Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification


Gil Cohen, Weizmann Institute

Joint work with Ran Raz and Gil Segev

Randomness Seeded-Extractors

[Diagram: Ext takes bits from an imperfect source of randomness together with truly random bits (seed), and outputs almost-truly random bits.]

If all points have probability , the source is called an -source.

For simplicity, think of it as “uniform hidden bits”.

Measured in statistical distance.

Strong Seeded-Extractors

For any -source and independent

is called strong if

Parameters

Given
• Maximize
• Minimize

[Diagram: Ext takes bits from an -source together with truly random bits (seed), and outputs almost-truly random bits.]

Non-Constructive and Optimal [Sips88], [RTS00]

Almost matching explicit constructions (…, [LRVW03], [GUV07], [DW08], [DKSS09]).

Non-Malleable Extractors

Defined by [DW09]

$\mathrm{Ext}(W; S) \approx_\epsilon U_m$

$(\mathrm{Ext}(W; S), S) \approx_\epsilon (U_m, S)$

with no fixed point.

A Not Non-Malleable Extractor

Expanders are low-degree undirected graphs that “look random”.

Nodes Labeled neighbors (think of 1-16).

Are known to induce extractors.

[Figure: a walk on the expander graph starting from node $w$, built up step by step with the labels 4, 9, 14, 7, 11 and 10; the nodes $\mathrm{Ext}(w; s)$ and $\mathrm{Ext}(w; A(s))$ are marked.]

Non-Constructive [DW09]

• Seed length
• Output length

Compared with strong extractors
• Seed length
• Output length

The Explicit Construction of [DLWZ11]

• Conditional efficiency

Main Result

• Unconditionally efficient

Privacy Amplification

- passive adversary -

[BBR88], [Mau92], [BBCM95]

[Diagram: Alice and Bob each hold $w \sim W$ and each output $R$; Eve sits on the channel between them.]

is an -source

Computationally unbounded!

Interesting Measures
• Entropy loss
• Communication complexity
• Number of rounds

from Eve’s point of view

Number of communicated bits

Strong Extractors to the Rescue

[Diagram: both parties hold $w \sim W$; a seed $s \sim U_d$ is sent over the channel, and each party computes $R = \mathrm{Ext}(w, s)$.]

• Entropy loss
• Communication complexity
• Number of rounds

Privacy Amplification

- active adversary -

[Mau97], [MM97], [Wol98], [MW03], [RW03], [DKRS06], [DW09], [KR09], [CKOR10]

Privacy Amplification Protocol Active Adversary

• Correctness: If both parties are honest then they agree.
• Privacy: For any Eve, from Eve’s view.
• Authenticity: For any Eve, .

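Both parties hold $w \sim W$.

Alice: samples $y \sim U_{d_1}$ and sends $y$; Bob receives $y'$.

Bob: samples $s' \sim U_{d_2}$, computes $key' = \mathrm{nmExt}(w; y')$ and $\sigma' = \mathrm{MAC}_{key'}(s')$, and sends $(s', \sigma')$; Alice receives $(s, \sigma)$.

Alice: computes $key = \mathrm{nmExt}(w; y)$.

If

$R_B = \mathrm{Ext}(w, s')$, $R_A = \mathrm{Ext}(w, s)$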
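The message flow of the protocol above, as an added example that is not part of the talk. HMAC-SHA256 is swapped in for nmExt, Ext and MAC, so this sketch is computational rather than information-theoretic. The function names, the Eve hooks and the rule that Alice outputs $R_A$ only when the tag verifies under her own key are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumptions): the talk's nmExt, Ext and MAC are information-theoretic
# objects; HMAC-SHA256 is used here only so the two-round flow can be executed.
def nm_ext(w: bytes, y: bytes) -> bytes:
    return hmac.new(y, b"nmExt|" + w, hashlib.sha256).digest()

def ext(w: bytes, s: bytes) -> bytes:
    return hmac.new(s, b"Ext|" + w, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def run_protocol(w, eve_on_y=lambda y: y, eve_on_reply=lambda s, sigma: (s, sigma)):
    """Run both rounds; the two hooks model an active Eve rewriting messages.

    Returns (R_A, R_B); R_A is None when Alice rejects.
    """
    # Round 1, Alice -> Bob: a fresh seed y for nmExt. Bob sees y'.
    y = secrets.token_bytes(16)
    y_prime = eve_on_y(y)

    # Round 2, Bob -> Alice: a seed s' for Ext, authenticated under key'.
    key_prime = nm_ext(w, y_prime)
    s_prime = secrets.token_bytes(16)
    sigma_prime = mac(key_prime, s_prime)
    r_b = ext(w, s_prime)
    s, sigma = eve_on_reply(s_prime, sigma_prime)

    # Alice derives key from the y she actually sent and checks the tag
    # before using the received seed s.
    key = nm_ext(w, y)
    if not hmac.compare_digest(sigma, mac(key, s)):
        return None, r_b
    return ext(w, s), r_b

if __name__ == "__main__":
    w = b"constructed weak shared secret"  # constructed sample input
    r_a, r_b = run_protocol(w)
    print("honest run agrees:", r_a == r_b)
```

If Eve changes $y$, Bob tags under a key unrelated to Alice's, and if she changes $s'$ the tag no longer matches, so Alice rejects in both cases.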

Privacy Amplification Protocols

[Table: the protocols of [DW09], [DKRS06] and [MW97] compared by number of rounds, entropy loss, communication complexity and assumed min-entropy.]

[DS02, DW09] 1 round requires

[RW03] gave rounds for

[CKOR10] gave rounds for

2 Rounds Privacy Amplification Protocols ()

[Table: Our result 2, Our result 1, [DLWZ11], [DW09] and the non-constructive [DW09] compared by entropy loss, communication complexity and assumed min-entropy.]

The Extractor of [Raz05]

A sequence of r.v -fools linear tests of size if for every such that , it holds that

Fooling Linear Tests of Bounded Size

Good explicit constructions ([NN93], [AGHP92],…) and many applications.

[Figure: the random variables $Z_1\ Z_2 \cdots Z_D$, with the labels "Points of the sample space (seed)" and "Random variables".]

A Central Lemma from [Raz05]

Seed

Weak source

-fools linear tests of size .

Ext

is a (strong) seeded-extractor for .

Proof Idea for

[Figure: the random variables $Z_1\ Z_2 \cdots Z_D$, the weak source $W$, and two seeds $s$ and $A(s)$.]

$Y_s = \mathrm{Ext}(W; s) \oplus \mathrm{Ext}(W; A(s))$ is typically biased (say towards 0)

[Figure: graph with an edge between $s$ and $A(s)$, labeled $\mathrm{bias}(Y_s)$.]

• Acyclic
• Many vertices
• Average edge weight is large

$\cdots\ Z_s \oplus Z_{A(s)}\ \cdots$

-fools linear tests of size

[Raz05] implies that this is also an extractor

stands in contradiction!

A Few Words on the Proof Idea for Arbitrary

Arbitrary : Less-trivial lemma about graphs. Constructing the acyclic graph using a greedy algorithm.

Arbitrary : A generalization of the Parity Lemma - Conditional Parity Lemma (a similar lemma appears in [DLWZ11]).

Proof Idea for Arbitrary

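(Classic) Parity Lemma

$$\|X - U_m\|_1^2 \le \sum_{\emptyset \ne \sigma \subseteq [m]} \mathrm{bias}^2(X_\sigma)$$

Conditional Parity Lemma

$$\|(X, Y) - (U_m, Y)\|_1^2 \le \sum_{\substack{\emptyset \ne \sigma \subseteq [m] \\ \tau \subseteq [n]}} \mathrm{bias}^2(X_\sigma \oplus Y_\tau) \quad \text{for } Y = Y_1 \ldots Y_n$$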
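A numerical check of both parity lemmas on small distributions, as an added example that is not from the talk. It assumes $X_\sigma$ is the XOR of the bits of $X$ indexed by $\sigma$, that $\mathrm{bias}(B) = |\Pr[B=0] - \Pr[B=1]|$, and that $\|\cdot\|_1$ is the sum of absolute differences; all function names are hypothetical.

```python
import random

def parity_bias(dist, mask):
    """|Pr[parity = 0] - Pr[parity = 1]| for the XOR of the bits selected by mask.

    dist[x] is the probability of the bit string encoded by the integer x.
    """
    return abs(sum(p * (-1) ** bin(x & mask).count("1") for x, p in enumerate(dist)))

def parity_lemma_sides(dist, m):
    """(lhs, rhs) of the classic lemma for X distributed over {0,1}^m."""
    uniform = 1.0 / (1 << m)
    lhs = sum(abs(p - uniform) for p in dist) ** 2
    rhs = sum(parity_bias(dist, sigma) ** 2 for sigma in range(1, 1 << m))
    return lhs, rhs

def conditional_parity_lemma_sides(joint, m, n):
    """(lhs, rhs) of the conditional lemma; joint[(x << n) | y] = Pr[X = x, Y = y]."""
    xs, ys = range(1 << m), range(1 << n)
    p_y = [sum(joint[(x << n) | y] for x in xs) for y in ys]  # marginal of Y
    # (U_m, Y) puts mass p_y[y] / 2^m on every pair (x, y).
    lhs = sum(abs(joint[(x << n) | y] - p_y[y] / (1 << m)) for x in xs for y in ys) ** 2
    rhs = sum(parity_bias(joint, (sigma << n) | tau) ** 2
              for sigma in range(1, 1 << m) for tau in ys)
    return lhs, rhs

def random_dist(size, rng):
    """A constructed test distribution over `size` points."""
    weights = [rng.random() for _ in range(size)]
    total = sum(weights)
    return [v / total for v in weights]

if __name__ == "__main__":
    rng = random.Random(2011)
    print(parity_lemma_sides(random_dist(1 << 4, rng), 4))
    print(conditional_parity_lemma_sides(random_dist(1 << 5, rng), 3, 2))
    # Two perfectly correlated bits: both sides equal 1, so the bound is tight.
    print(parity_lemma_sides([0.5, 0.0, 0.0, 0.5], 2))
```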

Open Questions

1. Construct a non-malleable extractor for small min-entropies.

2. Devise a constant-round (hopefully 2) protocol with optimal entropy loss and communication complexity.

Thank You!
