Toeplitz Strong Extractor
- Toeplitz Strong Extractor is a strong seeded randomness extractor that uses Toeplitz-matrix based universal hashing to convert weak entropy sources into nearly uniform random outputs.
- It supports both block and streaming methods, enabling efficient online extraction with reduced latency and simplified hardware implementations.
- The design leverages FFT-based convolution and structured matrix variants to optimize performance while ensuring rigorous security via the leftover-hash lemma.
Toeplitz Strong Extractor (TSE) denotes the use of Toeplitz-matrix universal hashing as a strong seeded randomness extractor, typically in quantum random number generation and related privacy-amplification settings. In this formulation, the extractor maps an -bit weak source and an independent seed to an -bit output that is close to uniform even when the seed is public, provided the source has sufficient min-entropy and the output length satisfies the leftover-hash bound (Chouhan et al., 3 May 2025). Recent work places Toeplitz-based strong extractors inside a broader stream-extractor framework grounded in universal and almost dual universal hashing, and proves that a stream implementation preserves the same quantum-proof security guarantees as the original block-wise protocol under quantum side information (Luan et al., 10 May 2026).
1. Formal definition and extractor model
A strong randomness extractor is defined as
where is a weak source over , is a uniform seed of length independent of , 0 is a uniform 1-bit string, and 2 denotes statistical distance at most 3 (Chouhan et al., 3 May 2025). In the quantum setting, a seeded extractor 4 is strong if, for any classical-quantum state 5 with 6 and a perfect seed 7, the joint output satisfies
8
with a smoothing correction 9 when 0 (Luan et al., 10 May 2026).
In QRNG practice, TSE denotes the universal1 Toeplitz extractor that is strong in the seed, typically with public 2 and output length 3 chosen via the quantum Leftover Hash Lemma (QLHL) (Luan et al., 10 May 2026). The security claim is information-theoretic rather than computational: even if the seed is known, the output remains 4-close to uniform so long as the seed is uniform and independent of the source (Chouhan et al., 3 May 2025).
The canonical rate bound is the leftover-hash condition
5
or, in the quantum formulation used throughout the stream-extraction framework,
6
with the final trace-distance bound becoming 7 under smoothing (Luan et al., 10 May 2026, Chouhan et al., 3 May 2025). Theorem 1 of the stream-extraction paper states that any universal8 family indexed by a uniform seed forms an 9 quantum-proof strong extractor with error 0 (Luan et al., 10 May 2026).
2. Toeplitz hashing as a universal1 strong extractor
An 2 Toeplitz matrix is determined by its first column and first row, with the first element shared, so the seed length is
3
(Chouhan et al., 3 May 2025). In the notation of the stream-extraction work, an 4 Toeplitz matrix 5 is determined by a seed 6, and the extractor computes over 7
8
Toeplitz matrices instantiate a universal9 family. For any distinct 0,
1
(Chouhan et al., 3 May 2025), and equivalently for the full Toeplitz family 2,
3
for any distinct 4 (Luan et al., 10 May 2026). This universal5 property is the algebraic basis for applying the leftover-hash lemma and obtaining strong-extractor security.
The extractor itself is the linear map
6
with each output bit expressible as a sliding-window XOR convolution over 7:
8
(Chouhan et al., 3 May 2025). This representation is central in both software and hardware implementations because it avoids materializing the full matrix and exposes regular structure for convolution, XOR reduction, and parallelization.
For large dimensions, Toeplitz multiplication reduces to an FFT-based linear convolution of length 9 with complexity 0 (Luan et al., 10 May 2026). The stream-extraction paper gives the explicit convolution identity
1
with 2 (Luan et al., 10 May 2026). This FFT interpretation underlies the comparison between block and stream modes.
3. Quantum-proof security and parameter selection
Under universal3 hashing, the QLHL gives the security-rate trade-off used to parameterize TSE under quantum side information (Luan et al., 10 May 2026). If 4, then choosing
5
achieves trace distance at most 6 (Luan et al., 10 May 2026). The same functional dependence appears in the classical strong-extractor presentation of Toeplitz hashing, where 7 is the necessary extraction condition (Chouhan et al., 3 May 2025).
For practitioners, the stream-extraction framework states that one should estimate 8 with appropriate finite-size or non-i.i.d. analyses, use conservative entropy-rate assumptions to ensure composable security, choose 9 with a safety margin to accommodate smoothing and confidence intervals, and report 0 (Luan et al., 10 May 2026). It explicitly notes that overestimating 1 relative to 2 increases 3, whereas underestimating the entropy rate is safe but reduces the extraction rate (Luan et al., 10 May 2026).
The paper’s benchmarks use 4 and 5, which is described as negligible compared to 6–7 (Luan et al., 10 May 2026). By contrast, the FPGA implementation adopts a much smaller block size and a weaker benchmark security parameter: 8, 9 bits per block, and 0, yielding 1 and extraction ratio 2 (Chouhan et al., 3 May 2025). Additional extraction ratios 3 are also evaluated there, with corresponding seed lengths 4 (Chouhan et al., 3 May 2025).
