# Live random digits

Fetching random numbers...

The above is 8,192 bits of free, independent and identically distributed randomness, hex-encoded. It is brought to you today by 16 passes of 512-bit SHA-2 across a single frame from the Photonic Instrument, as $\operatorname{SHA-512}(jpg || 0), \dots ,\operatorname{SHA-512}(jpg || 15)$. Standard caveats apply: don’t use it for your bank’s password (we’ve seen it!). And of course we might be keeping a record of it too. And how do you know it’s random anyway? It may have come from a kiddie’s linear congruential generator like RANDU or java.util.Random. This is just intended to be an example of a working, gold-standard DIY TRNG. And it’s really, really random. Best build your own though!

Hash-based randomness extractors are generally applied to a biased entropy source $X$ such as:-

$$p(X_i = 1, X_i = 0) = \frac{1}{2} \pm \epsilon$$

where $\epsilon > 0$ is the magnitude of the bias away from perfectly random. And the Photonic Instrument is oh so biased. All of the excessive zeros lead to a raw signal bias $\epsilon = 0.0114$ or $2^{-6.45}$. The basic idea of such an extractor is to compute $k$ output bits with high randomness from $n > k$ input bits with less randomness. Given that each bit of the input sequence has entropy $s$ ($s = 1$ for perfect randomness), the probability that the extractor output will deviate from a perfectly uniform $k$-bit string is in accordance[1] with $\epsilon = 2^{-(sn-k)/2}$. NIST generally accepts that $\epsilon \leq 2^{-64}$ is a negligible bias for a cryptographic-strength random sequence. As the entropy from the Photonic Instrument arrives in batches of approximately 21.2 kbits, our $\epsilon \approx 2^{-10{,}000}$. We don’t know whether contemporary pseudorandom functions like SHA-2 can output blocks with so little bias, as it’s impossible to generate the requisite massive data sample for analysis. It should offer comfort, though, that such a simple extraction technique can achieve the recommended negligible bias.
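The extraction and the bound above, worked through in Python as an added example (not the site's own code). It assumes the counter is appended as one raw byte, which the page does not specify; the function names are hypothetical and `SAMPLE_FRAME` is a constructed stand-in for a camera frame that carries no real entropy.

```python
import hashlib
import math

# Constructed stand-in for one JPEG frame (SOI marker, filler, EOI marker).
# It only exercises the mechanics; a real frame comes from the instrument.
SAMPLE_FRAME = b"\xff\xd8" + bytes(range(256)) * 4 + b"\xff\xd9"

def extract(frame: bytes, passes: int = 16) -> bytes:
    """Return SHA-512(frame || 0) || ... || SHA-512(frame || passes-1)."""
    if not 0 < passes <= 256:
        raise ValueError("the counter is a single byte in this sketch")
    # Assumption: counter i is encoded as one raw byte appended to the frame.
    return b"".join(
        hashlib.sha512(frame + bytes([i])).digest() for i in range(passes)
    )

def log2_deviation(input_entropy_bits: float, k: int) -> float:
    """log2 of epsilon = 2^(-(sn - k)/2), where input_entropy_bits is s*n."""
    if k >= input_entropy_bits:
        raise ValueError("cannot extract more bits than the input entropy")
    return -(input_entropy_bits - k) / 2

def max_output_bits(input_entropy_bits: float, log2_target: float = -64) -> int:
    """Largest k that keeps epsilon <= 2^log2_target for the given s*n."""
    # -(sn - k)/2 <= log2_target  <=>  k <= sn + 2*log2_target
    return math.floor(input_entropy_bits + 2 * log2_target)

if __name__ == "__main__":
    out = extract(SAMPLE_FRAME)
    print(len(out) * 8, "bits:", out.hex()[:32], "...")

    batch = 21_200  # approx. entropy per frame quoted on the page, in bits
    # One 512-bit SHA-512 block taken as k:
    print("log2(eps), k=512 :", log2_deviation(batch, 512))
    # All 16 blocks from the same frame taken together as k = 8192:
    print("log2(eps), k=8192:", log2_deviation(batch, 8192))
    # Output budget per frame before eps rises above 2^-64:
    print("max k at 2^-64   :", max_output_bits(batch))
```

Counting all 16 blocks from one frame against the same 21.2 kbit batch still leaves the bound far below the $2^{-64}$ threshold, and the per-frame output budget at that threshold is well above 8,192 bits.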

References:-

[1] M. Troyer and R. Renner, A randomness extractor for the Quantis device. ID Quantique Technical Paper on Randomness Extractor, September 19, 2012