TW417059B - Random number generation method and apparatus - Google Patents

Abstract

The bias inherently associated with random number generation using a physical means (e.g. noise diodes, Geiger counters, etc.) is removed with the present invention by smoothing the physically generated random number with a pseudo random number. For instance by XORing or ADDing the physically generated random number with a pseudo random number, it can be shown that the distribution of 0s and 1s in the resulting binary random number is uniform.

Description

V. Description of the invention (1) Reference to previous applications This application was filed in the United Kingdom on January 24, 1998. The patent application number is GB 9801492.1. Field of the Invention i The present invention broadly describes a method for generating a random number; more specifically, it is intended to improve the randomness of the random number generated by a physical device. |

Background of the Invention I In a certain application range, a random number generation is required 'especially in a security application that uses a random number to generate an encoding or encryption key π (but not all such security applications require a random number 3) In this application, a physical random number generator (RNG) is often used. An "entity" RNG, as used herein, means a random number of RNG, which is based on samples in reverse biased diodes, oscillator phase noise, or other physical phenomena. Generate a random number. An example of using a physical RNG in cryptographic applications is a combination of two independent oscillator circuits connected together, and the second oscillator is adjusted by the sawtooth waveform output of the first oscillator. The current source of each oscillator 'is used to generate a pulse wave train representing a binary random number. Sometimes this RNG is incorporated into a part of the cryptographic device integrated circuit, such as a smart card chip. RNG is considered extremely unpredictable. However, many applications, including cryptography, also require that the random number allocation be the same. In a binary random number, an identical allocation means that the percentage of 0 and 1 is the same That is, each is 50%. However, the traditional entity RNG inherently suffers from some form of deviation, so that a random number of " 1 more than 0 "or " 0 more than Γ is generated as such.

ί 4 I 4 170 5 3 ί ^ ~~ 1 — ----------------- --- -------- _! V. Description of the invention (2) : 丨 The deviation is fixed 'can compensate the deviation3 For example, see the National Bureau of Standards 丨 丨 Applied Mathematics Series, by J. von Neu [nann's "Using different techniques: i connect random numbers "' 1951, Book 12, pages 36-38 (in von!

I | Neiimann's Collection Reprint 'Volume 5, Pergamon Printing, 193rd | j'768-770), which reveals a "from a fixed source of deviation | Simple instant rules for "binary output". However, the artifacts of these solid RNGs in the form of integrated circuits will change with factors such as time, temperature, supply voltage, and frequency. Because the deviation is not fixed, it is impossible to compensate for the deviation using these techniques. At the same time, it is impossible for a typical type of entity r N G to rely on the past output history. If it is independent by M. Β 丨 u m from the source of '’an associated error; unbiased currency roll: a limited Sate Markov chain_’,

Combatorica, Vol. 6, '1986, pp. 97-108, proposes: " The method of determining the dependency of the next bit on the previous bit " is also not a suitable solution. 3 By M · Santha and W. Vazirani in "Semi-stable Random Sequences Generated from Unstable Random Sources", 25th Annual Institute of Electrical Engineers (I EEE) "Basics of Computer Science" Annual Report, 1984 In October, pages 434-440, a suggested method was disclosed to overcome an inconsistent deviation in a physical RNG. In this method, consider that the RNG of the entity (such as a zener diode vacuum tube, where the frequencies of 0 and 1 drift over a period of time) is an "unstable random source ^" The author explains how the A "stable semi-stable random number" is generated from an unstable random source operating in parallel (which cannot be distinguished from a real random number, but is not a real random number).

