Lottery. ⢠Applications of Random Numbers. ⢠Pseudo Randomness VS. True Randomness ... Quantum Random Number Generator (QRNG). Time of arrival.
Improvements on Practical Quantum Random Number Generator Name: Zehao Zhao Discipline: Quantum Information Mentor: Xiongfeng Ma Date: August 15, 2017
Outline 1. Background
2.Modification on min-entropy 3.Acceleration on Post Processing in practical QRNG 4. Summary
2
of 31
Background Ø Applications of Random Numbers
Communication
Economy
Simulation
Lottery
Ø Pseudo Randomness VS. True Randomness Pseudo Random Numbers
Algorithm/ Classical Physical Process
Determinacy
Predictability
Reproducibility
True Random Numbers
Quantum Process
Probability
Unpredictability
Irreproducibility
• True Randomness comes from the Randomness in Specific Quantum Processes; • Quantum random number generation can be achieved via these quantum processes.
3
of 31
Background Ø Quantum Random Number Generator (QRNG) Randomnes s Source (Probability)
010101010 101010101 010110100 111010101 010110101
Digital Sampling (Raw Data)
Post Processing (final sequence)
Randomness test (Statistic property)
Time of arrival statistics [1]
Laser phase noise measurement [3]
Photon number statistics [2]
Vacuum noise measurement [4]
[1] M. Wayne, et al. Journal of Modern Optics, 2009, 56(4): 516-522. [2] M. Ren, et al. Physical Review A, 2011, 83(2): 023820. [3] H. Guo, et al. Physical Review E, 2010, 81(5): 051137. [4] C. Gabriel, et al. Nature Photonics, 2010, 4(10): 711-715.
4
of 31
Background of min-entropy Ø Information Entropy & Min-entropy
• Information Entropy 𝐻 𝑥 = − % 𝑃' (𝑥) log - 𝑃' (𝑥) 0∈2
• Min-entropy
𝐻345 𝑥 = − log - [max 𝑃' (𝑥)] 0∈2
5
of 31
Background of min-entropy
𝑷(𝑿)
Guess 0 every time: bigger probability to get a correct answer Guess 0 or 1: same 70% probability to be right or wrong
50%
𝑷(𝒙)
𝒙𝟎 : biggervalue: probability Guess arbitrary same to get a correct probability to beanswer right or wrong
50%
…
30%
0
𝑵𝒎𝒊𝒏 bit sampling 𝑯 bit
1
𝑿
𝒙𝟎
𝒙
No information leakage about the parameters of the distribution
6
of 31
Background of min-entropy 𝑵 bit sampling 𝑷(𝒙)
𝑷(𝒙𝟎 ) < 𝑷′(𝒙𝟎 ) 𝑯𝒎𝒊𝒏
𝒙𝟎
>
𝑯′𝒎𝒊𝒏
𝒙
𝑰 𝑮: 𝑬 = 𝑯𝒎𝒊𝒏 − 𝑯K 𝒎𝒊𝒏 > 𝟎 Information leakage if the varying of the distribution is not noticed! 𝑯𝒎𝒊𝒏 requires modification to eliminate information leakage!
7
of 31
Background of min-entropy Ø QRNG Based on Laser Phase Noise • Phase noise is caused by spontaneous emissions in laser; • It is a total quantum random process.
8
of 31
Attack on practical QRNG based on laser phase noise Ø QRNG Based on Laser Phase Noise • Phase noise is got by measuring the intensity fluctuation of laser; • Ideal statistic distribution of the fluctuation is Gaussian distribution; • Ideal statistic distribution of classical noise is also Gaussian distribution.
Experiment setup of measuring phase noise[1][2]
The Gaussian distribution is determined by mean value 𝜇 and variance 𝜎 - .
𝝈𝟐𝒒 = 𝝈𝟐𝒒Q𝒄 − 𝝈𝟐𝒄 [1] H. Zhou, et al. Physical Review A, 2015, 91(6): 062316. [2] X. Zhang, et al. Review of Scientific Instrument, 2016, 87(7): 076102.
9
of 31
Attack on practical QRNG based on laser phase noise Ø QRNG Based on Laser Phase Noise • PD: convert intensity into voltage; • ADC: digital sampling.
