Randomness

70 Subsection 2.1.1 provides an intuitive notion of randomness, which will be made precise in a mathematical sense in section 2.3.

2.1.1. Concept of Randomness and Random Experiments

71 The core of any non-deterministic (true) random number generator (TRNG) is the entropy source that, loosely speaking, “generates” randomness.

72 An experiment is called unpredictable if the observable outcome of the experiment is (to a certain extent) unknown before it is conducted. After the experiment has been performed, the degree of uncertainty depends on the ability to observe the outcome. In this document we denote the outcome of an experiment as random if it is unpredictable, i.e., if it cannot be predicted with certainty. Entropy quantifies the amount of unpredictability relative to the observer.

73 Experiments are called independent if the outcomes of previous experiments do not influence the outcome of the current experiment.

74 A random experiment is called unbiased, if each admissible outcome has the same chance of occurring.

75 Ideal random experiments are unpredictable, independent and unbiased (ideal randomness).

Ideal randomness excludes order and regularity in the sequence of outcomes of repeated experiments unless these occur by chance. Any deviation from these properties, i.e., dependency or bias, makes the experiment less random.

76 The goal of any true RNG is clearly to generate ideal random numbers. However, real-world RNGs can only achieve this goal approximately. The key point of any RNG evaluation is to verify to what extent the TOE guarantees fulfillment of this goal.

77 How can we determine to what extent an experiment is random (bias, dependencies)? Assume that an attacker knows the outcomes of many previous experiments. Why should he not be able to guess future outcomes? It is meaningless to argue about randomness on the basis of a single run of an experiment or on the basis of a small number of experiments. The “randomness” of an experiment can only be observed asymptotically. A statistical test that applies a computable function tests the hypothesis of whether the sequence of outcomes is “typical” in some sense.

Ideal random sequences belong to any (before the observation of the experiments) reasonably defined “majority” of sequences with overwhelming probability, not showing any regularity

patterns that can be detected by this statistical test⁵. Any finite collection of statistical tests can only check for finitely many types of regularity. A statistical test may not contradict or it may reject the randomness hypothesis under specific assumptions, but this cannot serve as a proof for the randomness of an arbitrary experiment. Testing the randomness of RNG output sequences is computationally hard under “black box assumptions”. Hence, it is important to understand the nature of the random source to rate the randomness of number generation.

2.1.2. Random number generators (RNGs)

78 Generally, an RNG consists of a deterministic part (entropy source) that generates non-predictable digital data, and a deterministic part that generates from this data the output sequence of the RNG (random numbers). The non-deterministic part of the RNG exploits a physical entropy source or any other kind of non-physical entropy source to generate a raw random number sequence, which is deterministically post-processed. Either the deterministic part or the non-deterministic part may be omitted, giving a pure PTRNG or a pure DRNG, respectively.

PTRNG

79 The core of any physical RNG (PTRNG) is the entropy source, which is used to generate the raw random numbers. By exploiting an analogue signal, a digitization mechanism generates a sequence of digital “raw” data (raw random numbers; usually das-random numbers).

Additionally, the PTRNG may comprise a post-processing algorithm that transforms the raw

data to internal random numbers.

Note that formally a missing post-processing algorithm can be interpreted as the identity mapping.

80 Physical entropy sources are based on physical microscopic random processes. Measurements of these processes result in digital random numbers. Examples of time-discrete physical entropy sources are:

- Radioactive atomic disintegration: The number of decay events (detected particles) per time interval follows a Poisson distribution (cf. [Neue04], section 4.1).

- Shot entropy of a diode: The shot entropy of a parallel-plane temperature-limited diode is non-deterministic. The number of electrons emitted from the tube’s cathode during a time interval follows a Poisson distribution (cf. [DaR087], section 7-2).

The Poisson distribution implies that the inter-occurrence waiting time between consecutive events is exponentially distributed.

81 A large number of discrete random events like e.g. emitted electrons may be observed as analogue entropy signal. Examples of analogue physical entropy sources are (cf. [BuLu08] for examples):

- Thermal resistive entropy: The voltage between resistors varies randomly due to vibration of atoms. Ideally, the thermal entropy signal has the same energy in all

frequency bands (so called “white entropy”). Sampling an ideally-amplified white entropy signal generates a sequence of independent bits.

- Diode breakdown entropy: The reverse current through diodes varies randomly due to tunnelling of electrons. The power of the entropy signal is inversely proportional to the frequency.

- Free running oscillators generate digital signals with an edge-to-edge random analogue time drift (jitter). Sampling a fast oscillator by a lower frequency oscillator generates a random bit signal. If the standard deviation of the slow oscillator is considerably greater than the fast period, the sampled bit sequence may be expected to be uncorrelated.

82 A typical goal of algorithmic post-processing may be to extract entropy from the das-random numbers sequence in order to increase the entropy per bit, e.g., to correct a given bias. Note that increasing the entropy per bit demands data compression, reducing the output rate. A cryptographic post-processing algorithm may be viewed as an additional security anchor.

NPTRNG

83 A non-physical true RNG (NPTRNG) uses external signals as entropy source to generate random numbers for output.

84 Examples of such external entropy sources are:

- Processes as disk I/O operations and interrupts (cf. e.g. Linux RNG /dev/random [GuPR06]).

- System data as tick counter since system boot, process and thread IDs, current local time (cf. e. g., function CryptGenRandom of Microsoft Windows CE Enhanced Cryptographic Provider 5.01.01603 [MSCE06]).

- Human interaction as mouse movement and key strokes (cf. PGP key generation [PGP]).

85 The NPTRNG are based on the concept of randomness as lack of information about processes and their outcomes. If a huge amount of data from different sources are collected and mapped onto a shorter sequence (e.g., by a hash function), the output value will appear random to an observer who neither knows the source data nor is able to control them.

DRNG

86 A deterministic RNG (DRNG) generates random numbers with a deterministic algorithm and starts with a randomly selected seed. The output sequence depends on the seed and possibly also on additional external input values.

87 Examples:

- Deterministic random bit generators based on hash functions, as described in [ISO18031], Annex C.

- NIST-recommended DRNG based on hash functions or block ciphers [NIST800-90].

88 A DRNG may be viewed as a finite automaton that receives input (seed and possibly also additional external input). The DRNG updates the internal state (possibly also considering additional input) and generates output that depends on the current internal state and possibly on additional input. The DRNG (or more generally, the deterministic part of an RNG) may gain entropy from the seed and possibly from additional input during the operational work (reseeding or refreshing). The seed and the additional input may be provided by different sources.

89 A DRNG may be based on the concept of complexity-theoretic randomness (cf. e.g. [Calu02]

for details). The sequences generated by a DRNG then shall be computationally indistinguishable from random sequences generated by computational power.

Hybrid RNG

90 A hybrid RNG combines the design principles of true and deterministic RNGs, in particular, it consists of an entropy source and a deterministic part. The entropy source of a hybrid PTRNG should provide at least as much entropy as the output random numbers might at most contain⁶. Loosely speaking, this means that the entropy source must generate at least so much entropy that a perfect post-processing algorithm might generate an ideal output sequence. A hybrid DRNG usually gets (considerably) less entropy from the entropy source by reseeding (or refreshing) than the length of its output measured in bits. Roughly speaking, the security of hybrid PTRNGs relies on both the entropy of the output sequences and the computational complexity, while the security of hybrid DRNGs essentially relies on computational complexity.