Independent Unbiased Coin Flips From a
Correlated Biased Source: a Finite State Markov Chain.
Manuel Blum*
Department of Electrical Engineering and Computer Sciences;
Abstract: von Neumann’s trick for generating an absolutely
University of California at Berkeley, 94720
If the input to algorithm vN is a sequence of Os and 1s obtained
unbiased coin from a biased one is this:
1. Toss the biased coin twice, getting 00, 01, 10, or 11.
2. If 00 or 11 occur, go back to step 1; else
3. Call 10 a H, 01 a T.
from independent flips of a biased coin, then the output is a
sequence of independent and unbiased
Since p[H] = p[l]*p[O] = p[T], the output is unbiased. Example:
00 10 11 01 01 + H T T.
Peter Elias gives an algorithm to generate an independent
unbiased sequence of Hs and Ts that nearly achieves the Entropy of
the one-coin source. His algorithm is excellent, but certain
difficulties arise in trying to use it (or the original vou Neumann
scheme) to generate bits in expected linear time from a Markov
chain.
In this paper, we return to the original one-coin von Neumann
scheme, and show how to extend it to generate an independent
unbiased sequence of Hs and Ts from any Markov chain in expected
linear time. We give a right and wrong way to do this. Two algorithms A and B use the simple von Neumann trick on every state of
the Markov chain. They differ in the time they choose to announce
the coin flip. This timing is crucial.
Hs and Ts. This is because
the probability of producing, an H is p*q while that of producing a T
is q*p. Here, prlu, = 11 = p for all i, and p
+ q = 1. Algorithm
VN works without knowledge of the bias, p. This is surprising, and
also useful for applications.
We are interested in producing independent unbiased coin flips
from a dependent biased source, an n-state Markov Chain. The
Markov Chain (MC) is a finite set of labelled states S, . . . S,. Out
of each state S, there emerge two arrows, one labelled (1, p , ) , the
other (0,q,), where p , and q, are probabilities that sum to 1. Each
1. Introduction
arrow goes to some (arbitrary) state of the MC. The MC produces
Von Neumann has given an algorithm (algorithm vN) for getan infinite sequence ulu2. . . of Os and 1s as follows:
ting an absolute[y unbiased sequence of coin flips from the flips of a
Initially the MC is in1 the start state, SI. Whenever it is in
biased coin:
state SI,it selects a 1 with probability p , (which depends just
Algorithm vN:
on the state SI), else
:i 0,
outputs the selected symbol (1 or 0),
Input: A sequence of 0s and Is, denote it u p 2
then goes to the state indicated by that symbol’s arrow.
Output: A sequence of Hs and Ts.
In this paper, we initially assume that we know the state
diagram of the MC in all details ezcept that the specific probabili-
For i = 1, 2, ...
ties { p , } attached to the arrows may be omitted. An example
do
# uz,-lthen output H;
where the state diagram of the MC and the start state are known is
# U,,_,then output T.
the (not unreasonable) case where each bit (1 or 0) produced by the
If u2, = 1 and
uz,
If u21= 0 and
u21
source is selected with a pralbability that depends on just the preced-
od
*Supported in part by the National Science Foundation under grant MCS 8204506.
425
0272-5428/84/0000/0425$01.00 @ 1984 IEEE
ing k bits. In that case, the MC has 2’ states, one for every string
2. Algorithms
of k bits (the last k bits produced by the source). Later, we show it
Algorithm A:
suffices to know just an upper bound on the number of states in the
Input: An MC (except that probabilities need not be attached to
MC in order to produce Hs and Ts in expected linear time (i.e., in a
the arrows); A sequence of Os and Is produced by that MC.
constant expected number of steps per output bit). If a bound is
Output: A sequence of Hs and Ts.
unknown, then it is still possible to produce
HB and Ts that are
Begin:
eventually independent and unbiased, but not in expected linear
Comment: For each state of MC, this algorithm stores one of the 3
time.