苐 5 pages: 5. Description of the invention (3):

I number) ° B. Chor and 0. Glodreich further explain that only unbiased bits can be generated using two such unstable random sources ’as disclosed

I I 丨 Unbiased bit π exposed in " weak randomness and probabilistic communication complexity, SI AM j: Journal of Computing, Vol. 17, No. 2, April 1988, pp. 230-261, ten. | 丨 However, using this multiple, parallel physical RNG is not desirable. For example, j

丨 For smart cards and other portable devices that require random numbers, the size of the integrated circuit will be unexpectedly increased due to the incorporation of the multiple physical RNG; In addition, it is very difficult to make multiple R N G: truly independent from each other in a single integrated circuit chip. So ‘the two RNGs on the wafer are actually impossible to work (ca n’t work as the theory says _ι: work). When using multiple physical RNGs, a read-only memory:: body (ROM) is also needed to store the general rules for capturing unbiased bits. In view of these shortcomings, it can be seen that it is necessary to improve the identity of the random number generator allocation of an entity without including a supplementary physical RNG. In addition, a method for generating this computationally simple random number so as not to slow down or hinder the function of other devices is a more desirable ° diagram. Simple illustration. Figure 1 illustrates an integrated circuit at a functional block level. Suitable for use with the practice of the present invention: (Figure 2 illustrates an entity random number generator suitable for use in practicing the invention; Figure 3 illustrates a system according to the present invention for generating a random number of Flowchart of the method: Figure 4 illustrates the use of a virtual RNG to generate a more

Page 6 5 'Description of the invention (4) [Same random binary number' to coordinate a random number generated by an entity KNG. Detailed description of the invention i-In general, the invention uses an entity's random number generator (RNG) | to generate a random number, and then combines the pseudo-random number to make the random number generated by i unbiased . In a preferred system, either the random number of the entity and the virtual random number are mutually exclusive, or the random number of the entity 丨 i is added to the virtual random number. If so, the unpredictability of the random number of the entity is combined with the identity of a virtual random number to produce a binary random number that may not be biased, that is, a binary assigned by 0 and i for 50/50 Random number. The result of this combination means a " coordination " of the natural deviation in the random number generated by an entity RNG. 3 Just use the software 1

I control, and according to the present invention, "coordinating a random number of an entity" can be achieved, thereby canceling any increase in the scope of the circuit; or it can be implemented as M or hardware, according to the present invention to perform M to coordinate an entity Random number "to improve security. In the latter case, a virtual RNG is hard-wired to provide an independent source of random numbers, and then it plays the same role as its software implementation: it will be clearer from the detailed description below, together with Figures 1-4. Learn about these and other features and benefits. Although there are many suitable applications utilizing the present invention, there is a particularly important application for generating random numbers for passwords, such as implemented by integrated circuit devices in smart cards. Figure 丨 illustrates a functional block level suitable for implementing the present invention using an integrated circuit (IC) 12. As shown, when I C 1 2 is designed to be used in a smart card or personal data carrier, this is not a part of the present invention.

苐 Page 7 τ 4Π〇59 5. Description of invention (5) requirements. The present invention is also [Ig but " mountain, 〃, and limit coin J is executed by an integrated circuit ". On the contrary, the present invention is random for any use-Xiangshen & ^ a ^. In the application of the number generator device 'all have ^^ 生. Also ^ 100: Shixi ^ ^ y ot 疋 4, idea' When the exemplified IC 1 2 includes a limited number of secrets to perform special functions also α. A In the case of ££ block, the following is further explained: In the past, J9tu was unable to settle t shizheng r Γ, λ wt β n Xiaoda identified the special function blocks such as IC 1 2 as the consistent C 沾 π π a ^ ^ & 仏 —block on π κ ”. In addition, the women's volleyball teams in these blocks on this chip may not be able to go to the temple. It should also be noted that when using a single 'lane station 8 ίι thousand limbs day 3 capsules to open the i-type illustration, one or more grains can perform the ancient wear day recognition & „, 〇 brother month ’s Work. In addition, an IC may include work that is different from the work illustrated in Figure 1.

