15 research outputs found
An entropy lower bound for non-malleable extractors
A (k, ε)-non-malleable extractor is a function nmExt : {0,1}^n × {0,1}^d → {0,1} that takes two inputs, a weak source X ~ {0,1}^n of min-entropy k and an independent uniform seed s ∈ {0,1}^d, and outputs a bit nmExt(X, s) that is ε-close to uniform, even given the seed s and the value nmExt(X, s') for an adversarially chosen seed s' ≠ s. Dodis and Wichs (STOC 2009) showed the existence of (k, ε)-non-malleable extractors with seed length d = log(n − k − 1) + 2 log(1/ε) + 6 that support sources of min-entropy k > log(d) + 2 log(1/ε) + 8. We show that the foregoing bound is essentially tight, by proving that any (k, ε)-non-malleable extractor must satisfy the min-entropy bound k > log(d) + 2 log(1/ε) − log log(1/ε) − C for an absolute constant C. In particular, this implies that non-malleable extractors require min-entropy at least Ω(log log(n)). This is in stark contrast to the existence of strong seeded extractors that support sources of min-entropy k = O(log(1/ε)). Our techniques strongly rely on coding theory. In particular, we reveal an inherent connection between non-malleable extractors and error correcting codes, by proving a new lemma which shows that any (k, ε)-non-malleable extractor with seed length d induces a code C ⊆ {0,1}^{2^k} with relative distance 1/2 − 2ε and rate (d − 1)/2^k.
A Quantum-Proof Non-Malleable Extractor, With Application to Privacy Amplification against Active Quantum Adversaries
In privacy amplification, two mutually trusted parties aim to amplify the secrecy of an initial shared secret in order to establish a shared private key by exchanging messages over an insecure communication channel. If the channel is authenticated the task can be solved in a single round of communication using a strong randomness extractor; choosing a quantum-proof extractor allows one to establish security against quantum adversaries. In the case that the channel is not authenticated, Dodis and Wichs (STOC'09) showed that the problem can be solved in two rounds of communication using a non-malleable extractor, a stronger pseudo-random construction than a strong extractor.
We give the first construction of a non-malleable extractor that is secure against quantum adversaries. The extractor is based on a construction by Li (FOCS'12), and is able to extract from sources of min-entropy rates larger than . Combining this construction with a quantum-proof variant of the reduction of Dodis and Wichs, shown by Cohen and Vidick (unpublished), we obtain the first privacy amplification protocol secure against active quantum adversaries.
Quantum-Proof Extractors: Optimal up to Constant Factors
We give the first construction of a family of quantum-proof extractors that has optimal seed length dependence O(log(n/ε)) on the input length n and error ε. Our extractors support any min-entropy k = Ω(log n + log^{1+α}(1/ε)) and extract m = (1 − α)k bits that are ε-close to uniform, for any desired constant α > 0. Previous constructions had a quadratically worse seed length or were restricted to very large input min-entropy or very few output bits.
Our result is based on a generic reduction showing that any strong classical condenser is automatically quantum-proof, with comparable parameters. The existence of such a reduction for extractors is a long-standing open question; here we give an affirmative answer for condensers. Once this reduction is established, to obtain our quantum-proof extractors one only needs to consider high entropy sources. We construct quantum-proof extractors with the desired parameters for such sources by extending a classical approach to extractor construction, based on the use of block-sources and sampling, to the quantum setting.
Our extractors can be used to obtain improved protocols for device-independent randomness expansion and for privacy amplification.
Affine-malleable Extractors, Spectrum Doubling, and Application to Privacy Amplification
The study of seeded randomness extractors is a major line of research in theoretical computer science. The goal is to construct deterministic algorithms which can take a "weak" random source with min-entropy and a uniformly random seed of length , and output a string of length close to that is close to uniform and independent of . Dodis and Wichs [DW09] introduced a generalization of randomness extractors called non-malleable extractors (nmExt) where nmExt(X,Y) is close to uniform and independent of and nmExt(X,f(Y)) for any function with no fixed points.
We relax the notion of a non-malleable extractor and introduce what we call an affine-malleable extractor (AmExt: F^n × F^d → F) where AmExt(X,Y) is close to uniform and independent of and has some limited dependence on AmExt(X,f(Y)): conditioned on , (AmExt(X,Y), AmExt(X,f(Y))) is close to where is uniformly distributed in F and A, B ∈ F are random variables independent of F.
We show under a plausible conjecture in additive combinatorics (called the Spectrum Doubling Conjecture) that the inner-product function IP⟨·,·⟩: F^n × F^n → F is an affine-malleable extractor. As a modest justification of the conjecture, we show that a weaker version of the conjecture is implied by the widely believed Polynomial Freiman-Ruzsa conjecture.
