back to article Boffins pull off quantum leap in true random number generation

A team of physicists claim to have developed a guaranteed random number generator using photons and the laws of quantum mechanics. Random numbers are used to secure communications, and a good random number generator is essential for strong encryption. But ensuring that the numbers are truly random is difficult. Number …

  1. John Robson Silver badge


    Only need to do it once, right?

  2. Flakk


    Like the Naval Observatory does with their atomic clock, are these physicists going to hook this contraption up to the Internet for us to play with, or do I need to call my real estate agent and look for a 187m long parcel of land?

    1. Alan J. Wylie

      Re: Sooooo...

      187m long parcel of land

      Don't bother. A USB connected Geiger–Müller tube will generate randomness just as well.

      1. Josh 14

        Re: Sooooo...

        What about the RNG a few years back that had an Americium source from an ionization smoke detector firing into a webcam ccd, and used the excitation spots and traces as a random source seed?

        I did a quick search and found this project building one:

    2. Scott Glancy

      Re: Sooooo...

      I am one of the scientists working on this project. Our goal is to incorporate a quantum random number generator based on this prototype into the NIST Randomness Beacon, which will allow you to play with it. An even longer term and more ambitious goal is to shrink its size so that it can fit into a mobile phone, but that will take significant advances in the technology and years of work. If you can be patient, there is no need to call your real estate agent.

      On the other hand, we hope that other organizations will make public random sources that are compatible with NIST's. Then one can combine output from all sources to create a random source that is more trustworthy than any single source.

  3. Brandon 2

    what about

    What about radioactive decay? Sure, one can readily know the average, but what any particular isotope decays into is still unpredictable. Similarly, if you create a truly rand string of numbers, randomly chosen from 1-10, you will also know the average over time. Thus a random string correlated to radioactive decay should be possible.

    1. Anonymous Coward
      Anonymous Coward

      Re: what about

      1. Alan J. Wylie

        Re: what about

        It's not only got to be genuinely random (as John von Neumann said; "Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin"), but if someone else has generated the randomness you are using for your Certificate Signing Request, you cannot guarantee the security of your website ever after.

        1. PyLETS
          Black Helicopters

          trusting trust and someone else's randomness not being as good as yours

          Hence the larger and more complex the apparatus, the less likely it is you've been fully able to verify it doesn't contain any unwelcome secrets or hidden backdoors making the output observable, predictable or being capable of manipulation by unwelcome parties. A simple electronic circuit you've built yourself involving a pair of zener diodes as a noise source followed by some analogue amplification and digital gates to ensure you get an even bias between 1s and 0s might be as good as it gets in this particular space. If you have to buy hardware made by someone else, paying for it cash in person makes it less likely to be replaced within the delivery chain. IBM used to advise mainframe managers to use dice for system passwords, but we need more entropy for long term and session secrets nowadays. It's possible the hardware RNG vendor may be fully security audited, but what about the delivery chain ?

        2. Michael Wojcik Silver badge

          Re: what about

          if someone else has generated the randomness you are using for your Certificate Signing Request, you cannot guarantee the security of your website ever after

          You cannot "guarantee the security" of any system, ever, under any conditions. That is not a meaningful claim.

          There are plenty of physical processes that generate sufficient information entropy to seed cryptographic pseudorandom number generators (CPRNGs) sufficiently for most purposes. CPRNGs only need to raise the cost to the attacker higher than the attacker's evaluation of the value of breaking the CPRNG.

          The vast majority of X.509 certificates will never be used to secure sufficient value to justify trying to break the CPRNG used to generate their precursor CSRs.

          It's true that attacking CPRNGs has been successful in many prominent historical instances; the original Netscape SSL implementation and the Debian OpenSSL break are two well-known examples. But in the vast majority of cases there are cheaper vulnerabilities, and almost no one has a use case that requires a provably random entropy source.

    2. Mage

      Re: what about

      You can use a zener diode and differential amp to null out PSU noise. Then ADC. The noise is random and due to quantum effects. It might want to be in an regulated oven... not sure.