𝑯𝒎𝒊𝒏 𝒙
𝑽 = 𝜶𝟎 𝑰 Gaussian distribution
Gaussian distribution
→ 𝑯𝒎𝒊𝒏 𝒙
10 of 31
Attack on practical QRNG based on laser phase noise Ø Eavesdropper and Attack on QRNG
Attack on PD Eavesdropper
• The eavesdropper can attack the PD by change its amplify coefficient
𝜶𝟎 → 𝜶(𝑰) 𝑽 = 𝜶(𝑰)𝑰 Non-Gaussian distribution
𝑯𝒎𝒊𝒏 𝒙
𝑯′𝒎𝒊𝒏 𝒙
Gaussian distribution
→ 𝑯′𝒎𝒊𝒏 𝒙 11 of 31
Attack on practical QRNG based on laser phase noise Ø Information Leakage
𝑰 𝑮: 𝑬 = 𝑯𝒎𝒊𝒏 𝒙 − 𝑯′𝒎𝒊𝒏 𝒙 𝑰 𝑮: 𝑬 > 𝟎 → Information leakage to the eavesdropper
𝜶 𝑰 = 𝜶𝒆 Attack on PD
𝑰 𝟏− 𝜷𝒆 𝑰𝒎𝒂𝒙
𝑽′ = 𝜶 𝑰 𝑰 + 𝒄
𝑯𝒎𝒊𝒏 𝑽 ≈ 𝟐. 𝟗𝟗, 𝑯K 𝒎𝒊𝒏 𝑽K ≈ 𝟐. 𝟗𝟒, 𝑰 𝑮: 𝑬 = 𝟎. 𝟎𝟓[𝟏]
Eavesdropper can get almost 1.7% information of the random sequences [1] We set 𝐼~N 0,1 , 𝛼g = 1, 𝛼h = 0.99, 𝛽h = 2, 𝐼3l0 = 5, c = 0.1, and implement 5-bit sampling.
12 of 31
Modification under the possible attacks from the eavesdropper Ø Modification of Min-entropy ∆𝐻 = 𝐼 𝐺: 𝐸 = 𝐻345 𝑥 − 𝐻 K 345 𝑥 = log - max 𝑃K 𝑥 0∈2
K
= log - % 𝑃 𝑥 0∈r
− log - % 𝑃 𝑥 0∈r
K
= log -
− log - max 𝑃 𝑥
∑0∈r 𝑃K 𝑥 ∑0∈r 𝑃 𝑥
0∈2
∑0∈r 𝑃 𝑥 − 𝑃 𝑥 +1 ∑0∈r 𝑃 𝑥 ∑0∈r 𝑃K 𝑥 − 𝑃 𝑥 ≤ log +1 ∑0∈r 𝑃 𝑥 ∑0∈r 𝑃K 𝑥 − 𝑃 𝑥 2𝑑r 𝑃K , 𝑃 = log + 1 log +1 2yz{|} 2y5 𝑑r 𝑃K , 𝑃 = log + 1 = ∆𝐻3 2y5y•
= log -
𝒎𝒐𝒅𝒊𝒇𝒚
𝑯𝒎𝒊𝒏
(𝒙) = 𝑯𝒎𝒊𝒏 𝒙 − ∆𝑯𝒎 13 of 31
Modification under the possible attacks from the eavesdropper Ø Modification of Min-entropy
Attack on PD
𝑯𝒎𝒊𝒏 𝒙
𝑯′𝒎𝒊𝒏 𝒙
𝑯𝒎𝒊𝒏 𝑽 ≈ 𝟐. 𝟗𝟗, 𝑯K 𝒎𝒊𝒏 𝑽K ≈ 𝟐. 𝟗𝟒 ∆𝑯 ≈ 𝟎. 𝟏 𝒎𝒐𝒅𝒊𝒇𝒚
𝑯𝒎𝒊𝒏
𝑽 = 𝟐. 𝟖𝟗
No information leakage to the eavesdropper
14 of 31
Modification under the possible attacks from the eavesdropper
Original secure bottom line
Possible attack New method bottom line The largest possible attack
The estimation of information leakage 15 of 31
Post processing Randomnes s Source (Probability)
010101010 101010101 010110100 111010101 010110101
Digital Sampling (Raw Data)
Post Processing (final sequence)
16 of 31
Background of post processing Ø Post Processing in QRNG • Post processing is the procedure to process raw data to a uniform distribution; • Extract shorter final key sequences (𝒎-bit long) from raw data (𝒏-bit long) with extraction ratio 𝜸.
𝑵-bit sampling, 𝑯𝒎𝒊𝒏 𝒙 𝑯𝒎𝒊𝒏 𝟏 [𝟏] 𝒎 = 𝒏× − 𝟐 log 𝟐 𝑵 𝝐
⋯
𝜸 = 𝒎/𝒏
• Different post processing methods: Von Neumann Rectification, Xor, Least Significant Bit (LSB), etc. [1] 𝜖 is the information theoretic security bound. We set 𝜖 = 2y-g .
