Fact-checked by Grok 2 weeks ago

Hardware random number generator

A hardware random number generator (HRNG), also known as a true random number generator (TRNG), is a physical device or integrated circuit component that produces sequences of random bits by harvesting entropy from inherently unpredictable physical processes, such as thermal noise, jitter in oscillators, or quantum fluctuations, distinguishing it from deterministic pseudorandom number generators (PRNGs) that rely on algorithmic computations from an initial seed.^[1]^[2] These generators are essential for applications requiring high-quality randomness, including cryptographic key generation, secure communications, and simulations, as they provide non-reproducible outputs that cannot be predicted even with knowledge of prior values.^[3] HRNGs operate on the principle of capturing and conditioning noise from physical phenomena to ensure statistical independence and uniformity in the output bits, often incorporating health tests to detect failures and post-processing techniques like von Neumann extractors or cryptographic hashing to mitigate biases.^[3]^[1] Common entropy sources in silicon-based implementations include electrical noise (e.g., shot or flicker noise in transistors), timing jitter in ring oscillators, and metastability in flip-flops, with quantum-based variants leveraging photon detection or radioactive decay for even higher entropy rates.^[1] Design standards, such as NIST SP 800-90B, specify requirements for entropy estimation, validation tests (e.g., min-entropy assessment and restart testing), and protection against environmental influences like temperature variations or adversarial attacks, ensuring suitability for security-critical systems.^[3] Modern HRNGs, integrated into processors like Intel's RdRand or used in dedicated chips for IoT devices, achieve throughputs from megabits to tens of gigabits per second as of 2025, while balancing power efficiency and robustness.^[4]^[1]^[5]

Fundamentals

Definition and principles

A hardware random number generator (HRNG), also known as a true random number generator (TRNG), is a physical device or component that harnesses inherent fluctuations in natural processes—such as thermal noise, quantum events, or radioactive decay—to generate sequences of bits exhibiting high entropy and thus approximating true randomness. Unlike deterministic algorithms, HRNGs rely on non-deterministic physical phenomena to produce outputs that cannot be predicted or reproduced under identical conditions, making them essential for applications requiring unpredictability.^[3] Central to HRNG functionality is the concept of entropy, which quantifies the degree of unpredictability or information content in a random source. For a discrete binary source with outcomes having probabilities p_i, the Shannon entropy H is defined as

H = -\sum p_i \log_2(p_i),

where the sum is over all possible outcomes; for a perfectly uniform binary source (p_0 = p_1 = 0.5), H = 1 bit, representing maximum uncertainty per bit. In HRNGs, entropy from the physical source is assessed in bit streams to ensure sufficient randomness, with ideal outputs approaching 1 bit of entropy per generated bit.^[6]^[3] The basic operational principles of an HRNG involve harvesting entropy from a physical noise source, typically through amplification to detectable levels, followed by digitization—such as analog-to-digital converter (ADC) sampling—to convert the analog signal into raw binary data. This raw output often exhibits biases or correlations due to the source's imperfections, so post-processing is applied via a conditioning or extractor circuit to whiten the data and produce uniform random bits; a classic method is the von Neumann debiasing, which processes pairs of bits from a biased source, outputting 0 for the sequence 01, 1 for 10, and discarding 00 or 11 pairs to yield unbiased results. Key components include the noise source (providing the entropy), the extractor circuit (for conditioning), and an output interface (delivering the processed bits). For example, raw noisy bits might show slight biases (e.g., 52% probability of 1), while conditioned outputs are uniform (50% probability of 0 or 1), ensuring cryptographic suitability.^[3]^[3]^[7]

Comparison to pseudorandom number generators

Pseudorandom number generators (PRNGs) are deterministic algorithms that produce sequences of numbers approximating randomness, starting from an initial seed value and following a fixed mathematical rule to generate subsequent outputs.^[8] Examples include linear congruential generators for non-cryptographic uses and cryptographically secure variants like those based on AES in counter mode (AES-CTR).^[9] These sequences appear statistically random but are fully reproducible given the seed, making PRNGs efficient for applications requiring high-volume output without true unpredictability.^[8] In contrast, hardware random number generators (HRNGs) draw from non-deterministic physical processes to produce entropy-driven outputs that cannot be predicted or reproduced, even with knowledge of prior results, provided the physical source remains secure.^[8] PRNGs, however, rely on the quality of their seed; poor seeding can lead to catastrophic failures, as seen in the 2008 Debian OpenSSL vulnerability (CVE-2008-0166), where a code change reduced the entropy pool to a single PID, rendering generated cryptographic keys predictable and exploitable via brute force.^[10] This highlights HRNGs' immunity to such deterministic flaws, as their randomness stems from inherent physical variability rather than algorithmic computation.^[10] HRNGs offer advantages in long-term unpredictability and independence from computational hardness assumptions, making them essential for security-critical scenarios where PRNGs might be reverse-engineered or state-compromised.^[8] However, they typically exhibit disadvantages such as slower generation rates—often in the range of 100 Mbps to 1 Gbps for commercial devices—and the need for post-processing to mitigate potential biases in raw output. PRNGs, by comparison, achieve much higher throughputs, exceeding 10 Gbps in hardware implementations, enabling rapid generation for bulk applications.^[11] To balance these trade-offs, hybrid systems commonly employ HRNGs to provide high-quality seeds for PRNGs, enhancing efficiency while preserving entropy.^[9] In NIST SP 800-90A, Deterministic Random Bit Generators (DRBGs, a type of PRNG) are instantiated and reseeded using entropy inputs from approved non-deterministic sources like HRNGs, ensuring the seed material meets or exceeds the required security strength (e.g., 256 bits of entropy).^[9] This approach allows PRNGs to expand limited HRNG output into vast sequences suitable for cryptographic use.^[9]