Ff < Φ I A ^ as ^ ^ £ The block ϋ is not intended to use these diagrams to make the target domains and corridors of the present invention 10 ^ 1 should not be used 'unless specifically indicated otherwise. The terminal and the smart: card gate connected to the power module 14 by direct connection-read the example of the total g connection between the two, with "„. ΧΑ ’s smart comet + strong β T " ^, Or an unconnected radio frequency (^) transmitted by the reader terminal (for example, Lu Xun to the empty sr h urine urine pump 14 to promote a positive power supply potential so that female virtual J-installed | Motion program] to [(: 12 other circuits. A core, 理 理 fji (^ Ρϋ) 16 'also refers to a microprocessor or microcontroller magnetic line ^ line 4 control scrape,% order and Decision-making functions. For example, CPU 1 6 〆 舄, private input and wipe, 佘 work, and generate valid data for data rotation data 2 Data input / rotation module 18 pass 7 to the reading Take the terminal 胄, and pick up the material from the reading terminal. One of the read-only memory (rigid) modules 20 in 乂 2 can be used to store the designated I, and the program instructions' are during the 1C manufacturing process. The program is set to be executed by CPlJ 16. A random access memory (RAM) module level 5. Invention description (6)! Also included. RAM is volatile memory, if provided Temporary

: Memory a Electrically erasable programmable read-only memory (EEPR0M) 24 is a non-volatile memory array in 1C | 12 'stores basic information of the card, such as personal identification code, medical case, Bank information, financial status value, security code, etc., depend on the application of the card. When EEPROM is a more preferable form of memory, other types of non-volatile memory can be used instead of EEPROM 24. : IC 12 further includes—Modularized Index Unit (MEU) 26 for adding the data of the card and the reading wheel, and transmitting the reader to the: and Λ 仃 of the present invention For the purpose, the method of data encryption and decoding is not special: it is important, so the detailed description of these methods is omitted 5 IC12 also includes a consistent follower: ^^ m ^ 丨 Rough Number Generator (RNG ) 28, suitable for use with the present invention. RNG τ #: ,, ϊ51, qa and Nitian 8bu 4 are designed for any special circuit ’for use with the present invention. {^ ΛΛΛ Π known or developing entities R N G (as previously defined)., Π nr & & @i 竹 & The present invention benefits. In the comparison test results of a system ^.. I ±., 4, RNG 28 includes two independent and connected 梃. 篇 ^, ^ „.,. # Π swing range, as shown in Figure 2 Please note that 'as described below' R λ G 2 8 includes an adjustment device between the two α,. «Vm, P ^ ^ μ cameras to adjust the g _, Missing ☆ The frequency of an oscillator is improved to improve with V ^ ^ ^ ^ nn @ s' The use of the adjustment device is # necessary, because only the present invention will ^ ^, π. Γ is fA. Any difference in the number = again referring to FIG. 2, RNG 28 package withered — the first relaxation oscillator 2 1 2,

"Π (^ 〇59__: V. Description of the invention (7) ::; :: Charge a capacitor (not shown) in the first, fixed current source 2 1 4; charge and discharge at a first frequency Produces a sawtooth waveform on the output:: out. One or two mitigating oscillators 216, a second, voltage-controlled i

'I 丨 A capacitor (not shown) is charged and discharged in the current source 218. The second current source 218 is directly coupled to the output of the first oscillator 212 on a first control input, and is adjusted by the sawtooth waveform output; I.丨 Via a transmission gate 2 2 0, the output of the first oscillator 2 1 2 is also coupled to a second control input of the second current source 2 1 8 by a software :: data bit can be set This state (not shown) of the element is controlled, and its control is adjusted. (J: signal Ad j.) A storage capacitor 222 is connected between the ground and a point, where the point is between the transmission gate 2 2 0 and the second Current sources 2 1 8 = the transmission gate 2 2 0 and the storage capacitor 2 2 2 allow the user to adjust the second current source 2 with a similar: value, where the similarity value is a closed When the transmission gate 2 2 0, the output sawtooth waveform in the first oscillator 2 12 is sampled and retained, and it is determined at that point in time. The user can 'interfer' or 'encourage' the transmission gate Adjust the bit in 22 0 to adjust the randomness of the number of results (that is, set the adjustment bit to a value of 1 to assume 0 to open the transmission gate 2 2 0, and then wait for a { Predetermined time * before setting the adjustment bit to the opposite value, such as' Γ , Close the transmission gate 2 2 0 first, and immediately retain the sampled value of the output sawtooth waveform of the first oscillator 2 1 2 stored on the capacitor 2 2 2). If it is 'interference' or 'agitation' the transmission gate Adjust the bit in 2 2 0, and by immediately closing the transmission gate 2 2 0 a quantity (the first oscillator

r '^ λ -7 A; * -i' ii .jv '.: _____________—_________,: V. Description of the invention (8)!: Between the minimum and maximum values of the output sawtooth waveform in 2 1 2)' will Can increase one! : The additional amount of current is given to the second oscillator (and thus its frequency) ° such as:;!

