which may not be the same as the bit length of the raw random numbers 35.
[94] In a post-processing method 40, shown in Figure 4, first the raw quantum random numbers 35 are obtained in a block 41. In the illustrated embodiment the post-processing system obtains the raw quantum random numbers 35 by extracting them from the buffer memory, although it will be appreciated that in other embodiments a buffer memory may not be used and the random numbers may be processed as they are received within the post processing mechanism itself. Each of the raw quantum random numbers 35 has a digital length of a predetermined number of bits. Where the random number generating system 30 comprises a CMOS camera sensor, this digital length may be the pixel depth of each of the camera pixels, for example 8 bits. Alternatively, the digital length may be less than the bit length of each pixel value.
[95] The raw quantum random numbers 35 are then converted to a desired bit length by concatenating groups of the raw random numbers to form intermediate random numbers having the desired bit length in a block 42. In the present embodiment, the concatenation mechanism is a linear combination of the groups of the raw random numbers. In other arrangements, the groups may be combined in other ways, such as combining high and low order bits of different raw random numbers.
[96] In one illustrative example where the raw quantum random numbers 35 have a bit length of 8 and the desired bit length of the intermediate random numbers was 24 bits it would be necessary to concatenate 3 raw quantum random numbers 35 to produce each intermediate random number, because 24/8 = 3. In this example, where three raw quantum random numbers 35 with respective values of 15 (binary 00001111), 211 (binary 11010011) and 63 (binary 00111111) were concatenated the resulting intermediate 24-bit random number would be binary 000011111101001100111111.
[97] In another example where the raw quantum random numbers 35 have a bit length of 8 and the desired bit length of the concatenated random numbers was 1584 bits it would be necessary to concatenate 198 raw quantum random numbers 35 to produce each intermediate random number, because 1584/8 = 198.
[98] The intermediate random numbers are then each subject to a matrix-vector multiplication process in a block 43. In this matrix-vector multiplication process the bit string X of each intermediate random number is subject to a matrix vector multiplication with a matrix M of random bits to produce an output string Y, where: (1)
[99] The matrix M of random bits may be obtained from a memory associated with the post-processing system, which may be used to store a number of suitable matrices. Such matrices of random bits can be readily calculated by known methods.
[100] Each output string Y is then subject to a modulo 2 process to form a string Ymod2 in a block 44.
[101] Each string Ymod2 is then output by the post-processing system as an output quantum random number in a block 45. The output quantum numbers may be supplied to a memory and stored for subsequent use.
[102] The matrix M of random bits has equal numbers of one and zero values randomly distributed across the matrix, and as a result, the matrix-vector multiplication with the matrix M of random numbers and modulo 2 process produce output quantum random numbers which are evenly distributed, and specifically are not distributed about the mean value of the Poisson distribution.
[103] The matrix-vector multiplication and modulo 2 processes of blocks 43 and 44 are shown in Figure 5.
[104] Where the output quantum random numbers each have a bit length of p, the output string Y of the matrix-vector multiplication process and the string Ymod2 output by the modulo 2 process will both have this same bit length p. Accordingly, where the intermediate random numbers have a bit length of n, the matrix M of random bits must be a p by n matrix. This relationship is shown in Figure 5.
[105] In the illustrated example of Figure 5 the p by n matrix M is a matrix having p rows by n columns and the intermediate random numbers are each arranged in a vector of n rows and 1 column, so that the output string Y has p rows and 1 column. In an alternative example the output string Y can be obtained by changing the order of the different factors, for example, the p by n matrix M is a matrix having n rows by p columns and the intermediate random numbers are each arranged in a vector of n columns and 1 row, so that the output string Y has p columns and 1 row.
[106] If the raw quantum random numbers have an entropy per bit value E, in order for the output quantum random numbers to contain purely quantum noise the relationship between p and n must be that p/n = E.
[107] In any specific implementation of the random number generating system 30 the entropy per bit value E corresponding to each set of possible suitable operating parameters of the array 33 can be calculated or determined by experimentation and stored. These values may conveniently be stored in a memory, for example in the form of a look-up table or tables.
[108] Accordingly, when it is desired to produce output quantum random numbers having a particular bit length, for example where this bit length is required by a function using quantum random numbers, such as a security application, the system will know that this required bit length of the quantum random numbers to be produced is the required value of p.
[109] The system can determine from the current or intended operating parameters of the array 33 what the entropy per bit value E of the raw random numbers 35 will be. The value of n which will be required in order to satisfy the relationship p/n = E can then be readily calculated.
[110] Once the required value of n has been calculated, the required dimensions of the p by n matrix M, and the required degree of concatenation in order to convert the raw random numbers into the intermediate random numbers, can be determined. A suitable p by n matrix M can then be obtained.
[111] As a result, the produced output quantum random numbers can be arranged to be wholly quantum random numbers with an entropy per bit of 1, or as close to 1 as possible based upon the statistical significance of the sample size, in addition to being unbiased and evenly distributed.
[112] It will be understood that the values of p and n must be integer values so that it may not be possible to precisely satisfy the relationship p/n = E for some values of E. In such cases, since the value of p is generally fixed by the desired bit length of the output quantum random numbers, it may be preferred to select the value of n to be the lowest (integer) value of n for which p/n < E.
[113] Once the required value of n has been calculated, the required dimensions of the p by n matrix M and the required degree of concatenation in order to convert the raw random numbers into the intermediate random numbers can be determined. A suitable p by n matrix M can then be obtained.
[114] As a result, the produced output quantum random numbers can be arranged to be wholly quantum random numbers with an entropy per bit of 1, in addition to being unbiased and evenly distributed.
[115] Further, in examples where n must be an integer multiple of the bit length of the raw random numbers in order to allow the intermediate numbers to be formed by concatenation, it may be preferred to select the value of n to be the lowest value of n satisfying this integer multiple requirement for which p/n < E.
[116] In general, it is necessary that p/n < E in order for the output quantum random numbers to have an entropy per bit of 1. Having p/n as near as possible to equalling E, for example by selecting n to be as low as possible, will produce the maximum output of output quantum random numbers from each set of raw random numbers.
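The post-processing of blocks 42 to 44 and the choice of n in [112] to [116] can be followed in code. This is an added illustration, not code from the patent: the function names are hypothetical, the matrix M is drawn from Python's `secrets` module as a stand-in for a stored matrix, and E = 0.4 is a constructed operating point.

```python
import math
import secrets


def concat_raw(raw_values, raw_bits=8):
    """Block 42: join raw samples into one bit vector X, most significant bit first."""
    bits = []
    for value in raw_values:
        if not 0 <= value < (1 << raw_bits):
            raise ValueError(f"raw value {value} does not fit in {raw_bits} bits")
        bits.extend((value >> i) & 1 for i in range(raw_bits - 1, -1, -1))
    return bits


def choose_n(p, entropy_per_bit, raw_bits=8):
    """Lowest n that is a multiple of raw_bits and satisfies p/n < E."""
    if not 0 < entropy_per_bit <= 1:
        raise ValueError("entropy per bit E must be in (0, 1]")
    n = raw_bits * max(1, math.ceil(p / (entropy_per_bit * raw_bits)))
    while p / n >= entropy_per_bit:  # p/n == E is not enough, [116] asks for p/n < E
        n += raw_bits
    return n


def random_matrix(p, n):
    """A p-by-n matrix of random bits.

    Assumption: drawn from the OS CSPRNG here; the patent reads stored
    matrices from a memory of the post-processing system.
    """
    return [[secrets.randbits(1) for _ in range(n)] for _ in range(p)]


def extract(matrix, x_bits):
    """Blocks 43 and 44: Y = M.X over the integers, then each entry modulo 2."""
    out = []
    for row in matrix:
        if len(row) != len(x_bits):
            raise ValueError("matrix width must equal the length of X")
        out.append(sum(m & x for m, x in zip(row, x_bits)) % 2)
    return out


def postprocess(raw_values, p, entropy_per_bit, raw_bits=8, matrix=None):
    """Turn raw samples into p-bit outputs, one per full group of n/raw_bits samples."""
    n = choose_n(p, entropy_per_bit, raw_bits)
    group = n // raw_bits
    matrix = matrix if matrix is not None else random_matrix(p, n)
    outputs = []
    for start in range(0, len(raw_values) - group + 1, group):
        x_bits = concat_raw(raw_values[start:start + group], raw_bits)
        outputs.append(extract(matrix, x_bits))
    return outputs  # leftover samples that do not fill a group are not used


if __name__ == "__main__":
    # The three 8-bit samples whose binary forms are given in [96].
    x = concat_raw([0b00001111, 0b11010011, 0b00111111])
    print("".join(map(str, x)))
    # Constructed operating point: E = 0.4 with 24-bit outputs gives n = 64,
    # so every output consumes 8 raw samples.
    frame = [secrets.randbits(8) for _ in range(16)]  # stand-in for sensor pixels
    for y in postprocess(frame, p=24, entropy_per_bit=0.4):
        print("".join(map(str, y)))
```

Because the extraction is linear over bits, a bias that survives in the raw samples is only removed when p/n stays below the true E, so E should be the measured value for the operating parameters actually in use.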
[117] The use of a buffer memory is not essential. However, providing a buffer memory to receive the set of raw random numbers output from the random number generator 30, and then carrying out the post-processing on the random numbers stored in the buffer memory may simplify the post-processing.
[118] In the example described above the raw random numbers are concatenated to form the intermediate random numbers. In other examples alternative or additional processes may be used to convert a number of raw random numbers into intermediate random numbers.
[119] In some examples further optical components may be present to direct and control the light for uniform illumination of the array 33. In some examples the further optical components may include one or more attenuators and/or one or more spectral filters and/or one or more diffusers. The use of attenuators and/or spectral filters and/or diffusers may assist in matching the emission characteristics of a light source to the desired illumination of an array. In some examples such further optical components may include light guides, mirrors, lenses, prisms and diffusers. This list is not intended to be exhaustive.
[120] In the embodiments described herein the whole of the array of sensor elements, or all pixels of the CMOS camera sensor, are uniformly illuminated and all of these sensor elements or pixels are used to populate the first set of values and to subsequently generate quantum random numbers. In some alternative examples only a part or parts of the array, or some of the pixels, are uniformly illuminated. In such examples only the outputs from the uniformly illuminated sensor elements or pixels should be used as quantum random numbers. In a CMOS camera sensor the outputs from the pixels which are not uniformly illuminated can be excluded by gating or other straightforward selection methods. For example, a crop of the resultant image may be taken. Similarly, any pixels known to be faulty may be excluded by gating or other straightforward selection methods.
[121] For example, in some embodiments a crop may be taken of the array, so that only a subset of the photon detector elements in the array are utilised.
[122] It will be understood that not using some of the sensor elements or pixels reduces the output of the quantum random number generator in so far as this reduces the number of raw quantum random numbers produced by each pre-set period of time or frame. However, in some examples it may not be convenient to uniformly illuminate the whole of the array or camera sensor, for example for geometric reasons. Further, in some examples it may be preferred to use only a part of the available array or camera sensor so that only a required number of quantum random numbers are produced by each pre-set period of time or frame, in order to avoid unnecessarily expending processing, and other, resources in generating extra quantum random numbers which are not required. In other embodiments, a quantum random number generator arrangement that comprises a single photon detector element may be provided.
[123] It will be understood that the specific parameters of the system, such as the pre-set period of time, and the intensity of the light will depend upon the specific use case of the system. Appropriate values will vary on a case by case basis, and will be apparent to the skilled person for a given scenario. Furthermore, it will be understood that while a shorter pre-set period of time may result in quantum random numbers being generated more quickly, it may also use more power. Therefore, power usage may be balanced against other requirements, such as speed of quantum random number generation, when setting the parameters.
[124] The quantum random numbers generated by the QRNG are provided to the PRNG, as discussed in relation to Figure 2. In this embodiment, the PRNG is a linear-feedback shift register (LFSR). As shown by the flow diagram of Figure 6, a quantum random number is generated as discussed above and fed into the LFSR. The quantum random number is then used in the LFSR as a seed value for the generation of sequences of pseudo random numbers.
The general operation of the LFSR itself, once provided with a seed, is well known in the art and will not be described in detail herein. It will be appreciated that the invention provides the LFSR with a quantumly random seed. The seed is then used by the LFSR to generate a sequence of pseudo random numbers as normal. The quantum seed may be provided to the LFSR either directly, for example through an entropy stream, or by storing the seeds in an entropy pool that the LFSR can access. This has been described in further detail above.
[125] When the system determines to re-seed the LFSR (for example by terminating generation of the sequence of pseudo random numbers at an appropriate point that has been dynamically generated), a further quantum random number, generated by the QRNG, is provided to the LFSR. This may be directly using an entropy stream, or by storing generated QRNs in an entropy pool for use by the LFSR.
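The seeding and re-seeding flow of paragraphs [124] and [125], as an added Python sketch that is not code from the patent. The 16-bit register, its tap positions, the `EntropyPool` and `ReseedingLFSR` names, the choice to draw the stopping point from the pool, and the sample pool values are all assumptions made for illustration.

```python
"""Added illustration: an LFSR seeded and re-seeded from an entropy pool."""
from collections import deque

WIDTH = 16
MASK = (1 << WIDTH) - 1
PERIOD = MASK  # a maximal-length 16-bit LFSR cycles through 65535 non-zero states


def lfsr_step(state):
    """Advance a Fibonacci LFSR with taps 16, 14, 13, 11 by one step."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << (WIDTH - 1))


def lfsr_period(seed):
    """Count the steps until the register returns to its seed state."""
    state, steps = lfsr_step(seed), 1
    while state != seed:
        state, steps = lfsr_step(state), steps + 1
    return steps


class EntropyPool:
    """FIFO of stored values; here it stands in for the pool fed by the QRNG."""

    def __init__(self, values=()):
        self._values = deque(v & MASK for v in values)

    def add(self, value):
        self._values.append(value & MASK)

    def take(self):
        if not self._values:
            raise RuntimeError("entropy pool is empty; cannot reseed")
        return self._values.popleft()

    def take_seed(self):
        """Return the next non-zero value: an all-zero LFSR state never changes."""
        while True:
            value = self.take()
            if value != 0:
                return value


class ReseedingLFSR:
    """LFSR that stops each sequence before it can repeat, then takes a new seed."""

    def __init__(self, pool, max_run=PERIOD - 1):
        if not 1 <= max_run < PERIOD:
            raise ValueError("max_run must be shorter than the LFSR period")
        self.pool = pool
        self.max_run = max_run
        self.reseeds = 0
        self._reseed()

    def _reseed(self):
        self.seed = self.state = self.pool.take_seed()
        # Assumption: the dynamically generated stopping point also comes
        # from the pool, and is always shorter than one full period.
        self.remaining = 1 + self.pool.take() % self.max_run
        self.reseeds += 1

    def next(self):
        if self.remaining == 0:
            self._reseed()
        self.state = lfsr_step(self.state)
        self.remaining -= 1
        return self.state


def demo():
    # Constructed sample values standing in for quantum random numbers.
    pool = EntropyPool([0x0000, 0xACE1, 5, 0x1234, 3])
    prng = ReseedingLFSR(pool)
    first_run = [prng.next() for _ in range(6)]   # seed 0xACE1, run length 6
    second_run = [prng.next() for _ in range(4)]  # seed 0x1234, run length 4
    return first_run, second_run, prng.reseeds


if __name__ == "__main__":
    first, second, reseeds = demo()
    print([hex(v) for v in first], [hex(v) for v in second], reseeds)
```

Because every output is a linear function of the seed bits, the unpredictability of the stream rests entirely on the seeds and on how often they are replaced.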
Embodiment 2
[126] A second embodiment of the invention will now be described.
[127] An overview of this second embodiment is that the system operates in a similar manner to the first embodiment. The light source is a single white LED light source. However, as discussed above, any other monochromatic or non-monochromatic suitable light source, whether infrared, ultraviolet, etc., may be used. Alternatively, the system may comprise multiple light sources that may be a suitable combination of any of these types of light sources. Further, the post processing of the raw quantum random numbers is the same as described above. This post processing is performed in a post-processing block, which may be implemented in hardware such as a processor (e.g. a mini PC like a Raspberry Pi) or in software. Further, this embodiment feeds the quantum random numbers into the entropy pools in the same manner as described in the first embodiment. Further, the PRNG is the same as that of the first embodiment although, as discussed previously, any suitable PRNG could be used.
[128] The second example utilises a Chameleon 3 CM3-U3-50S5C camera with a Sony IMX264 CMOS sensor. Furthermore, an ED1-550-MD optical diffuser is also used. The optical diffuser is placed between the light source and the sensor. The optical diffuser helps to ensure even illumination of the sensor. The brightness setting of the camera is set to 0, while the white balance (for red and blue) were set to 512. These values were chosen to avoid software modification of the raw image, i.e. so that data representing the original image detected by the detector is retained for quantum random number generation and not modified by built-in software processing of the camera, for example. It will be appreciated that the particular values needed for different settings to avoid software modification of the raw image will be dependent upon the hardware and software used, and in some cases, avoiding software modification may not be necessary. The bit depth of the camera is 12 bits, and so the data is saved in the Raw-16 format (which can store up to 16 bits per pixel). The shutter speed is set to 95 µs, and the gain is set to 17. Having a high gain means that for a given intensity of light source, a higher dispersion of data can be reached, which means that there is more entropy in the data.
Embodiment 3
[129] According to a third embodiment, the photon detector elements of the QRNG are incorporated into a digital camera. That is, the pixels of the digital camera correspond to the photon detecting elements, while the sensor of the digital camera corresponds to the array. The digital camera may, for example, be the digital camera of a mobile computing device, such as a mobile phone or smartphone.
[130] In this example, the pre-set period of time may be determined by the shutter speed of the camera. The pre-set period of time may be a frame or image captured by the camera. In some examples this frame, image or pre-set period of time may be part of a sequence, such as a video sequence. In some examples a series of frames, images or pre-set periods of time may be used to generate a series of sets of quantum random numbers from a sequence, such as a video sequence.
[131] The light source may be the flash of the camera. In the case of the camera being incorporated into a mobile computing device, the light source 31 may be the flash of the mobile computing device. If a crop is taken, as discussed in relation to the first embodiment, this may involve taking a crop of the image captured by the digital camera, and only using values that correspond to pixels within the cropped area.
[132] In examples where the array is a camera sensor of a camera and the light source is a flash of the camera, the intensity of the flash may be controlled by the camera settings.
[133] This third embodiment otherwise operates in a similar manner to the first and second embodiments described above. The post processing of the raw quantum random numbers is the same as described above. This post processing is performed in a post-processing block, which may be implemented in hardware such as a processor (e.g. a mini PC like a Raspberry Pi) or in software. Further, this embodiment feeds the quantum random numbers into the entropy pools in the same manner as described in the first embodiment. Further, the PRNG is the same as that of the first embodiment although, as discussed previously, any suitable PRNG could be used.
[134] The embodiments described above use a light source with a controlled intensity where the light flux emitted by the light source can be controlled. In other examples the intensity and/or light flux of the light source may not be controlled. In some examples it may not be viable to control the intensity of the light source. In such examples the operating parameters of the array may be set based upon the intensity of the light source in order to give a certain likelihood that a given number of quantum random numbers will be produced. The operating parameters of the array may be based upon an already known intensity of the light source, or upon a measurement of the intensity of the light source. Indeed, in some examples, the system itself may not comprise a light source at all. In such an arrangement, the photon detectors may detect photons from, for example, ambient light and generate random numbers in the manner described above from the incident photons from the ambient light.
[135] In some embodiments, where the array is a colour sensor, such as a CMOS colour camera sensor, having different sensor elements responsive to different colours of incident light only sensor elements responsive to one or more specific colours may be selectively used to generate quantum random numbers.
[136] In the embodiments described above the matrix M of random bits is obtained from a memory. In other examples the matrix M of random bits may be obtained by calculating a new matrix each time the matrix vector multiplication is to be carried out. In some examples, one or more stored matrices M may be used repeatedly.
[137] The embodiments described above use binary bits to encode the quantum random numbers. In other examples an alternative encoding basis may be used. In some examples the encoding may be changed from binary bits to another encoding during the generation of the quantum random numbers. In some examples where an alternative encoding is used before the modulo 2 operation is carried out, the modulo 2 operation may be replaced by an alternative operation matched to the alternative encoding or the same encoding.
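The matrix-vector multiplication followed by a modulo 2 operation that paragraphs [136] and [137] refer to, as an added Python sketch that is not code from the patent. The 4×8 matrix, the 8-bit block size, the raw bit string and the handling of a short final block are constructed assumptions; the patent's own dimensions are not given in this part of the text.

```python
"""Added illustration: y = M.x mod 2 with one stored matrix reused per block."""

# Constructed 4x8 matrix of bits, one row per integer (most significant bit first).
STORED_M = [0b10110010, 0b01101001, 0b11000111, 0b00011110]
BLOCK_BITS = 8

# Constructed raw bits: two full 8-bit blocks plus three leftover bits.
RAW_BITS = [1, 1, 0, 1, 0, 1, 1, 0,
            0, 0, 1, 1, 1, 0, 0, 1,
            1, 0, 1]


def parity(value):
    """Sum of the set bits of value, reduced modulo 2."""
    return bin(value).count("1") & 1


def multiply_mod2(matrix_rows, x):
    """Return M.x mod 2, with each row of M and the vector x packed into ints."""
    y = 0
    for row in matrix_rows:
        # AND selects the products row[i]*x[i]; parity adds them modulo 2.
        y = (y << 1) | parity(row & x)
    return y


def pack(bits):
    """Pack a list of 0/1 values into an integer, first bit most significant."""
    value = 0
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("raw input must consist of 0 and 1 only")
        value = (value << 1) | bit
    return value


def extract_stream(matrix_rows, n, raw_bits):
    """Apply the same stored matrix to every full n-bit block of raw_bits.

    Assumption: a trailing block shorter than n bits is discarded rather
    than padded, so no fixed padding bits enter the output.
    """
    if any(row >> n for row in matrix_rows):
        raise ValueError("matrix row is wider than the block size")
    m = len(matrix_rows)
    out = []
    for start in range(0, len(raw_bits) - n + 1, n):
        y = multiply_mod2(matrix_rows, pack(raw_bits[start:start + n]))
        out.extend((y >> (m - 1 - i)) & 1 for i in range(m))
    return out


if __name__ == "__main__":
    print(extract_stream(STORED_M, BLOCK_BITS, RAW_BITS))
```

Each 8-bit block is compressed to 4 output bits, and because the map is linear over GF(2) the output for the XOR of two blocks is the XOR of their outputs.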
[138] In the illustrated embodiments some components may be integrated at a circuit, package or die level.
[139] In the illustrated embodiments of the invention the quantum random number generating system may comprise a computing and/or electronic device.
[140] Such a device may comprise one or more processors which may be microprocessors, controllers or any other suitable type of processors for processing computer executable instructions to control the operation of the device in order to gather and record routing information. In some examples, for example where a system on a chip architecture is used, the processors may include one or more fixed function blocks (also referred to as accelerators) which implement a part of the method in hardware (rather than software or firmware). Platform software comprising an operating system or any other suitable platform software may be provided at the computing-based device to enable application software to be executed on the device.
[141] The computer executable instructions may be provided using any computer-readable media that is accessible by computing based device. Computer-readable media may include, for example, computer storage media such as a memory and communications media. Computer storage media, such as a memory, includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information for access by a computing device. In contrast, communication media may embody computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave, or other transport mechanism. As defined herein, computer storage media does not include communication media.
[142] Any range or device value given herein may be extended or altered without losing the effect sought, as will be apparent to the skilled person.
[143] It will be understood that the benefits and advantages described above may relate to one embodiment or may relate to several embodiments. The embodiments are not limited to those that solve any or all of the stated problems or those that have any or all of the stated benefits and advantages.
[144] Any reference to 'an' item refers to one or more of those items. The term 'comprising' is used herein to mean including the method steps or elements identified, but that such steps or elements do not comprise an exclusive list and a method or apparatus may contain additional steps or elements.
[145] The order of the steps of the methods described herein is exemplary, but the steps may be carried out in any suitable order, or simultaneously where appropriate. Additionally, steps may be added or substituted in, or individual steps may be deleted from any of the methods without departing from the scope of the subject matter described herein. Aspects of any of the examples described above may be combined with aspects of any of the other examples described to form further examples without losing the effect sought.
[146] It will be understood that the above description of a preferred embodiment is given by way of example only and that various modifications may be made by those skilled in the art. Although various embodiments have been described above with a certain degree of particularity, or with reference to one or more individual embodiments, those skilled in the art could make numerous alterations to the disclosed embodiments without departing from the spirit or scope of this invention.
Claims (45)
- 1. A method for generating pseudo random numbers comprising: generating one or more random numbers from one or more sources of noise, wherein at least one random number is generated from a source of quantum noise, the at least one random number being a quantum random number comprising quantum noise; providing the generated one or more random numbers to a pseudo random number generator (PRNG) for generating sequences of pseudo random numbers; and using at least the quantum random number as a seed in the PRNG to generate a sequence of pseudo random numbers.
- 2. The system of claim 1, wherein multiple quantum random numbers are generated, each quantum random number being for use as a different seed in the PRNG to generate a different sequence of pseudo random numbers.
- 3. The method of claims 1 or 2, further comprising generating random numbers from multiple sources of noise.
- 4. The method of claim 3, wherein the random numbers are generated such that quantum random numbers make up at least 2% of the total number of random numbers generated from all of the multiple sources of noise.
- 5. The method of claims 3 or 4, wherein the generated random numbers are provided to the PRNG i) in entropy streams according to the source of noise used to generate the random number, or ii) by storing the generated random numbers in entropy pools according to the source of noise used to generate the random number.
- 6. The method of any preceding claim, further comprising, while the PRNG is generating the sequence of pseudo random numbers, continuing to generate random numbers from the one or more sources of noise, and providing these random numbers to the PRNG.
- 7. The method of claim 6, further comprising dynamically reseeding the PRNG using a second random number as a replacement seed for the PRNG to generate another sequence of pseudo random numbers.
- 8. The method of claim 7, wherein the reseeding comprises terminating the generation of the sequence of pseudo random numbers before the PRNG regenerates the first pseudo random number in the sequence, and providing the second random number to use as a replacement seed for the PRNG to generate another sequence of pseudo random numbers.
- 9. The method of claim 7 or 8, wherein the second random number is a quantum random number generated from the source of quantum noise or a pseudo random number generated from the PRNG.
- 10. The method of any preceding claim, wherein the one or more sources of noise further comprise environmental noise such as keyboard or mouse activity by a user and/or thermal or auditory noise from hardware, and/or the PRNG.
- 11. The method of any preceding claim wherein the source of quantum noise is a source of photons.
- 12. The method of claim 11, wherein the quantum random number is generated from the source of photons by converting a property of the emitted one or more photons into a quantum random number.
- 13. The method of claim 12, wherein the property comprises any one of a number of received photons, the energy of the one or more photons, the spin of the one or more photons, or the position of the one or more photons.
- 14. The method of any preceding claim, wherein the PRNG is a software based PRNG, for example one of a linear-feedback shift register (LFSR), Mersenne Twister or Salsa20.
- 15. The method of any preceding claim, wherein the quantum random number is generated using an optical beam splitter, Quantum Tunnelling or radioactive decay of an atom.
- 16. The method of any of claims 1 to 14, wherein generating the quantum random number comprises: emitting, by at least one light source, photons such that one or more photon detector elements are illuminated; receiving, by the one or more photon detector elements, incident photons, wherein photons from the at least one light source are incident at random on the one or more photon detector elements; generating a value corresponding to the cumulative energy of any incident photons received by the one or more photon detector elements within a pre-set period of time; and converting each value in the set of values into a random number comprising quantum noise.
- 17. The method of claim 16, wherein the specific set of the plurality of photon detector elements comprises the central photon detector elements of the array of photon detector elements.
- 18. The method of claims 16 or 17, wherein the one or more photon detector elements are either a CCD sensor or a CMOS sensor.
- 19. The method of any of claims 16 to 18, wherein the one or more photon detector elements are incorporated into a digital camera.
- 20. The method of any of claims 16 to 19, wherein the at least one light source is a flash of the mobile computing device.
- 21. The method of claim 20, wherein the mobile computing device is a smartphone.
- 22. The method of any of the above claims, wherein the system further comprises an optical diffuser between the one or more light sources and the one or more photon detector elements.
- 23. A system for generating pseudo random numbers comprising: means for providing one or more sources of noise, wherein at least one of the one or more sources of noise is a source of quantum noise; means for generating one or more random numbers from the one or more sources of noise, wherein at least one random number is generated from the source of quantum noise, the at least one random number being a quantum random number comprising quantum noise; means for providing the generated one or more random numbers to a pseudo random number generator (PRNG) for generating sequences of pseudo random numbers; means for using at least the quantum random number as a seed in the pseudo random number generator (PRNG) to generate a sequence of pseudo random numbers.
- 24. The system of claim 23, wherein multiple quantum random numbers are provided to the PRNG, each quantum random number being for use as a different seed in the PRNG to generate a different sequence of pseudo random numbers.
- 25. The system of claims 23 or 24, wherein the means for generating one or more random numbers from the one or more sources of noise comprises means for generating random numbers from multiple sources of noise.
- 26. The system of claim 25, wherein the generated random numbers are provided to the PRNG i) in entropy streams according to the source of noise used to generate the random number, or ii) by storing the generated random numbers in entropy pools, according to the source of noise used to generate the random number.
- 27. The system of any of claims 23 to 26, wherein the means for generating one or more random numbers is configured so that, while the PRNG is generating the sequence of pseudo random numbers, the means for generating one or more random numbers continues to generate random numbers from the one or more sources of noise.
- 28. The system of claim 27, further comprising a means for dynamically reseeding the PRNG using a second random number as a replacement seed for the PRNG to generate another sequence of pseudo random numbers.
- 29. The system of claim 28, wherein the means for dynamically reseeding comprises terminating the generation of the sequence of pseudo random numbers before the PRNG regenerates the first pseudo random number in the sequence, and means for providing the second random number to use as a replacement seed for the PRNG to generate another sequence of pseudo random numbers.
- 30. The system of claims 28 or 29, wherein the second random number is a quantum random number generated from the source of quantum noise, or a pseudo random number generated from the PRNG.
- 31. The system of any of claims 23 to 30, wherein the one or more sources of noise further comprise environmental noise such as keyboard or mouse activity by a user and/or thermal or auditory noise from hardware, and/or the PRNG.
- 32. The system of any of claims 23 to 31 wherein the source of quantum noise is a source of photons.
- 33. The system of claim 32, wherein the quantum random number is generated from the source of photons by converting a property of the emitted one or more photons into a quantum random number.
- 34. The system of claim 33, wherein the property comprises any one of a number of received one or more photons, the energy of the one or more photons, the spin of the one or more photons, or the position of the one or more photons.
- 35. The system of any of claims 23 to 34, wherein the PRNG is a software based PRNG, for example one of a linear-feedback shift register (LFSR), Mersenne Twister or Salsa20.
- 36. The system of any of claims 21 to 31, wherein the means for generating the quantum random number is configured to generate the quantum random number using an optical beam splitter, Quantum Tunnelling or radioactive decay of an atom.
- 37. The system of any of claims 23 to 35, wherein the means for generating the quantum random number comprises: means for emitting, by at least one light source, photons such that one or more photon detector elements are illuminated; means for receiving, by the one or more photon detector elements, incident photons, wherein photons from the at least one light source are incident at random on the one or more photon detector elements; means for generating a value corresponding to the cumulative energy of any incident photons received by the one or more photon detector elements within a preset period of time; and means for converting each value in the set of values into a random number comprising quantum noise.
- 38. The system of claim 37, wherein the specific set of the plurality of photon detector elements comprises the central photon detector elements of the array of photon detector elements.
- 39. The system of claims 37 or 38, wherein the one or more photon detector elements are either a CCD sensor or a CMOS sensor.
- 40. The system of any of claims 37 to 39, wherein the one or more photon detector elements are incorporated into a digital camera.
- 41. The system of any of claims 37 to 40, wherein the at least one light source is a flash of the mobile computing device.
- 42. The system of claim 41, wherein the mobile computing device is a smartphone.
- 43. The system of any of claims 23 to 42, wherein the system further comprises an optical diffuser between the one or more light sources and the one or more photon detector elements.
- 44. A computer program that, when executed, causes the system of any of claims 23 to 43 to carry out the method of any of claims 1 to 22.
- 45. A computer-readable medium having stored thereon the computer program of claim 44.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2006658.5A GB2594929A (en) | 2020-05-05 | 2020-05-05 | Random number generator |
PCT/GB2021/051067 WO2021224605A1 (en) | 2020-05-05 | 2021-05-04 | Random number generator |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2006658.5A GB2594929A (en) | 2020-05-05 | 2020-05-05 | Random number generator |
Publications (2)
Publication Number | Publication Date |
---|---|
GB202006658D0 GB202006658D0 (en) | 2020-06-17 |
GB2594929A true GB2594929A (en) | 2021-11-17 |
Family
ID=71080627
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB2006658.5A Pending GB2594929A (en) | 2020-05-05 | 2020-05-05 | Random number generator |
Country Status (2)
Country | Link |
---|---|
GB (1) | GB2594929A (en) |
WO (1) | WO2021224605A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2608353A (en) * | 2021-05-18 | 2023-01-04 | Arqit Ltd | Random number generation in quantum key distribution |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115361127B (en) * | 2022-08-23 | 2024-10-18 | 中国科学院计算技术研究所 | Quantum random number post-processing method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1821196A1 (en) * | 2006-02-15 | 2007-08-22 | CryptoGraf Co., Ltd. | Method and apparatus for seeding a cryptographic random number generator |
US20150193207A1 (en) * | 2014-01-03 | 2015-07-09 | Ut-Battelle, Llc | Quantum random number generator |
WO2016141192A1 (en) * | 2015-03-04 | 2016-09-09 | Scarlett Carol Y | Generation of random numbers through the use of quantum-optical effects within a mirror cavity system |
US20180039485A1 (en) * | 2016-08-03 | 2018-02-08 | Scott A. Wilber | Synchronized True Random Number Generator |
GB2560873A (en) * | 2016-12-23 | 2018-10-03 | Crypta Labs Ltd | Quantum random number generator |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2608353A (en) * | 2021-05-18 | 2023-01-04 | Arqit Ltd | Random number generation in quantum key distribution |
GB2608353B (en) * | 2021-05-18 | 2024-10-16 | Arqit Ltd | Random number generation in quantum key distribution |
Also Published As
Publication number | Publication date |
---|---|
GB202006658D0 (en) | 2020-06-17 |
WO2021224605A1 (en) | 2021-11-11 |