A common misconception is that passing statistical tests suffices to establish extractor security. The sources distinguish these notions sharply. Information-theoretic security is derived from universal hashing and the leftover-hash bound, while NIST STS 2.1.2 is used only as a finite-sample sanity check (Chouhan et al., 3 May 2025, Luan et al., 10 May 2026).
4. From block Toeplitz extraction to stream Toeplitz extraction
Conventional Toeplitz extraction evaluates 5 on a complete accumulated block 6, which incurs FFT latency and requires buffering the entire block before extraction (Luan et al., 10 May 2026). The stream formulation generalizes a stream-cipher-like implementation by shifting the expensive linear computation into an offline pre-processing stage that generates a pseudo-random mask, after which the online path consists only of XOR and slicing (Luan et al., 10 May 2026). The paper emphasizes that this is still privacy amplification under universal7 hashing rather than computational stream-cipher security (Luan et al., 10 May 2026).
For the standard Toeplitz stream extractor, the procedure is as follows (Luan et al., 10 May 2026):
- Choose 8 uniformly and 9 uniformly and independently of 0.
- Construct a Toeplitz matrix 1 of size 2 from 3.
- Compute the 4-bit mask 5.
- As raw bits arrive, compute 6 on the fly and output the first 7 bits:
8
This defines
9
with seed 0 and stream seed length
1
(Luan et al., 10 May 2026). The paper states that the stream Toeplitz construction is algebraically equivalent to TSE: it realizes the same linear map but computes the “keystream” 2 offline and produces outputs 3 online (Luan et al., 10 May 2026).
The main theorem is that streaming strictly preserves the quantum-proof security guarantees of the original block-wise protocol (Luan et al., 10 May 2026). The proof relies on Tsurumaru’s equivalence between privacy amplification and error correction with quantum side information: linear universal4 hashing implements both tasks, so replacing explicit hash evaluation by a precomputed linear mask and an online XOR is an algebraic rearrangement of the same linear map (Luan et al., 10 May 2026). With seeds chosen uniformly and independently of 5 and 6, the stream output satisfies
7
with the same 8 as in the block protocol (Luan et al., 10 May 2026).
The strong property is preserved in 9, and the paper explicitly states that 00 can be reused across extractions, while the last 01 bits of 02 can be harvested to refresh 03 for another extraction with a small additive increase in 04 (Luan et al., 10 May 2026). At the same time, it warns that the exact mask 05 must not be reused across multiple raw blocks without care, because such reuse induces linear relations between outputs (Luan et al., 10 May 2026).
5. Structured variants: circulant and modified Toeplitz families
The stream-extraction framework extends beyond standard Toeplitz matrices to circulant and modified Toeplitz constructions (Luan et al., 10 May 2026). This situates TSE within a broader family of linear extractors that preserve the same leftover-hash rate while trading seed length, algebraic structure, and convolution cost.
| Family | Block seed length 06 | Stream seed length 07 |
|---|---|---|
| Toeplitz | 08 | 09 |
| Circulant | 10 | 11 |
| Modified Toeplitz | 12 | 13 |
The circulant extractor uses universal14 circulant hashing with seed length 15 (Luan et al., 10 May 2026). For raw 16, one pads 17, forms the circulant 18, and computes
19
(Luan et al., 10 May 2026). The stream conversion chooses 20, pads 21, builds 22, chooses 23, computes the 24-bit mask
25
and streams out 26 (Luan et al., 10 May 2026). The paper states that this stream extractor is strong and preserves the block-mode 27 under QLHL when seeds are uniform and independent (Luan et al., 10 May 2026).
Modified Toeplitz, associated in the source with Hayashi–Tsurumaru’s almost dual universal28 construction, uses an 29-bit seed and preserves the same leftover-hash rate 30 (Luan et al., 10 May 2026). The relevant condition is
31
for all 32 (Luan et al., 10 May 2026). In block form, the structured matrix 33 yields
34
with FFT-accelerated Toeplitz-like convolution 35 plus 36 XOR (Luan et al., 10 May 2026). In stream form, one chooses 37 and 38, builds 39, computes
40
and outputs 41 (Luan et al., 10 May 2026). The same soundness 42 is preserved, and the extractor is strong in 43 (Luan et al., 10 May 2026).
This broader perspective suggests that “Toeplitz Strong Extractor” is often used narrowly in QRNG engineering, while the underlying algebra belongs to a larger class of linear, quantum-proof, seed-based extractors (Luan et al., 10 May 2026).
6. Algorithmics, hardware realization, and operational constraints
The computational profile of TSE depends strongly on whether it is implemented in block or stream mode. The stream-extraction paper summarizes the asymptotic costs as follows: block Toeplitz requires 44, stream Toeplitz mask generation requires 45 with online XOR cost 46, block circulant requires 47, stream circulant mask generation requires 48 with online XOR cost 49, and block modified Toeplitz requires 50 while the stream version requires 51 plus linear concatenation and online XOR 52 (Luan et al., 10 May 2026).