symbols A, 0, 1, called the state-bit (though state-trit might be more
It is easy to see that it is possible in principle to generate
appropriate). State-bit(S,) is a memory of the last exit (0 or 1)
independent unbiased bits from a MC: use algorithm vN on the
taken out of state S, if that was the l S t3rd,
,
. . . such exit; it is X
symbols produced by the MC just when it exits some particular
otherwise. (This is the information needed for this algorithm t o
state, throwing out all symbols produced by the MC when it exits
treat S, like a von Neumann coin.)
other states. Of course, this is wasteful of the states. Elias [
suggested a way to use all the symbols produced by a MC.
I
Comment: The bit produced upon exiting a state is called the
has
en’t-bit.
His algo-
rithm approaches maximum possible efficiency, but it does not prw
Initialize: Set state-bit(S,) = X for all i. Set i := 1 [Comment:
duce bits in expected linear time.
Enter state SI].
Repeat:
We describe two algorithms, A and B, that make moderately
good use of the MC: both have an efficiency* that is 1/4 the
do
entropy of the MC when all probabilities are 1/2. These algorithms
1. Set exit-bit := next input bit (i.e., the next bit, 0 or 1, produced
by the MC).
do as well as vN does (on a 1-state MC), which is not surprising
2. Case:
since both are natural extensions of vN. Algorithms A and B both
i) if state-bit($) = X then set s t a b b i t ( $ ) := exit-bit.
treat each state of a MC like a von Neumann coin, generating a H
ii) If state-bit(S,) = 0 or 1 then
(or T) whenever a state of the MC is exited for the 2 t f h time, f E
(1, 2,
___
CaScI
}, provided the 2t-1‘* and 2t” exits are 10 (or 01). A l p
a) if exit-bit = state-bit(S,) then set state-bit(S,) := A.
rithm A outputs the H (or T) as soon as 10 (or 01) is produced by a
b) If exit-bit
state. Algorithm B, however, is patient: it waits and outputs the H
# state-bit(S,) then
then out-
(or T ) later, when the state that produced 10 (or 01) is reentered.
if <state-bit(S,), exit-bit>
The diaerence (between A and B) is crucial. A is bad while B is
put H; eke [Comment: <state-bit(S,), exit-bit>
good. That is to say, A does not produce independent unbiased out-
= <0,1>]
= <1,0>
output T.
put bits while B doea. We give faulty ”proofs” that A and B are
3. S e t i := index of (new) state dotten to by following the exit
both good. We then exhibit a MC for which algorithm A is bad: it
arrow (arrow labelled by exit-bit) out of (old) state S,.
almost neuer produces the quadruple HHTT! Finally, we prove that
od
algorithm B
End
i8
good for every MC.
tEliaa defines the cficicncy to be the expected value of the ratio of output symbols to inpnt symbols. The entropy is defined in the usual way [see Eli=]. As expected, the entropy of the source is the maximum poasible
achievable eficicncy.
426
Algorithm B:
4. Set i := index of (new) state gotten to by following exit arrow
Input: An MC (except that probabilities need not be attached t o
(arrow labelled by exit-bit) out of (old) state S,.
the arrows); A sequence of Os and 1s produced by that MC.
od
Output: A sequence of Hs and
End
Ts.
Begin:
3. Pseudo-Theorems and Theorem
Comment: Each state can store any one of the 5 symbola A, 0, 1,
We now give a faulty "proof" that algorithms A and B are
H, T, called the state-bit (though statequint might be more
good.
appropriate). State-bit(S,) is a memory of the last exit (0 or 1)
taken out of state S, if that exit was the lS', 31d,
...
