Slashdot Mirror

← Back to Stories (view on slashdot.org)

Physicists Turn 8MP Smartphone Camera Into a Quantum Random Number Generator

Posted by Soulskill on from the more-than-one-way-to-skin-schrodinger's-cat dept.

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."

52 of 104 comments (clear)

  1. Oldest news ever by Anonymous Coward · · Score: 3, Insightful

    This was done many years ago with a webcam as the LavaRand/LavaRnd project (which copied the Lavalamp PRNG).

    1. Re:Oldest news ever by Anonymous Coward · · Score: 1

      That's a completely different method. There the source of randomness is thermodynamic entropy. Even though a lava lamp seems so small, the degree of complexity is still more than can be perfectly simulated (bit for bit) by even the fastest computer imaginable. (Remember, the lava lamp isn't a closed system.) What's interesting about thermodynamic entropy is that even _if_ you could measure all the input variables, you still couldn't _predict_ all the output variables any faster than the system itself evolves. Which makes it unpredictable by definition.

      With the smartphone camera the source of alleged randomness is quantum entropy. This is an entirely different beast. Some neophytes don't want to believe that quantum randomness exists. But even if you don't believe in quantum randomness--and instead believe there are hidden variables--as I mentioned before it doesn't then follow that randomness (aka unpredictability) doesn't exist at all.

  2. Seed by ldbapp · · Score: 1

    What's the universe's seed?

    1. Re:Seed by Anonymous Coward · · Score: 4, Insightful

      42

  3. Always? by peon_a-z,A-Z,0-9$_+! · · Score: 1, Interesting

    The approach is based on the fact that the emission of a photon is a quantum process that is always random.

    Macroscopically it sure seems random, but the underlying quantum physics show that it is still a deterministic process. Just because we don't have the right instruments to easily observe it doesn't make it have magic properties.

    1. Re:Always? by Anonymous Coward · · Score: 2, Informative

      You've got that a bit backwards. The underlying quantum physics concludes that everything is a random possibility in a range of probabilities, but that in a macroscopic scale the random fluctuations usually cancel out and the net result generally behaves as a deterministic process.

      As related to this, if you power up a LED just enough for it to emit a single photon, you are pretty sure roughly what direction it went, but the exact path is unknown until it interacts with something. However if you juice up that LED to full power, you know that (aside from a few oddities every couple of years) every photon is travelling in the same illumination cone and the entire cone can be reliably modeled.

    2. Re:Always? by Entropius · · Score: 1

      Let's say you are detecting light from a fluorescent lamp. It has some mercury atoms in it which are excited by an electric current, and their de-excitation causes the emission of a visible light photon.

      You can compute the transition amplitude and figure out how long, on average, it will take to spit out a photon. (You do this by applying time-dependent perturbation theory coupling the two quantum states with a dipole-transition electric field, to first order.) But you can't predict exactly when the photon will come out, only the probability that it will in a certain time interval.

    3. Re:Always? by Bob_Who · · Score: 1, Insightful

      The approach is based on the fact that the emission of a photon is a quantum process that is always random.

      Macroscopically it sure seems random, but the underlying quantum physics show that it is still a deterministic process. Just because we don't have the right instruments to easily observe it doesn't make it have magic properties.

      I agree, the song remains the same. Its not random. Its just very, very uncertain. Same as it ever was....

    4. Re:Always? by dgatwood · · Score: 1

      Not necessarily even all that uncertain. I could see somebody with sufficient resources attacking this by fluctuating the building power or using focused EMP tricks to reduce entropy, thus weakening the resulting crypto.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Always? by peon_a-z,A-Z,0-9$_+! · · Score: 2

      Assuming your post is derived from the following Wikipedia excerpt:

      ...a system moves to higher energies or—equivalently—larger quantum numbers, i.e. whereas a single particle exhibits a degree of randomness, in systems incorporating millions of particles averaging takes over and, at the high energy limit, the statistical probability of random behaviour approaches zero. In other words, classical mechanics is simply a quantum mechanics of large systems.

      http://en.wikipedia.org/wiki/Q...

      Then you have interpreted it a bit incorrectly. Everything is not random, everything exhibits a degree of randomness. Just because we can't properly measure the deterministic nature of it, doesn't make it inherently random.

      It looks random to us, but if there were no limit to our measuring capability we would know that it is indeed not random.

      Kind of like the Earth Is Flat type argument of modern times.

