The present invention relates to a method for diagnosing the functioning of a random number generator, more particularly for estimating the entropy of the RNG in real time, and even more particularly for health check of random number generators.
In general, the present invention is in the context of the generation of random numbers. Many tasks in modern science and technology make use of random numbers, including simulation, statistical sampling, gaming applications, and cryptography, both classical and quantum. A good random number generator should produce a sequence of bits with high entropy at a high rate. By high entropy, it is meant that nobody can predict the value of a bit before the bit is revealed; entropy can also be understood as randomness. This is an essential requirement in most modern cryptographic algorithms and protocols. Indeed, all the cryptographic protocols commonly employed, such as the DSA, RSA and Diffie-Hellman algorithms, follow Kerckhoffs' principle, which dates back to the 19th century and states that the security of a cypher must reside entirely in the key, i.e. in the random sequence used as secret, which is fully unpredictable. It is therefore of particular importance that the key used in a cryptographic algorithm is secure, which in practice requires it to be chosen perfectly at random, i.e. randomly generated.
Nowadays many types of true random number generators are commercially used. In cryptography, the term “true random” is used to emphasize that a random number generator produces real, genuinely random bits, not pseudo-random or random-looking bits. Currently, if a random number generator has a good physical entropy source and a good extraction method, the security of which is supported by theoretical evidence, then it can be called a true random number generator. Such generators use their own physical entropy source, which generates unpredictable random signals or bit sequences. However, the physical entropy generation principle is complex and not clear, and it is hard to make a proper estimation of the quality of the entropy provided.
In addition, besides the main entropy noise generated by the entropy generation principle, the entropy output is also affected by various additional noises, e.g. from physical or electronic components, which accumulate with the other noise. The additional noises can be deterministic, i.e. predictable, or out of control, or even beyond interpretation, so as to render the entropy measurement impossible. Therefore, for a proper entropy estimation it is better to minimize or remove the contribution of these additional noises.
Furthermore, in order to provide a good random number generator, i.e. a ‘secure’ and ‘real random and of high entropy’ RNG, it is important to detect an entropy quality drop or failure immediately when it occurs so as to be able to correct it as soon as possible. The most common way to handle this is to apply statistical health check functions such as “repetition count test” and “adaptive proportion test” in the NIST SP800-90B as explained in “Recommendation for the Entropy Sources Used for Random Bit Generation”, Turan et al. January 2018. Such health functions detect a statistical anomaly by checking if less typical or improbable bit sequences occur continuously or often.
However, for random number generators whose entropy source, for whatever reason, is still able to generate patterns that are not too heavily biased, or that are well-mixed or random-looking, this statistical method is not able to detect the entropy failure.
Therefore, in order to recognize the entropy quality drop, additional treatment is necessary, such as a real-time entropy estimation by monitoring various parameters of physical components or other signatures which can prove the entropy quality. In this way, to enhance security, the entropy output is transmitted to the next steps, for example a post-processing or user applications, only when the statistical test and the entropy estimation give an acceptable entropy measurement.
Most commercial random number generators are not able to compute the entropy amount in real time; they only apply the above-mentioned statistical health check functions as requested in the cryptographic standards. Some advanced random number generators, like quantum random number generators, make it possible to measure the actual entropy amount based on the entropy generation principle. However, due to the complexity of the entropy generation theory and implementation, the entropy computation takes a long period of time and impedes the real-time measurement. Indeed, in order to check the entropy quality, it is usually required to use bulky external devices to analyze the signal, the noises and the current status of various components. Mostly, this is only available in the lab, and after deployment a real-time entropy estimation usually is not possible.
In particular, the patent US20180260192, “Device and method for managing performance of quantum noise-based random number generator” shows a conventional calibration method of the light and the CMOS Image Sensor for maintaining the entropy quality. Specifically, it is described that first the light is turned off, then the classical noise level is measured and finally the level of the classical noise is adjusted by controlling different electronic components, such as the Analog-to-Digital Converter offset, the analog gain, the exposure time and the like.
According to this prior art, the level of the classical noise in the Quantum Random Number Generator is measured only for lifting up the Analog-to-Digital Converter offset in such a way as not to see the classical noise anymore. However, classical noises are already mixed into the input signal prior to the Analog-to-Digital Converter, and thus lifting up the Analog-to-Digital Converter offset neither reduces classical noise nor makes quantum noise dominant.
There is therefore a need to calculate the additional statistics, i.e. not only the mean but also the variance, of the classical noise of a Random Number Generator and use it for computing the quantum entropy of the Random Number Generator.
In this regard, a primary object of the invention is to solve the above-mentioned problems and more particularly to provide an efficient way of estimating the quantum entropy by minimizing or removing the contribution of additional classical noises, and provide a diagnosis or health check method, which is based on a real-time entropy estimation in addition to a statistical health test.
In addition, the present invention also provides an effective way to reduce the classical noise contribution while keeping the quantum noise contribution dominant, instead of stopping the entropy generation when the classical noise contribution is high.
The present invention provides an efficient way to calculate a pure quantum entropy in real time and then use this information for checking if the physical entropy source generates sufficient entropy. In addition, the present invention provides an efficient way to reduce classical noise contribution to the entropy and make quantum noise contribution to the entropy dominant.
A first aspect of the invention relates to an entropy measurement method comprising the steps of a start-up phase comprising powering on the entropy source unit, a signal emitting step comprising emitting a quantum signal characterized by an overall noise made of classical noise and quantum noise, a noise measurement step comprising measuring the statistics of overall noise through active pixels upon illumination and the statistics of classical noise through non-illuminated pixels, a quantum noise calculation step comprising calculating the quantum noise based on the difference between the overall noise and the classical noise, an entropy estimation step comprising comparing the resulting quantum noise to an expected quantum noise and/or a predetermined threshold, and a health check step controlling the entropy source unit based on the result of the entropy estimation step.
Advantageously, the classical noise detection step comprises detecting said classical noise through at least one optical dark pixel.
In such manner the classical noise and the overall noise are preferably detected simultaneously.
Alternatively, the classical noise detection step comprises periodically turning on and off the light source and detecting said classical noise through at least one active pixel when the light is turned off.
In this case, the entropy measurement method preferably comprises a memorizing step comprising storing the statistics of the photon detection in a memory during the light switch-off, until the classical noise statistics are obtained.
Preferably, if a small quality drop is measured, the health check step indicates the entropy amount to the user and checks the next samples.
According to a preferred embodiment of the present invention, if a quality drop beyond a predetermined threshold is measured, the health check step blocks the output of the corresponding entropy bits, indicates the entropy amount to the user and checks the next samples.
Advantageously, if a continuous quality drop above the threshold is measured, the health check step detects a total failure, blocks the output of the corresponding entropy bits and restarts/resets the quantum entropy source.
According to a preferred embodiment of the present invention, if a continuous quality drop above the threshold is measured even after the restart, the health check detects a repeated total failure and informs that the system is at the end of life.
Preferably, the at least one ODP is one pixel or a pixel array of multiple pixels.
Advantageously, the entropy measurement method further comprises an additional noise measurement and minimization step where the noises originate from the group comprising after-pulse noise, additional digitization process, format or unit converting and the like.
Preferably, the entropy measurement method further comprises an ADC sensitivity modulation step adapted to reduce the sensitivity of the ADC when the statistics of the classical noise are above a predetermined threshold.
According to a preferred embodiment of the present invention, the ADC sensitivity modulation step can occur before or after the entropy estimation step.
Advantageously, the method of the present invention provides the information on whether or not the entropy amount and/or entropy level have passed or failed the test, and on whether or not to continue with the next steps for the generation of the true random numbers.
Preferably, the method of the present invention is applied to all quantum random number generators using as entropy generation principle the quantum shot noise of the light.
According to a preferred embodiment of the present invention, it is possible to compute the statistics of the quantum entropy signal and the classical noise at the same time and separately.
Thanks to the present invention, the statistics measured for the quantum and the classical signals make it possible to obtain the actual quantum entropy amount and to detect the quantum entropy failure in real time.
Thanks to the present invention, it is easy to manage the entire classical noise level by controlling the sensitivity of the Analog-to-Digital Converter.
Further particular advantages and features of the invention will become more apparent from the following non-limitative description of at least one embodiment of the invention which will refer to the accompanying drawings, wherein
The present detailed description is intended to illustrate the invention in a non-limitative manner since any feature of an embodiment may be combined with any other feature of a different embodiment in an advantageous manner.
The main aspect of the invention is to measure/detect classical noise's statistics. In order to do this one has to read only the classical noise signal which is not affected by light illumination. To achieve this, the invention comprises two alternatives. The first one is to use shielded optical dark pixels which are additionally put in place as shown in
The important aspect of the invention here is that, when one measures the classical noise statistics, it is necessary to ensure that no light reaches the pixels. In this regard two alternatives are possible. The first, in 1a, is the case in which additional well-shielded ODPs are put in place together with the active pixel array. It is possible to measure the classical noise statistics from the ODPs without turning off the light, and thus at the same time the active pixels can generate entropy bits based on the photon number fluctuation. Alternatively, in
More particularly, according to the first embodiment of the present invention shown in
The ODP can be one pixel or a pixel array of multiple pixels. ODPs are usually placed next to dummy pixels and covered by a metal shield. Their physical operation is the same as the normal operation of pixels in the CIS. All of their outputs are given to the ADC according to the read-out clock management. Therefore, a function for the ODP can gather these outputs and compute the mean and the variance of the classical noises. Another function for the active pixel array will gather the outputs and compute the mean and the variance of the overall (quantum and classical) noises in the same manner.
Depending on the way the pixel outputs are read out, the outputs of each active pixel and each optical dark pixel in a whole frame can be transferred sequentially or in parallel. When there is one ADC placed in the CIS module, all those pixel outputs should be transferred to the ADC sequentially. However, if there are multiple ADCs, they can be disposed in parallel. In any case, in order to get the statistics of the active pixel outputs and the optical dark pixels, a sufficient number of outputs needs to be counted. Therefore, depending on the number of pixels in the active array and the ODP array, a part of a frame, a single frame or multiple frames should be used.
Optical dark pixels refer to pixels that are shielded from radiation that is incident upon a surface of an optical sensor. An optical dark pixel is a photo-diode in a shielded zone as shown in
In this way, it is not necessary to turn off the light for measuring the classical noise outputs.
Indeed, the digitized outputs of the optical dark pixel represent the level of the entire additional classical noises from the electronic components, including the Analog-to-Digital Converter noise as well as the analogue signals before the ADC containing classical noises such as dark noises on the pixel, read-out noise on the circuit and cross-talk between circuits. In addition, during the digitization process, the ADC makes additional electric noises and digitization distortions. By reading these outputs, various statistics for the entire classical noise are obtained. By various statistics, it is meant the mean and the variance.
In particular, by subtracting the statistics of the ODPs, which only contain classical noises, from the statistics of the active pixels' outputs, an estimation of the quantum entropy can be derived. Such estimation represents the entropy given only by the light source and is therefore a more correct estimation.
It is important to note that the active pixel outputs are the ADC digitization of the convolution of the quantum signal and the classical noise signal.
If the statistics of the classical noise are too high, or higher than their thresholds, the sensitivity of the ADC can be reduced. The thresholds are not fixed: one can set the thresholds for the mean and the variance of the classical noises output from the ODPs in order to keep the influence of classical noises negligible. A bigger variance always implies a bigger entropy. However, as mentioned before, the classical noises might not be random but just look random. Therefore, the fluctuation of classical noises should preferably be maintained as low as possible, under a certain threshold. Such reduction is obtained by enlarging the input voltage range of the ADC; with this setting the classical noise signal becomes weakened and squeezed. Consequently, the statistics get smaller. In this scenario, the fluctuations of the quantum signal should be kept at a value high enough to provide good randomness even with this lower sensitivity of the ADC. This can be realized by increasing the intensity of the light. (See also the prior art previously mentioned.)
After the above, if the classical noise level is within an acceptable level, the entropy estimation phase can start. To simplify, it is assumed that the digitized quantum and classical noises follow a normal distribution and are independent of each other. From the outputs of the active pixels and the ODPs, the mean and the variance of the pixel outputs $(E_{\mathrm{pixel}}, V_{\mathrm{pixel}})$ and of the classical noises $(E_{\mathrm{ODP}}, V_{\mathrm{ODP}})$ will be computed as reported in the following.
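By considering that
$$E_{\mathrm{pixel}} = E_{\mathrm{Quantum}} + E_{\mathrm{Classical}},$$
$$V_{\mathrm{pixel}} = V_{\mathrm{Quantum}} + V_{\mathrm{Classical}},$$
$$E_{\mathrm{ODP}} = E_{\mathrm{Classical}},$$
and
$$V_{\mathrm{ODP}} = V_{\mathrm{Classical}},$$
the following can be derived:
$$E_{\mathrm{Quantum}} = E_{\mathrm{pixel}} - E_{\mathrm{ODP}} \quad\text{and}\quad V_{\mathrm{Quantum}} = V_{\mathrm{pixel}} - V_{\mathrm{ODP}}.$$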
Based on $(E_{\mathrm{Quantum}}, V_{\mathrm{Quantum}})$, the entropy of the quantum signal is eventually computed.
Once $(E_{\mathrm{Quantum}}, V_{\mathrm{Quantum}})$ is calculated, a probability distribution can be derived, and the entropy can be computed. More particularly, for given $E$ and $V$, one can get the probability distribution $\{p_i\}$, based on which one can compute the Shannon entropy, $H = -\sum_i p_i \log_2(p_i)$, or the min-entropy, $H = -\log_2(p_{\max})$.
For practical efficiency, only meaningful $p_i$ are taken into account. For example, negligible probabilities less than $10^{-1}$ or $10^{-2}$ are ignored in this calculation. The entropy so obtained is compared with a predefined threshold value to check its quality.
Generally speaking, the predefined threshold for the entropy per bit should be set by the quality of the physical entropy source measured by a long-term test and also by how much entropy should be requested at minimum. By a long-term test, one can find a reliable range of the entropy per bit. For example, if the physical entropy source generates an entropy per bit greater than 0.9 most of the time, then the threshold could be 0.9 or less. Considering the case that the quality of the physical entropy gets gradually worse but still generates entropy good enough for any requirement, for example 0.5, then one can set the second threshold in between 0.9 and 0.5. These layered thresholds should be set accordingly by alarm severities, for example weak, instant, strong, permanent, and the like.
Alternatively, the predefined threshold value can be set directly on the pair $(E_{\mathrm{Quantum}}, V_{\mathrm{Quantum}})$, instead of on the entropy value itself.
Depending on the measured entropy, the health check function can be set to perform different levels of check, as indicated in the list below.
Alternatively, it is also possible to put several thresholds in order to define multiple types of failures (weak, strong, instant and the like) and the corresponding reactions.
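The estimation and health check flow described above, written out as an added example that is not part of the patent text. It assumes a 10-bit ADC, the normal model stated in the description, and a hypothetical limit of three consecutive failing estimates before a restart; all function, class and parameter names and the sample values are illustrative.

```python
import math
from statistics import fmean, pvariance

def quantum_stats(active, dark):
    """(E_Quantum, V_Quantum): active-pixel statistics minus ODP statistics."""
    return fmean(active) - fmean(dark), pvariance(active) - pvariance(dark)

def _cdf(x, mean, var):
    return 0.5 * (1.0 + math.erf((x - mean) / math.sqrt(2.0 * var)))

def entropy_estimate(e_q, v_q, adc_bits=10, cutoff=1e-2):
    """Shannon and min-entropy (bits per sample) of N(e_q, v_q) binned onto
    ADC codes. p_i below `cutoff` are ignored in the Shannon sum, which can
    only lower the estimate."""
    if v_q <= 0:  # classical noise accounts for all observed fluctuation
        return 0.0, 0.0
    top = 2 ** adc_bits - 1
    probs = [_cdf(k + 0.5, e_q, v_q) - _cdf(k - 0.5, e_q, v_q)
             for k in range(1, top)]
    probs.append(_cdf(0.5, e_q, v_q))              # mass clipped at code 0
    probs.append(1.0 - _cdf(top - 0.5, e_q, v_q))  # mass clipped at full scale
    shannon = -sum(p * math.log2(p) for p in probs if p >= cutoff)
    return shannon, -math.log2(max(probs))

class HealthCheck:
    """Layered reaction: small drop -> report only; drop beyond the blocking
    threshold -> block output; continuous drop -> restart the source;
    continuous drop again after the restart -> end of life."""
    def __init__(self, warn, block, max_consecutive=3):  # limit is assumed
        self.warn, self.block = warn, block
        self.max_consecutive = max_consecutive
        self.bad_run, self.restarted = 0, False

    def check(self, h):
        """h: entropy estimate in the same unit as the two thresholds."""
        if h >= self.block:
            self.bad_run, self.restarted = 0, False
            return "pass" if h >= self.warn else "warn"
        self.bad_run += 1
        if self.bad_run < self.max_consecutive:
            return "block"
        self.bad_run = 0
        if self.restarted:
            return "end_of_life"
        self.restarted = True
        return "restart"

if __name__ == "__main__":
    import random
    rng = random.Random(7)  # constructed frames, not real sensor data
    dark = [round(rng.gauss(64, 2)) for _ in range(4096)]
    active = [round(rng.gauss(512, math.sqrt(4 + 36))) for _ in range(4096)]
    e_q, v_q = quantum_stats(active, dark)
    shannon, h_min = entropy_estimate(e_q, v_q)
    hc = HealthCheck(warn=3.5, block=2.0)  # bits per sample, constructed
    print(f"E_Q={e_q:.1f} V_Q={v_q:.1f} H={shannon:.2f} "
          f"H_min={h_min:.2f} -> {hc.check(h_min)}")
```

The min-entropy depends only on the largest bin probability, so the cutoff affects the Shannon figure alone; a non-positive quantum variance is reported as zero entropy rather than raising an error.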
Alternatively, as shown in
When the light source is turned off, the same procedure as described above can be applied to measure the classical noise statistics. As a matter of fact, without ODPs, to get $E_{\mathrm{Quantum}}$ and $V_{\mathrm{Quantum}}$, one has to know $E_{\mathrm{pixel}}$, $V_{\mathrm{pixel}}$ and $E_{\mathrm{Classical}}$, $V_{\mathrm{Classical}}$. The former and the latter should be computed with and without light, respectively. For this reason, the light is alternately turned on and off.
However, in this case, in order to estimate the quantum entropy, it is necessary to store the statistics of the photon detection in a memory until the classical noise statistics are obtained, as they require the light to be switched off. Once the statistics of the photon detection are measured for both the quantum and classical regimes, the entropy estimation will be calculated and used as described above.
In conclusion, to measure the classical noise statistics, one has to read pixel outputs with no effect of light on the pixels. If ODPs are available, then one can do this without turning off the light, that is, while still running the active pixels, since the ODPs are all shielded and thus only classical noises affect the ODP outputs. However, if there is no additional ODP, the alternative is to turn off the light for a while and read outputs from the active pixels to see the classical noise statistics.
While the embodiments have been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, this disclosure is intended to embrace all such alternatives, modifications, equivalents and variations that are within the scope of this disclosure. This is for example particularly the case regarding the different apparatuses which can be used.
Number | Date | Country | Kind |
---|---|---|---|
20214383.0 | Dec 2020 | EP | regional |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2021/081964 | 11/17/2021 | WO |