Download presentation

Presentation is loading. Please wait.

Published byHugh Penick Modified over 2 years ago

1
Local correlation breakers and applications Gil Cohen

2
Breaking correlations 000011000000011 X Y X f(X,Y) The “breaking pairwise correlations” problem:

3
Breaking correlations The “breaking pairwise correlations” problem: * Yet, for applications in mind we do not have truly random bits. * Cannot be done deterministically. * A strengthening of an object used in [Li13].

4
Local correlation breakers (LCBs)

5
* Local correlation breakers * Applications * Mergers with weak-seeds * 3-source extractors * The LCB construction Roadmap * 2-source non-malleable extractors

6
[Ta-Shma96, LuReingoldVadhanWigderson03, Raz05, DvirShpilka07, Zuckerman07, DvirRaz08, DvirWigderson11, DvirKoppartySarafSudan09] * Existential argument works for Mergers with weak-seeds * Cannot be done deterministically. (n,k)

7
Theorem. There exists an explicit merger with weak-seeds for Mergers with weak-seeds via LCBs

8
* Local correlation breakers * Applications * Mergers with weak-seeds * 3-source extractors Roadmap * 2-source non-malleable extractors * The LCB construction

9
multi-source extractors [ChorGoldreich88, BarakImpagliazzoWigderson06, Bourgain05, Raz05, BarakKindlerShaltielSudakovWigderson05, Rao09, Li11, Li13, Li15] * Explicit 2-source extractors: * Explicit 3-source extractors: + lower exponent

10
Roadmap * The LCB construction * Seeded extractors * Two-steps look-ahead extractors * The construction

11
[NisanZuckerman96, …, Trevisan01, RazReingoldVadhan99, Ta-ShmaZuckermanSafra02, Shaltiel Umans01, GuruswamiUmansVadhan09, DvirKoppartySarafWigderson09, Ta-ShmaUmans12] * E is called strong if E(X,S) is uniform for almost all fixings S=s. Seeded extractors * Thou shalt have enough entropy in the source. * Thou shalt have a uniform seed. * Thou shalt not use correlated source and seed.

12
Hierarchy of independence W1W1 W2W2 WrWr Y AB

13
W1W1 W2W2 WrWr Y AB

14
W1W1 W2W2 WrWr Y AB * A of a uniform row is uniform.

15
Hierarchy of independence AB W1W1 W2W2 WrWr Y * B of a uniform row is uniform even given all A’s. * A of a uniform row is uniform.

16
[DziembowskiPietrzak07, DodisWichs09] A = E(Y,S ) Y T = E(W,A) B = E(Y,T) W 2-steps look-ahead extractors LA(W,Y) = (A,B) S

17
Theorem [DziembowskiPietrzak07]. Let W 1 be uniform and W 2 arbitrarily correlated with W 1. Let Y be an independent random variable. Let (A 1, B 1 ) = LA(W 1,Y), (A 2, B 2 ) = LA(W 2,Y). 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] Then, B 1 is uniform (even) given W 1, W 2, A 1, A 2.

18
A 1 = E(Y,S 1 ) Y W1W1 S1S1 W2W2 S2S2 A 2 = E(Y,S 2 ) T 1 = E(W 1,A 1 ) T 2 = E(W 2,A 2 ) B 1 = E(Y,T 1 ) B 2 = E(Y,T 2 ) 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09]

19
A 1 = E(Y,s 1 ) Y W1W1 s1s1 W2W2 S2S2 A 2 = E(Y,S 2 ) T 1 = E(W 1,A 1 ) T 2 = E(W 2,A 2 ) B 2 = E(Y,T 2 ) Fixed 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] B 1 = E(Y,T 1 )

20
A 1 = E(Y,s 1 ) Y W1W1 s1s1 W2W2 s2s2 A 2 = E(Y,s 2 ) T 1 = E(W 1,A 1 ) T 2 = E(W 2,A 2 ) B 2 = E(Y,T 2 ) Fixed 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] Fixed B 1 = E(Y,T 1 )

21
a 1 = E(Y,s 1 ) Y W1W1 s1s1 W2W2 s2s2 A 2 = E(Y,s 2 ) T 1 = E(W 1,a 1 ) T 2 = E(W 2,A 2 ) B 2 = E(Y,T 2 ) Fixed 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] Fixed B 1 = E(Y,T 1 ) Fixed

22
a 1 = E(Y,s 1 ) Y W1W1 s1s1 W2W2 s2s2 a 2 = E(Y,s 2 ) T 1 = E(W 1,a 1 ) T 2 = E(W 2,a 2 ) B 2 = E(Y,T 2 ) Fixed 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] Fixed B 1 = E(Y,T 1 ) Fixed

23
a 1 = E(Y,s 1 ) Y W1W1 s1s1 W2W2 s2s2 a 2 = E(Y,s 2 ) t 1 = E(W 1,a 1 ) T 2 = E(W 2,a 2 ) B 2 = E(Y,T 2 ) Fixed 2-steps look-ahead extractors [DziembowskiPietrzak07, DodisWichs09] Fixed B 1 = E(Y,t 1 ) Fixed

24
Roadmap * The LCB construction * Seeded extractors * Two-steps look-ahead extractors * The construction

25
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (A 1, B 1 ) = LA(W 1,Y) (A 2, B 2 ) = LA(W 2,Y) (A 3, B 3 ) = LA(W 3,Y) (A’ 1, B’ 1 ) = LA(W’ 1,Y) (A’ 2, B’ 2 ) = LA(W’ 2,Y) (A’ 3, B’ 3 ) = LA(W’ 3,Y) (A’’ 1, B’’ 1 ) = LA(W’’ 1,Y) (A’’ 2, B’’ 2 ) = LA(W’’ 2,Y) (A’’ 3, B’’ 3 ) = LA(W’’ 3,Y) (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y)

26
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y)

27
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y)

28
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y) The assumption on the input is maintained

29
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y)

30
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y) The good row gains its independence when given the lead

31
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y)

32
X1X1 AB W’ 1 = E(X 1,B 1 ) W’ 2 = E(X 2,A 2 ) W’ 3 = E(X 3,A 3 ) A’B’ A’’B’’ X2X2 X3X3 Z 1 = E(X 1,A’’ 1 ) Z 2 = E(X 2,A’’ 2 ) Z 3 = E(X 3,B’’ 3 ) W’’ 1 = E(X 1,A’ 1 ) W’’ 2 = E(X 2,B’ 2 ) W’’ 3 = E(X 3,A’ 3 ) 3-LCB for 3 rows Y W1W1 W2W2 W3W3 (Z 1,Z 2,Z 3 ) = LCB((X 1,X 2,X 3 ),Y) The independence is preserved when other rows are given the lead

33
Reducing the number of rounds 1 2 3 4 5 67 8 9 B A B A B A …

34
1 2 3 4 5 67 8 9 A B B A Use arbitrary cuts in a “flip-flop”. …

35
Reducing the number of rounds 1 2 3 4 5 67 8 9 A B B A Use a sequence of log(r) cuts such that for any two distinct vertices there is a cut that separates them. Use arbitrary cuts in a “flip-flop”.

36
* We’ve introduced and constructed LCBs. Summary and problem problems * Applications: * Mergers with weak-seeds with double-logarithmic entropy. * 3-source extractors with one double-logarithmic entropy source. A possible future research direction * Improved two-source extractors - perhaps further ideas can be used to remove the need for the third loglog(n)-entropy source. Thank you! * 2-source non-malleable extractors.

Similar presentations

OK

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google