Physicists Turn 8MP Smartphone Camera Into a Quantum Random Number Generator

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."

Oldest news ever

[Anonymous Coward]

This was done many years ago with a webcam as the LavaRand/LavaRnd project (which copied the Lavalamp PRNG).

This story is a dup

[TFlan91]

Because he failed to give any links...

http://www.lavarnd.org/ [lavarnd.org] - Was the site linked in story below, but is now dead

Sourceforge: http://sourceforge.net/project... [sourceforge.net]

http://slashdot.org/story/03/0... [slashdot.org]

Re:This story is a dup

[timeOday]

I am not so sure the randomness from that project actually came from the quantum properties of the photons themselves. A saturated CCD may be a chaotic physical process, but (I think) the dynamics of that chaotic process are properties of that CCD, not directly from the actions of individual photons which are known to be "quantum" and truly random.

Re:

[timeOday]

By way of analogy, rolling dice is a chaotic physical process that does not rely on quantum randomness. Given the starting conditions of a dice roll, the outcome is predictable, at least in theory.

Re:

[timeOday]

So you're sure there are processes which are completely deterministic? If it relied on the interaction of light and matter, then the same random component being used in the current article is still applicable

I would guess there are incredibly small regions of instability in many chaotic processes that can be tipped either way by quantum randomness, but that does not make them useful as sources of randomness. What you want is to prove the outcome of your system is nothing BUT quantum randomness, and thus

Re:

[KramberryKoncerto]

I don't think counting photons is going to be unbiased either. Randomness is different from unbiasedness. There must be a distribution, with some more values more likely than others. Unbiased-ness is however not necessary. You can use an unbiased coin to simulate a biased coin, and vice versa, and any continuous distribution can be turned into a coin flip. If you want a more efficient `unbiased randomness translator', there's research on stuff called randomness extractors, which aim to generate as many appr

Re:

[Anonymous Coward]

From TFA:

In practice, the first step is to characterise the light sensitivity of the camera by shining a green LED at it. That allows the team to work out the number of photons that saturate a pixel and ensure this does not happen while the random numbers are being generated (otherwise the results are no longer random).

Re:

[Anonymous Coward]

When we were developing lavarand, we found that closing the shutter on the Indycam gave us a similar statistical amount of randomness as taking a picture of a chaotic system (the lamps). So yes, I can say been there, done that, got the patent.

Re:

[Anonymous Coward]

Isn't that thermal noise instead of quantum noise from a photon?

Re:

[Anonymous Coward]

That's a completely different method. There the source of randomness is thermodynamic entropy. Even though a lava lamp seems so small, the degree of complexity is still more than can be perfectly simulated (bit for bit) by even the fastest computer imaginable. (Remember, the lava lamp isn't a closed system.) What's interesting about thermodynamic entropy is that even _if_ you could measure all the input variables, you still couldn't _predict_ all the output variables any faster than the system itself evolve

Seed

[ldbapp]

What's the universe's seed?

Re:Seed

[Anonymous Coward]

42

Re:

[K. S. Kyosuke]

In the 24th century, it will be adjusted to 47 to account for inflation.

Always?

[peon_a-z,A-Z,0-9$_+!]

The approach is based on the fact that the emission of a photon is a quantum process that is always random.

Macroscopically it sure seems random, but the underlying quantum physics show that it is still a deterministic process. Just because we don't have the right instruments to easily observe it doesn't make it have magic properties.

Re:

[Anonymous Coward]

You've got that a bit backwards. The underlying quantum physics concludes that everything is a random possibility in a range of probabilities, but that in a macroscopic scale the random fluctuations usually cancel out and the net result generally behaves as a deterministic process.

As related to this, if you power up a LED just enough for it to emit a single photon, you are pretty sure roughly what direction it went, but the exact path is unknown until it interacts with something. However if you juice up t

Re:

[peon_a-z,A-Z,0-9$_+!]

