Presentation is loading. Please wait.

Presentation is loading. Please wait.

Correlation Extractors and Their Applications Yuval Ishai Technion Based on joint work with Eyal Kushilevitz Rafail Ostrovsky Amit Sahai.

Published byJulien Warf Modified over 10 years ago

Similar presentations

Presentation on theme: "Correlation Extractors and Their Applications Yuval Ishai Technion Based on joint work with Eyal Kushilevitz Rafail Ostrovsky Amit Sahai."— Presentation transcript:

1 Correlation Extractors and Their Applications Yuval Ishai Technion Based on joint work with Eyal Kushilevitz Rafail Ostrovsky Amit Sahai

2 What this talk is about Extension of randomness extraction and privacy amplification to correlated sources Motivated by cryptographic applications … but also think about communication channels: –Cleaning channels –Converting one channel to another –Building channels from scratch

3 What if x is not uniform? t-dirty: min-entropy n-t Privacy Amplification [BBR88,BBCM95,...] AliceBob secure channel x R {0,1} n x Eve What if x is partially leaked? t-leaky: Eve learns f(x), f:{0,1} n {0,1} t Solved by randomness extractors [NZ96] –Alice picks a fresh seed s and sends to Bob over a public channel –Both parties output Ext(s,x)

4 Cleaning other types of channels? AliceBob BSC x R {0,1} n y=x e e i ~Bern(p) Noise is useful for crypto! [Wyn75,Csi81,…, CK88,…] Noise can be dirty or leaky Can we build a clean BSC from a dirty BSC? –Main challenge: protecting against insiders

5 Correlation Extractors Generalize BSC example to any channel (X,Y) (n,m,t, ) correlation extractor for (X,Y): ab (a,b) - close to (X,Y) m AliceBob (a,b ) t-dirty (X,Y) n a b Classical case: X=Y R {0,1} also from point of view of Alice or Bob!

6 Randomness A valuable resource –essential for cryptography A scarce resource –clean randomness is hard to find –dirty sources more common in nature

7 Randomness Extractors dirty randomness clean randomness Ext Strong [NZ96]

8 Parameters n-bit source, m-bit output, d-bit seed t-dirty source: –Pr[X=x] 2 t 2 -n (H (X) n-t) –aka k-source, k=n-t -clean output: –| (R,Ext(X,R)) - U m+d | Thm [Sip88,RT97]: Almost every Ext:{0,1} n {0,1} d {0,1} m is a (t, ) (strong) extractor if –m = n-t - 2log(1/ ) - O(1) –d = log(t) + 2log(1/ ) + O(1) Explicit constructions: ILL89,NZ96,T96,GW97,Tre99,ISW00, RSW00,TZS01,SU01,LRVW03,GUV07, …

9 Distributed Randomness Alice Bob What do we want?

10 Public Randomness Alice Bob

11 Public Randomness How can we clean it? –Using standard extractors + few fresh random bits –Using deterministic extractors [vNu51, CFG+85, SV86, Vaz87, CG88, TV00, CDH+00, GRS04, BIW04, Raz05, BKS+05, Bou05, Rao06, KRVZ06, …] Apply to restricted high-entropy sources, e.g. bit-fixing sources What does it buy us? –Algorithms –Distributed computing –Cryptography

12 Private Randomness Alice Bob

13 Private Randomness How can we clean it? –Using standard extractors + few fresh random bits no need for full independence between sources –Using network extractor protocols [DO03, GSV05, KRZ08, …] require independence between sources What else does it buy us? –Distributed computing Byzantine agreement, leader election, collective coin flipping… –Cryptography Computational security under cryptographic assumptions

14 Shared Private Randomness Alice Bob Eve ???

15 Shared Private Randomness How can we clean it? –Two main scenarios Dirty shared source: imperfect but hidden from Eve Leaky shared source: perfect, but partially leaked to Eve –Both addressed by standard (strong) extractors Fresh randomness can be sent over a reliable public channel Fresh randomness generally necessary Privacy Amplification [BBR88,BBCM95,...] Eve learns t information bits except w/prob, source conditioned on Eve s view is (t+log(1/ ))-dirty

16 Correlated Randomness

17 What else does it buy us? –Unconditionally secure computation with no honest majority –… and better efficiency too! –Applications use many independent instances of a finite correlation (X,Y). How can we clean it? –Using correlation extractors –Topic of this talk

