Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification

Non-Malleable Extractors with Short Seeds and Applications to

Privacy Amplification

Gil CohenWeizmann Institute

Joint work withRan Raz and Gil Segev

Randomness Seeded-Extractors


Ext almost-trulyrandom bits

bits from animperfect sourceof randomness

truly random bits(seed)



bits from animperfect source

of randomness


If all points has probability , the source is called an -source.

For simplicity, think of it as “uniform hidden bits”.



bits from animperfect sourceof randomness


Measured in statistical distance.

Strong Seeded-Extractors

For any -source and independent

is called strong if

Parameters

Given • Maximize • Minimize


bits from an-source


Non-Constructive and Optimal [Sips88], [RTS00]

Almost matching explicit constructions (…,[LRVW03],[GUV07] ,[DW08],[DKSS09]).

Non-MalleableExtractors

Defined by [DW09]

Non-Malleable Extractors

𝐸𝑥𝑡 (𝑊 ;𝑆 ) 𝜖𝑈𝑚

(𝐸𝑥𝑡 (𝑊 ;𝑆 ) ,𝑆 ) 𝜖 (𝑈𝑚 ,𝑆 )

with no fixed point.

A Not Non-Malleable Extractor

Expanders are low-degree undirected graphs that “look random”.

Nodes Labeled neighbors (think of 1-16).

Are known to induce extractors.


𝑤


𝑤


4

𝑤


4

9

𝑤


4

9

1

𝑤


4

9

14

𝑤


4

9

14

7

𝑤


4

9

14

7

11

𝑤


𝐸𝑥𝑡 (𝑤 ;𝑠 )

4

9

14

7

11

𝑤


𝐸𝑥𝑡 (𝑤 ;𝑠 )

𝐸𝑥𝑡 (𝑤 ; 𝐴 (𝑠 ) )

4

9

14

7

11

10

Non-Constructive [DW09]

• Seed length • Output length

Compared with strong extractors• Seed length • Output length







The Explicit Construction of [DLWZ11]

• Conditional efficiency







Main Result

Main Result

• Unconditionally efficient

Main Result


Main Result


Main Result


Main Result


PrivacyAmplification

- passive adversary -

[BBR88], [Mau92],[BBCM95]

𝑤 𝑊

𝑅

Alice Bob

Eve

𝑅

?=

is an -source

Computationally unbounded!

Interesting Measures• Entropy loss• Communication complexity• Number of rounds

𝑤 𝑊

𝑅

Alice Bob

Eve

𝑅?=


𝑤 𝑊

𝑅

Alice Bob

Eve

𝑅?=

from Eve’s point of view


𝑤 𝑊

𝑅

Alice Bob

Eve

𝑅?=

Number of communicated bits


𝑤 𝑊

𝑅

Alice Bob

Eve

𝑅?=

Strong Extractors to the Rescue

𝑤 𝑊

s 𝑈𝑑𝑠 𝑠

𝑅=𝐸𝑥𝑡 (𝑤 ,𝑠 ) 𝑅=𝐸𝑥𝑡 (𝑤 ,𝑠 )

Strong Extractors to the Rescue

• Entropy loss • Communication complexity • Number of rounds

𝑤 𝑊

s𝑠 𝑠

𝑅=𝐸𝑥𝑡 (𝑤 ,𝑠 ) 𝑅=𝐸𝑥𝑡 (𝑤 ,𝑠 )

PrivacyAmplification

- active adversary -

[Mau97],[MM97],[Wol98],[MW03],[RW03], [DKRS06],[DW09],[KR09],[CKOR10]

Privacy Amplification Protocol Active Adversary

• Correctness• Privacy• Authenticity


If both parties are honest then they agree.



For any Eve, from Eve’s view.



For any Eve, .