Pseudo-Theorem:
such exit;
otherwise it is a memory of the last two exit b i b taken out of state
Let MC be a finite state Markw Chain such that with proba-
S,: H if they are (in order) 10, T if 01, X if 00 or 11. (This is the
bility 1 every state of MC is visited infinitely often. Algo-
information needed to output the
Hs and Ts "patiently.")
rithms A and B are g;ood in the sense they produce indepen-
Comment: A s usual, the bit produced upon exiting a state is called
dent unbiased coin-flips from the output of MC.
the en't-bit.
Pseudwproof: Each
state of the MC may be viewed as a biased
Initialize: Set state-bit(S,) = X for all i. Set i := 1.
coin. When a coin is flipped it produces a 0 or 1 with some bias,
Repeat:
then directs the MC to anofher coin to flip. Algorithm A applied to
do
the MC may be viewed as doing the following:
1. If state-bit(S,) = H (or T), then output H (or T) and set state-
1. flip coin
bit($) := X.
S, and get 0 or 1;
3. if this was a Is', 3rd,... flip of coin S,, output nothing.
Comment: define the atate-memory at this point (after the above
3. if this.was a 2"*, 4",
... flip of coin S,,either
output, if any, has been produced), as the vector of state-bits:
output nothing (with some probability p) or
< s t a b b i t ( S I ) ,...,state-bit(&)>.
output H or T (with equal probabilities (1-p)/2 ).
2. Set exit-bit := next input bit (i.e., the next bit, 0 or 1, produced
Each output of an S, is equally likely to be H or T. After the coin
by the MC).
comes up 0 or 1, the MC is directed to a state where a coin is
3. Case:
flipped and the argument reapplied recursively.
i) if state-bit(S,) = X then set state-bit(S,) := exit-bit.
Pseudo-qed
ii) If state-bit(.?,) = 0 or 1 then
Theorem A (Algorithm A is bad):
CMCI
Let MC be the Markov Chain consisting of k states,
a) if exit-bit = state-bit(S,) then set state-bit(S,) := X .
b) If exibbit
if <state-bit(S,), exitbit> =
bit(S,) := H; else
<0,1>]
SI, . . ,&; the Oarrow out of each state has associated pro-
# state-bit(S,) then
I
<1,0>
bability q, = 1--e andl maps the state back to itsell; the 1-
then set state-
arrow out of each state has associated probability p , = e and
[Comment: <state-bit(S,), exitbit>
maps S, to S,+l for i
set statebit(&) := T.
:. k,
S, to SI.
When Algorithm A is applied to the sequences generated
427
by this MC:
l), or else (if statebit(&) = A ) the next 1-transition out of S2
1. (Algorithm A s output sequence is initially biased): for t
leaves state-bit(S1) = 1. In that case, Ht is generated upon
-+
0 (alternatively: t: = 1/2), algorithm A can be expected to
entrance to Si. In either case, Ht is generated upon entrance to one
Hs (nearly k/3 Hs) before outputting its first
one of the states at a moment in which the other state has its state-
output nearly k/2
T
bit set to 1.
2 . (Algorithm A generates dependent sequences): Let the t f k
output of A be denoted Ht or T t . For fixed k
pr[Tt+lTt+2 I Ht_t+,
. . . H,]
-+
0 as
E -+
>
Now observe what this means for generating Tt+lTt+z. After
1,
generating Ht, A can generate a t most one symbol,
0. In particular,
Tt+l,before
entering the other state, a t which time it will almost certainly (with
for k=2, the probability that MC will output 2 successive Ts
probability
given that the last 2 symbols that it output were both Hs is
erated at time t+ 1 or t+ 2 will be H.
asymptotic to 0 (it should be asymptotic to 1/4).
2
1-c) generate H. Therefore, either the symbol gen-
It follows that pr[ Tt+1Tt+2]-+ 0.
Proof:
Qed
1. Easy to see.
Technical Lemma (for Theorem A):
2. We prove this for the special case k = 2.
of 1-arrow transitions
Apply Algorithm A to the MC of the above theorem with k=2
Hs and Ts are associated with occurrences
First note that all
states. Then lim Pr[Ht-,Ht]
A T can occur only in cme a O-transition
f -rm
from S, to S, is followed by a 1-transition out of S,. We say that T
Proof:Pr[Hf_,Ht]= Pr[Ht I
2
1/4.
