
So far this chapter has been concerned solely with the distribution and authentication of cryptographic keys. This final section is concerned with the keys themselves. Even if the distribution scheme is information-theoretically secure, and the distributed key is used in an OTP cipher, it was pointed out in section 2.1.3 that the OTP is not perfectly secure if the key is not perfectly random. Simply, if the key is not random it has an element of predictability, which creates patterns in the ciphertext that can be cryptanalysed.

³ It can be assumed that a symmetric key is only possessed by someone who has received it from the secret distribution channel, and is therefore the legitimate recipient or originator of the message. The legitimate recipient is authenticated by their ability to decrypt the message. Similarly, only an originator who possesses the key is able to encrypt the message so that the same key decrypts it correctly. A legitimate originator is therefore authenticated by their ability to encrypt the message with the right key.

In terms of Shannon theory, the information-theoretic security requirement is that Eve be allowed no less than fully one bit of uncertainty for each bit of key employed. Any less and Eve has obtained some amount of certainty about the key and therefore some information which she can build on towards breaking it, even if the distribution scheme is information-theoretic. Fig. 2.4 is a graph of the binary entropy against the probability of an arbitrary key bit being ‘0’ (p) or ‘1’ (1−p). It is clear that for perfect security an arbitrary key bit must have equal probability of being ‘1’ or ‘0’. This is consistent with the formula $p_i(K) = \frac{1}{n}$ derived in section 2.1.3.

[Plot: Entropy H (bits) against Probability p]

Figure 2.4: The binary entropy of an arbitrary key bit against the probability of it being a ‘1’ or ‘0’.
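The binary entropy plotted in Fig. 2.4, together with what a biased key bit costs an OTP, can be checked numerically. The following is an added example, not part of the original text; the function names are hypothetical and the simulation uses a seeded PRNG only to stand in for plaintext and key bits.

```python
import math
import random

def binary_entropy(p):
    """H(p) in bits for a key bit that is '0' with probability p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def leak_per_key_bit(p):
    """Certainty Eve gains per key bit: 1 - H(p) bits."""
    return 1.0 - binary_entropy(p)

def eve_guess_accuracy(p0, n_bits, seed):
    """Simulate OTP encryption (c = m XOR k) with P(k = 0) = p0.

    Eve sees only c and guesses m = c XOR (most likely key bit).
    Returns the fraction of plaintext bits she guesses correctly.
    """
    rng = random.Random(seed)          # seeded PRNG: simulation only, not a key source
    likely_k = 0 if p0 >= 0.5 else 1
    correct = 0
    for _ in range(n_bits):
        m = rng.getrandbits(1)         # uniformly random plaintext bit
        k = 0 if rng.random() < p0 else 1
        c = m ^ k
        correct += (c ^ likely_k) == m
    return correct / n_bits

if __name__ == "__main__":
    # Constructed sweep over key-bit probabilities.
    for p0 in (0.5, 0.6, 0.75, 0.9):
        print(f"p={p0:.2f}  H={binary_entropy(p0):.3f} bits  "
              f"leak={leak_per_key_bit(p0):.3f} bits  "
              f"Eve accuracy={eve_guess_accuracy(p0, 20000, seed=1):.3f}")
```

At p = 0.5 Eve's guesses are no better than a coin flip; as p moves away from 0.5 her accuracy approaches max(p, 1−p) even though the cipher is still an OTP.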

Generating large amounts of good-quality random numbers for cryptographic keys has historically been a difficult problem, since computers by nature are machines of deterministic repetition. Often designers will settle for poorer quality random numbers. A famous example is an early version of Netscape’s internet browser. The cryptographic keys generated by the browser for secure applications such as internet banking were based on three easily guessable values (the time of day, the application process number and parent process number). The flaw was discovered by two Berkeley PhD students.[34]
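Why a key built from those three values is weak can be shown as an entropy audit. This is an added example, not code from the original text and not Netscape's actual algorithm: `weak_key` is a hypothetical generator, and the time window and PID limit are constructed small so the check runs quickly.

```python
import hashlib
import math
import secrets

KEY_BYTES = 16  # nominal 128-bit key

def weak_key(time_s, pid, ppid):
    """Hypothetical generator: the key is a deterministic function of
    three values that an observer can narrow down to a small range."""
    seed = f"{time_s}:{pid}:{ppid}".encode()
    return hashlib.sha256(seed).digest()[:KEY_BYTES]

def strong_key():
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def seed_entropy_bits(time_window_s, pid_max):
    """Upper bound on key entropy: log2 of the number of distinct seeds."""
    return math.log2(time_window_s * pid_max * pid_max)

def reproducible_from_seed_space(key, t_start, time_window_s, pid_max):
    """Audit check: True if some (time, pid, ppid) in range regenerates key."""
    for t in range(t_start, t_start + time_window_s):
        for pid in range(1, pid_max + 1):
            for ppid in range(1, pid_max + 1):
                if weak_key(t, pid, ppid) == key:
                    return True
    return False

if __name__ == "__main__":
    # Constructed values: 10 s window, PIDs 1..64.
    T0, WINDOW, PID_MAX = 1_000_000, 10, 64
    k_weak = weak_key(T0 + 5, 37, 12)
    k_strong = strong_key()
    print(f"nominal key length : {KEY_BYTES * 8} bits")
    print(f"seed entropy bound : {seed_entropy_bits(WINDOW, PID_MAX):.1f} bits")
    print("weak key reproducible  :",
          reproducible_from_seed_space(k_weak, T0, WINDOW, PID_MAX))
    print("CSPRNG key reproducible:",
          reproducible_from_seed_space(k_strong, T0, WINDOW, PID_MAX))
```

The key's real strength is bounded by the entropy of its seed, not by its length; the corrected design takes the key directly from the operating system's random source.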

2.3.1 Classical Random Number Generation

Since a deterministic computer cannot generate pure random numbers algorithmically it must base its numbers on random physical phenomena. Classic examples are the decay of a radioactive element or thermal (Johnson) noise. A more modern possibility is a direct measurement of quantum vacuum noise. In 1999 Intel, a major manufacturer of computer chips, introduced an onboard physical random number source.[51] The cited paper gives an accessible explanation of classical randomness and the operation of Intel’s source.

The source is based on the thermal output of current-carrying resistors. Two adjacent resistors are used and the signals subtracted. This is because non-random signals could be coupled onto a single resistor (due to a stray, or not so stray, electromagnetic field) and affect the output. The subtraction removes any signals correlated between the resistors, leaving only the pure Johnson noise. While Intel’s random number generator (RNG) design minimises the possibility of a coupled signal biasing the randomness, thermal signals can still produce a bias.
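The effect of subtracting the two resistor signals can be seen in a small simulation. This is an added example, not Intel's design or code from the original text: the Gaussian noise comes from a seeded PRNG standing in for Johnson noise, and the sinusoidal stray field, its coupling strength and the sign-based bit extraction are assumptions made for illustration.

```python
import math
import random

def simulate(n, seed, coupling=2.0):
    """Return (stray, r1, diff): the stray field, one resistor's signal,
    and the difference of two adjacent resistors' signals."""
    rng = random.Random(seed)  # stand-in for thermal noise, simulation only
    # Constructed interference: a periodic field coupled equally onto both resistors.
    stray = [math.sin(2 * math.pi * (i + 0.5) / 50) for i in range(n)]
    r1 = [rng.gauss(0, 1) + coupling * s for s in stray]
    r2 = [rng.gauss(0, 1) + coupling * s for s in stray]
    diff = [a - b for a, b in zip(r1, r2)]  # common-mode term cancels
    return stray, r1, diff

def correlation(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def predictability(signal, stray):
    """Fraction of output bits (sign of the signal) that match the sign
    of the stray field, i.e. how often knowing the field gives the bit."""
    hits = sum((v > 0) == (s > 0) for v, s in zip(signal, stray))
    return hits / len(signal)

if __name__ == "__main__":
    stray, r1, diff = simulate(5000, seed=7)
    print(f"single resistor: corr={correlation(r1, stray):+.3f}  "
          f"bit predictability={predictability(r1, stray):.3f}")
    print(f"difference     : corr={correlation(diff, stray):+.3f}  "
          f"bit predictability={predictability(diff, stray):.3f}")
```

Bits taken from a single resistor follow the coupled field most of the time, while bits taken from the difference are predicted no better than chance.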


2.3.2 Quantum Random Number Generation

Quantum theory attributes to the physical universe some fundamental uncertainties. Heisenberg’s Uncertainty Principle states that there are some circumstances where an absolute limit to knowledge can be reached, that there are situations in which no physical observer can precisely predict the outcome.[43] In these situations this unpredictability manifests itself as quantum noise, where the results of a measurement will be found to have some inherent noise despite all precautions. The quantum noise can be harnessed as a source of truly random numbers.

Radioactive decay has quantum uncertainty and so would be a suitable process on which to base a quantum random number generator (QRNG). Radioactive materials, however, are hazardous and expensive. With the advance of optical detection technology, optical QRNG is now possible. Such a device, based on the unpredictability of a single photon being transmitted or reflected from a 50% beamsplitter, is discussed in [81]. A faster and more robust device based on continuous variables has also been proposed,[55] and a trial version was used in the later stages of this project (see sections 6.1.2 and 7.2.3).

QRNG offers the possibility of perfect $p_i = \frac{1}{n}$ random number generation in a device that would be very difficult to manipulate. An optical QRNG could only be biased by optical interference, which is much easier to prevent than thermal interference as described in section 2.3.1. With optical QRNG the final piece of an information-theoretically secure cryptographic system can be put in place.