    6. Re:Always? by invid · · Score: 2

      I guess you're not a fan of the Copenhagen interpretation. From Wikipedia:

      The Copenhagen interpretation - due largely to the Danish theoretical physicist Niels Bohr - remains the quantum mechanical formalism that is currently most widely accepted amongst physicists, some 75 years after its enunciation. According to this interpretation, the probabilistic nature of quantum mechanics is not a temporary feature which will eventually be replaced by a deterministic theory, but instead must be considered a final renunciation of the classical idea of "causality".

      --
      The Moore-Murphy Law: The number of things that will go wrong will double every 2 years.
    7. Re:Always? by peon_a-z,A-Z,0-9$_+! · · Score: 1

      No I'm not, along with Einstein, Feynman, and many others.

      A lot has happened since 1927 in quantum mechanics.

    8. Re:Always? by jfengel · · Score: 1

      Well, yes and no. Quantum-mechanically it IS deterministic in the sense that any given quantum state will evolve in a perfectly defined way. There isn't any "random number" in the Schroedinger equation (or its relativistic descendants).

      It's really the macro-scale stuff that introduces the randomness. At the quantum scale, things exist perfectly happily in a superposition of two states that we never observe at large scales. The more objects you put together, the harder it is to maintain the superposition, and by the time you get to even microscopic objects it will take one state or the other, but not both. Once it tips slightly in one direction, it cascades, and you end up with something that is entirely X or Y, not (X+Y).

      The other half of the wave function is largely a matter of philosophy, not physics. In one sense it's "still there", off in some other utterly inaccessible universe. Or you can say that at some point where you weren't looking the other part just vanished. That's two ways of saying the same thing; the math is the same and the results are the same, regardless.

      It's not a question of our inability to measure it. It's simply not there. No advances in physics will make it measurable, not without utterly throwing out everything we know and replacing it with something completely different. Which isn't impossible, but it's purely speculative: physics by "I wanna believe".

      Why we end up in "this part" rather than "that part" is, similarly, just idle speculation. I've got my suspicions that if you could, in fact, discuss the wave function of the entire universe you'd say that it could only go one way when you put all of it together, but that's just navel-gazing. It doesn't really matter, since you'll never actually know the wave-function of the universe as a whole. You can only observe a few macro parts of it since you (by definition) are a macro organism, and the total underlying wave function will always be forever shaded from your eyes.

    9. Re:Always? by invid · · Score: 1

      Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing. Of course, the universe is going to be whatever it is no matter what I think. Unless, of course, I'm the one who collapses the wave function.

      --
      The Moore-Murphy Law: The number of things that will go wrong will double every 2 years.
    10. Re:Always? by peon_a-z,A-Z,0-9$_+! · · Score: 1

      Haha you have a good point there. Hopefully we as a species can find some non-depressing realities through the results over our lifetimes. Hopefully...

      You collapsing the wave function doesn't look like the likely way we'll all end, given the current state of affairs :/

    11. Re:Always? by dgatwood · · Score: 1

      Considering that similar attacks have been done in the past, yes, I'm serious.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. This story is a dup by TFlan91 · · Score: 5, Interesting

    Because he failed to give any links...

    http://www.lavarnd.org/ - Was the site linked in story below, but is now dead

    Sourceforge: http://sourceforge.net/project...

    http://slashdot.org/story/03/0...

    1. Re:This story is a dup by timeOday · · Score: 4, Informative

      I am not so sure the randomness from that project actually came from the quantum properties of the photons themselves. A saturated CCD may be a chaotic physical process, but (I think) the dynamics of that chaotic process are properties of that CCD, not directly from the actions of individual photons which are known to be "quantum" and truly random.

    2. Re:This story is a dup by timeOday · · Score: 2

      By way of analogy, rolling dice is a chaotic physical process that does not rely on quantum randomness. Given the starting conditions of a dice roll, the outcome is predictable, at least in theory.

    3. Re: This story is a dup by timeOday · · Score: 2

      So you're sure there are processes which are completely deterministic? If it relied on the interaction of light and matter, then the same random component being used in the current article is still applicable

      I would guess there are incredibly small regions of instability in many chaotic processes that can be tipped either way by quantum randomness, but that does not make them useful as sources of randomness. What you want is to prove the outcome of your system is nothing BUT quantum randomness, and thus unbiased. I don't think the 'prior art' cited above proved that it met that standard. This paper claims to have done so within quantifiable bounds:

      But Sanguinetti and co calculate that their numbers are pretty close to random. They say that the process would have to be repeated 10^118 times before any deviation from randomness might be observed. "If everybody on earth used such a device constantly at 1Gbps, it would take 10^80 times the age of the universe for one to notice a deviation from a perfectly random bit string," they say.

