As mobile devices such as portable telephone devices, IC cards, and the like are rapidly becoming common, there is an increasing demand for tightening security measures to protect personal information in small-sized electronic circuits. In response to that trend, the demand for high-quality, small-sized random number generator circuits that are manufactured by one of fundamental security techniques has been becoming greater year by year. In recent years, the need of physical random numbers using natural fluctuations, instead of pseudorandom numbers generated by software, has been emphasized.
In such circumstances, physical random number generating elements and circuits that amplify physical phenomena, particularly, transistor noise, have been suggested recently. Typical examples of random number generator circuits that have been suggested include random number generator circuits that utilize 1/f noise of SI transistors (MOSFETs), and random number generator circuits that are smaller in size and use SiN transistors having the function to generate random numbers at a high speed.
In those random number generator circuits that utilize transistor noise, however, the noise characteristics slightly vary among conventional transistors. Therefore, with device variations in and among wafers being taken into account, optimization needs to be performed for each individual chip (random number generator circuit) before shipment from the factory. Also, it is necessary to prepare a correcting circuit that performs readjustment on the optimum operating voltage or the like in accordance with a secular change in transistor characteristics due to use over the years, and there have been problems such as an increase in circuit area and a decrease in reliability.
In the academic field, Patrick Lacharme mathematically maintains that the quality of random numbers is increased by using a code generating matrix called Error Correcting Code (ECC) according to a code theory (see the literature, “Post-processing functions for a biased physical random number generator,” Fast Software Encryption (FSE), 2008, pp. 10-13, February 2008). In a case where an input signal sequence consisting of n pieces of data “0” and “1” is (x1, x2, . . . , xn), one of the data “0” and the data “1” appears with probability 1/2 if the data “0” and the data “1” appear completely at random. However, the actual appearance ratio is not 1/2. Where the shift or deviation from 1/2 is represented by e/2 (0<e<1), or where the probabilities of appearance of the data “0” and the data “1” are expressed as (1+e)/2 and (1−e)/2, respectively, the deviation e/2 of the data “0” and the data “1” is expressed as ed/2 (see theorem 1 in the literature) in the following new signal sequence (y1, y2, . . . , ym):
                                          (                                                                                g                    11                                                                                        g                    12                                                                    …                                                                      g                                          1                      ⁢                      n                                                                                                                                        g                    21                                                                                        g                    22                                                                    …                                                                      g                                          2                      ⁢                      n                                                                                                                    ⋮                                                  ⋮                                                  ⋱                                                  ⋮                                                                                                  g                                          m                      ⁢                                                                                          ⁢                      1                                                                                                            g                                          m                      ⁢                                                                                          ⁢                      2                                                                                        …                                                                      g                    mn                                                                        )                    ⁢                      (                                                                                x                    1                                                                                                                    x                    2                                                                                                ⋮                                                                                                  x                    n                                                                        )                          =                  (                                                                      y                  1                                                                                                      y                  2                                                                                    ⋮                                                                                      y                                      m                    ⁢                                                                                                                                              )                                    (        1        )            
which is converted by using the following code generating matrix G for error corrections in communication circuits:
                    G        =                  (                                                                      g                  11                                                                              g                  12                                                            …                                                              g                                      1                    ⁢                    n                                                                                                                        g                  21                                                                              g                  22                                                            …                                                              g                                      2                    ⁢                    n                                                                                                      ⋮                                            ⋮                                            ⋱                                            ⋮                                                                                      g                                      m                    ⁢                                                                                  ⁢                    1                                                                                                g                                      m                    ⁢                                                                                  ⁢                    2                                                                              …                                                              g                  mn                                                              )                                    (        2        )            
At this point, d represents the minimum distance of the linear code formed from the code generating matrix G. In that case, the relationship, n>m, is established. By compressing data, the entropy of random number data is essentially increased.
According to the above literature, the deviation is reduced, but it is not clear whether a commercial random number test that is being actually used can be passed. Also, according to the above literature, a shift register is used, but it is not clear how a shift register is to be incorporated into an actual physical random number generator circuit as a system. That is, if the equation (1) is simply formed into a circuit, only excess overhead is added to the random number generator circuit, resulting in a low efficiency.