Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University


Motivation

Original Motivation [SV84,Vaz85,VV85,CG85,Vaz87,CW89,Zuc90,Zuc91]
Randomization is pervasive in CS
– Algorithm design, cryptography, distributed computing, …
Typically assume a perfect random source.
– Unbiased, independent random bits
– Unrealistic?
Can we use a weak random source?
– Source of biased & correlated bits.
– More realistic model of physical sources.
(Randomness) Extractors: convert a weak random source into an almost-perfect random source.

CS Theory Applications of Extractors
Derandomization of (poly-time/log-space) algorithms [Sip88,NZ93,INW94,GZ97,RR99,MV99,STV99,GW02]
Distributed & Network Algorithms [WZ95,Zuc97,RZ98,Ind02]
Hardness of Approximation [Zuc93,Uma99,MU01]
Data Structures [Ta02]
Metric Embeddings [Ind07]
Unify many important pseudorandom objects
– Hash Functions
– Expander Graphs
– Samplers
– Pseudorandom Generators
– Error-Correcting Codes

Crypto Applications of Extractors
Privacy Amplification [BBR85]
Pseudorandom Generators [HILL89]
Protecting against Partial Key Exposure [CDHKS00]
Crypto vs. Storage-bounded Adversaries [Lu02]
Biometrics [DRS04]
Statistically Hiding Commitments [NY89,DPP93]
…

Outline
– Motivation
– Definition & Basics
– Cryptographic Applications
– Conclusions & a Glimpse Beyond

Definition & Basics

Weak Random Sources
What is a source of biased & correlated bits?
– Probability distribution X on {0,1}^n.
– Must contain some randomness.
– Want: no independence assumptions (so we get only one sample).
Measure of randomness
– Shannon entropy: no good (a distribution can have high Shannon entropy yet take one fixed value with probability 1/2).
– Better [Chor-Goldreich 85, Zuckerman 90]: min-entropy.

Min-entropy
Def: X is a k-source if H∞(X) ≥ k, i.e. Pr[X = x] ≤ 2^{-k} for all x.
Examples:
– Unpredictable Source [SV84]: ∀ i ∈ [n], b_1, …, b_{i−1} ∈ {0,1}, …
– Bit-fixing [CGH+85,BL85,LLS87,CW89]: some k coordinates of X uniform, rest fixed (or even depend arbitrarily on the others).
– Flat k-source: uniform over S ⊆ {0,1}^n, |S| = 2^k.
Fact [CG85]: every k-source is a convex combination of flat ones.

Extractors: 1st attempt
A function Ext : {0,1}^n → {0,1}^m s.t. ∀ k-source X, Ext(X) is close to uniform.
Impossible! ∃ a set of 2^{n−1} inputs x on which the first bit of Ext(x) is constant ⇒ a flat (n−1)-source X that is bad for Ext.
[Figure: k-source of length n → EXT → m almost-uniform bits]

Extractors [Nisan & Zuckerman `93]
Def: A (k,ε)-extractor is Ext : {0,1}^n × {0,1}^d → {0,1}^m s.t. ∀ k-source X, Ext(X, U_d) is ε-close to U_m.
[Figure: k-source of length n, plus a seed of d random bits → EXT → m almost-uniform bits]
Key point: the seed can be much shorter than the output.
Goals: minimize seed length, maximize output length.

Definitional Details
U_t = uniform distribution on {0,1}^t.
Measure of closeness: statistical difference (a.k.a. variation distance)
– T = statistical test or distinguisher
– a metric, ∈ [0,1], very well-behaved
Def: X, Y are ε-close if the statistical difference of (X, Y) is ≤ ε.

Strong extractors
Output looks random even after seeing the seed (important in most crypto applications).
Def: Ext is a (k,ε) strong extractor if Ext′(x,y) = y ∘ Ext(x,y) is a (k,ε) extractor,
i.e. ∀ k-sources X, for a 1−ε′ fraction of y ∈ {0,1}^d, Ext(X,y) is ε′-close to U_m.
In this talk, extractor ≡ strong extractor.

The Parameters
The min-entropy k:
– High min-entropy: k = n−a, a = o(n)
– Constant entropy rate: k = Ω(n)
– Middle (hardest) range: k = n^γ, 0 < γ < 1
– Low min-entropy: k = n^{o(1)}
The error ε:
– In crypto apps, ε ≈ Pr[adversary breaks scheme] (very small)
The output length m:
– Certainly m ≤ k.
– Can this be achieved?

The Optimal Extractor
Thm [Sip88,RT97]: For every k ≤ n, ∃ a (k,ε)-extractor w/
– Seed length d = log(n−k) + 2 log(1/ε) + O(1)
– Output length m = k − 2 log(1/ε) − O(1)
i.e. extract almost all the min-entropy w/ a logarithmic seed.
Pf Sketch: Probabilistic Method.
– Show that for a random Ext, Pr[Ext is not a (k,ε)-extractor] < 1.
– By a union bound over flat k-sources X on {0,1}^n and statistical tests T ⊆ {0,1}^m.

The Optimal Extractor
Thm: For every k ≤ n, ∃ a (k,ε)-extractor w/
– Seed length d = log(n−k) + 2 log(1/ε) + O(1)
– Output length m = k − 2 log(1/ε) − O(1)
Thm [NZ93,RT97]: The above is tight up to additive constants.
For applications, need explicit extractors:
– Ext(x,y) computable in time poly(n).
– A random extractor requires space ≥ 2^n even to store!
A long line of research has sought to approach the above bounds with explicit constructions.

Extractors as Hash Functions
[Figure: h_y : {0,1}^n → {0,1}^m applied to a flat k-source, i.e. a set of size 2^k ≫ 2^m]
For most y, h_y maps sets of size K = 2^k almost uniformly onto the range.

Extractors from Hash Functions
Leftover Hash Lemma [BBR85,ILL89]: universal (i.e. pairwise independent) hash functions yield strong extractors
– output length: m = k − 2 log(1/ε) − O(1)
– seed length: d = n + m
– example: Ext(x,(a,b)) = first m bits of a·x + b in GF(2^n)
Almost pairwise independence [SZ94,GW94]:
– seed length: d = O(log n + k)
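As an added worked example (not from the slides), the hash-based extractor above instantiated over GF(2^8) with the AES reduction polynomial and run on a constructed bit-fixing 5-source: enumerating every seed gives the exact average statistical difference that the Leftover Hash Lemma bounds, next to the seedless "first m bits" attempt that fails on the same source. The field polynomial, the source and the parameters (n = 8, k = 5, m = 2) are choices made for this example, not the talk's.

```python
from math import sqrt

N = 8               # source length n = 8 bits; the field is GF(2^8)
AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the reduction polynomial used by AES


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8): carry-less product reduced mod AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def ext(x: int, a: int, b: int, m: int) -> int:
    """Ext(x,(a,b)) = first m bits of a*x + b. Here a is an n-bit field element and
    b an m-bit string, so the seed has d = n + m bits, as on the slide."""
    return (gf_mul(a, x) >> (N - m)) ^ b


def stat_dist(counts: list, total: int) -> float:
    """Statistical difference between the empirical distribution `counts` and uniform."""
    return 0.5 * sum(abs(c / total - 1.0 / len(counts)) for c in counts)


def bit_fixing_source(fixed_mask: int, fixed_bits: int) -> list:
    """Flat k-source (constructed): bits under fixed_mask are fixed, the rest uniform."""
    return [x for x in range(2 ** N) if x & fixed_mask == fixed_bits]


def seedless_sd(source: list, m: int) -> float:
    """The '1st attempt' with no seed: SD of the first m bits of X from U_m."""
    counts = [0] * 2 ** m
    for x in source:
        counts[x >> (N - m)] += 1
    return stat_dist(counts, len(source))


def avg_strong_sd(source: list, m: int) -> float:
    """Average over all seeds of SD(Ext(X,seed), U_m), the quantity a strong extractor bounds."""
    total = 0.0
    for a in range(2 ** N):
        for b in range(2 ** m):
            counts = [0] * 2 ** m
            for x in source:
                counts[ext(x, a, b, m)] += 1
            total += stat_dist(counts, len(source))
    return total / (2 ** N * 2 ** m)


def lhl_bound(k: int, m: int) -> float:
    """Leftover Hash Lemma bound on that average: (1/2) * 2^{-(k-m)/2}."""
    return 0.5 * sqrt(2.0 ** (m - k))


if __name__ == "__main__":
    S = bit_fixing_source(0b11100000, 0b10100000)   # top 3 bits fixed to 101: a flat 5-source
    print("no seed, first 2 bits:", seedless_sd(S, 2))          # 0.75: the output is constant
    print("LHL extractor, avg SD:", avg_strong_sd(S, 2), "<=", lhl_bound(5, 2))
```

The bound holds because truncating a·x to m bits keeps the family universal: for x ≠ x′ and uniform a, a·(x ⊕ x′) is uniform in the field, so the top bits collide with probability exactly 2^{-m}.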

Application: Randomized algorithms w/ a weak source [Zuckerman `90,`91]
[Figure: k-source + d-bit seed → EXT → m almost-uniform bits → Randomized Algorithm on input x → accept/reject]
Run the algorithm using all 2^d seeds & output the majority; the majority errs w.p. ≤ 2·(the algorithm's error probability with truly random bits + ε).
Only a polynomial slowdown, provided d = O(log n) and Ext is explicit.

Cryptographic Applications

Crypto with Weak Random Sources?
Enumerating seeds doesn't work.
– e.g. get several encryptions of a message, most of which are secure
Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an (n−1)-source.
– Encryption, commitment, secret sharing, zero knowledge, …
Alternative: Seek seedless extractors for restricted classes of sources.
– Bit-fixing sources [KZ03], several independent weak sources [CG88,BIW04,DEOR04,BKSSW04,Raz05,Rao06,BRSW06], efficiently samplable sources [TV00,KM04,KRVZ06], …
Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

Seeded Extractors in Crypto
Common setting: entropy gaps
– To parties A, B, …, string X has little or no entropy
– To parties E, F, …, string X has a lot of entropy
After extraction:
– To parties A, B, …, r.v. Ext(X) still has little or no entropy
– To parties E, F, …, r.v. Ext(X) is indistinguishable from uniform
Question: where to get the seed?
– Various solutions, depending on the application

Privacy Amplification [Bennett, Brassard, Robert `85]
Setting: honest parties A, B hold a string X about which adversary E has imperfect information.
X (close to) a k-source conditioned on E's view ⇒ Ext(X,R) close to uniform conditioned on E's view & R.
Seed R may be sent in the clear or shared in advance.

Key Agreement w/ a Noisy Channel [BBR85]
Noisy Communication Channel: Alice sends X ← {0,1}^n; Bob receives Y; Eve receives Z.
⇒ w.h.p. Alice & Bob share some randomness unknown to Eve.
Information Reconciliation Protocol: Alice (holding X) and Bob (holding Y) interact so that w.h.p. Bob learns X; Eve's view grows to Z′.
⇒ w.h.p. over z ← Z′, X | Z′=z is a k-source for large k.
Privacy Amplification: random seed R; Alice computes K = Ext(X,R), Bob computes K = Ext(Y,R) (Y = X after reconciliation); Eve's view becomes Z″ = (Z′, R).
⇒ w.h.p. over z ← Z″, K | Z″=z is ε-close to uniform.

The Bounded-Storage Model [Maurer 90]
[Figure: high-rate source of truly random bits (length n) → EXT with seed; Adversary with storage s]
Lemma: conditioned on the adversary's state, we have an (n−s)-source w.h.p.
⇒ Output of the extractor looks uniform to the adversary [NZ93,Lu02].

Proof of Lemma
Lemma: (X,Z) (correlated) random vars, X a k-source and |Z| = s ⇒ w.p. ≥ 1−ε over z ← Z, X | Z=z is a (k − s − log(1/ε))-source.
Proof: Let BAD = { z : Pr[Z=z] ≤ ε · 2^{-s} }. Then …
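The rest of the proof, carried through with the slide's own symbols (added here; the transcript stops after the definition of BAD):

$$\Pr[Z \in \mathrm{BAD}] \;\le\; |\mathrm{BAD}| \cdot \varepsilon \cdot 2^{-s} \;\le\; 2^{s} \cdot \varepsilon \cdot 2^{-s} \;=\; \varepsilon,$$

since $|Z| = s$ means $Z$ takes at most $2^{s}$ values. For every $z \notin \mathrm{BAD}$ and every $x$, using that $X$ is a $k$-source,

$$\Pr[X = x \mid Z = z] \;=\; \frac{\Pr[X = x,\, Z = z]}{\Pr[Z = z]} \;\le\; \frac{\Pr[X = x]}{\varepsilon \cdot 2^{-s}} \;\le\; \frac{2^{-k}}{\varepsilon \cdot 2^{-s}} \;=\; 2^{-(k - s - \log(1/\varepsilon))},$$

so $X \mid Z = z$ is a $(k - s - \log(1/\varepsilon))$-source for a $1 - \varepsilon$ fraction of $z \leftarrow Z$. $\square$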

The Bounded-Storage Model
[Figure: source of length n → EXT with seed; Adversary with storage s]
Doing Cryptography:
– Seed = shared secret key
– Output of extractor = use for encryption (one-time pad), message authentication
Strong extractor ⇒ seed reusable, secure even if the key is compromised later (everlasting security [ADR99])

The Bounded-Storage Model
[Figure: source of length n → EXT with seed; Adversary with storage s]
Additional Constraint: honest parties should only have to read a small # of bits from the source, i.e. EXT should be locally computable [L02,V03] (easily achieved using techniques in the extractor literature).

Extractors & Biometrics [Dodis, Reyzin, Smith `03]
Goal: use biometric data (e.g. your fingerprint F) as crypto keys.
Problem: biometric data is not uniform, but seems to have significant min-entropy ⇒ use K = Ext(F,R) instead.
[Figure: server stores K, R; client/user has F; server sends R; client computes K = Ext(F,R); start session]

Extractors & Biometrics
Problem 2: biometric data is not reliable. Multiple readings will produce non-identical, but close (e.g. in Hamming distance) values F′.
Want: a value C = C(F) s.t.
– F can be recovered from C and any F′ δ-close to F
– F still has high min-entropy given C
[Figure: server stores K, R; client reads F′; server sends R, C; client computes F = Rec(F′, C), K = Ext(F,R); start session]

Extractors & Biometrics
Want: a value C = C(F) s.t.
– F can be recovered from C and any F′ δ-close to F
– F still has high min-entropy given C
Solution: C = F ⊕ Z, Z a random codeword in an error-correcting code of relative minimum distance > 2δ and rate close to 1.
Reduces the min-entropy rate by at most the code's rate loss.
[Figure: server stores K, R, C; client reads F′; server sends R, C; client computes F = Rec(F′, C), K = Ext(F,R); start session]
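The code-offset construction C = F ⊕ Z from the last two slides, as an added example that is not part of the transcript: a [7,4,3] Hamming code stands in for the error-correcting code, a constructed 21-bit reading stands in for the fingerprint, and SHA-256 keyed by the seed R stands in for Ext (an assumption made here; the talk's extractor is a universal hash). It also computes exactly how much min-entropy of a uniform 7-bit block survives once C is published.

```python
import hashlib
import math
import secrets


def syndrome(w: int) -> int:
    """Hamming(7,4) syndrome: XOR of the 1-based positions of the set bits of w."""
    s = 0
    for pos in range(1, 8):
        if (w >> (pos - 1)) & 1:
            s ^= pos
    return s


# The 16 codewords (zero syndrome) of the [7,4,3] Hamming code: rate 4/7, distance 3,
# so it corrects one flipped bit per 7-bit block (relative distance 3/7 > 2 * 1/7).
CODEWORDS = [w for w in range(128) if syndrome(w) == 0]


def decode(w: int) -> int:
    """Nearest-codeword decoding: a nonzero syndrome names the single position to flip."""
    s = syndrome(w)
    return w if s == 0 else w ^ (1 << (s - 1))


def sketch(f_blocks: list, rand=secrets.randbelow) -> list:
    """C = F xor Z with a fresh random codeword Z per 7-bit block of F."""
    return [f ^ CODEWORDS[rand(len(CODEWORDS))] for f in f_blocks]


def recover(noisy_blocks: list, c_blocks: list) -> list:
    """Rec(F', C): decode F' xor C to the nearest codeword Z', then output C xor Z'."""
    return [c ^ decode(fp ^ c) for fp, c in zip(noisy_blocks, c_blocks)]


def derive_key(f_blocks: list, seed: bytes) -> bytes:
    """K = Ext(F, R). Assumption: SHA-256 over R||F stands in for the extractor here."""
    return hashlib.sha256(seed + bytes(f_blocks)).digest()


def min_entropy_given_sketch() -> float:
    """Exact H_inf(F | C=c), minimised over c, for one uniform 7-bit block F.
    F | C=c is uniform over the coset c xor CODEWORDS, so 7 - 3 = 4 bits survive."""
    worst = float("inf")
    for c in range(128):
        joint = [(1 / 128) * (1 / len(CODEWORDS) if (f ^ c) in CODEWORDS else 0.0)
                 for f in range(128)]
        marginal = sum(joint)
        worst = min(worst, -math.log2(max(joint) / marginal))
    return worst


if __name__ == "__main__":
    f = [0b1011010, 0b0000111, 0b1111111]                    # constructed 21-bit reading
    c = sketch(f)
    f_noisy = [f[0] ^ 0b0000001, f[1] ^ 0b1000000, f[2]]     # one bit flipped in two blocks
    assert recover(f_noisy, c) == f
    r = secrets.token_bytes(16)
    assert derive_key(recover(f_noisy, c), r) == derive_key(f, r)
    print("min-entropy of each block given C:", min_entropy_given_sketch(), "bits")
```

Two flips inside one block exceed the code's correction radius, so Rec then returns a different coset element and the derived keys disagree; the test below checks that failure mode as well.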

Comparing Applications
Application            | Low Entropy   | High Entropy      | Add'l Properties
Privacy Amplification  | H(X|Honest)   | H∞(X|Adversary)   |
Bounded-Storage Model  | ''            | ''                | Locally computable
Biometrics (Fuzzy Ext) | ''            | ''                | Handle noisy X

Statistically Hiding Commitments from CRHF [Naor-Yung `89, Damgård-Petersen-Pfitzmann `93]
Sender S, receiver R, message M ∈ {0,1}^t.
COMMIT: R → S: a CRHF F from { F : {0,1}^n → {0,1}^{n−k} }. S picks X ← {0,1}^n and sends F(X), a seed R and M ⊕ Ext(X,R).
REVEAL: S → R: (M, X); R checks and accepts/rejects.
Hiding: H∞(X | F(X), F) ≥ k, so M is ε-close to U_t given R's view.
Binding: H_com(X | F(X), F) = 0, so H_com(M) = 0 given S's view.

Statistically Hiding Commitments from CRHF [Naor-Yung `89, Damgård-Petersen-Pfitzmann `93]
The same protocol against malicious parties: COMMIT: R* → S: F*; S: X ← {0,1}^n, sends F*(X), R, M ⊕ Ext(X,R). REVEAL: S* → R: (M, X); R accepts/rejects.
Hiding against a malicious R*: H∞(X | F*(X), F*) ≥ k ⇒ M is ε-close to U_t given R*'s view.
Binding against a malicious S*: H_com(X* | F(X*), F) = 0 ⇒ H_com(M) = 0 given S*'s view.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
Goal: transform a one-to-one OWF f : {0,1}^n → {0,1}^m into a PRG G : {0,1}^a → {0,1}^b.
H(X | f(X)) = 0 (b/c f is one-to-one), yet X is computationally unpredictable given f(X).
H(G(Y)) = a, yet G(Y) is computationally indistinguishable from U_b.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0 (b/c f is one-to-one), yet X is computationally unpredictable given f(X).
Hardcore bit [GL89]: H(⟨X,R⟩ | f(X), R) = 0, yet ⟨X,R⟩ is indistinguishable from U_1 given f(X), R.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
Hardcore bit [GL89]: H(⟨X,R⟩ | f(X), R) = 0, yet ⟨X,R⟩ is indistinguishable from U_1 given f(X), R.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(Ext_1(X,R) | f(X), R) = 0, yet Ext_1(X,R) is indistinguishable from U_{log n} given f(X), R.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F(Z)) = |Z| for Z = (X,R), yet Ext_1(X,R) is indistinguishable from U_{log n} given f(X), R.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F(Z)) = |Z|, yet F(Z) is comp. indist. from a dist. w/ min-entropy |Z| + log n: a pseudoentropy generator.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F(Z)) = |Z|, yet H^pe_∞(F(Z)) = |Z| + log n: a pseudoentropy generator.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F^k(Z^k)) = |Z^k|, yet H^pe_∞(F^k(Z^k)) = |Z^k| + k·log n: a pseudoentropy generator, repeated k times.

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F^k(Z^k)) = |Z^k|, yet H^pe_∞(F^k(Z^k)) = |Z^k| + k·log n.
G(Z^k, S) = (S, Ext_2(F^k(Z^k), S)), with Ext_2 an efficient extractor:
H(G(Z^k,S)) ≤ |S| + |Z^k|, yet G(Z^k,S) is indist. from (S, U_{|Z^k|+1}).

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby `89]
H(X | f(X)) = 0, yet H^u_∞(X | f(X)) = ω(log n).
F(X,R) = (f(X), R, Ext_1(X,R)), with Ext_1 an extractor w/ efficient list-decoding [TZ01]:
H(F^k(Z^k)) = |Z^k|, yet H^pe_∞(F^k(Z^k)) = |Z^k| + k·log n.
G(Z^k, S) = (S, Ext_2(F^k(Z^k), S)), with Ext_2 an efficient extractor:
H(G(Y)) ≤ |Y| for Y = (Z^k, S), yet G(Y) is indist. from U_{|Y|+1}: a PRG.

Comparing Applications
Application            | Low Entropy          | High Entropy         | Add'l Properties
Privacy Amplification  | H(X|Honest)          | H∞(X|Adversary)      |
Bounded-Storage Model  | ''                   | ''                   | Locally computable
Biometrics (Fuzzy Ext) | ''                   | ''                   | Handle noisy X
CRHF ⇒ SHC             | H_com(X*|F(X*),F)    | H∞(X|F*(X),F*)       |
1-1 OWF ⇒ PEG          | H(X|f(X))            | H^u_∞(X|f(X))        | Efficient list-decoding
PEG ⇒ PRG              | H(F(Z))              | H^pe_∞(F(Z))         | Efficient extractor

Conclusions
Randomness extractors address a basic problem in crypto: exploiting asymmetry of information.
The language and basic results are as important as the actual constructions.
Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …).

Further Reading
– N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58(1), 1999.
– R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77:67–95, June 2002.
– S. Vadhan. Randomness extractors & their many guises. Slides from tutorial at FOCS `02.
– S. Vadhan. Course Notes for CS225: Pseudorandomness.