      It's actually really hard to remove external periodic interference making it non-random.

      Any approach without a hardware generator is a delusion. It will be deterministic.

  4. JassMan

    But everyone knows...

    ...that ansibles work via quantum entanglement and are instantaneous throughout the entire universe, so 187 feet is not enough separation. It is obvious that the fact that they are looking at the second photon while measuring the state of the first is causing errors because of Heisenberg's uncertainty principle and these errors only appear to be random. The problem is that the heat death of the universe may occur before a repetition of data is found

    1. eldakka

      Re: But everyone knows...

      > so 187 feet

      You don't happen to build space probes do you?

      1. kventin
        Paris Hilton

        Re: But everyone knows...

        or maybe he's got really funny gait

        (Paris, because, well, if his _feet_ are this big...)

  5. scrubber

    Professor Chaos

    As Butters so safely tells us, there is a huge difference between chaos and randomness. (Hint: it's the ability to get better predictions by having more granular data.)

  6. Anonymous Coward

    A truely random number does not have to be unique !

    It may occur often, a unique random number is a JOKE, as the Random and unique number system once reproduced around the world will be the same as all the other R&N systems on every device everywhere, doing the same thing.


  7. Anonymous Coward
    Anonymous Coward

    Not new

    The ANU (the Strine Nashnul Youni) has already done this years ago. See

    1. Anonymous Coward
      Anonymous Coward

      Re: Not new

      Well, it /is/ published in Nature, after all. It doesn't need to be new, it just has to have a fancy hat to wear.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not new

        As an old prof used to say "Just because it's published in Nature doesn't mean it is necessarily wrong".

    2. Scott Glancy

      Re: Actually new

      I am one of the "boffins" involved in this research at NIST. Both our and ANU's random sources exploit quantum physics to generate randomness. The important difference between our experiment and theirs is that ours uses entangled photons whose randomness is certified by violation of a Bell Inequality. This allows confidence in the unpredictability of our randomness based on the observed correlations in the data. The proof of the randomness does not require knowledge of the workings of the experimental devices.

  8. GIRZiM

    The Observer Effect

    Doesn't the fact that we observe the value actually determine what it is? In which case, what's to stop someone being paid a lot of money to determine, in advance, that it will be '4' every time?

    What we need is a random observer. I'm pretty random and I promise not to accept bribes unless

    1. I really want to;

    2. I'm confident I'll get away with it.

    1. Oengus

      Re: The Observer Effect

      3. It is a really BIG amount so much so that I really don't care if I get away with it just so long as I get to keep the money...

      1. GIRZiM

        Re: The Observer Effect

        > It is a really BIG amount so much so that I really don't care if I get away with it just so long as I get to keep the money...

        Good thinking - nicely specific too!

  9. Frumious Bandersnatch

    how about ...

    a nice cup of hot tea?

    1. Stuart Halliday

      Re: how about ...

      Brownian motion machine?

  10. Stuart Halliday

    Pardon my ignorance. But take a picture of the sky.

    Cloud formation looks pretty random to me, so the bits making up the image should be random (assuming a working CCD)?

    1. Lee D Silver badge

      Now consider a determined state-level attacker such who might be interested in intercepting encrypted communications on a targeted and international level.

      Now he just needs a satellite picture of the sky over your head at the time they took the photo to stand a good chance of knowing enough to predict some of your "random" numbers to a certain extent.

      Not all use-cases are as simple to combat as you think, when you're talking encryption that you expect one day a government or military might use itself and/or might not want you to use.

      Random numbers are hard. Much harder than you might think. And tiny deliberate influences can drastically alter the security of them. There's a reason that there are entire books on the subject, and where most of the current traditional techniques - even on input data we're convinced is pretty random to start - revolve around hashing, mixing, eliminating higher-order bits, melding into existing pools, preserving historical pools to use for future mixing, selecting, analysing viability of and plucking numbers from random pools, etc.