𝑤 𝑊

𝑦 𝑈𝑑1

𝑘𝑒𝑦=𝑛𝑚𝐸𝑥𝑡 (𝑤 ;𝑦 )𝑠′ 𝑈 𝑑2

𝑦 ′𝑘𝑒𝑦 ′=𝑛𝑚𝐸𝑥𝑡 (𝑤 ; 𝑦 ′ )

𝜎 ′=𝑀𝐴𝐶𝑘𝑒𝑦 ′ (𝑠 ′ )𝑠′ ,𝜎 ′𝑠 ,𝜎

If

𝑅𝐵=𝐸𝑥𝑡 (𝑤 ,𝑠 ′ )𝑅𝐴=𝐸𝑥𝑡 (𝑤 ,𝑠 )

Privacy Amplification Protocols

[DW09] [DKRS06] [MW97]

Number of rounds

Entropy loss

Communication complexity

Assumed min-entropy

[DS02, DW09] 1 round requires

[RW03] gave rounds for

[CKOR10] gave rounds for

2 Rounds Privacy Amplification Protocols ()

Our result 2

Our result 1

[DLWZ11] [DW09]Non-

constructive [DW09]

Entropy loss

Communication

complexity

Assumed min-entropy

The Extractorof [Raz05]

A sequence of r.v -fools linear tests of size if for every such that , it holds that

Fooling Linear Tests of Bounded Size

Good explicit constructions ([NN93], [AGHP92],…) and many applications.

𝑍1𝑍 2𝑍𝐷

Points of the

sample space(seed)

Random variables

A Central Lemma from [Raz05]Seed

Weak source

-fools linear tests of size .

Ext

is a (strong) seeded-extractor for .

Proof IdeaFor

Proof Idea

𝑍1𝑍 2 ⋯ 𝑍𝐷

Proof Idea

𝑊

𝑍1𝑍 2 ⋯ 𝑍𝐷

Proof Idea

𝑊

𝑠 𝐴 (𝑠 )

𝐸𝑥𝑡 (𝑊 ;𝑠 )𝐸𝑥𝑡 (𝑊 ; 𝐴 (𝑠 ) )

is typically biased (say towards 0)

Proof Idea

𝑊

𝑠 𝐴 (𝑠 )

𝐸𝑥𝑡 (𝑊 ;𝑠 )𝐸𝑥𝑡 (𝑊 ; 𝐴 (𝑠 ) )

is typically biased (say towards 0)

Proof Idea

𝑠 𝐴 (𝑠 )

𝑠𝐴 (𝑠 )

𝑏𝑖𝑎𝑠 (𝑌 𝑠 )

Proof Idea

𝑠 𝐴 (𝑠 )

𝑠𝐴 (𝑠 )

𝑏𝑖𝑎𝑠 (𝑌 𝑠 )Acyclic

Many vertices

Average edge weight is large

Proof Idea

𝑠 𝐴 (𝑠 )

𝑠𝐴 (𝑠 )

𝑏𝑖𝑎𝑠 (𝑌 𝑠 )Acyclic

Many vertices

Average edge weight is large

Proof Idea

⋯ 𝑍 𝑠⊕𝑍𝐴 (𝑠 )⋯

-fools linear tests of size

[Raz05] implies that this is also an

extractor

𝑊

stands in contradiction!

𝑌 𝑠=E 𝑥𝑡 (𝑊 ; 𝑠)⊕𝐸𝑥𝑡 (𝑊 ; 𝐴 (𝑠) )

A Few Words on the

Proof Ideafor Arbitrary

Arbitrary : Less-trivial lemma about graphs. Constructing the acyclic graph using a greedy algorithm.

Arbitrary : A generalization of the Parity Lemma - Conditional Parity Lemma (a similar lemma appears in [DLWZ11]).

Proof Idea for Arbitrary

Proof Idea for Arbitrary

‖𝑋 −𝑈𝑚‖12≤ ∑

∅ ≠𝜎⊆ [𝑚 ]𝑏𝑖𝑎𝑠2 (𝑋𝜎 )

‖(𝑋 ,𝑌 )− (𝑈𝑚 ,𝑌 )‖12≤ ∑

∅ ≠𝜎 ⊆ [𝑚 ]𝜏⊆ [𝑛 ]

𝑏𝑖𝑎𝑠2 (𝑋𝜎⊕𝑌𝜏 )❑

for

𝑌=𝑌 1…𝑌 𝑛

(Classic) Parity Lemma

Conditional Parity Lemma

Open Questions

1. Construct a non-malleable extractor for small min-entropies.

2. Devise a constant-round (hopefully 2) protocol with optimal entropy loss and communication complexity.

Open Questions

Thank You!

Documents

Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification