Correlation Extractors and Their Applications Yuval Ishai Technion Based on joint work with Eyal Kushilevitz Rafail Ostrovsky Amit Sahai

What this talk is about Extension of randomness extraction and privacy amplification to correlated sources Motivated by cryptographic applications … but also think about communication channels: –Cleaning channels –Converting one channel to another –Building channels from scratch

What if x is not uniform? t-dirty: min-entropy n-t Privacy Amplification [BBR88,BBCM95,...] AliceBob secure channel x R {0,1} n x Eve What if x is partially leaked? t-leaky: Eve learns f(x), f:{0,1} n {0,1} t Solved by randomness extractors [NZ96] –Alice picks a fresh seed s and sends to Bob over a public channel –Both parties output Ext(s,x)

Cleaning other types of channels? AliceBob BSC x R {0,1} n y=x e e i ~Bern(p) Noise is useful for crypto! [Wyn75,Csi81,…, CK88,…] Noise can be dirty or leaky Can we build a clean BSC from a dirty BSC? –Main challenge: protecting against insiders

Correlation Extractors Generalize BSC example to any channel (X,Y) (n,m,t, ) correlation extractor for (X,Y): ab (a,b) - close to (X,Y) m AliceBob (a,b ) t-dirty (X,Y) n a b Classical case: X=Y R {0,1} also from point of view of Alice or Bob!

Randomness A valuable resource –essential for cryptography A scarce resource –clean randomness is hard to find –dirty sources more common in nature

Randomness Extractors dirty randomness clean randomness Ext Strong [NZ96]

Parameters n-bit source, m-bit output, d-bit seed t-dirty source: –Pr[X=x] 2 t 2 -n (H (X) n-t) –aka k-source, k=n-t -clean output: –| (R,Ext(X,R)) - U m+d | Thm [Sip88,RT97]: Almost every Ext:{0,1} n {0,1} d {0,1} m is a (t, ) (strong) extractor if –m = n-t - 2log(1/ ) - O(1) –d = log(t) + 2log(1/ ) + O(1) Explicit constructions: ILL89,NZ96,T96,GW97,Tre99,ISW00, RSW00,TZS01,SU01,LRVW03,GUV07, …

Distributed Randomness Alice Bob What do we want?

Public Randomness Alice Bob

Public Randomness How can we clean it? –Using standard extractors + few fresh random bits –Using deterministic extractors [vNu51, CFG+85, SV86, Vaz87, CG88, TV00, CDH+00, GRS04, BIW04, Raz05, BKS+05, Bou05, Rao06, KRVZ06, …] Apply to restricted high-entropy sources, e.g. bit-fixing sources What does it buy us? –Algorithms –Distributed computing –Cryptography

Private Randomness Alice Bob

Private Randomness How can we clean it? –Using standard extractors + few fresh random bits no need for full independence between sources –Using network extractor protocols [DO03, GSV05, KRZ08, …] require independence between sources What else does it buy us? –Distributed computing Byzantine agreement, leader election, collective coin flipping… –Cryptography Computational security under cryptographic assumptions

Shared Private Randomness Alice Bob Eve ???

Shared Private Randomness How can we clean it? –Two main scenarios Dirty shared source: imperfect but hidden from Eve Leaky shared source: perfect, but partially leaked to Eve –Both addressed by standard (strong) extractors Fresh randomness can be sent over a reliable public channel Fresh randomness generally necessary Privacy Amplification [BBR88,BBCM95,...] Eve learns t information bits except w/prob, source conditioned on Eve s view is (t+log(1/ ))-dirty

Correlated Randomness

What else does it buy us? –Unconditionally secure computation with no honest majority –… and better efficiency too! –Applications use many independent instances of a finite correlation (X,Y). How can we clean it? –Using correlation extractors –Topic of this talk

