Extractors: applications and

constructionsAvi WigdersonIAS, Princeton

Randomness

Extractors: original motivation

Unbiased,

independent

Probabilistic

algorithms

Cryptography

Game

Theory

Applications

:

Analyzed on

perfect

randomness biased,

dependentReality:

Sources of

imperfect

randomnessStock market

fluctuationsSun spots

Radioactive

decay

Extractor Theory

Running probabilistic algorithms

with weak random bits

Probabilistic algorithmInput Output

Error prob <δ

EXTunbiased,independent

biased,dependent

Monte-Carlo algorithmswith few random bits

Setting: Statistical mechanics model (Ising, Potts, Percolation, Spin Glass,….)Task: Estimate parameters (free entropy, partition function, long-range correlations,…)Algorithm: Sample a random state from Gibbs dist. (Glauber dynamics, Metropolis algorithm,…)

StateSpace{0,1}n

n sites

Monte-Carlo algorithmswith few random bits

Resources of the typical Monte-Carlo algorithm- Space: ~ n-Time: t < poly(n)-Randomness: ~ tn bits[Nisan-Zuckerman] Randomness = space! Deterministically expand n tn bits, with rt ~ uniform !

StateSpace{0,1}n

any r1 r2 ri rt ~ uniform

Certifying randomness

What if the device/detectors are faulty?[Colbeck ‘06, Pioroni et al ‘10, Vidick-Vazirani ‘12,…]Amplification & certification of randomness:

QM

Algorithm

QM device

k bits 2k bits

With High Probability:If device good: output ~ uniformIf device faulty: rejectsNo

signali

ng

Extractor

Insnside

Applications of Extractors

• Using weak random sources in prob algorithms [B84,SV84,V85,VV85,CG85,V87,CW89,Z90-91]• Randomness-efficient error reduction of prob algorithms [Sip88, GZ97, MV99,STV99]

• Derandomization of space-bounded algorithms [NZ93, INW94, RR99, GW02]

• Distributed Algorithms [WZ95, Zuc97, RZ98, Ind02].• Hardness of Approximation [Zuc93, Uma99, MU01]• Cryptography [CDHKS00, MW00, Lu02 Vad03]• Data Structures [Ta02]• Coding Theory [TZ01,TZS01]• Certifying & expanding randomness [Col09,Pir+09,VV12]

•

Unifying Role of Extractors

Extractors are intimately related to:• Hash Functions [ILL89,SZ94,GW94]• Expander Graphs [WZ93, RVW00, TUZ01, CRVW02]

• Samplers [G97, Z97]• Pseudorandom Generators [Tre99, …]• Error-Correcting Codes [TZ01, TZS01, SU01, U02]

• Ergodic Theory [Lindenstrauss 07]• Exponential sums

Unify the theory of pseudorandomness.

Definitions

Weak random sourcesDistributions X on {0,1}n with “some” entropy:

X=(X1,X2,…,Xn)• [vN] sources: n coins of unknown fixed bias• [SV] sources: Pr[Xi+1 =1|X1=b1,…,Xi=bi] (δ, 1-δ)• [LLS] sources: n coins, some “sticky”• …..

• [Z] k-sources: H∞(X) ≥ k x Pr[X = x] 2-k

e.g X uniform with support ≥ 2k

k – the entropy in the weak source

{0,1}n

X

Randomness Extractors(1st attempt)

EXT

X k-source of length n

m (almost) uniform bits

Ext : {0,1}n {0,1}m

Impossible even if k=n-1 and m=1

“weak” random

source X

k can be e.g

n/2, √n, log

n,…

Ext=0

Ext=1

{0,1}n

Xm ≤ k

Extractors [Nisan & Zuckerman `93]

EXT

k-source of length n

m bits-close to uniform

d random bits

(short) “seed”

{0,1}n

X

{0,1}m

Exti(X)

i {0,1}d

Want: efficient Ext, small d, , large m

Explicit & Efficient Extractors

Non-constructive & optimal [Sip88,NZ93,RT97]:– Seed length d = log n + O(1).– Output length m = k - O(1).

[...B86,SV86,CG87, NZ93, WZ93, GW94, SZ94, SSZ95, Zuc96, Ta96, Ta98, Tre99, RRV99a, RRV99b, ISW00, RSW00, RVW00, TUZ01, TZS01, SU01, LRVW03,…]

Explicit constructions [GUV07, DW08] - Seed length d = O(log n)

- Output length m = .99k

Running probabilistic algorithms

with weak random bitsk-source of length n

m random bits

EXTd random bits

Probabilistic algorithmInput

(upto L1 error)

Output

Error prob <δ+

Try all possible2d = poly(n) seeds. Take majority vote.

Efficient!

k=2m

Constructionsvia the Kakeya Problem

Mergers[Ta96] – very special case

d random bits seed

Mer

X Y

m ≥.99k

k k

k

X,Y Fqk q

~ n100

X or Y is randomX,Y correlated!

[LRVW] Mer = aX+bY a,b Fq ( d=2log q )

Major problems in analysis and geometry!

Wolf: Smallest set in Fqk containing a line in

every direction?

Kakeya: Smallest set in R2 cont. a needle in every direction?

Besikovich: Smallest set in R2 has area <ε for every ε>0!

Dvir: Smallest set in Fqk has volume > (cq)k.

Polynomial method!

Thanks!