Dispersers for affine sources with sub-polynomial entropy
Ronen Shaltiel, University of Haifa
Randomness extractors and dispersers
Daddy, how do computers get random bits?
How do computers obtain random coin tosses (randomness extractors)
Computers can sample from:
• Electro-magnetic noise (Intel)
• Key strokes of user (Unix)
• Timing of past events (Unix)
These distributions are “somewhat random” but not “truly random”.
Paradigm: randomness extractors
Input: one sample from arbitrary “weak source of randomness”.
Output: independent coin tosses.
[Figure: “weak source of randomness” → input → Randomness Extractor → output → Randomized algorithm]
Extensively studied area, dates back to von-Neumann in 1951: “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.”
Applications in many fields: Randomized complexity theory. Cryptography. Network design. Algorithm design. Ramsey theory. Coding theory. Combinatorics. Data structures.
Extractors have applications in many fields (often unrelated to randomness!).
Goal of field: Design explicit (polynomial time computable) extractors for interesting families of distributions/sources.
Extensively studied area (see e.g. my survey paper(s)).
Dfn: Let C be a set of distributions over $\{0,1\}^n$. A function $E:\{0,1\}^n \to \{0,1\}^m$ is an
• $\epsilon$-extractor if $\forall X \in C$, $E(X)$ is $\epsilon$-close to uniform.
• $\epsilon$-disperser if $\forall X \in C$, $|\mathrm{supp}(E(X))| \ge (1-\epsilon)\cdot 2^m$.
C = Affine sources over $F_2 = \{0,1\}$ of dim k.
Extractors and dispersers for affine sources
Dfn: A dim k affine subspace of $F^n$ is a set $X = \{\sum_{1\le i\le k} a_i \cdot x_i + x'\}$ where $x_1,\dots,x_k \in F^n$ are linearly independent, $a_1,\dots,a_k \in F$ are scalars and $x' \in F^n$ is the “shift vector”.
Affine source X := uniform distribution over some affine subspace.
Goal: construct poly-time computable ext/dis for small dim k.
One bit zero error disperser for affine sources of dim k: $E:\{0,1\}^n \to \{0,1\}$ non-constant on every affine subspace of dim k.
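The one-bit zero-error disperser definition above can be checked exhaustively for tiny n. The following is an added example, not part of the original slides: the function names, the choice n = 4 and the two candidate functions (parity and an inner product) are assumptions made for illustration.

```python
from itertools import combinations

def span(vectors):
    """All F2-linear combinations of the given vectors (int bitmasks)."""
    pts = {0}
    for v in vectors:
        pts |= {p ^ v for p in pts}
    return frozenset(pts)

def affine_subspaces(n, k):
    """Yield every dim-k affine subspace of F2^n as a frozenset of ints."""
    linear = set()
    for vs in combinations(range(1, 2 ** n), k):
        s = span(vs)
        if len(s) == 2 ** k:             # the k vectors were independent
            linear.add(s)
    seen = set()
    for s in linear:
        for shift in range(2 ** n):      # x' ranges over all shift vectors
            coset = frozenset(p ^ shift for p in s)
            if coset not in seen:
                seen.add(coset)
                yield coset

def is_zero_error_disperser(E, n, k):
    """True iff E is non-constant on every dim-k affine subspace."""
    return all(len({E(x) for x in sub}) == 2
               for sub in affine_subspaces(n, k))

def parity(x):
    # A linear function: constant on the hyperplane {x : parity(x) = 0}.
    return bin(x).count("1") % 2

def inner_product(x):
    # x packs (x1, x2, x3, x4); computes x1*x2 + x3*x4 over F2.
    b = [(x >> j) & 1 for j in range(4)]
    return (b[0] & b[1]) ^ (b[2] & b[3])
```

For n = 4 the inner product passes at dim 3 but fails at dim 2, while parity already fails at dim 3; brute force like this is only feasible for very small n, which is why explicit constructions are the goal.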
Explicit constructions of extractors and dispersers for affine sources over F2.

| Comments | Type | Dimension k | Reference |
|---|---|---|---|
| Non-constructive | ext | $k=O(\log n)$ | Probabilistic method |
| Unpublished | ext | $k>n/2$ | [Ben-Sasson, Hoory, Rozenman, Vadhan, Wigderson 2001] |
| One bit, zero error | dis | $k=\delta\cdot n$, $\forall\delta>0$ | [Barak, Kindler, Shaltiel, Sudakov, Wigderson 2005] |
| Many bits, small error | ext | $k=\delta\cdot n$, $\forall\delta>0$ | [Bourgain 2007] |
| Many bits, small error | ext | $k=n/(\log\log n)^{1/2}$ | [Yehudayoff 2010], [Li 2011] |
| Only for “low weight affine sources” which is a restricted family of affine sources | ext | $k=\mathrm{polylog}\ n$ | [Rao 2009] |
| One bit, zero error | dis | $k=(n^{4/5})$ | [Ben-Sasson, Kopparty 2009] |
| One bit, zero error | dis | $k=\exp(\log^{0.9} n)=n^{o(1)}$ | Our result |

First to beat $k=n^{1/2}$ (which is a barrier in many extractor setups).
Our approach can be pushed to output m ≈ log log n bits. [GS08]: If one can achieve: m= polylog n ⇒ m= (k).
Overview of the construction
Affine block-wise sources
An index 1≤i≤n partitions X into (X1,X2).
For affine sources H(X)=dim(X).
Chain rule (Shannon entropy): H(X)=H(X1)+H(X2|X1).
Dfn: index i splits X into a k’-block-wise source if H(X1) ≥ k’ and H(X2|X1) ≥ k’.
Lem: ∀ affine source X of dim k, ∃i* that splits X into a k/2-b.w. source.
[Figure: X of length n, split at index i into X1 (left) and X2 (right)]
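The chain rule and the splitting lemma can be computed directly when a basis of the affine source is known. This is an added example, not part of the original slides: the function names and the sample basis are constructed, and using ⌊k/2⌋ as the threshold for odd k is an assumption.

```python
from itertools import product
from math import log2

def gf2_rank(vectors):
    """Rank over F2 of vectors encoded as int bitmasks."""
    pivots = {}                          # leading-bit position -> reduced vector
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]             # cancel the leading bit and retry
    return len(pivots)

def entropy_profile(basis, n):
    """List of (H(X1), H(X2|X1)) for every split index i = 0..n."""
    k = gf2_rank([int(b, 2) for b in basis])
    profile = []
    for i in range(n + 1):
        # H(X1) = dim of the projection onto the first i coordinates
        h1 = gf2_rank([int(b[:i] or "0", 2) for b in basis])
        profile.append((h1, k - h1))     # chain rule: H(X2|X1) = H(X) - H(X1)
    return profile

def find_split(basis, n):
    """Smallest i* with H(X1) >= k//2 and H(X2|X1) >= k//2."""
    profile = entropy_profile(basis, n)
    k = profile[n][0]
    for i, (h1, h2) in enumerate(profile):
        if h1 >= k // 2 and h2 >= k // 2:
            return i                     # always reached: H(X1) climbs 0..k in steps <= 1

def brute_force_h1(basis, shift, i):
    """H(X1) measured directly: enumerate all 2^k points, count distinct prefixes."""
    n, prefixes = len(shift), set()
    for coeffs in product((0, 1), repeat=len(basis)):
        x = int(shift, 2)
        for a, b in zip(coeffs, basis):
            x ^= int(b, 2) if a else 0
        prefixes.add(format(x, f"0{n}b")[:i])
    return log2(len(prefixes))

# Constructed sample source: n = 8, k = 4, entropy concentrated on the right.
BASIS = ["00010011", "00001010", "00000101", "00000001"]
SHIFT = "10100000"
```

Here `find_split(BASIS, 8)` returns 5, well to the right of n/2, because the entropy sits in the last coordinates. The computation needs the basis; a disperser only receives a single sample of X, which is why the construction needs a separate procedure to locate i*.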
Plan for constructing disperser (Imitate [BKSSW05,BRSW06])
Lem: ∀ affine source X of dim k, ∃i* that splits X into a k/2-b.w. source.
1. Construct disperser bw-Disp(X,i*) that relies on receiving an i* that splits X into a b.w. source.
2. Construct procedure Find(X) s.t. ∀ affine source X of dim k, Find(X) = i*.
3. Final disperser: Disp(X) = bw-Disp( X, Find(X) ).
How can we find i* given a single sample from X?
Nevertheless, this overall approach was used in [BKSSW05,BRSW06] to construct dispersers for 2 independent sources/Ramsey graphs.
∃ affine subspace X’ of X with dim(X’) ≥ $k^{1/2}$, and i* that splits X’ into a b.w.-source, s.t. Find(X’)=i* (with prob. almost one over X’).
Disp(X) Disp(X’) = bw-Disp(X’,Find(X’))}
Roadmap of disperser construction
Disperser for affine sources
bw-Disp(X,i)
Find(X)
“Challenge-Response game”
Somewhere extractor: Function SE(X)=R1,..,Rp s.t. ∀ affine source X of dim k ∃t s.t. Rt is (close to) uniform.
Comes in two flavors:
1. Few outputs: p < k.
2. Linear Seeded: p=poly(n), ∀t, Rt linear function of X. Construction [T99,SU01].
Challenge-Response Game: win(X,i)
Dfn: bw-Disp(X,i) = win(X,i)
Thm: at i* both X1,X2 win w.p. > 0.
⇒ bw-Disp(X,i*) outputs both 1,2.
Clm 1: if H(X1) is large then Pr[win(X,i)=1] ≥ 1-o(1).
Clm 2: if H(X2|X1) is large then Pr[win(X,i)=2] ≥ $2^{-|C|}$ > 0.
The correct i* splits X into a b.w.-source and so both cases hold. ⇒ Thm.
[Figure: X of length n, split at parameter i into X1 and X2. Labels: Challenge of X1 (C1, C2, C3; C); Responses of X2 (R1, R2, R3, R4, R5); Somewhere-extractor with few outputs (#outputs < k); Linear seeded somewhere-extractor (Rt linear in X); X2 wins if ∃t: Rt=C; win(X,i) := winner]
Clm 1: if H(X1) is large then
Pr[win(X,i)=1] ≥ 1-o(1).
Prf: H(X1) is large ⇒ H(C) is large.
Clm: Moreover, ∀t: H(C|Rt) is large.
(∀t,v: (X|Rt=v) is an affine source).
Clm ⇒ ∀t: Pr[Rt=C] is tiny.
union bound ⇒ Pr[∃t: Rt=C] is small.
⇒ Pr[X2 wins] is small.
Clm 2: if H(X2|X1) is large then
Pr[win(X,i)=2] ≥ $2^{-|C|}$ > 0.
Prf: ∃t: Rt is (very close to) uniform and independent of X1 (and thus of C).
⇒ Pr[Rt=C] ≥ $2^{-|C|}$ > 0.
Cor: If H(X) is large and H(X1) is small then ∃ affine subspace X’ of X s.t. Pr[win(X’,i)=2] = 1 and H(X’2)≈H(X2|X1).
X’ is achieved by:
• Fix X1 arbitrarily.
• Condition on {Rt=C}.
Using the game to find i* and split X into a b.w.-source
Let i be a parameter and assume that H(X) is large.
If H(X1) is large then
Pr[win(X,i)=1] ≥ 1-o(1).
If H(X1) is small then ∃ affine subspace X’ of X s.t. Pr[win(X’,i)=2] = 1 and H(X’2)≈H(X2|X1).
We can effectively distinguish!
* Assuming we don’t mind going to subspaces.
* At the cost of fixing X1 in case H(X1) is small.
Procedure Find(X):
• Set i to k/2.
• Play game between X1,X2.
• If X1 wins return i* := i.
• else, increase i and repeat.
By how much?
If X2 wins, analysis fixes entropy left of i.
If X1 wins, we can’t allow it to steal all the entropy. ⇒ H(X2|X1) is large.
k > $n^{1/2}$
Recall that we only need that: ∃ affine subspace X’ of X, and i* that splits X’ into b.w. src s.t. Pr[Find(X’)=i*] ≥ 1-o(1).
Recursive win-win analysis to implement Find for k < $n^{1/2}$.
Split X into t parts of length n/t (t << $n^{1/2}$).
Chain rule: ΣH(Xj|X1,..,Xj-1) ≥ k.
• Either ∃j s.t. H(Xj) is large and H(Xj+1,..,Xn|Xj) is large. ⇒ j splits X into a b.w.-source not relying on parts left of Xj.
• Or else, one part Xj stole almost all entropy in X. ⇒ Xj has higher entropy rate than X. We would like to apply the disperser recursively on Xj.
Requires the ability to test the amount of entropy in a part!
Achieved by a more complicated version of challenge response game (similar idea in [BRSW06]).
[Figure: X of length n split into blocks X1 X2 X3 .. .. Xt]
If k<n/t all the entropy can be in one block.
Roadmap of disperser construction (continued)
Disperser for affine sources
bw-Disp(X,i)
Find(X)
“Challenge-Response game”
Somewhere extractor
“Extractor for affine block-wise sources with O(log n/log k) blocks”
Function SE(X)=R1,..,Rp s.t. ∀ affine source X of dim k ∃t s.t. Rt is (close to) uniform.
SE is only guaranteed to work on some subspace X’ of original source X.
“weak”
Complicated, recursive application of challenge response game.
Conclusion and open problems
Result: Disperser for affine sources of dim $k=n^{o(1)}$. $E:\{0,1\}^n \to \{0,1\}$ non-constant on every affine subspace of dim k.
Strategy imitates [BKSSW05,BRSW06] (which give dispersers for 2 independent sources).
Construction quite involved (yet simpler than [BKSSW05,BRSW06]).
• Affine sources are easier (H instead of H).
• Easier to construct components for affine sources.
Open problems:
• Construct extractors for affine sources of dim < $n^{1/2}$.
• Construct dispersers for affine sources of dim polylog(n).
• Construct simple somewhere-extractors for affine sources ⇒ Simplify disperser construction. (Details in paper).
• More applications of Challenge-Response approach?
Thank you…