Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification
Gil Cohen, Weizmann Institute
Joint work with Ran Raz and Gil Segev
Randomness Seeded-Extractors
[Diagram: Ext takes bits from an imperfect source of randomness and truly random bits (the seed), and outputs almost-truly random bits.]
If all points have probability , the source is called an -source.
For simplicity, think of it as “uniform hidden bits”.
Measured in statistical distance.
Strong Seeded-Extractors
For any -source and independent
is called strong if
Parameters
Given
• Maximize
• Minimize
[Diagram: Ext takes bits from an -source and truly random bits (the seed), and outputs almost-truly random bits.]
Non-Constructive and Optimal [Sips88], [RTS00]
Almost matching explicit constructions (…, [LRVW03], [GUV07], [DW08], [DKSS09]).
Non-Malleable Extractors
Defined by [DW09]
Ext( ; )
(Ext( ; ), ) ( , )
with no fixed point.
A Not Non-Malleable Extractor
Expanders are low-degree undirected graphs that “look random”.
Nodes Labeled neighbors (think of 1-16).
Are known to induce extractors.
[Figure: expander graph with a walk starting at node w; the edge labels 4, 9, 14, 7, 11, 10 appear along the walk, and the nodes Ext(w; s) and Ext(w; A(s)) are marked.]
Non-Constructive [DW09]
• Seed length
• Output length
Compared with strong extractors
• Seed length
• Output length
The Explicit Construction of [DLWZ11]
• Conditional efficiency
Main Result
• Unconditionally efficient
Privacy Amplification
- passive adversary -
[BBR88], [Mau92], [BBCM95]
[Diagram: Alice and Bob each hold w and talk over a channel that Eve listens to.]
is an -source
Computationally unbounded!
Interesting Measures
• Entropy loss
• Communication complexity
• Number of rounds
from Eve's point of view
Number of communicated bits
Strong Extractors to the Rescue
[Diagram: Alice and Bob both hold w; s is sent over the channel and each side computes Ext(w, s).]
• Entropy loss
• Communication complexity
• Number of rounds
Privacy Amplification
- active adversary -
[Mau97], [MM97], [Wol98], [MW03], [RW03], [DKRS06], [DW09], [KR09], [CKOR10]
Privacy Amplification Protocol Active Adversary
• Correctness: If both parties are honest then they agree.
• Privacy: For any Eve, from Eve's view.
• Authenticity: For any Eve, .
Privacy Amplification Protocol Active Adversary
Alice (holds w)                      Bob (holds w)
y                    --- y --->      y′
key = nmExt(w; y)                    key′ = nmExt(w; y′)
                                     s′
                                     σ′ = MAC_key′(s′)
s, σ                 <--- s′, σ′ ---
If
R_A = Ext(w, s)                      R_B = Ext(w, s′)
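The two-round exchange on this slide, whose last step is the passive protocol from "Strong Extractors to the Rescue", as an added Python example that is not code from the talk or from [DW09]. Assumptions: `ext` is a Toeplitz hash standing in for a strong extractor, `nm_ext` is a SHA-256 placeholder that is not a proven non-malleable extractor, the MAC is the one-time a·s+b MAC modulo 2^61−1, and all names, sizes and the `tamper_*` hooks are hypothetical.

```python
import hashlib
import secrets

P = 2**61 - 1      # prime modulus of the one-time MAC (assumed parameter)
N, M = 48, 8       # bits in the weak secret w / in the final key (assumed)

def ext(w, s):
    """Ext(w, s): Toeplitz hash, a stand-in strong extractor; s has N+M-1 bits."""
    out = 0
    for i in range(M):
        row = (s >> i) & ((1 << N) - 1)          # row i of the Toeplitz matrix
        out |= (bin(w & row).count("1") & 1) << i
    return out

def nm_ext(w, y):
    """PLACEHOLDER for nmExt(w; y): SHA-256 based, with no non-malleability proof."""
    d = hashlib.sha256(w.to_bytes(8, "big") + y.to_bytes(16, "big")).digest()
    return int.from_bytes(d[:8], "big") % P, int.from_bytes(d[8:16], "big") % P

def mac(key, msg):
    """One-time MAC a*msg + b mod P; msg must be below P."""
    a, b = key
    return (a * msg + b) % P

def run(w, tamper_y=None, tamper_s=None):
    """One protocol run; returns (R_A, R_B), with R_A = None if Alice rejects."""
    # Round 1, Alice -> Bob: y, which Bob receives as y'
    y = secrets.randbits(128)
    y_recv = tamper_y(y) if tamper_y else y
    # Round 2, Bob -> Alice: (s', sigma'), which Alice receives as (s, sigma)
    key_bob = nm_ext(w, y_recv)
    s_bob = secrets.randbits(N + M - 1)
    sigma_bob = mac(key_bob, s_bob)
    s_recv = tamper_s(s_bob) if tamper_s else s_bob
    sigma_recv = sigma_bob
    # Alice recomputes the tag under her own key before accepting s
    key_alice = nm_ext(w, y)
    accepted = mac(key_alice, s_recv) == sigma_recv
    r_a = ext(w, s_recv) if accepted else None
    r_b = ext(w, s_bob)
    return r_a, r_b

if __name__ == "__main__":
    w = secrets.randbits(N)                      # constructed sample secret
    print("honest:      ", run(w))
    print("s' modified: ", run(w, tamper_s=lambda s: s ^ 1))
    print("y modified:  ", run(w, tamper_y=lambda y: y ^ 1))
```

In the two tampered runs Alice's tag check fails, so she outputs no key instead of a key Bob does not share.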
Privacy Amplification Protocols
[DW09] [DKRS06] [MW97]
Number of rounds
Entropy loss
Communication complexity
Assumed min-entropy
[DS02, DW09] 1 round requires
[RW03] gave rounds for
[CKOR10] gave rounds for
2 Rounds Privacy Amplification Protocols ()
Our result 2
Our result 1
[DLWZ11]
[DW09]
Non-constructive [DW09]
Entropy loss
Communication complexity
Assumed min-entropy
The Extractor of [Raz05]
Fooling Linear Tests of Bounded Size
A sequence of r.v. -fools linear tests of size if for every such that , it holds that
Good explicit constructions ([NN93], [AGHP92], …) and many applications.
[Figure: the random variables, indexed 1, 2, …, D, with the labels “Points of the sample space”, “(seed)” and “Random variables”.]
A Central Lemma from [Raz05]
[Diagram: Ext with inputs labeled “Seed” and “Weak source”.]
-fools linear tests of size .
is a (strong) seeded-extractor for .
Proof Idea for
[Figure: the random variables indexed 1, 2, ⋯, D.]
Ext( ; ) Ext( ; A( ))
is typically biased (say towards 0)
[Figure: graph on seeds and their images under A, with edges labeled bias( ).]
Acyclic
Many vertices
Average edge weight is large
⋯ ⊕ A( ) ⋯
-fools linear tests of size
[Raz05] implies that this is also an extractor
stands in contradiction!
= Ext( ; ) ⊕ Ext( ; A( ))
A Few Words on the Proof Idea for Arbitrary
Arbitrary : Less-trivial lemma about graphs. Constructing the acyclic graph using a greedy algorithm.
Arbitrary : A generalization of the Parity Lemma - Conditional Parity Lemma (a similar lemma appears in [DLWZ11]).
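Proof Idea for Arbitrary
(Classic) Parity Lemma
$\| Z - U_m \|_1^2 \le \sum_{\emptyset \ne \tau \subseteq [m]} \mathrm{bias}^2(Z_\tau)$
Conditional Parity Lemma
$\| (Z, Y) - (U_m, Y) \|_1^2 \le \sum_{\emptyset \ne \tau \subseteq [m],\ \sigma \subseteq [n]} \mathrm{bias}^2(Z_\tau \oplus Y_\sigma)$
for $Z = Z_1 \ldots Z_m$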
Open Questions
1. Construct a non-malleable extractor for small min-entropies.
2. Devise a constant-round (hopefully 2) protocol with optimal entropy loss and communication complexity.
Thank You!