Ht-l]*Pr[Hf-,].
occurs when the 1-arrow en'ts S,. Similarly, an H can occur only in
1. Pr[H,
case a 1-transition into S, is followed by a @transition from S, back
1
H,-,]
>_ 1/2 for all t: Without loss 01 generality,
m u m e that Ht-, is generated by Si, at which time state-bit(S1) is
to S,. We say that H occurs when the 1-arrow entera S, (though
set to X. The probability that SI generates an
N the
next time it
technically it occurs a moment later).
generates anything at all (H or T) is 1 / 2 (because Si generates
Most (at least (1-e) fraction) of the 1-transitions are followed
independent unbiased sequence of Hs and Ts). Also, after Hf-l is
by &transitions. Call these the likely 1-transitions. Call an Ht-lHt
generated, the probability that H is the next output generated by S,
pair l i k d y if a pair of consecutive 1s (11) does not occur between the
1s that produce
is
and H f . It is an immediate consequence ol the
1
1/2, since state-bit(S,) = X or 1 at the time Hf is output.
Therefore, the t f h symbol output by
B is Ht with probability 2 1/2.
Technical Lemma below and the Fact that the fraction of unlikely
1-transitions is asymptotically zero (goes t o zeyo as e
traction of all t such that the t-I"'
Ht-,Ht pairs is asymptotically
focus l u s t on these likely
2
and
fth
-+
2. It can be shown that lim Pr[H,-,] = 1JZ.
0), that the
f-rm
outputs are "likely"
1/4. In the next paragraph, we
Theorem B (Algorithm B is good):
Hc-lEF~pairs.
Let MC be a Markov Chain. Let the sequence generated by
Suppose, without loss of generality, that H f - l is output by A
MC be used m input to algorithm B. Then:
upon entrance of MC to Si Since this output cannot be followed
1. The output of B is an independent unbiased (possibly finite)
by a T , the next I-transition (from Si to S,)
must leave statesequence of Hs and Ts
bit(S1) = 1. Since by assumption the 1-transition into S2 is a likely
2. If the MC does not enter a deterministic loop (in which
one, either
Hi
is generated upon entrance to Sz (if state-bit(S2) =
428
there exits from every state a single arrow with associated p r e
will use a subset of arrows of u1 . . . U,! It will not necessarily use
bability = l), then the output of B is infinitely long with pro-
all of them (see figure 2)!
bability 1.
3. If all probabilities attached to arrows are 1/2, then B is
expected to generate an (independent unbiased) output bit for
every 4 input bits.
Proof: 1 and 2 are immediate from the Main Lemma, below.
figure 1: an order-preserving transformation that
3 follows for algorithm B as it does for algorithm vN (wherein, for
~ u,~.
exchanges u ,with
example, 00110110 (8 bits input) causes B to output TH (2 bits)).
Qed
Definitions: Let MC be a Markov Chain. Let
u1u2.. . ut be a
finite sequence of 08 and 1s generated by MC. For each state S, of
MC, let u,lu,2.. . be the subsequence of 01u2. . . ut consisting of
those symbols generated by MC when it exits state S,.
U,
u
1
12
. . . the subsequence
figure 2: interchange
u p 2 . . . uf to SJ.
assigned by
u11u12
. . . are the en’t.4 (of u1 . . . ut) out of
Call
S,. The entrance8 (of
u1 . . . ut) into S, are the symbols of u1 .
. . ut that
into S, (from any state). Note that for S,
$? {SI,ST},the number
take the MC
Let MC be a Markov Chain. Let S, be a state of MC. Let k
2
in the
assigned to S, and all subsequences assigned to S,, all j
#
with
i, being
61
left untouched). Let ujlu;,. . . denote the resulting subsequence
U:
. . U;. The map
exchange of ughwith
tion of u1 . . . ut into
u1
U:
U,
OF
u1 .