Defining Correlation Extractors Goal: define (n,m,t, ) correlation extractor –seed length d will be ignored Need to define: –clean correlation source of length m –t-dirty correlation source of length n –extraction mechanism – -success

Clean (X,Y) Source (X,Y) : finite distribution over D A D B –All probabilities are rational Sample (a,b) from (X,Y) m (a D A m, b D B m ) Alice gets a, Bob gets b Alice Bob Alice Bob xxxxx

Dirty Source: Extractor Variant (A,B) is a t-dirty version of (A,B) if: –For all (a,b), Pr[(A,B)=(a,b)] 2 t Pr[(A,B)=(a,b)] –For all a support(A) and b, Pr[B=b | A=a] 2 t Pr[B=b | A=a] –For all b support(B) and a, Pr[A=a | B=b] 2 t Pr[A=a | B=b]

Dirty Source: Privacy Amplification Variant f [t] = t-leaky version of oracle f t-leaky correlation source is an oracle to ((X,Y) n ) [t] ideal oracle t-leaky oracle AliceBob ab f AliceBob ab f [t] Eve L:{0,1}* {0,1} t L(a,b)

Extraction Mechanism Alice and Bob can interact –necessary for nontrivial (X,Y), even in bit fixing case –interaction uses additional fresh randomness –interaction begins after leakage occurs Assumption: Alice and Bob follow the protocol –notion can be extended to active attacks Simplifying assumptions: –Alice, Bob can toss private coins –Alice, Bob can communicate over a secure channel Both resources can be extracted from the source when needed

Measuring Success Outputs should be -close to (X,Y) m even when conditioned on Eves view –Eve can be an outsider, or corrupt either Alice or Bob Can be formalized using conditional distributions More convenient: –Eves view can be -simulated in an ideal process for generating (X,Y) m –Simulation considered jointly with outputs of uncorrupted parties

Putting it Together An (n,m,t, ) correlation extractor for (X,Y) is an interactive two-party protocol P with inputs (a,b) and outputs (a,b) such that –Extractor variant: Whenever (a',b') are drawn from a t-dirty version of (X,Y) n, P realizes -securely the process of sampling (a,b) from (X,Y) m –Privacy amplification variant: P is an -secure reduction from (X,Y) m to ((X,Y) n ) [t]

Main Question Are there correlation extractors for arbitrary (X,Y)? –If so, how good can they be? Question largely unexplored –Different from previous extensions of privacy amplification to correlated or fuzzy sources [Wyn75,BBR88,Mau91,DRS04,DS05,…] Only concerned with secrecy against an external Eve –Special cases implicit in literature Special types of correlations, locally imperfect sources No prior study of global imperfections

Main Question Are there correlation extractors for arbitrary (X,Y)? –If so, how good can they be? Question still seems challenging even when –allowing non-explicit or heuristic constructions –allowing unlimited access to fresh randomness, secure communication Source of difficulty: Conflict between structure and secrecy Randomness extraction meets secure computation

Main Result For any finite (X,Y) there is an efficient, constant-round (n,m,t, ) correlation extractor with: –m= (n) [ clean instances ] –t= (n) [ source imperfection / leakage ] – = 2 - (n) [ extraction error ] –O(n) communication Assumes semi-honest parties. constant support size, rational probabilities [I-Kushilevitz-Ostrovsky-Sahai 2009]

Simple Correlations shared randomness private randomness binary symmetric channel X Y finite correlation (X,Y) discrete memoryless channel p x y =Pr[Y=y|X=x] erasure channel / Rabin-OT (random) OT channel X=(s 0,s 1 ) Y=(r,s r ) Very useful for crypto! easy conversion to chosen input OTs [BG89,Bea95] basis for general secure two-party computation - requires O(circuit-size) instances of channel [GMW87,GV87,GHY87,Kil88, … ] [WW06]

OT Extractor Building block for general correlation extractors Common generalization of previous primitives OT Extractor OT Combiner [HKN+05, … ] Extractor Extractor for bit-fixing sources