17 of 31
Acceleration on Post processing with Fast Fourier Transform
A Toeplitz matrix 𝑇 is a matrix whose elements on every diagonal are the same, that is 𝑎4,• = 𝑎4Q•,•Q• 1 ≤ 𝑖 ≤ 𝑚 − 1,1 ≤ 𝑗 ≤ 𝑛 − 1 . A small example of Toeplitz matrix on ℝ is 4 2 3 1 7 4 2 3 5 7 4 2 On which we can see that the elements on every diagonal are the same.
18 of 31
Acceleration on Post processing with Fast Fourier Transform Ø Post Processing with Toeplitz Matrix • Toeplitz matrix can convert arbitrary-distribution random numbers into uniform-distribution random numbers. • 𝑘 𝑘 𝑘 = 𝑚 bits Ÿ ⋮ 𝑘3
=
= 𝐴𝑟
𝑎5 𝑎5y• 𝑎5Q• 𝑎5 𝑎5Q- 𝑎5Q• ⋮ 𝑎5Q3y£ 𝑎5Q3y¥ 𝑎5Q3y- 𝑎5Q3y£ 𝑎5Q3y• 𝑎5Q3y-
𝑎5y𝑎5y• 𝑎5 𝑎5Q3y¤ 𝑎5Q3y¥ 𝑎5Q3y£
𝑎£ 𝑎𝑎5Q• 𝑎£ ⋯ 𝑎¤ 𝑎¥ ⋱ ⋮ 𝑎3 𝑎3y• ⋯ 𝑎3Q• 𝑎3 𝑎3Q- 𝑎3Q•
𝑎• 𝑎𝑎£ 𝑎3y𝑎3y• 𝑎3
𝑟 • 𝑟 ⋮ § 𝑛 bits 𝑟5
The computation complexity is 𝑶(𝒎𝒏) Need large storage resources to preserve the matrix 19 of 31
Acceleration on Post processing with Fast Fourier Transform Ø Post Processing with Toeplitz Matrix • We improve the algorithm to reduce the storage resources; • Achieve with a circulant matrix. A small example of the circulant matrix 𝐴 constructed based on the previous Toeplitz matrix example is 1 5 7 4 2 3 3 1 5 7 4 2 4 2 3 1 matrix 2 3 1 5 7 4 7 4 2 3 4 2 3 1 5 7 extension 5 7 4 2 7 4 2 3 1 5 The Toeplitz matrix 5 7 4 2 3 1 The circulant matrix
Hence, we get a 𝟔×𝟔 circulant matrix
[1] Key: final key vector; Rawdata: raw data vector; Matrix: (𝒏+𝒎−𝟏) bits vector to construct the Matrix; dot: dot product operation; mod: modulus operation.
20 of 31
Acceleration on Post processing with Fast Fourier Transform Acceleration on Post processing with Fast Fourier Transform
Ø So processing with the circulant matrix becomes
𝑛 + 𝑚 − 1 bits 𝑘 K =
𝑘• ⋮ 𝑘⋮
= 𝐴𝑟 K
𝑘3Q5y• ⋯ 𝑎¥ 𝑎5Q3y• 𝑎5Q3y⋯ 𝑎¤ 𝑎• 𝑎5Q3y• ⋮ 𝑎5 𝑎5y• 𝑎5y𝑎• 𝑎 𝑎5Q• 𝑎5 𝑎5y• ⋮ 𝑎5Q3y- 𝑎5Q3y£ ⋯ 𝑎3 𝑎3y• 𝑎5Q3y• 𝑎5Q3y- ⋯ 𝑎3Q• 𝑎3
𝑎• 𝑎=
𝑎£ 𝑎¥
𝑎𝑎£
⋮ … 𝑎5Q• … 𝑎5Q⋮ ⋯ 𝑎5Q3y• ⋯ 𝑎•
𝑟• 𝑟⋮ 𝑟5 0 ⋮ 0
𝑛 + 𝑚 − 1 bits
Use the n-th row as an example, we find 𝑘5 = 𝑎5 𝑟• + 𝑎5y• 𝑟- + ⋯ + 𝑎• 𝑟5 + 𝑎5Q3y• 𝑟5Q• + 𝑎5Q3y- 𝑟5Q- + ⋯ + 𝑎5Q• 𝑟5Q3y• = 5Q3y•
𝑘5 = % 𝑎5y•Q•(3ª«(5Q3)) 𝑟• •¬•
which is exactly the form of discrete convolution. 21 of 31
Acceleration on Post processing with Fast Fourier Transform Ø Acceleration with Fast Fourier Transformation • We notice the formula 𝑘4 = ∑5Q3y• 𝑎4y•Q•(3ª«(5Q3)) 𝑟• is exactly the form discrete •¬• convolution which can be accelerated by Fast Fourier Transformation (FFT). More importantly, we have the following theorem: Theorem 2: A circulant matrix 𝐴 is unitarily similar to a diagonal matrix and the unitary matrix is 𝐹 = 𝑤 4• , which is the representation of discrete Fourier transformation matrix. Furthermore, the elements of the diagonal matrix are equal to the elements of 𝐹𝑎. So in general, we have 𝐹𝐴𝐹 y• = 𝑑𝑖𝑎𝑔 𝐹𝑎 𝑘 K = 𝐴𝑟 K = 𝐹 y• 𝑑𝑖𝑎𝑔 𝐹𝑎 𝐹𝑟 K = 𝐹 y• 𝐹𝑎 ⋅ 𝐹𝑟 K
[•]
And by choosing the last m bits of 𝑘 K we get the required key 𝑘
[1] fft: fast Fourier transformation; ifft: inverse fast Fourier transformation; round: round operation.