    4. Re:This story is a dup by Anonymous Coward · · Score: 1

      From TFA:

      In practice, the first step is to characterise the light sensitivity of the camera by shining a green LED at it. That allows the team to work out the number of photons that saturate a pixel and ensure this does not happen while the random numbers are being generated (otherwise the results are no longer random).

    5. Re:This story is a dup by Anonymous Coward · · Score: 1

      When we were developing lavarand, we found that closing the shutter on the Indycam gave us a similar statistical amount of randomness as taking a picture of a chaotic system (the lamps). So yes, I can say been there, done that, got the patent.

    6. Re:This story is a dup by Anonymous Coward · · Score: 1

      Isn't that thermal noise instead of quantum noise from a photon?

    7. Re: This story is a dup by KramberryKoncerto · · Score: 1

      I don't think counting photons is going to be unbiased either. Randomness is different from unbiasedness. There must be a distribution, with some more values more likely than others. Unbiased-ness is however not necessary. You can use an unbiased coin to simulate a biased coin, and vice versa, and any continuous distribution can be turned into a coin flip. If you want a more efficient `unbiased randomness translator', there's research on stuff called randomness extractors, which aim to generate as many approximately-unbiased random bits as possible from a random source.

  5. You can never be sure... by tippe · · Score: 4, Insightful

    Oblig. Dilbert Reference

    1. Re:You can never be sure... by TeknoHog · · Score: 1

      http://xkcd.com/221/

      --
      Escher was the first MC and Giger invented the HR department.
  6. Re:Worth exactly what? by Anonymous Coward · · Score: 1

    The human-sized holes get larger as the obesity rate increases. Poor encryption. =(

  7. xkcd by zm · · Score: 1

    http://www.xkcd.com/221/

    --
    Sig ?
  8. Why not just use noise from the various antennas? by Garble+Snarky · · Score: 2

    Bluetooth, GPS, NFC. At the very least, the cell/wifi are listening anytime you're online anyway, and with the relatively large bandwidth there should be plenty of entropy in that noise. Right?

  9. Haven't addressed the main issue. by jcochran · · Score: 2

    If the article is correct and it's possible to generate a megabit/second random number stream, then that's very nice. But that stream is effectively worthless for all the applications they mentioned since the real problem is arranging for both parties to have access to the exact same random bit stream. That problem is the real one.

    1. Re:Haven't addressed the main issue. by K.+S.+Kyosuke · · Score: 2

      You'd use this for session keys. Or, if you're into OTP, you'd transfer the bit stream in person (using something like NFC). (But I suspect that a much weaker point would be the penetrability and backdoorability of current horribly complex smartphone operating systems.)

      --
      Ezekiel 23:20
    2. Re:Haven't addressed the main issue. by jcochran · · Score: 1

      Indeed, you could use it for the session key. But then again, the rate in which the random bits needs to be generated isn't anywhere near the 1 Mbit/sec rate. After all, how long does it take to generate 256 bits? As for OTP, getting the bits to the receiver is as mentioned earlier "The Real Problem". But contract that issue with the quote "And applications? Secure credit card transactions are only the beginning. A quantum random number generator that works at 1 Mbps can also secure emails and even phone calls." from the fine article. That quote certainly implies that we're talking about a megabit per second of information being encoded and securely transmitted. Which once again leaves the question "How are the random bits sent to the other party?" Heck, even if you use that method solely for the generation of session keys, that session key needs to be securely transmitted. Usually via public key encryption. Which in turn becomes the limiting factor in the overall security.

      So what's the use of a 1mbit/sec random number generator again?

    3. Re:Haven't addressed the main issue. by InvalidError · · Score: 1

      In cryptography, RNGs are typically used to seed PRNGs.

      You do not send the random bits: you encrypt and transmit the PRNG seed along with whatever other parameters might be necessary to synchronize both ends then use the PRNG to generate your nonces and the nonces are used to generate your OTP blocks.

  10. Re:Worth exactly what? by jeffmeden · · Score: 2

    To my knowledge, the limitations of pseudo random number generators are not the weak point in encryption.

    To my mind, the most pressing problem are caused by Moore's law (and similar effects). Whatever encryption is worthwhile now, is worthless in 5 years.

    Not to mention the human sized holes in encryption caused by human limitations.

    Having a true random number stream is very valuable since one of the key weaknesses in PRNGs come when you gather enough output and can guess what random numbers the algo will use next. This compromises forward secrecy. If you can use a stream of constantly random numbers, one weakness is gone entirely leaving you more time to worry about other issues (like human weakness, processing bottlenecks, etc). Also, see the issue of a PRNG with a backdoor allowing perfect guessing of the pattern hence making the encryption useless (thanks to the NSA, no less).