Historical Development

Early concepts and implementations

The earliest precursors to hardware random number generators were mechanical devices employed for centuries in games of chance, harnessing physical unpredictability to produce random outcomes. Dice, originating around 3000 BCE in ancient Mesopotamia and later widespread in civilizations such as those in India, China, and Egypt, generated integers from 1 to 6 through the chaotic rolling of polyhedral objects marked with pips, predating numerical notation systems.^[12]^[13] Coin flipping, documented among Romans as early as the 1st century BCE with phrases like "navia aut caput" (ship or head), offered a binary random selection based on the unpredictable landing of a tossed coin.^[12] Roulette wheels, refined in 18th-century Europe for gambling, relied on the irregular motion of a spinning ball settling into numbered slots, providing a mechanical analog to uniform random selection across discrete outcomes.^[13] The transition to electronic hardware random number generators began in the late 1940s, driven by the need for large-scale random data in scientific simulations, particularly for Monte Carlo methods in physics and engineering. In 1947, the RAND Corporation introduced an "electronic roulette wheel," a pioneering device that generated random digits using a high-frequency pulse source derived from electronic noise in a gas discharge tube, producing approximately 100,000 pulses per second that were scaled via a modulo-32 counter to generate digits rapidly, though overall production was limited by storage and testing processes.^[14]^[13] This system, which simulated a 32-position wheel through binary scaling, compiled a million random digits by 1955 for applications like nuclear reaction modeling, marking the first automated production of extensive random tables.^[15] Concurrently, foundational techniques for processing noisy electronic sources emerged. In 1951, John von Neumann outlined methods in his paper "Various Techniques Used in Connection with Random Digits" to debias imperfect random bit streams from hardware noise, including a pairwise extraction algorithm: consecutive bits are grouped, with 01 yielding a 1, 10 yielding a 0, and identical pairs (00 or 11) discarded, ensuring unbiased output regardless of source bias assuming independence.^[16] That same year, the Ferranti Mark 1, the first commercially available general-purpose stored-program computer, integrated a dedicated hardware random number instruction drawing from thermal noise in resistors to load random bits into the accumulator, enhancing its utility for probabilistic computations.^[17] Advancements in the 1950s and 1960s incorporated diverse physical entropy sources into computing systems. Early implementations leveraged radioactive decay, detected via Geiger-Müller counters, to timestamp unpredictable atomic events as random bits, offering high theoretical entropy but limited by detection hardware; such methods appeared in analog computing setups for noise simulation during this era.^[13] For instance, the Semi-Automatic Ground Environment (SAGE) system, deployed by IBM in 1958 for air defense, utilized large-scale computers where random noise generation supported real-time probabilistic modeling, though integrated radioactive sources were exploratory and not standardized.^[18] These early designs faced significant engineering challenges, including extremely low bit generation rates—often below 1 bit per second due to slow pulse scaling or detection times—and high sensitivity to environmental factors like temperature fluctuations, which could alter noise spectra or decay rates and introduce correlations.^[13] Radiation-based approaches also raised safety concerns, restricting their practicality.^[12] By the 1970s, the advent of integrated circuits enabled more reliable noise sources, with reverse-biased Zener diodes emerging as a compact option for military applications; their avalanche breakdown produced broadband shot noise suitable for generating random bits in secure communication devices, benefiting from low power and integration ease despite requiring amplification and post-processing.^[19]

Modern advancements and commercialization

In the late 1980s and 1990s, hardware random number generators (HRNGs) transitioned from experimental prototypes to integrated solutions, with Intel introducing thermal noise-based randomness in its i810 chipset in 1999, marking an early commercial embedding of HRNG technology in computing hardware.^[20] This development paved the way for broader adoption, as seen in the mid-2010s with the launch of USB-based HRNG devices like the TrueRNG, which utilized avalanche noise in diodes to provide accessible, plug-and-play entropy for personal computers and security applications.^[21] Standardization efforts in the 2000s and 2010s formalized HRNG design and validation, with the National Institute of Standards and Technology (NIST) publishing SP 800-90B in 2018 to provide guidelines for entropy source validation, with errata updates as of May 2025, ensuring robust randomness extraction for cryptographic use. Complementing this, the Federal Information Processing Standard (FIPS) 140-3, effective from 2019, established certification requirements for cryptographic modules incorporating HRNGs, promoting interoperability and security assurance in commercial products.^[22] Commercialization accelerated in the 2010s, exemplified by ID Quantique's Quantis series of quantum random number generators (QRNGs), first introduced in the mid-2000s and scaled for USB and PCIe formats by the 2010s to deliver certified quantum entropy at rates up to 4 Mbps. Similarly, Microchip Technology (formerly Atmel) integrated an HRNG into its ATECC608A crypto authentication chip in 2018, leveraging NIST-compliant entropy sources for secure IoT key generation. Post-2017 advancements emphasized quantum and high-speed innovations, with QuintessenceLabs releasing the qStream QRNG in 2019, achieving 1 Gbps throughput using photon detection for real-time cryptographic applications. Cloud-based services emerged as well, such as IBM's integration of quantum RNG into its Quantum Platform in 2023, enabling on-demand access to QRNG bits via API for distributed computing tasks. In photonic technologies, NTT Corporation demonstrated a prototype in 2021 using integrated photonics for quantum-safe randomness generation at speeds exceeding 1 Gbps, highlighting potential for high-speed network security.^[23] The 2020s have seen deeper integration into system-on-chips (SoCs), as in Apple's M-series processors starting with the M1 in 2020, which incorporate dedicated HRNG hardware for enhanced device security and privacy features. Emerging trends include AI-optimized HRNGs tailored for Monte Carlo simulations, where hardware acceleration provides low-latency entropy to support machine learning workloads in scientific computing. Recent developments as of 2025 include enhanced NIST errata for SP 800-90B and increased adoption of QRNGs in post-quantum cryptography. The global HRNG market, valued at approximately $1.5 billion in 2020, reached about $4 billion by 2025, fueled by rising demand for secure IoT ecosystems and post-quantum cryptography.^[24]

