deterministic extractors for bit-fixing sources by obtaining an independent seed
DESCRIPTION
Seedless. Deterministic extractors for bit-fixing sources by obtaining an independent seed. Ariel Gabizon Ran Raz Ronen Shaltiel. Randomness extractors (motivation). Randomness is essential in Computer Science : Cryptography (!!) Distributed Protocols (!) Probabilistic Algorithms (?) - PowerPoint PPT PresentationTRANSCRIPT
Deterministic extractors for bit-fixing sources by obtaining an independent seed
Ariel GabizonRan Raz
Ronen Shaltiel
Seedless
Randomness extractors (motivation)Randomness is essential in Computer
Science: Cryptography (!!) Distributed Protocols (!) Probabilistic Algorithms (?)
Algorithm designers always assume that we have access to a stream of independent unbiassed coin tosses.
How can we obtain random bits?
Refining randomness from nature
We have access to distributions in nature:
Weather (?) Particle reactions Key strokes of user Timing of past eventsThese distributions are
“somewhat random” but not “truly random”.
Solution: Randomness Extractors
random coins
Probabilistic algorithm
input
output
Somewhat random
RandomnessExtractor
Randomness Extractors: Definition and two flavors
C is a class of distributions over n bit strings.
A deterministic (seedless) C-extractor is a function E such that for every XєC, E(X) is ε-close to uniform.
A seeded C-extractor has an additional (short i.e. log n) independent random seed as input.
source distribution from C
Extractorseed
random output
DeterministicSeeded
Two distributions are ε-close if the probability they assign to any event differs by at most ε.
A brief survey of randomness extractorsDeterministic von-Neumann sources
[vN51]. Markov Chains [Blu84]. Several independent
sources [SV86,V86,V87,VV88,CG88,DEOR04,BIW04].
Samplable sources [TV00].
Seeded High min-entropy
distributions [Z91,NZ93].
Lower bound of log n on the seed length [NZ93,RT99].
Explicit constructions coming close to matching bound (mass of work).
Extractors turn out to have lots of applications in TCS.
Bit-fixing sources [CGHFRS85] An (n,k)-(oblivious) bit-fixing source is
a distribution on n bit strings s.t. k bits are uniformly distributed (good
bits). remaining n-k bits are fixed to arbitrary
values (bad bits).
x1
x2
x3
xn
k random bits
Bit-fixing source extractors The exclusive or function extracts one
perfectly random bit. Impossible to extract two perfect bits
for k<n/3 [CGHFRS85]. A probablistic argument gives an
extractor which extracts k-O(log(n/ε)) bits (for statistical distance ε from uniform).
Best explicit construction extracts Ω(k2/n) bits [KZ03].
Our results: rangebits
extracted [KZ03]
bits extracted our result
error
k>n½ Ω(k2/n)k-n½+a
(a>0 is an arbitrary constant)
exp(-na)
k<n½
k>(log n)c
Ω(log k)*
k-kb
(0<b<1 is a universal constant)
k-b
We extract (1-o(1))k bits even for small k.
Our approach
Start with an extractor that extracts few bits.
Convert into an extractor that extracts many bits.
Getting more mileage from extractors: first attempt
x1
x2
x3
xn
k random bits
DeterministicExtractor
random output
SeededExtractor
Seeded Extractors are only guaranteed to work when the source and seed are independent.
correlated!
Solution: Seed obtainers
x1
x2
x3
xn
k random bits
SeedObtainer
random outputbit fixing source
X
X’ Y
We require that X’ and Y are independent!
We obtain a seed!
Seed obtainer: Definition
A seed obtainer is a function F(X)=(X’,Y) s.t.
For every (n,k)-bit-fixing source X:
X’ is an (n’,k’)-bit-fixing source with (n’,k’)≈(n,k).
Y is uniformly distributed. X’ and Y are
independent.
SeedObtainer
x1
x2
x3
xn
X
X’ YF(X) is close to a convex combination of distributions X’,Y s.t.
SeededExtractor
random output
Seed obtainers allow us to get more randomness from deterministic bit-fixing source extractors.
Construction of seed obtainers (erasing the correlation)
k random bits
random outputbit fixing source
X
X’ Y
Deterministic Extractor
Wseed for
averaging sampler
Seed obtainer
Intuition: Erase parts that are
correlated with Y
We will pretend red bits are fixed!
The extractor won’t know!
Warning: Intuition is
oversimplified!
For any set (and in particular set of good bits) The sampled set hits it in the “correct” proportion.
Set parameters so that:
• few red bits are in.
• Most red bits are out.
correlated!
Construction for k>n½
We use the [KZ03] deterministic extractor as basis for the seed-obtainer.
Attach a good seeded extractor [RRV99].
SeedObtainer
x1
x2
x3
xn
X
X’ Y
SeededExtractor
random output
The case of k<n½
We need a deterministic bit-fixing source extractor to start with.
The tecnique of [KZ03] also works for k<n½, but extracts very few bits.
Only Ω(log k) bits. For k=polylog n, we get only log log n
bits. Not sufficient for seeded extractors! (Also not sufficient for standard
averaging samplers.)
Solution: seeded bit-fixing source extractor.
We construct a seeded bit-fixing source extractor that uses seed O(log log n) and extract (1-o(1))k bits.
Apply it after the seed obtainer.
SeedObtainer
x1
x2
x3
xn
X
X’ Y
Seeded bit-fixingExtractor
random output
A Seeded extractor for bit-fixing sources: log log n -> log n
We partition the source into about log n blocks.
Each bit tosses a coin to decide on its block.
We use ε-pairwise dependent coins [NN93]. Cost: O(log log n) random bits.
w.h.p. each block contains at least one good bit.
Each block outputs the xor of its bits.
log n
Output log n random bits.
A Seeded extractor for bit-fixing sources: log n -> (1-o(1))k
We have O(log log n) random bits as seed.
Use O(log log n) random bits to partition into two blocks.
Use seeded bit-fixing extractor from previous slide to extract log n bits.
Use the output as a seed for a (standard) seeded extractor. To extract (1-o(1))k bits. log n bits
Seeded extracto
r
prvs
n/log n
Note on averaging samplers Ingredient in the seed obtainer construction. We need to sample subsets of {1..n}. Sampling one element: log n bits. We already saw: Sampling based on ε-pairwise
dependence: log log n bits [EGLNV95,RSW00]. ?????? Possible because query complexity is huge
(n/log n). Note: We need samplers that hit very small
sets (size<n½)) and cannot use samplers based on (seeded) extractors.
Overview We construct deterministic
bit-fixing extractors that: Extract almost all
randomnes. Work even for small k.
Introduce “seed obtainers”.
Allow getting more random bits from deterministc bit-fixing extractors.
Construction for small k uses seeded bit-fixing extractor, that uses seed of length O(log log n) to “partition” source.
SeedObtainer
x1
x2
x3
xn
X
X’ Y
SeededExtractor
random output
Open problems
Improve error for small k (say k<n½).
Possible direction: Construct deterministic bit-fixing source with larger output (>>log k) for small k.
Can this technique be applied to seeded extractors? (probably not).
That’s it