      I can see how it will be awkward to carry a green LED around to wave in front of your smartphone to maintain the stream but more advancement may miniaturize that part to the point where it's barely noticable [/snark]

  11. Re:Why not just use noise from the various antenna by mlts · · Score: 1

    If it doesn't take too much expense, why not toss all those RNGs into the /dev/random (or more accurately /dev/urandom as that is the only device used in more recent Android versions) pool? Even if one of the sources ends up becoming periodic, there are enough "blended bits" that it won't make as much a difference.

  12. Re:Worth exactly what? by Anonymous Coward · · Score: 2, Insightful

    That is almost exactly wrong. Random number generators are a great place to subvert encryption systems, because if you can get a bad one implemented as a standard, there's not always a great way to prove that there's a backdoor in them. You can throw as much Moore's Law as you want at 2048 bit encryption, but it's still gonna take you more time than you have left until the heat death of the universe to crack my encrypted drive.

    The math behind strong encryption is good, unless the NSA has something we don't know about, and it's unlikely they do because the Snowden docs reveal that they have spent quite a lot of money on doing things like poisoning random number generators. According to people like Bruce Schneier, the math works; it's things like key exchange, implementation, and getting people to use it that's the problem.

  13. Re:Flash-Memory based RNG by K.+S.+Kyosuke · · Score: 1

    After doing some mild research, I concluded that the most practical solution for a home EE hobbyist is building a circuit to utilize the shot noise of a PN junction (e.g., in an avalanche diode or a Zener diode). But this Flash thingy looks interesting, too.

    --
    Ezekiel 23:20
  14. The problem isn't the RNG by bytesex · · Score: 1

    Well, the problem is *also* the RNG. The bigger problem is finding a RNG like this, that can be easily embedded in electronics that you lock away. A camera won't do that.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:The problem isn't the RNG by InvalidError · · Score: 1

      I do not see where the problem with a camera is: even if you lock the camera in a perfectly dark EMI-shielded box, the CCD or CMOS sensor will still have a fair amount of thermal noise and the same goes for the ADCs so even if all the camera does is take images of the darkness, it will still get a fair amount of entropy from thermal and electrical noise. Put a few thousand pixels worth of this through SHA256 and now you have a pretty decent RNG even if you only get one LSB worth of entropy per pixel..

  15. Re:Why not just use noise from the various antenna by ericloewe · · Score: 1

    That's what's typically done, from what I know.

  16. camera, light, securing... by MoFoQ · · Score: 1

    Hmmmm...camera, capturing light (or image), then using that to secure something......reminds me of Johnny Mnemonic.
    Just need Ice-T and it'll be complete.

  17. NSA Mods by jtara · · Score: 1

    Looks like we have some NSA mods here.

    Every post suggesting that this won't work because the electronics will just be covertly re-designed are being modded down.

  18. Re:Why this won't work... by Sentrion · · Score: 1

    The only question is: will they be US intelligence agencies or Chinese intelligence agencies? Or have the two world powers finally merged to form the top secret Sole Power of Ex-Communists and Republicans Empire, aka S.P.E.C.T.R.E?

  19. Be careful by mbone · · Score: 3, Informative

    The question is not really whether some physical process is random, the question is whether someone could predict some of the bits, say if you immersed the camera in a light field pulsed at the ccd refresh rate. Or an electromagnetic field that saturates the A/D converters wiring. Or...

    The thing is that such a design has to be fixed, and then released in the field, and then be subjected to attacks tailored to its individual design and implementation, and there really is no magic bullet. So, "Counting the number of photons gives a straightforward way of generating random numbers" : maybe, but we won't know for sure if they are really and always random until it's been attacked for a few years.

  20. It might just be possible... by OakDragon · · Score: 1

    ...if we reverse the polarity... yeah, this can work!

    --
    Dark Reflection
  21. Been there done that! by Atl+Rob · · Score: 1

    I've had a CMOS imager noise gen for 5+ years! This is not new, I'll bet I wasn't the first to relize random image noise either? I made this discovery in an attempt to remove the noise with an algorithm. Also photon emission is not the best source! Random, sure, but will pile up in patterns so... Cosmic rays and background radiation are far better, impossible -or- at best highly impractical to remove from images, hence impossible to predict. Random number gens have been perfected for some time now? No? Crypto doesn't work if someone sees the data before or after its encoded! Obviously.

  22. Re:Flash-Memory based RNG by niftymitch · · Score: 1

    Personally I found this an interesting read:
    http://ieeexplore.ieee.org/xpl...