: Yes, in order to obtain increased randomness, the user 'interferes' or 'agitates' before generating a random number in the arrangement 210 'i'. The adjustment bit in the transmission gate 220 . I 'via a distributor 2 2 4 and a transmission gate 2 2 6 (controlled by a read signal Rd | i;), the output of the second oscillator 2 1 6 is on a data bus 2 2 8 Couple i

I; together. By using a software to set the state of the data bit (not shown), the distribution rate of the distributor 224 can be selected between a single and a predetermined non-single value, and the distribution rate controls an adjustment signal Ad. j 2. Control the adjustment of the distributor 2 24: bits to determine whether the output pulse wheel train of the second oscillator 2 1 6 is allocated by a predetermined ratio before the material bus 2 2 8 is disabled. It will be observed that the distribution of the output pulse wave trains of the second oscillator 2 1 6 further "randomizes" the number of results. It should also be noted that if the adjustment device is coupled between the oscillators and the output of the second oscillator 2 1 6 is dug, it is not necessary in the practice of the invention | because the invention alone can compensate: the Entities generate any difference in random numbers. However, using the circuit design of FIG. 2 to test the benefits of the present invention, the results will be explained as follows, and a description of the circuit is also included below for reference. In operation, the CP I) of C 1 2 will encounter a "requires the use of a random number" routine, where the CPU is fetched from RNG 28. For example, a random number is often required to generate a cryptographic key As for a supplementary security measure, it is also possible to modify the execution time or the software program flow of an application with a random number to prevent computer hackers from being able to copy the routine. In some cases

Page 11 r 4 1705 9 I · ^ '' '™ ~ ^ r'-^: 丨 Fifth, the description of the invention (9); in the case, a random number can also be used to determine a current conversion <: : Whether to turn up or down. It is also possible to make each card generate a random number (metalog: | a number generated for the reader) to resolve the conflict between multiple disconnected smart cards i 丨 and a reader terminal. : Once the CPU 12 determines that a random number is needed, it generates a random number according to the present invention, and provides the random number to the CPU to pass |

I bus 228 for processing. An example of generating a random I: number using a method of the present invention will be illustrated in the flowchart of FIG. In a first step 30, a random number is generated using an entity RNG. As explained above, it is not important whether to use the solid RNG of this particular form or design. In addition, the size of the generated random number is not important. But for the purpose of illustration, it is assumed that the entity R N G generates a random number of 64 bytes. As shown in step 3 2 below, a seed is generated from the random number of the entity to generate a virtual random number. : A virtual random number, a number that has been generated by a general manipulation of a sub-number. In some cases, the virtual random number can be used to replace the random number generated by the entity. However, in highly secure applications, the virtual pseudo-random number is not suitable: it is too easy to predict. If someone starts with the same seed, the result will be the same virtual random number. According to the present invention, a virtual random number is generated to coordinate an entity to generate a random number] deviation, instead of the CPU using the virtual random number as the last random number generated. 3 For the purposes of implementing the present invention, it is generated from the entity The method of extracting one seed from a random number of is not particularly important, because by this coordinated operation,

