
Randomness Extraction: A Survey


Presentation Transcript


  1. Randomness Extraction: A Survey David Zuckerman University of Texas at Austin Institute for Advanced Study

  2. Weak Random Source • Random variable X on {0,1}^n. • General model: min-entropy at least k, i.e. Pr[X = x] ≤ 2^{-k} for every x. • Flat source: uniform on a set A ⊆ {0,1}^n with |A| ≥ 2^k.

  3. Weak Random Source • Examples: • k uniform bits; the other n−k bits a function of these. • Each bit a little random: k/n < Pr[X_i = 1 | X_1 = x_1, …, X_{i−1} = x_{i−1}] < 1 − k/n.

  4. Weak Random Source • Can arise in different ways: • Physical source of randomness. • Cryptography: condition on adversary’s information, e.g. bounded storage model. • Pseudorandom generators (for space s machines): condition on TM configuration.

  5. Goal: Extract Randomness • Ext: n bits (min-entropy k) → m bits, with statistical error ε. • Problem: with no seed this is impossible, even for k = n−1, m = 1, ε < 1/2.

  6. Randomness Extractor: short seed [Nisan-Z ‘93, …, Guruswami-Umans-Vadhan ‘07] • Ext takes the n-bit weak source X and a d-bit uniform seed Y and outputs m bits with statistical error ε. • d = O(log(n/ε)) random seed bits, m = .99k output bits. • Strong extractor: (Ext(X,Y), Y) ≈ Uniform, i.e. the output is close to uniform even given the seed.

  7. Outline • Seeded Extractors • Basic Applications • Alternate View with Applications • Pseudorandom Generators • Seedless Extractors for Structured Sources • Algebraic sources: independent, affine, … • Applications in cryptography • Complexity-theoretic sources

  8. Use in Privacy Amplification [Bennett, Brassard, Robert 1985] • Goal: convert a weak shared secret X into a uniform secret. • Unbounded passive adversary; the channel is public. • One party picks the seed Y and sends it over the public channel; shared secret = Ext(X,Y). • Correct by the strong extractor definition: (Ext(X,Y), Y) ≈ uniform, so the adversary, who sees Y, learns nothing useful about Ext(X,Y).

  9. PRGs for Space-Bounded Machines • Basic PRG: G(x,y) = (x, Ext(x,y)) [Nisan-Z]. • Condition on the configuration v of the machine after it reads x. • Whp over v, x still has high min-entropy given v (a configuration of a space-s machine carries only s bits), so Ext(x,y) looks uniform to the rest of the computation. • G: {0,1}^{O(s)} → {0,1}^{poly(s)} fools space-s TMs. • Sometimes can avoid the union bound! • O(log n log log n)-bit seed fools read-once polylog-width “regular” BPs [BRRY ‘10, BV ‘10]. • O(log n)-bit seed fools read-once O(1)-width permutation BPs [KNP].

  10. Graph-Theoretic View: “Expansion” • Bipartite graph: left side {0,1}^n (N = 2^n vertices), right side {0,1}^m (M = 2^m vertices), left degree D = 2^d; x is adjacent to Ext(x,y) for each seed y. • Extractor ⇒ every set of K = 2^k left vertices has at least (1−ε)M neighbours, since its output is ε-close to uniform. • Can use this to construct expanders beating the eigenvalue bound [WZ].

  11. Constructions of Strong Extractors

  12. Alternate View • Same bipartite graph: N = 2^n left vertices, M = 2^m right vertices, degree D = 2^d. • For a set S of outputs, BAD_S is the set of x whose D neighbours land in S a fraction of the time that differs from μ(S) by more than ε. • Extractor ⇒ |BAD_S| < 2^k for every S (otherwise a flat source on BAD_S would have output far from uniform). • Other direction: Error_S ≤ |BAD_S|·2^{-k} + ε.

  13. Averaging Sampler via Alternate View [Z ‘96] • Goal: estimate the mean μ_f of a function f on {0,1}^m. • Algorithm: pick x ∈ {0,1}^n uniformly; sample f at Γ(x) = {x_1, …, x_D}, the D neighbours of x; output the sample mean as the estimate of μ_f. • Pr[error] = |BAD_f|/2^n. • Can use (1+α)m random bits for error 1/poly(m).
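The following is an added example and not code from the slides: it builds a strong seeded extractor from a universal hash family (an m×n Toeplitz matrix over GF(2), justified by the Leftover Hash Lemma rather than by the Nisan-Zuckerman or GUV constructions the survey cites), measures its strong-extractor error exactly (slide 6), uses it for privacy amplification (slide 8), and uses the neighbourhood Γ(x) as an averaging sampler (slide 13). The parameters n=8, k=5, m=2, the flat source A and the test set S={00,11} are constructed for illustration and kept tiny so every quantity can be enumerated.

```python
"""Added example, not from the slides: a strong seeded extractor built from a
universal hash family (an m x n Toeplitz matrix over GF(2), justified by the
Leftover Hash Lemma rather than the Nisan-Zuckerman / GUV constructions the
survey cites), used (a) to compute the strong-extractor error exactly,
(b) for privacy amplification (slide 8) and (c) as an averaging sampler over
the neighbourhood Gamma(x) (slide 13).  Sizes and the weak source below are
constructed for illustration and are tiny so everything can be enumerated."""
import random
from fractions import Fraction
from math import log2, sqrt

N_BITS, K_BITS, M_BITS = 8, 5, 2        # source length n, min-entropy k, output m
SEED_BITS = N_BITS + M_BITS - 1         # d = n + m - 1 seed bits for a Toeplitz matrix


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps x -> probability."""
    return -log2(float(max(dist.values())))


def flat_source(n, k, rng):
    """Flat source: uniform on a constructed set A of 2^k n-bit strings."""
    return {x: Fraction(1, 2 ** k) for x in rng.sample(range(2 ** n), 2 ** k)}


def ext(x, y, n=N_BITS, m=M_BITS):
    """Ext(x, y) = T_y x over GF(2): T_y is the m x n Toeplitz matrix whose
    entry (i, j) is bit i - j + n - 1 of the (n + m - 1)-bit seed y.
    {T_y} is a universal hash family, so the Leftover Hash Lemma applies."""
    out = 0
    for i in range(m):
        bit = 0
        for j in range(n):
            bit ^= (x >> j) & (y >> (i - j + n - 1)) & 1
        out = (out << 1) | bit
    return out


def strong_error(src, n=N_BITS, m=M_BITS):
    """Exact SD((Ext(X,Y), Y), (U_m, Y)): average over seeds y of SD(Ext(X,y), U_m)."""
    u, total = Fraction(1, 2 ** m), Fraction(0)
    for y in range(2 ** (n + m - 1)):
        out = [Fraction(0)] * 2 ** m
        for x, p in src.items():
            out[ext(x, y, n, m)] += p
        total += sum(abs(q - u) for q in out) / 2
    return total / 2 ** (n + m - 1)


def lhl_bound(k=K_BITS, m=M_BITS):
    """Leftover Hash Lemma: error <= (1/2) sqrt(2^(m - k)) for every min-entropy-k source."""
    return 0.5 * sqrt(2 ** (m - k))


def privacy_amplification(x_alice, x_bob, rng):
    """One party picks the seed and sends it over the public channel; both sides
    apply Ext.  A passive eavesdropper sees y but, by the strong-extractor
    property, the key is still close to uniform given y."""
    y = rng.getrandbits(SEED_BITS)
    return y, ext(x_alice, y), ext(x_bob, y)


def sampler_estimate(f, x):
    """Estimate the mean of f over {0,1}^m from the D = 2^d neighbours
    Gamma(x) = {Ext(x, y) : y}, spending only the n random bits of x."""
    return Fraction(sum(f(ext(x, y)) for y in range(2 ** SEED_BITS)), 2 ** SEED_BITS)


def bad_fraction(f, eps, n=N_BITS, m=M_BITS):
    """|BAD_f| / 2^n, the sampler's failure probability for tolerance eps.
    2^k x's erring in the same direction would form a flat source on which Ext
    fails, so |BAD_f| < 2 * 2^k whenever eps >= lhl_bound()."""
    mu = Fraction(sum(f(z) for z in range(2 ** m)), 2 ** m)
    bad = sum(1 for x in range(2 ** n) if abs(sampler_estimate(f, x) - mu) > eps)
    return Fraction(bad, 2 ** n)


def demo():
    rng = random.Random(2024)                  # fixed so the run is reproducible
    src = flat_source(N_BITS, K_BITS, rng)
    x = rng.choice(sorted(src))                # the weak secret both parties hold
    y, key_alice, key_bob = privacy_amplification(x, x, rng)
    in_s = lambda z: 1 if z in (0, 3) else 0   # indicator of S = {00, 11}, mean 1/2
    return {
        "min_entropy": min_entropy(src),
        "error": float(strong_error(src)),
        "lhl_bound": lhl_bound(),
        "seed": y, "key_alice": key_alice, "key_bob": key_bob,
        "bad_fraction": float(bad_fraction(in_s, lhl_bound())),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The error is computed exactly with rationals, so the run checks the Leftover Hash Lemma bound ½·√(2^{m−k}) rather than trusting it; the sampler's failure fraction stays below 2·2^k/2^n = 1/4 for this tolerance, which is exactly the "alternate view" argument of slides 12 and 13 carried out on a graph small enough to enumerate.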

  14. Extractor Codes via Alt-View [Ta-Shma-Z 2001] • List recovery generalizes list decoding. • Take a subset S of the output space: |{codewords with agreement ≥ (μ(S) + ε)D with S}| ≤ |BAD_S|. • Extractor codes with efficient decoding give hardcore bits Ext(x,y) with respect to the one-way function (f(x), y). • Codes ↔ Extractors [Tre, TZS, SU, GUV].

  15. Max Clique and Chromatic Number • [FGLSS, …, Håstad]: Max Clique inapproximable to within n^{1−ε}, any ε > 0, assuming NP ≠ ZPP. • [LY, …, FK]: same for Chromatic Number. • Derandomize with linear-degree extractors: Thm [Z]: both inapproximable to within n^{1−ε}, any ε > 0, assuming NP ≠ P.

  16. Pseudorandom Generators • PRG: short random seed → long pseudorandom string. • Cryptographically secure PRGs: run in time less than the adversary; exist iff one-way functions exist [HILL]. • PRGs for derandomization: can take slightly more time than the adversary; exist iff “hard” functions exist [Nisan-Wigderson, …].

  17. PRGs from Hard Functions [Nisan-Wigderson 1988] • Inputs: a hard function and a short random seed; output: a pseudorandom string with computational error ε.

  18. NW-Style PRGs Give Extractors [Trevisan 1999] • View the n-bit source x as the truth table of a function f: {0,1}^{lg n} → {0,1}. • Most functions are hard. • Set Ext(x,y) = NW-PRG(f, y), with the seed y as the PRG seed; the output has statistical error ε. • Better: Ext(x,y) = NW-PRG(Code(f), y).

  19. Crypto-Tailored Extractors • Fuzzy extractors • Noise tolerant [Dodis-Ostrovsky-Reyzin-Smith ‘04] • Correlation extractors • [Ishai-Kushilevitz-Ostrovsky-Sahai ‘09]. • Non-malleable extractors [Dodis-Wichs ‘09]

  20. Seedless (Deterministic) Extractors for Structured Sources • Probabilistic method: for any class of at most [bound not shown] sources of min-entropy k, one can deterministically extract m = (1−α)k bits with error 2^{−αk/3}. • Algebraic sources: bit-fixing, affine, independent sources. • Complexity-theoretic sources: AC0 sources, small-space sources.

  21. Independent Sources • Ext takes two independent n-bit sources, each of min-entropy k, and outputs m = Ω(k) bits with statistical error ε.

  22. Independent Sources

  23. Cryptography with Weak Sources • Players have independent weak sources. • Allow Byzantine faults. • For 2 players, impossible [DOPS]. • For more players, possible! • Network extractor protocols [DO, GSV, KLRZ, KLR]. • After a network extractor protocol, most honest players end up with good, private randomness. They can then run a standard protocol, e.g., Byzantine agreement (BA).

  24. Network Extractor Protocols • Naïve idea: • A few players broadcast sources. • Remaining players apply independent-source extractor to those sources and own source. • Problem: what if only malicious players broadcast?

  25. Network Extractor Constructions • Information-theoretic setting [Kalai-Li-Rao-Z]: for k ≥ exp(log^α n), any α > 0, can still tolerate a linear number of faults in BA and leader election. • Computational setting [Kalai-Li-Rao]: under certain crypto assumptions, for k = αn, secure multiparty computation if ≥ 2 honest players. • Under certain crypto assumptions, 2-source extractors for k = αn, any α > 0.

  26. Oblivious Bit-Fixing Sources • Example: ?0010?111??11. • ? = uniform on {0,1}. • (n−k) bits fixed by the adversary; k uniform bits. • Parity extracts 1 bit. • For k ≥ log^c n, can extract k − o(k) bits [GRS, Rao]. • Application: Exposure Resilient Cryptography. • Adversary learns many bits of the secret key. • Can still do cryptography.

  27. Affine Extractors • X = random element of an affine subspace. • Generalizes bit-fixing sources. • Extractor for min-entropy αn, any α > 0 [Bourgain]. • 1-bit disperser for min-entropy exp(log^{0.9} n) [Shaltiel]. • Large fields: any k > 0 [Gabizon-Raz].

  28. Complexity-Theoretic Sources • X=f(U), complexity(f) small. • Deterministic extraction possible under assumptions [Trevisan-Vadhan ‘00]. • No assumptions: • NC0 [De-Watson ‘11, Viola ‘11] • AC0 [Viola ‘11] • Proofs reduce to low-weight affine extractors [Rao ‘09].

  29. Small Space Sources • Space s source: min-entropy k source generated by a width-2^s branching program. • The program has n+1 layers of width 2^s; each edge is labelled with a transition probability and the output bit it emits (the figure shows labels such as 0.1,0 and 0.8,1).

  30. Bit Fixing Sources can be modelled by Space 0 sources • Width-1 program: a fixed bit is a single edge of probability 1 emitting that bit; a ? is a pair of edges of probability 0.5 emitting 0 and 1. • Example from the figure: ?1??01.
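The following is an added example, not code from the slides: it represents the branching-program sources of slides 29 and 30 as plain Python data (a list of layers, each mapping a state to edges labelled with a probability, an output bit and a next state), writes the bit-fixing source of slide 26 as a space-0 program, and computes exact output distributions by walking the layers. The "sticky" width-2 source with repeat probability 4/5 is constructed here to show a small-space source on which parity fails, while parity of any bit-fixing source with k ≥ 1 is exactly uniform.

```python
"""Added example, not from the slides: the width-2^s branching-program sources
of slides 29-30 as plain Python data, with a bit-fixing source (slide 26)
written as a space-0 program.  Exact distributions are computed by walking the
layers, so one can check that parity extracts an exactly uniform bit from a
bit-fixing source but not from a constructed width-2 'sticky' source."""
from fractions import Fraction
from math import log2


def bit_fixing_program(pattern):
    """Space-0 source for a pattern such as '?0010?111??11': one state per
    layer; a fixed bit is one edge of probability 1, '?' two edges of 1/2.
    Each layer maps state -> [(probability, output bit, next state), ...]."""
    layers = []
    for c in pattern:
        if c == "?":
            layers.append({0: [(Fraction(1, 2), 0, 0), (Fraction(1, 2), 1, 0)]})
        else:
            layers.append({0: [(Fraction(1), int(c), 0)]})
    return layers


def sticky_program(n, stay=Fraction(4, 5)):
    """Constructed space-1 (width 2) source: the state is the last output bit
    and the next bit repeats it with probability `stay`; first bit uniform."""
    first = {0: [(Fraction(1, 2), 0, 0), (Fraction(1, 2), 1, 1)]}
    step = {0: [(stay, 0, 0), (1 - stay, 1, 1)],
            1: [(stay, 1, 1), (1 - stay, 0, 0)]}
    return [first] + [step] * (n - 1)


def source_distribution(layers, start=0):
    """Exact Pr[X = x] for every n-bit string x the program can emit."""
    frontier = {start: {"": Fraction(1)}}        # state -> {prefix: probability}
    for layer in layers:
        nxt = {}
        for state, prefixes in frontier.items():
            for p, bit, to in layer[state]:
                bucket = nxt.setdefault(to, {})
                for prefix, q in prefixes.items():
                    s = prefix + str(bit)
                    bucket[s] = bucket.get(s, Fraction(0)) + p * q
        frontier = nxt
    dist = {}
    for prefixes in frontier.values():
        for s, q in prefixes.items():
            dist[s] = dist.get(s, Fraction(0)) + q
    return dist


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -log2(float(max(dist.values())))


def output_distribution(dist, extractor):
    """Push the source distribution through a deterministic extractor."""
    out = {}
    for x, p in dist.items():
        out[extractor(x)] = out.get(extractor(x), Fraction(0)) + p
    return out


def parity(x):
    return x.count("1") % 2


def subset_parity(positions):
    """XOR of the chosen positions; on a bit-fixing source this is uniform
    iff at least one of the positions is a '?'."""
    return lambda x: sum(int(x[i]) for i in positions) % 2


def is_uniform_bit(out):
    return out.get(0, 0) == Fraction(1, 2) and out.get(1, 0) == Fraction(1, 2)


if __name__ == "__main__":
    bf = source_distribution(bit_fixing_program("?0010?111??11"))
    print("bit-fixing: min-entropy", min_entropy(bf), "parity uniform:",
          is_uniform_bit(output_distribution(bf, parity)))
    st = source_distribution(sticky_program(4))
    print("sticky: min-entropy", round(min_entropy(st), 3), "Pr[parity = 1] =",
          output_distribution(st, parity)[1])
```

For the sticky source the parity of four bits equals the XOR of the second and fourth transition indicators, so Pr[parity = 1] = 2·(1/5)(4/5) = 8/25 even though the source has min-entropy close to 2; this is why slide 31 needs to condition on intermediate states rather than reuse the bit-fixing extractor.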

  31. Extractors for Small Space Sources • For k ≥ αn, any α>0, space αβn, β>0 sufficiently small, can extract k-o(k) bits [Kamp-Rao-Vadhan-Z ‘06]. • Proof reduces to variants of independent sources by conditioning on intermediate states.

  32. Conclusions • Extractors connect to expanders, coding theory, inapproximability, PRGs and crypto. • Crypto apps: privacy amplification, crypto using weak sources, exposure-resilient crypto, information reconciliation, leakage-resilient crypto, bounded storage model, OWFs to PRGs, …

  33. Open Questions • Seeded Extractors • O(n) degree for all min-entropy. • O(log n) seed to extract k − 2 log(1/ε) − O(1) bits. • Seedless Extractors • 2-source extractors for entropy rate αn, any α > 0. • Affine extractors for min-entropy n^α. • Other general models. • Crypto-Tailored Extractors • Non-malleable extractors for entropy rate αn. • Other Applications & Connections.
