+     deccrl!!!
From: (Topher Cooper)
Newsgroups: sci.crypt,comp.compression

Subject: Re: Source for _real_ random numbers
Message-ID: <>
Date: 18 Mar 92 15:33:16 GMT
+           <>  <> 
Reply-To: (Topher Cooper)
Followup-To: sci.crypt
Distribution: usa
Organization: Digital Equipment Corporation, Hudson MA
Lines: 51
Xref: sci.crypt:5598 comp.compression:2559

In article ,
(Bruce J Bell) writes:

|>One simple and effective(?) way to remove non-randomness from
|>physically-generated random numbers is to xor several near-
|>or semi-random bits together for 1 output bit.

    If your "non-randomness" is in the form of bias (i.e., the probability
    of a 1 being not equal to .5) then this will indeed increase the

    An even better method (using slightly more bits -- if your bias is
    low) goes back to, I believe, Von Neumann.  It will remove *all* bias
    from a biased but otherwise random sequence.  Look at the bits in
    pairs.  If both bits are the same, discard them.  If they are different
    emit the first bit.

    There is a problem with both these methods -- if there is a correlation
    between adjacent bits (another form of "non-randomness") then these
    methods will both *increase* the bias.  For many applications (though
    by no means all) a slight correlation is less harmful then a slight
    bias, so these procedures will make the non-randomness worse for those

    Probably your best bet for removing subtle non-randomness from physical
    random number sequences -- if you can afford the computational load --
    is to XOR them with a statistically well-behaved (but deterministic)
    pseudo-random source -- such as can be gotten from DEA.  The physical
    random source provides the non-deterministic part of "randomness" while
    the pseudo-random source provides the statistical properties.

    If there is some degree of non-randomness (predictability such as produced
    by simple bias, periodic bias, or correlations) this will technically
    leave a degree of determinism in your output sequence (though it will
    be computationally infeasable to recover it if you use a pseudo-random
    sequence which is cryptographically strong in practice, such as DEA).
    If you can set bounds on how much determinism exists, algorithms can
    be devised which will hash your semi-deterministic mixed-random sequence
    to a non-deterministic mixed-random sequence.

    For example, let us say that you are confident that there is at least
    one bit of non-determinism for each two bits of output from your physical
    random number generator (not too hard to accomplish).  Instead of xoring
    with a psuedo-random sequence as I suggested previously, encrypt the
    physical RNG with DEA and an arbitrary password.  Then just use the
    top half of the encrypted result.  Since DEA distributes the input well
    over the output, you have hashed down the input to non-deterministic