V. Description of the invention (10) !: Compensation for the randomness lacking in the seed ° However, in general, 1 makes the seed as random as possible. If it is' a person can randomly select a byte or a subset of bits from the entity random number I I | to generate the i 丨 random seed (for example, randomly from the 64 byte entity Among the numbers, with |: the machine selects 3 or 4 bytes). In order to obtain a more random seed, 1-a preselected number can be mutually exclusive with the bytes retrieved from the entity RNG to generate the seed. Use a pre-selected number to avoid producing |: generate a number that is all 0 or all 1. Alternatively, it may be appropriate to fix the most important bits (MSBs) of i in the virtual seed to avoid a situation of all zeros or all ones, and treat π to generate the virtual random number of : General rules "==; After the seed is retrieved, a counter is set as shown in steps 3 and 4 of FIG. 3. According to the system shown, a virtual random number of one byte is generated at a time, as in step 3. As shown in Figure 6, but this is not a requirement of the present invention, and will depend on the particular virtual random number generation rule used. If so, use this counter to determine when the virtual random number generation is completed (ie, when the entity is random Each byte of the number corresponds to a byte in a virtual random number). As shown, the counter is an incrementing counter, but it can also be optionally changed to a decrementing counter. Selectivity Ground, the entire virtual random number can be generated from the seed without the need for a counter or repeating the generation rule. For the purpose of practicing and understanding the present invention, 'utilization in step 36 (And the like) to produce a specific number of General Virtual Machine byte " is particularly important and non However, on the other hand, with the most advanced with use.

Page 13

丨 Fifth, the description of the invention (11); 丨 organic routine is preferable. A variety of general rules have been written to generate the number of virtual slaves, and any one of the general rules can be used to implement the present invention. For example, 1 | | See P. L Ecuyer's "Random Number of Simulations", ACM Newsletter, Volume 33 |: Book No. 3, October 1990, pages 85-97, and references therein.丨 Next, according to the present invention, as in step 38, a sample of the entity to generate a random number 丨! Is sampled, and in step 40, the virtual | generated in step 36 is used to coordinate the pseudo-random number of bytes The entity generates a random number of bits: groups. As used herein, "coordination" means to perform a mathematical function on both the entity and the virtual random number: in order to maintain the unpredictability of the entity to generate a random number, and at the same time 1 will generate a random number with the entity. Associated with: (: the natural deviation or dissimilarity of the assignment is removed 3 In theory, the association; the tuning operation is a mathematical proof that produces a 0 and 1 with 50/50 points; § of its own Random number operation. In a more preferable system of the present invention, by: mutually exclusive of the virtual and physical random number of these bytes to achieve the: coordination function. In another preferable system f Only add the bytes: In the appendix, a mathematical proof is provided that "each function will result in a random number of the same assignment". After coordinating the physical and virtual bytes, the The result is stored in a memory, as shown in step 42 = then, the counter is increased or decreased, (as shown in step 44. If the counter does not reach its final total, as determined in step 4 6, this is generated A pseudo-random number of another byte. In order to avoid generating the same byte of the virtual random number, a seed different from the previous byte is used. In some cases 1 the virtual RNG is used The general rules of this modification modify the seed during the generation of the virtual number. Here

Page 5 of the fifth, the description of the invention (12) In the case of 'it will be judged in step 4 8' "no new seed is needed". However, if the seed is not modified, a new seed is required to perform the virtual random The generation of the number is completed in step 50. Continue to generate new virtual bytes of the virtual random number, and stop until all the bytes in the random number of the entity are coordinated = > In Figure 4, the legend shows The process described above. Generate a 64-bit random number 100 from an entity RN g. Use a random number of 100

