

Quantum Random Number Generator Created Using A Smartphone Camera - adamnemecek
https://medium.com/the-physics-arxiv-blog/602f88552b64

======
jackgavigan
This article defines a "quantum random number generator" (QRNG) as "a device
that exploits the probabilistic nature of quantum mechanics to produce a
sequence of entirely random digits" and claims that QRNGs are "complex,
expensive devices".

Firstly, people have been building RNGs from web cams and radioactive sources
cannibalized from smoke detectors for years, at a total cost of less than
$100. Radioactive decay is a quantum process so it seems fair to describe
these as QRNGs.

Secondly, the smartphone camera-based random number generator (SCRNG)
described in the article/paper does not appear to generate its random numbers
from quantum-level events (i.e. the emission of individual photons). The
classic model for quantum cryptography uses a half-silvered mirror to create a
quantum state by introducing uncertainty over whether an individual photon has
been deflected or not. The SCRNG is not observing individual photons. Instead,
it's using the variation between the observed number of electrons that are
generated as a result of exposing the camera to a light source, and the number
of electrons that the light source is _expected_ to generate. Because the
variation is random (i.e. the entropy is high enough), this generates random
numbers but I question whether it's really a QRNG.

Disclaimer: I am not a physicist so I could be wrong. In fact, the question of
whether I'm right or wrong is currently in a quantum superposition, pending
"observation" by someone who is suitably qualified to determine whether I'm
right or wrong. ;-)

~~~
nabla9
For the purpose of this discussion there are two types of noise in
electronics: shot noise and thermal noise.

Shot noise is discrete noise that happens when single electrons are emitted
and adsorbed. Shot noise is quantum noise and can't be reduced by cooling and
don't vary with frequency.

Thermal noise is noise that depends on the temperature of the circuit.
Temperature increases the energy of material and this energy allows electrons
to bounce around more creating noise.

For the purpose of QRNG, you don't have to separate shot noise from thermal
noise if you know the shot noise to thermal noise ratio. We are not interested
of knowing actual bits generated by shot noise. We just want to collect enough
random bits so that we can guarantee that there is enough quantum randomness
to make the quality equal to just quantum bits. For example, if the ratio is
1/100, we collect more than 100 bits and mix them together to get one bit of
quantum randomness. Shot noise is amplified and has easily detectable effects
in in p-n junctions (diodes, photodectectors).

~~~
analog31
That sounds reasonable. For a camera sensor, the noise budget is made up of
four primary terms:

1\. So called "fixed pattern noise," i.e., a pixel by pixel pattern in the
measured value that isn't reduced by averaging. This pattern would be a
"fingerprint" of the camera, probably long term if not forever. You can make a
well averaged measurement of the fixed pattern (somewhat temperature
dependent) and subtract it from subsequent exposures.

2\. Thermal noise of the amplifier that converts charge into a signal that can
be read by the analog-to-digital converter. This is referred to as "readout
noise."

3\. Shot noise in "good" photocurrent, i.e., photons from the scene being
converted into charge. This becomes dominant at higher light levels, as it's
proportional to the square root of photocurrent.

4\. Shot noise in "bad" photocurrent, i.e., a constant leakage current in the
light sensitive elements, whose magnitude is temperature dependent.

------
ghshephard
The article is a little breathless about how "...physicists have long searched
for other ways to make genuinely random numbers based on physical processes
that produce random outcomes. "

My understanding is it's pretty straightforward to do so - here's a nice
little device available on tindie:

[https://www.tindie.com/products/ubldit/truerng-hardware-
rand...](https://www.tindie.com/products/ubldit/truerng-hardware-random-
number-generator/)

And here is the physical process it's based on from a (5 year old) paper.

[http://cockrum.net/Implementation_of_ECC_on_an_8-bit_microco...](http://cockrum.net/Implementation_of_ECC_on_an_8-bit_microcontroller.pdf)

And, not to be pedantic, but you really only need a small amount of entropy to
seed your PRNG - for all practical purposes, the rest of the random bits can
be computationally generated.

~~~
jgrahamc
This article seems to be talking about using quantum effects for random number
generation.

The devices you point to use the semiconductor avalanche effect
([http://en.wikipedia.org/wiki/Avalanche_breakdown](http://en.wikipedia.org/wiki/Avalanche_breakdown))
which is a thermal effect.

~~~
nabla9
Avalanche effect from shot noise is quantum noise.

------
dekhn
Doesn't anybody else think the real intersting observation is that commodity
cameras are approaching unitary quantum efficiency?

In short: we're mass producing quantum-scale-detectors and deploying them to
billions of humans. That in itself is pretty extraordinary.

