Researchers Create World's First Completely Verifiable Random Number Generator (nature.com)
Researchers have built a breakthrough random number generator that solves a critical problem: for the first time, every step of creating random numbers can be independently verified and audited, with quantum physics guaranteeing the numbers were truly unpredictable.
Random numbers are essential for everything from online banking encryption to fair lottery drawings, but current systems have serious limitations. Computer-based generators follow predictable algorithms -- if someone discovers the starting conditions, they can predict all future outputs. Hardware generators that measure physical processes like electronic noise can't prove their randomness wasn't somehow predetermined or tampered with.
The new system, developed by teams at the University of Colorado Boulder and the National Institute of Standards and Technology, uses quantum entanglement -- Einstein's "spooky action at a distance" -- to guarantee unpredictability. The setup creates pairs of photons that share quantum properties, then sends them to measurement stations 110 meters apart. When researchers measure each photon's properties, quantum mechanics ensures the results are fundamentally random and cannot be influenced by any classical communication between the stations.
The team created a system called "Twine" that distributes the random number generation process across multiple independent parties, with each step recorded in tamper-proof digital ledgers called hash chains. This means no single organization controls the entire process, and anyone can verify that proper procedures were followed. During a 40-day demonstration, the system successfully generated random numbers in 7,434 of 7,454 attempts -- a 99.7% success rate. Each successful run produced 512 random bits with mathematical certainty of randomness bounded by an error rate of 2^-64, an extraordinarily high level of confidence.
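An added illustration of the hash-chain ledger idea in the summary (this is not Twine's protocol or the paper's code): independent parties append their steps to a chain where each entry commits to the previous entry's hash, so an auditor can recompute the whole chain and detect any altered or reordered step. Party names, step names and payloads are constructed sample values.

```python
# Added illustration (not Twine's actual protocol): a multi-party hash-chain
# ledger where each independent party appends its step and anyone can later
# re-derive the chain from the genesis value to detect tampering.
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the chain's starting hash


def entry_hash(prev_hash: str, party: str, step: str, payload: str) -> str:
    """Hash of one ledger entry, bound to the previous entry's hash."""
    record = json.dumps([prev_hash, party, step, payload], separators=(",", ":"))
    return hashlib.sha256(record.encode()).hexdigest()


def append(ledger: list, party: str, step: str, payload: str) -> dict:
    """Append a step recorded by `party`; the entry commits to everything before it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev, "party": party, "step": step, "payload": payload,
             "hash": entry_hash(prev, party, step, payload)}
    ledger.append(entry)
    return entry


def verify(ledger: list) -> bool:
    """Recompute every hash from GENESIS; an edited, dropped or reordered
    entry breaks the link to its successor and the check fails."""
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev:
            return False
        if entry_hash(prev, e["party"], e["step"], e["payload"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def demo_ledger() -> list:
    """Constructed sample run: three hypothetical parties each log one step."""
    ledger = []
    append(ledger, "source-lab", "measurement-settings", "basis=0101")
    append(ledger, "extractor", "raw-measurements", "bits=1101001110110100")
    append(ledger, "auditor", "extracted-output", "out=block-0001")
    return ledger
```

Because each party's entry is chained to the one before it, a party that rewrites its own step and recomputes its own hash still breaks the link held by the next party's entry.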
so what happened? (Score:1)
What happened the other 20 times? was there a failure to generate a result or was the number not random?
Re: (Score:2)
Seems like that would affect your distribution/statistics.
Re:so what happened? (Score:5, Informative)
It's a very good question. It looks like it was mainly failures to generate a result within a predetermined time. Some of the failures were due to cryostat hardware failures (a fridge went out during a NIST campus closure); some due to fiber + interferometer polarization drifts; and so on. It also appears that [perhaps?] a few of the misses are due to latencies in the timetaggers to record a common timebase. I can't quite tell from the arXived version of the paper: https://arxiv.org/abs/2411.052... [arxiv.org]
All in all, it's a marvelously good overview of the impressive experiment!
Re: (Score:1, Informative)
Those other ones were random too, this one is free of "loopholes" in that each bit measured by a station happens in that instant and is outside of the opposite station's light cone (timewise and spacewise, 110m apart). Two stations confirm that they have the same random string with some cryptographic technique.
The "traceable" thing is a bit of an academic boast, what it means here is that you can independently verify the randomness was not tampered-with, based on the applicable laws of quantum mechanics. Pr
Re: so what happened? (Score:2)
That's true but it's not a counterexample.
You're replying to someone who said that the workaround is to use external entropy, and your example makes no attempt to use external entropy.
Low-tech workaround: read some bits from a microphone input that has no microphone connected. It'll probably pick up some noise.
Why is this a thing? (Score:3)
I know it's important to start with something truly random but why is this better than some other noise source like a resistor?
Re: (Score:2)
I know it's important to start with something truly random but why is this better than some other noise source like a resistor?
This is claimed to be verifiably random (hardware thermal noise may be able to be influenced by external factors such as heating/cooling). While it may not have many practical use cases today, this research is an impressive work.
bro (Score:5, Interesting)
I know that nobody reads the articles here but the second paragraph of the fine summary spells it out clearly. "Random numbers are essential for everything from online banking encryption to fair lottery drawings, but current systems have serious limitations. Computer-based generators follow predictable algorithms -- if someone discovers the starting conditions, they can predict all future outputs. Hardware generators that measure physical processes like electronic noise can't prove their randomness wasn't somehow predetermined or tampered with." We're talking about situations (like fair lottery drawings) where there is an intense incentive to cheat so you don't just need random numbers but you need provably random numbers.
The only reason I bothered to type all this out is because I wanted to point out how this was solved in the past. When the Vietnam war was going on, the draft in the US was a huge issue. (I.e., whose birthdays would be picked to be sent overseas to, at best, waste a few years of their lives, at worst, to have the psychic harm of killing innocents, to have been maimed or killed by resistance fighters, etc.) If you just pick balls out of a bucket on live TV, that's one way to prove to everyone that the draw was not rigged. However, that doesn't ensure the bucket is not biased; this was actually a problem the first time they tried, the machine didn't randomize the balls well enough. So what they did was a two-stage process, where the standards bureau gave a list of random numbers which were indexes to birthdays. The standards bureau could not be trusted not to cheat (e.g., what if the guy in charge put his kid's birthday at the very end) but by adding the second stage of randomness you had both - a demonstrably fair process and a compensation for any defects in the ball-picking machine.
Re: (Score:2)
I know it's important to start with something truly random but why is this better than some other noise source like a resistor?
Computer-based generators follow predictable algorithms -- if someone discovers the starting conditions, they can predict all future outputs.
In theory, a security system that bases its integrity on true randomness, could become predictably broken.
Re: (Score:2)
So what makes this better?
It just so happens to bug people that we require special handling of the hardware and rely entirely on others ensuring that basic assumption they are protecting it properly.
IMHO, that situation is exacerbated by the proliferation of virtual machines and containers and such. When the server I was renting was a physical server, it was a lot less likely that someone faked an input (such as a crummy mic on the line in, or the timing of other inputs like keyboard and mouse). With a VM and an exploit for the hypervisor it's on, one could influence other VMs on the same host; the operator of the host wouldn't even need such a loophole, and could control when your processes run and how
Re: (Score:2)
This isn't about simply generating random numbers, this is about verifying random numbers. It's the difference between you saying: "Here's a random number", and me saying "I see your number was chosen at random".
You want a random number? (Score:2)
Re: (Score:2)
Re: (Score:2)
I had a co-worker who insisted that 17 was the only true random number and all other numbers were pseudo-random.
Separation (Score:2)
That'll fit nicely in my next secure smartphone.
Re: Separation (Score:2)
Well, maybe over the network: random as a service.
You of course lose provability, but if true randomness became necessary for some future phone app, you could just ask for and receive one.
Re: (Score:2)
So, essentially random.org [random.org] then...
Re: (Score:2)
Well...yeah!
Didn't know about this. Very cool.
My competing idea: (Score:1)
"It got a picokelvin hotter!" "It got a picokelvin colder!"
If one tries to tamper with it, the entropy quality may go down and may be noticeable, I don't really know, might have to think about it some more.
This idea of mine is in the public domain.
Re: (Score:2)
random.org has been using radios with no static filter, tuned to bands where no radio stations are as their random seed. As they've scaled, they've added a few more radios to listen to static.
This has been sufficiently random for literally decades for most uses. However, there's no certifying that someone didn't start broadcasting on the frequency they're listening to, screwing up the randomness.
Shuffle Music Playlists? (Score:1)
If only Amazon Music could learn how to randomly shuffle playlists when requested. They have the most ludicrous, repetitive random shuffle I've ever come across, it makes me pull my hair out every day. Jeff Bezos, are you reading this???
Re: (Score:2)
Paranoia (Score:3)
I never understood paranoid people like that. So you don't trust the RNG in your CPU but you trust that the rest of the CPU isn't compromised? If Intel/AMD are putting backdoors in their chips it's game over, no amount of quantum wizardry is going to save you.
Re: Paranoia (Score:1)
I swear to god (Score:1)
Re: (Score:2)
You people don't read, the article, the SUMMARY or even other comments before typing out responses.
guilty as charged! otoh, apparently reading the whole thing didn't do you much service either ...
btw, how far would you like to "scale" a lottery draw? 2 notes:
1. this system is actually far more complex and expensive to implement, and harder to "scale", likely by orders of magnitude, than your good old mechanical device with its accounting firm, and ...
2. even if it weren't, verifiability doesn't do zilch to scale, it only allows you to discard an entire process if verification happens to fail, effectively
Re: (Score:2)
I never understood paranoid people like that.
the research is interesting, the theoretical framing is sound but the whole issue is just a bit exaggerated. that attacks are theoretically possible doesn't mean they're plausible nor even likely. the effort is proportional to the value of what you want to protect and we are doing just fine with imperfect pseudo random generators for literally everything, combined with additional security provisions as needed.
So you don't trust the RNG in your CPU but you trust that the rest of the CPU isn't compromised? If Intel/AMD are putting backdoors in their chips it's game over, no amount of quantum wizardry is going to save you.
there is indeed no such thing as a secure system except in ads, there is always a weakest link in a
Re: (Score:2)
So you don't trust the RNG in your CPU but you trust that the rest of the CPU isn't compromised?
The people looking to use this do not trust their CPU either. This isn't for some silly consumer creating an SSL connection.
Re: (Score:2)
I never understood paranoid people like that. So you don't trust the RNG in your CPU but you trust that the rest of the CPU isn't compromised? If Intel/AMD are putting backdoors in their chips it's game over, no amount of quantum wizardry is going to save you.
One can verify the non-random functions in a CPU. You can not verify that the RNG function in the CPU is not predictive.
Oversimplified, you could verify that 2+1=3; 2+2=4; 2+3=5; etc..
Then, if I replace one of those operands with a variable that I fill with a value from the RNG, we expect the sum to be random, but how does one verify that? We just have to trust it, whereas we don't simply trust that 2+2=4. We can verify 2+2=4.
This closes the loophole. Now one can verify their code paths all behave as expec
Verifiable Random Number Generator Generator (Score:2)
Re: (Score:2)
But how can we know and verify the process they used to generate the random number generator?
Yes, how can we tell the difference between a true random number generator, and a device that is simply reading the next entry from a very long one-time-pad that our mortal enemies also have a copy of, and therefore can trivially "predict" future results from, no matter how perfectly random they are?
fundamentally random? (Score:2)
I can buy that it's not influenced by any classical communication between the stations between when one photon is sensed and the other is sensed, but being fundamentally random is a stronger claim.
So much bait. (Score:1)
Sure someone will go into length about how it applies to secure a network type connection, good for you.
They aren't verifying a number is truly random, just that the transmission of that value wasn't altered... It could be a phone number ffs. This is a call for