How to get more mileage from randomness extractors

1
How to get more mileage from randomness extractors

• Ronen Shaltiel
• University of Haifa

2
Outline of this talk

• Motivation for randomness extractors.
• Deterministic and seeded extractors.
• Our results.
• Something about the proof

3
Randomness extractors (motivation)
Do we have to tell that same old story again.
Daddy, how do computers get random bits?
4
Randomness extractors (motivation)

• Randomness is essential in Computer Science
• Cryptography
• Distributed Protocols
• Probabilistic Algorithms
• Algorithm designers always assume that we have
  access to a stream of independent unbiassed coin
  tosses.
• How do computers get random bits?

5
Refining randomness from nature

• We have access to distributions in nature
• Particle reactions
• Key strokes of user
• Timing of past events
• (Really used in real life)
• These distributions are somewhat random but not
  truly random.
• Solution Randomness Extractors

random coins
Somewhat random
Probabilistic algorithm
input
output
6
Outline of this talk

• Motivation for randomness extractors.
• Deterministic and seeded extractors.
• Our results.
• Something about the proof

7
Randomness Extractors Definition and two flavors

• C is a class of distributions over n bit strings
  containing k bits of (min)-entropy.
• A deterministic (seedless) C-extractor is a
  function E such that for every X?C, E(X) is
  e-close to uniform.
• A seeded C-extractor has an additional (short
  i.e. log n) independent random seed as input.

source distribution from C
Seeded
Deterministic

• A distribution X has min-entropy k if
  ?x PrXx 2-k
• Two distributions are e-close if the probability
  they assign to any event differs by at most e.

Extractors turn out to have lots of applications
in TCS.
8
A brief survey of randomness extractors

• Deterministic
• von-Neumann sources vN51.
• Markov Chains Blu84.
• Several independent sources SV86,V86,V87,VV88,CG8
  8,DEOR04,BIW04,BKSSW05,R05,R06,BRSW06.
• Bit-fixing sources CGHFRS85,KZ03,GRS04
• Samplable sources TV00,KRVZ06.
• Affine sources BKSSW05,GR05.

• Seeded
• C distributions with (min)-entropy k
  Z91,NZ93.
• Lower bound of log n on the seed length
  NZ93,RT99.
• Explicit constructions coming close to matching
  bound (mass of work).

9
Outline of this talk

• Motivation for randomness extractors.
• Deterministic and seeded extractors.
• Our results.
• Something about the proof

10
Getting more mileage from (deterministic)
extractors
Our result A general transformation (extending
GRS04)

• before

after
Deterministic C-Extractor
Deterministic C-Extractor
extracts few bits
extracts many bits
Applies to many classes C several independent
sources, samplable sources, bit-fixing sources,
affine sources.
Already follows from GRS04,GR05.
11
2-source extractors SV86

• Consider the class of distributions X(X1,X2)
  s.t.
• X1,X2 are independent distributions over n bits.
• X1,X2 have (min)-entropy k.
• Dfn A 2-source extractor (for threshold k) is a
  deterministic extractor for this class.

• Goals
• Achieve low entropy threshold e.g. ko(n), major
  open problem (related to Ramsey graphs).
• Extract as many bits as possible (for large
  threshold, say k ¾ n ). There are 2k random bits
  in source.

X1
X2
2-source extractor
12
Getting more mileage from 2-source extractors
¾ can be replaced with any constant gt ½
2-source extractors for entropy k¾n and elt1/n.
Proof Transform existing construction Raz05
into an extractor which extracts many bits.
Optimal except for the precise constant
multiplying log(1/e)!
13
Outline of this talk

• Motivation for randomness extractors.
• Deterministic and seeded extractors.
• Our results.
• Something about the proof

14
Getting more mileage from extractors naïve
approach
k random bits
Deterministic Extractor
Seeded Extractor
Seeded Extractors are only guaranteed to work
when the source and seed are independent.
random output
15
Getting more mileage by reusing the output

• GRS04 The naïve approach can work!
• For the restricted class of bit-fixing sources.
• Assuming some additional properties of the
  deterministic and seeded extractors.
• GR05 Also works for affine sources.
• This paper Extends the ideas of GRS04
• General sufficient conditions for an arbitrary
  class of sources.

16
The main theorem

• The naïve approach works if
• closeness condition satisfied.
• e lt 2t

• Let C be a class of distributions.
• Let X be a distribution in C.
• Let dE be a deterministic e-extractor for C.
• Let sE be a seeded extractor with seed length t.
• Assume the following closeness condition
• For every y?0,1t and every value a
  (XsE(X,y)a) is a distribution in C.
• Then dE(x)sE(x,dE(x)) is a deterministic
  O(e2t)-extractor for C.

17
Closer look at closeness condition

• Previous intuition for naïve construction
• dE extracts few bits and therefore
• (XdE(X)y) is a high entropy distribution.
• ? sE can extract from (XdE(X)y).
• Problem it could be the case that
  ?y y is a
  bad seed for the source (XdE(X)y).
• Closeness Condition For every y?0,1t and every
  value a (XsE(X,y)a) is a distribution in C.
• Comment (XsE(X,y)a) has lower entropy then X
  ? In order to extract from X we must use
  dE which extracts from lower entropy
  distributions.

Intuition and proof are different.
18
Outline of proof of main theorem(Simplifiying
assumption e0)
Uniform distribution
Use recycled bits
Use independent bits

• Goal prove that
• sE(X,dE(X)) sE(X,Y)
• Follows from ?y (sE(X,dE(X))dE(X)y)
  (sE(X,Y)Yy)
• ? (sE(X,y)dE(X)y) sE(X,y)
• Will follow if ?y sE(X,y) is independent of
  dE(X).
• and this follows from closeness condition
• Closeness Condition For every y?0,1t and every
  value a (XsE(X,y)a) is a distribution in
  C.
• Therefore dE extracts randomness from this
  distribution and
• (dE(X)sE(X,y)a) Uniform
• As this occurs ?a we get that ?y sE(X,y) is
  independent of dE(X).

Actual proof is more technical because e?0
19
Summary
Our result A general transformation (extending
GRS04)

• before

after
Deterministic C-Extractor
Deterministic C-Extractor
extracts few bits
extracts many bits

• Applies to many classes C
• Weve seen 2-independent sources.
• In paper Distributions samplable by small
  circuits (defined by TV)

20
Conclusions and open problems

• Technique can be applied to many deterministic
  extraction scenarios.
• Some additional work is needed to meet the
  closeness condition in various cases.
• At the moment we dont always have good
  deterministic extractors to start from (e.g. low
  entropy 2-source extractors, samplable sources).
• Come up with new constructions of 2-source
  extractors and extractors for samplable
  distributions.
• Can this technique be used to reduce the seed
  length of seeded extractors? We provide some
  counterexamples.

21
Thats it
having extracted many random bits they lived
happily ever after.