.. .
0;
.
I
ib+rl.
’
.
’
.
‘
and
‘
.
’
U;
a
(unique)
sequence
u:t+rl with the following properties:
. . . u:k+rl both use the same multiset
cr;
. . O:~+~.Iboth leave the MC with the
same state-rnemory (both sequences store the 6ame state-bit in
a state: see definition in algorithm B).
the order-preserving transforrna-
3. u1 . . . u,t+r2 and
(see figure 1).
(7;
. . . u;++ (note last index of the two
sequences!) both cause algorithm €3 to output the same number
u1 . . . U,?
. . ut into a state there is an exit u
state, except for the last entrance ut into S,.
.
,
2. u1 . . . u,,+*.~and
. U:, defined (above) by the
. . . U:, related to
5
a sequence of Os
the same probabthty.
takes MC into some state, SI,
+ U;
u , ~ is
+ called
~
How is the sequence
entrance
. . . ut
1
of exit,arrows, and therefore both have the same length and
the first exit
= first exit out of S I that has not been taken by any of
then
U;
SI. Inductively, if
. uh+c.lbe
o , ~ + ~
de1,errnines
u,i+l
1. u1 . . .
assigned to S,. The subsequences associated with S,, all j, define a
(u:J out of
. uft
An order-preserving transformation that exchanges u4
subsequence assigned to S, are interchanged (all other symbols
,
1. Let u1 .
and 1s generated by MC, where it+l
Now suppose that two successive symbols u k ,
t
with us
Lemma 1:
of entrances to S, equals the number of exits from S,.
new sequence ulu2 . . . in a natural way: u;
0
,
For every
of Hs and the same number of Ts (in possibly difierent orders).
~ out
+ ~
of that
Therefore,
U;
Moreover, u , ~ + * -cau~es
~
5 to output H (T) if and only if
. . . U:,
u : ~ causes
+ ~ ~
B
429
to out,put T (H).
4. If
. . . u:t+ri is transformed into
U;
U;'
.
' '
order-preserving transformation that exchanges
then
..
U;'
U:,'++
= 01
u:t'+ri
U:,
in an
2. Since every state of MC (except S,) is exited in the same order
with u:,+~,
by
. . .U , ~ + ~ I .
...
U;
u L + ~ - ~as by
61
..
and since both sequences leave
0,~+~-1,
S, with the same state-bit, X, the two sequences leave MC with the
same state-memory
proof: True if
ult = u , ~ + Now
~ . assume without loss of generality
3. The sequence u1 .
that uIt = 0 and o , ~ =
+ ~
1.
. ulr+rZgenerates the same number of Hs and
same number of Ts as
Suppose u1 . . . u t , t = ik+l-l,is transformed into
U;
U;
. . . u : ~ + ~Same
~ , . argument
as for 2
. . . U ; . We
above.
must show that
U;
. . U ; uses all the arrows of u1 . . . ut (it uses a
4. This follows because
subset of those arrows, cf. paragraph preceding Lemma 1).
Suppose not. Then after the interchange,
U:
subset of arrows of o1. . . at.The arrows of
. . . g i r , shown dotted in figure
0;
U;
. . . U ; ends in
. . . ut not used by
u1
.. .~
=u,~.
~
...
II, however, B is fed MC and a finite (rather than insnite)
initial sequence C J ~. . . u t , the output ot B will stili be a well-defined
equals the number of exits from S, in both the original sequence
U:,
U;+,
Algorithm B takes as input a MC and an i n m t e sequence
3, form cycles: this is because
S,, so the number d entrances to S,, my j,
u,~
. . . u,t+z-i and the new one
= u l t f land
Qed
. . . U:, uses a proper
U,
U:,
te initial string of H s a d
Ts. We eall u1 . .