    Quantum RNG based on off-the-shelf flash memory. It's not very fast (up to 10kbit/s), but it's quite simple and since you have flash memory in close to every device, it's probably a lot cheaper to do than using optical sensors.

    This is interesting but to get the bits from flash
    you do not have them for other things.

    A camera because of the size of the array and speed is interesting as a source
    of entropy in a system. Also they are not alike so it is very hard to model
    a camera and generate the same result.

    Part of the news here is that the crypto folk are worried that a TLA got in
    bed with a five letter company and biased the built in sparkling new RNG
    instruction hardware and silicon magic in ways that they like.

    Add some additional entropy and mix it in then the TLAs of the world
    have a more difficult path.

    This is not exactly LavaRand or aquarium bubbles but the very fast
    part has value.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  23. Re:Why not just use noise from the various antenna by Rashdot · · Score: 1

    All of those can be manipulated, including the camera.

    So it's a nice idea, but not guaranteed to be random.

    --
    This is not the sig you're looking for.
  24. another option - not everything is classic physics by raymorris · · Score: 1

    > Personally I like the idea that the underlying reality of the universe is random. I find the idea that the universe is a deterministic clockwork to be depressing.

    There is a third option. A butcher from 2,000 years ago could explain that bodies are mechanical systems, with ball joints, plumbing, etc. Later, psychology developed and we began to study what makes humans tick at a different level. The mechanical level if bones and blood vessels is important, of course. To understand people, you have to also look at another level, the psychological level. Mind and body, two different parts of who we are. 2,000 years ago, a guy who built things talked about a third level of humaness, what some people call the spirit. Mind, body, spirit. We don't know much about this "spirit" level yet, but there is a wealth of evidence that SOMETHING is going on, something we can't yet explain well. It's possible that the body is deterministic clockwork, while the spirit may be governed by entirely different rules. In some ways, it seems that spiritual laws like "honesty is the best policy" (the best general rule) are just as true as physical laws like "what goes up must come down". There might be a reason for that, and it might not be because of particle physics.

  25. Re:Why not just use noise from the various antenna by fsterman · · Score: 1

    I had the same thought, smartphones have plenty of physical hardware interfaces and can certainly make due. AFAIK, servers are the only place where we need a lot more entropy than a standard device and where (especially on virtual machines) there is a poverty of physical signals to mix in. Even here, however, you only need to ensure that the initial seed is random, hashing will take care of the rest. FWIW, Ubuntu 14 comes with a nifty random entropy seed protocol called pollinate.

    I think the authors are just going out on an a limb to try and find some practical edge to the paper. Everyone's being pushed to do that now, it's a publicity stunt that (apparently) works.

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  26. Complete BS by gweihir · · Score: 1

    A 5.6V Zener-diode is half thermal noise, half quantum noise. It costs something like 5 cent. Amplification and digitization may be another $30 or so, but only for the prototype (e.g. Arduino clone).

    This is a complete non-news item.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Re:Worth exactly what? by DMUTPeregrine · · Score: 1

    Moore's law doesn't help.

    Take Bremermann's Limit. With all the computing power available on Earth right now, assuming it actually doubles every year (instead of simply new computers coming out every 18 months which have double the power) then it will still take more than a few thousand years to do the computation. If someone converts the entire earth into a computer operating at the limit, then simply using a 512-bit key with symmetric algorithms will effectively fix the issue, since the time to brute-force the keyspace (10^72 yrs) is longer than the expected lifetime of the universe.

    The Landauer limit is somewhat stronger, but may not be correct. Let's assume we have a good cryptosystem that uses a 256-bit key, with no attack better than brute force. Let us also assume that the Landauer limit is correct (it very probably is) and there is a minimum energy to perform a computation. To break such a cipher with a 256-bit key takes a worst-case time of 2^256 with an average case of 2^255.

    Let's assume we're running our cracking computer at the coldest temperature ever produced, 100pK. Then it would take 9.67x10-34 J per operation. Let's pretend we can try a key with only one operation, since in reality it will take a few more but we should be correct to an order of magnitude. It therefore takes 2256*9.57x10-34 J = 1.1081x1044 J to brute force the key space, or about 5.5x1043 J in the average case. The average type 1a supernova puts out about 1.5x1044 J. It's about as much energy as we could get by covering the entire earth (including the oceans) with solar panels and using it all... for 20,000,000,000,000,000,000 years. Even with exponential growth we won't hit the Landauer limit for thousands of years.

    So having a better random stream and being more resistant to cryptanalysis is more important than being resistant to increased computing power. It's far easier to use a side-channel attack than to directly attack the crypto, and far easier to attack the crypto than to brute-force the key.

    --
    Not a sentence!