Page 1
arXiv:0908.2893v3 [quant-ph] 20 Jan 2010
Truly Random Number Generation Based on Measurement of Phase Noise of Laser
Hong Guo,∗Wenzhuo Tang, Yu Liu, and Wei Wei
CREAM Group, State Key Laboratory of Advanced Optical Communication
Systems and Networks (Peking University) and Institute of Quantum Electronics,
School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China
(Dated: January 20, 2010)
We present a simple approach to realize truly random number generation based on measurement of
the phase noise of a single mode vertical cavity surface emitting laser (VCSEL). The true randomness
of the quantum phase noise originates from the spontaneous emission of photons and the random
bit generation rate is ultimately limited only by the laser linewidth. With the final bit generation
rate of 20 Mbit/s, the physically guaranteed truly random bit sequence passes the three standard
random tests. Moreover, for the first time, a continuously generated random bit sequence up to 14
Gbit is verified by two additional criteria for its true randomness.
PACS numbers: 05.40.-a, 42.55.Px, 42.55.Ah
Random number generator (RNG) has wide applica-
tions in statistical sampling [1], computer simulations [2],
randomized algorithm [3] and cryptography [4]. Tradi-
tionally, pseudorandom number generator (PRNG) based
on computational algorithms is adopted to generate ran-
dom bits and is competent in many fields. However, it
cannot produce truly random (unpredictable and irre-
producible) bit sequence, and so may result in potential
dangers in security related applications, say, in quantum
cryptography [5]. Actually, the unconditional security of
quantum key distribution can ONLY be guaranteed when
a truly random number generator (TRNG), based on
quantum mechanical process instead of the intractabil-
ity assumption with classical algorithms [6], is available.
Distinct from PRNG, a TRNG can only be realized by
a physical way, instead of an algorithm-based way; how-
ever, a physical way does not sufficiently guarantee the
true randomness. The physically random processes, such
as radioactive decay [7], electric noise in circuits [8], fre-
quency jitter of electric oscillator [9], and those based on
laser (photon) emission/detection [10–12], can ensure the
inability of pre-estimation on random numbers and so can
be adopted as candidates to implement TRNG. In partic-
ular, those based on the detection of laser field attracted
tremendous interests in recent decade. Recently, chaotic
laser, with ultra-wide bandwidth, becomes a promising
candidate for GHz random bit generation [13, 14]. How-
ever, since the signal of chaotic laser has a periodicity
originated from the photon round trip time, it is es-
sentially NOT a truly random source. Also, we know,
the chaotic systems are deterministic that looks random
but without inherent randomness [15, 16]. Hence, we
coin this kind of physically-based, rather than algorithm-
based, pseudo RNG as physically pseudorandom number
generator (PPRNG). Thus, the true randomness guar-
anteed by physical principle(s), instead of its generation
rate, should be firstly pursued for a TRNG, otherwise,
even though with ultrahigh rate, it is just a pseudo RNG;
on the other hand, the TRNGs based on the above-
Data
Processing
BS
BS
BS
8‐bit
8-bit
ADC
MiMirror
Mirror
Clock
Delay
in?space
τ
VCSEL
FIG. 1: (color online). Schematic setup of TRNG based on
the phase noise measurement using delayed self-homodyne
method. BS, beam splitter; APD, avalanche photodetector
with the low (high) cutoff frequency of 50 kHz (1 GHz). ADC,
8-bit binary analog-digital-converter working at 40 MHz.
mentioned physical mechanisms [7–12] cannot offer the
bit generation rate as high as PPRNG based on chaotic
lasers [13, 14]. So far, the typical maximal random bit
generation rate is around 10 Mbit/s for electric oscillator
jitter measurement scheme [9] and 4 Mbit/s for photon
detection scheme [11]. Also, it should be noted that in
these schemes, the statistical bias and correlation for long
random bit sequence were not investigated.
In this Letter, we propose a new and simple TRNG
scheme based on the true randomness of the quantum
phase noise, which is a Gaussian random variable [17, 18],
of a single-mode vertical cavity surface emitting laser
(VCSEL). The true randomness of the quantum phase
noise is originated from the random nature of sponta-
neous emission and is guaranteed by physical principle.
It will, in the following, be shown that the random bit
generation rate of this TRNG is ultimately limited only
by the laser linewidth. In our experiment, the high final
bit generation rate reaches 20 Mbit/s with guaranteed
true randomness. Further, the true randomness is not
only guaranteed in physical principle and standard tests,
but is also verified by two additional criteria (statistical
bias and correlation) for the long random bit sequence
up to 14 Gbit, for the first time.
The schematic setup is shown in Fig.
delayed self-homodyne method is used to measure the
1 and the
Page 2
2
?
?
?
?
?
??
??
?
?
?
???
??
?
?
