Fetching random digits...

The above is `0` bits of free, independent and identically distributed true randomness. Each 512 bit block is brought to you today by a single pass of 512 bit SHA-2 across a unique frame from the Photonic Instrument, as $\text{SHA-512}(.jpg) $.

Standard caveats apply: don’t use it for your bank’s password (we’ve seen it!). And of course we might be keeping a record of it too. And how do you know it’s random anyway? It may have come from a kiddie’s linear congruential generator like RANDU or `java.util.Random`

. This is just intended to be an example of a working, gold standard DIY TRNG. And it’s really really random. Best build your own though!

Hash based randomness extractors are generally applied to a biased entropy source $(X)$ such as:-

$$ P(X_i = 1, X_i = 0) = \frac{1}{2} \pm \epsilon $$

where $\epsilon$ is a bias away from perfectly random and $> 0$ in magnitude. And the Photonic Instrument is oh so biased. All of the excessive zeros lead to a raw signal bias $\epsilon = 0.0114 $ or $ 2^{-6.45} $. The basic idea of such an extractor is to compute $k$ output bits with high randomness from $n > k$ input bits with less randomness. Given that each bit of the input sequence has entropy $s$ ($s = 1$ for perfect randomness), the probability that the extractor output will deviate from a perfectly uniform $k$-bit string is in accordance[1] with $ \epsilon = 2^{-(sn-k)/2} $. NIST generally accepts that $\epsilon \leq 2^{-64} $ is a negligible bias for a cryptographic strength random sequence. As the entropy from the Photonic Instrument arrives in batches of approximately 21.2 kbits, our $ \epsilon \approx 2^{-10,000} $. We don’t know whether contemporary pseudo random functions like SHA-2 can output blocks with so little bias as it’s impossible to generate the requisite massive data sample for analysis. It should offer comfort though that such a simple extraction technique can achieve the recommended negligible bias.

References:-

[1] M. Troyer and R. Renner, *A randomness extractor for the Quantis device.* ID Quantique
Technical Paper on
Randomness Extractor, September 19, 2012