True hardware random number generators

True hardware random number generators	Hier gibt's auch die deutsche Version	SSL-URL of this site

Introduction

True hardware random number generators (TRNGs) do produce true random numbers based on true random processes like the falling of a dice or the noise of a resistor or oscillator. The true randomness of these numbers is the base of many cryptographical applications, e. g. the generation of PINs, TANs and cryptographical keys. They can also be used for many other applications like stochastic resonance, genetic algorithms, monte carlo simulations, surrogat data method, creation of lottery numbers and many other.

An often emerging problem of hardware random number generators, as well of pseudorandom number generators, are statistical conspicuities, which can be characterized partially by the entropy (average randomness of a single random number). The information theory entropy is not meaningful, because it only incorporates the single probabilities of the random numbers but not conditional probabilities and other. Furthermore the entropy is not invariant against a basis transformation, so the bit-wise entropy and the byte-wise entropy can have totally different values. That's the reason why there are so many different entropy tests and why in the strict sense not only one but also many information theory entropies do exist.

The statistical conspicuities can have drastically consequences. Quote from a textbook:

"If all scientific paper whose results are in doubt because of bad rand()s were to disappear from library shelves, there would be a gap on each shelf about as big as your fist."

Numerical Recipes (in C), Chapter 7.1

Another problem is the estimation of the degree of non-computability or true randomness / really randomness, also called unpredictability or degree of nondeterminateness.
Because a hardware random number generator is a stochastic automat with a finite memory, it's true randomness can be calculated by the theory of markov chains.
The true randomness, more precisely the average randomness of a random number of a stochastic automat, is known as the entropy cover in this theory. In contrast of the entropy, the entropy cover incorporates conditional probabilities and it's value is invariant against basis transformations.
In the theory the memory of length m means that a random number depends on the m previous produced random numbers.
The number of interior states is n^m (n to the power of m) with n=number of possible random numbers, e. g. (2^(16))^(1000) = 3,02E4816 with a 16-bit random number generator and a memory length of m=1000. Because of this huge number of states and a greater number of transitions the entropy cover can generally not be calculated. Another problem is that before this calculation the parameters, the ergodic probabilities of the states and transitions probabilities, have to be estimated. Additionally the independence from outside influences, at all allowed parameter values, has to be validated. Because of Bell's theorem it is not necessary to care about hidden variables.

The due to the huge number of interior states and conditional probabilities practically impossible effort is the only reason why hardware random number generators have to be tested; in theory they can be calculated completely.
It is also the reason why true random numbers often are after-treated deterministic. A complete deterministic after-treatment like exclusive oring (so called XOR mode) with pseudorandom numbers increases the entropy in most cases but never the entropy cover. For cryptographically application such after-treatments are senseless and should be avoided, because they can only mask the weaknesses of the hardware but they can not cancel the weaknesses. Through this, such after-treatments do fool the user and cozenage a randomness which is not really there.

Because the entropy cover can generally not be estimated, in practice only tests like an entropy test or the diehard tests and estimating of simplifying details like an entropy be done.
In special cases an entropy and the entropy cover can be calculated. An example are pseudorandom number generators because they do have N interior states and all transition probabilities are 0 or 1. Therefore the term p*ld(p) in the definition formula of the entropy cover is always zero and also the whole entropy cover.
As can bee seen at the simple definition formula, the entropy is also zero when, and only when, the random numbers where so designed (the number width so choosen) that they meet an integer multiple of the length M>0 of the period length P of the generator. For this the period P has to be finite, because otherwise the entropy would always be zero, even at nondeterministic random number generators. Pseudorandom number generators (PRNGs) with an infinite period, for example an algorithmically random sequence like the decimal places of a normal number, e. g. the Champernowne constant, the entropies are (close to) one because every newly calculated decimal place is a surprise (because it was unknown before) while the entropy cover is zero because the decimal places are constant and do exist, indendently from a calculation.

In practice often there is no distinction between pseudorandomness and true randomness (nondeterminism) and named entropy what is accurately named entropy cover. With this there is no distinction between appearances and reality of randomness.

Generally the physical states do not meet the markov-states, but the physical states can be approximated by markov-states. With a m growing to infinity this approximation is arbitrary accurate. That's why every random number generator is a markov process and can be described by the theory of markov chains.

The nondeterminism is the criteria for information theoretical safety of the random numbers and is important e. g. for preventing that someone can calculate or guess with a high probability transaction numbers (TANs), even if that someone knows all previous TANs (e. g. from the recovered paper container). For this another quote:

"There is a DEFINITE NEED FOR DATA WITH ENTROPY NOT BASED ON ALGORITHMS. As to whether we need *true* random numbers, that's a subject for debate. Typically we get data that's as good as we need it to be from a hardware generator by running the initial data (which may have some kind of pattern or bias) through an algorithm which sort of mixes it. But it is very useful to have this entropy come from a hardware device, because it affords an EXTRA LEVEL OF SECURITY; pseudorandom numbers can be compromised if the algorithm is known and the seed is discovered, but THERE IS NO SUCH EQUIVALENT FOR RANDOM NUMBERS GENERATED BY A HARDWARE DEVICE."