Assuming your post is derived from the following Wikipedia excerpt:

...a system moves to higher energies or—equivalently—larger quantum numbers, i.e. whereas a single particle exhibits a degree of randomness, in systems incorporating millions of particles averaging takes over and, at the high energy limit, the statistical probability of random behaviour approaches zero. In other words, classical mechanics is simply a quantum mechanics of large systems.

http://en.wikipedia.org/wiki/Q... [wikipedia.org]

Then you have interpreted it a bit incorrectly. Everything is not random, everything exhibits a degree of randomness. Just because we can't properly measure the deterministic nature of it, doesn't make it inherently random.

It looks random to us, but if there were no limit to our measuring capability we would know that it is indeed not random.

Kind of like the Earth Is Flat type argument of modern times.

Re:

[invid]

I guess you're not a fan of the Copenhagen interpretation. From Wikipedia:

The Copenhagen interpretation - due largely to the Danish theoretical physicist Niels Bohr - remains the quantum mechanical formalism that is currently most widely accepted amongst physicists, some 75 years after its enunciation. According to this interpretation, the probabilistic nature of quantum mechanics is not a temporary feature which will eventually be replaced by a deterministic theory, but instead must be considered a final

Re:

[peon_a-z,A-Z,0-9$_+!]

No I'm not, along with Einstein, Feynman, and many others.

A lot has happened since 1927 in quantum mechanics.

Re:

[invid]

Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing. Of course, the universe is going to be whatever it is no matter what I think. Unless, of course, I'm the one who collapses the wave function.

Re:

[peon_a-z,A-Z,0-9$_+!]

Haha you have a good point there. Hopefully we as a species can find some non-depressing realities through the results over our lifetimes. Hopefully...

You collapsing the wave function doesn't look like the likely way we'll all end, given the current state of affairs :/

another option - not everything is classic physics

[raymorris]

> Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing.

There is a third option. A butcher from 2,000 years ago could explain that bodies are mechanical systems, with ball joints, plumbing, etc. Later, psychology developed and we began to study what makes humans tick at a different level. The mechanical level if bones and blood vessels is important, of course. To understand people, you have to al

Re:

[Entropius]

Let's say you are detecting light from a fluorescent lamp. It has some mercury atoms in it which are excited by an electric current, and their de-excitation causes the emission of a visible light photon.

You can compute the transition amplitude and figure out how long, on average, it will take to spit out a photon. (You do this by applying time-dependent perturbation theory coupling the two quantum states with a dipole-transition electric field, to first order.) But you can't predict exactly when the photon

Re:

[Bob_Who]

The approach is based on the fact that the emission of a photon is a quantum process that is always random.

Macroscopically it sure seems random, but the underlying quantum physics show that it is still a deterministic process. Just because we don't have the right instruments to easily observe it doesn't make it have magic properties.

I agree, the song remains the same. Its not random. Its just very, very uncertain. Same as it ever was....

Re:

[dgatwood]

Not necessarily even all that uncertain. I could see somebody with sufficient resources attacking this by fluctuating the building power or using focused EMP tricks to reduce entropy, thus weakening the resulting crypto.

Re:

[dgatwood]

Considering that similar attacks have been done in the past [wikipedia.org], yes, I'm serious.

Re:

[jfengel]

Well, yes and no. Quantum-mechanically it IS deterministic in the sense that any given quantum state will evolve in a perfectly defined way. There isn't any "random number" in the Schroedinger equation (or its relativistic descendants).

It's really the macro-scale stuff that introduces the randomness. At the quantum scale, things exist perfectly happily in a superposition of two states that we never observe at large scales. The more objects you put together, the harder it is to maintain the superposition, an

You can never be sure...

[tippe]

Oblig. Dilbert Reference [dilbert.com]

Re:

[TeknoHog]

http://xkcd.com/221/ [xkcd.com]

Worth exactly what?

[gurps_npc]

To my knowledge, the limitations of pseudo random number generators are not the weak point in encryption.

To my mind, the most pressing problem are caused by Moore's law (and similar effects). Whatever encryption is worthwhile now, is worthless in 5 years.

