The Curve Merger (Dvir & Widgerson, 2008) Aviv Gil-Ad

Our schedule for today: Sources Mergers The curve merger Analysis

Sources A few definitions

Min-Entropy The min-entropy of a random variable 𝑋 is defined as 𝐻 ∞ 𝑋 = min 𝑥∈𝑠𝑢𝑝𝑝 𝑋 log 1 Pr 𝑋=𝑥 The uniform distribution 𝑈 𝑛 over 0,1 𝑛 satisfies 𝐻 ∞ 𝑈 𝑛 =𝑛.

Example 𝐻 ∞ 𝑋 =2 𝐻 ∞ 𝑌 =1

Statistical Distance The statistical distance between two random variables 𝑋,𝑌 distributed over Ω is defined as 𝑋−𝑌 1 = 1 2 𝑥∈Ω Pr 𝑋=𝑥 − Pr 𝑌=𝑥 = max 𝑆⊆Ω Pr 𝑋∈𝑆 − Pr 𝑌∈𝑆 𝑋 and 𝑌 are called “𝜖-close” if 𝑋−𝑌 1 ≤𝜖, and 𝜖-far otherwise.

Example 1 2 𝑥∈Ω Pr 𝑋=𝑥 − Pr 𝑌=𝑥 = 1 2 0.25+0.25+0.05+0.05 =0.3 max 𝑆⊆Ω Pr 𝑋∈𝑆 − Pr 𝑌∈𝑆 = Pr 𝑋∈ 1,2 − Pr 𝑌∈ 1,2 =0.3

Convex combinations 𝑋 is a convex combination of 𝑋 1 ,…, 𝑋 𝑛 if there exist 0≤ 𝑞 1 ,…, 𝑞 𝑛 ≤1 such that Pr 𝑋=𝑥 = 𝑖=1 𝑛 𝑞 𝑖 Pr 𝑋 𝑖 =𝑥 and 𝑖=1 𝑛 𝑞 𝑖 =1

Somewhere Random Sources Let 𝑋= 𝑋 1 ,…, 𝑋 𝑘 a random variable such that each 𝑋 𝑖 is distributed over 0,1 𝑛 . 𝑋 is a simple somewhere random source if there exists 𝑖∈ 𝑘 such that 𝑋 𝑖 = 𝑈 𝑛 . 𝑋 is a somewhere random source if it is a convex combination of simple somewhere random sources.

A challenge Let’s say we have two sources, 𝑋,𝑌, over 0,1 𝑛 . We flip a coin 𝑍. 𝑋|𝑍=0 and 𝑌|𝑍=1 are uniform. Can you extract a bit of randomness out of 𝑋,𝑌 ?

Mergers The main definition for today

What is a merger? A function 𝑀: 0,1 𝑛 𝑘 × 0,1 𝑑 → 0,1 𝑛 is an 𝑚,𝜖 - merger if for every somewhere random source 𝑋 over 0,1 𝑛 𝑘 , the distribution of 𝑀 𝑋, 𝑈 𝑑 is 𝜖-close to some distribution with min-entropy of at least 𝑚.

Another view 𝑀: 0,1 𝑛 𝑘 × 0,1 𝑑 → 0,1 𝑛 The input, composed of 𝑘 coordinates, each distributed over 0,1 𝑛 The output, a random variable over 0,1 𝑛 Random seed, uniform over 0,1 𝑑

Other parameters 𝜖 – the distance of the output from a “good” source. We want 𝜖 to be small. 𝑚 – the min-entropy of the output (±𝜖). Clearly, 𝑚≤𝑛. We want 𝑚 to be very close to 𝑛. We also want an explicit merger: a merger that we can compute in polynomial time.

The Curve Merger Finally, the main construction

A solution for our challenge Find a finite field 𝔽 𝑞 of sufficient size. Treat the input 𝑥,𝑦 as a member of 𝔽 𝑞 𝑟 × 𝔽 𝑞 𝑟 . Pass a line between 0,𝑥 and 1,𝑦 : 𝑀 𝑥,𝑦,𝑡 =𝑡𝑦+ 1−𝑡 𝑥 Return a random point on the line.

Constructing the merger Let 𝔽 be a finite field and 𝛾 1 ,…, 𝛾 𝑘 ∈𝔽 be distinct field elements. We define the following 𝑘 polynomials in 𝔽 𝑢 : 𝑐 𝑖 𝑢 ≔ 𝑖≠𝑗∈ 𝑘 𝑢− 𝛾 𝑗 𝛾 𝑖 − 𝛾 𝑗 Notice that 𝑐 𝑖 𝛾 𝑗 = 1 𝑗=𝑖 0 𝑗≠𝑖

Constructing the merger, continued We define the function 𝑀: 𝔽 𝑟 𝑘 ×𝔽→ 𝔽 𝑟 as follows: 𝑀 𝑥 1 ,…, 𝑥 𝑘 ,𝑢 ≔ 𝑖=1 𝑘 𝑐 𝑖 𝑢 ⋅ 𝑥 𝑖 Which is the polynomial curve of degree 𝑘−1 passing through all 𝛾 𝑖 , 𝑥 𝑖 .

