Randomness extractor

A randomness extractor, often simply called an 'extractor', is a function, which being applied to output from a weakly random entropy source, together with a short, uniformly random seed, generates a highly random output that appears independent from the source and uniformly distributed. Examples of weakly random sources include radioactive decay or thermal noise; the only restriction on possible sources is that there is no way they can be fully controlled, calculated or predicted, and that a lower bound on their entropy rate can be established. For a given source, a randomness extractor can even be considered to be a true random number generator (TRNG); but there is no single extractor that has been proven to produce truly random output from any type of weakly random source. A randomness extractor, often simply called an 'extractor', is a function, which being applied to output from a weakly random entropy source, together with a short, uniformly random seed, generates a highly random output that appears independent from the source and uniformly distributed. Examples of weakly random sources include radioactive decay or thermal noise; the only restriction on possible sources is that there is no way they can be fully controlled, calculated or predicted, and that a lower bound on their entropy rate can be established. For a given source, a randomness extractor can even be considered to be a true random number generator (TRNG); but there is no single extractor that has been proven to produce truly random output from any type of weakly random source. Sometimes the term 'bias' is used to denote a weakly random source's departure from uniformity, and in older literature, some extractors are called unbiasing algorithms, as they take the randomness from a so-called 'biased' source and output a distribution that appears unbiased. The weakly random source will always be longer than the extractor's output, but an efficient extractor is one that lowers this ratio of lengths as much as possible, while simultaneously keeping the seed length low. Intuitively, this means that as much randomness as possible has been 'extracted' from the source. Note that an extractor has some conceptual similarities with a pseudorandom generator (PRG), but the two concepts are not identical. Both are functions that take as input a small, uniformly random seed and produce a longer output that 'looks' uniformly random. Some pseudorandom generators are, in fact, also extractors. (When a PRG is based on the existence of hard-core predicates, one can think of the weakly random source as a set of truth tables of such predicates and prove that the output is statistically close to uniform.) However, the general PRG definition does not specify that a weakly random source must be used, and while in the case of an extractor, the output should be statistically close to uniform, in a PRG it is only required to be computationally indistinguishable from uniform, a somewhat weaker concept. NIST Special Publication 800-90B (draft) recommends several extractors, including the SHA hash family and states that if the amount of entropy input is twice the number of bits output from them, that output can be considered essentially fully random. The min-entropy of a distribution X {displaystyle X} (denoted H ∞ ( X ) {displaystyle H_{infty }(X)} ), is the largest real number k {displaystyle k} such that Pr [ X = x ] ≤ 2 − k {displaystyle Prleq 2^{-k}} for every x {displaystyle x} in the range of X {displaystyle X} . In essence, this measures how likely X {displaystyle X} is to take its most likely value, giving a worst-case bound on how random X {displaystyle X} appears. Letting U ℓ {displaystyle U_{ell }} denote the uniform distribution over { 0 , 1 } ℓ {displaystyle {0,1}^{ell }} , clearly H ∞ ( U ℓ ) = ℓ {displaystyle H_{infty }(U_{ell })=ell } . For an n-bit distribution X {displaystyle X} with min-entropy k, we say that X {displaystyle X} is an ( n , k ) {displaystyle (n,k)} distribution. Definition (Extractor): (k, ε)-extractor Let Ext : { 0 , 1 } n × { 0 , 1 } d → { 0 , 1 } m {displaystyle { ext{Ext}}:{0,1}^{n} imes {0,1}^{d} o {0,1}^{m}} be a function that takes as input a sample from an ( n , k ) {displaystyle (n,k)} distribution X {displaystyle X} and a d-bit seed from U d {displaystyle U_{d}} , and outputs an m-bit string. Ext {displaystyle { ext{Ext}}} is a (k, ε)-extractor, if for all ( n , k ) {displaystyle (n,k)} distributions X {displaystyle X} , the output distribution of Ext {displaystyle { ext{Ext}}} is ε-close to U m {displaystyle U_{m}} . In the above definition, ε-close refers to statistical distance.