Moses Liskov (faq-editor@rsa.com), http://www.rsa.com/ , year 2000

For solving these two problems, producing random numbers without statistical conspicuities and with high entropy and entropy cover, the below-mentioned hardware random number generators have been developed.
There are virtual for free hardware random number generators like /dev/random (the standard hardware random number generator on Linux and other Unix derivatives) which also do produce high quality random numbers but only with a speed of approximately 2 Bytes/s, which is million times slower than the below-mentioned generators.

As tests the FIPS, AIS, NIST, diehard and special tests, e. g. with a hardware spectrum analyser, were used. Because the diehard tests are most often stronger and more versatile than the other tests, they were used most often.

1. Generation (after-treatment of the random numbers is necessary)

The generators of the first generation do produce random numbers by dumping hazards from digital circuits. They are shielded with a high frequency tight iron case to block external interferences. Without after-treatment the quality of these random numbers is not sufficient to pass all statistically tests. Therefore the after-treatment is done by the device driver, so as /dev/random, the standard hardware random number generator on Linux and other Unix derivatives, does.

rp1: true random number generator of the first generation for the parallel port

rp1: true random number generator of the first generation for the parallel port

rp1 is a parallel port device, generating 5-bit hardware random numbers based on hazards.
This generator is hot swappable and has low power consumption (approx. 0.1 W). The device is powered from the parallel port - no batteries or cables required.

Speed: 2 MByte/s (the Parallel Port can only read approx. 1 MByte/s)
Dimensions: 6 x 5 x 1.5 cm
Weight: 55 g
Price: 99,99 EUR (if necessary +7 EUR mailing expenses)

Software (open source drivers and test programs for DOS, Windows 3x/95/98, Windows NT/2000, Unix/Linux and kernel module for Linux) and 60 days free Technical Support included.
The random bit files produced with the corresponding device driver do not contain any significant correlations and also pass the 15 diehard tests.

Reference Customers:	iPei

rw1: fast true random number generator (16Bit) of the first generation

rw1 is an ISA card, generating 16-bit hardware random numbers based on hazards.

Speed (without overclocking): 16.67 MByte/s (the ISA Bus can only read approx. 2 MByte/s)
Dimensions (incl. IBM Bracket): 18 x 12 x 2 cm
Weight: 200 g

Software (open source drivers and test programs for DOS, Windows 3x/95/98, Windows NT/2000, Unix/Linux and kernel module for Linux) and 60 days free Technical Support included. This card is hot swappable and the random bit files produced with the corresponding device driver do not contain any significant correlations and also pass the 15 diehard tests.

2. Generation (perfect random number generators, no after-treatment necessary)

The second generation of hardware random number generators is based on the first generation and the central limit theorem. A complete description, which is mainly a chapter of my doctoral thesis, can be found here.
Short said it can be shown by the central limit theorem that by modulo addition of sufficient many true random numbers the memory length m of the markov process is effectively reduced to one and the transition probabilities are approximated to equal values. This means that the entropies and the entropy cover do have the theory maximum value of one. It is only necessary to verify that sufficient many true random numbers are used, because this means that the Lindeberg condition is fulfilled.

The main advantage is that while production of a new random number takes only one clock cycle, these random numbers do pass all tests, i. e. the 15 diehard tests, without after-treatment and that this can be shown both experimental and in theory. Furthermore no shielding is necessary and the slowest generators here are at minimum eight million times faster than /dev/random, the standard hardware random number generator on Linux and other Unix derivatives.

This mathematical proven technique is patented (german patent number 199 26 640) and makes these random number generators unique.
For showing that the random numbers do need no after-treatment the software is completely open source. Because no after-treatment is necessary, these generators can be used without software. That's the reason why some of them (rw2) do have one mono and two stereo outputs with the random bits, which can be used e. g. as perfect white noise for audio measurements or for switching a Laser for crosscorrelation measurements.

It could be shown that these generators do pass all statistical tests even in climate chambers at -10...+60°C, as certified e. g. from Kryptografics.
These generators are optimised for a) autonomous operation, b) hard real time and c) high quality at high speed. Therefore they can also be used for noise radar, stealth radar, as interfering transmitter and as random clock generator (with discrete exponential distributed cycle duration).

rw2: fast true random number generator (16Bit) of the second generation

rw2 is an ISA card, generating 16-bit hardware random numbers based on the central limit theorem.
The numbers are produced at a speed of more than 16,67 MByte/s and emitted at clock frequency (0..8.33 MHz) as digital noise (sequence of independent random bits, white noise with a critical frequency = 1/4 clock frequency) using a BNC connector. This card is also hot swappable and has also a stereo output (0..2*4.17MHz), three control LEDs (supply voltage, BNC output, clock) and can be used without an ISA-bus because the card does only need 5V and a clock.