-1000-50005001000
-90
-80
-70
-60
-50
-40
-30
3dBLinewidth
~400MHz
Power (dBm)
Frequency(MHz)
Lorentzian
BeatSpectrum
FIG. 2: (color online).
amplitude) noise of the laser field is observed with (without)
the beat signal. The inset is the power spectral density of the
beat signal. (b) Autocorrelation function of the beat signal
versus time interval. In our experiment, the sampling interval
of 25 ns (40 MHz sampling rate) is chosen.
(a) The quantum phase (classical
phase noise of the VCSEL. In this case, the output al-
ternative current (AC) voltage of the avalanche pho-
todetector (APD) detecting the beat signal is Vph ∝
AC[Ibeat] = 2E(t)E(t +τ)cos[φ(t) −φ(t +τ)], where the
amplitude fluctuations of E(t) and E(t + τ) are negligi-
ble compared to the phase fluctuation corresponding to
cos[φ(t)−φ(t+τ)] [17, 18]. When the delay time is much
longer than the coherence time of laser (i.e., τ ≫ τcoh),
the phase difference ∆φ(t) = φ(t)−φ(t+τ) is a Gaussian
random variable, and thus the autocorrelation function
of the electric field of the laser is eliminated [17], i.e.,
?E∗(t)E(t + τ)? ∝ exp(−|τ|/τcoh) → 0,
where τcoh= (π∆νlaser)−1[18], and ∆νlaser is the laser
linewidth. This indicates that the electric field ampli-
tudes of the laser at different time are mutually indepen-
dent, if time interval is much longer than the coherence
time of the laser. Further, similar calculation procedure
can be applied to obtain the autocorrelation function
of the beat signal [Ebeat(t)] as ?E∗
where ∆t is the sampling interval for original random
(1)
beat(t)Ebeat(t + ∆t)?,
050 100150200
-150
-100
-50
0
50
100
150
1
0
X
X
X
0
1
V(mV)
Time(ns)
10GHz
40MHz
X
FIG. 3: (color online). A 200 ns trace of the APD-detected
voltages of the beat signal (small black dots) is recorded at
10 GHz, while the random signal (big red dots) is sampled
at 40 MHz rate (25 ns interval).
obtained from the least significant bit (LSB, i.e., its parity) of
a sequence of 8-bit binary derivatives obtained by performing
subtraction between two consecutive sampled voltages (shown
in the bottom strip).
The final random bit is
bit generation. Using Ebeat(t) = E(t) + E(t + τ) and
Eq. (1), it is evident that when the sampling time ∆t
meets ∆t ≫ τ + τcoh, the autocorrelation of the beat
signal will also be eliminated. Thus, the bits extracted
from the beat signal are mutually independent and can
be adopted to implement TRNG.
In experiment (Fig. 1), a 795 nm VCSEL laser works
at 1.5 mA, a little above the threshold current 1.0 mA.
The laser linewidth ∆νlaser= 200 MHz (τcoh= 1.59 ns)
of laser is inversely proportional to the laser power, while
the classical noises are independent on it [25]. Due to
working just above threshold, the quantum phase noise
of laser dominates over the classical amplitude noise to
ensure the true randomness of generated bits. The delay
time τ is set to be about 10 ns (corresponds to 3.0 m
space delay) in order to fulfill τ ≫ τcoh. So, the self-
homodyne method with delay time τ is used to obtain the
beat signal with 3 dB linewidth of 400 MHz (detected by
an APD) and its power spectral density is shown in the
inset of Fig. 2 (a). It can be seen, from Fig. 2 (a), that
the classical amplitude fluctuation is negligible compared
to the quantum phase fluctuation within 200 MHz (the
gap is about 20 dB). Using Wiener-Khintchine theorem
[19, 20], i.e.,
Rbeat(t) =
?+∞
−∞
Pbeat(ω)exp(−iωt)dω,(2)
the autocorrelation function [Rbeat(t)] of the beat signal
is obtained from the power spectral density of the phase
noise [Pbeat(ω) in Fig. 2 (a)] and illustrated in Fig. 2 (b).
It can be seen from Fig. 2 (b) that the autocorrelation
of the beat signal can be ignored, if the sampling interval
is set as ∆t ≫ τ +τcoh. In our experiment, the sampling
Page 3
3
B =|0.5-p(1)|
1.5/ N
(a)
1
|a |
3/ N
(b)
FIG. 4: (color online). (a) The statistical bias (B) of the final
random bit sequence. It can be seen that B < 1.5/√N always
holds and converges to zero for large bit sequence, where p(1)
is the probability of ones in sequence. (b) The absolute value
of the first-order correlation coefficient |a1| of the final random
bit sequence. It can be seen that |a1| < 3/√N always holds
and |a1| converges to zero for large bit sequence.