Physical Sources of Randomness

Classical noise and chaos-based methods

Classical noise-based hardware random number generators (HRNGs) exploit unpredictable fluctuations in physical systems, such as thermal agitation in electronic components, to produce entropy. These methods rely on macroscopic classical processes that, while deterministic in principle, exhibit high sensitivity to initial conditions and environmental variations, making their outputs effectively random for practical purposes. A prominent example is Johnson-Nyquist noise, also known as thermal noise, which arises from the random thermal motion of charge carriers in a resistor. The root-mean-square voltage fluctuation is given by the formula:

V_{\text{rms}} = \sqrt{4 k T R \Delta f}

where k is Boltzmann's constant, T is the absolute temperature, R is the resistance, and \Delta f is the bandwidth.^[25] This noise is amplified and digitized to generate random bits, providing a reliable source of entropy in integrated circuits.^[26] Another classical noise source is avalanche noise in reverse-biased diodes, particularly Zener diodes operating near breakdown voltage. In this regime, charge carriers gain sufficient energy to trigger impact ionization, creating a cascade of electrons and holes that produces high-entropy fluctuations. This noise is characterized by its white spectrum and can be harvested by buffering the voltage across the diode with operational amplifiers before sampling.^[27] Implementations often sample the amplified noise at rates up to 1 GHz using analog-to-digital converters (ADCs), followed by post-processing techniques like XOR folding to whiten the output and remove biases, ensuring uniform bit distribution.^[27] For instance, the open-hardware RAVA device uses dual Zener diodes biased at 25.5 V to generate bits at rates exceeding 100 kbps, passing NIST statistical tests for randomness.^[27] Chaos-based methods leverage nonlinear dynamical systems that exhibit sensitive dependence on initial conditions, quantified by a positive Lyapunov exponent \lambda > 0, which measures the rate of divergence of nearby trajectories. These systems evolve deterministically but produce unpredictable outputs due to exponential amplification of tiny perturbations, such as thermal noise or fabrication imperfections. Classic examples include Chua's circuit, a simple analog electronic oscillator with a nonlinear resistor that generates double-scroll attractors, and the double-scroll circuit, both of which can be implemented in CMOS for on-chip generation.^[28] In hardware, the chaotic signal is sampled at high frequency, and bits are extracted via thresholding or multiple sampling points, with XOR operations applied to enhance independence. The Lyapunov exponent ensures chaos persists, with values like \lambda \approx 0.56 to $2.21 observed in integrated designs, confirming exponential separation of states. Representative implementations include Silicon Graphics' Lavarand system from the 1990s, which digitized chaotic patterns from lava lamps—turbulent mixing akin to ink drop diffusion—to seed cryptographic keys, harvesting entropy from visual chaos.^[29] Commercial chips like Microchip's RN48x series integrate thermal noise amplification for embedded HRNGs, delivering up to 128 bits of entropy per invocation for secure applications.^[30] As of 2025, the HRNG market continues to expand, projected to reach USD 7.57 billion by 2030, driven by cybersecurity needs, with partnerships like Infineon and Quantinuum advancing hybrid technologies.^[31] However, these methods face limitations: without adequate mixing, outputs may exhibit subtle periodicity from deterministic drifts, and environmental factors like temperature variations can reduce entropy by altering noise characteristics, necessitating robust post-processing and calibration.

Oscillator and timing-based methods

Oscillator and timing-based methods exploit instabilities in electronic oscillators and timing signals to generate random bits, primarily through the accumulation of jitter in periodic signals. These approaches harvest entropy from temporal variations rather than broadband noise, making them suitable for integration into digital circuits. Free-running oscillators, such as ring oscillators consisting of an odd number of inverter stages connected in a loop, serve as the core entropy source, where randomness arises from thermal jitter that introduces phase variations in the oscillation period.^[32] The jitter in ring oscillators primarily stems from thermal noise, modeled as Johnson-Nyquist noise affecting the charge on node capacitances, leading to a phase jitter variance approximately given by \sigma^2 \approx kT / C, where k is Boltzmann's constant, T is the absolute temperature, and C is the effective capacitance per stage.^[33] This thermal jitter accumulates over multiple stages and cycles, providing a source of unpredictability when the oscillator output is sampled. To enhance entropy extraction, designs typically employ multiple independent ring oscillators with slightly mismatched frequencies, preventing synchronization and correlation in their outputs.^[34] In implementation, the outputs of these oscillators are sampled using a slower reference clock, often through self-timed loops or beat frequency detection to capture phase differences. For instance, rising edges from pairs of oscillators can be XORed to produce random bits, with the sampling timed to occur within the jitter window for maximum entropy.^[35] Post-processing, such as von Neumann debiasing or hashing, is commonly applied to condition the raw bits and ensure uniformity.^[36] A prominent example is Intel's RdRand instruction, introduced in 2012 processors, which utilizes multiple ring oscillators to generate entropy from accumulated thermal jitter, delivering high-speed random numbers directly to software via a dedicated CPU instruction.^[37] FPGA-based designs also leverage ring oscillators for true random number generation, achieving throughputs around 100 Mbps while occupying minimal logic resources, such as a few dozen lookup tables.^[38] These methods offer advantages including low power consumption—often in the microwatt range—and seamless on-chip integration without external components, facilitating deployment in embedded systems.^[39] However, a key challenge is the potential for oscillators to synchronize if their frequencies align too closely, reducing entropy through correlated phases; this is mitigated by intentional detuning via varying stage counts or process-induced mismatches.^[34] Hybrid timing-based approaches extend these principles beyond dedicated oscillators, incorporating variations in system timing signals. For example, jitter in hard disk drive head seek times, arising from mechanical and electronic instabilities, has been used as an entropy source in early secure physical random bit generators.^[40] Similarly, CPU execution time jitter, influenced by pipeline variations and interrupts, provides a software-accessible source, as implemented in Linux's /dev/hwrng interface via the jitterentropy daemon for seeding the kernel's random pool.^[41]