18 Defining Correlation Extractors Goal: define (n,m,t, ) correlation extractor –seed length d will be ignored Need to define: –clean correlation source of length m –t-dirty correlation source of length n –extraction mechanism – -success

19 Clean (X,Y) Source (X,Y) : finite distribution over D A D B –All probabilities are rational Sample (a,b) from (X,Y) m (a D A m, b D B m ) Alice gets a, Bob gets b Alice Bob Alice Bob xxxxx

20 Dirty Source: Extractor Variant (A,B) is a t-dirty version of (A,B) if: –For all (a,b), Pr[(A,B)=(a,b)] 2 t Pr[(A,B)=(a,b)] –For all a support(A) and b, Pr[B=b | A=a] 2 t Pr[B=b | A=a] –For all b support(B) and a, Pr[A=a | B=b] 2 t Pr[A=a | B=b]

21 Dirty Source: Privacy Amplification Variant f [t] = t-leaky version of oracle f t-leaky correlation source is an oracle to ((X,Y) n ) [t] ideal oracle t-leaky oracle AliceBob ab f AliceBob ab f [t] Eve L:{0,1}* {0,1} t L(a,b)

22 Extraction Mechanism Alice and Bob can interact –necessary for nontrivial (X,Y), even in bit fixing case –interaction uses additional fresh randomness –interaction begins after leakage occurs Assumption: Alice and Bob follow the protocol –notion can be extended to active attacks Simplifying assumptions: –Alice, Bob can toss private coins –Alice, Bob can communicate over a secure channel Both resources can be extracted from the source when needed

23 Measuring Success Outputs should be -close to (X,Y) m even when conditioned on Eves view –Eve can be an outsider, or corrupt either Alice or Bob Can be formalized using conditional distributions More convenient: –Eves view can be -simulated in an ideal process for generating (X,Y) m –Simulation considered jointly with outputs of uncorrupted parties

24 Putting it Together An (n,m,t, ) correlation extractor for (X,Y) is an interactive two-party protocol P with inputs (a,b) and outputs (a,b) such that –Extractor variant: Whenever (a',b') are drawn from a t-dirty version of (X,Y) n, P realizes -securely the process of sampling (a,b) from (X,Y) m –Privacy amplification variant: P is an -secure reduction from (X,Y) m to ((X,Y) n ) [t]

25 Main Question Are there correlation extractors for arbitrary (X,Y)? –If so, how good can they be? Question largely unexplored –Different from previous extensions of privacy amplification to correlated or fuzzy sources [Wyn75,BBR88,Mau91,DRS04,DS05,…] Only concerned with secrecy against an external Eve –Special cases implicit in literature Special types of correlations, locally imperfect sources No prior study of global imperfections

26 Main Question Are there correlation extractors for arbitrary (X,Y)? –If so, how good can they be? Question still seems challenging even when –allowing non-explicit or heuristic constructions –allowing unlimited access to fresh randomness, secure communication Source of difficulty: Conflict between structure and secrecy Randomness extraction meets secure computation

27 Main Result For any finite (X,Y) there is an efficient, constant-round (n,m,t, ) correlation extractor with: –m= (n) [ clean instances ] –t= (n) [ source imperfection / leakage ] – = 2 - (n) [ extraction error ] –O(n) communication Assumes semi-honest parties. constant support size, rational probabilities [I-Kushilevitz-Ostrovsky-Sahai 2009]

28 Simple Correlations shared randomness private randomness binary symmetric channel X Y 0 1 01 finite correlation (X,Y) discrete memoryless channel p x y =Pr[Y=y|X=x] erasure channel / Rabin-OT (random) OT channel X=(s 0,s 1 ) Y=(r,s r ) Very useful for crypto! easy conversion to chosen input OTs [BG89,Bea95] basis for general secure two-party computation - requires O(circuit-size) instances of channel [GMW87,GV87,GHY87,Kil88, … ] [WW06]

29 OT Extractor Building block for general correlation extractors Common generalization of previous primitives OT Extractor OT Combiner [HKN+05, … ] Extractor Extractor for bit-fixing sources

30 Overview of Construction ((X,Y) n ) [t] (X,Y) m (OT n ) [t ] trivial cases OT m OT-based secure computation rational probabilities OT from nontrivial channels [Kil00,CMW04] OT Extractor some errors as well …

31 Efficient OT Extractors Careful combination of secure computation and randomness extraction techniques –Simpler with polylog(n,1/ ) loss in m,t Idea: Use O(m) leaky OTs as a resource for securely computing m fresh OTs. Problem: OT-based protocols propagate leakage! –Modify computed function to include an extraction step? –Leakage still propagates… Observation: random OTs are converted into chosen input OTs via XORing.