Tuple 'to produce a seed number. Next, a virtual I? MP 'is used to generate a virtual random number 104 from the seed. Then, ^ 'quasi-random number 104 and the function f (X i γ i) to coordinate the random number of the entity' to generate a random number 1 0 6 'where the random number of the entity 丨 〇 phase ^' far random number There is an improvement on the same allocation of 106 and 0. As described above, a randomness generated by the coordinated entity device according to the present invention provides a significant improvement over the identity of the -f pairings 0 and 丨. In a nutshell, the random number generated by the body 1 and coordinated according to the present invention is obtained. ≫ 丨 ί Many executions of the random number generated by only one entity ㈣0 ", can show gh. Then For example, the actual RNG that should be used in the comparison is described in Figure 2 above. It is described in Figure 2: H ^, w, and or the argument function is used, as in the example in Figure 3 above. The random numbers of the entities are mutually exclusive. Enter a random number of megabytes at each of the same data points, so that it can be used to test all the tests performed by the present invention. (Due to different operating conditions ^ 1 government > dish temperature, two pit voltage and frequency change as follows: temperature_a-25t 4 1705 91 1 V. Description of the invention (13), 2 5 ° C and 8 5 ° C; voltage --3.5 volts, 5.5 volts, 6.5 volts; frequency: rate -2.5 million hertz, 4.9 million hertz and 8.0 million hertz, all other variables remain unchanged. V. Description of the invention (14) Test data I Mean 値 Standard deviation failure rate (%) Note Zero column 1 50.7661 I 3.50648 N / A Significantly different 50.0006 0.04778 N / A One column 49.2339 3.50648 N / A Significantly different Coordinated 49.9994 0.04778 N / A Deviation column 0.023669 0.026927 6L8% Significantly different coordination 0.000389 0.000276 0.0% Chi Sqrl column 5389.895 14373.5 95.3% Significantly different coordination 0.93 1.1 0.0% Chi Sqr255 column 40369.7 131372 99.4% Significantly different coordination Tune 25 8.0 24 0.0% Upward 6.41720 4.47521 4.1% No significant different coordination 6.41982 3.66742 1.8% Downgraded 6.287665 3.96110 2.9% No significant different coordination Canton C O.UJ 3.38882 (16% conflicting list 364.576 856.947 45.9% Significantly different coordination 128.256 10.805 0.6% Multiple conflicting columns 461.665 1123.47 47.1% Significantly different coordination 128.333 7.07 0.0% | Multipurpose column 12.0005 0.433735 94.1% Significantly different coordination 12.1674 0.006089 〇% 1 3 1 -Bit row 6601.11 17955.0 97.1% j Significantly different coordination 4.13 2.6 | 1.2% 1 3 3-bit rows 20826.9 72239.81 91.8% | Significantly different coordination 451.6 30.0 2.4% Table 1

Kill page II7 aMQ59_ 丨 V. Description of the invention (15) In a test, the π zero " test determines the i percentage of 0 in the random number of the result. Similarly, the "one" test determines the percentage of the random number in the result. The "bias" test shows that the percentage of 0 and 1 is more than 50%. Borrow a positive real number e to indicate the deviation, such as a percentage of 0 or 1 is equal to | 0.5 soil e. Actually, it is expected that ε S0. 01 ° However, 'a small e does not mean that the difference between the total number of 0 and the total number of 1 is not significant. The C h i S q u a r e test (11 C h i S q I " 1 ") is used to measure the significance of the difference. If the result of Chi Sqrl is less than 6.635, the sequence is regarded as "no significant difference between the total number of 0 and 1 |". i " C hi S qr 2 5 5 ”test is a C hi S quar test of 2 5 5 degrees of freedom, which checks the frequency of the 8-bit form (a byte) in a sequence, 丨Does it look like the frequency of the 8-bit form in a real random sequence. If the result of this test is less than 3 3 5 then the 8-bit form is considered to be the same assignment. This test is better than C hi S t | r Strong 1, because the sequence f that produces a good C hi S qr 1 result will still produce bad results when it is similar to C hi S qr 2 5 5.: The "Run Up1 'test checks whether a sequence looks like a real Random Order: Columns are aggregated 3 and the same "this" RUN DOWN test "tests whether a sequence is RUN DOWN like a real random sequence. In other words, these results indicate whether a candidate sequence looks like a real random number sequence Similarly, make changes in any direction. If each result is less than 1 6. 8 1 2, the candidate sequence is regarded as a sequence that changes like a true random sequence. A "collision H test'1 tests the First 254 (3 2 7, 6 8 0) 2 0- The total number of elements of the conflict element 3 - 1 produces a conflict of a number of identical two R N G

4U〇59 V. Description of the invention (16) Item 3-A real random RMG ′ generates a number with a low probability of collision: although some number of collisions is inevitable. The multiple collisions' test (" Mu 11 i-C 1 1 s η ") tests the maximum, minimum, and average total number of collisions of a sequence consisting of 214 20-bit elements j. In practical applications, the probability of this conflict is inferred by observing the conflict characteristics of a 20-bit long segment! Calculate 3 in a candidate sequence of 327, 680 (214) bits, if the conflict occurs less than 1 5 3, then regard the sequence as " low conflict risk, '. Secondary