Quantum-based methods

Quantum-based hardware random number generators exploit the fundamental indeterminacy of quantum mechanics to produce outputs with provable randomness, distinguishing them from classical sources by their theoretical security guarantees. The core principle stems from the measurement-induced collapse of the quantum wavefunction, governed by the Heisenberg uncertainty principle, which imposes limits on the simultaneous precise knowledge of non-commuting observables, such as position and momentum, ensuring inherent unpredictability in measurement outcomes. Additionally, Bell's theorem confirms that quantum correlations cannot be replicated by any local hidden-variable theory, ruling out deterministic explanations for the observed randomness and providing a foundation for device-independent certification. Photodetection methods represent a widely adopted quantum approach, typically involving the generation of weak coherent states from an attenuated laser, where the average photon number is less than one, followed by routing through a 50:50 beam splitter. The single-photon state enters a quantum superposition of transmission and reflection paths, and detection at one of two single-photon detectors yields a random bit corresponding to which path is observed, with the outcome determined solely by quantum probabilities.^[42] In low-photon regimes, thermal dark counts—spontaneous electron excitations in the detectors—further contribute entropy, enhancing the randomness without relying on external noise sources.^[43] Vacuum fluctuation-based generators measure the quantum zero-point fluctuations of the electromagnetic field in the vacuum state, which exhibit non-zero uncertainty in quadrature amplitudes due to the commutation relations of creation and annihilation operators. These systems employ homodyne detection, where a strong local oscillator laser interferes with the vacuum mode on a balanced beam splitter, and the resulting intensity difference on photodetectors quantizes the random quadrature value into bits. Commercial examples include ID Quantique's Quantis device, which uses this technique to extract entropy from vacuum noise, achieving certified randomness suitable for cryptographic applications.^[44] Since 2017, significant progress has miniaturized and accelerated these technologies, with integrated photonic circuits enabling chip-scale quantum RNGs that measure vacuum fluctuations at rates exceeding 100 Gbit/s through on-chip homodyne detection and high-speed digitization.^[45] In September 2025, researchers demonstrated a compact 2 Gbps low size, weight, and power (SWaP) quantum RNG using integrated photonic asymmetric Mach-Zehnder interferometers, advancing portable applications.^[46] Additionally, in March 2025, a 56-qubit quantum computer achieved experimental certified randomness generation, marking a milestone in quantum hardware-based certification.^[47] Satellite platforms, such as China's Micius mission operational from 2017 onward, have demonstrated quantum RNGs in space for generating random measurement bases in Bell tests, facilitating certified randomness distribution over thousands of kilometers to ground stations.^[48] However, challenges persist, including elevated costs from precision optics and detectors, as well as the requirement for cryogenic cooling in designs using superconducting single-photon detectors to minimize thermal noise. Security certification often demands loophole-free Bell inequality violations to confirm the absence of classical correlations.^[49] Laboratory prototypes have reported entropy extraction rates up to 10^9 bits/s, with min-entropy per bit surpassing 0.99 after post-processing, underscoring their potential for high-throughput secure applications.^[50]

Applications

Cryptographic applications

Hardware random number generators (HRNGs) play a critical role in cryptographic key generation by supplying high-quality entropy to ensure keys are unpredictable and resistant to cryptanalysis. In symmetric cryptography, such as the Advanced Encryption Standard (AES), HRNGs provide the full bit length of entropy required for key material; for instance, AES-256 keys demand at least 256 bits of entropy to achieve the desired security strength.^[51] This entropy is directly sourced from the HRNG output within approved cryptographic modules to generate keys that cannot be feasibly guessed or reproduced. HRNGs are frequently combined with pseudorandom number generators (PRNGs), where the HRNG provides initial or periodic seeding to enhance security and unpredictability.^[51] In asymmetric cryptography, HRNGs support key pair generation, including the selection of large prime numbers for schemes like RSA. For RSA, HRNG-derived randomness is used in probabilistic primality tests such as the Miller-Rabin algorithm, where random witnesses ensure the primes are sufficiently random and secure against targeted attacks.^[52] Entropy requirements here align with the security level, often necessitating 256 bits or more to match modern threat models.^[51] HRNGs are integral to cryptographic protocols, providing unpredictable values for nonces, padding, and ephemeral keys to prevent replay attacks and ensure session uniqueness. In the Transport Layer Security (TLS) protocol, HRNGs generate nonces during the handshake to bind session data and avoid predictability in encrypted communications.^[52] For Optimal Asymmetric Encryption Padding (OAEP) in RSA encryption, HRNGs supply random seed values for the padding process, which masks the plaintext and provides semantic security by making identical messages produce different ciphertexts. Ephemeral keys in Diffie-Hellman exchanges, such as those used for forward secrecy in TLS, rely on HRNGs to generate temporary private keys, ensuring that each session's shared secret is unique and protected even if long-term keys are later compromised. Standards like ANSI X9.31, first published in 1998 and later updated (withdrawn in 2013 and superseded by NIST SP 800-90A), mandate that random number generators for financial cryptography deliver more than one bit of entropy per output bit, often achieved through HRNG seeding of deterministic components to meet high-assurance requirements.^[53] These generators are commonly integrated into Hardware Security Modules (HSMs), tamper-resistant devices that safeguard keys and perform cryptographic operations, including entropy collection from physical sources to comply with FIPS 140 validations.^[54] In practical case studies, HRNGs secure Bitcoin wallet seed generation, where devices like Ledger hardware wallets employ embedded Secure Element RNGs to produce 24-word recovery phrases from 256 bits of true entropy, preventing deterministic derivation that could expose funds. For post-quantum cryptography, the National Institute of Standards and Technology (NIST) finalized standards in 2024, such as FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA), which demand high-quality randomness; quantum random number generators (QRNGs), a subset of HRNGs, are increasingly recommended to supply the entropy needs of these algorithms.^[55] A key benefit of HRNGs over pseudorandom number generators (PRNGs) in cryptography is their resistance to seed exhaustion attacks, where an adversary exhausts or predicts a PRNG's internal state to compromise subsequent outputs; HRNGs draw continuous physical entropy, eliminating a single-point seed vulnerability and maintaining security without reseeding dependencies.^[56]

