Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification
Gil Cohen, Weizmann Institute
Joint work with Ran Raz and Gil Segev
Randomness Seeded-Extractors
[Figure: Ext takes “bits from an imperfect source of randomness” and “truly random bits (seed)” and outputs “almost-truly random bits”.]
If all points have probability , the source is called an -source.
For simplicity, think of it as “uniform hidden bits”.
Measured in statistical distance.
Strong Seeded-Extractors
For any -source and independent
is called strong if
Parameters
Given
• Maximize
• Minimize
[Figure: Ext takes “bits from an -source” and “truly random bits (seed)” and outputs “almost-truly random bits”.]
Non-Constructive and Optimal [Sips88], [RTS00]
Almost matching explicit constructions (…, [LRVW03], [GUV07], [DW08], [DKSS09]).
Non-Malleable Extractors
Defined by [DW09]
$\mathrm{Ext}(W; S) \approx_\epsilon U_m$
$(\mathrm{Ext}(W; S), S) \approx_\epsilon (U_m, S)$
with no fixed point.
A Not Non-Malleable Extractor
Expanders are low-degree undirected graphs that “look random”.
Nodes Labeled neighbors (think of 1-16).
Are known to induce extractors.
[Figure: expander-graph animation. Labels appearing over successive frames: $w$; 4, 9, 14, 7, 11; $\mathrm{Ext}(w; s)$; then $\mathrm{Ext}(w; A(s))$ and 10.]
Non-Constructive [DW09]
• Seed length
• Output length
Compared with strong extractors
• Seed length
• Output length
The Explicit Construction of [DLWZ11]
• Conditional efficiency
Main Result
• Unconditionally efficient
Privacy Amplification
- passive adversary -
[BBR88], [Mau92], [BBCM95]
[Figure: Alice and Bob communicating, with Eve on the channel. Diagram labels: $w$, $W$, $R$, “$R$ ?=”.]
is an -source
Computationally unbounded!
Interesting Measures
• Entropy loss
• Communication complexity
• Number of rounds
from Eve’s point of view
Number of communicated bits
Strong Extractors to the Rescue
[Figure: Alice and Bob share $w \sim W$; a seed $s \sim U_d$ is sent over the channel; Alice and Bob each compute $R = \mathrm{Ext}(w, s)$.]
• Entropy loss
• Communication complexity
• Number of rounds
Privacy Amplification
- active adversary -
[Mau97], [MM97], [Wol98], [MW03], [RW03], [DKRS06], [DW09], [KR09], [CKOR10]
Privacy Amplification Protocol Active Adversary
• Correctness: If both parties are honest then they agree.
• Privacy: For any Eve, from Eve’s view.
• Authenticity: For any Eve, .
Privacy Amplification Protocol Active Adversary
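Shared: $w \sim W$
Alice: $y \sim U_{d_1}$, $key = \mathrm{nmExt}(w; y)$
Alice → Bob: $y$ (received as $y'$)
Bob: $key' = \mathrm{nmExt}(w; y')$, $s' \sim U_{d_2}$, $\sigma' = \mathrm{MAC}_{key'}(s')$
Bob → Alice: $s', \sigma'$ (received as $s, \sigma$)
If
$R_A = \mathrm{Ext}(w, s)$, $R_B = \mathrm{Ext}(w, s')$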
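The message flow of the two-round protocol above, as an added Python example that is not from the talk or the cited papers. `nm_ext` is an HMAC-SHA-256 stand-in (computational, not an information-theoretic non-malleable extractor); the one-time MAC $a \cdot s + b \bmod p$, the truncated multiplicative hash used as Ext, the 127-bit modulus, the acceptance check $\sigma = \mathrm{MAC}_{key}(s)$ and the Eve callbacks are assumptions of the example.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus for the MAC and for Ext (assumed parameter size)

def nm_ext(w: bytes, y: bytes):
    # STAND-IN for nmExt(w; y): HMAC-SHA-256 keyed by the seed y.
    # Computational placeholder, not an information-theoretic nmExt.
    d = hmac.new(y, w, hashlib.sha256).digest()
    return int.from_bytes(d[:16], "big") % P, int.from_bytes(d[16:], "big") % P

def mac(key, s: int) -> int:
    # One-time MAC: the pairwise-independent map s -> a*s + b over GF(P).
    a, b = key
    return (a * s + b) % P

def ext(w: bytes, s: int, m: int = 64) -> int:
    # Ext(w, s) as a multiplicative hash mod P truncated to m bits
    # (almost-universal family). Needs len(w) <= 15 bytes so that w < P.
    return (s * int.from_bytes(w, "big")) % P % 2**m

def run_protocol(w: bytes, eve_y=lambda y: y, eve_msg=lambda s, sig: (s, sig)):
    """One execution. Eve's optional callbacks rewrite messages in transit.
    Returns (R_A, R_B); R_A is None when Alice rejects."""
    y = secrets.token_bytes(16)               # Alice -> Bob: y ~ U_{d1}
    y_prime = eve_y(y)                        # what Bob actually receives
    key_prime = nm_ext(w, y_prime)            # Bob: key' = nmExt(w; y')
    s_prime = secrets.randbelow(P)            # Bob: s' ~ U_{d2}
    sigma_prime = mac(key_prime, s_prime)     # Bob -> Alice: (s', sigma')
    s, sigma = eve_msg(s_prime, sigma_prime)  # what Alice actually receives
    key = nm_ext(w, y)                        # Alice: key = nmExt(w; y)
    r_b = ext(w, s_prime)                     # Bob: R_B = Ext(w, s')
    # Alice outputs R_A = Ext(w, s) only if the tag verifies under her own key.
    r_a = ext(w, s) if sigma == mac(key, s) else None
    return r_a, r_b
```

Rewriting $y$ in transit gives Bob a different MAC key than Alice's, and rewriting $s'$ invalidates the tag, so in both cases Alice rejects.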
Privacy Amplification Protocols
[DW09] [DKRS06] [MW97]
Number of rounds
Entropy loss
Communication complexity
Assumed min-entropy
[DS02, DW09] 1 round requires
[RW03] gave rounds for
[CKOR10] gave rounds for
2 Rounds Privacy Amplification Protocols ()
Our result 2
Our result 1
[DLWZ11] [DW09] Non-constructive [DW09]
Entropy loss
Communication complexity
Assumed min-entropy
The Extractor of [Raz05]
A sequence of r.v -fools linear tests of size if for every such that , it holds that
Fooling Linear Tests of Bounded Size
Good explicit constructions ([NN93], [AGHP92],…) and many applications.
$Z_1, Z_2, \ldots, Z_D$
Points of the sample space (seed)
Random variables
A Central Lemma from [Raz05]
Seed
Weak source
-fools linear tests of size .
Ext
is a (strong) seeded-extractor for .
Proof Idea For
[Figure: the random variables $Z_1, Z_2, \cdots, Z_D$ and the source $W$; labels $s$, $A(s)$, $\mathrm{Ext}(W; s)$, $\mathrm{Ext}(W; A(s))$.]
is typically biased (say towards 0)
[Figure: graph on seeds with edges between $s$ and $A(s)$; label $\mathrm{bias}(Y_s)$.]
Acyclic
Many vertices
Average edge weight is large
$\cdots\ Z_s \oplus Z_{A(s)}\ \cdots$
-fools linear tests of size
[Raz05] implies that this is also an extractor
$W$
stands in contradiction!
$Y_s = \mathrm{Ext}(W; s) \oplus \mathrm{Ext}(W; A(s))$
A Few Words on the Proof Idea for Arbitrary
Arbitrary : Less-trivial lemma about graphs. Constructing the acyclic graph using a greedy algorithm.
Arbitrary : A generalization of the Parity Lemma - Conditional Parity Lemma (a similar lemma appears in [DLWZ11]).
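Proof Idea for Arbitrary
(Classic) Parity Lemma
$$\|X - U_m\|_1^2 \le \sum_{\emptyset \ne \sigma \subseteq [m]} \mathrm{bias}^2(X_\sigma)$$
Conditional Parity Lemma
$$\|(X, Y) - (U_m, Y)\|_1^2 \le \sum_{\substack{\emptyset \ne \sigma \subseteq [m] \\ \tau \subseteq [n]}} \mathrm{bias}^2(X_\sigma \oplus Y_\tau)$$
for $Y = Y_1 \ldots Y_n$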
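A numerical check of the two parity lemmas above on small distributions, added here and not part of the talk. It assumes $\|\cdot\|_1$ is the sum of absolute differences and $\mathrm{bias}(Z) = |\Pr[Z=0] - \Pr[Z=1]|$; the function names and sample distributions are constructed for the example.

```python
import itertools
import random

def cube(k):
    # All bit-tuples of length k; cube(0) is the single empty tuple.
    return list(itertools.product((0, 1), repeat=k))

def parity(bits, subset):
    # XOR of the bits selected by the 0/1 indicator tuple `subset`.
    return sum(b & s for b, s in zip(bits, subset)) & 1

def parity_lemma_sides(joint, m, n):
    """joint maps (x, y) bit-tuple pairs to probabilities.
    Returns (lhs, rhs) of the conditional parity lemma; n = 0 gives the classic one."""
    p_y = {y: sum(joint.get((x, y), 0.0) for x in cube(m)) for y in cube(n)}
    # lhs: squared L1 distance between (X, Y) and (U_m, Y)
    l1 = sum(abs(joint.get((x, y), 0.0) - p_y[y] / 2**m)
             for x in cube(m) for y in cube(n))
    # rhs: bias^2 of X_sigma xor Y_tau, summed over nonempty sigma and every tau
    rhs = 0.0
    for sigma in cube(m):
        if not any(sigma):
            continue
        for tau in cube(n):
            bias = sum(pr * (-1) ** (parity(x, sigma) ^ parity(y, tau))
                       for (x, y), pr in joint.items())
            rhs += bias ** 2
    return l1 ** 2, rhs

def random_joint(m, n, rng):
    # Constructed sample input: a random distribution over {0,1}^m x {0,1}^n.
    weights = {(x, y): rng.random() for x in cube(m) for y in cube(n)}
    total = sum(weights.values())
    return {k: v / total for k, v in weights.items()}

# Constructed case: X is a copy of the single bit Y. X alone is unbiased,
# yet (X, Y) is far from (U_1, Y); only the tau = {1} term detects it.
COPY = {((0,), (0,)): 0.5, ((1,), (1,)): 0.5}
```

On `COPY` both sides equal 1, so the bound is tight there, while the classic lemma's only term, $\mathrm{bias}^2(X)$, is 0.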
Open Questions
1. Construct a non-malleable extractor for small min-entropies.
2. Devise a constant-round (hopefully 2) protocol with optimal entropy loss and communication complexity.
Thank You!