GB2609238A - Randomness extraction - Google Patents


Publication number: GB2609238A
Authority: GB (United Kingdom)
Prior art keywords: sequence, value, random, generated, generating
Legal status: Granted
Application number: GB2110704.0A
Other versions: GB202110704D0 (en), GB2609238B (en)
Inventor: Applegate Matthew
Current assignee: Nu Quantum Ltd
Original assignee: Nu Quantum Ltd
Events
    • Application filed by Nu Quantum Ltd
    • Priority to GB2110704.0A
    • Publication of GB202110704D0
    • Publication of GB2609238A
    • Application granted
    • Publication of GB2609238B
    • Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes

Abstract

According to an aspect of the invention, a computer-implementable method is provided for extracting an unbiased binary sequence from a random sequence. Computer-readable media and computing devices are also described. A randomness extractor and a device for generating random numbers are also described.

Description

RANDOMNESS EXTRACTION
Technical Field
[0001] The present disclosure relates to random number generation, and in particular to randomness extraction. Aspects of the invention relate to a randomness extractor, a device for random number generation, a method, a computer-readable medium, and a computing device.
Background
[0002] Random numbers are necessary for many purposes, including generating cryptographic keys, perfect hashing, simulating and modelling complex phenomena, and selecting random samples from larger datasets. Often it is useful if a random number is drawn from a set of possible values, each of which is equally probable, i.e., a uniform distribution, and statistically independent of the other values. The binary system is used internally by most computing devices, and as all statistical test suites for randomness only accept uniformly distributed binary sequences as input, it is no surprise that random numbers are most commonly required as uniformly distributed random bits.
[0003] Physical random number generators generate random numbers based on a physical process rather than a "pseudo-random" deterministic algorithm. Such stochastic processes may be based on, for example, statistically random noise signals or quantum uncertainty. However, many physical processes generate random numbers according to a non-uniform distribution, such as a normal distribution or a Poisson distribution, and accordingly some of the possible random values may be more likely to arise than others. Random events derived from a given randomness source are often not uniformly distributed, and moreover, can often take an arbitrary number of values, in which case a process of "randomness extraction" must be employed to extract uniformly distributed random bits.
[0004] In 1951 John von Neumann [J. von Neumann, Nat. Bur. Stand., Appl. Math. Ser., vol. 12, pp. 36-38 (1951)] presented a solution to the problem of extracting a sequence of unbiased bits from a sequence of bits generated from a biased random source. If one considers, for example, a biased coin in which the probability of Heads (H) is given by p and the probability of Tails (T) is given by q = 1 - p, then one can extract unbiased bits by considering pairs of coin tosses: if Heads occurs immediately before Tails (HT), then a "0" can be extracted; if Tails occurs immediately before Heads (TH), then a "1" can be extracted; and the other two combinations (HH or TT) can be disregarded. As the probabilities of HT and TH are equal (each equal to pq), the resulting bits are equiprobable. However, as information is discarded in some cases (HH or TT), such a process for generating unbiased bits is inefficient. A more efficient process for extracting a sequence of unbiased bits from a sequence of bits generated from a biased random source was outlined by Peres [Y. Peres, Ann. Stat., vol. 20, no. 1, pp. 590-597 (1992)].
[0005] Many physical processes used in physical random number generators may generate random non-binary values from a non-uniform distribution; that is, the size of the alphabet of the random sequence may be greater than two. The randomness extraction processes described by von Neumann and Peres are accordingly not applicable in many cases.
[0006] The present disclosure has been devised in the foregoing context.
Summary
[0007] According to an aspect of the invention, a randomness extractor is provided. The randomness extractor comprises circuitry for extracting an unbiased binary sequence from a random sequence. The circuitry includes one or more first subcircuits for receiving a first value and a second value and outputting a binary value based on comparing the first and second values. The circuitry further includes one or more second subcircuits for receiving a first value and a second value and outputting an absolute difference of the first and second values. The circuitry further includes one or more third subcircuits for receiving a first value and outputting the first value. The circuitry further includes one or more fourth subcircuits for receiving a first value and a second value and outputting an extremum (maximum or minimum) of the first and second values. The circuitry further comprises one or more combination subcircuits for combining binary values output from the one or more first subcircuits. The circuitry is configured to receive a random sequence, each element of the random sequence independently generated. The circuitry is further configured to apply a recursive or iterative procedure to the random sequence as an input sequence. 
The recursive or iterative procedure comprises: (i) identifying, from the input sequence, one or more pairs of integers, each pair comprising a first value and a second value; (ii) generating, using the one or more first subcircuits, an ordering sequence, each element of the ordering sequence determined from a corresponding pair of the one or more pairs for which the first value is not equal to the second value, each element of the ordering sequence comprising a binary output based on a comparison of the first value to the second value; (iii) generating, using the one or more second subcircuits, a difference sequence, each element of the difference sequence determined from a corresponding pair of the one or more pairs, each element of the difference sequence comprising an absolute difference of the first value and the second value; (iv) generating, using the one or more third subcircuits, an ordinal sequence, each element of the ordinal sequence determined from a corresponding pair of the one or more pairs for which the first value is equal to the second value, each element of the ordinal sequence comprising the first value of the corresponding pair; (v) for each integer greater than or equal to one and less than the size of the alphabet of the random sequence minus one: generating, using the one or more fourth subcircuits, a respective extremum sequence, each element of the respective extremum sequence determined from a corresponding pair of the one or more pairs for which the absolute difference of the first value and the second value is equal to the integer, each element comprising an extremum of the corresponding first value and second value; and (vi) applying said recursive or iterative procedure to: (a) the generated difference sequence as an input sequence, if (and optionally only if) that generated difference sequence comprises at least two elements; (b) the generated ordinal sequence as an input sequence, if (and optionally only if) that generated ordinal 
sequence comprises at least two elements; and (c) each of the respective generated extremum sequences as an input sequence, if (and optionally only if) that respective generated extremum sequence comprises at least two elements. The circuitry is further configured to generate, using the one or more combination subcircuits, an output binary sequence, the output binary sequence comprising a combination of ordering sequences generated using said recursive or iterative procedure.
[0008] Advantageously, the elementary operations performed by the one or more first, second, third and fourth subcircuits are simple and can be easily implemented without errors. Furthermore, due to this functional simplicity, the subcircuits of the randomness extractor are physically small and compact. Accordingly, for a given recursion depth, the described randomness extractors can be smaller and faster than comparable randomness extractors. For a given randomness extractor size, the described randomness extractors enable greater recursion depth than comparable randomness extractors.
[0009] Further advantageously, the randomness extractors described herein are able to handle random sequences having elements from an alphabet of a size greater than or equal to two, and to extract an unbiased random sequence in an asymptotically optimal way.
[0010] The size of the alphabet of the random sequence may be greater than or equal to two. For an alphabet of size two, the one or more fourth subcircuits are not utilised by the extractor, but nevertheless the extractor provides a simple and fast hardware implementation of an unbiasing function.
[0011] The size of the alphabet of the random sequence may be greater than or equal to three. Advantageously, the randomness extractor is able to cope with random sequences generated from a vast array of physical sources of randomness, making it easier to implement a random number generator.
[0012] The circuitry may be further configured to halt the recursive or iterative procedure if a halting condition is met. The halting condition may comprise a recursion depth limit being met.
[0013] If an input sequence comprises an odd number of elements, identifying, from the input sequence, one or more pairs of integers may comprise converting the input sequence to an even-length sequence. Converting the input sequence to an even-length sequence may be achieved in any suitable way, such as by removing an element and storing it for later use, or by discarding an element from the input sequence altogether. It does not matter which element is removed from the input sequence. In other examples, converting the input sequence to an even-length sequence may be achieved by adding an element, such as an element removed from a previous sequence in a previous iteration/recursive step.
[0014] The circuitry may be configured to generate, using the one or more combination subcircuits, an output binary sequence, by interleaving the ordering sequences generated using said recursive or iterative procedure.
[0015] The circuitry may be configured to generate, using the one or more combination subcircuits, an output binary sequence, by concatenating the ordering sequences generated using said recursive or iterative procedure.
[0016] According to an aspect of the invention, a device is provided for generating random numbers. The device comprises a random number source for generating a random sequence. The device further comprises a randomness extractor according to any preceding claim, the randomness extractor configured to receive the random sequence and output an output binary sequence.
[0017] The device may be suitable for generating unbiased binary sequences in real time.
[0018] The random number source may comprise a light source and one or more photon detectors for detecting photons emitted from the light source. The device may comprise further circuitry such as an amplifier for converting a signal received from the one or more photon detectors into a voltage signal and amplifying the voltage signal, and/or an analogue-to-digital converter for converting the voltage signals into the random sequence.
[0019] According to an aspect of the invention, a computer-implementable method is provided for extracting an unbiased binary sequence from a random sequence. The method comprises receiving a random sequence, each element of the random sequence independently generated.
The method further comprises applying a recursive or iterative procedure to the random sequence as an input sequence. The recursive or iterative procedure comprises: (i) identifying, from the input sequence, one or more pairs of integers, each pair comprising a first value and a second value; (ii) generating an ordering sequence, each element of the ordering sequence determined from a corresponding pair of the one or more pairs for which the first value is not equal to the second value, each element of the ordering sequence comprising a binary output based on a comparison of the first value to the second value; (iii) generating a difference sequence, each element of the difference sequence determined from a corresponding pair of the one or more pairs, each element of the difference sequence comprising an absolute difference of the first value and the second value; (iv) generating an ordinal sequence, each element of the ordinal sequence determined from a corresponding pair of the one or more pairs for which the first value is equal to the second value, each element of the ordinal sequence comprising the first value of the corresponding pair; (v) for each integer greater than or equal to one and less than the size of the alphabet of the random sequence minus one: generating a respective extremum sequence, each element of the respective extremum sequence determined from a corresponding pair of the one or more pairs for which the absolute difference of the first value and the second value is equal to the integer, each element comprising an extremum of the corresponding first value and second value; and (vi) applying said recursive or iterative procedure to: (a) the generated difference sequence as an input sequence, if (and optionally only if) that generated difference sequence comprises at least two elements; (b) the generated ordinal sequence as an input sequence, if (and optionally only if) that generated ordinal sequence comprises at least two elements; and (c) 
each of the respective generated extremum sequences as an input sequence, if (and optionally only if) that respective generated extremum sequence comprises at least two elements. The method further comprises generating an output binary sequence, the output binary sequence comprising a combination of ordering sequences generated using said recursive or iterative procedure.
[0020] Advantageously, the elementary operations performed by the computing means in generating the difference sequence(s), ordering sequence(s), ordinal sequence(s) and extremum sequence(s) are fast and simple to implement. Accordingly, the methods described herein provide a fast and asymptotically optimal approach to implementing a randomness extraction function.
[0021] Generating an output binary sequence may comprise interleaving ordering sequences generated using said recursive or iterative procedure. Generating an output binary sequence may comprise concatenating ordering sequences generated using said iterative or recursive procedure.
[0022] The size of the alphabet may be greater than or equal to two; for example, the alphabet size may be two, or three, or four, or five, etc.
[0023] Each element of at least one extremum sequence may comprise a maximum of the corresponding first value and second value. Each element of at least one extremum sequence may comprise a minimum of the corresponding first value and second value.
[0024] At least one of generating an ordering sequence, generating a difference sequence, or generating an extremum sequence may comprise consulting a lookup table.
[0025] According to an aspect of the invention, a computer-readable medium is provided. The computer-readable medium has instructions thereon which, when read by a processor of a computing device, cause the processor to execute a method as described herein.
[0026] According to an aspect of the invention, a computer-readable medium is provided. The computer-readable medium has thereon a computer-readable description for implementing circuitry to execute a method as described herein. For example, the computer-readable description may comprise a .bin file or similar for configuring a field programmable gate array or other programmable logic.
[0027] According to an aspect of the invention, a computing device is provided. The computing device comprises one or more memories. The computing device further comprises one or more processors configured to, using instructions stored in the one or more memories, execute a method as described herein.
[0028] The computer program and/or the code for performing such methods as described herein may be provided to an apparatus, such as a computer, on the computer-readable medium or computer program product. The computer-readable medium could be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, or a propagation medium for data transmission, for example for downloading the code over the Internet. Alternatively, the computer-readable medium could take the form of a physical computer-readable medium such as semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-R/W or DVD.
[0029] While some examples described herein concern a software-driven implementation of components of the invention by a more general-purpose processor such as a CPU based on program logic stored in a memory, in alternative embodiments, certain components of the invention may be partly embedded as pre-configured electronic systems or embedded controllers and circuits embodied as logic devices (programmable or otherwise), using, for example, application-specific integrated circuits (ASICs) or Field-programmable gate arrays (FPGAs), which may be partly configured by embedded software or firmware.
[0030] Many modifications and other embodiments of the inventions set out herein will come to mind to a person skilled in the art to which these inventions pertain in light of the teachings presented herein. Therefore, it will be understood that the disclosure herein is not to be limited to the specific embodiments disclosed herein. Moreover, although the description provided herein provides example embodiments in the context of certain combinations of elements, steps and/or functions, different combinations may be provided by alternative embodiments without departing from the scope of the invention.
Brief Description Of The Drawings
[0031] Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which like reference numerals are used to depict like parts. In the drawings: Figure 1 shows a block diagram of a computing device and a computer-readable storage medium; Figure 2 shows a flowchart; Figure 3 shows a flowchart; Figure 4 shows a table indicating the inputs and outputs of a randomness extraction function for an alphabet size of 3; Figure 5 shows a table indicating the inputs and outputs of a randomness extraction function for an alphabet size of 4; Figure 6 shows a table indicating the ordering sequence, difference sequence, ordinal sequence, and extremum sequences generated from an example random sequence at a first layer of recursion, the example random sequence having an alphabet size of four; Figure 7 shows a tree-like structure indicating how the example random sequence described in relation to Figure 6 is processed by a randomness extraction function; Figure 8 shows a randomness extractor for an alphabet size of up to 3; Figure 9 shows a randomness extractor for an alphabet size of up to 3; Figure 10 shows a block diagram of a random number generator; and Figure 11 shows a block diagram of a random number generator.
Detailed Description
[0032] Whilst various embodiments are described below, the invention is not limited to these embodiments, and variations of these embodiments may well fall within the scope of the invention which is to be limited only by the claims.
[0033] As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method, or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present invention may take the form of a computer program product embodied in any one or more computer-readable medium/media having computer usable program code embodied thereon. Furthermore, aspects of the present invention may take the form of a computer-readable description for implementing circuitry, such as a description for configuring programmable logic.
[0034] Any combination of one or more computer-readable medium/media may be utilized. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or any suitable combination of the foregoing. More specific examples of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fibre, a portable compact disc read-only memory (CDROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
[0035] A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in a baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
[0036] Computer code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fibre cable, radio frequency (RF), etc., or any suitable combination thereof.
[0037] Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java™, Smalltalk™, C++, or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
[0038] Computer-readable descriptions for configuring or defining logic devices (e.g. ASICs or FPGAs) may be provided in any suitable form. For example, the computer-readable description may be provided in binary or human readable form.
[0039] Aspects and embodiments of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to illustrative examples. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions.
These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
[0040] These computer program instructions may also be stored in a computer-readable medium that can direct a computing device, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions that implement the function/act specified in the flowchart and/or block diagram block or blocks.
[0041] The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
[0042] The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
[0043] The illustrative examples described herein may be utilized in many different types of data processing environments including a distributed data processing environment, a single data processing device, or the like.
[0044] With reference now to the figures, FIG. 1 depicts a block diagram of a data processing system / computing device / computing apparatus 100 in which illustrative embodiments may be implemented. Computing device 100 is an example of a computer, in which computer usable program code or instructions implementing the processes may be located. In this example, data processing system 100 includes communications fabric 102, which provides communications between processor unit(s) 104, memory unit(s) 106, input/output unit 108, communications module 110, and display 112.
[0045] The one or more processing units / processors 104 are configured to execute instructions for software that may be loaded into the memory 106. Processor unit(s) 104 may be a set of one or more processors or may be a multi-processor core, depending on the particular implementation. Furthermore, processor unit(s) 104 may be implemented using one or more heterogeneous processor systems in which a main processor is present with secondary processors on a single chip.
[0046] The one or more memory unit(s) 106 may comprise any piece of hardware that is capable of storing information, such as, for example, data, program code in functional form, and/or other suitable information, either on a temporary basis and/or a permanent basis. The one or more memory units 106 may include, for example, a random access memory or any other suitable volatile or non-volatile storage device. The one or more memory units may include a form of persistent storage, for example a hard drive, a flash memory, a rewritable optical disk, a rewritable magnetic tape, or some combination thereof. The media used for persistent storage may also be removable. For example, the one or more memory units 106 may include a removable hard drive.
[0047] Input/Output unit 108 enables the input and output of data with other devices that may be in communication with the computing device 100. For example, input/output unit 108 may provide a connection for user input through a keyboard, a mouse, and/or other suitable devices.
The input/output unit 108 may provide outputs to, for example, a printer.
[0048] Communications module 110 enables communications with other data processing systems or devices. The communications module 110 may provide communications through the use of either or both physical and wireless communications links.
[0049] Instructions for the applications and/or programs may be located in the one or more memory units 106, which are in communication with processor unit 104 through communications fabric 102. Computer-implementable instructions may be in a functional form on persistent storage in the memory unit(s) 106, and may be performed by processor unit 104.
[0050] These instructions are referred to as program code, computer usable program code, or computer-readable program code that may be read and executed by a processor in processor unit 104. The program code in the different embodiments may be embodied on different physical or tangible computer-readable media.
[0051] In Figure 1, computer-readable instructions / program code 116 is located in a functional form on computer-readable storage medium 114 that is selectively removable and may be loaded onto or transferred to computing device 100 for execution by processor unit(s) 104. A computer-readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or any suitable combination thereof.
[0052] Alternatively, computer-readable instructions 116 may be transferred to computing device 100 from computer-readable storage medium 114 through a communications link to communications module 110 and/or through a connection to input/output unit 108. The communications link and/or the connection may be physical or wireless.
[0053] In some illustrative embodiments, computer-implementable instructions 116 may be downloaded over a network to the memory unit(s) 106 from a remote device for use with computing device 100. For instance, computer-implementable instructions stored in a remote server may be downloaded over a network from the server to the device 100.
[0054] The skilled person would appreciate that the architecture described above in relation to Figure 1 is not intended to provide limitations on the computing devices with which the methods described herein may be implemented. Instead, the skilled person would appreciate that other architectures may be applied. For example, the computing device may include more or fewer components.
[0055] While the example above indicates a software-driven implementation of components of the invention by a more general-purpose processor such as a CPU core based on program logic stored in a memory, in alternative embodiments, certain components of the invention may be partly embedded as pre-configured electronic systems or embedded controllers and circuits embodied as programmable logic devices, using, for example, application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs), which may be partly configured by embedded software or firmware.
[0056] For many practical purposes, random numbers are desirable, and in particular random numbers from an unbiased distribution. One option is to use a pseudorandom number generator (PRNG), also known as a deterministic random bit generator. A PRNG is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers, and can be used to generate a sequence of numbers whose properties approximate the binary uniform distribution. However, a PRNG-generated sequence is not truly random as it is completely determined by an initial seed value, and this may not be suitable for many use cases.
[0057] Another option is to use a physical random number generator. A physical random number generator generates a random number sequence based on a physical process as opposed to a pseudo-random / deterministic algorithm. Such stochastic processes may be based on any suitable random process such as statistically random noise or quantum uncertainty.
[0058] However, random events derived from a given randomness source are often not uniformly distributed, and accordingly one outcome is often more likely to occur than another, which is unsuitable for some purposes. Moreover, random outcomes can often take an arbitrary number of values. A process of "randomness extraction" is therefore desirable to extract uniformly distributed random bits.
[0059] In what follows, methods for extracting an unbiased sequence from a random sequence are described. Hardware implementations are also described.
[0060] A sequence is an ordered set. For a sequence $X = (x_1, x_2, x_3, \dots, x_{|X|})$, the length / cardinality is denoted by $|X|$. The i-th element of X is $x_i$, where $1 \le i \le |X|$. The domain / alphabet of X is another sequence $\mathbb{X} = (\hat{x}_1, \hat{x}_2, \hat{x}_3, \dots, \hat{x}_{|\mathbb{X}|})$, defining the possible symbols in X, where $|\mathbb{X}| > 0$. For example, with a sequence of coin tosses, the sequence X would consist of elements having value Heads and elements having value Tails, and the alphabet size $|\mathbb{X}|$ is two.
[0061] The frequency of the symbol $\hat{x}_i \in \mathbb{X}$ in X is denoted $F(\hat{x}_i)$, where $0 \le F(\hat{x}_i) \le |X|$ and $\sum_i F(\hat{x}_i) = |X|$.
[0062] The probability of the symbol $\hat{x}_i \in \mathbb{X}$ in X is denoted $P(\hat{x}_i)$, where $0 \le P(\hat{x}_i) \le 1$ and $\sum_i P(\hat{x}_i) = 1$.
[0063] A sequence X defines a probability distribution having a probability mass function given by $P(\hat{x}_i) = F(\hat{x}_i) / |X|$.
[0064] A sequence X may also be derived from another probability distribution, in which case, if X has finite length, it may not necessarily be exactly described by the probability distribution from which it is derived (that is, the relationship between $P(\hat{x}_i)$ and $F(\hat{x}_i)$ described above may not hold exactly). When a sequence is derived from another probability distribution, the relationship between $P(\hat{x}_i)$ and $F(\hat{x}_i)$ is given by the strong law of large numbers, $\lim_{|X| \to \infty} F(\hat{x}_i) / |X| = P(\hat{x}_i)$.
[0065] That is, as the length $|X|$ of sequence X tends to infinity, it becomes increasingly accurately described by the probability distribution from which it is derived.
[0066] A random sequence is a sequence comprising statistically independent elements. A randomness extraction function $\psi$ is a deterministic function that extracts a random sequence Z, described by an arbitrary probability distribution, from another random sequence X also described by an arbitrary probability distribution, $\psi(X) = Z$.
[0067] A randomness extraction function may be thought of as a function that conserves randomness. As a randomness extraction function is completely deterministic, the extracted sequence Z will be perfectly correlated with the input sequence X: given X and $\psi$ it is possible to predict with absolute certainty the sequence Z extracted from sequence X. Consequently, for any random number generator employing a randomness extractor $\psi$, which itself need not be kept secret, the random sequence X derived from the randomness source should preferably not be output from the random number generator before the sequence Z has been extracted from it, so that an adversary possesses no information that can be used to decrease the unpredictability of its output.
[0068] To maximise the unpredictability of the extracted sequence Z, it is commonly described by the uniform distribution, typically the binary ($|\mathbb{Z}| = 2$) uniform distribution. In the case where both the input and extracted alphabet sizes are equivalent ($|\mathbb{X}| = |\mathbb{Z}|$), a randomness extraction function may be referred to as an unbiasing function or unbiasing algorithm.
[0069] The randomness extraction methods described herein are applicable for input alphabet sizes greater than or equal to two ($|\mathbb{X}| \ge 2$) and an output alphabet size equal to two ($|\mathbb{Z}| = 2$).
[0070] The extraction rate $\phi$ is defined as the ratio of the length $|Z|$ of the extracted sequence Z to the length $|X|$ of the input sequence X, $\phi = |Z| / |X|$, and corresponds to the mean number of symbols extracted per symbol of the input sequence.
[0071] The extraction rate $\phi$ has an information-theoretic upper limit, $\phi \le H_2(X)$, where $H_2(X)$ corresponds to the binary Shannon entropy of the input sequence X, which is given by $H_2(X) = -\sum_i P(\hat{x}_i) \log_2 P(\hat{x}_i)$ and is expressed in units of bits. The extraction efficiency, $\eta$, of an application of a randomness extraction function is given by $\eta = \phi / H_2(X) = |Z| / (|X| \, H_2(X))$.
[0072] The binary Shannon entropy of the input sequence X defines a maximum number of random bits that may be extracted per symbol of input sequence X. If the limit is exceeded, then by definition correlation will be introduced in the extracted sequence Z. The binary Shannon entropy of the input sequence X is maximised if and only if each symbol of the alphabet $\mathbb{X}$ is equally probable (that is, the sequence X is described by a uniform distribution). In other words, of all discrete probability distributions, the uniform distribution is the one with maximum binary Shannon entropy. In contrast, the minimum value of the binary Shannon entropy ($H_2(X) = 0$) arises if and only if one of the symbols of the alphabet $\mathbb{X}$ has unity probability. The binary Shannon entropy accordingly acts as a measure of the uniformity of a probability distribution: the more uniform the probability distribution is, the nearer its binary Shannon entropy will be to its maximum possible value. The binary Shannon entropy also acts as a measure of the unpredictability of a randomness source: the more unpredictable the random source is, the higher its binary Shannon entropy.
[0073] A randomness extraction function is said to be "asymptotically optimal" if it satisfies the limit $\lim_{|X| \to \infty} \mathbb{E}[\eta] = 1$, where $\mathbb{E}[\eta]$ represents the expected value of the extraction efficiency of the randomness extraction function. As the length $|X|$ of an input sequence X tends to infinity, the expected value of the extraction efficiency of an asymptotically optimal randomness extraction function $\psi$ tends to 1. The unbiasing function of Peres [Y. Peres, Ann. Stat., vol. 20, no. 1, pp. 590-597 (1992)] is known to be asymptotically optimal, while the unbiasing function of von Neumann [J. von Neumann, Nat. Bur. Stand. Appl. Math. Ser., vol. 12, pp. 36-38 (1951)] is not asymptotically optimal.
[0074] An asymptotically optimal randomness extraction process $\psi$ will now be described, with reference to Figures 2 and 3, that extracts a sequence Z of random bits ($|\mathbb{Z}| = 2$) described by a substantially uniform distribution, from a sequence X of random symbols taken from an alphabet of size greater than or equal to two ($|\mathbb{X}| \ge 2$). The method is performable by one or more processing unit(s), or dedicated portions thereof, of a computing device such as device 100 of Figure 1.
[0075] Referring to Figure 2, at 210, the method 200 comprises receiving a random sequence X, each element of the random sequence independently generated from a random distribution. That is, each element of the random sequence is generated from a probability distribution and is statistically independent from all other elements of the random sequence.
[0076] For example, processor unit(s) 104 of computing device 100 may receive the random sequence from a source external to the device 100 via input/output unit 108 or communication module 110. Alternatively, the processor unit(s) 104 of computing device 100 may receive the random sequence from a source internal to the computing device 100, for example from a hardware-based random number source connected to the communications fabric 102 or intrinsic to the one or more processing unit(s) 104 itself/themselves. That is, the computing device 100 may further comprise a random number source for generating the random number sequence.
[0077] At 220, the method 200 comprises applying a recursive or iterative procedure to X as an input sequence (denoted IN). All recursive sequences can be described by iterative processes. An example recursive or iterative procedure 300 will be described in relation to Figure 3.
[0078] At 310, the method 300 comprises identifying, from the input sequence IN = X, one or more pairs of integers, each pair comprising a first value and a second value.
[0079] If the alphabet of the input sequence IN comprises non-integer symbols, then each symbol can be replaced with an integer value. For example, if IN = X is a sequence of non-integer symbols, then the sequence can be converted to an integer sequence by assigning the first distinct symbol the value 1, the second the value 2, the third the value 3, and so on.
[0080] If the length of IN, denoted $|IN|$, is odd (i.e. IN comprises an odd number 2N + 1 of elements), then the input sequence is converted to an even-length sequence (2N elements). Converting the input sequence to an even-length sequence may be achieved in any suitable way, such as by removing an element and storing it for later use, or by discarding an element from the input sequence altogether. It does not matter which element is removed from the input sequence. In other examples, converting the input sequence to an even-length sequence may be achieved by adding an element, such as an element removed from a previous sequence in a previous iteration/recursive step.
[0081] Identifying one or more pairs of integers may be performed in any way. For example, the first element of IN (denoted $IN_1$) may be paired with the second element of IN (denoted $IN_2$), the third element of IN (denoted $IN_3$) may be paired with the fourth element of IN (denoted $IN_4$) and so on. In another example, the first element of IN (denoted $IN_1$) may be paired with the last element of IN (denoted $IN_{2N}$), the second element of IN (denoted $IN_2$) may be paired with the penultimate element of IN (denoted $IN_{2N-1}$) and so on. Accordingly, each pair comprises a first value and a second value: the jth pair is denoted $(a_j, b_j)$, where $a_j$ denotes the first value of the jth pair and $b_j$ denotes the second value of the jth pair.
[0082] At 320, the method 300 comprises generating an "ordering sequence", denoted $\sigma$. Each element $\sigma_i$ of the ordering sequence is determined from a corresponding pair $(a_j, b_j)$ of the one or more pairs for which the first value $a_j$ is not equal to the second value $b_j$. For pairs for which the first value $a_j$ is equal to the second value $b_j$, there is no corresponding element of the ordering sequence $\sigma$. That is, the length of the ordering sequence $|\sigma|$ may be less than the number of pairs N identified from sequence IN (which is why the subscript i has been used for an element of $\sigma$ instead of the subscript j).
[0083] Each element $\sigma_i$ of the ordering sequence $\sigma$ comprises a binary output based on a comparison of the first value $a_j$ to the second value $b_j$. In one example, if the first value $a_j$ is greater than the second value $b_j$ then the corresponding element $\sigma_i$ is set to 1, while if the first value $a_j$ is less than the second value $b_j$ then the corresponding element $\sigma_i$ is set to 0. In another example, if the first value $a_j$ is greater than the second value $b_j$ then the corresponding element $\sigma_i$ is set to 0, while if the first value $a_j$ is less than the second value $b_j$ then the corresponding element $\sigma_i$ is set to 1. As it is assumed that each element of X is independent, it follows that each element of IN is independent, and so the probability that the first value $a_j$ is greater than the second value $b_j$ is equal to the probability that the first value $a_j$ is less than the second value $b_j$. The ordering sequence $\sigma$ can accordingly be used as the basis for building a uniformly distributed binary output sequence from a non-uniform distribution.
[0084] At 330, the method 300 comprises generating a "difference sequence", denoted $\Delta$. Each element $\Delta_j$ of the difference sequence is determined from a corresponding pair $(a_j, b_j)$ of the one or more pairs, each element of the difference sequence comprising an absolute difference of the first value $a_j$ and the second value $b_j$. That is, $\Delta_j = |a_j - b_j|$, and the length of the difference sequence $|\Delta|$ is equal to the number of pairs N identified from sequence IN.
[0085] At 340, the method 300 comprises generating an "ordinal sequence", denoted $\alpha$. Each element $\alpha_i$ of the ordinal sequence is determined from a corresponding pair $(a_j, b_j)$ of the one or more pairs for which the first value is equal to the second value ($a_j = b_j$). For pairs for which the first value $a_j$ is not equal to the second value $b_j$, there is no corresponding element of the ordinal sequence $\alpha$. That is, the length of the ordinal sequence $|\alpha|$ may be less than the number of pairs N identified from sequence IN.
[0086] Each element $\alpha_i$ of the ordinal sequence $\alpha$ comprises the first value $a_j$ (or second value $b_j$) of the corresponding pair $(a_j, b_j)$.
[0087] At 350, the method 300 comprises generating extremum sequences as required. Specifically, for each integer t greater than or equal to one and less than the size of the alphabet of the random sequence minus one (that is, $1 \le t \le |\mathbb{X}| - 2$), a respective extremum sequence, denoted $\varepsilon^{(t)}$, is generated. Each element $\varepsilon_i^{(t)}$ of a respective extremum sequence $\varepsilon^{(t)}$ is determined from a corresponding pair $(a_j, b_j)$ of the one or more pairs for which the absolute difference of the first value $a_j$ and the second value $b_j$ is equal to the integer t, i.e. $|a_j - b_j| = t$.
[0088] Each element $\varepsilon_i^{(t)}$ of the respective extremum sequence $\varepsilon^{(t)}$ comprises an extremum of the first value and the second value. In some examples, each element $\varepsilon_i^{(t)}$ of the extremum sequence $\varepsilon^{(t)}$ may comprise a maximum of the corresponding first value and second value. In some examples, each element $\varepsilon_i^{(t)}$ of the extremum sequence $\varepsilon^{(t)}$ may comprise a minimum of the corresponding first value and second value. In some examples, each element $\varepsilon_i^{(t_1)}$ of a first extremum sequence $\varepsilon^{(t_1)}$ may be derived from a maximum value, while each element $\varepsilon_i^{(t_2)}$ of a second extremum sequence $\varepsilon^{(t_2)}$ may be derived from a minimum value.
[0089] The skilled person would appreciate that each of steps 320, 330, 340 and 350 may be performed in any order or even at the same time.
[0090] At step 360, the method 300 comprises applying the method 300 to each of the generated difference sequence $\Delta$, the generated ordinal sequence $\alpha$, and each of the generated extremum sequences $\varepsilon^{(t)}$ when the given sequence comprises at least two elements, or until another halting condition is met. For example, when $\Delta$ comprises at least two elements then one can identify at 310, from the input sequence IN = $\Delta$, at least one pair of integers and progress through steps 320, 330, 340 and 350 to produce a second ordering sequence, a second difference sequence, a second ordinal sequence and further extremum sequences. The method 300 may then be applied (step 360) to that second difference sequence, second ordinal sequence, and further extremum sequences in turn to generate further sequences. That is, the method 300 is a recursive process.
[0091] The recursive process 300 may halt, for example, when there are no further sequences to apply the process 300 to as an input sequence, or when a predetermined limit on recursion depth is met.
[0092] In all cases, the ordering sequences ($\sigma$) are stored. The order in which each generated sequence (subsequence) is fed into the process 300 is not important.
[0093] Returning again to Figure 2, once the recursive or iterative procedure has been applied to the random sequence X, at 230, the method 200 comprises generating an output binary sequence Z comprising a combination of the ordering sequences ($\sigma$) generated using said recursive or iterative procedure. For example, the output binary sequence may be further processed by the one or more processor unit(s) in downstream data processing, or may be communicated via the input/output unit 108, the communication module 110, or the visual display 112.
[0094] In some examples, combining the ordering sequences output by the recursive or iterative procedure comprises interleaving the ordering sequences. This is particularly useful for real-time generation of unbiased random numbers from a streamed random sequence. If the random sequence X is received (step 210) for example as a time-ordered data stream, then the recursion/iteration of Figure 3 may be applied dynamically and the ordering sequences may be generated dynamically. The ordering sequences may be combined dynamically by interleaving them as they are generated, in order to dynamically generate an output sequence Z.
[0095] In some examples, the combination of ordering sequences comprises a concatenation of ordering sequences. The order of the concatenation of ordering sequences does not matter. For example, a random sequence X, processed using the method 300, may lead to five ordering sequences $\sigma_A, \sigma_B, \sigma_C, \sigma_D, \sigma_E$ generated from the method 300 by applying respectively IN = X, IN = $\Delta[X]$, IN = $\alpha[X]$, IN = $\varepsilon^{(1)}[X]$, IN = $\alpha[\Delta[X]]$, where $\Delta[X]$ denotes the difference sequence $\Delta$ generated at step 330 when the input sequence is IN = X, $\alpha[\Delta[X]]$ denotes the ordinal sequence $\alpha$ generated at step 340 when the input sequence is that difference sequence, IN = $\Delta[X]$, and so on. The output binary sequence Z may be defined as the concatenation $Z = \sigma_A \oplus \sigma_B \oplus \sigma_C \oplus \sigma_D \oplus \sigma_E$, where $\oplus$ denotes concatenation. Alternatively, the output binary sequence Z may be defined as the concatenation $Z = \sigma_A \oplus \sigma_B \oplus \sigma_E \oplus \sigma_C \oplus \sigma_D$ or some other ordering. The ordering of the concatenation does not matter.
[0096] The person skilled in the art would appreciate that the difference sequences, ordinal sequences, and extremum sequences may be provided to the recursive procedure as an input sequence in any convenient order.
[0097] It will be appreciated that a method such as that described in Figures 2 and 3 may be defined as a recursive function $\psi$. For an input sequence IN of even length, with $\oplus$ denoting combination, N denoting the number of pairs of integers identified in the input sequence IN, and $a_j$ and $b_j$ denoting respectively the first value and second value of the jth pair, one may define:
$\sigma[IN] = \bigoplus_{j=1}^{N} \sigma(a_j, b_j)$
$\Delta[IN] = \bigoplus_{j=1}^{N} \Delta(a_j, b_j)$
$\alpha[IN] = \bigoplus_{j=1}^{N} \alpha(a_j, b_j)$
$\varepsilon^{(t)}[IN] = \bigoplus_{j=1}^{N} \varepsilon^{(t)}(a_j, b_j)$
Using $\Lambda$ to denote a null output where nothing is generated, and defining $\psi[\Lambda] = \sigma[\Lambda] = \Delta[\Lambda] = \alpha[\Lambda] = \varepsilon^{(t)}[\Lambda] = \Lambda$, the ordering function $\sigma(a_j, b_j)$ may be more formally defined as:
$\sigma(a_j, b_j) = \begin{cases} 1 & \text{if } a_j < b_j \\ 0 & \text{if } a_j > b_j \\ \Lambda & \text{if } a_j = b_j \end{cases}$
(of course, the 0 and 1 may be swapped). Similarly, the difference function, ordinal function, and extremum functions may be more formally defined as:
$\Delta(a_j, b_j) = |a_j - b_j|$
$\alpha(a_j, b_j) = \begin{cases} a_j & \text{if } a_j = b_j \\ \Lambda & \text{otherwise} \end{cases}$
$\varepsilon^{(t)}(a_j, b_j) = \begin{cases} \min(a_j, b_j) & \text{if } |a_j - b_j| = t \\ \Lambda & \text{otherwise} \end{cases}$
(of course, the maximum function $\max(a_j, b_j)$ may be used in place of the minimum function $\min(a_j, b_j)$, and one may use a maximum function for one value of integer t while using a minimum function for another value of integer t).
[0098] The recursive function may then be defined as:
$\psi[IN] = \sigma[IN] \oplus \psi[\Delta[IN]] \oplus \psi[\alpha[IN]] \oplus \bigoplus_{t=1}^{|\mathbb{X}|-2} \psi[\varepsilon^{(t)}[IN]]$
[0099] The recursive function $\psi$ takes an input sequence, which may be a random sequence X with an alphabet size greater than or equal to two, and outputs a sequence of unbiased random bits.
[0100] The skilled person will appreciate that the recursive process may be applied to an input sequence as a recursion, or that an iterative procedure may be used to implement the recursion. The skilled person would also appreciate that the order of the concatenation does not matter.
[0101] Figure 4 shows the effects of the difference function, ordering function, ordinal function and extremum functions on pairs of values from an alphabet of size three. Figure 5 shows the effects of the difference function, ordering function, ordinal function and extremum functions on pairs of values from an alphabet of size four.
[0102] An example of the methods of Figures 2 and 3 will now be described with reference to a particular sequence taken from an alphabet of size four. This particular sequence is denoted $X_{example}$ and is given by $X_{example} = \{0,3,1,2,1,2,2,2,3,3,2,0,0,0,1,1,3,2,3,1\}$.
[0103] The sequence $X_{example}$ is received (see 210 of Figure 2) and provided to an iterative or recursive procedure as an input sequence IN (see 220 of Figure 2).
[0104] A plurality of pairs of integers are identified from the input sequence. In this example, for any input sequence IN having an odd number of elements, the first element in the sequence is removed to provide an even-length sequence. Of the even-length sequence, the first element "0" is paired with the second element "3", the third element "1" is paired with the fourth element "2", the fifth element "1" is paired with the sixth element "2" and so on.
[0105] An ordering sequence (denoted $\sigma_A$) is generated as described above in relation to Figure 3 (see 320). A difference sequence (denoted $\Delta_A$), an ordinal sequence (denoted $\alpha_A$), and two extremum sequences (denoted $\varepsilon_A^{(1)}$ and $\varepsilon_A^{(2)}$ respectively) are generated also as described above in relation to Figure 3 (see 330-350). Figure 6 shows a table of the elements of each of the generated sequences for this particular example, with $\Lambda$ used to denote an empty string. In particular, $\sigma_A = \{1,1,1,0,0,0\}$; $\Delta_A = \{3,1,1,0,0,2,0,0,1,2\}$; $\alpha_A = \{2,3,0,1\}$; $\varepsilon_A^{(1)} = \{1,1,2\}$; $\varepsilon_A^{(2)} = \{0,1\}$.
[0106] The order in which difference, ordinal, and extremum sequences are provided to the iterative/recursive procedure in this present example is indicated in Figure 7. Except for the ordering sequences, only those subsequences that comprise two or more elements are indicated. As can be seen, the recursion/iteration can be illustrated as a tree-like structure.
[0107] The generated difference sequence $\Delta_A$ has a length greater than or equal to two, and accordingly is provided to the iterative/recursive procedure as an input sequence. A second ordering sequence (denoted $\sigma_B$) is generated as described above in relation to Figure 3 (see 320). A second difference sequence (denoted $\Delta_B$), a second ordinal sequence (denoted $\alpha_B$), and two extremum sequences (denoted $\varepsilon_B^{(1)}$ and $\varepsilon_B^{(2)}$ respectively) are generated also (see 330-350 of Figure 3). In particular, $\sigma_B = \{0,0,1,1\}$; $\Delta_B = \{2,1,2,0,1\}$; $\alpha_B = \{0\}$; $\varepsilon_B^{(1)} = \{0,1\}$; $\varepsilon_B^{(2)} = \{1,0\}$.
[0108] The generated sequence $\Delta_B$ has a length greater than or equal to two, and accordingly is provided to the iterative/recursive procedure as an input sequence. A third ordering sequence (denoted $\sigma_C$) is generated as described above in relation to Figure 3 (see 320). A third difference sequence (denoted $\Delta_C$), a third ordinal sequence (denoted $\alpha_C$), and two extremum sequences (denoted $\varepsilon_C^{(1)}$ and $\varepsilon_C^{(2)}$ respectively) are generated also (see 330-350 of Figure 3). In particular, $\sigma_C = \{1,1\}$; $\Delta_C = \{1,1\}$; $\alpha_C = \{\Lambda\}$; $\varepsilon_C^{(1)} = \{1,0\}$; $\varepsilon_C^{(2)} = \{\Lambda\}$.
[0109] The generated difference sequence $\Delta_C$ has a length greater than or equal to two, and accordingly is provided to the iterative/recursive procedure as an input sequence, giving rise to: $\sigma_D = \{\Lambda\}$; $\Delta_D = \{0\}$; $\alpha_D = \{1\}$; $\varepsilon_D^{(1)} = \{\Lambda\}$; $\varepsilon_D^{(2)} = \{\Lambda\}$.
[0110] None of $\Delta_D$, $\alpha_D$, $\varepsilon_D^{(1)}$, or $\varepsilon_D^{(2)}$ comprises two or more elements, and accordingly no further subsequences can be generated from them. As can be seen in Figure 7, a leaf node of the tree-like structure has been reached. The generated extremum sequence $\varepsilon_C^{(1)} = \{1,0\}$ is next provided to the iterative/recursive procedure and leads to the ordering sequence $\sigma_E = \{0\}$, but once again a leaf node has been reached on the tree-like structure, and so the next sequence provided to the iterative/recursive process is $\varepsilon_B^{(1)}$.
[0111] The process continues in this way until no further subsequences are suitable for providing to the iterative/recursive process. At this stage, in this particular example, the ordering sequences generated are given by: $\sigma_A = \{1,1,1,0,0,0\}$; $\sigma_B = \{0,0,1,1\}$; $\sigma_C = \{1,1\}$; $\sigma_D = \{\Lambda\}$; $\sigma_E = \{0\}$; $\sigma_F = \{1\}$; $\sigma_G = \{0\}$; $\sigma_H = \{1,1\}$; $\sigma_I = \{\Lambda\}$; $\sigma_J = \{0\}$; $\sigma_K = \{1\}$; $\sigma_L = \{1\}$.
[0112] The ordering sequences are combined (in this example concatenated) to provide an output string $Z_{example}$. As described above, the ordering of the concatenation does not matter.
In this particular example, the output string is given by $Z_{example} = \sigma_A \oplus \sigma_B \oplus \dots \oplus \sigma_L$.
[0113] It has accordingly been demonstrated that an efficient method of randomness extraction may be implemented. Advantageously, such a method of randomness extraction is asymptotically optimal and easy to expand to alphabets of any size. Such randomness extraction methods are also implementable in hardware, as will now be described, giving rise to further advantages.
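The recursion of Figure 3 and the function ψ of [0097]-[0098] in batch form, as an added Python example that is not the patent's own code. It follows the conventions of the worked example in [0102]-[0112] (an odd-length input drops its first element, adjacent elements are paired, σ = 1 when the first value is less than the second, min as the extremum function, children visited in the order Δ, α, ε(1), ..., ε(K-2)), reproduces the twelve ordering sequences σ_A to σ_L, evaluates H2 and η from [0071], and runs a constructed biased-source check; `X_EXAMPLE` is the page's sequence, while `biased_source_check`, its seed and the depth-limit option are assumptions of this example.

```python
"""Batch form of the recursive randomness extractor psi of Figures 2 and 3.

Added example, not the patent's own code. Conventions follow the worked
example of [0102]-[0112]: an odd-length input drops its first element,
adjacent elements are paired, sigma(a, b) = 1 if a < b and 0 if a > b,
the extremum function is min, and child sequences are recursed into in
the order Delta, alpha, eps1, ..., eps(K-2) for an alphabet of size K.
"""
from collections import Counter
from math import log2
from random import Random
from typing import Dict, List, Optional, Tuple


def pair_up(seq: List[int]) -> List[Tuple[int, int]]:
    """Step 310: pair adjacent elements; an odd-length sequence loses its first element."""
    if len(seq) % 2:
        seq = seq[1:]
    return list(zip(seq[0::2], seq[1::2]))


def child_keys(alphabet_size: int) -> List[str]:
    """Names of the sequences a step feeds back into the recursion, in recursion order."""
    return ["Delta", "alpha"] + [f"eps{t}" for t in range(1, alphabet_size - 1)]


def step(seq: List[int], alphabet_size: int) -> Dict[str, List[int]]:
    """Steps 320-350: ordering (sigma), difference (Delta), ordinal (alpha)
    and extremum (eps t, 1 <= t <= K-2) sequences derived from the pairs of seq."""
    out: Dict[str, List[int]] = {"sigma": []}
    for key in child_keys(alphabet_size):
        out[key] = []
    for a, b in pair_up(seq):
        d = abs(a - b)
        out["Delta"].append(d)                    # Delta(a, b) = |a - b|, always produced
        if a == b:
            out["alpha"].append(a)                # alpha(a, b) = a when a == b
        else:
            out["sigma"].append(1 if a < b else 0)  # sigma(a, b); P(a<b) == P(a>b) for independent a, b
            if d <= alphabet_size - 2:            # eps(t) is only defined for t <= K-2
                out[f"eps{d}"].append(min(a, b))
    return out


def extract(seq: List[int], alphabet_size: int,
            depth_limit: Optional[int] = None) -> List[List[int]]:
    """Step 360: apply step() recursively and return every ordering sequence,
    depth-first, in the order the worked example labels them A..L.
    Recursion halts on sequences shorter than two, or beyond depth_limit ([0091])."""
    orderings: List[List[int]] = []

    def recurse(s: List[int], depth: int) -> None:
        if len(s) < 2 or (depth_limit is not None and depth > depth_limit):
            return
        r = step(s, alphabet_size)
        orderings.append(r["sigma"])
        for key in child_keys(alphabet_size):
            recurse(r[key], depth + 1)

    recurse(seq, 1)
    return orderings


def psi(seq: List[int], alphabet_size: int) -> List[int]:
    """psi[X] of [0098]: the concatenation of all ordering sequences."""
    return [bit for sigma in extract(seq, alphabet_size) for bit in sigma]


def binary_entropy(seq: List[int]) -> float:
    """H2(X) of [0071], computed from the symbol frequencies F(x)/|X|."""
    n = len(seq)
    return -sum(c / n * log2(c / n) for c in Counter(seq).values())


def efficiency(seq: List[int], alphabet_size: int) -> float:
    """eta = |Z| / (|X| * H2(X)) of [0071]."""
    return len(psi(seq, alphabet_size)) / (len(seq) * binary_entropy(seq))


def biased_source_check(n: int, p_one: float, seed: int = 1234) -> Tuple[int, float]:
    """Constructed check (not from the patent): feed n independent but biased
    binary symbols with P(1) = p_one and report how many bits came out and the
    fraction of ones among them. The output is unbiased only because the input
    symbols are independent; a source with correlated symbols violates [0083]."""
    rng = Random(seed)
    x = [1 if rng.random() < p_one else 0 for _ in range(n)]
    z = psi(x, alphabet_size=2)
    return len(z), sum(z) / len(z)


# Sequence X_example of [0102]; its alphabet is {0, 1, 2, 3}, so K = 4.
X_EXAMPLE = [0, 3, 1, 2, 1, 2, 2, 2, 3, 3, 2, 0, 0, 0, 1, 1, 3, 2, 3, 1]

if __name__ == "__main__":
    for label, sigma in zip("ABCDEFGHIJKL", extract(X_EXAMPLE, 4)):
        print(f"sigma_{label} = {sigma}")
    print("Z_example =", "".join(map(str, psi(X_EXAMPLE, 4))))
    print(f"H2 = {binary_entropy(X_EXAMPLE):.4f} bits, eta = {efficiency(X_EXAMPLE, 4):.4f}")
    print("biased source, P(1) = 0.9:", biased_source_check(20000, 0.9))
```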
[0114] Figure 8 illustrates a randomness extractor 800. The randomness extractor 800 comprises circuitry for extracting an unbiased binary sequence from a random sequence with an alphabet size less than or equal to three, and may be used to extract an unbiased binary sequence from a received time-ordered random sequence. For example, the randomness extractor may be used for extracting a random binary sequence from a streamed random sequence, i.e. substantially in real time. The skilled person will appreciate that many variations on the architecture of Figure 8 may be utilised, and that further or fewer components may be used.
[0115] Referring to Figure 8, the randomness extractor comprises recursion logic 810. A first layer of recursion (880) comprises one instantiation of recursion logic 810, a second layer of recursion (885) comprises three instantiations of recursion logic 810, and a third layer of recursion (890) comprises nine instantiations of recursion logic 810. While the randomness extractor 800 of Figure 8 has a recursion depth of three (three layers of recursion), the randomness extractor may comprise further layers of recursion. Furthermore, as will be appreciated by the skilled person, the number of instantiations of recursion logic 810 in each layer of recursion may be greater than that shown in the figure, especially when larger alphabet sizes and hence further fourth subcircuits are used.
[0116] Recursion logic 810 comprises a dedicated memory unit 820. The memory unit 820 is configured to store two values of the received random sequence and may comprise, for example, a data buffer. For example, if a first value x1 is received at time t then this may be stored in the memory (denoted as a in Figure 8). A second value x2 is received at time t+1 and may be stored in the memory 820 (denoted as b in Figure 8). While memory unit 820 is shown to hold two received elements in Figure 8, the skilled person would appreciate that the memory unit 820 may operate differently. For example, the memory unit may store only one element received at time t and may not store the next element received at time t+1, instead passing the two elements to the subcircuits of the recursion logic 810 as soon as the latter element is received. Alternatively, the memory unit 820 may be configured to store further elements of the random sequence.
[0117] Once the memory unit 820 contains a pair of elements of the incoming random sequence, the two elements are processed by the subcircuits 830, 840, 850, 860 of the recursion logic 810.
[0118] Recursion logic 810 further comprises first subcircuit 830. The first subcircuit 830 is configured to receive a first value and a second value, and configured to output a binary value based on comparing the first and second values. When the memory 820 contains two values, the first subcircuit 830 may compare the first value to the second value and, if the first value is greater than the second value, output a first binary value (e.g. 1) and if the first value is less than the second value, output a second binary value (e.g. 0). If the first value is equal to the second value, then the first subcircuit 830 does not output a binary value.
[0119] Recursion logic 810 further comprises a second subcircuit 840. The second subcircuit is configured to receive a first value and a second value. The second subcircuit is further configured to output an absolute difference of the first and second values. When the memory 820 contains two values, the second subcircuit may output the absolute difference of the two values.
[0120] Recursion logic 810 further comprises a third subcircuit 850. The third subcircuit 850 is configured to receive a first value and output the first value on the condition that the first value is equal to the second value. For example, the third subcircuit 850 of Figure 8 may be configured to directly compare the first value to the second value and to output the first value only if the first value is equal to the second value. Alternatively, the third subcircuit may be configured to receive a signal from the second subcircuit when the absolute difference of the first and second values is equal to zero, and to output the first value (or second value) accordingly. Alternatively, the comparison of the first value to the second value may take place elsewhere in the recursion logic, and the third subcircuit may simply output the first value (or second value) accordingly.
[0121] Recursion logic 810 further comprises a fourth subcircuit 860. The fourth subcircuit is configured to receive a first value and a second value. The fourth subcircuit 860 is further configured to output a maximum or a minimum of the first and second values. In particular, the fourth subcircuit 860 of Figure 8 is configured to output a maximum or a minimum of the first and second values stored in memory 820 on the condition that the absolute difference between the first and second values is equal to one.
[0122] Each recursion logic instantiation 810 of Figure 8 comprises a single instantiation of the fourth subcircuit 860, conditioned to produce an output when the absolute difference of the first and second values is equal to one, and accordingly the randomness extractor 800 of Figure 8 is suitable for use with a received sequence of alphabet size 3 or less. The skilled person would appreciate that, for larger alphabet sizes, each recursion logic instantiation may comprise further fourth subcircuits, configured to output a maximum or minimum of the first and second values stored in memory 820 on the condition that the absolute difference between the first and second values is a different value, for example 2. For example, to handle an alphabet of size 4, the recursion logic instantiation 810 may comprise two instantiations of fourth subcircuit 860, the first arranged to produce an output when the absolute difference between the first and second values is equal to one, and the second arranged to produce an output when the absolute difference between the first and second values is equal to two.
[0123] The outputs from the second subcircuit 840, third subcircuit 850, and fourth subcircuit 860 are provided into instantiations of the recursion logic 810 of the second layer 885. In turn, the outputs from the instantiations of the recursion logic 810 of the second layer 885 are passed to respective instantiations of the recursion logic 810 of the third layer 890.
[0124] The outputs from the first subcircuit 830 of each instantiation of the recursion logic 810 are provided to combination subcircuit 870. The combination subcircuit is configured to combine binary values output from the one or more first subcircuits 830. The combination circuitry may comprise interleaver circuitry for interleaving the outputs received from the first subcircuit 830 of each instantiation. Accordingly, the combination subcircuit may output a stream of unbiased random bits.
[0125] As will be appreciated by the skilled person, while only one combination subcircuit is shown in Figure 8, further such circuits may be utilised in other examples.
[0126] Each instantiation of recursion logic 810 is accordingly configured to receive (identify) a first integer value and a second integer value. Each instantiation of recursion logic 810 is further configured to generate, using the first subcircuit 830, an element of an ordering sequence if the first value is not equal to the second value. The instantiation of the recursion logic 810 is further configured to generate, using the second subcircuit 840, an element of a difference sequence, the element of the difference sequence comprising an absolute difference of the first value and the second value. The instantiation of the recursion logic 810 is further configured to generate, using the third subcircuit 850, an element of an ordinal sequence if the first value is equal to the second value, the element of the ordinal sequence comprising the first value (or second value). The instantiation of the recursion logic 810 is further configured to generate, using the fourth subcircuit 860, a maximum (or minimum) of the first value and the second value on the condition that the absolute difference between the first and second values is equal to one.
[0127] If the first value is not equal to the second value then the first subcircuit 830 outputs a binary value to the combination subcircuit 870. The output of the second subcircuit 840 is provided as input to a first instantiation of recursion logic 810 of the second recursion layer 885. The output, if there is an output, of the third subcircuit 850 is provided as input to a second instantiation of recursion logic 810 of the second recursion layer 885. The output, if there is an output, of the fourth subcircuit 860 is provided as input to a third instantiation of the recursion logic of the second recursion layer 885. Outputs from the first subcircuits of the second layer are provided to the combination subcircuit 870. Outputs from the second, third and fourth subcircuits of the second layer 885 are provided to further instantiations of recursion logic 810 in a third layer of recursion 890. As there are no further recursion layers in the randomness extractor of Figure 8, only the outputs of the first subcircuits of the third layer 890 are shown.
[0128] As an example, consider that the first six elements of a sequence { ...} are received at times t, t + 1, ..., t + 5 respectively. At time t + 1 the memory 820 of the recursion logic 810 of the first layer 880 contains a first value 0 and a second value 2. The first subcircuit 830 outputs a binary value to the combination subcircuit 870. The second subcircuit 840 outputs a value to a first instantiation of the recursion logic 810 in the second layer 885, which is stored in memory 820 of that instantiation. The third subcircuit 850 does not produce an output. The fourth subcircuit 860 does not produce an output.
[0129] At time t + 3 the memory 820 of the recursion logic 810 of the first layer 880 contains a first value 1 and a second value 0. The first subcircuit 830 of the first layer 880 outputs a binary value to the combination subcircuit 870. The second subcircuit 840 of the first layer 880 outputs a value to the first instantiation of the recursion logic 810 in the second layer 885, which is stored in memory 820 of that instantiation. The third subcircuit 850 does not produce an output. The fourth subcircuit 860 outputs a value to another instantiation of the recursion logic 810 in the second layer 885.
[0130] As the first instance of the recursion logic 810 in the second layer 885 now has two values in its local memory at time t + 3, further processing is performed (specifically, a further value is output to combination circuitry 870, second circuitry outputs a value to an instantiation of the recursion logic in the third layer 890, where it is stored in local memory, and fourth circuitry outputs a value to an instantiation of the recursion logic in the third layer 890 where it is stored in local memory).
[0131] At time t + 5 the memory 820 of the recursion logic 810 of the first layer 880 contains a first value 1 and a second value 2. The first subcircuit 830 outputs a binary value to the combination circuitry 870. The second subcircuit 840 outputs a value to a first instantiation of the recursion logic 810 in the second layer 885, which is stored in memory 820 of that instantiation. The third subcircuit 850 does not produce an output. The fourth subcircuit 860 outputs a value to another instantiation of the recursion logic 810 in the second layer 885. As two values have now been output from the fourth subcircuit 860 of layer one 880, further processing of those two output values takes place.
[0132] In this manner, a recursive/iterative procedure is applied to the incoming random sequence.
[0133] The circuitry of the randomness extractor 800 is accordingly suitable for producing an unbiased binary sequence from an incoming time-ordered random sequence and may be suitable for use in generation of such unbiased sequences in substantially real-time. That is, the randomness extractor 800 is configured to receive a random sequence, each element of which is independently generated. The randomness extractor 800 is further configured to apply a recursive/iterative procedure to the random sequence as an input sequence, and to generate an output binary sequence, the output binary sequence comprising a combination of all ordering sequences generated using said recursive or iterative procedure.
[0134] The randomness extractor 800 is thus advantageous for extracting unbiased bits in substantially real time from an incoming random sequence. Furthermore, as the first subcircuits, second subcircuits, third subcircuits and fourth subcircuits are comparatively simple, they are implementable in a small area, enabling many layers of recursion or iterations for a given randomness extractor size.
[0135] The skilled person would appreciate that the randomness extractor 800 is provided as an example only, but many variations may be apparent to the skilled person, for example the randomness extractor may be configured to pair values in a different way, or to parallel-process an incoming data stream.
[0136] Figure 9 shows an illustration of a randomness extractor 900 according to another example. The randomness extractor 900 of Figure 9 is suitable for processing a received random sequence and comprises recursion logic 910, multiple memory units 920 and a microcontroller 930 having access to combination circuitry 970. In this example, the combination circuitry comprises concatenation circuitry, although the skilled person would appreciate that other forms of combination circuitry may be used. The microcontroller 930 further comprises a memory 940 having stored therein a sequence queue 950 and an output sequence memory allocation.
[0137] An instantiation of recursion logic 910 comprises a first subcircuit 830, second subcircuit 840, third subcircuit 850, and fourth subcircuit 860 substantially as described with reference to Figure 8. A microcontroller 930 is configured to receive a random sequence having a length equal to 2N elements and to store it in the sequence queue 950. The microcontroller 930 is configured to access the sequence queue 950, to identify one or more pairs of integers in the received sequence and to pass each pair to a corresponding instantiation 910_1, 910_2, ..., 910_N of the recursion logic 910. The outputs from the first subcircuits 830 are provided back to the microcontroller for concatenation using concatenation subcircuit(s) 970 and, as the unbiased output sequence is generated, it is stored in the output sequence memory allocation 960. The outputs of each of the second, third, and fourth subcircuits are stored in respective memory units 920 (labelled 920a, 920b, 920c in Figure 9 for the outputs of the second, third and fourth subcircuits respectively). The microcontroller 930 is configured to read a first plurality of the memory units 920a to retrieve a difference sequence and to store the difference sequence in the sequence queue 950. The microcontroller 930 is further configured to read a second plurality of the memory units 920b to retrieve an ordinal sequence and to store the ordinal sequence in the sequence queue 950. The microcontroller is further configured to read a third plurality of the memory units 920c to retrieve an extremum sequence and to store the extremum sequence in the sequence queue 950. The received random sequence and the entries in each of the memory units 920 can be erased from the sequence queue 950 and the memories 920, and the process can repeat with the next sequence in the sequence queue 950.
[0138] Advantageously, the randomness extractor of Figure 9 can parallel process a received sequence and reuse the same first, second, third and fourth subcircuits for multiple sequences as the recursion progresses.
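The following Python is an added illustration, not code from the patent or from Nu Quantum Ltd. It implements steps (i) to (vi) of the claimed procedure in both the depth-first form described for Figure 8 (`extract`) and the queue-based form described for Figure 9 (`extract_iterative`), reproduces the trace of paragraphs [0128] to [0131] on the constructed input 0, 2, 1, 0, 1, 2 (alphabet size 3), and checks on a constructed, strongly biased independent source with alphabet size 4 that the output bias is close to zero. The function names, the choice of dropping the last element of an odd-length sequence, the alphabet size 4 and the symbol weights are this example's own assumptions.

```python
"""Generalised Von Neumann / Peres style extractor following claim 1 of GB2609238A.

Added illustration, not the patent's own code.  Helper names, the sample
inputs and the alphabet sizes used below are this example's own choices.
"""
from collections import Counter, deque
import random


def step(seq, alphabet_size):
    """One application of steps (i)-(v) of the claimed procedure to one input sequence.

    Returns (ordering_bits, child_sequences).  child_sequences holds the
    difference sequence, the ordinal sequence and one extremum sequence per
    distance d in 1..K-2, i.e. everything step (vi) recurses into.
    """
    if len(seq) % 2:                       # claim 6: odd length, discard one element
        seq = seq[:-1]                     # (assumption: the last one)
    pairs = list(zip(seq[0::2], seq[1::2]))  # step (i): disjoint consecutive pairs

    ordering = [int(a < b) for a, b in pairs if a != b]      # step (ii): fair by symmetry
    difference = [abs(a - b) for a, b in pairs]              # step (iii): every pair
    ordinal = [a for a, b in pairs if a == b]                # step (iv): equal pairs
    # step (v): d = K-1 is excluded because then max(a, b) is always K-1 (no entropy).
    extremum = [[max(a, b) for a, b in pairs if abs(a - b) == d]
                for d in range(1, alphabet_size - 1)]
    return ordering, [difference, ordinal, *extremum]


def extract(seq, alphabet_size, depth_limit=None, _depth=0):
    """Figure 8 reading: depth-first recursion, ordering bits concatenated."""
    if len(seq) < 2:                                          # step (vi): need a pair
        return []
    if depth_limit is not None and _depth >= depth_limit:     # claims 4-5: halting condition
        return []
    ordering, children = step(seq, alphabet_size)
    out = list(ordering)
    for child in children:
        out += extract(child, alphabet_size, depth_limit, _depth + 1)
    return out


def extract_iterative(seq, alphabet_size, depth_limit=None):
    """Figure 9 reading: sequences wait in a FIFO queue, bits are concatenated as produced."""
    out = []
    queue = deque([(list(seq), 0)])
    while queue:
        current, depth = queue.popleft()
        if len(current) < 2 or (depth_limit is not None and depth >= depth_limit):
            continue
        ordering, children = step(current, alphabet_size)
        out += ordering
        queue.extend((child, depth + 1) for child in children)
    return out


def bias(bits):
    """Fraction of ones minus one half; near zero for an unbiased stream."""
    return sum(bits) / len(bits) - 0.5 if bits else 0.0


def biased_source(n, weights, rng):
    """Constructed stand-in for a photon-number style source: iid symbols 0..P with an
    arbitrary non-uniform distribution, P + 1 = len(weights)."""
    return rng.choices(range(len(weights)), weights=weights, k=n)


def unbiasedness_check(n=80_000, seed=2021, weights=(0.5, 0.3, 0.15, 0.05)):
    """Run both forms over a constructed biased iid source.  Returns the number of
    output bits, their bias (expected within a few multiples of 0.5/sqrt(bits) of 0)
    and whether the two forms emitted the same multiset of bits."""
    raw = biased_source(n, list(weights), random.Random(seed))
    recursive = extract(raw, alphabet_size=len(weights))
    iterative = extract_iterative(raw, alphabet_size=len(weights))
    return {"bits": len(recursive),
            "bias": bias(recursive),
            "same_multiset": Counter(recursive) == Counter(iterative)}


if __name__ == "__main__":
    # Constructed trace matching paragraphs [0128]-[0131]: alphabet size 3,
    # pairs (0,2), (1,0), (1,2) arriving at times t..t+5.
    print(extract([0, 2, 1, 0, 1, 2], 3))          # [1, 0, 1, 0, 1]
    print(unbiasedness_check())
```

On the trace, the first layer emits three ordering bits, the difference sequence 2, 1, 1 yields one more bit from the pair (2, 1), and the extremum sequence 1, 2 yields one more, five bits in total. The two forms differ only in the order in which ordering sequences are concatenated. The bias check illustrates the precondition in the claims: the bits are unbiased for any symbol distribution, but only because each input element is generated independently of the others.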
[0139] Figure 10 shows a block diagram of a random number generator 1000. The random number generator comprises a random number source 1010 and a randomness extractor 1020 which may or may not take the form of randomness extractor 800 of Figure 8 or of randomness extractor 900 of Figure 9. The random number source 1010 is suitable for generating a random sequence. The randomness extractor 1020 is configured to receive the random sequence and output an unbiased binary sequence.
[0140] Figure 11 shows a block diagram of a random number generator 1000' according to a particular embodiment. The random number generator 1000' of Figure 11 is an example of a quantum random number generator, and comprises a random number source 1010' and the randomness extractor 1020'.
[0141] The random number source 1010' of Figure 11 comprises a light source 1110 such as a pulsed laser, acting as a source of coherent states of light. The random number source 1010' further comprises one or more photon detectors 1120 for detecting photons emitted from the light source. The one or more photon detectors may comprise, for example, an electric field-modulated silicon avalanche photodiode. The electric field profile may be strongly modulated by doping to realise a spatially multiplexed detector containing a finite number P of single photon sensitive pixels, thereby permitting photon number detection in the interval [0, P]. In a time interval, the number of pixels that register a detection may take a value between 0 and P and accordingly, over a series of time intervals, a random sequence can be generated having an alphabet size of P+1.
[0142] The random number source 1010' may further comprise further circuitry 1130 for converting a signal received from the one or more photon detectors 1120 to a random sequence to be processed by the randomness extractor 1020'. For example, the further circuitry may include one or more amplifiers and/or one or more analogue-to-digital converters.
[0143] The randomness extractor 1020' may be of a similar design to that described in relation to Figure 8, thereby enabling unbiased quantum random numbers to be generated in substantially real-time. It will be appreciated that embodiments of the present invention can be realised in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention.
[0144] Accordingly, embodiments provide a program comprising code for implementing a system or method as described herein and a machine-readable storage storing such a program.
Still further, embodiments of the present invention may be conveyed electronically via any medium such as a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
[0145] Many variations of the methods described herein will be apparent to the skilled person.
[0146] Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
[0147] The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed. The claims should not be construed to cover merely the foregoing embodiments, but also any embodiments which fall within the scope of the claims.

Claims (17)

  1. A randomness extractor comprising circuitry for extracting an unbiased binary sequence from a random sequence, wherein the circuitry includes: one or more first subcircuits for: receiving a first value and a second value; and outputting a binary value based on comparing the first and second values; one or more second subcircuits for: receiving a first value and a second value; and outputting an absolute difference of the first and second values; one or more third subcircuits for receiving a first value and outputting the first value; one or more fourth subcircuits for: receiving a first value and a second value; and outputting a maximum or minimum of the first and second values; and one or more combination subcircuits for combining binary values output from the one or more first subcircuits; wherein the circuitry is configured to: receive a random sequence, each element of which is independently generated; apply a recursive or iterative procedure to the random sequence as an input sequence, wherein the recursive or iterative procedure comprises: (i) identifying, from the input sequence, one or more pairs of integers, each pair comprising a first value and a second value; (ii) generating, using the one or more first subcircuits, an ordering sequence, each element of the ordering sequence determined from a corresponding pair of the one or more pairs for which the first value is not equal to the second value, each element of the ordering sequence comprising a binary output based on a comparison of the first value to the second value; (iii) generating, using the one or more second subcircuits, a difference sequence, each element of the difference sequence determined from a corresponding pair of the one or more pairs, each element of the difference sequence comprising an absolute difference of the first value and the second value; (iv) generating, using the one or more third subcircuits, an ordinal sequence, each element of the ordinal sequence determined from a corresponding pair of the one or more pairs for which the first value is equal to the second value, each element of the ordinal sequence comprising the first value of the corresponding pair; (v) for each integer greater than or equal to one and less than the size of the alphabet of the random sequence minus one: generating, using the one or more fourth subcircuits, a respective extremum sequence, each element of the respective extremum sequence determined from a corresponding pair of the one or more pairs for which the absolute difference of the first value and the second value is equal to the integer, each element comprising an extremum of the corresponding first value and second value; and (vi) applying said recursive or iterative procedure to: (a) the generated difference sequence as an input sequence, if that generated difference sequence comprises at least two elements; (b) the generated ordinal sequence as an input sequence, if that generated ordinal sequence comprises at least two elements; and (c) each of the respective generated extremum sequences as an input sequence, if that respective generated extremum sequence comprises at least two elements; and generating, using the one or more combination subcircuits, an output binary sequence, the output binary sequence comprising a combination of ordering sequences generated using said recursive or iterative procedure.
  2. A randomness extractor according to claim 1, wherein the size of the alphabet of the random sequence is greater than or equal to two.
  3. A randomness extractor according to claim 2, wherein the size of the alphabet of the random sequence is greater than or equal to three.
  4. A randomness extractor according to any preceding claim, wherein the circuitry is further configured to halt the recursive or iterative procedure if a halting condition is met.
  5. A randomness extractor according to claim 4, wherein the halting condition comprises a recursion depth limit being met.
  6. A randomness extractor according to any preceding claim, wherein if an input sequence comprises an odd number of elements, identifying, from the input sequence, one or more pairs of integers, comprises removing an element and identifying one or more pairs from the remaining elements of the input sequence.
  7. A device for generating random numbers, the device comprising: a random number source for generating a random sequence; and a randomness extractor according to any preceding claim, the randomness extractor configured to receive the random sequence and output an output binary sequence.
  8. A device according to claim 7, wherein the device is for generating unbiased binary sequences in real time.
  9. A device according to claim 7 or claim 8, wherein the random number source comprises a light source and one or more photon detectors for detecting photons emitted from the light source.
  10. A computer implementable method of extracting an unbiased binary sequence from a random sequence, the method comprising: receiving a random sequence, each element of which is independently generated; applying a recursive or iterative procedure to the random sequence as an input sequence, wherein the recursive or iterative procedure comprises: (i) identifying, from the input sequence, one or more pairs of integers, each pair comprising a first value and a second value; (ii) generating an ordering sequence, each element of the ordering sequence determined from a corresponding pair of the one or more pairs for which the first value is not equal to the second value, each element of the ordering sequence comprising a binary output based on a comparison of the first value to the second value; (iii) generating a difference sequence, each element of the difference sequence determined from a corresponding pair of the one or more pairs, each element of the difference sequence comprising an absolute difference of the first value and the second value; (iv) generating an ordinal sequence, each element of the ordinal sequence determined from a corresponding pair of the one or more pairs for which the first value is equal to the second value, each element of the ordinal sequence comprising the first value of the corresponding pair; (v) for each integer greater than or equal to one and less than the size of the alphabet of the random sequence minus one: generating a respective extremum sequence, each element of the respective extremum sequence determined from a corresponding pair of the one or more pairs for which the absolute difference of the first value and the second value is equal to the integer, each element comprising an extremum of the corresponding first value and second value; and (vi) applying said recursive or iterative procedure to: (a) the generated difference sequence as an input sequence, if that generated difference sequence comprises at least two elements; (b) the generated ordinal sequence as an input sequence, if that generated ordinal sequence comprises at least two elements; and (c) each of the respective generated extremum sequences as an input sequence, if that respective generated extremum sequence comprises at least two elements; and generating an output binary sequence, the output binary sequence comprising a combination of ordering sequences generated using said recursive or iterative procedure.
  11. A method according to claim 10, wherein the size of the alphabet is greater than or equal to two.
  12. A method according to claim 10 or claim 11, wherein each element of at least one extremum sequence comprises a maximum of the corresponding first value and second value.
  13. A method according to any of claims 10 to 12, wherein each element of at least one extremum sequence comprises a minimum of the corresponding first value and second value.
  14. A method according to any of claims 10 to 13, wherein at least one of generating an ordering sequence, generating a difference sequence, or generating an extremum sequence comprises consulting a lookup table.
  15. A computer-readable medium having instructions thereon which, when read by a processor of a computing device, cause the processor to execute a method according to any of claims 10 to 14.
  16. A computer-readable medium having stored thereon a computer-readable description for implementing circuitry to perform the method of any of claims 10 to 14.
  17. A computing device, the computing device comprising: one or more memories; one or more processors configured to, using instructions stored in the one or more memories, execute a method according to any of claims 10 to 14.
Publications (3)

Publication Number Publication Date
GB202110704D0 (en) 2021-09-08
GB2609238A (en) 2023-02-01
GB2609238B (en) 2024-02-28

Family

ID=77541012
Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Gravel, C., "A generalization of the Von Neumann extractor", arXiv (Cornell University Library), 7 January 2021, XP081853602 *
Dodis, Y. et al., "Fuzzy Extractors", in Security with Noisy Data: On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, Springer, 2008, pp. 1-19, ISBN 978-1-84628-983-5, XP007905702 *
von Neumann, J., Nat. Bur. Stand. Appl. Math. Ser., vol. 12, 1951, pp. 36-38
Kamp, J. et al., "Deterministic extractors for bit-fixing sources and exposure-resilient cryptography", 43rd Annual Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, 11-14 October 2003, IEEE Computer Society, pp. 92-101, XP010661711, ISBN 978-0-7695-2040-7, DOI: 10.1109/SFCS.2003.1238184 *
Peres, Y., Ann. Stat., vol. 20, no. 1, 1992, pp. 590-597