Non-cryptographic applications

Hardware random number generators (HRNGs) play a key role in gaming applications where true unpredictability enhances fairness and immersion, particularly in procedural content generation and loot systems. In electronic gambling machines and lotteries, HRNGs ensure unbiased outcomes by drawing from physical entropy sources, such as thermal noise or radioactive decay, to determine results like slot spins or winning combinations, meeting regulatory standards for non-deterministic play.^[57]^[58] Many state lotteries employ RNGs, often PRNGs seeded by HRNGs, to generate draw combinations, replacing mechanical ball machines to improve integrity and auditability. HRNGs are frequently combined with PRNGs, where the HRNG provides initial or periodic seeding to enhance security and unpredictability. In scientific simulations, HRNGs provide high-fidelity randomness essential for accurate modeling of complex phenomena, surpassing pseudorandom alternatives in entropy quality. Monte Carlo methods, widely used in particle physics, rely on HRNGs to simulate probabilistic events like particle interactions without introducing detectable patterns that could skew results. Similarly, in stochastic modeling for climate predictions, HRNGs support ensemble simulations by minimizing long-sequence correlations, enabling more precise forecasts of variables like precipitation variability.^[59] For artificial intelligence and machine learning, HRNGs contribute to robust model training by supplying unbiased random values for critical processes. In neural network initialization, high-quality randomness from HRNGs prevents symmetry breaking issues and reduces the risk of suboptimal convergence, as poor randomness can degrade performance in deep learning tasks.^[60] TensorFlow and similar frameworks can integrate HRNG outputs for seeding weights, ensuring diverse starting points that enhance generalization across datasets. In data augmentation, HRNGs generate varied transformations—such as random rotations or flips—for training images, mitigating overfitting in limited-data scenarios like medical imaging classification.^[61] Beyond these domains, HRNGs support non-cryptographic computations in distributed systems. In blockchain-based multi-party computation for decentralized applications (dApps), HRNGs provide shared randomness for fair ordering or sampling without key generation, using trusted execution environments to pool entropy from multiple devices. Compared to pseudorandom number generators (PRNGs), HRNGs offer superior statistical accuracy in extended simulations by eliminating periodicities and correlations that accumulate over iterations, leading to more reliable probabilistic outcomes. Studies on Monte Carlo techniques demonstrate that HRNGs yield results closer to theoretical expectations compared to weaker PRNGs in long runs. This reduced bias is particularly impactful for high-dimensional problems, where PRNG artifacts can amplify errors in entropy estimation.^[62]^[63]

Evaluation and Security

Testing and entropy estimation

Testing the quality of hardware random number generators (HRNGs) involves rigorous statistical analysis and entropy quantification to ensure the output exhibits sufficient unpredictability and uniformity for secure applications. Entropy estimation focuses on measuring the inherent randomness in the noise source, while statistical tests assess deviations from ideal random behavior. These methods are essential for validating HRNGs against standards that guarantee cryptographic security.^[22] A primary framework for entropy estimation is provided by NIST Special Publication 800-90B, which outlines tests for validating entropy sources in random bit generators. Key tests include the Most Common Value Estimate, which identifies biases by examining the frequency of the most probable output value; the Repetition Count Test, which detects patterns of repeated values that could indicate correlation; and the Adaptive Proportion Test, which evaluates the proportion of ones in the output stream over varying window sizes to uncover non-stationarity. These tests help quantify the min-entropy, defined as H_{\min} = -\log_2 (\max p_i), where p_i represents the probability of the most likely outcome, providing a conservative measure of extractable randomness per bit.^[22]^[22]^[22] Statistical test suites offer comprehensive batteries for evaluating HRNG output. The Dieharder suite, an extension of the Diehard tests originally developed in 1995 by George Marsaglia and updated thereafter, includes over 30 tests such as the chi-squared test for uniformity, which measures how well the distribution matches a uniform expectation, and the serial correlation coefficient, which detects dependencies between consecutive bits. Similarly, TestU01, released in 2007, provides a C library with batteries like Crush and BigCrush, incorporating advanced tests for long-range correlations and lattice structures in multidimensional projections. These suites are widely used to benchmark HRNGs, with passing criteria typically requiring p-values above a threshold like 0.001 to reject non-randomness.^[64]^[64]^[65] Certification processes ensure HRNG compliance with federal standards. Under FIPS 140-3, HRNG modules can achieve Level 4 validation, the highest security level, requiring demonstration of entropy sources meeting SP 800-90B criteria and resistance to environmental stressors through physical security testing. For quantum-based HRNGs, loophole-free Bell tests verify true randomness by confirming quantum correlations without detection or locality loopholes, as demonstrated in NIST's 2018 implementation using entangled photons for certified random bit generation. In June 2025, NIST and partners developed a traceable quantum random number generator beacon using entanglement for certifiable randomness, available as a public service.^[66]^[66]^[67]^[68] Practical tools facilitate ongoing entropy assessment and validation. In Linux environments, the rngtest utility from the rng-tools package performs FIPS 140-2 compliant tests on hardware random number sources, reporting failure rates for runs and poker tests to estimate basic entropy quality. Post-processing validation, such as using hash-based extractors like those in NIST SP 800-90A, confirms that conditioning methods preserve or enhance the entropy rate, often requiring re-testing of the output to verify uniformity.^[69] Recent standards updates include the 2024 revision of AIS 20/31, originally from 2001, which defines functionality classes for physical random number generators in smart cards, incorporating advanced entropy assessments and noise source modeling for Common Criteria evaluations.^[70]^[70]

