How to get more mileage from randomness extractors Ronen Shaltiel University of Haifa
Outline of this talk Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Randomness extractors (motivation) Daddy, how do computers get random bits? Do we have to tell that same old story again.
Randomness extractors (motivation) Randomness is essential in Computer Science: Cryptography Distributed Protocols Probabilistic Algorithms Algorithm designers always assume that we have access to a stream of independent unbiassed coin tosses. How do computers get random bits?
Refining randomness from nature We have access to distributions in nature: Particle reactions Key strokes of user Timing of past events (Really used in real life) These distributions are “somewhat random” but not “truly random”. Solution: Randomness Extractors random coins Probabilistic algorithm input output Somewhat random Randomness Extractor
Outline of this talk Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Seeded Randomness Extractors: Definition and two flavors C is a class of distributions over n bit strings “containing” k bits of (min)-entropy. A deterministic (seedless) C- extractor is a function E such that for every XєC, E(X) is ε- close to uniform. A seeded C-extractor has an additional (short i.e. log n) independent random seed as input. source distribution from C Extractor seed random output Deterministic A distribution X has min-entropy ≥ k if ∀ x: Pr[X=x] ≤ 2 -k Two distributions are ε-close if the probability they assign to any event differs by at most ε. Extractors turn out to have lots of applications in TCS.
A brief survey of randomness extractors Deterministic von-Neumann sources [vN51]. Markov Chains [Blu84]. Several independent sources [SV86,V86,V87,VV88,CG88,DEOR04, BIW04,BKSSW05,R05,R06,BRSW06]. Bit-fixing sources [CGHFRS85,KZ03,GRS04] Samplable sources [TV00,KRVZ06]. Affine sources [BKSSW05,GR05]. Seeded C = {distributions with (min)-entropy k} [Z91,NZ93]. Lower bound of log n on the seed length [NZ93,RT99]. Explicit constructions coming close to matching bound (mass of work).
Outline of this talk Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Getting more mileage from (deterministic) extractors before Deterministic C-Extractor extracts few bits Our result: A general transformation (extending [GRS04]) Deterministic C-Extractor extracts many bits after Applies to many classes C: several independent sources, samplable sources, bit-fixing sources*, affine sources*. *Already follows from [GRS04,GR05].
2-source extractors [SV86]: Consider the class of distributions X=(X 1,X 2 ) s.t. X 1,X 2 are independent distributions over n bits. X 1,X 2 have (min)-entropy k. Dfn: A 2-source extractor (for threshold k) is a deterministic extractor for this class. X1X1 nn X2X2 2-source extractor Goals: Achieve low entropy threshold e.g. k=o(n), major open problem (related to Ramsey graphs). Extract as many bits as possible (for large threshold, say k= ¾ n ). There are 2k random bits in source.
Getting more mileage from 2-source extractors comment# of bits extracted reference E(x 1,x 2 )= mod 2. 1[CG88] Ω(n)[Vaz87] Almost all the bits from one source and some from the other. k+Ω(n)[DEOR04] 2k-O(log(1/ε))Our result Lower bound. (matched by probabilistic construction). <2k-2log(1/ε)[RT98] 2-source extractors for entropy k= ¾ n and ε<1/n. Optimal except for the precise constant multiplying log(1/ε)! Proof: Transform existing construction [Raz05] into an extractor which extracts many bits. ¾ can be replaced with any constant > ½
Outline of this talk Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Getting more mileage from extractors: naïve approach x1x1 x2x2 x3x3 xnxn k random bits Deterministic Extractor random output Seeded Extractor Seeded Extractors are only guaranteed to work when the source and seed are independent. correlated!
Getting more mileage by reusing the output [GRS04]: The naïve approach can work! For the restricted class of bit-fixing sources. Assuming some additional properties of the deterministic and seeded extractors. [GR05]: Also works for affine sources. This paper: Extends the ideas of [GRS04] General sufficient conditions for an arbitrary class of sources.
The main theorem Let C be a class of distributions. Let X be a distribution in C. Let dE be a deterministic ε-extractor for C. Let sE be a seeded extractor with seed length t. Assume the following closeness condition: For every y ∊{0,1} t and every value a: (X|sE(X,y)=a) is a distribution in C. Then dE’(x)=sE(x,dE(x)) is a deterministic O(ε2 t )-extractor for C. The na ï ve approach works if: closeness condition satisfied. ε < 2 t
Closer look at closeness condition Previous intuition for naïve construction: dE extracts few bits and therefore (X|dE(X)=y) is a high entropy distribution. ⇒ sE can extract from (X|dE(X)=y). Problem: it could be the case that ∀ y: y is a bad seed for the source (X|dE(X)=y). Closeness Condition: For every y ∊{0,1} t and every value a: (X|sE(X,y)=a) is a distribution in C. Comment: (X|sE(X,y)=a) has lower entropy then X ⇒ In order to extract from X we must use dE which extracts from lower entropy distributions. Intuition and proof are different.
Outline of proof of main theorem (Simplifiying assumption ε=0) Goal: prove that: sE(X,dE(X)) ≈ sE(X,Y) Follows from: ∀ y: (sE(X,dE(X))|dE(X)=y) ≈ (sE(X,Y)|Y=y) (sE(X,y)|dE(X)=y) ≈ sE(X,y) Will follow if ∀ y: sE(X,y) is independent of dE(X). and this follows from closeness condition: Closeness Condition: For every y ∊{0,1} t and every value a: (X|sE(X,y)=a) is a distribution in C. Therefore dE extracts randomness from this distribution and (dE(X)|sE(X,y)=a) ≈ Uniform As this occurs ∀ a we get that ∀ y: sE(X,y) is independent of dE(X). Use recycled bits Use independent bits Uniform distribution Actual proof is more technical because ε≠0
Summary before Deterministic C-Extractor extracts few bits Our result: A general transformation (extending [GRS04]) Deterministic C-Extractor extracts many bits after Applies to many classes C: We ’ ve seen: 2-independent sources. In paper: Distributions samplable by small circuits (defined by [TV])
Conclusions and open problems Technique can be applied to many deterministic extraction scenarios. Some additional work is needed to meet the closeness condition in various cases. At the moment we don’t always have good deterministic extractors to start from (e.g. low entropy 2-source extractors, samplable sources). Come up with new constructions of 2-source extractors and extractors for samplable distributions. Can this technique be used to reduce the seed length of seeded extractors? We provide some counterexamples.
That’s it… … having extracted many random bits they lived happily ever after.