Deterministic extractors for bit- fixing sources by obtaining an independent seed Ariel Gabizon Ran Raz Ronen Shaltiel Seedless.

Deterministic extractors for bit-fixing sources by obtaining an independent seed

Ariel GabizonRan Raz

Ronen Shaltiel

Seedless

Randomness extractors (motivation)Randomness is essential in Computer

Science: Cryptography (!!) Distributed Protocols (!) Probabilistic Algorithms (?)

Algorithm designers always assume that we have access to a stream of independent unbiassed coin tosses.

How can we obtain random bits?

Refining randomness from nature

We have access to distributions in nature:

Weather (?) Particle reactions Key strokes of user Timing of past eventsThese distributions are

“somewhat random” but not “truly random”.

Solution: Randomness Extractors

random coins

Probabilistic algorithm

input

output

Somewhat random

RandomnessExtractor

Randomness Extractors: Definition and two flavors

C is a class of distributions over n bit strings.

A deterministic (seedless) C-extractor is a function E such that for every XєC, E(X) is ε-close to uniform.

A seeded C-extractor has an additional (short i.e. log n) independent random seed as input.

source distribution from C

Extractorseed

random output

DeterministicSeeded

Two distributions are ε-close if the probability they assign to any event differs by at most ε.

A brief survey of randomness extractorsDeterministic von-Neumann sources

[vN51]. Markov Chains [Blu84]. Several independent

sources [SV86,V86,V87,VV88,CG88,DEOR04,BIW04].

Samplable sources [TV00].

Seeded High min-entropy

distributions [Z91,NZ93].

Lower bound of log n on the seed length [NZ93,RT99].

Explicit constructions coming close to matching bound (mass of work).

Extractors turn out to have lots of applications in TCS.

Bit-fixing sources [CGHFRS85] An (n,k)-(oblivious) bit-fixing source is

a distribution on n bit strings s.t. k bits are uniformly distributed (good

bits). remaining n-k bits are fixed to arbitrary

values (bad bits).

x1

x2

x3

xn

k random bits

Bit-fixing source extractors The exclusive or function extracts one

perfectly random bit. Impossible to extract two perfect bits

for k<n/3 [CGHFRS85]. A probablistic argument gives an

extractor which extracts k-O(log(n/ε)) bits (for statistical distance ε from uniform).

Best explicit construction extracts Ω(k2/n) bits [KZ03].

Our results: rangebits

extracted [KZ03]

bits extracted our result

error

k>n½ Ω(k2/n)k-n½+a

(a>0 is an arbitrary constant)

exp(-na)

k<n½

k>(log n)c

Ω(log k)*

k-kb

(0<b<1 is a universal constant)

k-b

We extract (1-o(1))k bits even for small k.

Our approach

Start with an extractor that extracts few bits.

Convert into an extractor that extracts many bits.

Getting more mileage from extractors: first attempt

x1

x2

x3

xn

k random bits

DeterministicExtractor

random output

SeededExtractor

Seeded Extractors are only guaranteed to work when the source and seed are independent.

correlated!

Solution: Seed obtainers

x1

x2

x3

xn

k random bits

SeedObtainer

random outputbit fixing source

X

X’ Y

We require that X’ and Y are independent!

We obtain a seed!

Seed obtainer: Definition

A seed obtainer is a function F(X)=(X’,Y) s.t.

For every (n,k)-bit-fixing source X:

X’ is an (n’,k’)-bit-fixing source with (n’,k’)≈(n,k).

Y is uniformly distributed. X’ and Y are

independent.

SeedObtainer

x1

x2

x3

xn

X

X’ YF(X) is close to a convex combination of distributions X’,Y s.t.

SeededExtractor

random output

Seed obtainers allow us to get more randomness from deterministic bit-fixing source extractors.

Construction of seed obtainers (erasing the correlation)

k random bits

random outputbit fixing source

X

X’ Y

Deterministic Extractor

Wseed for

averaging sampler

Seed obtainer

Intuition: Erase parts that are

correlated with Y

We will pretend red bits are fixed!

The extractor won’t know!

Warning: Intuition is

oversimplified!

For any set (and in particular set of good bits) The sampled set hits it in the “correct” proportion.

Set parameters so that:

• few red bits are in.

• Most red bits are out.

correlated!

Construction for k>n½

We use the [KZ03] deterministic extractor as basis for the seed-obtainer.

Attach a good seeded extractor [RRV99].

SeedObtainer

x1

x2

x3

xn

X

X’ Y

SeededExtractor

random output

The case of k<n½

We need a deterministic bit-fixing source extractor to start with.

The tecnique of [KZ03] also works for k<n½, but extracts very few bits.

Only Ω(log k) bits. For k=polylog n, we get only log log n

bits. Not sufficient for seeded extractors! (Also not sufficient for standard

averaging samplers.)

Solution: seeded bit-fixing source extractor.

We construct a seeded bit-fixing source extractor that uses seed O(log log n) and extract (1-o(1))k bits.

Apply it after the seed obtainer.

SeedObtainer

x1

x2

x3

xn

X

X’ Y

Seeded bit-fixingExtractor

random output

A Seeded extractor for bit-fixing sources: log log n -> log n

We partition the source into about log n blocks.

Each bit tosses a coin to decide on its block.

We use ε-pairwise dependent coins [NN93]. Cost: O(log log n) random bits.

w.h.p. each block contains at least one good bit.

Each block outputs the xor of its bits.

log n

Output log n random bits.

A Seeded extractor for bit-fixing sources: log n -> (1-o(1))k

We have O(log log n) random bits as seed.

Use O(log log n) random bits to partition into two blocks.

Use seeded bit-fixing extractor from previous slide to extract log n bits.

Use the output as a seed for a (standard) seeded extractor. To extract (1-o(1))k bits. log n bits

Seeded extracto

r

prvs

n/log n

Note on averaging samplers Ingredient in the seed obtainer construction. We need to sample subsets of {1..n}. Sampling one element: log n bits. We already saw: Sampling based on ε-pairwise

dependence: log log n bits [EGLNV95,RSW00]. ?????? Possible because query complexity is huge

(n/log n). Note: We need samplers that hit very small

sets (size<n½)) and cannot use samplers based on (seeded) extractors.

Overview We construct deterministic

bit-fixing extractors that: Extract almost all

randomnes. Work even for small k.

Introduce “seed obtainers”.

Allow getting more random bits from deterministc bit-fixing extractors.

Construction for small k uses seeded bit-fixing extractor, that uses seed of length O(log log n) to “partition” source.

SeedObtainer

x1

x2

x3

xn

X

X’ Y

SeededExtractor

random output

Open problems

Improve error for small k (say k<n½).

Possible direction: Construct deterministic bit-fixing source with larger output (>>log k) for small k.

Can this technique be applied to seeded extractors? (probably not).

That’s it