Attacks and mitigations

Hardware random number generators (HRNGs) are susceptible to physical attacks that exploit their reliance on unpredictable physical processes for entropy generation. Electromagnetic side-channel attacks target the emissions from noise amplification circuits or ring oscillators, allowing adversaries to infer internal states and reduce effective randomness. For instance, out-of-band electromagnetic injection can fully control the output of photonic quantum random number generators (QRNGs) by perturbing photon detection without direct access to the optical path. Similarly, electromagnetic fault models have been demonstrated on ring-oscillator-based true random number generators (TRNGs) in microcontrollers, where injected signals correlate with power traces to predict bit sequences. Fault injection techniques, such as laser-based methods, pose another threat by inducing errors in the hardware entropy sources. Practical optical fault injection using high-intensity lasers has been shown to disrupt secure microcontrollers, potentially corrupting the noise amplification or sampling processes in HRNGs and leading to biased outputs. These semi-invasive attacks require physical proximity but can bypass software protections. Environmental manipulations can degrade the entropy of classical HRNGs. Frequency injection attacks synchronize ring oscillators to an external signal, locking their phases and eliminating the jitter that provides randomness; this has been experimentally verified on multiple ring-oscillator TRNGs, reducing entropy to near zero even at low injection amplitudes. While temperature variations affect some noise sources like phase-change materials, Zener diode-based HRNGs exhibit stable entropy across moderate ranges (e.g., 20–50°C), limiting the practicality of thermal attacks on avalanche breakdown generators. Quantum-specific threats target the inherent vulnerabilities of photonic QRNGs. Eavesdropping via side-channels, such as electromagnetic interference on detectors, can compromise the randomness without intercepting the quantum channel. Future quantum computers may indirectly threaten classical HRNGs by enabling faster cryptanalysis of predictable patterns in flawed implementations, though truly physical entropy sources remain resistant to direct prediction. Mitigations for these attacks emphasize hardware protections and ongoing validation. Electromagnetic shielding, including Faraday cages, prevents external injections by attenuating radiated emissions and has been integrated into secure HRNG designs to block side-channel leaks. Continuous health tests, such as real-time entropy estimation and post-processing failure detection, monitor output quality and trigger alarms or reseeding if degradation occurs, as recommended in standards for entropy sources. Redundancy through dual-source designs combines multiple independent entropy sources (e.g., thermal noise and oscillator jitter) to maintain randomness if one is compromised, enhancing resilience against targeted faults. For QRNGs, decoy-state protocols mitigate eavesdropping by inserting dummy pulses with varying intensities to detect anomalies in photon statistics, ensuring secure key generation rates in practical weak-coherent source implementations. The ETSI GS QKD 014 standard (2023) specifies interfaces and security requirements for quantum-safe cryptography, including QRNG components, to address implementation vulnerabilities. Case studies highlight real-world adaptations. The 2008 cold boot attack, which recovers encryption keys from DRAM remanence, has been extended to HRNG contexts where generated random numbers reside in volatile memory; adaptations target systems using DRAM-based entropy sources, allowing partial reconstruction of bit streams post-power-off. In 2025, supply-chain tampering reports on IoT devices revealed compromised hardware components, leading to an 88% rise in hardware vulnerabilities and emphasizing the need for verified sourcing in embedded systems.^[71]

