Post on 11-Jan-2016
Randomness Extraction: A Survey
David Zuckerman
University of Texas at Austin
Institute for Advanced Study
Weak Random Source
• Random variable X on {0,1}^n.
• General model: X has min-entropy k.
• Flat source: X uniform on a set A ⊆ {0,1}^n with |A| ≥ 2^k.
Weak Random Source
• Examples:
  – k uniform bits; the other bits are a function of these.
  – Each bit a little random: k/n < Pr[X_i = 1 | X_1 = x_1, …, X_{i-1} = x_{i-1}] < 1 - k/n.
Weak Random Source
• Can arise in different ways:
  – Physical source of randomness.
  – Cryptography: condition on the adversary's information, e.g. bounded storage model.
  – Pseudorandom generators (for space-s machines): condition on the TM configuration.
Goal: Extract Randomness
[Figure: Ext takes the n-bit weak source X and outputs m bits, with statistical error ε.]
• Problem: impossible, even for k = n-1, m = 1, ε < 1/2.
Randomness Extractor: Short Seed [Nisan-Z '93, …, Guruswami-Umans-Vadhan '07]
[Figure: Ext takes the n-bit source X and a d-bit seed Y and outputs m = .99k bits, with statistical error ε.]
• Seed Y: d = O(log(n/ε)) random bits.
• Strong extractor: (Ext(X,Y), Y) ≈ Uniform.
Outline
• Seeded Extractors
  – Basic Applications
  – Alternate View with Applications
  – Pseudorandom Generators
• Seedless Extractors for Structured Sources
  – Algebraic sources: independent, affine, …
  – Applications in cryptography
  – Complexity-theoretic sources
Use in Privacy Amplification [Bennett, Brassard, Robert 1985]
• Goal: convert a weak shared secret X into a uniform secret.
• Unbounded passive adversary.
[Figure: one party picks the seed Y and sends it over the public channel.]
• Shared secret = Ext(X,Y). Correct by the strong-extractor definition.
PRGs for Space-Bounded Machines
• Basic PRG: G(x,y) = (x, Ext(x,y)) [Nisan-Z].
• Condition on the configuration v after reading x.
• Whp …
• G: {0,1}^{O(s)} → {0,1}^{poly(s)} fools space-s TMs.
• Sometimes can avoid the union bound!
  – O(log n log log n)-bit seed fools read-once polylog-width "regular" BPs [BRRY '10, BV '10].
  – O(log n)-bit seed fools read-once O(1)-width permutation BPs [KNP].
Graph-Theoretic View: "Expansion"
[Figure: bipartite graph with N = 2^n left vertices, each of degree D = 2^d, and M = 2^m right vertices; the edge labelled y at x leads to Ext(x,y). Every set of K = 2^k left vertices has at least (1-ε)M neighbours, i.e. the output is close to uniform.]
• Can use this to construct expanders beating the eigenvalue bound [WZ].
Constructions of Strong Extractors

| Construction               | Restrictions         | Degree D = 2^d      | Output length m           |
|----------------------------|----------------------|---------------------|---------------------------|
| Existence                  | None                 | (n-k)/ε^2           | k – 2 lg(1/ε)             |
| Leftover Hash Lemma [ILL]  | None                 | 2^n                 | k – 2 lg(1/ε)             |
| GUV 2007                   | None                 | (n/ε)^{O(1)}        | (1-α)k                    |
| GUV 2007                   | None                 | n^{O(log(k/ε))}     | k – 2 lg(1/ε) – O(1)      |
| DKSS 2009                  | ε ≥ 1/log^c n        | n^{O(1)}            | (1 - 1/log^c n)k          |
| Z 2006                     | k = Ω(n), ε = Ω(1)   | O(n)                | (1-α)k                    |
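As an added example (not the talk's own code) for the privacy-amplification slide and the Leftover Hash Lemma row of the table: a Toeplitz-hash strong extractor over GF(2), the LHL output length m = k − 2 lg(1/ε), and an exact computation of the strong-extractor error on a small flat source. The 8-bit source, its free bit positions and the seed value are constructed here for illustration.

```python
import itertools
import math
from collections import Counter

# Added example, not from the talk: privacy amplification with the Leftover
# Hash Lemma.  Ext(x, y) = T_y * x over GF(2), where T_y is the m x n Toeplitz
# matrix built from the (n+m-1)-bit seed y.  Toeplitz matrices are 2-universal,
# so the LHL makes this a strong extractor with error <= (1/2) sqrt(2^(m-k)).

def lhl_output_length(k, eps):
    """Output length m = k - 2 lg(1/eps) from the Leftover Hash Lemma row."""
    return math.floor(k - 2 * math.log2(1 / eps))

def lhl_bound(k, m):
    """Statistical error guaranteed by the LHL for a 2-universal family."""
    return 0.5 * math.sqrt(2 ** (m - k))

def toeplitz_extract(x, seed, n, m):
    """Row i of T_seed is the n-bit window of seed starting at bit i; output
    bit i is the parity of <row i, x>.  Returns the m-bit key as an integer."""
    out = 0
    for i in range(m):
        row = (seed >> i) & ((1 << n) - 1)
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def strong_extractor_error(source, n, m):
    """Exact statistical distance of (Ext(X,Y), Y) from uniform, for X flat on
    `source` and Y a uniform seed, by enumerating every (x, y) pair."""
    d = n + m - 1
    cells = (1 << d) * (1 << m)                  # all (seed, output) pairs
    counts = Counter((y, toeplitz_extract(x, y, n, m))
                     for y in range(1 << d) for x in source)
    total = len(source) * (1 << d)
    dist = sum(abs(c / total - 1 / cells) for c in counts.values())
    dist += (cells - len(counts)) / cells        # pairs never produced
    return dist / 2

# Constructed weak shared secret: 8 bits of which only positions 1, 3, 6, 7
# are uniform and the rest are fixed, i.e. a flat source with min-entropy k=4.
N, K, FREE = 8, 4, (1, 3, 6, 7)
SOURCE = [0b00010001 | sum(b << pos for b, pos in zip(bits, FREE))
          for bits in itertools.product((0, 1), repeat=K)]
M = lhl_output_length(K, eps=0.5)                # m = 2 key bits

if __name__ == "__main__":  # one party picks public seed y, both derive the key
    y = 0b101100111
    print("key", toeplitz_extract(SOURCE[5], y, N, M))
    print("error", strong_extractor_error(SOURCE, N, M), "bound", lhl_bound(K, M))
```

The enumeration is exact only because n, m and the seed are tiny; for real parameters the LHL bound is what one relies on.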
Alternate View
[Figure: fix a set S of right vertices; BAD_S is the set of left vertices x whose D neighbours Ext(x,y) hit S with density differing from μ(S) = |S|/M by more than ε. An extractor makes BAD_S small.]
• Other direction: Error_S ≤ |BAD_S| · 2^{-k} + ε.
Averaging Sampler via Alternate View [Z '96]
• Goal: estimate the mean μ_f of a function f on {0,1}^m.
• Algorithm: pick x ∈ {0,1}^n uniformly; sample f at Γ(x) = {x_1, …, x_D}; output the sample average as the estimate of μ_f.
• Pr[error] = |BAD_f| / 2^n.
• Can use (1+α)m random bits for error 1/poly(m).
Extractor Codes via Alt-View [Ta-Shma-Z 2001]
• List recovery – generalizes list decoding.
• Take a subset S of {0,1}^m: |{codewords with agreement ≥ (μ(S) + ε)D}| ≤ |BAD_S|.
• Extractor codes with efficient decoding give hardcore bits Ext(x,y) w.r.t. the one-way function (f(x), y).
• Codes ↔ Extractors [Tre, TZS, SU, GUV].
Max Clique and Chromatic Number
• [FGLSS, …, Håstad]: Max Clique inapproximable to n^{1-ε}, any ε > 0, assuming NP ⊄ ZPP.
• [LY, …, FK]: Same for Chromatic Number.
• Derandomize with linear-degree extractors. Thm [Z]: both inapproximable to n^{1-ε}, any ε > 0, assuming NP ≠ P.
Pseudorandom Generators
• Cryptographically secure PRGs:
  – Run in time less than the adversary.
  – Exist iff one-way functions exist [HILL].
• PRGs for derandomization:
  – Can take slightly more time than the adversary.
  – Exist iff "hard" functions exist [Nisan-Wigderson, …].
[Figure: PRG maps a random seed to a pseudorandom output.]
PRGs from Hard Functions [Nisan-Wigderson 1988]
[Figure: PRG built from a hard function maps a random seed to an output with computational error ε.]
NW-Style PRGs Give Extractors [Trevisan 1999]
• View x as a hard function f: {0,1}^{lg n} → {0,1}.
  – Most functions are hard.
• Set Ext(x,y) = NW-PRG(f, y).
• Better: Ext(x,y) = NW-PRG(Code(f), y).
[Figure: Ext takes the n-bit source and a seed, with statistical error ε.]
Crypto-Tailored Extractors
• Fuzzy extractors
  – Noise tolerant [Dodis-Ostrovsky-Reyzin-Smith '04].
• Correlation extractors
  – [Ishai-Kushilevitz-Ostrovsky-Sahai '09].
• Non-malleable extractors [Dodis-Wichs '09].
Seedless (Deterministic) Extractors for Structured Sources
• Probabilistic method: if the class contains ≤ … sources of min-entropy k, can deterministically extract m = (1-α)k bits with error 2^{-αk/3}.
• Algebraic sources:
  – Bit-fixing, affine, independent sources.
• Complexity-theoretic sources:
  – AC0 sources, small-space sources.
Independent Sources
[Figure: Ext takes several independent n-bit sources and outputs m = Ω(k) bits, with statistical error ε.]

| Construction | # sources | k = H∞(X)        | Restrictions   |
|--------------|-----------|------------------|----------------|
| Existence    | 2         | k ≥ 2 log n      | None           |
| Bourgain     | 2         | k ≥ .499n        | None           |
| BRSW         | 2         | k ≥ n^α          | Disperser      |
| Li           | 3         | k ≥ n^{1/2+α}    | None           |
| Rao-Z        | 3         | k ≥ n^α          | Uneven lengths |
| Rao, BRSW    | O(1/α)    | k ≥ n^α          | None           |
Cryptography with Weak Sources
• Players have independent weak sources.
• Allow Byzantine faults.
• For 2 players, impossible [DOPS].
• For more players, possible!
  – Network extractor protocols [DO, GSV, KLRZ, KLR].
  – After a network extractor protocol, most honest players end up with good, private randomness. Can then run a standard protocol, e.g. BA.
Network Extractor Protocols
• Naïve idea:
  – A few players broadcast their sources.
  – Remaining players apply an independent-source extractor to those sources and their own source.
  – Problem: what if only malicious players broadcast?
Network Extractor Constructions
• Information-theoretic setting [Kalai-Li-Rao-Z]:
  – For k ≥ exp(log^α n), can still tolerate a linear number of faults in BA and leader election, any α > 0.
• Computational setting [Kalai-Li-Rao]:
  – Under certain crypto assumptions, for k = αn, secure multiparty computation if ≥ 2 honest players.
  – Under certain crypto assumptions, 2-source extractors for k = αn, any α > 0.
Oblivious Bit-Fixing Sources
• Example: ?0010?111??11.
  – ? = uniform on {0,1}.
  – (n-k) bits fixed by the adversary; k uniform bits.
  – Parity extracts 1 bit.
• For k ≥ log^c n, can extract k - o(k) bits [GRS, Rao].
• Application: Exposure-Resilient Cryptography.
  – Adversary learns many bits of the secret key.
  – Can still do cryptography.
Affine Extractors
• X = random element of an affine subspace.
• Generalizes bit-fixing sources.
• Extractor for min-entropy αn, any α > 0 [Bourgain].
• 1-bit disperser for min-entropy exp(log^{.9} n) [Shaltiel].
• Large fields: any k > 0 [Gabizon-Raz].
Complexity-Theoretic Sources
• X = f(U), complexity(f) small.
• Deterministic extraction possible under assumptions [Trevisan-Vadhan '00].
• No assumptions:
  – NC0 [De-Watson '11, Viola '11]
  – AC0 [Viola '11]
  – Proofs reduce to low-weight affine extractors [Rao '09].
Small Space Sources
• Space-s source: min-entropy k source generated by a width-2^s branching program.
[Figure: layered branching program with n+1 layers and width 2^s; each edge is labelled with a transition probability and the output bit it emits, and a random walk from the start state produces the n output bits.]
Bit-Fixing Sources can be modelled by Space-0 Sources
[Figure: the bit-fixing source ? 1 ? ? 0 1 as a width-1 branching program: each ? position has two edges (probability 0.5, output 1) and (probability 0.5, output 0); each fixed position has a single edge of probability 1 emitting the fixed bit.]
Extractors for Small Space Sources
• For k ≥ αn, any α>0, space αβn, β>0 sufficiently small, can extract k-o(k) bits [Kamp-Rao-Vadhan-Z ‘06].
• Proof reduces to variants of independent sources by conditioning on intermediate states.
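An added example (not from the talk) that models the space-s source of the preceding slides as a layered branching program and computes its exact output distribution and min-entropy by walking every path. The "?1??01" pattern is the talk's own; the width-2 "sticky" program, its probabilities and the function names are constructed here.

```python
import math
from fractions import Fraction

# Added example, not from the talk: a space-s source as a layered branching
# program of width 2^s.  prog[layer][state] lists the edges (probability,
# output bit, next state) leaving that state; a random walk from state 0 emits
# one bit per layer.  Walking every path is only feasible for tiny n and is
# meant to check the model exactly, not to sample from it.

def small_space_distribution(prog):
    """Return {bitstring: Pr[X = bitstring]} as exact Fractions."""
    n, dist = len(prog), {}
    def walk(layer, state, prefix, p):
        if layer == n:
            dist[prefix] = dist.get(prefix, Fraction(0)) + p
            return
        for q, bit, nxt in prog[layer][state]:
            walk(layer + 1, nxt, prefix + str(bit), p * q)
    walk(0, 0, "", Fraction(1))
    return dist

def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -math.log2(max(dist.values()))

def bit_fixing_program(pattern):
    """Space-0 (width-1) program for an oblivious bit-fixing source: '?' emits
    a uniform bit, any other character is emitted with probability 1."""
    half = Fraction(1, 2)
    return [{0: [(half, 0, 0), (half, 1, 0)]} if ch == "?"
            else {0: [(Fraction(1), int(ch), 0)]} for ch in pattern]

# Constructed width-2 (space-1) source of 3 bits: state 0 emits 0 with
# probability 3/4 and otherwise moves to state 1, which is a fair coin forever.
STICKY = {0: [(Fraction(3, 4), 0, 0), (Fraction(1, 4), 1, 1)],
          1: [(Fraction(1, 2), 0, 1), (Fraction(1, 2), 1, 1)]}
STICKY_SOURCE = [STICKY] * 3

if __name__ == "__main__":
    for name, prog in [("?1??01", bit_fixing_program("?1??01")),
                       ("sticky", STICKY_SOURCE)]:
        d = small_space_distribution(prog)
        print(name, "min-entropy", round(min_entropy(d), 3), "support", len(d))
```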
Conclusions
• Crypto apps: privacy amplification, crypto using weak sources, exposure-resilient crypto, information reconciliation, leakage-resilient crypto, bounded storage model, OWFs to PRGs, …
[Figure: extractors at the centre, connected to crypto, expanders, coding theory, PRGs and inapproximability.]
Open Questions
• Seeded Extractors
  – O(n) degree for all min-entropy.
  – O(log n) seed to extract k - 2 log(1/ε) - O(1) bits.
• Seedless Extractors
  – 2-source extractors for entropy rate αn, any α > 0.
  – Affine extractors for min-entropy n^α.
  – Other general models.
• Crypto-Tailored Extractors
  – Non-malleable extractors for entropy rate αn.
• Other Applications & Connections.