by akallio9000 4194 days ago
You want your own random bits? Tune your AM radio between stations and record the resulting static to your PC. Grab the low bit from every 10th sample or so and concatenate into a buffer until the desired length is reached. You may want to XOR alternate samples to eliminate any voltage bias your sound card has, to provide equal numbers of 0's and 1's.
4 comments

The NIST beacon means that two people can decide on a random value without trusting each other.

The NIST beacon just requires you trust NIST, and since you're not making an agreement with NIST, even -if- NIST knows the random values ahead of time, it's no use to either party unless they've hacked NIST's secret precalculated list of random values.

All you need is a commitment scheme. This is more secure than having to trust NIST and does not rely on being able to receive their beacon.

Alice and Bob want to decide between Italian or Thai food using a coin flip, but do not trust each other to perform a fair flip. They devise a solution to their dilemma:

1. Alice generates a 512b random number A.

2. Alice performs SHA512(A) and shows the result to Bob who stores this as A_1.

3. Bob generates his own 512b random number B and sends it to Alice.

4. Alice sends A to Bob who stores it as A_2.

5. Bob verifies that A_1 = SHA512(A_2)

6. Both Alice and Bob perform XOR(A, B) and use the least significant bit to determine if they eat Thai or Italian.

Alice is satisfied that XOR(A, B) cannot be predicted by Bob because he sent her B before she revealed A to him.

Bob is satisfied that XOR(A, B) cannot be predicted by Alice because she `committed` to her value of A before he sent his B by sending him the cryptographic hash of it. If Alice tried to change her value of A in response to Bob's B, then Bob would detect it in step 5.

But this can be done without trusting anyone at all (e.g., http://users.cis.fiu.edu/~carbunar/teaching/cis5374.F.2014/s...; cf. pages 90-91 of Applied Cryptography).

Don't xor things that are obviously dependent on each other in any way - such as two samples of radio noise - since you risk eliminating a source of entropy.

On the other hand, you can only increase entropy by xoring things that are obviously independent, such as a software RNG that doesn't know anything about your radio setup, and obviously your radio setup doesn't depend on your software RNG (but make sure of this - it's imaginable, though unlikely, that your radio setup somehow is actually picking up the low bit from your CPU right as you're doing all this xor'ing.)

If you can be guaranteed that sources are independent, you can xor with anything (all zeros if you like, whatever) and it cannot possibly decrease entropy. Set up a chain of xor's.

Why? Because recall: 1) XOR'ing is commutative, so if a good source of entropy is anywhere in the xor list you can rewrite it to be the last element and the value of the expression will be unchanged. 2) A good source of entropy is an OTP, so applying an OTP from a random source as the last step cannot possibly retain any information from previous steps. Even if all the other steps add up to "all zeros", a single good source of entropy xor'd anywhere in the expression will make it perfectly random.

So, as long as you can be assured they're independent, xor all of the sources you want. If they're not independent, though, be careful.

A source of radio entropy is not bad in your 'stack'. But there is no cost to adding half a dozen pseudo RNG's either, the low-bit of the time in milliseconds, and any other source you can think of.

As a tip to increase entropy, draw from your RNG continuously, not only when you need the next value. Then the exact timing of which output you use will end up increasing entropy. Again, this is true if your sources are independent and nothing can play with this entropy by viewing and selectively massaging the final output.

That works until somebody either sets up an antenna close to you and starts being able to gather the same random data as you or, worse, they transmit on the frequency that you are listening to and actively manipulate the random data you are receiving.

XORing samples does not whiten the output. Consider as an example the biased source producing independent & identically distributed (iid) bits, where each bit has a 0.7 probability of being 1 and a 0.3 probability of being 0.

Your suggested whitener would produce 1-bits with probability 0.42 and 0-bits with probability 0.58 - still biased.

An example of a correct whitening algorithm for a source producing iid bits is this: Take two adjacent samples. If they are the same, throw them away; otherwise, take the first sample as the next output.
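
The two whiteners compared in the comment above, side by side, as an added example that is not part of the original thread. The function names, seed and sample size are assumptions, and the biased source is constructed input simulated with Python's seeded PRNG rather than real radio samples.

```python
import random

def xor_pairs(bits):
    """XOR each non-overlapping pair of samples into one output bit."""
    return [a ^ b for a, b in zip(bits[0::2], bits[1::2])]

def von_neumann(bits):
    """Discard equal pairs; for an unequal pair keep the first sample."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def xor_pair_p1(p):
    """Exact P(output = 1) when two iid bits with P(1) = p are XORed."""
    return 2 * p * (1 - p)

def ones_fraction(bits):
    return sum(bits) / len(bits)

def biased_source(p, n, seed):
    """Constructed input: n iid bits with P(1) = p (seeded PRNG, demo only)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]

def compare(p=0.7, n=200_000, seed=1):
    """Measure the bias left by each whitener on the same biased stream."""
    raw = biased_source(p, n, seed)
    xored, extracted = xor_pairs(raw), von_neumann(raw)
    return {
        "raw_ones": ones_fraction(raw),
        "xor_ones": ones_fraction(xored),
        "vn_ones": ones_fraction(extracted),
        "vn_yield": len(extracted) / n,  # output bits per input bit
    }

if __name__ == "__main__":
    print("exact P(1) after XOR of pairs:", xor_pair_p1(0.7))
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

The pair-discarding extractor pays for its unbiased output in throughput: it emits p(1-p) bits per input bit, about 0.21 at p = 0.7, and its guarantee holds only while the input bits really are iid.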