References

[1]
Entropy Sources Based on Silicon Chips: True Random Number ...
Most silicon TRNGs are designed to harvest physical or environmental randomness using one of four entropy sources, namely, noise-based, chaos-based, jitter- ...
[2]
[PDF] Hardware Random Number Generator Using FPGA - River Publishers
TRNG output is entirely based on random physical process. Unlike PRNG there ... Thus the output sequence of hardware random number generator is assured to have ...
[3]
[PDF] Recommendation for the Entropy Sources Used for Random Bit ...
The submitter provides the following inputs for entropy estimation, according to the requirements presented in Section 3.2.4. Page 18. NIST SP 800-90B.
[4]
Intel® Digital Random Number Generator (DRNG) Software ...
Oct 17, 2018 · The Digital Random Number Generator (DRNG) is an innovative hardware approach to high-quality, high-performance entropy and random number ...
[5]
[PDF] A Mathematical Theory of Communication
379–423, 623–656, July, October, 1948. A Mathematical Theory of Communication. By C. E. SHANNON. INTRODUCTION. THE recent development of various methods of ...Missing: URL | Show results with:URL
[6]
[PDF] Randomness Extractors
Von Neumann proposed the following extractor: Break all the variables in pairs and for each pair output 0 if the outcome was. 01, 1 if the outcome was 10, and ...
[7]
Difference between Pseudorandom Number Generators and True ...
Jun 13, 2024 · The key distinction between the two lies in how they generate randomness. PRNGs employ deterministic algorithms and an initial seed value to ...
[8]
[PDF] NIST Special Publication 800-90A Revision 1
NIST SP 800-90A Rev 1 recommends random number generation using deterministic methods, based on hash functions or block cipher algorithms.
[9]
NVD - CVE-2008-0166
### Summary of CVE-2008-0166: Debian OpenSSL Vulnerability
[10]
Pseudorandom Number Generation (PRNG) - Xiphera
Technical specifications · Suitable for high-throughput environments · Over 69 Gbps output · Only ~18 kLUTs in a typical FPGA setup · CAVP validated IP core.
[11]
[PDF] HISTORY OF UNIFORM RANDOM NUMBER GENERATION - Hal-Inria
ABSTRACT. Random number generators were invented before there were symbols for writing numbers, and long before mechanical and electronic computers.
[12]
[PDF] History of Random Number Generators
Dec 9, 2017 · 1947: RAND Corporation project of a million random digits. Tables in books were not convenient for random sampling with computers. Project ...Missing: nitrogen triode
[13]
[PDF] History of RAND's Random Digits: Summary
The variety of appli- cations led to a desire for a large supply of random digits, of sufficiently high quality so that the user wouldn't have to question.Missing: nitrogen triode
[14]
A Million Random Digits with 100,000 Normal Deviates | RAND
The random digits in this book were produced by rerandomization of a basic table generated by an electronic roulette wheel.Missing: nitrogen triode
[15]
[PDF] Various Techniques Used in Connection With Random Digits - MCNP
Random Digits. By John von Neumann. SUJnJnary written by George E. Forsythe. In manual computing methods today random control call for these numbers as needed.
[16]
The Ferranti Mark 1 (Digital 60) - The University of Manchester
The enhanced order code included a number of new "one-off" instructions (e.g. a random number generator, and an instruction counting the number of 1s in a word) ...
[17]
SAGE - IBM
SAGE established IBM as a leader in a new class of online computing and attracted the interest of other government agencies and industry alike.Missing: radioactive decay
[18]
Random Number Machines: A Literature Survey - Ciphers By Ritter
Dec 4, 2002 · Yarza and Martinez show a random digital pulse circuit, based on amplified and compared Zener diode noise.Missing: military | Show results with:military
[19]
Enhancing Johnson-Nyquist noise for high-performance Mott ...
Jun 4, 2025 · In this study, we enhance Johnson-Nyquist noise to demonstrate the fastest, most energy-efficient memristor-based TRNG.Missing: paper | Show results with:paper
[20]
A truly random number generator based on thermal noise
A simple circuit to generate truly random numbers, which is based on thermal noise of the resistor, is presented, as well as some simulation results.
[21]
https://ubld.it/new-product-launched-truerng-hardware-random-number-generator/
[22]
[PDF] Implementation of True Random Number Generator based ... - arXiv
May 19, 2018 · According to average calculation of data from each component in non- linear circuit of original chaotic Chua circuit the power is. 5.02 mW.
[23]
Machine Vision Random Number Generator - Using the Raspberry Pi
Dec 28, 2020 · One novel physical random number generator, created in the late 1990s by Silicon Graphics, is Lavarand. Lavarand generated random numbers from ...
[24]
Random Number Generator Offers Stand-Alone, Ready-to-Use FIPS ...
Jun 29, 2023 · Microchip's new RNG90 provides a cost-effective, ready-to-use, stand-alone random number generator IC device for systems requiring FIPS 140 certification.Missing: RN48 | Show results with:RN48
[25]
[PDF] On Entropy and Bit Patterns of Ring Oscillator Jitter - PQShield
Abstract—Thermal jitter (phase noise) from a free-running ring oscillator is a common, easily implementable physical ran- domness source in True Random Number ...
[26]
[PDF] Analysis of timing jitter in CMOS ring oscillators - UCSB ECE
The jitter per stage was shown to depend on the ratio of the kT/ C noise level to the (VGS-VT) bias point. The cycle-to-cycle jitter of a ring oscillator was ...
[27]
[PDF] Random Number Generation Based on Oscillatory Metastability in ...
Strong internal or external signals might synchronize ring oscillators, and cause deterministic phase drift. Therefore, random number generator circuits ...Missing: detuning | Show results with:detuning
[28]
https://arxiv.org/pdf/1805.06622
[29]
Entropy Computation for Oscillator-based Physical Random Number ...
Feb 29, 2024 · Thermal noise is the most frequently exploited noise in TRNGs, since it has been characterized and is well understood and modeled. Since thermal ...
[30]
Behind Intel's New Random-Number Generator - IEEE Spectrum
Aug 24, 2011 · A new instruction, called RdRand, provides a way for software that needs random numbers to request them from the hardware that's producing them.Missing: principles | Show results with:principles
[31]
True Random Number Generator: Dynamic Hybrid Entropy Sources
The experimental results reveal that the suggested design consumes only 19 LUTs, 8 DFFs, and 4 MUXs to provide random numbers with up to 380 Mbps throughput, ...
[32]
A 10-MHz CMOS-based Ring Oscillator with Low Power ...
The results exhibit that the power consumption of 5.56 MW at a supply of 1V is achieved, which is approximately 45% less than the conventional ring oscillator.