~
ut the finite
i r .
sequence (01Ds and 1s) that underlies that given sequence of Hs and
Ts, provided
ut caused the last H or T t o be output, i.e.,
U*
took
MC into a state whose state-bit was previously set t o (that last) H
or T.
The probability that MC causes B to generate a certain finite
'.-,Y
initial sequence of
Hs and Ts is xprob(o, . . .ut), where the sum is
taken over all strings u1
figure 3
. . . ut that underlie the given sequence of
Hs and Ts.
Clearly, none of the cycles goes through S,,
The idea behind the proof of Theorem B is this: show that
We are to show that there are actually no cycles. Consider the first
pr[TTHH] = pr[HHHT], say, by constructing a 1-1 correspondence
edge, e, of any cycle that is taken by u1 . . . u t . Suppose this edge is
between SlrHH,the 0-1 strings underlying TTHH, and S H H ~the
,
out of S,. Suppose there are exactly c cycle edges out of S,. These
are the last e edges taken by ul
by
U:
* * U:,).
' ' '
0-1 strings underlying HHHT. If a string of 0 and/or 1 arrows is
ut (since they were not taken
used to generate TTHH, then the same 0 and/or 1 arrows is used in
After taking edge e, c-1 edges remain to be taken
a different order to generate HHHT.
out of S, by u1 . . ut. But at least c edges must still be taken into
S, by u1
Main Lemma:
. . . ut, which is a contradiction.
Let MC be a Markov Chain. Let n be any positive integer.
It now
fOIlOW6
that:
Let ST,T,
r,, ST,T,
...
H ~ ,
siiliil H,
be 2" sets, each
indexed by a distinct n-bit string of Hs and Ts, each defined t o
1. We have just proved it.
430
be the set of all finite sequences of Os and 1s that underlie the
where the additional crs on both sides are the u n p r h e d m that were
indexed sequence of Hs and Ts.
previously deleted. In this way,
Then there is an equivalence relation
on the set of all
3
rs whose indices end in
relation on the union of all 2"-' subsets S
strings u1 . . . uk that underlie finite sequences of Hs and Ts,
T..
such that:
union of all 2"-' subsets S
1. If u1 . . . ut underlies an n-bit sequence of Hs and Ts then
In similar fashion, extend
3
HZ
to an equivalence relation on the
whose indices end in H , . Finally,
extend the equivalence relatiion by setting each string in the partieu-
every n-bit sequence of Hs and Ts has exactly one underlying
sequence r1 . . . rL that is equivalent to u1 .
is extended to an equivalence
E
lar set STIT,
. . u k ; moreover,
r a _ l ~(whose
,
the unique string in
index consists of n Ts) equivalent to
r8-IHs
STITz
gotten by applying the order-
no other sequences are equivalent to u1 . . . b k .
preserving transformation of Lemma 1. Note that Lemma 1, part 3,
r1 . .
. . .uk
2. If ul
7, then:
assures that strings in ST1r2
i) u1 . . . uk uses the same multiset of arrows as
(consequentIy k = f , pr[ul
both u1 . . . 0 1 and rl
T~
Srlr2
. . . ut] = pr[rl . . . rkl, and
. . . rk
ra-lrnare transformed into strings in
. . . r,
r=,_,H,.
The result is an equivalence relation satisfying 1
and 2 on the set of all finite sequences that underlie strings of up to
take MC into the same
n Hs and Ts.
state).
ii) If u1 . . . (It
rl . . .
then u1 .
Qed
. . ut leaves the
MC with exactly the same stabmemory as r1 . . .
Proof of Main Lemma: We define = recursively, proving by
How
4.
induction on n that it has the desired properties.
generate
to
an
independent
unbiased sequence of Hs and Ts from an
on STUsH by setting ul
n=l: Define
U;
. . . U:
. . . a i 2 .. . U:,,,
.