I The " Universal " test 'measures the average information entropy in a segment with a specified total number of bits, using E 1 i a s roller wheel rule'. This test was proposed by U.M. Ma a r r r and recommended by I Ε Ε Ε to evaluate whether a hardware (physical) random number generator can generate a sequence with insufficient stability. By testing a sequence with ^! Megabits, the test shows an average assessment of the instability of any 1 3-bit 'fragments produced by the RNG. By testing a sequence with seven million bits, the test shows an average for any 16-bit segment. For example, if L = I 6-bits 'and shows 1 5, 1 6 6 1 4 4' This refers to any 6-bit segment in the candidate sequence. The average 1 5. 1 6 6 1 4 4 does Unstable (or unpredictable, unpredictable). This test yields two values, v,. And v2. For a given L, Vi is the average instability 1 V: is the boundary of the test and is related to the size of the sample. In the table, “v” is displayed, and in both cases, V2 is 1 2 · 1 3 6 7 3 1 a If A > v2, the candidate sequence passes the universal test. The 11 1-bits' 'test the independence of the three bits by examining each bit' in a sequence and examine the sameness at the same time. The "3 3-bits" test the three 3-bits by examining each 3-bit element in the sequence

· / ——. Page 19-5. Description of the invention (17) Independence among meta-elements, and check the sameness at the same time. If a random number sequence passes these tests, C h i S q u a r e and different 0 s / 1 s tests ’then’

(I ί The results of the "3 1-bit" and π 3 3-bit M tests show whether the neighboring elements in the sequence 1! | Are dependent on each other. In other words, the test not only determines a sequence 丨 ί Whether the components in! Are identically distributed, and at the same time determine whether they are executed like currency throws. It is expected that a good result should be less than 13.277 (three 1-bit i! I yuan), less than 5 20.556 (Three 3-bit ί! From the table above, it is known that the uncoordinated output system in the entity RNG is systematically bad, and more than 90% of the data points failed: Chi Sqrl / 25 5,000,000 And independent tests' and more than 60% failed the deviation test. Not only because each test has a high average; π failed, "but also because of a very large standard deviation. The physical RNG cannot generate a random number 'crossing the voltage, temperature: degree and frequency range of the assessment. By coordinating the physical RNG with a number generated by a virtual RNG, a dramatic improvement can be achieved in the implementation, as illustrated above. The only ones that have not improved significantly due to this coordination The tests are the Run and Run Down tests. Regardless of whether they are coordinated or not, the two tests are far away. The tests are for acceptable results. The descriptions and examples previously contained herein prove that many and this Advantages related to the invention. In particular, it discloses " coordinating the number with a virtual random number, which can remove the deviation and dissimilarity of a random number generator in a physical device π = only by mutual exclusion or such The number can be added without additional hardware to achieve the coordination. Twelve tests for measuring randomness are used to evaluate the advantages of the present invention, of which ten kinds of brakes show that the realities are coordinated by coordination.

λ ， ί〇0 V. Description of the invention (18): A significant improvement in the output of the body RNG can be obtained. 3 As can be seen, a method for generating-random has been provided according to the present invention.

| I | The number method, which fully meets the aforementioned needs and advantages ° Although the special system description and illustration related to the invention has been exemplified by the invention, it is not intended to limit the invention to The system of such examples. For those skilled in the art, it will be appreciated that the invention can be modified and changed without departing from the scope of the invention = for example, the invention is not limited to being implemented by an integrated circuit. Any general data processing system can be utilized, and software'hardware, hardware, or any combination thereof can be used to perform this coordination function. For example, if the hardware i 1 is designed with a hardware, the present invention can be implemented using the traditional hardware i,! Of a virtual R N G. In addition, the present invention is not limited to the special! Application that uses the random number, nor is the invention limited to the special RNG entity used to generate the starting random number, because all the entity RNG Equal is inherently biased and / or provides somewhat different distributions, and thus can benefit from the present invention: Therefore, it is intended that the present invention include all the changes and amendments that fall within the scope of the patent application. 3 Appendix: Mutual exclusion proof: Note that if a deviation sequence 丨 丨 and a perfectly balanced sequence y,} are mutually exclusive, you will get A perfectly balanced sequence of results 丨 z; 丨. This fact can be proved by:

Page 21

-ArV 5. Description of the invention (19) p ^ i == 0} = p {(^ = 〇 = 〇) ^ J (χι == lr \ yi = 1)} = p {X4 = 0 r \ yi = 0 } -h τ? {Χί = 1 C \ yt = 1} ~ p {xi = 0r \ yt = ^ 0r \ xt = lr ^ yi = 1} = p {xi = 0 oyi = 0} + p {xi = 1 r \ yt = 1} = p {xi 0}-== 0} 4- /? {X 1}. Office = 1} = ρ {χ. = 〇} -J- + p {x > = 1} 2 Available by the same reasoning. Therefore, regardless of the distribution of U, 丨, {ζ;} will always be 0 or 1 ° of the "1/2 probability". Eyesight: Same as this mutually exclusive operation, this addition operation also has Same effect. This fact can be proved below. Let c be the carry from the previous addition, and its probability is unknown. p ^, = 0} = ρ ({χ · = Οηγ, -Ο nc = 0) u (xt = Ir ^ y, = 1 nc = 0) ^ (¾ = 0 〇 > = 1 nc = l) u = 1 = 0 c = 1)} = 丄 = 0} · p {c = 0} ten = 1} · /? {C: = 〇} + p {xi = 1} · p {c = 0} + p {x > -1} -p {^ = 1)): — (j? {x- = 0} + p {x · = 1}) · ip {c = 〇} + p {c = 1}) 2 2 >

TH 2

佘 Page 22 V. Description of Invention (20)

By the same reasoning we can obtain p 丨 \ = and therefore, regardless of the assignment of {X1 丨 to 0 or 1. 1} = 1/2. ίZOι 丨 will always be "1/2 probability" " Result " means that the structure below provides a balanced wheel

Physical RNG virtual RNG where (1) f (χΜ yi) Xi or (2) fCx ^ yi) = carry of xi + yi + ci.1 +, and c 12 16 20 22 24 26 28 212 216

Component symbol description Integrated circuit (1C) Central processing unit (CPU) Read-only memory (ROM) module Random access memory (RAM) module Electrically erasable programmable read-only memory (EEPR0M) Modularization Exponential Unit (MEU) Entity Random Number Generator (RNG) The first moderator oscillator 214 a fixed current source, the second moderator oscillator 218 the second current source 14 power module 18 data input / output module

Page 23

Page 24

Claims (1)

Six 'patent application scope 1. A method for generating a random number by using an entity random number generator, the method includes the steps of: generating a binary random number @ using the entity random number generator; generating a binary virtual random number Number; and combining the binary random number and the binary virtual random number to coordinate the binary random number and substantially remove any allocation bias associated with the binary random number. 2. The method of claim 1, wherein the step of coordinating includes mutually exclusive of the binary random number and the binary virtual random number. 3. The method of claim 1, wherein the step of coordinating includes adding the binary random number and the binary virtual random number. 4. The method according to item 1 of the patent application scope, wherein the step of coordinating includes combining the binary random number and the binary virtual random number by a method that can be proved mathematically to generate a 0 and 1 as the same allocation. The result is a random number. 5. The method of claim 1 in which the data processing system includes an integrated circuit. 6. The method according to item 5 of the patent application, wherein the entity random number generator includes two independent oscillators connected together. 7. The method of claim 5 in which the integrated circuit is used in a smart card. 8. The method of claim 1 in which the virtual random number is generated by a seed derived from the binary random number, and only Page 25-Scope of patent application of 06: 1 The random number is generated by an entity random generator. 9. A random number generator comprising: a physical random number generator device that generates a first number @; a device for generating a virtual random number that generates a second number; and A device that combines a number with the second number to coordinate the first number and substantially remove any allocation deviation associated with the first number. 10. If the random number generator of item 9 of the patent application scope, wherein the first and the second numbers are binary numbers. 11. If the random number generator of item 10 of the patent application scope, the means for coordinating comprises a means for performing a mutually exclusive function on the first and the second number. 12. If the random number generator of item 10 of the patent application scope, wherein the means for coordinating comprises a means for performing an adding function on the first and the second numbers. Page 26