Not to mention the human sized holes in encryption caused by human limitations.

Re:

[Anonymous Coward]

The human-sized holes get larger as the obesity rate increases. Poor encryption. =(

Re:

[jeffmeden]

To my knowledge, the limitations of pseudo random number generators are not the weak point in encryption.

To my mind, the most pressing problem are caused by Moore's law (and similar effects). Whatever encryption is worthwhile now, is worthless in 5 years.

Not to mention the human sized holes in encryption caused by human limitations.

Having a true random number stream is very valuable since one of the key weaknesses in PRNGs come when you gather enough output and can guess what random numbers the algo will use next. This compromises forward secrecy. If you can use a stream of constantly random numbers, one weakness is gone entirely leaving you more time to worry about other issues (like human weakness, processing bottlenecks, etc). Also, see the issue of a PRNG with a backdoor allowing perfect guessing of the pattern hence making the

Re:

[Anonymous Coward]

That is almost exactly wrong. Random number generators are a great place to subvert encryption systems, because if you can get a bad one implemented as a standard, there's not always a great way to prove that there's a backdoor in them. You can throw as much Moore's Law as you want at 2048 bit encryption, but it's still gonna take you more time than you have left until the heat death of the universe to crack my encrypted drive.

The math behind strong encryption is good, unless the NSA has something we don'

NSA Mods

[jtara]

Looks like we have some NSA mods here.

Every post suggesting that this won't work because the electronics will just be covertly re-designed are being modded down.

Re:

[DMUTPeregrine]

Moore's law doesn't help.

Take Bremermann's Limit. With all the computing power available on Earth right now, assuming it actually doubles every year (instead of simply new computers coming out every 18 months which have double the power) then it will still take more than a few thousand years to do the computation. If someone converts the entire earth into a computer operating at the limit, then simply using a 512-bit key with symmetric algorithms will effectively fix the issue, since the time to brute-forc

Re:

[K. S. Kyosuke]

After doing some mild research, I concluded that the most practical solution for a home EE hobbyist is building a circuit to utilize the shot noise of a PN junction (e.g., in an avalanche diode or a Zener diode). But this Flash thingy looks interesting, too.

Re:

[niftymitch]

Personally I found this an interesting read:
http://ieeexplore.ieee.org/xpl... [ieee.org]

Quantum RNG based on off-the-shelf flash memory. It's not very fast (up to 10kbit/s), but it's quite simple and since you have flash memory in close to every device, it's probably a lot cheaper to do than using optical sensors.

This is interesting but to get the bits from flash
you do not have them for other things.

A camera because of the size of the array and speed is interesting as a source
of entropy in a system. Also they are not alike so it is very hard to model
a camera and generate the same result.

Part of the news here is that the crypto folk are worried that a TLA got in
bed with a five letter company and biased the built in sparkling new RNG
instruction hardware and silicon magic in ways that they like.

Add some additional en

xkcd

[zm]

http://www.xkcd.com/221/ [xkcd.com]

Why not just use noise from the various antennas?

[Garble Snarky]

Bluetooth, GPS, NFC. At the very least, the cell/wifi are listening anytime you're online anyway, and with the relatively large bandwidth there should be plenty of entropy in that noise. Right?

Re:

[mlts]

If it doesn't take too much expense, why not toss all those RNGs into the /dev/random (or more accurately /dev/urandom as that is the only device used in more recent Android versions) pool? Even if one of the sources ends up becoming periodic, there are enough "blended bits" that it won't make as much a difference.

Re:

[ericloewe]

That's what's typically done, from what I know.

Re:

[Rashdot]

All of those can be manipulated, including the camera.

So it's a nice idea, but not guaranteed to be random.

Re:

[fsterman]

I had the same thought, smartphones have plenty of physical hardware interfaces and can certainly make due. AFAIK, servers are the only place where we need a lot more entropy than a standard device and where (especially on virtual machines) there is a poverty of physical signals to mix in. Even here, however, you only need to ensure that the initial seed is random, hashing will take care of the rest. FWIW, Ubuntu 14 comes with a nifty random entropy seed protocol called pollinate.