      Your "random input" might well be considered untrusted external data, in effect. Someone who really wants to corrupt that pool could do so quite easily if they were determined. Hell, just by cutting your CCD and hoping you weren't checking the image wasn't all-black. 90% of handling random numbers (and 90% of coding errors where they are mishandled resulting in a security problem) is about taking only selected parts that are more likely to be random and incorporating them in such a way that their randomness leaks through but not any determined pattern or bias that may be present. The other 10% is actually getting something that looks random enough to use as source data and could probably be trusted.

      Hint: The Debian versions of OpenSSL software generated millions of certificates signed on such systems with atrociously insecure keys by failing to use proper random input and nobody noticing (they seeded from process ID, not an RNG, which varied but not truly randomly). For years. Once discovered, almost every key ever made on those systems was compromisable. Because all the fancy techniques in the world are for naught if your input isn't truly random or trusted.

      Just the JPG-artifacts in an image could give a serious attacker enough bias to compromise your RNG. Or the resolution of a particular camera. Or the post-processing algorithms in the camera biasing pixels to generate a more natural image. Or the fact that someone knows the seed picture is of the sky might well give them enough.

      As a mathematician, I have advice for people who aren't: Never think you understand randomness, encryption, statistics or probability. Just don't. Don't write code for them. Don't apply them to work things out. Don't dabble and think you understand everything. You'll make things weaker or more incorrect a billion times over before you make it stronger, no matter how clever or well-intentioned you are.

      I'm fairly certain I could sit and derive a public-key encryption/decryption algorithm, a random number generator, etc. from first-principles given enough time and a programming language. I'm also 100% certain it would be useless to the point of utter compromise upon the first serious analysis by someone who understands those fields.

      If you haven't read Numerical Recipes, go do so. It's got a maths-and-C-code heavy description of everything RNG, encryption, probability, etc. And that book is approaching 30-something years old and was never designed to cover hostile intent. It's currently holding up my coffee table, because it's thicker than my phone is wide.

      1. Claptrap314 Silver badge

        Also a mathematician here. A fun game at work is to give people a look of horror when they ask me a question about statistics. These fields really are this specialized. A non-trivial part of the graduate education of a mathematician is to teach him just how bad almost all of his ideas are.

        Please, please, PLEASE people--do not assume, unless you have gotten at A in the relevant coursework, or been similarly blessed by people who really do understand this stuff, that you can whip up some system that will be "good enough". You just don't know. Neither do I--and I know it.

    2. GIRZiM

      Re: Cloud formation looks pretty random

      Of course it isn't - how would the weather forecast be so accurate if it were random?

  11. Schultz

    True randomness, but ....

    as any claim for random number generation, this one is based on underlying assumptions about physical reality and our understanding thereof. You can always postulate hidden variables that would destroy the randomness (when we eventually understand and predict those hidden variables).

    Alternatively, you can trust our current understanding of physics and build much simpler quantum detection devices. Avalanche amplification of tunneling events (cf. or similar) is a sensible approach. The devil, of course, is in the details of the implementation.

    1. Scott Glancy

      Re: True randomness, but ....

      @Schultz, NIST's experiment proves that if hidden variables are present and determining the output, those hidden variables must be able to communicate with one another faster than light. This is why we write that our random numbers are "certified by the impossibility of superluminal signals".

      The important difference between our random source and one built from amplification of tunnelling events (or many other suggestions made in these comments) is that our randomness is certified by analysis of the data stream itself. The proof of randomness does not require knowledge of how the experimental devices are constructed. In fact, the devices could have been prepared by an adversary who wants to predict the random output. Nevertheless, quantum correlations in the data prove that the output is unpredictable.

      For us, the devil is not in the details of the implementation. The devil is in the laws of physics (as we currently understand them) and the maths.

      1. Schultz

        Re: True randomness, but ....

        Thanks for the answer ... I guess I'll have to read the full article to understand which assumptions remain :).

