Extracting Randomness David Zuckerman University of Texas at Austin.

Randomness extremely useful
Algorithms
–Approximation, optimization, factoring polynomials.
Monte Carlo simulations
Cryptography
Distributed computing
–Consensus, Byzantine agreement, load balancing.

Randomness wonderful, but …
Computers typically don’t have access to true randomness.

Is Randomness Necessary?
Essential for distributed computing and cryptography:
–Must choose secret key randomly.
Unclear for algorithms.

Is Randomness Necessary?
Major open question in field: does every efficient randomized algorithm have an efficient deterministic counterpart?
–Does RP = P? Appears very difficult.
–Does RSPACE(S) = SPACE(S)? Difficult but some hope.

What is minimal randomness requirement?
Can we eliminate randomness completely? If not:
–Can we minimize quantity of randomness? Pseudorandom generator
–Can we minimize quality of randomness? Extractor

Pseudorandom Generators
Computers rely on pseudorandom generators. PRG: short random string → long “random-enough” string.
Classical approach: ad hoc. Many failures.
Modern approach: provably good PRGs.

Quality: von Neumann’s model
Ext: very long weakly random → long random.
Bits independent. Each bit has same bias:
–Pr[X_i = 1] = p, p unknown.
Can’t use directly. Goal:

Quality: von Neumann’s model
Extractor:
–Group bits in pairs.
–Pr[01] = Pr[10] = p(1-p).
–Map 01 to 0, 10 to 1, ignore 00 and 11.
Example: maps to

Use in Practice
Intel has random number generator (not PRG) which uses white noise. Temperature may influence bias. Intel applies von Neumann’s extractor to output.
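As an added illustration, not code from the talk: von Neumann's pairing extractor in Python, run on a constructed source of independent bits that all share the same unknown bias p. The sample source, the PRNG seed and the tolerances are my assumptions for the demo; a seeded PRNG stands in for the noisy hardware source.

```python
import random


def von_neumann_extract(bits):
    """von Neumann's extractor: read the input in disjoint pairs, output 0 for
    the pair 01 and 1 for the pair 10, discard 00 and 11.  With independent
    bits of common bias p, Pr[01] = Pr[10] = p(1-p), so every output bit is
    exactly unbiased.  A trailing unpaired bit is ignored."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # 01 -> 0, 10 -> 1: the first bit of the pair
    return out


def biased_source(n, p, seed):
    """Constructed test source: n independent bits, each 1 with probability p."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def fraction_of_ones(bits):
    """Empirical Pr[bit = 1]; 0.5 means unbiased."""
    return sum(bits) / len(bits) if bits else float("nan")


def expected_yield(p):
    """Fraction of input pairs that produce an output bit: Pr[01] + Pr[10]."""
    return 2 * p * (1 - p)


if __name__ == "__main__":
    p = 0.9
    src = biased_source(200_000, p, seed=12345)
    out = von_neumann_extract(src)
    print("input bias ", round(fraction_of_ones(src), 4))
    print("output bias", round(fraction_of_ones(out), 4))
    print("yield", len(out) / (len(src) // 2), "expected", expected_yield(p))
```

Note the cost of the exactness: at p = 0.9 only 2p(1-p) = 18% of the pairs survive, and the guarantee rests on independence, which the next slides drop.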

General Weakly Random Sources
What if bits are correlated? Many models studied [Blum, Santha-Vazirani, Chor-Goldreich].
Most general model: upper bound probability of each string [Zuckerman]. Similar to lower bounding entropy.

General Weakly Random Sources
Weakly random distribution on n bits: each string has probability ≤ 2^-k.
Example: weakly random integer in [1,1000]. Distribution unknown.

Goal
Ext: very long weakly random → long almost random.
Should work for all (n,k) weakly random sources.
Problem: impossible.

Solution: Extractor [Nisan-Zuckerman]
Ext: very long weakly random + short truly random → long almost random.

Extractor Parameters [NZ, …, Lu-Reingold-Vadhan-Wigderson]
Ext: n bits weakly random (Pr[each string] ≤ 2^-k) + O(log n) truly random bits → 0.99k bits almost random.
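A seeded extractor at toy scale, as an added example rather than the Nisan-Zuckerman or LRVW construction from the slides: a Toeplitz-matrix hash over GF(2), which is an extractor by the leftover hash lemma (a different and simpler construction, with a longer seed than the O(log n) on the slide). The code enumerates every seed over a constructed 8-bit source of min-entropy k = 4 and checks that the average distance of the output from uniform stays under the lemma's bound ½·√(2^(m-k)); the source, n, k and m are my assumptions.

```python
from itertools import product
from math import sqrt


def toeplitz_hash(x, seed, m):
    """Multiply the n-bit vector x by the m x n Toeplitz matrix over GF(2) read
    off the (n+m-1)-bit seed: T[i][j] = seed[i - j + n - 1], constant along
    each diagonal.  Random Toeplitz matrices are a universal hash family,
    hence a seeded extractor by the leftover hash lemma."""
    n = len(x)
    return tuple(sum(seed[i - j + n - 1] & x[j] for j in range(n)) & 1
                 for i in range(m))


def statistical_distance_from_uniform(dist, size):
    """Half the L1 distance between dist (outcome -> probability; outcomes of
    probability 0 omitted) and the uniform distribution on size outcomes."""
    u = 1.0 / size
    return 0.5 * (sum(abs(p - u) for p in dist.values()) + (size - len(dist)) * u)


def flat_source(prefix, free):
    """Constructed (n,k) source: the prefix bits are fixed (say, known to an
    adversary) and the last free bits are uniform, so every string has
    probability 2^-free, i.e. min-entropy k = free."""
    return {tuple(prefix) + tail: 2.0 ** -free
            for tail in product((0, 1), repeat=free)}


def avg_distance_over_seeds(source, n, m):
    """Average over all seeds of SD(Ext(X, seed), U_m); equals the distance of
    (seed, Ext(X, seed)) from (seed, U_m) that the leftover hash lemma bounds."""
    total = 0.0
    seeds = list(product((0, 1), repeat=n + m - 1))
    for seed in seeds:
        dist = {}
        for x, px in source.items():
            y = toeplitz_hash(x, seed, m)
            dist[y] = dist.get(y, 0.0) + px
        total += statistical_distance_from_uniform(dist, 2 ** m)
    return total / len(seeds)


def leftover_hash_bound(k, m):
    return 0.5 * sqrt(2.0 ** (m - k))


if __name__ == "__main__":
    n, k, m = 8, 4, 2
    src = flat_source((1, 0, 1, 1), k)  # 16 strings of 8 bits, min-entropy 4
    print("avg distance", avg_distance_over_seeds(src, n, m),
          "bound", leftover_hash_bound(k, m))
```

For this source the output is perfectly uniform for every seed whose 2x4 submatrix on the free columns has full rank, and only the few rank-deficient seeds contribute distance, which is exactly what the seed buys: no single deterministic function could do this for all sources of min-entropy k.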

Power of Extractors
Sometimes can eliminate true randomness by cycling over all possibilities.
Useful even when no weakly random source apparently present.
Mathematical reason for power: extractor constructions beat “eigenvalue bound.”

Applications of Extractors
PRGs for Space-Bounded Computation [Nisan-Z]
PRGs for Random Sampling [Z]
Cryptography [Lu, Vadhan, Dodis-Smith]
Expander graphs and highly connected networks [Wigderson-Z]
Coding theory [Ta-Shma-Z]
Hardness of approximation [Z, Mossel-Umans]
Efficient deterministic sorting [Pippenger]
Time-space tradeoffs [Sipser]
Implicit data structures [Fiat-Naor, Z]

New Extractor and Application [Z]
Extractor requires log n + O(1) random bits.
NP-complete to approximate MAX CLIQUE and CHROMATIC NUMBER to within n^(1-ε), any ε > 0.
–Previously same inapproximability ratio required NP ≠ ZPP [Hastad, Feige-Kilian].
–We use new extractor to derandomize previous reductions.

The Future for Extractors
Current extractors near optimal. Where to go from here?
Two interesting directions:
–Deterministic extractors for specialized sources.
–Extractors for independent sources and a new technique.

Bit-Fixing Sources
Adversary fixes all but k of the n bits. Remaining k bits chosen randomly.
Parity can extract 1 bit if k ≥ 1.
This model seems unrealistic:
–What good is it? Applications in cryptography and more realistic models.
To extract 2 truly random bits, need k > n/3.
Can extract k^2/n almost-random bits deterministically [Kamp-Zuckerman]. Improved to (1-o(1))k [Gabizon-Raz-Shaltiel].

Exposure-Resilient Cryptography
Standard cryptography: secret keys totally secret. What if adversary learns some bits of secret key?
Deterministic extractors for bit-fixing sources can help foil such adversaries [Dodis-Sahai-Smith].
Need exponentially small error. Kamp-Z extractor has small enough error to apply ([GRS] error too large).

More realistic sources: Generalizing von Neumann’s Model
Bits independent, allow different biases.
Deterministic extractors for bit-fixing sources also work for these new sources [Kamp-Vadhan-Zuckerman].
Goal: deterministic extractors for more general sources. Some preliminary results allowing correlations.

Technique: Additive Number Theory
For set A, A+A = {a_1 + a_2 : a_1, a_2 ∈ A}.
Thm: either |A+A| > |A|^1.01 or |A·A| > |A|^1.01 [Bourgain-Katz-Tao, Konyagin].
Can extract from 3 independent sources [Barak-Kindler-Shaltiel-Sudakov-Wigderson].
Promising technique -- other applications? Anup Rao: improvements without additive number theory.

Conclusions
Extractors fundamental: diverse applications.
Future in extractors:
–Deterministic extractors
–2-source extractors
–More applications
–Practical variants
Can we make progress towards RP = P or RSPACE(S) = SPACE(S)?

Students
Jesse Kamp - extractors
Anindya Patthak - coding theory
Anup Rao - extractors

Extractors in Cryptography
Alice and Bob know s = “secret” random 1000 bit string. Eavesdropper Eve knows 600 bits of s. Alice and Bob don’t know which 600 bits. Eve can see all communication.

Extractors in Cryptography
Alice and Bob compute a shared secret string of 300 bits, about which Eve has negligible information:
To Eve, s appears like output of known bit-fixing source. So Ext(s) will appear almost random. Hence shared secret = Ext(s).
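An added example, not from the talk, that serves both the bit-fixing slide and these last two slides: from Eve's point of view the bits she knows are fixed and the rest are uniform, so s is a bit-fixing source. The code enumerates such a source at toy size (n = 8, Eve knows 5 constructed positions and values, so k = 3) and computes the exact distance of an extractor's output from uniform for the parity extractor of the slides, for a naive "first bit" rule, and for a two-bit extractor (parity of each half) that an adversary breaks by fixing a whole half. The toy extractors and sizes are mine; the real 1000-bit instance cannot be enumerated this way.

```python
from itertools import product


def bit_fixing_source(n, fixed):
    """Enumerate an (n,k) bit-fixing source: fixed maps position -> value set by
    the adversary (or already known to Eve); the other k positions are uniform.
    Yields every string of the source with its probability 2^-k."""
    free = [i for i in range(n) if i not in fixed]
    for tail in product((0, 1), repeat=len(free)):
        x = [0] * n
        for i, v in fixed.items():
            x[i] = v
        for i, b in zip(free, tail):
            x[i] = b
        yield tuple(x), 2.0 ** -len(free)


def output_distribution(ext, n, fixed):
    """Exact distribution of ext(x) for x drawn from the bit-fixing source."""
    dist = {}
    for x, px in bit_fixing_source(n, fixed):
        y = ext(x)
        dist[y] = dist.get(y, 0.0) + px
    return dist


def distance_from_uniform(dist, m):
    """Statistical distance of an m-bit output from uniform: 0 means Eve learns
    nothing about it; 0.5 on a single bit means she knows it outright."""
    u = 2.0 ** -m
    return 0.5 * (sum(abs(p - u) for p in dist.values()) + (2 ** m - len(dist)) * u)


def parity(x):          # the 1-bit extractor from the slides, needs k >= 1
    return (sum(x) & 1,)


def first_bit(x):       # naive rule: useless whenever bit 0 is fixed
    return (x[0],)


def half_parities(x):   # 2 bits: parity of each half; dies if a half is fixed
    h = len(x) // 2
    return (sum(x[:h]) & 1, sum(x[h:]) & 1)


if __name__ == "__main__":
    # Toy version of the last slides: Eve knows 5 of the 8 bits (constructed).
    eve_knows = {0: 1, 1: 0, 2: 1, 5: 1, 7: 0}
    for ext, m in ((parity, 1), (first_bit, 1), (half_parities, 2)):
        d = distance_from_uniform(output_distribution(ext, 8, eve_knows), m)
        print(f"{ext.__name__:14s} distance from uniform = {d}")
```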