Random number generation is critical to many security protocols: it is a basic building block on which the robustness of many security solutions rests. Quantum physics offers a very attractive approach to True Random Number Generation, based on the inherent randomness of some physical phenomena. Naturally, there are a number of quantum random number generators on the market. In this work, we present the first analysis of a popular commercial family called Quantis, designed and manufactured by ID Quantique. Statistical tests are performed to determine whether captured sequences exhibit sufficient randomness. Dieharder and NIST STS 2.1.2 are included in many certification schemes, whilst ENT provides a free, simple and powerful means of expanding on the previous tests. The Quantis devices under examination have achieved METAS and other independent certifications, and indeed the results over the Dieharder and NIST batteries confirm that the certifications awarded are based on an acceptable performance on both sets of tests. However, ENT finds strong evidence of significant biases in Quantis devices. These biases are analysed to identify their traits and attempt to isolate their root cause. We end with a discussion on the need to expand testing strategies to incorporate lesser-known tests that regularly detect problems that the commonly accepted batteries do not. These analyses are extended to three more contemporary QRNG sources: ComScire's PQ32MU, Humboldt's Physik server and the ANU QRNG server. The identification of weaknesses in generators that have passed official certification schemes raises important questions that must be addressed. The ongoing work based on these findings seeks to identify flaws in current testing regimens and suggest appropriate procedures and tests to ensure that application-specific definitions of 'sufficient randomness' are achieved by target devices prior to certification.
Darren Hurley-Smith is a Research Associate in Computer Security at the School of Computing of the University of Kent, in the UK. He received a BEng degree in Computer Systems and Hardware Design in 2012, and a PhD in Computer and Network Security in 2015, from the University of Greenwich. His interests are in statistical testing of Random Number Generators, RFID/NFC Security, Mobile Ad Hoc Network Security, and Cryptocurrency. He also has a keen interest in ransomware, the economics of cyber-crime, and autonomous aerial systems.
Cornwallis South West,
University of Kent,
Details: Open to everyone, especially those interested in security research
Contact: Budi Arief