
1 Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University

2 Motivation

3 Original Motivation [SV84,Vaz85,VV85,CG85,Vaz87,CW89,Zuc90,Zuc91]
Randomization is pervasive in CS
–Algorithm design, cryptography, distributed computing, ...
Typically we assume a perfect random source.
–Unbiased, independent random bits
–Unrealistic?
Can we use a weak random source?
–Source of biased & correlated bits.
–More realistic model of physical sources.
(Randomness) Extractors: convert a weak random source into an almost-perfect random source.

4 CS Theory Applications of Extractors
Derandomization of (poly-time/log-space) algorithms [Sip88,NZ93,INW94,GZ97,RR99,MV99,STV99,GW02]
Distributed & Network Algorithms [WZ95,Zuc97,RZ98,Ind02]
Hardness of Approximation [Zuc93,Uma99,MU01]
Data Structures [Ta02]
Metric Embeddings [Ind07]
Unify many important pseudorandom objects
–Hash Functions
–Expander Graphs
–Samplers
–Pseudorandom Generators
–Error-Correcting Codes

5 Crypto Applications of Extractors
Privacy Amplification [BBR85]
Pseudorandom Generators [HILL89]
Protecting against Partial Key Exposure [CDHKS00]
Crypto vs. Storage-bounded Adversaries [Lu02]
Biometrics [DRS04]
Statistically Hiding Commitments [NY89,DPP93]
...

6 Outline Motivation Definition & Basics Cryptographic Applications Conclusions & a Glimpse Beyond

7 Definition & Basics

8 Weak Random Sources
What is a source of biased & correlated bits?
–Probability distribution X on {0,1}^n.
–Must contain some randomness.
–Want: no independence assumptions ⇒ we get only one sample from X.
Measure of randomness
–Shannon entropy: no good. Example: X = 0^n with probability 1/2 and uniform on {0,1}^n with probability 1/2 has Shannon entropy about n/2, yet half the time the single sample we see is the useless all-zero string.
–Better [Chor-Goldreich 85, Zuckerman 90]: min-entropy

9 Min-entropy
Def: X is a k-source if H_∞(X) ≥ k, i.e. Pr[X = x] ≤ 2^{-k} for all x.
Examples:
–Unpredictable source [SV84]: ∀ i ∈ [n], b_1,...,b_{i-1} ∈ {0,1}: δ ≤ Pr[X_i = 1 | X_1...X_{i-1} = b_1...b_{i-1}] ≤ 1-δ (every bit retains some unpredictability given the previous ones).
–Bit-fixing [CGH+85,BL85,LLS87,CW89]: some k coordinates of X are uniform, the rest fixed (or even depend arbitrarily on the others).
–Flat k-source: uniform over S ⊆ {0,1}^n, |S| = 2^k.
Fact [CG85]: every k-source is a convex combination of flat k-sources.

10 Extractors: 1st attempt
A function Ext: {0,1}^n → {0,1}^m s.t. ∀ k-source X, Ext(X) is close to uniform.
[Figure: Ext takes a k-source of length n and outputs m almost-uniform bits]
Impossible! ∃ a set of 2^{n-1} inputs x on which the first bit of Ext(x) is constant ⇒ the flat (n-1)-source X uniform on that set is bad for Ext (the first output bit is fixed), even though it has min-entropy n-1.

11 Extractors [Nisan & Zuckerman `93]
Def: A (k,ε)-extractor is Ext: {0,1}^n × {0,1}^d → {0,1}^m s.t. ∀ k-source X, Ext(X,U_d) is ε-close to U_m.
[Figure: Ext takes a k-source of length n plus a d-bit truly random seed and outputs m almost-uniform bits]
Key point: the seed can be much shorter than the output.
Goals: minimize seed length d, maximize output length m.

12 Definitional Details
U_t = uniform distribution on {0,1}^t
Measure of closeness: statistical difference (a.k.a. variation distance)
–Δ(X,Y) = max_T |Pr[T(X)=1] - Pr[T(Y)=1]|, where T ranges over statistical tests or distinguishers (equivalently, Δ(X,Y) = (1/2)·Σ_x |Pr[X=x] - Pr[Y=x]|)
–a metric, ∈ [0,1], very well-behaved (e.g. applying the same function to X and Y cannot increase it)
Def: X, Y are ε-close if Δ(X,Y) ≤ ε.

13 Strong extractors
Output looks random even after seeing the seed (important in most crypto applications).
Def: Ext is a (k,ε) strong extractor if Ext'(x,y) = (y, Ext(x,y)) (seed concatenated with output) is a (k,ε)-extractor,
i.e. ∀ k-sources X, for a 1-ε' fraction of seeds y ∈ {0,1}^d, Ext(X,y) is ε'-close to U_m (by Markov's inequality one can take ε' = √ε, and conversely the "most seeds" condition gives a 2ε'-strong extractor).
In this talk, extractor ≡ strong extractor.

14 The Parameters
The min-entropy k:
–High min-entropy: k = n-a, a = o(n)
–Constant entropy rate: k = Ω(n)
–Middle (hardest) range: k = n^δ, 0 < δ < 1
–Low min-entropy: k = n^{o(1)}
The error ε:
–In crypto apps, ε ≈ Pr[adversary breaks scheme], so it must be very small.
The output length m:
–Certainly m ≤ k: a strong extractor cannot output more randomness than the source contains.
–Can this be achieved?

15 The Optimal Extractor
Thm [Sip88,RT97]: For every k ≤ n, ∃ a (k,ε)-extractor w/
–Seed length d = log(n-k) + 2log(1/ε) + O(1)
–Output length m = k - 2log(1/ε) - O(1)
i.e. extract almost all the min-entropy with a logarithmic seed.
Pf sketch: probabilistic method.
–Show that for a random Ext, Pr[Ext is not a (k,ε)-extractor] < 1.
–By a union bound over flat k-sources X on {0,1}^n and statistical tests T ⊆ {0,1}^m (a Chernoff bound handles each fixed pair (X,T); the convex-combination fact reduces general k-sources to flat ones).

16 The Optimal Extractor
Thm: For every k ≤ n, ∃ a (k,ε)-extractor w/
–Seed length d = log(n-k) + 2log(1/ε) + O(1)
–Output length m = k - 2log(1/ε) - O(1)
Thm [NZ93,RT97]: the above is tight up to additive constants.
For applications, we need explicit extractors:
–Ext(x,y) computable in time poly(n).
–A random extractor requires space ≥ 2^n just to store!
A long line of research has sought to approach the above bounds with explicit constructions.

17 Extractors as Hash Functions
[Figure: a flat k-source, i.e. a set S ⊆ {0,1}^n of size K = 2^k ≫ 2^m, is mapped by h_y into {0,1}^m]
View each seed y as selecting a hash function h_y = Ext(·,y): {0,1}^n → {0,1}^m. For most y, h_y maps any fixed set of size K almost uniformly onto the range.

18 Extractors from Hash Functions
Leftover Hash Lemma [BBR85,ILL89]: universal (i.e. pairwise independent) hash functions yield strong extractors
–output length: m = k - 2log(1/ε) - O(1)
–seed length: d = n + m
–example: Ext(x,(a,b)) = first m bits of a·x + b in GF(2^n), with a ∈ GF(2^n) and b ∈ {0,1}^m
Almost pairwise independence [SZ94,GW94]:
–seed length: d = O(log n + k)
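The Leftover Hash Lemma extractor of slide 18 (a·x + b in GF(2^n), truncated to m bits), run numerically on a small flat source, as an added example that is not part of the slides. It also exhibits the slide 10 obstruction (a seedless extractor that is constant on a high-min-entropy set) and the "most seeds" view of slide 13: the statistical distance from uniform is averaged over random seeds (a,b) and compared with the LHL bound (1/2)·√(2^{m-k}). Assumptions: n = 10 with the reduction polynomial x^10 + x^3 + 1, m = 3, the flat 7-source "low 3 bits are zero" is constructed for the demo, and the output is the low-order m bits rather than the first m bits (either choice keeps the hash universal).

```python
import random
from collections import Counter

# Added example (not from the slides): the Leftover Hash Lemma extractor
# Ext(x,(a,b)) = a*x + b in GF(2^n), truncated to m bits, checked numerically.

def gf2n_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly is the reduction polynomial with its x^n term set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r

def ext_lhl(x, a, b, n, m, poly):
    """Universal-hash extractor: low-order m bits of a*x + b; the seed (a,b) has d = n + m bits."""
    return (gf2n_mul(a, x, n, poly) ^ b) & ((1 << m) - 1)

def stat_dist_from_uniform(counts, total, m):
    """(1/2) * sum over y in {0,1}^m of |Pr[output = y] - 2^-m|."""
    return 0.5 * sum(abs(counts.get(y, 0) / total - 2.0 ** -m) for y in range(1 << m))

def flat_source(n, m):
    """Constructed flat (n-m)-source: all n-bit x whose low m bits are zero."""
    return [x for x in range(1 << n) if x & ((1 << m) - 1) == 0]

def naive_sd(source, m):
    """Seedless 'extractor' outputting the low m bits: constant on this source (slide 10)."""
    counts = Counter(x & ((1 << m) - 1) for x in source)
    return stat_dist_from_uniform(counts, len(source), m)

def mean_sd_over_seeds(source, n, m, poly, num_seeds, rng_seed=0):
    """Average over random seeds (a,b) of the distance of Ext(source,(a,b)) from U_m."""
    rng = random.Random(rng_seed)
    total = 0.0
    for _ in range(num_seeds):
        a, b = rng.getrandbits(n), rng.getrandbits(m)
        counts = Counter(ext_lhl(x, a, b, n, m, poly) for x in source)
        total += stat_dist_from_uniform(counts, len(source), m)
    return total / num_seeds

N, M = 10, 3
POLY = (1 << 10) | (1 << 3) | 1            # GF(2^10) via x^10 + x^3 + 1 (primitive trinomial)
SOURCE = flat_source(N, M)                  # k = n - m = 7
LHL_BOUND = 0.5 * (2.0 ** ((M - 7) / 2))    # (1/2) sqrt(2^(m-k)) = 0.125

if __name__ == "__main__":
    print("naive low-bits SD:", naive_sd(SOURCE, M))            # constant output: 0.875
    print("mean SD over seeds:", mean_sd_over_seeds(SOURCE, N, M, POLY, 300))
    print("LHL bound:", LHL_BOUND)
```

The naive map is as far from uniform as a 3-bit output can be on this source, while the seeded hash lands well inside the LHL bound on average; the seed a = 0 (a constant hash) is a legitimate member of the universal family and contributes to the average with probability 2^{-n}, which is exactly why strong extractors are stated over most seeds rather than all.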

19 Application: Randomized algorithms w/a weak source [Zuckerman `90,`91]
[Figure: one sample x from the k-source and a d-bit seed are fed to Ext; its m almost-uniform output bits serve as the coins of the randomized algorithm on input w, which accepts/rejects]
Run the algorithm on input w once for each of the 2^d seeds (always with the same source sample x) and output the majority answer.
If the algorithm errs w.p. ≤ γ on truly uniform coins, the majority errs w.p. ≤ 2(γ+ε) over the source sample: the fraction of seeds yielding bad coins is at most γ+ε in expectation, so by Markov it exceeds 1/2 with probability at most 2(γ+ε).
Only polynomial slowdown, provided d = O(log n) and Ext is explicit.

20 Cryptographic Applications

21 Crypto with Weak Random Sources?
Enumerating seeds doesn't work.
–e.g. we would get several encryptions of the message, most of which are secure, but the insecure ones leak it.
Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an (n-1)-source.
–Encryption, commitment, secret sharing, zero knowledge, ...
Alternative: seek seedless extractors for restricted classes of sources.
–Bit-fixing sources [KZ03], several independent weak sources [CG88,BIW04,DEOR04,BKSSW04,Raz05,Rao06,BRSW06], efficiently samplable sources [TV00,KM04,KRVZ06], ...
Thm [BD07]: Secure encryption is possible only for classes of sources for which seedless extractors exist.

22 Seeded Extractors in Crypto
Common setting: entropy gaps
–To parties A, B, ..., the string X has little or no entropy (they know it or can compute it).
–To parties E, F, ..., the string X has a lot of (min-)entropy.
After extraction:
–To parties A, B, ..., the r.v. Ext(X) still has little or no entropy (they recompute it from X and the seed).
–To parties E, F, ..., the r.v. Ext(X) is indistinguishable from uniform.
Question: where does the seed come from?
–Various solutions, depending on the application (sent in the clear, shared in advance, chosen by one of the parties, ...).

23 Privacy Amplification [Bennett, Brassard, Robert `85]
Setting: honest parties A, B hold a string X about which the adversary E has only imperfect information.
X is (close to) a k-source conditioned on E's view
⇒ Ext(X,R) is close to uniform conditioned on E's view & R.
The seed R may be sent in the clear or shared in advance (strong extractor: revealing R does not help E).

24 Key Agreement w/a Noisy Channel [BBR85]
[Figure: Alice sends X ← {0,1}^n over a noisy communication channel; Bob receives Y, Eve receives Z]
X ← {0,1}^n; Bob's Y and Eve's Z are noisy versions of X
⇒ w.h.p. over z ← Z, X | Z=z is a k-source for large k.
Information Reconciliation Protocol (public discussion, also seen by Eve): afterwards w.h.p. Bob holds X exactly (Y = X), so Alice & Bob share some randomness that is still mostly unknown to Eve.
Privacy Amplification: Alice sends a random seed R in the clear; K = Ext(X,R) for Alice and K = Ext(Y,R) = Ext(X,R) for Bob. Let Z' = (Z,R) be Eve's view.
⇒ w.h.p. over z' ← Z', K | Z'=z' is ε-close to uniform.

25 The Bounded-Storage Model [Maurer 90]
[Figure: a high-rate source of n truly random bits is broadcast; the adversary can store only s bits of it; the honest parties apply Ext with a seed]
High-rate source of truly random bits (length n); the adversary's storage is limited to s < n bits.
Lemma: conditioned on the adversary's state, the source is w.h.p. an (n-s)-source (up to a small additive loss).
⇒ the output of the extractor looks uniform to the adversary [NZ93,Lu02].

26 Proof of Lemma
Lemma: Let (X,Z) be (correlated) random variables with X a k-source and |Z| = s bits. Then w.p. ≥ 1-ε over z ← Z, X | Z=z is a (k-s-log(1/ε))-source.
Proof: Let BAD = { z : Pr[Z=z] ≤ ε·2^{-s} }. Then Pr[Z ∈ BAD] ≤ 2^s · ε·2^{-s} = ε, since Z takes at most 2^s values.
For z ∉ BAD and any x: Pr[X=x | Z=z] = Pr[X=x, Z=z] / Pr[Z=z] ≤ Pr[X=x] / (ε·2^{-s}) ≤ 2^{-k} / (ε·2^{-s}) = 2^{-(k-s-log(1/ε))}.
So X | Z=z is a (k-s-log(1/ε))-source whenever z ∉ BAD.
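The lemma of slide 26 made concrete, as an added example that is not from the slides: min-entropy and conditional min-entropy are computed exactly from a joint pmf, and the mass of the BAD set is compared against ε. The two adversary states are constructed for the demo: X uniform over {0,...,127} (k = 7), and an s = 3-bit state Z that is either a balanced leak (top 3 bits, every z leaves exactly k-s bits) or an unbalanced one (seven rare states that pin X down completely, one common state for everything else). The unbalanced case is the one the ε slack in the lemma exists for: a few conditional values of X have zero min-entropy, but their total probability stays below ε.

```python
import math
from collections import defaultdict

# Added example (not from the slides): min-entropy accounting for the lemma
# "X a k-source, |Z| = s bits  =>  w.p. >= 1-eps over z, H_inf(X | Z=z) >= k - s - log(1/eps)".

def min_entropy(probs):
    """H_inf of a distribution given as {value: probability}."""
    return -math.log2(max(probs.values()))

def conditional_min_entropies(joint):
    """For each z: (Pr[Z=z], H_inf(X | Z=z)) from a joint pmf {(x, z): p}."""
    pz = defaultdict(float)
    for (_, z), p in joint.items():
        pz[z] += p
    result = {}
    for z, pzz in pz.items():
        cond = {x: p / pzz for (x, zz), p in joint.items() if zz == z}
        result[z] = (pzz, min_entropy(cond))
    return result

def leakage_lemma_check(joint, k, s, eps):
    """Return (bad_mass, threshold): the probability mass of z with
    H_inf(X | Z=z) < k - s - log(1/eps). The lemma guarantees bad_mass <= eps."""
    threshold = k - s - math.log2(1 / eps)
    bad_mass = sum(pzz for pzz, h in conditional_min_entropies(joint).values() if h < threshold)
    return bad_mass, threshold

def joint_from_leak(support, leak):
    """X uniform over `support`; the adversary deterministically stores Z = leak(X)."""
    p = 1.0 / len(support)
    return {(x, leak(x)): p for x in support}

# Constructed example: X uniform over {0,...,127} (k = 7), adversary stores s = 3 bits.
SUPPORT = list(range(128))
K, S = 7, 3
# Unbalanced leak: seven rare states each reveal X completely; one common state covers the rest.
UNBALANCED = joint_from_leak(SUPPORT, lambda x: x if x < 7 else 7)
# Balanced leak: the top 3 bits of X; every state leaves exactly k - s = 4 bits.
BALANCED = joint_from_leak(SUPPORT, lambda x: x >> 4)

if __name__ == "__main__":
    for name, joint in (("unbalanced", UNBALANCED), ("balanced", BALANCED)):
        bad, thr = leakage_lemma_check(joint, K, S, eps=0.1)
        print(name, "threshold", round(thr, 3), "bad mass", round(bad, 4))
```

With ε = 0.1 the threshold is 7 - 3 - log2(10) ≈ 0.68 bits; in the unbalanced case the seven rare states fall below it with total mass 7/128 ≈ 0.055 ≤ ε, while the common state keeps log2(121) ≈ 6.9 bits. Note what the lemma does not say: it bounds the worst case over all but an ε-mass of z values, not an average, so a design that only tracks the average conditional entropy would miss the rare states entirely.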

27 The Bounded-Storage Model
[Figure: the adversary stores s bits of the length-n source; the honest parties apply Ext with a seed]
Doing cryptography:
–Seed = shared secret key (short)
–Output of extractor = one-time key material for encryption (one-time pad) and message authentication
Strong extractor ⇒ the seed is reusable, and the scheme stays secure even if the key is compromised later (everlasting security [ADR99]): the adversary's s stored bits together with the seed still leave the extractor output uniform.

28 The Bounded-Storage Model
[Figure: the adversary stores s bits of the length-n source; the honest parties apply Ext with a seed]
Additional constraint: the honest parties should only have to read a small number of bits from the source,
i.e. Ext should be locally computable [L02,V03] (easily achieved using techniques from the extractor literature).

29 Extractors & Biometrics [Dodis, Reyzin, Smith `03]
Goal: use biometric data (e.g. your fingerprint F) as crypto keys.
Problem: biometric data is not uniform, but seems to have significant min-entropy
⇒ use K = Ext(F,R) instead of F.
[Figure: enrollment: the server stores (K,R); at session start the server sends R and the user's client reads F and computes K = Ext(F,R)]

30 Extractors & Biometrics
Problem 2: biometric data is not reliable.
Multiple readings produce non-identical but close (e.g. in Hamming distance) values F' ≈ F.
Want: a public value C = C(F) s.t.
–F can be recovered from C and any F' that is δ-close to F
–F still has high min-entropy given C
[Figure: the server stores (K,R,C); at session start it sends R and C; the client reads F', computes F = Rec(F',C) and K = Ext(F,R)]

31 Extractors & Biometrics
Want: a public value C = C(F) s.t.
–F can be recovered from C and any F' that is δ-close to F
–F still has high min-entropy given C
Solution (code offset): C = F ⊕ Z, with Z a random codeword of an error-correcting code of relative minimum distance > 2δ and rate 1-γ.
–Recovery: F' ⊕ C = Z ⊕ (F ⊕ F') is within relative distance δ of Z, so decoding returns Z, and F = C ⊕ Z.
–Entropy: C reveals at most the γn bits of redundancy of the code, so it reduces the min-entropy rate of F by at most γ.
[Figure: the server stores (K,R,C); at session start it sends R and C; the client computes F = Rec(F',C) and K = Ext(F,R)]
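The code-offset construction of slides 30-31 (C = F ⊕ Z, Rec(F',C), then K = Ext(F,R)) with a concrete code, as an added example that is not from the slides or the DRS paper. Assumptions: the code is Hamming(7,4) applied block-wise (minimum distance 3, so one flipped bit per 7-bit block is corrected and each block of C leaks at most 3 bits), the "fingerprint" is a constructed 28-bit string, and Ext is a random GF(2) matrix expanded from the public seed R by Python's `random` (a universal hash, so the Leftover Hash Lemma applies; the seed expansion is a stand-in for the demo, not a recommended PRG).

```python
import random

# Added example (not from the slides): the code-offset sketch C = F xor Z with a
# concrete code, Hamming(7,4) per block, plus key derivation with a random linear
# (universal) hash as Ext.

def hamming74_encode(data4):
    """4 data bits -> 7-bit codeword; parity bits sit at positions 1, 2, 4 (1-indexed)."""
    d3, d5, d6, d7 = data4
    p1 = d3 ^ d5 ^ d7
    p2 = d3 ^ d6 ^ d7
    p4 = d5 ^ d6 ^ d7
    return [p1, p2, d3, p4, d5, d6, d7]

def hamming74_correct(word7):
    """Syndrome decoding: the XOR of the 1-indexed positions holding a 1 names the flipped bit."""
    syndrome = 0
    for pos, bit in enumerate(word7, start=1):
        if bit:
            syndrome ^= pos
    out = list(word7)
    if syndrome:
        out[syndrome - 1] ^= 1
    return out

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def gen_sketch(f_bits, rng):
    """C = F xor Z, Z a random codeword: one Hamming(7,4) block per 7 bits of F."""
    z = []
    for _ in range(len(f_bits) // 7):
        z += hamming74_encode([rng.getrandbits(1) for _ in range(4)])
    return xor_bits(f_bits, z)

def recover(f_noisy, sketch):
    """Rec(F', C): decode F' xor C = Z xor (F xor F') block-wise back to Z, then F = Z xor C."""
    w = xor_bits(f_noisy, sketch)
    z = []
    for i in range(0, len(w), 7):
        z += hamming74_correct(w[i:i + 7])
    return xor_bits(z, sketch)

def extract_key(f_bits, seed_r, m):
    """Ext(F, R): multiply F by a random m x n GF(2) matrix expanded from the public seed R."""
    rng = random.Random(seed_r)
    key = []
    for _ in range(m):
        row = [rng.getrandbits(1) for _ in f_bits]
        key.append(sum(r & f for r, f in zip(row, f_bits)) & 1)
    return key

def demo(n_bits=28, seed_r=99, m=16):
    """Enrollment with a constructed 28-bit 'fingerprint', then two re-readings.
    Returns (key matches with one error per block, F recovered with two errors in one block)."""
    rng = random.Random(2024)
    f = [rng.getrandbits(1) for _ in range(n_bits)]
    sketch = gen_sketch(f, rng)            # public; leaks at most 3 bits per 7-bit block
    key = extract_key(f, seed_r, m)        # the server stores (key, R, C), never F

    noisy1 = list(f)
    for blk in range(n_bits // 7):
        noisy1[7 * blk + blk] ^= 1         # one flipped bit in every block: within distance
    ok1 = extract_key(recover(noisy1, sketch), seed_r, m) == key

    noisy2 = list(f)
    noisy2[0] ^= 1
    noisy2[1] ^= 1                         # two flips in block 0: beyond the code's distance
    ok2 = recover(noisy2, sketch) == f
    return ok1, ok2

if __name__ == "__main__":
    print(demo())
```

The second reading is rejected not because anything detects the error but because Hamming(7,4) decodes two flips to a third codeword, so Rec returns a wrong F and the derived key does not match; a deployment must choose the code's distance from the measured noise rate of the biometric, and must budget the min-entropy of F against the n - k redundancy bits that C leaks before deciding how many key bits Ext may output.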

32 Comparing Applications
Application              Low entropy (to honest parties)   High entropy (to adversary)   Additional properties
Privacy Amplification    H(X | Honest)                      H_∞(X | Adversary)
Bounded-Storage Model    ''                                 ''                            Locally computable
Biometrics (Fuzzy Ext)   ''                                 ''                            Handle noisy X

33 Statistically Hiding Commitments from CRHF [Naor-Yung `89, Damgård-Petersen-Pfitzmann `93]
Sender S, receiver R; CRHF family {F: {0,1}^n → {0,1}^{n-k}} (every F compresses by k bits).
COMMIT: R picks F from the family and sends it to S. S picks X ← {0,1}^n and a seed R, and sends F(X) and R; the committed value is M = Ext(X,R) ∈ {0,1}^t.
REVEAL: S sends X; R checks F(X) against the commitment, recomputes M = Ext(X,R), and accepts or rejects.
Entropy view:
–H_∞(X | F(X),F) ≥ k, since F has only 2^{n-k} possible outputs ⇒ M is ε-close to U_t given R's view (statistically hiding).
–H_com(X | F(X),F) = 0: computationally, S cannot find a second preimage of F(X) (collision resistance) ⇒ H_com(M) = 0 given S's view (computationally binding).

34 Statistically Hiding Commitments from CRHF: security against cheating parties
Same protocol; * marks a cheating party.
–Hiding against a cheating receiver R*: whatever function F* it chooses, F* still has only 2^{n-k} outputs, so H_∞(X | F*(X),F*) ≥ k and M is ε-close to U_t given R*'s view. Hiding is statistical and needs no assumption on F*.
–Binding against a cheating sender S*: H_com(X* | F(X*),F) = 0, i.e. after sending F(X*) a poly-time S* cannot find X' ≠ X* with F(X') = F(X*) (collision resistance of F), so H_com(M) = 0 given S*'s view and the committed M is fixed.

35-44 Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
Goal: transform a one-to-one OWF f: {0,1}^n → {0,1}^m into a PRG G: {0,1}^a → {0,1}^b with b > a, so that G(Y) is computationally indistinguishable from U_b even though H(G(Y)) ≤ a.
Entropy gap (the same pattern as before, now computational):
–H(X | f(X)) = 0, because f is one-to-one.
–Yet X is computationally unpredictable given f(X): no poly-time algorithm recovers X from f(X) except with negligible probability, i.e. the unpredictability entropy H^unp_∞(X | f(X)) is ω(log n).
Hardcore bit [GL89]: ⟨X,R⟩ (inner product with a random R) is indistinguishable from U_1 given (f(X),R), although H(⟨X,R⟩ | f(X),R) = 0.
Hardcore bits ⇒ extractor: Goldreich-Levin is the one-bit case of an extractor whose reconstruction procedure is efficient list-decoding of a code [TZ01]. With such an Ext_1, Ext_1(X,R) is indistinguishable from U_{log n} given (f(X),R), while H(Ext_1(X,R) | f(X),R) = 0.
Pseudoentropy generator: F(X,R) = (f(X), R, Ext_1(X,R)) on seed Z = (X,R).
–H(F(Z)) = |Z| (f one-to-one ⇒ F one-to-one), but F(Z) is computationally indistinguishable from a distribution of min-entropy |Z| + log n: its pseudo-min-entropy is H^pe_∞(F(Z)) = |Z| + log n.
–Repeat k times in parallel: F^k(Z^k) = (F(Z_1),...,F(Z_k)) has H(F^k(Z^k)) = |Z^k| but H^pe_∞(F^k(Z^k)) = |Z^k| + k·log n.
Pseudoentropy ⇒ pseudorandomness: apply an efficient extractor Ext_2 with a seed S: G(Z^k,S) = (S, Ext_2(F^k(Z^k),S)).
–H(G(Z^k,S)) ≤ |S| + |Z^k|, but G(Z^k,S) is indistinguishable from (S, U_{|Z^k|+1}). Writing Y = (Z^k,S): G(Y) is indistinguishable from U_{|Y|+1}, i.e. G is a PRG stretching its seed by one bit (the k·log n bits of pseudoentropy pay for the entropy loss of Ext_2).

45 Comparing Applications
Application              Low entropy (to honest parties)   High entropy (to adversary)   Additional properties
Privacy Amplification    H(X | Honest)                      H_∞(X | Adversary)
Bounded-Storage Model    ''                                 ''                            Locally computable
Biometrics (Fuzzy Ext)   ''                                 ''                            Handle noisy X
CRHF ⇒ SHC               H_com(X* | F(X*),F)                H_∞(X | F*(X),F*)
1-1 OWF ⇒ PEG            H(X | f(X))                        H^unp_∞(X | f(X))             Efficient list-decoding
PEG ⇒ PRG                H(F(Z))                            H^pe_∞(F(Z))                  Efficient extractor

46 Conclusions
Randomness extractors address a basic problem in crypto: exploiting an asymmetry of information (a string that has little entropy to the honest parties but a lot to the adversary).
The language and basic results are as important as the actual constructions.
Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, ...).

47 Further Reading
N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58(1).
R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77:67-95, June.
S. Vadhan. Randomness extractors & their many guises. Slides from tutorial at FOCS `02.
S. Vadhan. Course notes for CS225: Pseudorandomness.