.
u , ' ~' . u , ~ .. U,+
' '
where the latter is obtained by an
While algorithms vN, A and B appear practical, algorithms C
(so
and D below do not. There is one exception: a properly modified
satisfies 1 and 2
algorithm C may be pract.ica1 in case MC is known but its start
order-preserving transformation that exchanges
U:
1
=
U,
2
and
unknown Markov chain.
= u,J. Then, by Lemma 1,
U,]
with
U,?
state is unknown.
(of the Main Lemma) on STUSH.
General nr Now assume
= has been
Let k or k(n) denote the number of n-state finite state
defined
60
that it satisfies 1
machines (FSM). Let the i f h n-state FSM, M , , have states q,%, j E
and 2 on the set of all finite sequences that underlie m-bit strings of
HB and Ts, tor all m < n. We extend
u1 . . . U,
. . . uk E
11,
as follows:
. . . , n}, where
q; = start state. Define M(n), the universal
Let
simulator of n-state FSMs,, or universal FSM for short, to be the
STIHl
rs-lrs,say, one of the 2" subsets whose
FSM with n k states, each denoted by < q j l ,
index terminates in T. Delete symbols from the right hand side of
ul
..
* U,
. . ut. to
*
get the sequence u1 . . . U, of Os and 1s that
underlies the n-1 bit string T I H ~. .. T._l.
U;
. . . U;
If
u1
for
jl, . . . , jk E
<q:,
. . . , q i , . . . , q f > . If a state
. . U,
then associated state
then, by Lemma 1, both strings leave the MC in the same
vector-state.
Extend
=
to:
.T~. . . U , .
. ut
U:
. . . U;
< . . . q ; . . . >.
. . . ukr
43 1
(1,
. . , n}.
M(n)
q; of
< . . qj . . . >
. . . , qj, , . . . , qi >
has
start
state
M, maps under 0 to qf,
of MC(n) maps under 0 to
Algorithm D:
Algorithm C:
Input: A positive integer n; a sequence of Os and 1s (produced
Input: A sequence of Os and 1s (produced by a MC with a
by an n-state MC).
finite but unknown number of states).
Output: A sequence of Hs and Ts (independent and
Output: A sequence of Hs and Ts (eventually independent
unbiased).
and unbiased).
Begin:
Begin:
1. Set f(1) := 0.
Apply Algorithm B to input M(n) and the given sequence
2. For n = 1, 2, 3, ._.
of Os and 1s.
do:
End.
Algorithm
C
to
input
(n;
O , ( ~ H ~ O , ( . H. ~. ). until a H or T is produced.
Then
Lemma:
(i) Output that H or T, and
Let MC, be an n-state MC with underlying FSM M, (MI got-
(ii) Set f(n+ 1) := index i such that
ten from MC, by deleting the probabilities on the arrows).
od
MC,. Attach probabilities to the arrows of the universal
End
FSM, M(n), to get a Markov chain MC(n) that simulates M C , ,
by setting pr[Ol<
..
qj . . .
>] := pr(Olq;].
Theorem D:
Then MC(n) is a Markov chain having the same
input/output conditional probabilities (eg., pr[l
O,
caused above H or T to be produced.
Let prl0lq;I = probability attached to the O-arrow out of state
q j of
Apply
I OOlOl
Algorithm D on being input an infinite sequence of Os and Is
) as
produced by a finite state Markov Chain, MC, (no bound given
on the number of states in MC) will output a sequence of Hs
and Ts that is eventually (after some point) independent and
Theorem C:
unbiased. If MC does not enter a periodic cycle, then with
Algorithm C on being input a pair (n; an infinite sequence of
probability 1 the output of algorithm D will be infinitely long.
Os and Is produced by an n-state Markov chain, MC,) will out-
put an independent unbiased sequence of Hs and Ts. If MC,
5. Conclusions
does not enter a periodic cycle, then with probability 1 the
A variety of sources (e.g., back-biased zener diodes) can be
output of algorithm C will be infinitely long.