------
downer73
No thanks.

My banking app does not need access to my phone's camera "for security"
purposes.

My banking app will more than likely be snapping photos of me at the time of
the transaction, encrypting them, and then transmitting the images back to
themselves as opaque binary blobs (claiming that they are part of the normal
transaction data, even though they add 3MB to the bandwidth, because
security), and retaining them for audit, in case there's a security breach,
and securing their unfortunate scenario for their own purposes with ordinary
photographic information, and never actually generating "quantum" random seed
information (their database fell into the wrong hands, but they have upwards
of 20,000 distinct, recognizable faces as a starting point for a possible ID
during the subsequent postmortem and investigation). All while receiving
kickbacks from the NSA for for sharing geotagged facial recognition images for
their world domination scheme.

In this situation, cameras become a dual-use technology. Maybe they're used
for a QRNG or maybe something else?

How would I honestly ever know whether my bank was lying to me about what it's
really using my camera for?

~~~
sexmonad
The obvious solution for this would be for Android to expose "derive random
numbers from image frame" as a permission. But this is unnecessary, because
they can just seed /dev/random from this source at boot (or if the device is
unseeded).

That said, mobile devices really aren't lacking in entropy sources. With all
the radios and sensors in a modern smartphone, why do they need additional
methods to generate random numbers?

For information security purposes, a cryptographically secure PRNG is
typically at least as secure as the encryption algorithms that it protects.

------
dlss
It's unfortunate that this requires an LED shone at the camera. I hope
something similar can be done using just the variation between frames w/o
needing controlled illumination.

~~~
zrgiu_
that's the beauty of it: the randomness is "bigger" for objects illuminated
"just right" (half way through completely dark and 100% bright), but it still
works for pictures taken in less than ideal conditions. And it's all because
of the imperfections in all smartphone cameras. Out of 100.000 pictures taken
in the exact same position with the same camera, do you think you can get two
100% identical ones? Even if you could get the exact same conditions
(illumination, position, etc.), there are always factors like that tiny little
bit of degradation that happens each second you expose the sensor to light.

------
joelberman
Two uses of quantum effects are 1. Generating random numbers, 2. Entangling
bits to detect "man in the middle".

The point of this discovery is to decide whether it improves the security of
smartphone communications. If yes, it will upset governments, if no, it is an
interesting observation.

------
sgloutnikov
Glad to see the N9 do one more good deed during the rough path it has been on.
Simply love how open that phone and OS is. Yeah, they could have tested this
on any phone probably, but I still felt a little tingling inside when I saw it
mentioned :)

------
JacobEdelman
A RNG with 10^118 secure bits isn't really that great at all. All I need is a
49 character entirely random password or a 36 word long xkcd-936 complaint
password. I can then use them as my key/seed for secure cryptosystem (RSA or
Rabin's) and then generate on the order of 10^118 bits before my system is
breakable. QRNG's are only useful when you need large amounts of random data
are needed for a (relatively) slow device. The average person has little need
of a QRNG. That said, the work itself is an interesting method to create one,
its just that the article makes it sound like something its not. (I'm not a
cryptologist, so feel free to correct me.)

------
frozenport
Can you mess it up? Take your friends phone, point it at a known pattern and
send tons of insecure data?

~~~
sillysaurus3
_Can you mess it up?_

Lay the phone's camera facedown on computer desk. It'll probably be a black
picture.

There's still noise in the picture even if it's entirely black, but Whether
it's possible to generate secure random numbers via nothing but that noise is
an open question.

~~~
frozenport
Also saturate the sensor, then you don't get noise.

~~~
userbinator
In my experience even a "saturated" sensor (with light bright enough to cause
all pixels to read full-white, but not bright enough to cause damage) will
still generate some random noise, although far less of it.

(Ironically, the cheaper the camera the more noise it is likely to have, and
thus be better for this application...)

------
tnash
If someone could build this into a usb key, I'd buy one for each of my servers
in a heartbeat.

~~~
sexmonad
[https://www.tindie.com/products/ubldit/truerng-hardware-
rand...](https://www.tindie.com/products/ubldit/truerng-hardware-random-
number-generator/)

But I'll give two cautions:

1\. This device has received less auditing than linux's software crypto. And
some HWRNGs are quite bad:
[https://news.ycombinator.com/item?id=6060636](https://news.ycombinator.com/item?id=6060636)

2\. You don't really need that much randomness. After your machine has been on
for a while and has seeded correctly, /dev/urandom is just as secure as
/dev/random. Entropy is not gasoline - it does not disappear as you use it.

------
coin
I'll put in my usual -1 rant for medium disabling zoom on tablets