I think the authors are

Haven't addressed the main issue.

[jcochran]

If the article is correct and it's possible to generate a megabit/second random number stream, then that's very nice. But that stream is effectively worthless for all the applications they mentioned since the real problem is arranging for both parties to have access to the exact same random bit stream. That problem is the real one.

Re:

[K. S. Kyosuke]

You'd use this for session keys. Or, if you're into OTP, you'd transfer the bit stream in person (using something like NFC). (But I suspect that a much weaker point would be the penetrability and backdoorability of current horribly complex smartphone operating systems.)

Re:

[jcochran]

Indeed, you could use it for the session key. But then again, the rate in which the random bits needs to be generated isn't anywhere near the 1 Mbit/sec rate. After all, how long does it take to generate 256 bits? As for OTP, getting the bits to the receiver is as mentioned earlier "The Real Problem". But contract that issue with the quote "And applications? Secure credit card transactions are only the beginning. A quantum random number generator that works at 1 Mbps can also secure emails and even phone ca

Re:

[InvalidError]

In cryptography, RNGs are typically used to seed PRNGs.

You do not send the random bits: you encrypt and transmit the PRNG seed along with whatever other parameters might be necessary to synchronize both ends then use the PRNG to generate your nonces and the nonces are used to generate your OTP blocks.

The problem isn't the RNG

[bytesex]

Well, the problem is *also* the RNG. The bigger problem is finding a RNG like this, that can be easily embedded in electronics that you lock away. A camera won't do that.

Re:

[InvalidError]

I do not see where the problem with a camera is: even if you lock the camera in a perfectly dark EMI-shielded box, the CCD or CMOS sensor will still have a fair amount of thermal noise and the same goes for the ADCs so even if all the camera does is take images of the darkness, it will still get a fair amount of entropy from thermal and electrical noise. Put a few thousand pixels worth of this through SHA256 and now you have a pretty decent RNG even if you only get one LSB worth of entropy per pixel..

Why this won't work...

[jtara]

No.

The intelligence agencies will just plant engineers in the companies that make the sensors, and will stealthily add circuitry that will alter the data to make it non-random in a known way.

Re:

[Sentrion]

The only question is: will they be US intelligence agencies or Chinese intelligence agencies? Or have the two world powers finally merged to form the top secret Sole Power of Ex-Communists and Republicans Empire, aka S.P.E.C.T.R.E?

camera, light, securing...

[MoFoQ]

Hmmmm...camera, capturing light (or image), then using that to secure something......reminds me of Johnny Mnemonic.
Just need Ice-T and it'll be complete.

Be careful

[mbone]

The question is not really whether some physical process is random, the question is whether someone could predict some of the bits, say if you immersed the camera in a light field pulsed at the ccd refresh rate. Or an electromagnetic field that saturates the A/D converters wiring. Or...

The thing is that such a design has to be fixed, and then released in the field, and then be subjected to attacks tailored to its individual design and implementation, and there really is no magic bullet. So, "Counting the number of photons gives a straightforward way of generating random numbers" : maybe, but we won't know for sure if they are really and always random until it's been attacked for a few years.

It might just be possible...

[OakDragon]

...if we reverse the polarity... yeah, this can work!

Been there done that!

[Atl Rob]

I've had a CMOS imager noise gen for 5+ years! This is not new, I'll bet I wasn't the first to relize random image noise either? I made this discovery in an attempt to remove the noise with an algorithm. Also photon emission is not the best source! Random, sure, but will pile up in patterns so... Cosmic rays and background radiation are far better, impossible -or- at best highly impractical to remove from images, hence impossible to predict. Random number gens have been perfected for some time now? No? Cryp

Complete BS

[gweihir]

A 5.6V Zener-diode is half thermal noise, half quantum noise. It costs something like 5 cent. Amplification and digitization may be another $30 or so, but only for the prototype (e.g. Arduino clone).

This is a complete non-news item.