Speed (without overclocking): 16.67 MByte/s (the ISA Bus can only read approx. 2 MByte/s)
Dimensions (incl. IBM Bracket): 18 x 12 x 2 cm
Power Supply: 5V/0.75A
Weight: 250 g
Price: 999 EUR

Software (open source drivers and test programs for DOS, Windows 3x/95/98, Windows NT/2000, Unix/Linux and kernel module for Linux) and 60 days free Technical Support included. The main advantage is that while production of a new random number takes only one clock cycle, these random numbers do pass all tests, i. e. the 15 diehard tests, without after-treatment.

Reference Customers:

rw3: schneller echter Zufallszahlengenerator (32Bit) der zweiten Generation

rw3 is a PCI card, generating 16-bit hardware random numbers based on the central limit theorem.
This card is hot swappable and based on the PROTO-3 which has a lot of documentation and software.

Speed (without overclocking): 80 MByte/s (the PCI Bus can only read approx. 5 MByte/s)
Dimensions (incl. IBM Bracket): 23 x 12 x 2 cm
Weight: 330 g

The main advantage is that while production of a new random number takes only one clock cycle, these random numbers do pass all tests, i. e. the 15 diehard tests, without after-treatment.

Reference Customers:

rw4: fast true random number generator (32Bit) of the second generation

rw4 is a PCI card, generating 32-bit hardware random numbers based on the central limit theorem.
This card is hot swappable and the fastest hardware random number generator (which needs no after-treatment) of this world.
rw4 is based on the PCI-Proto Lab/PLX which has a lot of documentation and software.

Speed (without overclocking): 160 MByte/s (internal data rate, the PCI Bus can only read approx. 10 MByte/s without DMA)
Dimensions (incl. IBM Bracket): 32 x 12 x 2 cm
Weight: 450 g
Price: 2999 EUR

Software (open source drivers and test programs for DOS, Windows 3x/95/98, Windows NT/2000, Unix/Linux and kernel module for Linux) and 60 days free Technical Support included. The main advantage is that while production of a new random number takes only one clock cycle, these random numbers do pass all tests, i. e. the 15 diehard tests, without after-treatment.

Reference Customers:

rw3usb: fast true random number generator of the second generation

RW3USB is a hardware random number generator for the universal serial bus bus.
The basic version has a USB connection for power supply and data exchange. The premium versions do have a parallel port connection, a stereo output or a battery powered real time clock.
The parallel port is for data exchange in hard real time with a latency lower than 10 microseconds. The two bit streams at the stereo output are released at approx. 200 kHz and can be used as two channel white noise or random clock signals with discrete exponential distributed cycle duration.

Speed: 1.5 MBit/s
Dimensions (without cable): 8 x 5,5 x 2,5 cm
Power Supply: 5V/0,3A via USB bus
Weight (without cable): 150 g

Further Features:
Modern mikrocontroller (MSP430) with internal temperature sensor. The firmware can be updated.
Modern FTDI USB controller.
128 MB flash memory for user data. As an option more is available.
Well documented interfaces.
Much Open Source-Software for MS-Win, Linux and for hard realtime (RTAI).
The data exchange via USB is secured with checksums, the data exchange via parallel port is secured with a parity bit.
Self test of the hardware and complete self test of the random number generator according to FIPS and AIS.
Fulfills the requirements of CE, FIPS 140-1, FIS 140-2, AIS 31, etc..
Robust, solid and HF leakproof iron case.
Different modes, e. g. interrupt free mode for lowest latency for hard realtime use.

Delivery and Payment - Terms and conditions

Links

An associate article from uni ulm intern, November 1999, here.

An article about my first generation of random number generators here.

If the random number generator /dev/random is not fast enough for you and if the generators above are too fast (or expensive, or ...), you can use the free ALSA sound card related entropy gathering daemon (abbrev. EGD) randomsound to speed up /dev/random by a factor of about 100: http://packages.debian.org/en/sid/admin/randomsound
http://v2.www.rpmseek.com/rpm-pl/randomsound.html?hl=de&cx=857:R:0.
For randomsound the onboard sound or a small USB sound card for about 4 Euro is sufficient.
A similar alternative is the EGD RandD.
A further alternative are the rng-tools ( http://www.kernel.org/doc/Documentation/hw_random.txt).

c't-RandCam & Co - for generating and testing random numbers.

Dieharder: A (new) Random Number Test Suite.

TestU01 - Empirical Testing of Random Number Generators.

NIST test suite

http://csrc.nist.gov/rng/

FIPS 140 standard

AIS 20 and AIS 31 for evaluation of deterministic (AIS 20) and nondeterministic (AIS 31) random number generators:

L'Ecuyer's test suite (also a number of pseudo rngs)

http://www.iro.umontreal.ca/~simardr/

A method for recycling physical random numbers, from Art Owen

Public Domain random bit files, Freeware (e. g. a program for creation of true random and exact equally distributed lottery numbers) and further information here.

Information Theory with Entropy, Entropy Cover and more: Book "Grundlagen der Information", Akademie Verlag, Berlin, 1991.

About me (homepage)