Another example, 𝑘=3 𝑀 𝑥 0 , 𝑥 1 , 𝑥 2 ,𝑡 = 𝑡−1 𝑡−2 −1 ⋅ −2 𝑥 0 + 𝑡 𝑡−2 1⋅ −1 𝑥 1 + 𝑡 𝑡−1 2⋅1 𝑥 2

Analysis Proving the existence of good mergers

The main theorem For every 𝛼>0, there exists an explicit 𝑚,𝜖 -merger 𝑀: 0,1 𝑛 𝑘 × 0,1 𝑑 → 0,1 𝑛 , with: 𝑚= 1−𝛼 𝑛 𝑑=𝑂 log 𝑛 + log 𝑘 𝜖=𝑂 𝑛𝑘 −1

Parameters Let 𝔽 be a finite field of size 𝑞= 2 𝑑 such that 𝑛𝑘 4 𝛼 <𝑞≤2 𝑛𝑘 4 𝛼 We will assume w.l.o.g that 𝑟≔ 𝑛 𝑑 ∈ℕ (otherwise we can lose a constant number of bits of entropy). Therefore, we can treat each 𝑋 𝑖 as distributed over 𝔽 𝑟 . Our merger will be 𝑀: 𝔽 𝑟 𝑘 ×𝔽→ 𝔽 𝑟 from the previous construction.

Parameters, continued Notice that 𝑑= log 𝑞 =𝑂 log 𝑛 + log 𝑘 . Let 𝜖= 𝑞 − 𝛼 4 ≤2 𝑛𝑘 4 𝛼 . We will assume w.l.o.g that 𝑋 is a simple somewhere random source and that 𝑋 1 is uniform.

Proof sketch Assume the output of our merger is bad. Find a way to distinguish between our output and any source with high min-entropy. Use it to construct something impossible.

Proof, part 1 Let 𝑍=𝑀 𝑋, 𝑈 𝑑 denote the output of our merger. Assume 𝑍 is 𝜖-far from having min-entropy 1−𝛼 𝑛.

Proof, part 2 Define 𝑇= 𝑧∈ 𝔽 𝑟 Pr 𝑍=𝑧 ≥ 2 − 1−𝛼 𝑛 . Notice that 𝑇 ≤ 2 1−𝛼 𝑛 = 𝑞 𝑟 1−𝛼 and Pr 𝑍∈𝑇 ≥𝜖. Let 𝑠= 𝑞 1− 𝛼 2 . Observe that: 𝑠 𝑟 𝑟 ≥ 𝑞 1− 𝛼 2 𝑞 𝛼 4 𝑟 ≥ 𝑞 𝑟 1−𝛼 ≥ 𝑇

Proof, part 3 𝑠 𝑟 𝑟 is a lower bound on the number of monomials of 𝑟 variables and degree at most 𝑠. (Why?) Therefore, we can solve a series of linear equations and find a non-zero polynomial 𝑔∈𝔽 𝑦 1 ,…, 𝑦 𝑟 of degree ≤𝑠 such that 𝑔 𝑦 =0 for all 𝑦∈𝑇. We will show that 𝑔 has many more zeroes in 𝔽 𝑟 , thus deriving a contradiction.

Finding the zeroes For each 𝑥∈ 𝔽 𝑟 let 𝑝 𝑥 = Pr 𝑍∈𝑇 𝑋 1 =𝑥 . Let 𝐺= 𝑥∈ 𝔽 𝑟 𝑝 𝑥 ≥ 𝜖 2 . By an averaging argument, Pr 𝑋 1 ∈𝐺 ≥ 𝜖 2 . 𝜖≤ Pr 𝑍∈𝑇 = Pr 𝑋 1 ∈𝐺 Pr 𝑍∈𝑇 𝑋 1 ∈𝐺 + Pr 𝑋 1 ∉𝐺 Pr 𝑍∈𝑇 𝑋 1 ∉𝐺 ≤1 ≤1 ≤ 𝜖 2

Nested proof Claim: for all 𝑥∈𝐺, 𝑔 𝑥 =0. Proof: Let 𝑥 1 ∈𝐺. Since Pr 𝑍∈𝑇 𝑋 1 = 𝑥 1 ≥ 𝜖 2 , we can fix all other 𝑋 𝑖 in a way that “preserves our advantage”, meaning: Pr 𝑍∈𝑇 𝑋= 𝑥 1 ,…, 𝑥 𝑘 ≥ 𝜖 2 (Where does this randomness come from?) Let 𝐶= 𝑀 𝑥 1 ,…, 𝑥 𝑘 ,𝑢 𝑢∈𝔽 .

Nested proof, continued Proof (cont.): The restriction of 𝑔 to 𝐶 is given by the polynomial ℎ 𝑢 =𝑔 𝑀 𝑥 1 ,…, 𝑥 𝑛 ,𝑢 , which has degree ≤𝑠 𝑘−1 . ℎ 𝑢 is zero on at least 𝜖 2 of the points in 𝔽 (why?) and since 𝑠 𝑘−1 <𝑠𝑘< 𝑞 1− 𝛼 2 ⋅ 𝑞 − 𝛼 4 <𝑞⋅2 𝑞 − 𝛼 4 =𝑞⋅ 𝜖 2 We get from the degree mantra that ℎ is the zero polynomial. Therefore 0=ℎ 𝛾 1 =𝑔 𝑖=1 𝑘 𝑐 𝑖 𝑢 ⋅ 𝑥 𝑖 =𝑔 𝑥 1 . ∎

Back to the main proof So far, we have proved that 𝑔 is a non-zero polynomial of degree 𝑠, such that 𝑔 is zero on all 𝐺. We now get a contradiction, since 𝐺 ≥ 𝜖 2 ⋅ 𝑞 𝑟 >𝑠⋅ 𝑞 𝑟−1 Thus, such 𝑔 does not exist, such 𝑇 does not exist, and 𝑀 is indeed a 𝑚= 1−𝛼 𝑛,𝜖 merger. ∎