Overview of Construction ((X,Y) n ) [t] (X,Y) m (OT n ) [t ] trivial cases OT m OT-based secure computation rational probabilities OT from nontrivial channels [Kil00,CMW04] OT Extractor some errors as well …

Efficient OT Extractors Careful combination of secure computation and randomness extraction techniques –Simpler with polylog(n,1/ ) loss in m,t Idea: Use O(m) leaky OTs as a resource for securely computing m fresh OTs. Problem: OT-based protocols propagate leakage! –Modify computed function to include an extraction step? –Leakage still propagates… Observation: random OTs are converted into chosen input OTs via XORing.

-biased secure computation Goal: Generate m fresh OTs using O(m) calls to an OT oracle while making Bobs oracle inputs -biased Masking with outputs of leaky oracle will keep Bobs fresh OT selections private [AR94,GW97] Need to reverse & repeat the process for protecting Alice. Alice Bob OT

Building Block Explicit family of linear codes C n :F k(n) F n such that –F has characteristic 2 –The dual distance of C n is (n) –The linear code C 2 n spanned by pointwise products of c i,c j C n has minimal distance (n) Examples: –RS codes (non-constant F) [BGW88,…] –AG codes (constant F) [CC06, CCX11] Cant use random codes (even non-explicitly) –last requirement implies efficient decoding [CDG+05]

-biased protocol for AND m Alices input: a {0,1} m Bobs input: b {0,1} m Bobs output: a b Alice Bob a b a b C C 0 z C 2

-biased protocol for AND m a b+z is the suffix of a random codeword from C 2 which starts with a b reveals no info beyond a b Alice Bob a b a b C C 0 z C 2

-biased protocol for AND m a b+z is the suffix of a random codeword from C 2 which starts with a b reveals no info beyond a b –Good distance of C 2 guarantees that a b can be recovered Alice Bob a b a b 0 z 1-round OT-based protocol [Kil88, … ] -biased?

-biased protocol for AND m Good dual distance of C, |F|=2 c b is (m)-wise independent –But not -biased! Apply random 3-bit majority encoding to each bit of b –Makes b -biased with =2 - (m) –Incorporate decoding into OT-based secure computation protocol Alice Bob a b a b 0 z 1-round OT-based protocol [Kil88, … ] -biased?

Applications Protecting protocols against leakage Efficient reductions between channels Communication-efficient secure computation

protecting against leakage OT-based protocol OT Extractor OT generation process leaky storage

efficient reductions between channels Much work on OT from noisy channels –BSC, unfair channels, Gaussian channels, … –poly(k) invocations of Ch1 per OT instance, even in semi- honest model OT extractors constant-rate OTs from any nontrivial channel –Bonus feature: leakage-resilience Alice Bob Ch1 Ch2 OT

communication-efficient secure computation Secure two-party computation, standard model Communication of typical protocols: poly(k) per gate [Gentry09]: poly(k) (|input|+|output|) overall! But… sometimes life is a sequence of finite tasks –circuit of size O(|output|) –even [Gentry09] requires poly(k) communication per gate Application of OT extractors –Constant-rate OT protocol under -Hiding Assumption [CMS99,GR05] general circuit evaluation with O(1) bits per gate constant-rate realization of any discrete channel! –Previously known under a nonstandard assumption [IKOS08]

Conclusions Defined correlation extractors Constructed (n,m,t, ) extractor for every finite (X,Y) –m= (n) –t= (n) – = 2 - (n) –O(n) communication Several applications, all with constant rate –Cleaning channels –Reducing channels to each other –Building channels from scratch! Computationally, under -hiding assumption

Further Research Better parameters –Maximize leakage resilience and rate –Minimize round complexity –Better dependence on domain size? Malicious parties Multi-party setting Computational setting –Protecting computationally-secure two-party protocols against side-channel attacks