Over the past few weeks I have been diving deep into one of the most fascinating areas of applied cryptography and hardware security: building a high-quality random number generator (RNG) from a physical entropy source.
My current project (https://www.gabrielcybersecurity.com/QRNG) generates bits from the radioactive decay of Radon-222. Every decay event is fundamentally unpredictable, making radioactive decay an excellent entropy source for a true random number generator (TRNG). But there is an important catch:
Raw physical randomness is almost never perfectly uniform.
Even if the underlying physical process is truly random, the measured output usually contains bias introduced by the electronics, timing resolution, detector sensitivity, environmental effects, and signal processing chain.
Understanding how to transform these imperfect raw bits into cryptographically useful randomness has become a rabbit hole that touches probability theory, information theory, hardware design, and cryptography all at once.
Why Raw Random Bits Are Biased
A perfect random bitstream would produce:
- 50% zeros
- 50% ones
- No predictable patterns
- No correlation between consecutive bits
In reality, physical RNGs rarely behave this cleanly.
For example, imagine a detector that produces:
- 53% ones
- 47% zeros
This tiny imbalance may look harmless, but cryptographic systems are extremely sensitive to entropy quality. Small biases can become exploitable depending on how the random numbers are later used.
This issue is common across many physical RNG designs:
- Quantum RNGs based on photon detection
- Avalanche diode noise RNGs
- Thermal noise RNGs
- Ring oscillator entropy sources
- Radioactive decay RNGs
The challenge is not generating randomness; the challenge is extracting uniform randomness from noisy physical measurements.
von Neumann Debiasing
One of the oldest randomness extraction methods is the von Neumann extractor.
The idea is elegant:
| Input Pair | Output |
|---|---|
| 00 | discard |
| 11 | discard |
| 01 | 0 |
| 10 | 1 |
The key insight is that while the individual bits may be biased, the transitions 01 and 10 remain equiprobable under certain assumptions.
This method works surprisingly well, but it is extremely inefficient.
If the source is close to unbiased, roughly 75% of the bits get discarded.
For high-throughput hardware RNGs this becomes painful very quickly.
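The table above as runnable code, added here as an example (not code from the Radon project): it feeds a constructed 53/47 stream through the extractor and reports the bias before and after and the fraction of raw bits thrown away; the sample sizes and seed are assumptions.

```python
import random

def von_neumann_extract(bits):
    """von Neumann debiasing over non-overlapping pairs, as in the table above:
    01 -> 0, 10 -> 1, 00 and 11 are discarded, so each kept pair yields its first bit.
    Assumes the raw bits are independent and identically distributed (i.i.d.):
    only then does P(01) = P(10) = p(1-p) hold for every bias p."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def biased_bits(n, p_one, seed):
    """Constructed stand-in for a raw detector stream: n i.i.d. bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def evaluate(n=100_000, p_one=0.53, seed=7):
    """Fraction of ones before and after extraction, and the share of input bits discarded.
    For i.i.d. input the expected discard fraction is 1 - p(1-p), about 75% near p = 0.5."""
    raw = biased_bits(n, p_one, seed)
    out = von_neumann_extract(raw)
    return {
        "raw_bias": sum(raw) / len(raw),
        "out_bias": sum(out) / len(out),
        "discard_fraction": 1 - len(out) / len(raw),
    }

if __name__ == "__main__":
    print(evaluate())
```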
The Quantis Paper and Two-Universal Hashing
Recently I started reading a fascinating technical paper from the creators of the Quantis quantum random number generator:
Quantis Randomness Extraction Paper
The paper describes a far more efficient extraction mechanism based on two-universal hashing.
Instead of throwing away massive amounts of data like the von Neumann approach, the extractor compresses a larger block of weakly random bits into a smaller block with very strong statistical properties.
The core operation can be represented as a matrix multiplication over GF(2):
y = M · x (mod 2)
Where:
- x is the raw entropy vector
- M is a randomly generated binary matrix
- y is the extracted output
All operations are performed modulo 2, meaning the computation is essentially XOR-based linear algebra.
The beauty of this approach is that it acts as a randomness extractor: even if the input contains bias or partial predictability, the output approaches a uniform distribution as long as the source still contains sufficient min-entropy.
The Quantis paper shows that this technique only discards around 12%–35% of the bits depending on the parameters used — a massive improvement compared to von Neumann extraction.
Why the Matrix Does Not Need to Be Secret
One aspect that initially surprised me was this:
The extraction matrix M does not need to remain secret.
In fact:
- It can be public
- It can be shared across devices
- An attacker may fully know it
At first glance this feels counterintuitive because we instinctively compare it to symmetric cryptography like AES, where secrecy of the key is essential.
But randomness extraction is solving a completely different problem.
The security does not come from hiding the matrix.
The security comes from the unpredictability of the entropy source itself.
If the input bits contain enough entropy, then applying a universal hash function produces output bits that are statistically indistinguishable from uniform randomness, even when the hashing function is public knowledge.
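An added Python example (not code from the Quantis paper or the Radon project) of the GF(2) matrix extraction described above, also illustrating the point that the matrix is public: M is derived from a fixed, openly known seed and reused for every block. The block sizes (512 raw bits in, 384 out, a 25% discard) and the constructed 53%-biased source are assumptions.

```python
import random

def random_gf2_matrix(m, n, seed):
    """An m x n binary matrix stored as m row-integers of n bits each.
    The seed is public on purpose: the extractor matrix need not be secret,
    it only has to be chosen independently of the entropy source."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(m)]

def parity(v):
    """Parity of the set bits of v, i.e. the sum of those bits modulo 2."""
    return bin(v).count("1") & 1

def gf2_extract(M, x):
    """y = M x mod 2 over GF(2): output bit i is the XOR of the raw bits selected by row i.
    x is an n-bit integer holding one raw block; the result is an m-bit integer."""
    y = 0
    for row in M:
        y = (y << 1) | parity(row & x)
    return y

def biased_block(n, p_one, rng):
    """Constructed raw block: n independent bits, each a one with probability p_one."""
    x = 0
    for _ in range(n):
        x = (x << 1) | (1 if rng.random() < p_one else 0)
    return x

def measure(n=512, m=384, blocks=200, p_one=0.53, source_seed=1, matrix_seed=42):
    """Push `blocks` raw blocks through one public matrix and report the fraction of ones
    before and after extraction, plus the discard fraction 1 - m/n."""
    M = random_gf2_matrix(m, n, matrix_seed)
    rng = random.Random(source_seed)
    raw_ones = out_ones = 0
    for _ in range(blocks):
        x = biased_block(n, p_one, rng)
        raw_ones += bin(x).count("1")
        out_ones += bin(gf2_extract(M, x)).count("1")
    return {
        "raw_bias": raw_ones / (n * blocks),
        "out_bias": out_ones / (m * blocks),
        "discard_fraction": 1 - m / n,
    }

if __name__ == "__main__":
    print(measure())
```

Each output bit is the XOR of roughly half of the 512 raw bits, so a per-bit bias of 0.06 is driven to practically zero; the margin between the block's min-entropy and the 384 extracted bits is what the security argument rests on.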
Min-Entropy
While studying randomness extractors, one concept keeps appearing over and over again:
Min-Entropy
Unlike Shannon entropy, which measures average uncertainty, min-entropy focuses on the probability of the most predictable outcome.

This metric is extremely important for cryptographic RNGs because attackers only care about the best prediction strategy.
A source with high Shannon entropy but a highly predictable dominant outcome may still be insecure.
Randomness extractors are usually designed around conservative estimates of min-entropy.
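A worked comparison, added here (not part of the original post), for the 53/47 detector above and for a constructed byte source that shows why Shannon entropy alone is the wrong budget:

For the 53/47 detector, per raw bit:
$$H(X) = -0.53\log_2 0.53 - 0.47\log_2 0.47 \approx 0.485 + 0.512 = 0.997 \text{ bits},\qquad H_\infty(X) = -\log_2 \max(0.53,\,0.47) = -\log_2 0.53 \approx 0.916 \text{ bits}$$

For a byte source where one value occurs with probability 1/2 and the remaining 255 values share the other half equally (each 1/510):
$$H(Y) = \tfrac{1}{2}\log_2 2 + 255\cdot\tfrac{1}{510}\log_2 510 \approx 0.5 + 4.497 = 4.997 \text{ bits per byte},\qquad H_\infty(Y) = -\log_2 \tfrac{1}{2} = 1 \text{ bit per byte}$$

Budgeting on Shannon entropy would credit the second source with about 5 bits per byte, yet an attacker's best single guess is right half the time, so only 1 bit per byte can safely be extracted. For the detector, a 512-bit raw block carries about 512 × 0.916 ≈ 469 bits of min-entropy, and that figure, not the Shannon value, bounds how many uniform output bits any extractor may produce from it.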
Entropy Extraction Is Everywhere
The more I study this topic, the more I realize how universal it is.
Modern systems constantly rely on entropy extraction:
- Operating system RNGs
- Hardware security modules (HSMs)
- TPMs and Roots of Trust
- Secure boot key generation
- TLS session key creation
- Embedded security chips
- Cryptocurrency wallets
Even Intel, AMD, and ARM hardware RNG implementations internally use forms of conditioning and extraction functions to stabilize noisy entropy sources before exposing randomness to software.
Building a Better Radon-Based RNG
My current setup uses radioactive decay timing events from Radon-222 as the entropy source.
The next major steps I am exploring are:
- Measuring long-term statistical bias
- Studying autocorrelation between samples
- Implementing extractor pipelines
- Comparing extractor efficiency
Let’s see how this goes.