Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001."— Presentation transcript:

1 Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001

2 Motivation Good extractors exist, but are either: Very complex (recursive, iterated, composed) Work only in high min-entropy (TZS) Either ( n ), or n 1/ c with log n +O( c 2 log m ) seed All previously-known PRGs are based on the original NW construction One other construction exists but requires stronger assumptions

3 Contributions of This Paper New extractor construction Similar to TZS Requires less min-entropy New PRG construction Based on the above extractor No big improvement in parameters Both match the current best But simpler, self-contained construction

4 Overview of This Talk Introduction TZS Reminder New extractors New ideas Construction Proof Introduction to PRGs New PRGs

5 TZS Extractors Basic idea: view input x as a bivariate* polynomial 2 F q [ y 1, y 2 ] View seed y as a pair Extractor output is: This is a q-ary extractor (output alphabet is F q )

6 Reconstruction Paradigm Assume a next-symbol predictor f : F i ! F c, for small c = -2 Show there exists a function R f ( z ), s.t.: For large fraction of x 2 X, There exists z s.t. R f ( z )= x If k >| z |, we get a contradiction.

7 TZS Reconstruction Let L be a random line in F 2 x | L is a low-degree univariate polynomial: need only h =deg( x | L ) points to know value of x on all L. Get h ( i -1) values from advice string for i -1 successive parallel lines Use predictor f to predict next line

8 Details, Details … Predictor f is often wrong Points on L are pairwise-independent Can use Chebyshev to bound prob. that less than h will be correct f predicts lists of  -2 possible values add to advice string true value of x on random point on L W.h.p., agrees only with true candidate Requires O ( m ) more values

9 Last Comments We described a bivariate extractor; this can be generalized to d -variate Reduces h, which is good However, we need to predict h d values, so we end up losing more than we gain We ’ ve already seen how to convert a q-ary extractor to a binary one.

10 Pseudo-Random Generators The computational equivalent of extractors: Many (theoretical) applications ExtractorsPRGs Short random seed Weak random sourceNo random source Output statistically indistinguishable from U m Output computationally indistinguishable from U m

11 PRG: Formal Definition An -PRG for size s is a function G :{0,1} t ! {0,1} m, s.t. for any circuit C of size < s: Equivalent to next-bit predictors: no function f of size s can satisfy:

12 q-ary PRGs Analogous to q-ary extractors A -q-ary PRG has no next-symbol predictor f : F q i -1 ! F q c s.t.: Where c =  2 Like extractors, q-ary PRG ’ s can be converted to binary ones.

13 Main Idea Basically, same as extractor Use a hard predicate x ( i ) instead of a weak random source PRGs imply hard predicates: polytime function that require large circuits. Prove using reconstruction paradigm A predictor implies we can compute the hard function with a small circuit

14 Problem … And Solution We need too many prediction steps Need to compute x for any i Increases circuit size Solution: predict in jumps of growing sizes 1, m, m 2, …, m ` -1 Use ` different PRG “candidates” Each uses different step size If none is really a PRG, we can predict The XOR of all candidates is a PRG.

15 Some Definitions Let x :{0,1} log n ! {0,1} be a hard function (no circuit smaller than s ) Let F ’ be a subspace of F, | F ’|= h Need h d > n Let A be the successor matrix of F d, and A ’ of F ’ d Let 1 be the all-ones vector in F d 1 2 F ’ d as well

16 Construction Define, for j =1, …, ` : Each of these corresponds to one of the jump lengths. To get a PRG, we XOR all of them.

17 Proof Need h to be a prime power, q a power of h. We want a polynomial x( A ’ i 1)= x ( i ) F ’ d is big enough to find one x has degree  h in all variables, total degree  hd Only takes values in F ’, and these have order  h

18 Proof (Cont.) Assume none of ` candidates is good Let f ( j ) be the predictor for G x ( j ) We will reconstruct x from those using a small circuit (contradiction!) Advice string contains value of x on m consecutive places Actually m consecutive curves Use same overlapped prediction process as before (almost…)

19 Stepping Scheme Denote first advice value by A a 1, and we want to get to i = A b 1 First, predict A c1 1, where c 1 has the same lowest m -ary digit as b Now, predict A c2 1, where c 2 has the same two lowest m -ary digits as b Go on, until we can predict i.