        1. Scott Glancy

          Re: True randomness, but ....

          We assume that:

          * Faster than light communication is impossible.

          * The experimental devices maintain no quantum entanglement with potential adversaries trying to predict the random output.

          * The distances between components and times between events are measured accurately (necessary for ensuring slower than light communication is not influencing events).

          * The computers used for processing the data are reliable.

  12. Anonymous Coward
    Anonymous Coward

    Overcoming Objections

    Easy. White Noise.

    Sorry. It won't be perfectly White. Likely a tilt in the spectrum.

    Okay then. Compensate the spectrum.

    Sorry. Even then, it'll probably be slightly biased towards 0s or 1s, due to a tiny amplitude offset from zero as impacts the comparator trigger point, and correlated to local environmental variables.

    Okay then. Perform a delta based on the sequential period to normalize it to exactly 50% each 0s/1s. Ha!

    Sorry. It'll still be slightly biased due to tiny fixed timing offsets. You can't win for trying.

    Okay then, go nuclear. Wire in a whole series of XOR gates (selectable inverters), each fed from stages of a huge binary counter, so that our signal is randomly inverted at an endless variety of periods. Hundreds of stages covering from the clock period to a thousand human lifetimes.

    On paper, it looks good. But then there's some residual power line humm at -65dB, and that's showing up in an FFT of the supposedly random output. Sorry.


    It's much harder than it might seem to overcome all objections. Close enough is easy.

    Worth mentioning that real time stream versus data stored in a file probably doesn't make very much difference. As far as I know, they're precisely equivalent. Except that the file could have some extensive QA applied before shipment. could the real time stream with a big enough buffer. .: Equivalent.

  13. Daedalus

    Just a random idea

    So you base your device on the noise generated by electronic components, like say a transistor or even a neon gas tube. Your numbers would be so random you could use them to run, oh, some kind of national lottery. Call the device Electronic Random Number Indicator Equipment. ERNIE see? Write the name in large, friendly letters on the outside. Heck, it's so obvious that you'd expect people to have thought of it decades ago.

    Oh you can call me an optimist. Or you can call me 2AL 838710.

    1. Charles 9

      Re: Just a random idea

      I believe the HAVEGE system runs on similar principles.

      This article is reaching for a higher standard: PROVABLY, TRULY random numbers.

    2. Primus Secundus Tertius Silver badge

      Re: Just a random idea

      The British Government generates random numbers on a large scale: not just with ERNIE but in everything that they say and do. That is because they are all arts graduates.

      1. Doctor Syntax Silver badge

        Re: Just a random idea

        "That is because they are all arts graduates."

        Worse. They're PPE graduates.

  14. Neil Barnes Silver badge

    Bother the random numbers

    What about the poor cat?

  15. Norman Nescio Silver badge

    Obligatory link to webcomic

    ...but not xkcd this time:

    Dilbert: Random Number Generator

  16. Tessier-Ashpool

    Pah! Nothing is random.

    The results just depend on which universe you happen to be in, that's all.

    Whoever devised our multiverse simulation isn't entirely stupid, you know.

    1. kventin

      Re: Pah! Nothing is random.

      """The results just depend on which universe you happen to be in, that's all."""

      so -- can you _switch_ universes by tweaking the results?

      (mine is the one with a copy of neal stephenson's anathem in the pocket)

  17. Tromos


    You're welcome. If you ever need another one, just give me a call.

  18. scrubber

    True randomness

    Couldn't we just use Trump's tweets?

    1. Francis Boyle Silver badge


      The inherent bias towards stupidity rules that one out.

  19. CrazyOldCatMan Silver badge

    Quantum randomness, on the other hand, is real randomness

    I'm sure that there is a mathematical proof of this somewhere (not that I'd be able to understand the maths) but is it really true? Lots of stuff have been assumed to be really random that later have been found not to be once we understand or model the underlying mechanism.

    So, since we don't really understand quantum physics terribly well at the moment, how can we be confident that the statement is true?