rate is chosen as 40 MHz accordingly, i.e., ∆t = 25 ns, so
the bits extracted from these sampled voltages are mutu-
ally independent. These sampled voltages are digitized
by an 8-bit analog-digital-converter (ADC) shown as the
red dots in Fig. 3, and further we have confirmed that the
distribution of voltages is symmetric. Hence, we take the
least significant bit (LSB) of each sampled 8-bit voltage
as the original random bit, i.e., the parity of this 8-bit bi-
nary number, which represents whether the voltage falls
in an even or odd bin of the total 256 bins. For the non-
ideal distribution of these voltages, the probability of all
the even and odd bins of the total 256 bins are not per-
fectly equal, and the bit sequence shows a statistical bias
of the order of 10−3. For much lower bias, we perform
a subtraction between two consecutive sampled voltages
to obtain a sequence of N/2 8-bit binary derivatives as
V2− V1,V4− V3,...,VN− VN−1, where N is the total
number of the original sampled voltages. In this process,
each voltage is used only once, and thus no correlation
is introduced. After that, we adopt the LSB of the 8-
bit binary derivatives to generate the final random bits.
TABLE I: Results of Diehard statistical test suite. Data sam-
ple containing 100 Mbits is used for the Diehard test. For the
cases of multiple p-values, a Kolmogorov-Smirnov (KS) test is
used to obtain a final P-value, which measures the uniformity
of the multiple p-values. The test is considered successful if
all final P-values satisfy 0.01 ≤ P ≤ 0.99.
Statistical test
Birthday spacings
Overlapping permutations
Ranks of 31 × 31 matrices
Ranks of 32 × 32 matrices
Ranks of 6 × 8 matrices
Monkey tests on 20-bit words
Monkey test OPSO
Monkey test OQSO
Monkey test DNA
Count 1’s in stream of bytes
Count 1’s in specific bytes
Parking lot test
Minimum distance test
Random spheres test
Squeeze test
Overlapping sums test
Runs test (up)
Runs test (down)
Craps test No. of wins
Craps test throws/game
P-value
0.910531 [KS]
0.294899
0.322213
0.482575
0.749427 [KS]
0.019887 [KS]
0.079864 [KS]
0.725649 [KS]
0.293543 [KS]
0.244463
0.062188 [KS]
0.806898 [KS]
0.326209 [KS]
0.902946 [KS]
0.815876 [KS]
0.806025 [KS]
0.817356
0.805323
0.502035
0.403322
Result
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Therefore, we directly obtained the final random bit at
generation rate of 20 Mbit/s with a software-based post-
processing. Note that, the post-processing enhances the
performance of the random bits sequence by lowering the
statistical bias while not introducing any additional cor-
relations. For a TRNG, both the statistical bias and the
absolute value of the first-order correlation coefficient of
the final random bit sequence are expected to be smaller
than three standard deviations (3σ1= 1.5/√N for sta-
tistical bias [Fig. 4(a)], and 3σ2= 3/√N for correlation
coefficient [Fig. 4(b)]) with the probability of 99.7%. In
our case, both criteria are well satisfied for the final ran-
dom bit sequence up to 14 Gbit.
We continuously record a final random bit sequence of
1 Gbit, which passed three standard random tests, i.e.,
ENT [21], Diehard [22] and STS [23]. The ENT results
are: Entropy = 1.000000 bit per bit (the optimum com-
pression would reduce the bit file by 0%). χ2distribution
is 0.53 (randomly would exceed this value by 46.62% of
the times). Arithmetic mean value of data bits is 0.5000.
Monte Carlo value for π is 3.141725650. Serial correla-
tion coefficient is −0.000017. The Diehard and STS test
results are shown in Tables I and II, respectively.
It should be noted that, for a nonuniform distribution
of the probability of 256 8-bit binary derivatives, if more
Page 4
4
TABLE II: Results of NIST statistical test suite. Using 1000
samples of 1 Mbits data and significance level a = 0.01,
for “Success”, the P-value (uniformity of p-values) should
be larger than 0.0001 and the proportion should be greater
than 0.9805608 [23]. For the tests which produce multiple P-
values and proportions, the worst case is shown. As advised
by NIST, the Fast Fourier Transform test is disregarded [24].
