Deterministic extractors for bit- fixing sources by obtaining an independent seed Ariel Gabizon Ran Raz Ronen Shaltiel Seedless

Randomness extractors (motivation) Randomness is essential in Computer Science: Cryptography (!!) Distributed Protocols (!) Probabilistic Algorithms (?) Algorithm designers always assume that we have access to a stream of independent unbiassed coin tosses. How can we obtain random bits?

Refining randomness from nature We have access to distributions in nature: Weather (?) Particle reactions Key strokes of user Timing of past events These distributions are “somewhat random” but not “truly random”. Solution: Randomness Extractors random coins Probabilistic algorithm input output Somewhat random Randomness Extractor

Randomness Extractors: Definition and two flavors C is a class of distributions over n bit strings. A deterministic (seedless) C-extractor is a function E such that for every XєC, E(X) is ε-close to uniform. A seeded C-extractor has an additional (short i.e. log n) independent random seed as input. source distribution from C Extractor seed random output DeterministicSeeded Two distributions are ε-close if the probability they assign to any event differs by at most ε.

A brief survey of randomness extractors Deterministic von-Neumann sources [vN51]. Markov Chains [Blu84]. Several independent sources [SV86,V86,V87,VV88,C G88,DEOR04,BIW04]. Samplable sources [TV00]. Seeded High min-entropy distributions [Z91,NZ93]. Lower bound of log n on the seed length [NZ93,RT99]. Explicit constructions coming close to matching bound (mass of work). Extractors turn out to have lots of applications in TCS.

Bit-fixing sources [CGHFRS85] An (n,k)-(oblivious) bit-fixing source is a distribution on n bit strings s.t. k bits are uniformly distributed (good bits). remaining n-k bits are fixed to arbitrary values (bad bits). x1x1 x2x2 x3x3 xnxn k random bits

Bit-fixing source extractors The exclusive or function extracts one perfectly random bit. Impossible to extract two perfect bits for k<n/3 [CGHFRS85]. A probablistic argument gives an extractor which extracts k-O(log(n/ε)) bits (for statistical distance ε from uniform). Best explicit construction extracts Ω(k 2 /n) bits [KZ03].

Our results: rangebits extracted [KZ03] bits extracted our result error k>n ½ Ω(k 2 /n)k-n ½+a (a>0 is an arbitrary constant) exp(-n a ) k<n ½ k>(log n) c Ω(log k)*k-k b (0<b<1 is a universal constant) k -b We extract (1-o(1))k bits even for small k.

Our approach Start with an extractor that extracts few bits. Convert into an extractor that extracts many bits.

Getting more mileage from extractors: first attempt x1x1 x2x2 x3x3 xnxn k random bits Deterministic Extractor random output Seeded Extractor Seeded Extractors are only guaranteed to work when the source and seed are independent. correlated!

Solution: Seed obtainers x1x1 x2x2 x3x3 xnxn k random bits Seed Obtainer random outputbit fixing source X X’X’ Y We require that X’ and Y are independent! We obtain a seed !

Seed obtainer: Definition A seed obtainer is a function F(X)=(X’,Y) s.t. For every (n,k)-bit-fixing source X: X’ is an (n’,k’)-bit-fixing source with (n’,k’)≈(n,k). Y is uniformly distributed. X’ and Y are independent. Seed Obtainer x1x1 x2x2 x3x3 xnxn X X’X’ Y F(X) is close to a convex combination of distributions X ’,Y s.t. Seeded Extractor random output Seed obtainers allow us to get more randomness from deterministic bit-fixing source extractors.

Construction of seed obtainers (erasing the correlation) k random bits random output bit fixing source X X’X’ Y Deterministic Extractor W seed for averaging sampler Seed obtainer Intuition: Erase parts that are correlated with Y We will pretend red bits are fixed! The extractor won ’ t know! Warning: Intuition is oversimplified! For any set (and in particular set of good bits) The sampled set hits it in the “ correct ” proportion. Set parameters so that: few red bits are in. Most red bits are out. correlated!

Construction for k>n ½ We use the [KZ03] deterministic extractor as basis for the seed- obtainer. Attach a good seeded extractor [RRV99]. Seed Obtainer x1x1 x2x2 x3x3 xnxn X X’X’ Y Seeded Extractor random output

The case of k<n ½ We need a deterministic bit-fixing source extractor to start with. The tecnique of [KZ03] also works for k<n ½, but extracts very few bits. Only Ω(log k) bits. For k=polylog n, we get only log log n bits. Not sufficient for seeded extractors! (Also not sufficient for standard averaging samplers.)

Solution: seeded bit-fixing source extractor. We construct a seeded bit-fixing source extractor that uses seed O(log log n) and extract (1-o(1))k bits. Apply it after the seed obtainer. Seed Obtainer x1x1 x2x2 x3x3 xnxn X X’X’ Y Seeded bit-fixing Extractor random output

A Seeded extractor for bit-fixing sources: log log n -> log n We partition the source into about log n blocks. Each bit tosses a coin to decide on its block. We use ε-pairwise dependent coins [NN93]. Cost: O(log log n) random bits. w.h.p. each block contains at least one good bit. Each block outputs the xor of its bits. log n Output log n random bits.

A Seeded extractor for bit-fixing sources: log n -> (1-o(1))k We have O(log log n) random bits as seed. Use O(log log n) random bits to partition into two blocks. Use seeded bit-fixing extractor from previous slide to extract log n bits. Use the output as a seed for a (standard) seeded extractor. To extract (1- o(1))k bits. log n bits Seeded extractor prvs n/log n

Note on averaging samplers Ingredient in the seed obtainer construction. We need to sample subsets of {1..n}. Sampling one element: log n bits. We already saw: Sampling based on ε-pairwise dependence: log log n bits [EGLNV95,RSW00]. ?????? Possible because query complexity is huge (n/log n). Note: We need samplers that hit very small sets (size<n ½) ) and cannot use samplers based on (seeded) extractors.

Overview We construct deterministic bit-fixing extractors that: Extract almost all randomnes. Work even for small k. Introduce “seed obtainers”. Allow getting more random bits from deterministc bit- fixing extractors. Construction for small k uses seeded bit-fixing extractor, that uses seed of length O(log log n) to “partition” source. Seed Obtainer x1x1 x2x2 x3x3 xnxn X X’X’ Y Seeded Extractor random output

Open problems Improve error for small k (say k<n ½ ). Possible direction: Construct deterministic bit-fixing source with larger output (>>log k) for small k. Can this technique be applied to seeded extractors? (probably not).

That’s it