    1. Scott Glancy

      Re: Quantum randomness, on the other hand, is real randomness

      @CrazyOldCatMan, there is a mathematical proof in our paper, published by Nature, and we believe that it is "really true".

      As a scientific theory quantum physics is very well understood. It has been thoroughly tested over nearly 100 years in countless experiments. It is the foundation of the technologies that make the backbone of our modern economy. Physicists are beginning to despair because we are unable to find experiments in which quantum theory fails.

      Of course, quantum theory might turn out to be wrong close to black holes or in the very early universe. The issue is not that it is poorly understood, but that it has not yet been tested in these regimes.

  20. Anonymous Coward
    Anonymous Coward

    What is the difference?

    There's this system commercially available for some time: I know it's not vaporware, but I'm unsure of the working principle differences.

  21. Stumpy

    I always thought that the generator used for ERNIE (the Premium Bonds picker) was supposed to be completely random.

    It might have changed in the years since I was up at National Savings, but the generator I saw relied on two metal discs with a pattern of holes drilled in them. These rotated in opposite directions and were stored up at a high potential difference. The time taken for a spark to jump the gap between them was used as a timing signal for a random seed generator (or something along those lines).

    1. Charles 9

      I think the catch here is that it was the best that could be developed at the time, but it doesn't preclude the possibility of an entity with sufficient resources to be able to replicate/simulate the setup and predict the sparks. The mathematical principles for this machine seem sounder (Bell's theorem, by definition a proven statement) unless someone breaks the whole quantum mechanics system.

  22. Stuart Halliday

    One thing I noticed over the decades is that if I seed a RND function with a fixed time value the resultant 'random' number is different on different computers.

    So a pile of obsolete computers each feeding into each other.

    Sounds very HHGTTG.

    Good enough? :)

  23. Jason Bloomberg Silver badge


    What does amanfrommars use?

    1. An nonymous Cowerd

      Re: Randomness

      "Cryptographically, we believe that the Intel RNG is strong and that it is unlikely that any computationally feasible test will be found to distinguish data produced by Intel’s RNG library from output from a perfect RNG" ? , methinks, if he uses IvyBridge

  24. Mike 137 Silver badge

    Sounds a bit complicated.

    Jolly good stuff but maybe a bit complicated.

    Must be 40 years ago that we were using a noisy diode to generate a signal that could be converted into a random bit stream, from which we could peel off arbitrary numbers - total cost in modern terms about five quid. The randomness of that bit stream was driven by the uncertainty of the drift of electrons across the diode junction, which is quite adequate for most purposes.

    BTW there's no such thing as a random number. Randomness is a property of series or sequences (and possibly sets) not of individual entities. It describes the independence of entities with respect to each other - which is why I refer above to arbitrary numbers.

    1. Charles 9

      Re: Sounds a bit complicated.

      I disagree. Randomness can apply to new members of a set (which can be empty OR solitary), describing the likelihood a new member of the set is in any way related to the existing members of a set; a truly random new entry would have NO relation to the existing members of the set.

  25. Yes Me Silver badge

    I call BS

    "Something like a coin flip may seem random, but its outcome could be predicted if one could see the exact path of the coin as it tumbles."

    Sorry, but that's plain wrong. Everything is a quantum process; there are just a zillion zillion quanta in a coin toss, but ultimately the one quantum that determines whether the coin lands heads or tails is unpredictable. (Yes, that only applies to the small fraction of coin tosses that are too close to call from Netwonian mechanics, because of measurement error, but philosophically a coin toss is just as unpredictable as the health of Schroedinger's cat, and for the same reason.)

    1. Charles 9

      Re: I call BS

      That doesn't make sense since it's also possible to toss a coin in a predictable manner, say making it flip only once or twice. By your reasoning, even that kind of flip is unpredictable due to quantum.

    2. Charles 9

      Re: I call BS

      And as for Schroedinger's cat, it's obvious: it's a zombie, dead AND mobile at the same time.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like