The presented invention relates to a new method and device for the quantum generation of random numbers. The invention can be used to generate random numbers for lotteries and gaming. It allows the generation of binary or non-binary random number chains at high generation rates.
The existence of random processes, in addition to having philosophical consequences, has applications in various disciplines of technology. Random numbers are essential in the lottery and gaming industry as well as for scientific simulations. The standard measure of the quality of the randomness generated is called min-entropy and is related to the probability of guessing a number of the generated sequence before it is announced. A good random number generator should be able to produce a bit string with high entropy at high rates.
In general, random number generators can be divided into two categories: pseudorandom number generators (PRNGs) and true random number generators (TRNGs). PRNGs are based on complex mathematical algorithms that simulate randomness, as disclosed in Gentle JE (2003), Random Number Generation and Monte Carlo Methods, Springer. In this case, the privacy or unpredictability of the random numbers is not guaranteed and depends on additional considerations, as disclosed in CH Vincent, “The generation of truly random binary numbers,” J. Physics E, vol. 3, No. 6, pp. 594-598, 1970.
For example, if the seed of the algorithm is known to an adversary, the numbers generated will not be private (Barker E., Kelsey J., Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST SP800-90A, January 2012). Other problems related to the implementation of the algorithm, such as its periodicity or lack of uniformity, can also compromise privacy (L. Bello, “openssl - predictable random number generator”, Debian Security Advisory 1571-1, 2008).
On the other hand, TRNGs are based on one or more physical processes whose results are unpredictable. Some types of TRNGs are LavaRnd (www.lavarnd.org), which digitizes a chaotic light source with a CCD chip, and the Araneus Alea II (www.araneus.fi/products/alea2/en/), which uses a reverse-biased semiconductor junction to generate white Gaussian noise. Random numbers can also be generated by exploiting random phenomena of nature, such as radioactive decay (www.fourmilab.ch/hotbits/) or atmospheric noise (www.random.org). Another option is quantum random number generators (QRNGs), based on the intrinsic uncertainty of the measurement process of quantum systems, as disclosed e.g. in EP1821196.
In all these cases the private randomness or unpredictability of the numbers generated rests on theoretical models that guarantee the security of the generator, assuming its operation is free of anomalies, failures or malicious attacks. In practice, regularities in the numbers generated arise as a result of the inevitable use of non-ideal components in non-ideal conditions, or of periodic disturbances intrinsic to the system, such as temperature fluctuations, human activity and component wear, among others. For this reason the sequence of random numbers generated must be certified in order to guarantee that the generator operates with the desired quality. Statistical test suites for randomness have been created (DieHarder, NIST STS 2.1.2) that look for different types of correlations between the numbers generated. Unfortunately, these tests cannot guarantee the unconditional security of a device, as disclosed in Darren Hurley-Smith and Julio Hernandez-Castro, “Quam Bene Non Quantum: Bias in a Family of Quantum Random Number Generators,” School of Computing, University of Kent, Canterbury CT2 7NF, Kent, UK.
However, there are setups where it is possible for a random number generator to self-certify, that is, to analyse itself continuously during its operation, in order to guarantee unconditional security. In this direction, different proposals have emerged for what is known today as “device-independent QRNGs” (DI-QRNGs), e.g. Davide Rusca, Thomas van Himbeeck, Anthony Martin, Jonatan Bohr Brask, Weixu Shi, Stefano Pironio, Nicolas Brunner, Hugo Zbinden, “Practical self-testing quantum random number generator based on an energy bound,” arXiv:1904.04819, 2019. The DI-QRNGs proposed so far are not practical because they are based on complex quantum information protocols, known as Bell tests, as disclosed in Anatoly Kulikov, Markus Jerger, Anton Potoc̆nik, Andreas Wallraff, and Arkady Fedorov, “Realization of a Quantum Random Generator Certified with the Kochen-Specker Theorem,” Phys. Rev. Lett. 119, 240501, 2017, and require entangled particles. In these cases, the user can certify the generation of true random numbers. Specifically, the amount of min-entropy generated by the system can be estimated directly from the observed data. In this way, the generator self-certifies in real time the randomness or unpredictability of the numbers generated and, therefore, there is no need to perform statistical tests on the generated bit sequence. Unfortunately, in practice, DI-QRNGs require complex, bulky and very expensive hardware, and even with it randomness generation has only been achieved at very low rates (Davide G. Marangon, Giuseppe Vallone, and Paolo Villoresi, “Source-Device-Independent Ultrafast Quantum Random Number Generation,” Phys. Rev. Lett. 118, 060503, 2017), severely limiting applications.
EP 1447740 discloses a microprocessor including a random number generator (RNG) that performs a self-test on reset and selectively enables or disables itself based on the self-test results. The RNG includes a self-test unit that performs the self-test to determine whether the RNG is functioning properly in response to either a power-up or a warm reset. If the self-test fails, the microprocessor disables the RNG. Disabling the RNG may include returning extended function information indicating that the RNG is not present in response to execution of a CPUID instruction, generating a general protection fault in response to execution of a RDMSR or WRMSR instruction specifying an MSR associated with the RNG, or generating an invalid opcode fault in response to execution of an instruction that attempts to obtain random numbers from the RNG. It is thus a device which self-tests at start-up. However, what is tested is not the entropy but some basic characteristics of the device. Moreover, it is not a device based on quantum mechanics but on classical physics, and therefore the self-test procedure is not very precise.
EP 3040853 describes a random number generator (1, 1000) that includes means to measure two continuous observables of an electromagnetic field prepared in a quantum state, and conversion means to obtain, from the measurement of each observable, a first and a second sequence of bits. A processing unit calculates the conditional min-entropy of the random variable associated with the first sequence. A post-processing unit extracts a third sequence of random bits whose length depends on the conditional min-entropy of the first sequence. The output of the post-processing unit is therefore a set of random bits that can be inserted in a data signal, such as a signal that carries a cryptographic key. The invention is also related to a method for generating random numbers. This device is a quantum one but does not perform self-testing. It estimates the entropy of its outcomes, but the estimate is based only on the probability distribution of the output and not on the conditional probability of the outputs given the inputs.
US 2015/227343 describes a system and method for generating random numbers. The system may include a random number generator (RNG), such as a quantum random number generator (QRNG), configured to self-correct or adapt in order to substantially achieve randomness in the output of the RNG. By adapting, the RNG may generate a random number that may be considered random regardless of whether the random number itself is tested as such. As an example, the RNG may include components to monitor one or more characteristics of the RNG during operation, and may use the monitored characteristics as a basis for adapting, or self-correcting, to provide a random number according to one or more performance criteria. This device has input and output parameters, but it does not use them to estimate entropy; it uses them to estimate the efficiency of its operation (according to unspecified criteria) and modifies its input to maximize it. Our device cannot choose its own inputs.
In WO 2018/065593 a device that performs self-certification of randomness is mentioned, but it requires a source which produces one of two possible states with a well-defined overlap.
Accordingly, there is still a need for a technological solution which allows obtaining random numbers with self-testable unpredictability of the generated stream.
The goal of the invention was to provide a generator and methods that enable the generation of an unpredictable string of numbers at high rates, characterized by high entropy which can be self-tested in real time.
The invention is based on physical processes for the generation and detection of quantum states whose final result is intrinsically random. Of particular importance is that the invention tests itself, i.e. it allows the real-time certification of the randomness it generates. In this way the correct functioning of the equipment is always corroborated, and the security of the numbers generated is not conditioned on the implementation of subsequent statistical tests. The scheme is easy to implement, efficient in extracting the final sequence of random numbers, robust against imperfections of the device components, and allows the generation of binary or non-binary random number chains at high generation rates.
The present method and technological device propose a fairly practical quantum true random number generator which is self-certifiable in real time. The device's operation is based on the active manipulation of interferometers. This technology offers in particular ease of implementation, since it requires only standard, commercially available components that can be integrated to build the device. In this way, a reduced integrated system of lower cost and less complexity than the existing ones is proposed. The device offers high rates of randomness generation (of the order of Mbit/s). Another advantage is that the min-entropy of the random bits generated is calculated and monitored in real time, unlike in most existing solutions.
The essential difference of the invention compared to the state of the art is that it constantly monitors the entropy of the generated randomness with a method that requires neither a characterized quantum state source nor measurements with characterized devices. This invention has a wide scope of applicability in the lottery and gaming industry because it guarantees robustness against imperfections of all the components the random number generating device consists of. Any initial problem or tampering with its components will be detected at start-up, and any malfunction or wear will be detected during the device's operation. Accordingly, if the results obtained are not random numbers, the measured entropy will be 0, which will be detected by the invention.
The invention is described in detail in the examples and drawings:
a) System—generator
The device consists of two main parts: (a) the interferometer; and (b) the control unit CU. The interferometer is a well-known apparatus, which is described in the next paragraph. The interferometer constituting part of the device can be modified by placing additional components. The control unit governs the work of the interferometer and self-tests the quality of the randomness produced by the interferometer. The self-test is performed by computing a lower bound on the min-entropy of the output string of numbers.
An interferometer is a device that is used to measure the interference properties of waves in the form of a signal. In
The interferometer has a signal that comes from a source (S) and consists of n paths. The signals can be modified according to the parameters (x1, . . . , xn) in the control components A1, . . . , An. The interference takes place in the interference region (I) and then the signals are measured at the detection stations (D1, . . . , Dm). The number of detectors m is usually, but does not have to be, equal to the number of paths.
The initial signal in the form of a wave is emitted from a source S and travels along two or more paths. The signal can be anything with interference properties, e.g. particles, electric current, light or acoustic waves. In each path, the signal can be modified independently, to change its properties, in the components denoted by A1, . . . , An, according to the configuration of their input parameters (x1, . . . , xn). Then the signals interfere in the interference region (I-region) indicated in
The described invention is based on the interferometer presented in the previous paragraph and a control unit connected to it. The main idea of this invention is based on the fact that, if the device works correctly, for some combinations of input parameters (x1, . . . , xn) from the control unit CU the outcomes of the detection stations should be deterministic and for others completely random. Checking for deviations, and estimating their magnitude, where determinism is expected allows us to quantify the current quality of the device and of the randomness it produces. The outcomes of the device are random in a way which admits self-testing only if the behaviour of the device can be modelled by quantum theory (not by any classical one).
The device comprises the interferometer and the control unit CU, which is presented in
The source of the signal, the basic components of the interferometer (x1, . . . , xn), the optional ones (y1, . . . , yk), the detectors (D1, . . . , Dm) and the additional detection stations (D′1, . . . , D′k), if they exist, are controlled by a control unit CU. $\vec{d}$ stands for the messages from the detectors (D1, . . . , Dm) and, if they exist, (D′1, . . . , D′k) to the CU, and $\vec{x}$ for all the inputs, i.e. the parameters (x1, . . . , xn) and, if they exist, the additional parameters (y1, . . . , yk). The control unit CU itself has four main components: the timer T, hardware driver HD, memory M and computing processor CP, all communicating via electrical wires.
According to the
As is presented in the
As is presented in the
The internal structure of the control unit CU is shown in
The CP also uses a randomness extractor (a well-known mathematical function) to obtain from $\vec{d}$ the value of $\vec{x}$, which is sent to the memory M and will be used for the settings of the components A1, . . . , An and B1, . . . , Bk in the next step.
Self-Testing. Part 1: Estimation of the Probability Distribution $p(\vec{d}\,|\,\vec{x})$
The method used to establish and update $H_{\min}(\vec{d}\,|\,\vec{x})$ based on $\vec{d}$ and $\vec{x}$ works in the following way:
The control unit CU stores in its memory M the values of $\vec{d}$ and $\vec{x}$ for the last $N_0$ steps. $N_0$ is a free parameter chosen by the user. In each step the next pair of $\vec{d}$ and $\vec{x}$ is added and the one which has been in memory the longest is removed. The current content of the memory is a list of pairs $(\vec{d}_i, \vec{x}_i)_{i=1,\dots,N_0}$ and the value of $\vec{x}$ for the next step. The value of $H_{\min}(\vec{d}\,|\,\vec{x})$ returned in any given step is then a lower bound on the average min-entropy of $\vec{d}$ for the block of the last $N_0$ steps.
First, the conditional probability distribution $p(\vec{d}\,|\,\vec{x})$ of $\vec{d}$ as a function of $\vec{x}$ is estimated by the control unit CU. It is taken to be equal to the frequency of any given value of $\vec{d}$ for any particular $\vec{x}$ in the block of the last $N_0$ steps and is given by the formula:
where $\delta(a, b)$ is the Kronecker delta, equal to 1 if $a=b$ and 0 otherwise.
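The sliding-window estimator of Part 1 as an added example (not the patent's own code): the block of the last $N_0$ pairs is kept in a queue, $p(\vec{d}\,|\,\vec{x})$ is maintained incrementally from per-setting counters, and the same value is recomputed as the Kronecker-delta sum for cross-checking. The sample stream is constructed, not measured; $d$ and $x$ may be any hashable values, for instance tuples of detector messages.

```python
from collections import deque

def kronecker(a, b):
    """Kronecker delta delta(a, b): 1 if a == b, 0 otherwise (a, b may be tuples)."""
    return 1 if a == b else 0

class ConditionalFrequencyEstimator:
    """Sliding-window estimate of p(d|x) over the last N0 (d, x) pairs.
    d and x are the (hashable) detector messages and input settings of one step."""

    def __init__(self, n0):
        self.n0 = n0
        self.window = deque()      # the block: oldest pair on the left
        self.counts = {}           # (x, d) -> occurrences in the block
        self.totals = {}           # x -> occurrences of setting x in the block

    def push(self, d, x):
        """Store the newest pair; drop the pair that has been in memory longest."""
        self.window.append((d, x))
        self.counts[(x, d)] = self.counts.get((x, d), 0) + 1
        self.totals[x] = self.totals.get(x, 0) + 1
        if len(self.window) > self.n0:
            old_d, old_x = self.window.popleft()
            self.counts[(old_x, old_d)] -= 1
            self.totals[old_x] -= 1

    def prob(self, d, x):
        """p(d|x): frequency of d among the block's steps that used setting x."""
        n_x = self.totals.get(x, 0)
        if n_x == 0:
            return None            # setting x never used in this block: undefined
        return self.counts.get((x, d), 0) / n_x

    def prob_by_formula(self, d, x):
        """Same value written as the Kronecker-delta sums over the block."""
        num = sum(kronecker(d, d_i) * kronecker(x, x_i) for d_i, x_i in self.window)
        den = sum(kronecker(x, x_i) for _, x_i in self.window)
        return num / den if den else None

    def distribution(self):
        """Every estimated p(d|x) of the current block, keyed by (d, x)."""
        return {(d, x): n / self.totals[x] for (x, d), n in self.counts.items() if n}

def constructed_stream(steps):
    """Constructed sample data, not measurements: setting x alternates 0/1;
    x=0 is a setting expected to be deterministic (always detector 0),
    x=1 a setting expected to be random (cycles through detectors 0..3)."""
    for i in range(steps):
        x = i % 2
        yield (0 if x == 0 else (i // 2) % 4), x

def estimate_from_stream(n0, steps):
    """Feed `steps` constructed pairs through an estimator with block size n0."""
    est = ConditionalFrequencyEstimator(n0)
    for d, x in constructed_stream(steps):
        est.push(d, x)
    return est

if __name__ == "__main__":
    print(estimate_from_stream(8, 12).distribution())   # p(0|0)=1.0, p(d|1)=0.25 each
```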
Self-Testing. Part 2: Estimation of the Min-Entropy $H_{\min}(\vec{d}\,|\,\vec{x})$
We will call $p(\vec{d}\,|\,\vec{x})$ the observed probability distribution and assume it to arise from underlying probabilities $p_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$. There are two kinds of parameters here to which we do not have direct access:
The control unit CU stores in its memory a finite set of pairs $p_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$ and $H_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$, which were calculated previously by modelling the behaviour of the device as a function of $\gamma$ and $\vec{\lambda}$. The exact parametrization of the device by $\gamma$ and $\vec{\lambda}$ and their ranges depend on the choice of the security paradigm. For example, in order to model the device we may assume that there are no rapid changes in the parameters of the device and $\vec{\lambda}$ is constant, or that the signal source always produces single photons. The device can store more than one set, and the user can switch between different paradigms, trading the level of security for higher randomness generation rates. To make the set of pairs $p_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$ and $H_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$ finite, the parameters $\gamma$ and $\vec{\lambda}$ may need to be coarse-grained. Then for every value of $\gamma$ and $\vec{\lambda}$, $p_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$ is calculated. Then $H_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda})$ is taken to be the minimal min-entropy of the probabilities $p_\Gamma(\vec{d}\,|\,\vec{x}, \vec{\Lambda})$, where $\Gamma$ and $\vec{\Lambda}$ denote the sets of values which, when coarse-grained, yield $\gamma$ and $\vec{\lambda}$ respectively, i.e.:
Let us denote the probability distribution of $\vec{\lambda}$ as $p(\vec{\lambda})$. Then the min-entropy of a potential adversary for a particular value of $\gamma$ is lower bounded by
$$H_\gamma(\vec{d}\,|\,\vec{x}) = \sum_{\vec{\lambda}} p(\vec{\lambda})\, H_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda}) \qquad (*)$$
The observed probability distribution for a particular value of $\gamma$ is then
$$p_\gamma(\vec{d}\,|\,\vec{x}) = \sum_{\vec{\lambda}} p(\vec{\lambda})\, p_\gamma(\vec{d}\,|\,\vec{x}, \vec{\lambda}).$$
Now the control unit CU can perform linear programming to find the minimum of (*) under the constraint that $|p_\gamma(\vec{d}\,|\,\vec{x}) - p(\vec{d}\,|\,\vec{x})| < \epsilon$, where $\epsilon$ is a constant implied by the coarse-graining chosen. The meaning of this constraint is that the linear program tries to find the lowest min-entropy $H_\gamma(\vec{d}\,|\,\vec{x})$ compatible with the observed probability distribution. After solving the linear program for all values of $\gamma$, the lower bound on $H_{\min}(\vec{d}\,|\,\vec{x})$ is taken to be the minimum over all values of $\gamma$, i.e.
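An added worked instance of the Part 2 programme (not the patent's own code): with two coarse-grained values of $\vec{\lambda}$ the only free variable is $q = p(\vec{\lambda}=0)$, each constraint $|p_\gamma(\vec{d}\,|\,\vec{x}) - p(\vec{d}\,|\,\vec{x})| \le \epsilon$ cuts an interval out of $[0,1]$, and because (*) is linear in $q$ its minimum lies at an end of the feasible interval, so the linear program is solved exactly without a solver. The model tables $p_\gamma$, $H_\gamma$, the two paradigms, the observed distribution and $\epsilon$ are all constructed; the rule that an observation compatible with no $\gamma$ certifies 0 bits is an assumption of this example.

```python
TOL = 1e-12

def feasible_interval(model_probs, observed, eps):
    """Interval [q_lo, q_hi] of q = p(lambda=0) such that for every (d, x)
    |q*p(d|x,0) + (1-q)*p(d|x,1) - p_obs(d|x)| <= eps, or None if it is empty."""
    q_lo, q_hi = 0.0, 1.0
    for key, p_obs in observed.items():
        a, b = model_probs[0][key], model_probs[1][key]   # lambda=0 and lambda=1
        lo, hi = p_obs - eps, p_obs + eps
        if abs(a - b) < TOL:                 # mixture b + q*(a-b) does not depend on q
            if not (lo - TOL <= b <= hi + TOL):
                return None
            continue
        q1, q2 = (lo - b) / (a - b), (hi - b) / (a - b)
        q_lo, q_hi = max(q_lo, min(q1, q2)), min(q_hi, max(q1, q2))
    return (q_lo, q_hi) if q_lo <= q_hi + TOL else None

def min_entropy_for_gamma(model_probs, model_H, observed, eps):
    """Minimise (*) = q*H(.|.,0) + (1-q)*H(.|.,1) over the feasible q.
    The objective is linear in q, so the minimum sits at an interval end."""
    interval = feasible_interval(model_probs, observed, eps)
    if interval is None:
        return None                          # no p(lambda) explains the data
    return min(q * model_H[0] + (1 - q) * model_H[1] for q in interval)

def min_entropy_bound(paradigms, observed, eps):
    """Lower bound on Hmin(d|x): minimum over all gamma of the per-gamma minimum.
    Assumption of this example: if no gamma is feasible, 0 bits are certified."""
    values = [min_entropy_for_gamma(p, h, observed, eps) for p, h in paradigms.values()]
    values = [v for v in values if v is not None]
    return min(values) if values else 0.0

# Constructed model tables, keyed by (d, x): x=0 is the setting expected to be
# deterministic, x=1 the setting expected to give uniform clicks on two detectors.
IDEAL = {(0, 0): 1.0, (1, 0): 0.0, (0, 1): 0.5, (1, 1): 0.5}
FAULTY = {(0, 0): 0.5, (1, 0): 0.5, (0, 1): 0.5, (1, 1): 0.5}    # classical, predictable
LOSSY = {(0, 0): 0.95, (1, 0): 0.05, (0, 1): 0.5, (1, 1): 0.5}   # imperfect interference
PARADIGMS = {                                  # gamma -> (probs per lambda, H per lambda)
    "single-photon": ([IDEAL, FAULTY], [1.0, 0.0]),
    "multi-photon": ([LOSSY, FAULTY], [0.8, 0.0]),
}
EPS = 0.05
OBSERVED = {(0, 0): 0.9, (1, 0): 0.1, (0, 1): 0.5, (1, 1): 0.5}         # Part 1 output
OBSERVED_BROKEN = {(0, 0): 0.3, (1, 0): 0.7, (0, 1): 0.5, (1, 1): 0.5}  # device gone wrong

if __name__ == "__main__":
    for name, (probs, H) in PARADIGMS.items():
        print(name, min_entropy_for_gamma(probs, H, OBSERVED, EPS))
    print("certified bound:", min_entropy_bound(PARADIGMS, OBSERVED, EPS))
    print("broken device:", min_entropy_bound(PARADIGMS, OBSERVED_BROKEN, EPS))
```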
The preferred embodiment of the invention (shown in
The user of the device is a lottery, which needs random numbers for the results of a draw. It starts the procedure of obtaining them by sending a signal to the control unit CU of the device to produce the numbers.
The role of the control unit CU is played by a field-programmable gate array (FPGA) electronic unit. It contains all the necessary elements of the control unit CU: the memory M, timer T, hardware driver HD and computing processor CP. The FPGA unit controls and synchronises the signal source S, the signal-modifying components A and B and the detectors D.
After the light is emitted from the laser, optical attenuators are used to reduce the initial signal intensity. The attenuators set the average number of photons per pulse to μ=0.2. In this case, the source can be seen as a good approximation of a nondeterministic source of single photons. We use the standard ket notation of quantum information and describe the state of light after a single photon is generated by $|x_0\rangle = |0\rangle$.
After the attenuators, the signal is split into four paths using a 4×4 multi-port beam splitter unit (MBS0). This unit consists of a commercial demultiplexer (DEMUX) device, with 1 fibre as input and 4 independent fibres as output. It implements a 4-dimensional Hadamard gate operation:
The quantum state of light after it leaves the source is
where $|k\rangle$ is the mode representing the photon in the k-th path.
The device follows the schematics from
The role of the components B1, . . . , B4 is played by another set of—phase modulators (PM) connected to each of—fibres. The role of the parameters (y1, . . . , y4) is played by the phases ϕ0A, ϕ1A, ϕ2A, ϕ3A. The FPGA controls ϕ0A, ϕ1A, ϕ2A, ϕ3A by applying different voltages to the drivers of the PMs. After passing through the components B1, . . . , B4 the state of light becomes
The role of the interference region I is played by another 4×4 multi-port beam splitter unit (MBS1), built in the same way as MBS0 and performing the same transformation. After that, the state of light becomes
Then the light is measured by the detectors. Photons in mode $|0\rangle$ are measured by the detector D1, those in $|1\rangle$ by the detector D2, those in $|2\rangle$ by the detector D3, and those in $|3\rangle$ by the detector D4. The detectors are triggered commercial InGaAs single-photon avalanche detectors.
The detectors send the measurement outcomes to the FPGA, which estimates the min-entropy $H_{\min}(\vec{d}\,|\,\vec{x})$. The FPGA post-processes $\vec{d}$ with a well-known method of randomness extraction, which takes as input $\vec{d}$ and $H_{\min}(\vec{d}\,|\,\vec{x})$ and produces a string of random numbers $\vec{r}$ of arbitrary quality. Next, the FPGA returns $\vec{r}$ to the user, which can use the numbers in $\vec{r}$ for the results of the lottery draw.
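An added simulation of the embodiment's optical path (not the patent's code, and the page does not give the MBS matrix): it assumes MBS0 and MBS1 both implement the real 4×4 Sylvester-Hadamard matrix and that all components are lossless and noise-free; the two phase settings and the phase error are constructed. It shows a setting where D1 fires deterministically (the kind of setting the self-test checks), a setting where all four detectors are equally likely (2 bits of min-entropy per photon, a non-binary outcome), and how a phase error on the deterministic setting leaks probability to the other detectors, which is the deviation Part 1 would register.

```python
import cmath
import math

# Assumption (not stated on the page): MBS0 and MBS1 are the real 4x4 Sylvester-Hadamard.
H4 = [[0.5 * s for s in row] for row in
      ([1, 1, 1, 1], [1, -1, 1, -1], [1, 1, -1, -1], [1, -1, -1, 1])]

# Constructed phase settings (phi0A..phi3A): one deterministic, one uniformly random.
DETERMINISTIC_SETTING = (0.0, 0.0, 0.0, 0.0)
RANDOM_SETTING = (0.0, math.pi / 2, math.pi, math.pi / 2)

def apply(matrix, vec):
    """Multiply a 4x4 real matrix by a 4-component complex amplitude vector."""
    return [sum(matrix[i][j] * vec[j] for j in range(4)) for i in range(4)]

def detection_probabilities(phases):
    """Single photon |0> -> MBS0 -> phase modulators -> MBS1 -> detectors D1..D4.
    Returns the click probability of each detector (Born rule, lossless setup)."""
    state = [1 + 0j, 0j, 0j, 0j]                  # |x0> = |0>: photon on the DEMUX input
    state = apply(H4, state)                        # MBS0: equal superposition over 4 fibres
    state = [cmath.exp(1j * ph) * amp for ph, amp in zip(phases, state)]   # PMs set y1..y4
    state = apply(H4, state)                        # MBS1: interference region I
    return [abs(amp) ** 2 for amp in state]

def min_entropy_bits(probs):
    """Min-entropy of one detection event: -log2 of the most likely outcome."""
    return -math.log2(max(probs))

def phase_error_leakage(delta):
    """Probability that the deterministic setting with a phase error delta on path 1
    fires a detector other than D1, i.e. the deviation the self-test is meant to catch."""
    probs = detection_probabilities((0.0, delta, 0.0, 0.0))
    return 1.0 - probs[0]

if __name__ == "__main__":
    for name, setting in (("deterministic", DETERMINISTIC_SETTING), ("random", RANDOM_SETTING)):
        p = detection_probabilities(setting)
        print(name, [round(v, 4) for v in p], "Hmin =", round(min_entropy_bits(p), 4), "bits")
    print("leakage for a 0.1 rad phase error:", round(phase_error_leakage(0.1), 6))
```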
The inventors acknowledge the support of Foundation for Polish Science through grant First TEAM/2016-1/5.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/PL2020/050032 | 4/24/2020 | WO | |