[33]
[PDF] A Practical Secure Physical Random Bit Generator - Ari Juels
We focus on timings of magnetic hard disks for the rest of this paper. We describe how to use variations in disk drive response times as a source of randomness.
[34]
Random numbers from CPU execution time jitter - LWN.net
Apr 29, 2015 · To sufficiently seed a random number generator, all you need is 128 random bits -- 128 unpredictable clock cycles. Random numbers from CPU ...
[35]
A new optical random number generator circuit design using single ...
In this paper a new optical random number generator circuit is presented and post layout simulated in 180 nm standard Complementary Metal Oxide Semiconductor ( ...
[36]
Quantum random number generator based on photonic emission in ...
Apr 9, 2007 · The two photon detectors D 1 and D 2 are used to detect two possible outcomes corresponding to one of the two possible paths a photon can take.
[37]
Quantum random number cloud platform | npj Quantum Information
Jul 7, 2021 · Recently, popular QRNG realizations are mainly based on single-photon detection, photon-counting detection, and phase or vacuum-fluctuations.
[38]
100-Gbit/s Integrated Quantum Random Number Generator Based ...
Mar 22, 2023 · We experimentally demonstrate an ultrafast generation rate of 100 Gbit/s, setting a new record for vacuum-based quantum random number generation by one order ...Missing: throughput | Show results with:throughput
[39]
Micius quantum experiments in space | Rev. Mod. Phys.
Jul 6, 2022 · The Micius satellite, launched from China in August 2016, is the first and only satellite dedicated entirely to quantum experiments.
[40]
Loophole-free Bell inequality violation with superconducting circuits
May 10, 2023 · Observing a violation of Bell's inequality indicates that the system possesses non-classical correlations, and asserts that the potentially ...
[41]
Homodyne-based quantum random number generator at 2.9 Gbps ...
Jan 27, 2021 · The reduction of the min-entropy due to the digitization error is 7.23 bit with a confidence of 2 × 10−6 as 500,000 measurements have been ...
[42]
[PDF] Recommendation for Cryptographic Key Generation
Jun 2, 2020 · Asymmetric key pairs require the use of an approved algorithm for their generation. Examples are those included in FIPS 186 for generating DSA, ...
[43]
RFC 4086 - Randomness Requirements for Security
This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities.
[44]
Page Not Found | CSRC
**Summary:**
[45]
Hardware Security Module (HSM) - Glossary | CSRC
A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing. An HSM is or contains a cryptographic module.
[46]
NIST Releases First 3 Finalized Post-Quantum Encryption Standards
Aug 13, 2024 · NIST has finalized its principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer.
[47]
[PDF] Cryptanalytic Attacks on Pseudorandom Number Generators
This means that once an attacker has compromised K, the PRNG can never fully recover, even after processing a sequence of inputs the attacker could never guess.
[48]
RNGs – What Are They, and Are They Random? - CDC Gaming
Sep 4, 2019 · They define the RNG as “a hardware, software, or combination hardware and software device for generating number values that exhibit ...
[49]
Types, Certifications of RNG in iGaming - Skilrock Technologies
Mar 31, 2023 · RNG, or Random Number Generator, is a critical component of modern gaming. RNG acts as the foundation of lottery, casino gamers, slot machines, ...
[50]
State lotteries using Hardware RNG to generate combinations ...
Jun 23, 2025 · The state lotteries in Arizona, Oregon, and Washington State have abandoned ball machines in favor of computer generated combinations using ...Missing: electronic | Show results with:electronic
[51]
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
[52]
Evaluation of Random Number Generator Utilizing Weather Data ...
The current study proposes to use weather data as the entropy source for URN generation, where the sampling period is modified by the wind direction data. The ...
[53]
Quality of randomness and node dropout regularization for fitting ...
Nov 30, 2022 · The artificial neural networks used for example in deep learning use random number generation for weight initialization, optimization and in ...
[54]
[PDF] The Pitfalls of Pseudo-Random Numbers in Machine Learning
Many machine learning methods rely on random numbers to initialise coefficients, generate data subsets, or shuffle the data. We investigated the effects and ...
[55]
Strategies for the New Era of High Frequency Trading [2024] - Quside
Randomness generation is a bottleneck when the optimization is based on random numbers, then the use of a purpose-specific device allows to overcome this pain ...
[56]
Quality of random number generators significantly affects results of ...
We have simulated pure liquid butane, methanol and hydrated alanine polypeptide with the Monte Carlo technique using three kinds of random number generators.
[57]
Comparing pseudo- and quantum-random number generators with ...
Sep 20, 2024 · If the seed is truly random, i.e., obtained from a true random number generator, then the PRNG will have an infinite period of repetition.2 ...
[58]
SP 800-90B, Recommendation for the Entropy Sources Used for ...
Jan 10, 2018 · This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of ...
[59]
Robert G. Brown's General Tools Page - Duke Physics
Dieharder is a random number generator testing suite, designed to test generators and make it easy to time and test them.
[60]
[PDF] TestU01: A C Library for Empirical Testing of Random Number ...
TestU01 is a C library for empirical statistical testing of uniform random number generators (RNGs), providing various tests and tools.
[61]
Cryptographic Module Validation Program - FIPS 140-3 Standards
FIPS 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020.
[62]
NIST's New Quantum Method Generates Really Random Numbers
Apr 11, 2018 · Other researchers have previously used Bell tests to generate random numbers, but the NIST method is the first to use a loophole-free Bell test ...
[63]
Hardware random number generators
Those tools use /dev/hwrng to fill the kernel entropy ... The rng-tools package uses such tests in “rngd”, and lets you run them by hand with a “rngtest” utility.
[64]
[PDF] A Proposal for Functionality Classes for Random Number Generators
Jun 2, 2023 · This document proposes an evaluation methodology for true and deterministic random number generators. This document is updating the ...
[65]
[2309.05299] Partial Loopholes Free Device Independent Quantum ...
Sep 11, 2023 · Comments: We present a scheme by which one can generate device independent quantum random numbers by use of IBM quantum computers that are ...