After an initial delay, algorithm C generates bits in
used to generate truly random (as opposed to pseudo-random)
expected linear time: the expected number of output bits per
sequences. This is important, for example, for producing the seeds
input bit is
' -p-r-'-x!S-->I
,E1
required by pseudo-random number generators.
, where k is the number of n-state
PlQl
Unfortunately, the bits produced by physical sources appear to
FSMs, p r [ < S , > ]
=
probability that MC(n) (see above
not be completely random; rather, the probability of each bit is con-
Lemma) is in state <SI >, and p , = I-q, = probability
ditional on the preceding bits. Producing completely rondom, i.e.,
assigned to the 1-arrow out of <SI>.
432
--(log
1
n).(log* n) independent parallel sources of random bits.
independent and unbiased, bits is difficult primarily because of this
6
dependence. This paper studies how to generate independent
Each source is unknown and arbitrary except that its conditional
unbiased sequences of Hs and Ts from certain correlated sources,
probability of generating a 1 bit at time t (whatever the history of
finite state Markov chains. The study reveals a surprising and coun-
that bit) lies in the interval 16, 1-4, for some Exed 6 > 0.
terintuitive finding: a simple algorithm that one would expect would
In addition to the :above four, I want to thank David
produce independent and unbiased bits from a Markov source is
Blackwell, David Gifford, John Gill, Michael Saks, and Avi Wigder-
shown to fail. This algorithm A is a natural extension of von
son for many valuable discussions.
Neumann’s algorithm for generating unbiased Hs or Ts from a
The students in Berkeley course CS 276, Number Theory and
biased coin.
Cryptography, suffered through the initial discovery and presenta-
Though algorithm A is faulty, a small (but nonobvious)
tion of the material in this paper. I would like to thank each of
modification of it yields a correct algorithm B. The resulting B
them for their participation in this venture!
diBers from A primarily in the time when it elects to output bits. B
uses only slightly more memory than A, is just as frugal as A in its
Bibliography:
use of Markov chain bits, and outputs completely random Hs and Ts
1.
in expected linear time.
Cohen, Josh D. (IQ=), ”How and When to Flip a Biased Coin
Fairly,” Draft paper, Comp. Science Dept., Yale U,, 13 pp.
Theorems A, B, C, D can be extended to the more usual
2.
definition of Markov chain in terms of matrices (n arrows out of
Elias, Peter (1972), ”The Efficient Construction of an Unbiased
Random Sequence,” Ann. Math. Statist. Vol 43, No. 3, 865-
each state, one to each of the n states; each arrow labelled by the
870.
state it goes to rather than by 0 or 1; probabilities attached to all
The following paper has a comprehensive bibliography:
arrows out of a state sum to 1). Theorems A, B, C can be extended
3.
to the problem of generating Hs and Ts in expected linear time with
Stout, Quentin F. and Warren, Bette (1984), ”Tree Algorithms
for Unbiased Coin Toessing with a Biased Coin,” Ann. Prob.
an efficiency that very nearly achieves the entropy of the source
Vol. 12, No. 1, 212-222.
[Elias].
4.
von Neumann, John (11951), ”Various Techniques Use in Connection with Random Digits,” Notes by G. E. Forsythe,
Acknowledgements:
National Bureau of Standards, Applied Math Series, Vol. 12,
Michael Fischer and his student, Josh Cohen, are doing
36-38. Reprinted in won Neumann’s Collected Works, Vol. 5,
interesting work along related lines: they consider how to generate
Pergamon Press ( l a ) ,768-770.
sequences that are as independent and unbiased as possible, given
that an output must be generated for every 100 bits input from a
biased coin.
Miklos Santha and Umesh Vazirani have their own novel
approach: they generate n-biblong random sequences that appear
independent and unbiased to
any (not
necessarily
computable) e t a
tistical test, when the underlying Gource is a collection of
433