20 Stepping Scheme: Example aa+m-1a+1 (a) m =134(b) m =302 m=5

21 Stepping Scheme: Example f (0) aa+m-1a+1 (a) m =134(b) m =302 m=5

22 Stepping Scheme: Example f (0) aa+m-1a+1a+m (a) m =134(b) m =302 m=5

23 Stepping Scheme: Example aa+m-1a+1a+ma+m+1 (a) m =134(b) m =302 m=5

24 Stepping Scheme: Example aa+m-1a+1a+ma+2m-1 (a) m =134(b) m =302 m=5

25 Stepping Scheme: Example aa+m-1 a+m 2 a+ma+1 (a) m =134(b) m =302 m=5

26 Stepping Scheme: Example ac1c1 a+ma+1 (a) m =134(b) m =302 (c 1 ) m =142 m=5 a+m 2

27 Stepping Scheme: Example (a) m =134(b) m =302 (c 1 ) m =142 a c 1 +m a+ma+1 c 1 +(m-1)m c 1 +3m m=5 a+m 2 c1c1

28 Stepping Scheme: Example f (1) c1c1 c 1 +4mc 1 +m (a) m =134(b) m =302 m=5 c 1 +m 2 (c 1 ) m =142

29 Stepping Scheme: Example (a) m =134(b) m =302 m=5 c1c1 c 1 +4mc 1 +mc 1 +m 2 c 1 +m 2 +m (c 1 ) m =142

30 Stepping Scheme: Example c 1 +m 3 (a) m =134(b) m =302 m=5 c1c1 c 1 +4mc 1 +mc 1 +m 2 (c 1 ) m =142

31 Stepping Scheme: Example c 1 +m 3 (a) m =134(b) m =302 m=5 c1c1 c 1 +4mc2c2 c 1 +m 2 (c 1 ) m =142 (c 2 ) m =202

32 Stepping Scheme: Example c 1 +m 3 (a) m =134(b) m =302 m=5 c1c1 c 1 +4mc2c2 c 1 +m 2 (c 1 ) m =142 C 2 +(m-1)m 2 (c 2 ) m =202

33 Stepping Scheme: Example c 1 +m 3 (a) m =134 (b) m =302 m=5 c1c1 c 1 +4mc2c2 c 1 +m 2 (c 1 ) m =142 C 2 +(m-1)m 2 (c 2 ) m =202 b

34 One More Snag We ’ re predicting along curves in interleaved fashion Curves need to intersect randomly But now we are changing step sizes For all i, and all step sizes S = m j, need A i p 1 and A i + S p 2 to intersect at r random points. Can be done if curve degree is `r.

35 Results Given a hard predicate on log n bits Computable in poly( n ) Minimum circuit size s We construct a 1/ m -PRG for size m m = s (1) Seed length t =O(log 2 n /log s ) Output length m Computable in poly( n )

Download ppt "Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001."

Similar presentations

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.

Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.

Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Simple Affine Extractors using Dimension Expansion. Matt DeVos and Ariel Gabizon.

Simple Affine Extractors using Dimension Expansion. Matt DeVos and Ariel Gabizon.
A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.

Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Algorithms Recurrences. Definition – a recurrence is an equation or inequality that describes a function in terms of its value on smaller inputs Example.

Algorithms Recurrences. Definition – a recurrence is an equation or inequality that describes a function in terms of its value on smaller inputs Example.
Time vs Randomness a GITCS presentation February 13, 2012.

Time vs Randomness a GITCS presentation February 13, 2012.
Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.

Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.
Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Similar presentations

Ads by Google