Statistical test
Frequency
Block frequency
Cumulative sums
Runs
Longest run
Rank
Nonperiodic
Overlapping
Universal
Approximate
Random excursions
Random variant
Serial
Linear complexity
P-value
0.679846
0.248571
0.858032
0.816029
0.648795
0.609895
0.569334
0.565500
0.143336
0.590520
0.016388
0.029796
0.946683
0.732979
Proportion
0.9916
0.9897
0.9888
0.9907
0.9935
0.9860
0.9823
0.9916
0.9888
0.9879
0.9880
0.9865
0.9916
0.9915
Result
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
Success
than 1 bit are extracted from each 8-bit binary deriva-
tives in order to improve the random bit generation rate
(see, e.g., 5 LSBs are adopted in [14]), an additive corre-
lation in the final random bit sequence will be introduced,
even though this additive correlation is not so significant
to fail the random tests. Taking 5 LSBs for an instance,
every set of the 5 LSBs possesses a different probability
(due to the nonuniform distribution) and thus these 5 bits
from the same set are correlated to some extent. How-
ever, with this additive correlation within the same set,
both the random bit sequence of extracting 5 LSBs (with
the sampling rate of 2.5 GHz in [14]) and 4 LSBs (with
the sampling rate of 40 MHz in our case) from an 8-bit
binary number both successfully pass the three standard
random tests. This fact also indicates that the standard
random tests are only a way to examine whether the ran-
dom bit stream is “sufficiently” random, but not to judge
whether it is truly random.
We propose a new and simple approach to realize a
high-speed TRNG, which is compact and convenient to
implement. The randomness of our TRNG is physically
guaranteed by the intrinsic random nature of the quan-
tum phase noise originated from the spontaneous emis-
sion of photons. Moreover, for the first time, the true
randomness is verified by both the statistical bias and
the correlation coefficient for long random bit sequence
up to 14 Gbit. Note that, the long random bit sequence is
even more important than generation rate, because it is
the length of the random bit sequence that is required in
most applications and essentially, it is a metric for qual-
ifying the true randomness. Compared to the chaotic
laser, the intrinsic phase noise of a free-running laser is
confirmed in true randomness, which only depends on its
inherent quantum mechanical properties and does not
need the external optical feedback to laser thereby intro-
ducing photon round trip period. Although the random
bit generation rate is not as high as that of chaotic laser
scheme [13, 14], its physically guaranteed true random-
ness and high generation rate, together with its simplicity
and compactness, are attractive for applications which
need true randomness. Also, a higher generation rate is
attainable using a laser with larger linewidth and faster
data acquisition hardware.
This work is supported by the Key Project of National
Natural Science Foundation of China (NSFC) (grant
60837004). We acknowledge the support from W. Jiang,
K. Deng, X. X. Liu, C. Zhou, and G. D. Xie, and the
helpful discussions with B. Luo and J. B. Chen.
∗Corresponding author: hongguo@pku.edu.cn
[1] S. L. Lohr, Sampling: Design and Analysis (Duxbury,
1999).
[2] J. E. Gentle, Random Number Generation and Monte
Carlo Methods (Statistics
(Springer-Verlag, 2003).
[3] M. Mitzenmacher and E. Upfal, Probability and Comput-
ing: Randomized Algorithms and Probabilistic Analysis
(Cambridge U. Press, 2005).
[4] A. J. Menezes et al., Handbook of Applied Cryptography
(CRC, 1997).
[5] C. H. Bennett et al., J. Cryptology 5, 3 (1992).
[6] L. Blum et al., SIAM J. Comput. 15, 364 (1986).
[7] H. Schmidt, J. Appl. Phys. 41, 462 (1970).
[8] C. S. Petrie and J. A. Connelly, IEEE Trans on Circuits
and Systems I: Fundamental Theory and Applications,
47, 615 (2000)
[9] M. Bucci et al., IEEE Trans. on Computers 52, 403
(2003).
[10] M. Stipcevic et al., Rev. Sci. Instrum. 78, 045104 (2007).
[11] J. F. Dynes et al., Appl. Phys. Lett. 93, 031109 (2008).
[12] W. Wei and H. Guo, Opt. Lett. 34, 1876 (2009).
[13] A. Uchida et al., Nat. Photon. 2, 728 (2008).
[14] I. Reidler, et al., Phys. Rev. Lett. 103, 024102 (2009).
[15] C. Werndl, et al., Brit. J. Phil. Sci. 60, 195 (2009).
[16] T. Jennewein, et al., Rev. Sci. Instrum. 71, 1675 (2000).
[17] M. Lax, Phys. Rev. 160, 290 (1967).
[18] C. H. Henry, IEEE J. Quantum Electron. 18, 259 (1982).
[19] N. Wiener, Acta Math. 55, 117 (1930).
[20] A. Khintchine, Math. Ann. 109, 604 (1934).
[21] J. Walker, http://www.fourmilab.ch/random/.
[22] G. Marsaglia, Diehard: A Battery of Tests of Random-
ness, http://www.stat.fsu.edu/pub/diehard/, 1995.
[23] http://csrc.nist.gov/groups/ST/toolkit/rng/stats tests.html.
[24] http://csrc.nist.gov/groups/ST/toolkit/
rng/documentation software.html.
[25] B. Qi et al., arXiv:0908.3351v2 [quant-ph].
& Computing), 2nd ed.
Download full-text