1. Joint with A. Ta-Shma - PowerPoint PPT Presentation

Provided by: ELAD
Transcript and Presenter's Notes

1
Extractors via Low-degree Polynomials

1. Joint with A. Ta-Shma and D. Zuckerman. 2. Improved by R. Shaltiel and C. Umans.
Slides: Adi Akavia
2
Definitions
  • Def: The min-entropy of a random variable X over
    $\{0,1\}^n$ is defined as
  • Thus a random variable X has min-entropy at least
    k if $\Pr[X = x] \le 2^{-k}$ for all x. The maximum possible
    min-entropy for such an R.V. is n.
  • Def (statistical distance): Two distributions on
    a domain D are ε-close if the probabilities they
    give to any $A \subseteq D$ differ by at most ε (namely, half
    the $\ell_1$ norm of their difference).

3
Definitions
  • Def: A (k, ε)-extractor is a function $E: \{0,1\}^n
    \times \{0,1\}^t \to \{0,1\}^m$ s.t. for any R.V. X with
    min-entropy k, $E(X, U_t)$ is ε-close to $U_m$ (where
    $U_m$ denotes the uniform distribution over $\{0,1\}^m$).

4
Parameters
  • The relevant parameters are:
  • min-entropy of the weak random source,
    k. Relevant values: $\log(n) \le k \le n$ (the seed length is
    $t = \log(n)$, hence there is no point in considering lower
    min-entropy).
  • seed length $t = \log(n)$
  • quality of the output, ε
  • size of the output, $m = f(k)$. The optimum is $m = k$.

5
Extractors
[Diagram: E maps a high min-entropy distribution (over $2^n$ strings) together with a
uniformly distributed seed (over $2^t$ strings) to an output (over $2^m$ strings) that is
close to uniform.]
6
Next Bit Predictors
  • Claim: to prove E is an extractor, it suffices to
    prove that for all $0 < i < m+1$ and all predictors
    $f: \{0,1\}^{i-1} \to \{0,1\}$
  • Proof: Assume E is not an extractor; then there exists
    a distribution X s.t. $E(X, U_t)$ is not ε-close to
    $U_m$, that is

7
Proof
  • Now define the following hybrid distributions

8
Proof
  • Summing the probabilities for the event
    corresponding to the set A over all distributions
    yields
  • And because of the bound on $\sum_i a_i$, there exists an index
    $0 < i < m+1$ for which

9
The Predictor
  • We now define a function $f: \{0,1\}^{i-1} \to \{0,1\}$ that
    can predict the ith bit with probability at
    least $\tfrac{1}{2} + \varepsilon/m$ (a next-bit predictor)
  • The function f uniformly and independently draws
    the bits $y_i, \ldots, y_m$ and outputs
  • Note: the above definition is not constructive,
    as A is not known!

10
Proof
  • And f is indeed a next bit predictor
  • Q.E.D.

11
Next-q-it List-Predictor
  • f is allowed to output a small list of l possible
    next elements

12
q-ary Extractor
  • Def: Let F be a field with q elements.
  • A (k, ℓ) q-ary extractor is a function $E: \{0,1\}^n
    \times \{0,1\}^t \to F^m$ s.t. for all R.V. X with min-entropy
    k,
  • all $0 < i < m$,
  • and all list-predictors $f: F^{i-1} \to F^{\ell}$

13
Generator
  • Def: Define the generator matrix for the vector
    space $F^d$ as a matrix $A \in F^{d \times d}$ s.t. for any non-zero
    vector $v \in F^d$: $\{A^i v\}_i = F^d \setminus \{0\}$
  • (that is, any vector $0 \ne v \in F^d$ multiplied by all
    powers of A generates the entire vector space $F^d$
    except for 0)
  • Lemma: Such a generator matrix exists and can be
    found in time $q^{O(d)}$.

14
Strings as Low-degree Polynomials
  • Let F be a field with q elements
  • Let $F^d$ be a vector space over F
  • Let h be the smallest integer s.t.
  • For $x \in \{0,1\}^n$, let $\hat{x}$ denote the unique d-variate
    polynomial of total degree h-1 whose coefficients
    are specified by x.

15
The SU Extractor
  • The definition of the q-ary extractor $E:
    \{0,1\}^n \times \{0,1\}^{d \log q} \to F^m$

[Diagram: the seed is interpreted as a vector $v \in F^d$ and stepped with the
generator matrix.]
16
Main Theorem
  • Thm: For any n, q, d and h as previously defined,
    E is a (k, ℓ) q-ary extractor if
  • Alternatively, E is a (k, ℓ) q-ary extractor if

17
What's Ahead
  • The counting argument and how it works
  • The reconstruction paradigm
  • Basic example: lines in space
  • Proof of the main theorem

18
Extension Fields
  • A field $F_2$ is called an extension of another
    field F if F is contained in $F_2$ as a subfield.
  • Thm: For every prime power $p^k$ (p prime, k > 0) there is
    a unique (up to isomorphism) finite field
    containing $p^k$ elements. These fields are denoted
    $GF(p^k)$ and comprise all finite fields.
  • Def: A polynomial is called irreducible in GF(p)
    if it does not factor over GF(p).
  • Thm: Let f(x) be an irreducible polynomial of
    degree k over GF(p). The set of degree k-1
    polynomials over $\mathbb{Z}_p$, with addition
    coordinate-wise and multiplication modulo f(x),
    forms the finite field $GF(p^k)$.

19
Extension Fields - Example
  • Construct $GF(2^5)$ as follows:
  • Let the irreducible polynomial be
  • Represent every degree-k polynomial as a vector
    of k+1 coefficients
  • Addition over this field:

20
Extension Fields - Example
  • And multiplication:
  • And now reduce modulo the irreducible polynomial:

21
Generator Matrix Existence Proof
  • Denote by $GF(q^d)^*$ the multiplicative group of the
    Galois field $GF(q^d)$.
  • This multiplicative group of the Galois field is
    cyclic, and thus has a generator g
  • Let φ be the natural isomorphism between the
    Galois field $GF(q^d)$ and the vector space $F^d$,
    which matches a polynomial with its vector of
    coefficients

22
Generator Matrix Existence Proof
  • Now define the generator matrix A of $F^d$ as the
    linear transformation that corresponds to
    multiplication by the generator in $GF(q^d)$
  • A is a linear transformation because of the
    distributive property of both the vector space
    and the field $GF(q^d)$, according to the
    isomorphism properties

23
Generator Matrix Existence Proof
  • It remains to show that the generator matrix A of
    $F^d$ can be found in time $q^{O(d)}$.
  • And indeed:
  • The Galois field $GF(q^d)$ can be constructed in
    time $q^{O(d)}$ using an irreducible polynomial of
    degree d over the field $\mathbb{Z}_q$ (and such a polynomial
    can also be found in time $q^{O(d)}$ by exhaustive
    search).
  • The generator of $GF(q^d)^*$ can be found in time
    $q^{O(d)}$ by exhaustive search
  • Using the generator, for any basis of $F^d$, one can
    construct d independent equations so as to find
    the linear transformation A. This linear equation
    system is also solvable in time $q^{O(d)}$.
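As an added worked example (not code from the slides or from the Shaltiel-Umans paper), the exhaustive search of slide 23 and the generator matrix of slides 13 and 21-22 in Python, with the modular polynomial arithmetic of slides 18-20 underneath and, on top, the q-ary extractor of slide 15 that steps the seed v through Av, A^2 v, ..., A^m v as slides 36 and 54 describe. Assumed for the toy run: q prime (q = 5, d = 2), and x given as one GF(q) coefficient per monomial rather than as a bit string.

```python
# Added worked example, not the slides' own code; assumes toy parameters with q prime.
import itertools, math

def mulmod(a, b, p, q):
    """a*b in GF(q)[x] (coefficient lists, low degree first), reduced modulo monic p."""
    d = len(p) - 1
    out = [0] * (2 * d - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    for k in range(2 * d - 2, d - 1, -1):   # clear x^k, k >= d, via p(x) = 0 (p monic: the t = d step zeroes out[k] last)
        for t in range(d + 1):
            out[k - d + t] = (out[k - d + t] - out[k] * p[t]) % q
    return out[:d]

def find_field_and_generator(q, d):
    """Slide 23 exhaustive search: a monic p of degree d and a g whose powers hit all
    q^d - 1 nonzero residues; only a field has one, so p is irreducible and g generates GF(q^d)*."""
    one = tuple([1] + [0] * (d - 1))
    for tail in itertools.product(range(q), repeat=d):
        p = list(tail) + [1]
        for g in itertools.product(range(q), repeat=d):
            seen, cur = set(), one
            while cur not in seen:
                seen.add(cur)
                cur = tuple(mulmod(cur, g, p, q))
            if len(seen) == q ** d - 1:
                return p, list(g)
    raise ValueError("no irreducible polynomial of degree d over GF(q)")

def generator_matrix(q, d):
    """Slides 13/22: A is the GF(q)-linear map v -> g*v on coefficient vectors of GF(q^d)."""
    p, g = find_field_and_generator(q, d)
    cols = [mulmod([int(i == j) for i in range(d)], g, p, q) for j in range(d)]
    return [[cols[j][i] for j in range(d)] for i in range(d)]

def matvec(A, v, q):
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]

def orbit(A, v, q):
    """{A^i v : i >= 0}; for the generator matrix and v != 0 this is GF(q)^d minus 0."""
    seen, cur = set(), tuple(v)
    while cur not in seen:
        seen.add(cur)
        cur = tuple(matvec(A, cur, q))
    return seen

def su_extract(x, v, A, q, h, m):
    """Slide 15: x lists one GF(q) coefficient per monomial of total degree <= h-1 in
    d = len(v) variables; return the m evaluations x^(Av), x^(A^2 v), ..., x^(A^m v)."""
    monos = [e for e in itertools.product(range(h), repeat=len(v)) if sum(e) <= h - 1]
    def x_hat(pt):
        return sum(c * math.prod(pow(a, k, q) for a, k in zip(pt, e)) for c, e in zip(x, monos)) % q
    pts = list(itertools.accumulate(range(m), lambda cur, _: matvec(A, cur, q), initial=list(v)))[1:]
    return [x_hat(pt) for pt in pts]
```

For q = 5, d = 2 the orbit of any nonzero seed under A has exactly 24 = q^d - 1 elements, which is the generator-matrix property the lemma asserts.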

24
Counting Argument
  • For $Y \subseteq X$, denote $\mu(Y) = \sum_{y \in Y} \Pr[y]$ (the weight of
    Y)
  • Assume a mapping $R: \{0,1\}^a \to \{0,1\}^n$ s.t.
    $\Pr_{x \in X}[\exists z: R(z) = x] \ge \tfrac{1}{2}$
  • Then:
  • for X uniform over a subset of $2^n$, $|X| \le 2|R(S)|$
  • for an arbitrary distribution X, $\mu(X) \le 2\mu(R(S))$
  • If X is of min-entropy k, then $\mu(R(S)) \le 2^a \cdot 2^{-k}
    = 2^{a-k}$ and therefore $k \le a + 1$ (since $1 = \mu(X) \le
    2\mu(R(S)) \le 2^{1+a-k}$)

[Diagram: R maps the seed set S (of size $2^a$) into the $2^n$ strings; its image R(S)
must cover half the weight of X.]
25
Reconstruction Proof Paradigm
  • Proof sketch:
  • For a certain R.V. X with min-entropy k, assume,
    by way of contradiction, a predictor f for the
    q-ary extractor.
  • For $a \ll k$ construct a function $R: \{0,1\}^a \to \{0,1\}^n$
    (the reconstruction function) that uses f as
    an oracle and
  • By the counting argument, this implies X has
    min-entropy much smaller than k

26
Basic Example Lines
  • Construction:
  • Let $BC: F \to \{0,1\}^s$ be an (inefficient) binary code
  • Given:
  • x, a weak random source, interpreted as a
    polynomial $\hat{x}: F^2 \to F$, and
  • s, a seed, interpreted as a random point (a, b)
    and an index j into the binary code.
  • Def:

27
Basic Example: Illustration of Construction
  • $x \to \hat{x}$, $s = ((a,b), 2)$
  • $E(x,s) = 01001$

[Diagram: the point (a, b) and the (inefficient) binary code.]
28
Basic Example Proof Sketch
  • Assume, by way of contradiction, that there exists a
    predictor function f.
  • Next, show a reconstruction function R s.t.
  • Conclude a contradiction (to the min-entropy
    assumption of X)!

29
Basic Example Reconstruction Function
[Diagram of the reconstruction, with parameters $h = n^{1/2}$, $j = \lg n$, m = desired
entropy: a random line; the advice is a few red points, $a = m \cdot j \cdot O(h)$; list
decoding by the predictor f; resolve into one value on the line; repeat using the new
points until all of $F^d$ is evaluated.]
30
Problems with the above Construction
  • Too many lines!
  • Takes too many bits to define a subspace

31
Proof Sketch
  • Let X be a random variable with min-entropy at
    least k
  • Assume, by way of contradiction, that there exists a
    next-bit predictor function f.
  • Next, show a reconstruction function R
  • Conclude a contradiction (to the min-entropy
    assumption of X)!

32
Main Lemma
  • Lemma: Let n, q, d, h be as in the main theorem.
    There exists a probabilistic function
    $R: \{0,1\}^a \to \{0,1\}^n$ with $a = O(mhd \log q)$ such that
    for every x on which
  • the following holds (the probability is over the
    random coins of R):

33
The Reconstruction Function (R)
  • Task: allow many strings x in the support of X to
    be reconstructed from very short advice strings.
  • Outline:
  • Use f in a sequence of prediction steps to
    evaluate z on all points of $F^d$.
  • Interpolate to recover the coefficients of z,
  • which gives x.
  • Next we show there exists a sequence of
    prediction steps that works for many x in the
    support of X and requires few advice strings.

34
Curves
  • Let $r = \Theta(d)$.
  • Pick random vectors and values:
  • 2r random points $y_1, \ldots, y_{2r} \in F^d$, and
  • 2r values $t_1, \ldots, t_{2r} \in F$, and
  • Define degree 2r-1 polynomials $p_1, p_2$:
  • $p_1: F \to F^d$ defined by $p_1(t_i) = y_i$, $\forall i = 1, \ldots, 2r$.
  • $p_2: F \to F^d$ defined by $p_2(t_i) = A y_i$, $\forall i = 1, \ldots, r$, and
    $p_2(t_i) = y_i$, $\forall i = r+1, \ldots, 2r$.
  • Define vector sets $P_1 = \{p_1(z) : z \in F\}$ and
    $P_2 = \{p_2(z) : z \in F\}$
  • $\forall i > 0$ define $P_{2i+1} = A P_{2i-1}$ and $P_{2i+2} = A P_{2i}$ (the $P_i$,
    the sequence of prediction steps, are low-degree
    curves in $F^d$, chosen using the coin tosses of R)

35
Curves
[Diagram: the curves $P_i$ in $F^d$, each parameterized by F.]
36
Simple Observations
  • A is a non-singular linear transform, hence $\forall i$:
  • $P_i$ is a 2r-wise independent collection of points
  • $P_i$ and $P_{i+1}$ intersect at r random points
  • $z|_{P_i}$ is a univariate polynomial of degree at most
    2hr.
  • Given the evaluation of z on $Av, A^2 v, \ldots, A^m v$, we may use
    the predictor function f to predict $z(A^{m+1} v)$ to
    within ℓ values.
  • We need an advice string: the 2hr coefficients of $z|_{P_i}$
    for $i = 1, \ldots, m$ (length at most $mhr \log q = a$)

37
Using N.B.P.
[Diagram: using the next-bit predictor along a single curve in $F^d$, the list
cannot be resolved into one value!]
38
Using N.B.P.
[Diagram: the list can be resolved into one value using the second curve!]
39
Using N.B.P.
[Diagram: the list can be resolved into one value using the second curve!]
40
Open Problems
  • Is the SU extractor optimal? Just run it for
    longer sequences.
  • The reconstruction technique requires interpolation
    from h (the degree) points, hence the maximal entropy
    extracted is k/h.
  • The seed (a point) requires a logarithmic number
    of bits.

41
Main Lemma Proof Cont.
  • Claim: with probability at least $1 - 1/8q^d$ over the
    coin tosses of R
  • Proof: We use the following tail bound:
  • Let t > 4 be an even integer, and $X_1, \ldots, X_n$ be
    t-wise independent R.V. with values in $\{0,1\}$. Let
    $X = \sum X_i$, $\mu = E[X]$, and A > 0. Then

42
Main Lemma Proof Cont.
  • According to the next-bit predictor, the
    probability of a successful prediction is at least
    $1/2\sqrt{\ell}$.
  • In the ith iteration we make q predictions (as
    many points as there are on the curve).
  • Using the tail bound provides the result.
  • Q.E.D. (of the claim).
  • Main Lemma Proof (cont.): Therefore, w.h.p. there
    are at least $q/4\sqrt{\ell}$ evaluation points of $P_i$ that
    agree with the degree-2hr polynomial on the ith
    curve (out of a total of at most ℓq).

43
Main Lemma Proof Cont.
  • A list decoding bound: given n distinct pairs
    $(x_i, y_i)$ in field F and parameters k and d, with
    $k > (2dn)^{1/2}$, there are at most 2n/k degree-d
    polynomials g such that $g(x_i) = y_i$ for at least k
    pairs.
  • Furthermore, a list of all such polynomials can
    be computed in time $\mathrm{poly}(n, \log |F|)$.
  • Using this bound and the previous claim, at most
    $8\ell^{3/2}$ degree-2rh polynomials agree on this number
    of points ($q/4\sqrt{\ell}$).

44
Lemma Proof Cont.
  • Now,
  • $P_i$ intersects $P_{i-1}$ at r random positions, and
  • we know the evaluation of z at the points in $P_{i-1}$
  • Two degree-2rh polynomials can agree on at most a
    2rh/q fraction of their points,
  • So the probability that an incorrect polynomial
    among our candidates agrees on all r random
    points is at most

45
Main Lemma Proof Cont.
  • So, with probability at least we learn the points
    of $P_i$ successfully.
  • After $2q^d$ prediction steps, we have learned z on
    $F^d \setminus \{0\}$ (since A is a generator of $F^d \setminus \{0\}$)
  • By the union bound, the probability that every
    step of the reconstruction is successful is at
    least ½.
  • Q.E.D. (main lemma)

46
Proof of Main Theorem Cont.
  • First,
  • By an averaging argument:
  • Therefore, there must be a fixing of the coins of
    R such that

47
Using N.B.P. Take 2
[Diagram: use the N.B.P. over all points in F, so that we get enough good evaluations
along the curve in $F^d$.]
48
Proof of Main Theorem Cont.
  • According to the counting argument, this implies
    that
  • Recall that $r = \Theta(d)$.
  • A contradiction to the parameter choice.
  • Q.E.D. (main theorem)!

49
From q-ary extractors to (regular) extractors
  • The simple technique: using error correcting
    codes
  • Lemma: Let F be a field with q elements. Let
    $C: \{0,1\}^{k \log(q)} \to \{0,1\}^n$ be a binary error
    correcting code with distance at least $0.5 - O(\rho^2)$.
    If
  • $E: \{0,1\}^n \times \{0,1\}^t \to F^m$ is a $(k, O(\rho))$ q-ary
    extractor, then
  • $E': \{0,1\}^n \times \{0,1\}^{t + \log(n)} \to F^m$ defined by

is a $(k, \rho m)$ binary extractor.
50
From q-ary extractors to (regular) extractors
  • A more complex transformation from q-ary
    extractors to binary extractors achieves the
    following parameters:
  • Thm: Let F be a field with $q < 2^m$ elements. There
    is a polynomial time computable function

such that for any $(k, \rho)$ q-ary extractor E,
$E'(x, (y, j)) = B(E(x, y), j)$ is a $(k, \rho \log m)$ binary
extractor.
51
From q-ary extractors to (regular) extractors
  • The last theorem allows using Theorem 1 for $\rho =
    O(\varepsilon/\log m)$, and implies a (k, ε) extractor with
    seed length $t = O(\log n)$ and output length $m = k/(\log
    n)^{O(1)}$

52
Extractor → PRG
  • Identify
  • the string $x \in \{0,1\}^n$ with the
  • function $x: \{0,1\}^{\log n} \to \{0,1\}$ by setting $x(i) = x_i$
  • Denote by S(x) the size of the smallest circuit
    computing the function x
  • Def (PRG): an ε-PRG for size s is a function
    $G: \{0,1\}^t \to \{0,1\}^m$ with the following property:
    $\forall 1 \le i \le m$ and all functions $f: \{0,1\}^{i-1} \to \{0,1\}$ with
    size-s circuits,
  • $\Pr[f(G(U_t)_{1 \ldots i-1}) = G(U_t)_i] \le \tfrac{1}{2} + \varepsilon/m$
  • This implies:
  • for all size s - O(1) circuits C,
  • $|\Pr[C(G(U_t)) = 1] - \Pr[C(U_m) = 1]| \le \varepsilon$

53
q-ary PRG
  • Def (q-ary PRG): Let F be the field with q
    elements. A ρ-q-ary PRG for size s is a function
    $G: \{0,1\}^t \to F^m$ with the following property: $\forall 1 \le i \le m$
    and all functions $f: F^{i-1} \to F^{(\rho^{-2})}$ with size-s
    circuits,
  • $\Pr[\exists j: f(G(U_t)_{1 \ldots i-1})_j = G(U_t)_i] \le \rho$
  • Fact: an O(ρ)-q-ary PRG for size s can be
    transformed into a (regular) mρ-PRG for size not
    much smaller than s

54
The Construction
Note: $G_x^{(j)}$ corresponds to using our q-ary
extractor construction with the successor
function $A^{m^j}$
We show: x is hard ⇒ at least one $G_x^{(j)}$ is a
q-ary PRG
  • Plan for building a PRG $G_x: \{0,1\}^t \to \{0,1\}^m$:
  • use a hard function $x: \{0,1\}^{\log n} \to \{0,1\}$
  • let z be the low-degree extension of x
  • obtain ℓ candidate PRGs, where $\ell = d(\log q / \log
    m)$, as follows: For $0 \le j < \ell$ define $G_x^{(j)}: \{0,1\}^{d \log
    q} \to F^m$ by $G_x^{(j)}(v) = z(A^{1 \cdot m^j} v) \circ z(A^{2 \cdot m^j} v) \circ \cdots \circ
    z(A^{m \cdot m^j} v)$, where A is a generator of $F^d \setminus \{0\}$

55
Getting into Details
Note: $F'^d$ is a subset of $F^d$;
think of $F^d$ as both a vector space and the
extension field of F
  • perhaps we should just say "immediate from the
    correspondence between the cyclic group $GF(q^d)^*$
    and $F^d \setminus \{0\}$"??? otherwise in detail we may say:
  • Proof:
  • There exists a natural correspondence between $F^d$
    and $GF(q^d)$, and between $F'^d$ and $GF(h^d)$,
  • $GF(q^d)^*$ is cyclic of order $q^d - 1$, i.e. there exists
    a generator g
  • $g^p$ generates the unique subgroup of order $h^d - 1$,
    the multiplicative group of $GF(h^d)$.
  • A and A' are the linear transforms corresponding
    to g and $g^p$ respectively.
  • Let F' be a subfield of F of size h
  • Lemma: there exist invertible d×d matrices A and
    A' with entries from F' which satisfy:
  • $\forall v \in F^d$ s.t. $v \ne 0$, $\{A^i v\}_i = F^d \setminus \{0\}$
  • $\forall v \in F'^d$ s.t. $v \ne 0$, $\{A'^i v\}_i = F'^d \setminus \{0\}$
  • $A' = A^p$ for $p = (q^d - 1)/(h^d - 1)$
  • A and A' can be found in time $q^{O(d)}$

56
  • since $h^d > n$, there are enough slots to embed all of
    x in a d-dimensional cube of size $h^d$
  • and since A' generates $F'^d \setminus \{0\}$, indeed x is
    embedded in a d-dimensional cube of size $h^d$
  • Note: h denotes the degree in individual
    variables, and the total degree is at most hd
  • The computation of z from x can be done in
    $\mathrm{poly}(n, q^d) = q^{O(d)}$ time
  • require $h^d > n$
  • Define z as follows: $z(A'^i \mathbf{1}) = x(i)$, where $\mathbf{1}$ is the
    all-ones vector (low-degree extension).
  • Recall: For $0 \le j < \ell$ define $G_x^{(j)}: \{0,1\}^{d \log q} \to F^m$
    by $G_x^{(j)}(v) = z(A^{1 \cdot m^j} v) \circ z(A^{2 \cdot m^j} v) \circ \cdots \circ
    z(A^{m \cdot m^j} v)$
  • Theorem (PRG main): for every n, d, and h
    satisfying $h^d > n$, at least one of the $G_x^{(j)}$ is a
    ρ-q-ary PRG for size $\Omega(\rho^{-4} h d^2 \log^2 q)$.
    Furthermore, all the $G_x^{(j)}$'s are computable in
    time $\mathrm{poly}(q^d, n)$ with oracle access to x.

59
Extension Field
  • Def: if F is a subset of E, then we say that E is
    an extension field of F.
  • Lemma: let
  • E be an extension field of F,
  • f(x) be a polynomial over F (i.e. $f(x) \in F[X]$),
  • $c \in E$,
  • then $f(x) \mapsto f(c)$ is a homomorphism of F[X] into E.

60
Construction of the Galois Field $GF(q^d)$
  • Thm: let p(x) be irreducible in F[X]; then there
    exists E, an extension field of F, in which there
    exists a root of p(x).
  • Proof sketch:
  • add α (a new element) to F; α is to be a root
    of p(x).
  • In F[α] (polynomials with variable α)

61
  • Example:
  • $F = \mathbb{R}$ (the reals)
  • $p(x) = x^2 + 1$