
In computing, a hardware random number generator (HRNG) or true random number generator (TRNG) is a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscopic phenomena that generate low-level, statistically random "noise" signals, such as thermal noise, the photoelectric effect, involving a beam splitter, and other quantum phenomena. These stochastic processes are, in theory, completely unpredictable for as long as an equation governing such phenomena is unknown or uncomputable, and the theory's assertions of unpredictability are subject to experimental test. This is in contrast to the paradigm of pseudo-random number generation commonly implemented in computer programs.
A hardware random number generator typically consists of a transducer to convert some aspect of the physical phenomena to an electrical signal, an amplifier and other electronic circuitry to increase the amplitude of the random fluctuations to a measurable level, and some type of analog-to-digital converter to convert the output into a digital number, often a simple binary digit 0 or 1. By repeatedly sampling the randomly varying signal, a series of random numbers is obtained.
The main application for electronic hardware random number generators is in cryptography, where they are used to generate random cryptographic keys to transmit data securely. They are widely used in Internet encryption protocols such as Transport Layer Security (TLS).
Random number generators can also be built from "random" macroscopic processes, using devices such as coin flipping, dice, roulette wheels and lottery machines. The presence of unpredictability in these phenomena can be justified by the theory of dynamical systems and chaos theory. Even though macroscopic processes are deterministic under Newtonian mechanics, the output of a well-designed device like a roulette wheel cannot be predicted in practice, because it depends on the sensitive, micro-details of the initial conditions of each use.
Although dice have been mostly used in gambling, and as "randomizing" elements in games (e.g. role playing games), the Victorian scientist Francis Galton described a way to use dice to explicitly generate random numbers for scientific purposes in 1890.
Hardware random number generators generally produce only a limited number of random bits per second. In order to increase the available output data rate, they are often used to generate the "seed" for a faster cryptographically secure pseudorandom number generator, which then generates a pseudorandom output sequence at a much higher data rate.
Uses
Unpredictable random numbers were first investigated in the context of gambling, and many randomizing devices such as dice, shuffling playing cards, and roulette wheels, were first developed for such use. Fairly produced random numbers are vital to electronic gambling and ways of creating them are sometimes regulated by governmental gaming commissions.
Random numbers are also used for non-gambling purposes, both where their use is mathematically important, such as sampling for opinion polls, and in situations where fairness is approximated by randomization, such as and selecting jurors.
Cryptography
The major use for hardware random number generators is in the field of data encryption, for example to create random cryptographic keys and nonces needed to encrypt and sign data. They are a more secure alternative to pseudorandom number generators (PRNGs), software programs commonly used in computers to generate "random" numbers. PRNGs use a deterministic algorithm to produce numerical sequences. Although these pseudorandom sequences pass statistical pattern tests for randomness, by knowing the algorithm and the conditions used to initialize it, called the "seed", the output can be predicted. Because the sequence of numbers produced by a PRNG is in principle predictable, data encrypted with pseudorandom numbers is potentially vulnerable to cryptanalysis. Hardware random number generators produce sequences of numbers that are assumed not to be predictable, and therefore provide the greatest security when used to encrypt data.
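The two points made so far (a slow hardware source seeds a faster CSPRNG, and a deterministic generator's output is fixed by its seed) can be seen in one added example, which is not code from the original page. It is a simplified HMAC_DRBG after NIST SP 800-90A; `hardware_seed`, `MIN_SEED_BYTES` and `streams_match` are assumed names, and `os.urandom` stands in for a direct hardware RNG read.

```python
import hashlib
import hmac
import os

MIN_SEED_BYTES = 32  # assumption: 256 bits of seed material per (re)seed


def hardware_seed(n: int = MIN_SEED_BYTES) -> bytes:
    """Stand-in for a hardware RNG read (assumption): the OS generator."""
    return os.urandom(n)


class HmacDrbg:
    """Simplified HMAC_DRBG with SHA-256, after NIST SP 800-90A.

    Left out to keep the example short: reseed counter, personalization
    string, additional input and prediction resistance.
    """

    def __init__(self, seed: bytes):
        self._check(seed)
        self._key = b"\x00" * 32
        self._v = b"\x01" * 32
        self._update(seed)

    @staticmethod
    def _check(material: bytes) -> None:
        if len(material) < MIN_SEED_BYTES:
            raise ValueError("need at least %d bytes of seed material" % MIN_SEED_BYTES)

    @staticmethod
    def _mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        # Mix optional fresh material into the internal state (Key, V).
        self._key = self._mac(self._key, self._v + b"\x00" + provided)
        self._v = self._mac(self._key, self._v)
        if provided:
            self._key = self._mac(self._key, self._v + b"\x01" + provided)
            self._v = self._mac(self._key, self._v)

    def reseed(self, entropy: bytes) -> None:
        """Fold fresh hardware entropy into the running generator."""
        self._check(entropy)
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        """Return n pseudorandom bytes; many output bytes per seed byte."""
        out = bytearray()
        while len(out) < n:
            self._v = self._mac(self._key, self._v)
            out += self._v
        self._update()  # advance state so earlier output cannot be recomputed from it
        return bytes(out[:n])


def streams_match(seed: bytes, n: int = 64) -> bool:
    """True when two generators built from the same seed emit the same bytes."""
    return HmacDrbg(seed).generate(n) == HmacDrbg(seed).generate(n)


if __name__ == "__main__":
    fixed = bytes(range(32))  # constructed, publicly known seed
    print("known seed reproduces the stream:", streams_match(fixed))
    drbg = HmacDrbg(hardware_seed())
    print("1 MiB expanded from a 32-byte seed:", len(drbg.generate(1 << 20)))
```

For production key generation, use the operating system's generator (`secrets` or `os.urandom` in Python) rather than a hand-written DRBG.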
Early work
One early way of producing random numbers was by a variation of the same machines used to play keno or select lottery numbers. These involved mixed, numbered ping-pong balls with blown air, perhaps combined with mechanical agitation, and used some method to withdraw balls from the mixing chamber. This method gives reasonable results in some senses, but the random numbers generated by this means are expensive. The method is inherently slow, and is unusable for most computing applications.
On 29 April 1947, RAND Corporation began generating random digits with an "electronic roulette wheel", consisting of a random frequency pulse source of about 100,000 pulses per second gated once per second with a constant frequency pulse and fed into a five-bit binary counter. Douglas Aircraft built the equipment, implementing Cecil Hasting's suggestion (RAND P-113) for a noise source (most likely the well known behavior of the 6D4 miniature gas thyratron tube, when placed in a magnetic field). Twenty of the 32 possible counter values were mapped onto the 10 decimal digits and the other 12 counter values were discarded.
The results of a long run from the RAND machine, filtered and tested, were converted into a table, which was published in 1955 in the book ''A Million Random Digits with 100,000 Normal Deviates''. The RAND table was a significant breakthrough in delivering random numbers because such a large and carefully prepared table had never before been available. It has been a useful source for simulations, modeling, and for deriving the arbitrary constants in cryptographic algorithms to demonstrate that the constants had not been selected maliciously. The block ciphers Khufu and Khafre are among the applications which use the RAND table. ''See:'' Nothing up my sleeve numbers.
Physical phenomena with random properties
Quantum random properties
There are two fundamental sources of practical quantum mechanical physical randomness: quantum mechanics at the atomic or sub-atomic level and thermal noise (some of which is quantum mechanical in origin). Quantum mechanics predicts that certain physical phenomena, such as the nuclear decay of atoms, are fundamentally random and cannot, in principle, be predicted (for a discussion of empirical verification of quantum unpredictability, see Bell test experiments). And, because the world exists at a temperature above absolute zero, every system has some random variation in its state; for instance, molecules of gases composing air are constantly bouncing off each other in a random way (''see'' statistical mechanics.) This randomness is a quantum phenomenon as well (''see'' phonon).
Because the outcome of quantum-mechanical events cannot be predicted even in principle, they are the ‘gold standard’ for random number generation. Some quantum phenomena used for random number generation include:
* Shot noise, a quantum mechanical noise source in electronic circuits. A simple example is a lamp shining on a photodiode. Due to the uncertainty principle, arriving photons create noise in the circuit. Collecting the noise for use poses some problems, but this is an especially simple random noise source. However, shot noise energy is not always well distributed throughout the bandwidth of interest. Gas diode and thyratron electron tubes in a crosswise magnetic field can generate substantial noise energy (10 volts or more into high impedance loads) but have a very peaked energy distribution and require careful filtering to achieve flatness across a broad spectrum.
* A nuclear decay radiation source, detected by a Geiger counter attached to a PC.
* Photons travelling through a . The mutually exclusive events (reflection/transmission) are detected and associated to ‘0’ or ‘1’ bit values respectively.
* of the signal produced on the base of a reverse-biased transistor. The emitter is saturated with electrons and occasionally they will tunnel through the band gap and exit via the base. This signal is then through a few more transistors and the result fed into a Schmitt trigger.
* Spontaneous parametric down-conversion leading to binary phase state selection in a degenerate optical parametric oscillator.
* Fluctuations in vacuum energy measured through homodyne detection.
Classical random properties
Thermal phenomena are easier to detect. They are somewhat vulnerable to attack by lowering the temperature of the system, though most systems will stop operating at temperatures low enough to reduce noise by a factor of two (e.g., ~150 K). Some of the thermal phenomena used include:
* Thermal noise from a resistor, amplified to provide a random voltage source.
* Avalanche noise generated from an avalanche diode, or Zener breakdown noise from a reverse-biased Zener diode.
* Atmospheric noise, detected by a radio receiver attached to a PC (though much of it, such as lightning noise, is not properly thermal noise, but most likely a chaotic phenomenon).
In the absence of quantum effects or thermal noise, other phenomena that tend to be random, although in ways not easily characterized by laws of physics, can be used. When several such sources are combined carefully (as in, for example, the Yarrow algorithm or Fortuna CSPRNGs), enough entropy can be collected for the creation of cryptographic keys and nonces, though generally at restricted rates. The advantage is that this approach needs, in principle, no special hardware. The disadvantage is that a sufficiently knowledgeable attacker can surreptitiously modify the software or its inputs, thus reducing the randomness of the output, perhaps substantially. The primary source of randomness typically used in such approaches is the precise timing of the interrupts caused by mechanical input/output devices, such as keyboards and disk drives, various system information counters, etc.
This last approach must be implemented carefully and may be subject to attack if it is not. For instance, the forward-security of the generator in Linux 2.6.10 kernel could be broken with 2^64 or 2^96 time complexity.
Clock drift
Another variable physical phenomenon that is easy to measure is clock drift.
There are several ways to measure and use clock drift as a source of randomness.
The Intel 82802 Firmware Hub (FWH) chip included a hardware RNG using two free running oscillators, one fast and one slow. A thermal noise source (non-commonmode noise from two diodes) is used to modulate the frequency of the slow oscillator, which then triggers a measurement of the fast oscillator. That output is then debiased using a von Neumann type decorrelation step (see below). The output rate of this device is somewhat less than 100,000 bit/s. This chip was an optional component of the 840 chipset family that supported an earlier Intel bus. It is not included in modern PCs.
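The von Neumann step named above, as an added example (not code from the original page or from Intel): bits are read in non-overlapping pairs, 01 yields 0, 10 yields 1, and 00 and 11 are dropped. The biased input is a constructed, seeded simulation, all function names are assumptions, and the method removes bias only when the input bits are independent of each other.

```python
import math
import random


def von_neumann(bits):
    """Debias a bit sequence: keep the first bit of each unequal pair."""
    out = []
    it = iter(bits)
    for first, second in zip(it, it):  # non-overlapping pairs; odd tail dropped
        if first != second:
            out.append(first)
    return out


def expected_yield(p_one: float) -> float:
    """Average output bits per input bit for independent bits with P(1) = p_one.

    A pair is kept with probability 2*p*(1-p) and consumes two input bits.
    """
    if not 0.0 < p_one < 1.0:
        raise ValueError("p_one must be strictly between 0 and 1")
    return p_one * (1.0 - p_one)


def raw_bits_needed(n_out: int, p_one: float) -> int:
    """Average number of raw bits to collect for n_out debiased bits."""
    return math.ceil(n_out / expected_yield(p_one))


def biased_stream(n: int, p_one: float, seed: int):
    """Constructed test input: n independent bits with P(1) = p_one.

    Uses a seeded simulation PRNG, so it is sample data and never key material.
    """
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits) -> float:
    """Fraction of 1 bits in a non-empty sequence."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    raw = biased_stream(200_000, 0.8, seed=1)
    clean = von_neumann(raw)
    print("raw   ones fraction: %.3f" % ones_fraction(raw))
    print("clean ones fraction: %.3f" % ones_fraction(clean))
    print("kept %d of %d bits (expected about %d)"
          % (len(clean), len(raw), int(len(raw) * expected_yield(0.8))))
    print("raw bits for a 256-bit key at p=0.5:", raw_bits_needed(256, 0.5))
```

Even an unbiased source loses three quarters of its bits to this step, which is one reason debiased output rates are well below raw rates.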
All VIA C3 microprocessors have included a hardware RNG on the processor chip since 2003. Instead of using thermal noise, raw bits are generated by using four freerunning oscillators which are designed to run at different rates. The output of two are XORed to control the bias on a third oscillator, whose output clocks the output of the fourth oscillator to produce the raw bit. Minor variations in temperature, silicon characteristics, and local electrical conditions cause continuing oscillator speed variations and thus produce the entropy of the raw bits. To further ensure randomness, there are actually two such RNGs on each chip, each positioned in different environments and rotated on the silicon. The final output is a mix of these two generators. The raw output rate is tens to hundreds of megabits per second, and the whitened rate is a few megabits per second. User software can access the generated random bit stream using new non-privileged machine language instructions.
A software implementation of a related idea on ordinary hardware is included in CryptoLib, a cryptographic routine library. The algorithm is called ''truerand''. Most modern computers have two crystal oscillators, one for the real-time clock and one for the primary CPU clock; truerand exploits this fact. It uses an operating system service that sets an alarm, running off the real-time clock. One subroutine sets that alarm to go off in one clock tick (usually 1/60th of a second). Another then enters a while loop waiting for the alarm to trigger. Since the alarm will not always trigger in exactly one tick, the least significant bits of a count of loop iterations, between setting the alarm and its trigger, will vary randomly, possibly enough for some uses. Truerand doesn't require additional hardware, but in a multi-tasking system great care must be taken to avoid non-randomizing interference from other processes (e.g., in the suspension of the counting loop process as the operating system scheduler starts and stops assorted processes).
The RDRAND opcode will return values from an onboard hardware random number generator. It is present in Intel Ivy Bridge processors and AMD64 processors since 2015.
Dealing with bias
The bit-stream from such systems is prone to be biased, with either 1s or 0s predominating. There are two approaches to dealing with bias and other artifacts. The first is to design the RNG to minimize bias inherent in the operation of the generator. One method to correct this feeds back the generated bit stream, filtered by a low-pass filter, to adjust the bias of the generator. By the central limit theorem, the feedback loop will tend to be well-adjusted 'almost all the time'. Ultra-high speed random number generators often use this method. Even then, the numbers generated are usually somewhat biased.
Software whitening
A second approach to coping with bias is to reduce it after generation (in software or hardware). There are several techniques for reducing bias and correlation, often called "whitening" algorithms, by analogy with the related problem of producing white noise from a correlated signal.
John von Neumann invented a simple algorithm to fix simple bias and reduce correlation. It considers two bits at a time (non-overlapping), taking one of three actions: when two successive bits are equal, they are discarded; a sequence of 1,0 becomes a 1; and a sequence of 0,1 becomes a zero. It thus represents a falling edge with a 1, and a rising edge with a 0. This eliminates simple bias, and is easy to implement as a computer program or in digital logic. This technique works no matter how the bits have been generated. It cannot assure randomness in its output, however. What it can do (with significant numbers of discarded bits) is transform a biased random bit stream into an unbiased one.
Another technique for improving a near random bit stream is to exclusive-or the bit stream with the output of a high-quality cryptographically secure pseudorandom number generator such as Blum Blum Shub or a strong stream cipher. This can improve decorrelation and digit bias at low cost; it can be done by hardware, such as an FPGA, which is faster than doing it by software.
A related method which reduces bias in a near random bit stream is to take two or more uncorrelated near random bit streams, and exclusive-or them together. Let the probability of a bit stream producing a 0 be 1/2 + ''e'', where −1/2 ≤ ''e'' ≤ 1/2. Then ''e'' is the bias of the bitstream. If two uncorrelated bit streams with bias ''e'' are exclusive-or-ed together, then the bias of the result will be 2''e''². This may be repeated with more bit streams (see also the Piling-up lemma).
Some designs apply cryptographic hash functions such as MD5, SHA-1, or RIPEMD-160 or even a CRC function to all or part of the bit stream, and then use the output as the random bit stream. This is attractive, partly because it is relatively fast.
Many physical phenomena can be used to generate bits that are highly biased, but each bit is independent from the others.
A Geiger counter (with a sample time longer than the tube recovery time) or a semi-transparent mirror photon detector both generate bit streams that are mostly "0" (silent or transmission) with the occasional "1" (click or reflection).
If each bit is independent from the others, the Von Neumann strategy generates one random, unbiased output bit for each of the rare "1" bits in such a highly biased bit stream.
Whitening techniques such as the Advanced Multi-Level Strategy (AMLS) can extract more output bits – output bits that are just as random and unbiased – from such a highly biased bit stream.
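The von Neumann step, the 2''e''² result for exclusive-or-ed streams, and the behaviour on a mostly-"0" source can all be checked numerically. The following is an added example, not code from the original page; the function names are hypothetical and a seeded software generator stands in for the physical source.

```python
import random

def von_neumann(bits):
    """Non-overlapping pairs: 1,0 -> 1; 0,1 -> 0; equal pairs are discarded."""
    out = []
    for i in range(0, len(bits) - 1, 2):   # a trailing unpaired bit is dropped
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)                  # falling edge -> 1, rising edge -> 0
    return out

def xor_streams(s1, s2):
    """Bitwise exclusive-or of two equally long streams."""
    return [a ^ b for a, b in zip(s1, s2)]

def bias(bits):
    """The page's e, where P(0) = 1/2 + e."""
    return bits.count(0) / len(bits) - 0.5

def biased_source(n, p_zero, rng):
    """Constructed stand-in for a physical source: independent bits, P(0) = p_zero."""
    return [0 if rng.random() < p_zero else 1 for _ in range(n)]

def demo(seed=1234, n=200_000, e=0.2):
    rng = random.Random(seed)              # seeded so the run is repeatable
    a = biased_source(n, 0.5 + e, rng)
    b = biased_source(n, 0.5 + e, rng)
    geiger = biased_source(n, 0.99, rng)   # mostly 0 with an occasional 1
    vn = von_neumann(a)
    return {
        "raw_bias": bias(a),                           # about e
        "xor_bias": bias(xor_streams(a, b)),           # about 2*e**2
        "vn_bias": bias(vn),                           # about 0
        "vn_yield": len(vn) / n,                       # about 1/4 - e**2 per input bit
        "geiger_out_per_one": len(von_neumann(geiger)) / geiger.count(1),
    }

# Failure mode: correlation is not removed. A strictly alternating input is
# perfectly predictable, yet every pair is a falling edge, so the output is all 1s.
ALTERNATING = von_neumann([1, 0] * 8)

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
    print("alternating input ->", ALTERNATING)
```

The alternating case is why the raw source still needs its own testing: the debiaser only guarantees unbiased output when the input bits are independent.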
PRNG with periodically refreshed random key
Other designs use what are believed to be true random bits as the key for a high quality block cipher algorithm, taking the encrypted output as the random bit stream. Care must be taken in these cases to select an appropriate block mode, however. In some implementations, the PRNG is run for a limited number of digits, while the hardware generating device produces a new seed.
Using observed events
Software engineers without true random number generators often try to develop them by measuring physical events available to the software. An example is measuring the time between user keystrokes, and then taking the least significant bit (or two or three) of the count as a random digit. A similar approach measures task-scheduling, network hits, disk-head seek times and other internal events. One Microsoft design includes a very long list of such internal values, a form of cryptographically secure pseudorandom number generator. Lava lamps have also been used as the physical devices to be monitored, as in the Lavarand system.
The method is risky when it uses computer-controlled events because a clever, malicious attacker might be able to predict a cryptographic key by controlling the external events. It is also risky because the supposed user-generated event (e.g., keystrokes) can be spoofed by a sufficiently ingenious attacker, allowing control of the "random values" used by the cryptography.
However, with sufficient care, a system can be designed that produces cryptographically secure random numbers from the sources of randomness available in a modern computer. The basic design is to maintain an "entropy pool" of random bits that are assumed to be unknown to an attacker. New randomness is added whenever available (for example, when the user hits a key) and an estimate of the number of bits in the pool that cannot be known to an attacker is kept. Some of the strategies in use include:
* When random bits are requested, return that many bits derived from the entropy pool (by a cryptographic hash function, say) and decrement the estimate of the number of random bits remaining in the pool. If not enough unknown bits are available, wait until enough are available. This is the top-level design of the "/dev/random" device in Linux, written by Theodore Ts'o and used in many other Unix-like operating systems. It provides high-quality random numbers so long as the estimates of the input randomness are sufficiently cautious. The Linux "/dev/urandom" device is a simple modification which disregards estimates of input randomness, and is therefore rather less likely to have high entropy as a result.
* Maintain a stream cipher with a key and initialization vector (IV) obtained from an entropy pool. When enough bits of entropy have been collected, replace both key and IV with new random values and decrease the estimated entropy remaining in the pool. This is the approach taken by the Yarrow library. It provides resistance against some attacks and conserves hard-to-obtain entropy.
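The first strategy, a hashed pool with a cautious estimate that makes readers wait, can be sketched as follows. This is an added illustration, not the Linux or Yarrow code; the class, its method names, the 256-bit cap and the per-event credit values are assumptions chosen for the example.

```python
import hashlib

class EntropyPool:
    """Toy hash-based pool that tracks how many bits an attacker cannot know."""

    def __init__(self):
        self.state = bytes(32)
        self.estimate_bits = 0
        self.counter = 0

    def add_event(self, data, credited_bits):
        # Mix every event in, but credit only what the caller dares to claim.
        self.state = hashlib.sha256(self.state + data).digest()
        # The state is 256 bits wide, so it can never hold more than that.
        self.estimate_bits = min(256, self.estimate_bits + credited_bits)

    def read(self, nbytes):
        """Return nbytes of output, or None when the estimate says to wait."""
        need = 8 * nbytes
        if need > self.estimate_bits:
            return None
        out = b""
        while len(out) < nbytes:
            self.counter += 1
            block = b"out" + self.state + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
        # Ratchet the state so a later compromise does not reveal earlier output.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.estimate_bits -= need
        return out[:nbytes]

def demo():
    pool = EntropyPool()
    early = pool.read(16)                  # nothing credited yet
    for i in range(200):                   # events an attacker could control: credit 0
        pool.add_event(b"net:%d" % i, 0)
    still_blocked = pool.read(16)
    for i in range(128):                   # constructed keystroke timings, 1 bit each
        pool.add_event((1000 + 37 * i).to_bytes(4, "big"), 1)
    key = pool.read(16)
    return early, still_blocked, key, pool.estimate_bits, pool.read(1)

if __name__ == "__main__":
    early, still_blocked, key, left, after = demo()
    print(early, still_blocked, key.hex(), left, after)
```

Events that an attacker may control are still mixed in but credited zero bits, which is how a cautious estimate addresses the spoofing risk described above.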
(De)centralized systems
A true random number generator can be a (de)central service. One example of a centralized system where a random number can be acquired is the ''randomness beacon service'' from the National Institute of Standards and Technology; another example is Random.org, a service that uses atmospheric noise to generate random binary digits (bits).
As an example of a decentralized system, the Cardano platform uses the participants of their decentralized proof-of-stake protocol to generate random numbers.
Problems
It is very easy to misconstruct hardware or software devices which attempt to generate random numbers. Also, most 'break' silently, often producing decreasingly random numbers as they degrade. A physical example might be the rapidly decreasing radioactivity of the smoke detectors mentioned earlier, if this source were used directly. Failure modes in such devices are plentiful and are complicated, slow, and hard to detect. Methods that combine multiple sources of entropy are more robust.
Because many entropy sources are often quite fragile, and fail silently, statistical tests on their output should be performed continuously. Many, but not all, such devices include some such tests into the software that reads the device.
Attacks
Just as with other components of a cryptography system, a software random number generator should be designed to resist certain attacks. Defending against these attacks is difficult without a hardware entropy source.
Estimating entropy
There are mathematical techniques for estimating the entropy of a sequence of symbols. None are so reliable that their estimates can be fully relied upon; there are always assumptions which may be very difficult to confirm. These are useful for determining if there is enough entropy in a seed pool, for example, but they cannot, in general, distinguish between a true random source and a pseudorandom generator. This problem is avoided by the conservative use of hardware entropy sources.
Performance test
Hardware random number generators should be constantly monitored for proper operation. RFC 4086, FIPS Pub 140-2 and NIST Special Publication 800-90b (Elaine Barker and John Kelsey, ''Recommendation for the Entropy Sources Used for Random Bit Generation'', NIST SP 800-90b) include tests which can be used for this. Also see the documentation for the New Zealand cryptographic software library cryptlib.
Since many practical designs rely on a hardware source as an input, it will be useful to at least check that the source is still operating. Statistical tests can often detect failure of a noise source, such as a radio station transmitting on a channel thought to be empty, for example. Noise generator output should be sampled for testing before being passed through a "whitener." Some whitener designs can pass statistical tests with no random input. While detecting a large deviation from perfection would be a sign that a true random noise source has become degraded, small deviations are normal and can be an indication of proper operation. Correlation of bias in the inputs to a generator design with other parameters (e.g., internal temperature, bus voltage) might be additionally useful as a further check. Unfortunately, with currently available (and foreseen) tests, passing such tests is not enough to be sure the output sequences are random. A carefully chosen design, verification that the manufactured device implements that design and continuous physical security to insure against tampering may all be needed in addition to testing for high value uses.
See also
* AN/CYZ-9
* Bell test experiments
* /dev/random
* ERNIE
* List of random number generators
* Lottery machine
* Randomness extractor
* RDRAND
* Trusted Platform Module
External links
* ProtegoST SG100, ProtegoST, "Hardware Random Number Generator", "Based on quantum physics random number source from a zener diode".