How to turn loaded dice into fair coins

We present a new technique for simulating fair coin flips using a biased, stationary source of randomness. Sequences of random numbers are of pervasive importance in cryptography and vital to many other computing applications. Many sources of randomness, such as radioactive or quantum-mechanical sources, possess the property of stationarity. In other words, they produce independent outputs over fixed probability distributions. The output of such sources may be viewed as the result of rolling a biased or loaded die. While a biased die may be a good source of entropy, many applications require input in the form of unbiased bits, rather than biased ones. For this reason, von Neumann (1951) presented a now well-known and extensively investigated technique for using a biased coin to simulate a fair coin. We describe a new generalization of von Neumann's algorithm distinguished by its high level of practicality and amenability to analysis. In contrast to previous efforts, we are able to prove our algorithm optimally efficient, in the sense that it simulates the maximum possible number of fair coin flips for a given number of die rolls. In fact, we are able to prove that in an asymptotic sense our algorithm extracts the full entropy of its input. Moreover, we demonstrate experimentally that our algorithm achieves a high level of computational and output efficiency in a practical setting.
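As a baseline for the abstract's efficiency claim, the following added example (not the paper's algorithm and not code from its authors) applies von Neumann's pairing rule directly to die faces and compares its exact yield with the Shannon entropy of the source, which is the bound the abstract says the new algorithm reaches asymptotically. The `LOADED_DIE` distribution and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product
import math

# Constructed loaded-die distribution (an assumption, not data from the paper).
LOADED_DIE = {1: Fraction(1, 2), 2: Fraction(1, 4), 3: Fraction(1, 8),
              4: Fraction(1, 16), 5: Fraction(1, 32), 6: Fraction(1, 32)}

def extract_bits(rolls):
    """Von Neumann's pairing rule applied to die faces.

    Rolls are consumed two at a time. For independent, identically
    distributed rolls, (a, b) and (b, a) are equally likely, so
    a < b emits 0, a > b emits 1, and ties are discarded.
    """
    bits = []
    for a, b in zip(rolls[0::2], rolls[1::2]):
        if a != b:
            bits.append(0 if a < b else 1)
    return bits

def exact_pair_outcome(dist):
    """Exact (P[bit=0], P[bit=1], P[discard]) for one pair of rolls."""
    p0 = p1 = tie = Fraction(0)
    for (a, pa), (b, pb) in product(dist.items(), repeat=2):
        if a < b:
            p0 += pa * pb
        elif a > b:
            p1 += pa * pb
        else:
            tie += pa * pb
    return p0, p1, tie

def bits_per_roll(dist):
    """Expected fair bits per roll: one bit per non-tied pair of rolls."""
    p0, p1, _ = exact_pair_outcome(dist)
    return float(p0 + p1) / 2

def entropy_per_roll(dist):
    """Shannon entropy of one roll in bits, the upper bound on extraction."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p)

if __name__ == "__main__":
    print("P[0], P[1], P[discard]:", *exact_pair_outcome(LOADED_DIE))
    print("bits/roll:", bits_per_roll(LOADED_DIE))
    print("entropy/roll:", entropy_per_roll(LOADED_DIE))
```

The output bits are exactly unbiased whatever the loading, but this rule recovers only about a third of a bit per roll from a source carrying 1.9375 bits per roll.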