32 -biased secure computation Goal: Generate m fresh OTs using O(m) calls to an OT oracle while making Bobs oracle inputs -biased Masking with outputs of leaky oracle will keep Bobs fresh OT selections private [AR94,GW97] Need to reverse & repeat the process for protecting Alice. Alice Bob OT

33 Building Block Explicit family of linear codes C n :F k(n) F n such that –F has characteristic 2 –The dual distance of C n is (n) –The linear code C 2 n spanned by pointwise products of c i,c j C n has minimal distance (n) Examples: –RS codes (non-constant F) [BGW88,…] –AG codes (constant F) [CC06, CCX11] Cant use random codes (even non-explicitly) –last requirement implies efficient decoding [CDG+05]

34 -biased protocol for AND m Alices input: a {0,1} m Bobs input: b {0,1} m Bobs output: a b Alice Bob a b a b C C 0 z C 2

35 -biased protocol for AND m a b+z is the suffix of a random codeword from C 2 which starts with a b reveals no info beyond a b Alice Bob a b a b C C 0 z C 2

36 -biased protocol for AND m a b+z is the suffix of a random codeword from C 2 which starts with a b reveals no info beyond a b –Good distance of C 2 guarantees that a b can be recovered Alice Bob a b a b 0 z 1-round OT-based protocol [Kil88, … ] -biased?

37 -biased protocol for AND m Good dual distance of C, |F|=2 c b is (m)-wise independent –But not -biased! Apply random 3-bit majority encoding to each bit of b –Makes b -biased with =2 - (m) –Incorporate decoding into OT-based secure computation protocol Alice Bob a b a b 0 z 1-round OT-based protocol [Kil88, … ] -biased?

38 Applications Protecting protocols against leakage Efficient reductions between channels Communication-efficient secure computation

39 protecting against leakage OT-based protocol OT Extractor OT generation process leaky storage

40 efficient reductions between channels Much work on OT from noisy channels –BSC, unfair channels, Gaussian channels, … –poly(k) invocations of Ch1 per OT instance, even in semi- honest model OT extractors constant-rate OTs from any nontrivial channel –Bonus feature: leakage-resilience Alice Bob Ch1 Ch2 OT

41 communication-efficient secure computation Secure two-party computation, standard model Communication of typical protocols: poly(k) per gate [Gentry09]: poly(k) (|input|+|output|) overall! But… sometimes life is a sequence of finite tasks –circuit of size O(|output|) –even [Gentry09] requires poly(k) communication per gate Application of OT extractors –Constant-rate OT protocol under -Hiding Assumption [CMS99,GR05] general circuit evaluation with O(1) bits per gate constant-rate realization of any discrete channel! –Previously known under a nonstandard assumption [IKOS08]

42 Conclusions Defined correlation extractors Constructed (n,m,t, ) extractor for every finite (X,Y) –m= (n) –t= (n) – = 2 - (n) –O(n) communication Several applications, all with constant rate –Cleaning channels –Reducing channels to each other –Building channels from scratch! Computationally, under -hiding assumption

43 Further Research Better parameters –Maximize leakage resilience and rate –Minimize round complexity –Better dependence on domain size? Malicious parties Multi-party setting Computational setting –Protecting computationally-secure two-party protocols against side-channel attacks

Download ppt "Correlation Extractors and Their Applications Yuval Ishai Technion Based on joint work with Eyal Kushilevitz Rafail Ostrovsky Amit Sahai."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.

Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
How to get more mileage from randomness extractors Ronen Shaltiel University of Haifa.

How to get more mileage from randomness extractors Ronen Shaltiel University of Haifa.
Extracting Randomness David Zuckerman University of Texas at Austin.

Extracting Randomness David Zuckerman University of Texas at Austin.
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Similar presentations

Ads by Google