22 of 31
Acceleration on Post processing with Fast Fourier Transform 𝑛 + 𝑚 − 1 bits 𝑘 K =
= 𝐴𝑟 K
𝑘3Q5y•
𝑎• 𝑎=
𝑘• ⋮ 𝑘⋮
n bit
𝑎5Q3y• 𝑎5Q3y𝑎• 𝑎5Q3y• ⋮ 𝑎5 𝑎5y• 𝑎5y𝑎5Q• 𝑎5 𝑎5y• ⋮ 𝑎5Q3y- 𝑎5Q3y£ ⋯ 𝑎5Q3y• 𝑎5Q3y- ⋯
⋯ ⋯
𝑎¥ 𝑎¤
𝑎• 𝑎 𝑎3 𝑎3y• 𝑎3Q• 𝑎3
The desired m-bit key 𝑎£ 𝑎¥
𝑎𝑎£
⋮ … 𝑎5Q• … 𝑎5Q⋮ ⋯ 𝑎5Q3y• ⋯ 𝑎•
𝑟• 𝑟⋮ 𝑟5 0 ⋮ 0
𝑛 + 𝑚 − 1 bits
m bits The Toeplitz matrix
The computation complexity is 𝑶(𝒏𝐥𝐨𝐠𝒏) Much higher processing speed compared to original algorithm (𝑶(𝒎𝒏)) 23 of 31
Acceleration on Post processing with Fast Fourier Transform Ø Comparison Between Processing Time of Two Algorithm
24 of 31
Processing with modified Toeplitz matrix • Modified Toeplitz Matrix can also employ FFT • Require less random seed only n-1 bits • 𝑘 𝑘 m bits ⋮ 𝑘3y• 𝑘3 𝑎5y3 𝑎5y3y• 𝑎5y3y𝑎5y3Q• 𝑎5y3 𝑎5y3y• 𝑎5y3Q- 𝑎5y3Q• 𝑎5y3 = ⋮ 𝑎5y£ 𝑎5y¥ 𝑎5y¤ 𝑎5y- 𝑎5y£ 𝑎5y¥ 𝑎5y• 𝑎5y- 𝑎5y£
⋯ ⋱ ⋯
𝑎£ 𝑎¥ 𝑎¤ 𝑎3 𝑎3Q• 𝑎3Q-
𝑎𝑎£ 𝑎¥ ⋮
𝑎3y• 𝑎3 𝑎3Q•
𝑎• 𝑎𝑎£ 𝑎3y𝑎3y• 𝑎3
1 0 0 0 1 0 ⋯ 0 0 1 ⋮ ⋱ 0
⋯
0 ⋮ 1 0 0 0 1 0 0 0 1
𝑟 • 𝑟 ⋮ 𝑟5y• 𝑟 5
𝑛 bits
25 of 31
Proper Block Length in Processing a Fixed-length Long Raw Sequence Ø Proper Block Length in Processing a Fixed-length Long Raw Sequence • Processing a 10Gbit-long raw sequence • To find a proper block length 𝑛 to guarantee the shortest total processing time.
26 of 31
NIST Randomnes s Source (Probability)
010101010 101010101 010110100 111010101 010110101
Digital Sampling (Raw Data)
Post Processing (final sequence)
Randomness test (Statistic property)
27 of 31
Summary
l Modification on Min-entropy
l Acceleration on Post Processing
l Further Improvement
28 of 31
Acknowledgement • We acknowledge Prof. Xiongfeng Ma and Mr. Hongyi Zhou for their great support on the research idea and experiment. We also acknowledge Mr. Daniel Comber Todd and Mr. Deion Hawkins for their kindly help on writing this article.
29 of 31