We also study the classical problem of privacy amplification, where two parties Alice and Bob share a weak secret of min-entropy , and wish to agree on a secret key of length over a public communication channel completely controlled by a computationally unbounded attacker Eve. The main application of non-malleable extractors and its many variants has been in constructing secure privacy amplification protocols.
We show that affine-malleable extractors along with affine-evasive sets can also be used to construct efficient privacy amplification protocols. We show that our protocol, under the Spectrum Doubling Conjecture, achieves near optimal parameters and achieves additional security properties like source privacy that have been the focus of some recent results in privacy amplification.
Non-Malleable Extractors - New Tools and Improved Constructions
A non-malleable extractor is a seeded extractor with a very strong guarantee - the output of a non-malleable extractor obtained using a typical seed is close to uniform even conditioned on the output obtained using any other seed. The first contribution of this paper consists of two new and improved constructions of non-malleable extractors:
- We construct a non-malleable extractor with seed-length O(log(n) · log(log(n))) that works for entropy Ω(log(n)). This improves upon a recent exciting construction by Chattopadhyay, Goyal, and Li (STOC'16) that has seed length O(log^2(n)) and requires entropy Ω(log^2(n)).
- Secondly, we construct a non-malleable extractor with optimal seed length O(log(n)) for entropy n/log^{O(1)}(n). Prior to this construction, non-malleable extractors with a logarithmic seed length, due to Li (FOCS'12), required entropy 0.49·n. Even non-malleable condensers with seed length O(log(n)), by Li (STOC'12), could only support linear entropy.
We further devise several tools for enhancing a given non-malleable extractor in a black-box manner. One such tool is an algorithm that reduces the entropy requirement of a non-malleable extractor at the expense of a slightly longer seed. A second algorithm increases the output length of a non-malleable extractor from constant to linear in the entropy of the source. We also devise an algorithm that transforms a non-malleable extractor to the so-called t-non-malleable extractor for any desired t. Besides being useful building blocks for our constructions, we consider these modular tools to be of independent interest.
Non-Malleable Extractors and Codes, with their Many Tampered Extensions
Randomness extractors and error correcting codes are fundamental objects in computer science. Recently, there have been several natural generalizations of these objects, in the context and study of tamper resilient cryptography. These are seeded non-malleable extractors, introduced in [DW09]; seedless non-malleable extractors, introduced in [CG14b]; and non-malleable codes, introduced in [DPW10].
However, explicit constructions of non-malleable extractors appear to be hard, and the known constructions are far behind their non-tampered counterparts.
In this paper we make progress towards solving the above problems. Our contributions are as follows.
(1) We construct an explicit seeded non-malleable extractor for min-entropy . This dramatically improves all previous results and gives a simpler 2-round privacy amplification protocol with optimal entropy loss, matching the best known result in [Li15b].
(2) We construct the first explicit non-malleable two-source extractor for min-entropy , with output size and error .
(3) We initiate the study of two natural generalizations of seedless non-malleable extractors and non-malleable codes, where the sources or the codeword may be tampered many times. We construct the first explicit non-malleable two-source extractor with tampering degree up to , which works for min-entropy , with output size and error . We show that we can efficiently sample uniformly from any pre-image. By the connection in [CG14b], we also obtain the first explicit non-malleable codes with tampering degree up to , relative rate , and error .
Comment: 50 pages; see paper for full abstract.
Two Source Extractors for Asymptotically Optimal Entropy, and (Many) More
A long line of work in the past two decades or so established close connections between several different pseudorandom objects and applications. These connections essentially show that an asymptotically optimal construction of one central object will lead to asymptotically optimal solutions to all the others. However, despite considerable effort, previous works can get close but still lack one final step to achieve truly asymptotically optimal constructions.
In this paper we provide the last missing link, thus simultaneously achieving explicit, asymptotically optimal constructions and solutions for various well studied extractors and applications, that have been the subjects of long lines of research. Our results include:
- Asymptotically optimal seeded non-malleable extractors, which in turn give two source extractors for asymptotically optimal min-entropy of , explicit constructions of -Ramsey graphs on vertices with , and truly optimal privacy amplification protocols with an active adversary.
- Two source non-malleable extractors and affine non-malleable extractors for some linear min-entropy with exponentially small error, which in turn give the first explicit construction of non-malleable codes against -split state tampering and affine tampering with constant rate and exponentially small error.
- Explicit extractors for affine sources, sumset sources, interleaved sources, and small space sources that achieve asymptotically optimal min-entropy of or (for space sources).
- An explicit function that requires strongly linear read once branching programs of size , which is optimal up to the constant in . Previously, even for standard read once branching programs, the best known size lower bound for an explicit function is .
Comment: Fixed some minor errors.