At high entropy rates, the paper states that stream Toeplitz gains runtime by shortening the effective convolution length from 53 to 54, whereas circulant and modified Toeplitz already have convolution length 55 in both modes and therefore show smaller block/stream differences (Luan et al., 10 May 2026). It further notes that stream-total time equals mask-generation time plus read-and-XOR time, and that the qualitative gain comes from shifting nontrivial computation offline and reducing online latency and buffer requirements (Luan et al., 10 May 2026).
A concrete FPGA realization of block TSE is reported in “FPGA-based Toeplitz Strong Extractor for Quantum Random Number Generators” (Chouhan et al., 3 May 2025). The implementation uses a Xilinx VC709 FPGA at 200 MHz, with block size 56, parallelism 57, and batch size 58 input bits (Chouhan et al., 3 May 2025). The design stores the raw block 59 and the Toeplitz string 60 of length 61, aligns successive length-62 substrings of 63 with 64, and performs bitwise AND followed by pipelined XOR reduction for each output bit (Chouhan et al., 3 May 2025). Forty identical per-block extractor engines run in parallel, and sliding-window generation avoids materializing the full matrix (Chouhan et al., 3 May 2025).
The measured throughput is 26.57 Gbps at 65, 13.30 Gbps at 66, and 9.99 Gbps at 67 (Chouhan et al., 3 May 2025). The one-time overhead per run is 100,274 cycles, approximately 502 68s at 200 MHz, and the cycles per extraction are 6,021 for 69, 10,021 for 70, 12,021 for 71, and 16,021 for 72 (Chouhan et al., 3 May 2025). The source attributes the throughput decline with increasing 73 to the growth in 74 and in the Toeplitz string length, which increases the amount of AND/XOR work per extraction (Chouhan et al., 3 May 2025).
Several implementation caveats are explicit in the two sources. Synchronization matters in stream mode: XOR must align bit-for-bit, and loss, insertion, or jitter in the raw stream corrupts 75; a counter or frame marker aligned to 76 is suggested as mitigation (Luan et al., 10 May 2026). In hardware, correctness depends on avoiding timing hazards in XOR trees, ensuring no metastability in shift registers, and properly zeroizing seed and intermediate buffers if sensitive (Chouhan et al., 3 May 2025). For deployment, seed independence is critical: the FPGA paper notes that its LFSR-based seed generation from raw data is an engineering convenience for benchmarking and strictly compromises the strong-extractor assumption, so an independent seed source should be used in practice (Chouhan et al., 3 May 2025).
7. Validation, misconceptions, and design guidance
The two papers distinguish extractor security, empirical validation, and deployment practice with considerable precision. In the FPGA study, raw data from an in-house phase-noise-based QRNG digitized by an 8-bit ADC is processed, the min-entropy is evaluated as 2.6 bits per 8 raw bits, and NIST STS 2.1.2 is applied to raw and extracted outputs (Chouhan et al., 3 May 2025). The datasets are 800 Kbits of raw data split into 100 sequences of length 8000 and 240 Kbits of extracted data split into 30 sequences of length 8000; Random Excursions and Random Excursions Variant are undefined because of small sample sizes, and some post-extraction failures are attributed to data-size limitations (Chouhan et al., 3 May 2025). The reported conclusion is that post-processed data exhibits markedly improved statistical behavior compared to raw data (Chouhan et al., 3 May 2025).
The stream-extraction paper likewise states that extracted outputs pass NIST SP 800-22 tests for finite-sample sanity in addition to information-theoretic security (Luan et al., 10 May 2026). A plausible implication is that empirical test batteries remain useful as implementation checks, but not as replacements for entropy estimation and QLHL-based parameter selection.
Several recurrent misconceptions are directly addressed by the source material. First, public seeds do not invalidate TSE; strong extractors are defined precisely so that security holds jointly with the seed (Chouhan et al., 3 May 2025, Luan et al., 10 May 2026). Second, reusing a public seed 77 is not the same as reusing the effective mask 78; the former is compatible with the strong property, while the latter can induce linear relations unless the protocol explicitly accounts for them (Luan et al., 10 May 2026). Third, statistical success alone does not certify privacy-amplification security; the decisive requirement is a valid lower bound on min-entropy and independent seed generation (Chouhan et al., 3 May 2025, Luan et al., 10 May 2026).
The design checklist given for streaming TSE under quantum side information is explicit (Luan et al., 10 May 2026). One fixes a target 79, obtains a conservative bound 80, chooses 81 with possible safety margin, chooses among Toeplitz, circulant, and modified Toeplitz depending on seed-length and complexity trade-offs, generates the mask 82 offline from independent seeds, XORs with the incoming raw stream online, and validates outputs statistically while reporting 83 for composable security (Luan et al., 10 May 2026). Within this framework, TSE is best understood as a universal84 linear hash whose block and streaming realizations are algebraically equivalent, but operationally different in latency, buffering, and seed-management requirements (Luan et al., 10 May 2026).