Extracting Randomness


Presentation Transcript


  1. Extracting Randomness. David Zuckerman, University of Texas at Austin.

  2. Randomness extremely useful
      • Algorithms
          • Approximation, optimization, factoring polys.
          • Monte Carlo simulations
      • Cryptography
      • Distributed computing
          • Consensus, Byzantine agreement, load balancing.

  3. Randomness wonderful, but …
      • Computers typically don’t have access to true randomness.

  4. Is Randomness Necessary?
      • Essential for distributed computing and cryptography:
          • Must choose secret key randomly.
      • Unclear for algorithms.

  5. Is Randomness Necessary?
      • Major open question in field: does every efficient randomized algorithm have an efficient deterministic counterpart?
      • Does RP = P?

  6. Is Randomness Necessary?
      • Major open question in field: does every efficient randomized algorithm have an efficient deterministic counterpart?
      • Does RP = P? Appears very difficult.
      • Does RSPACE(S) = SPACE(S)? Difficult but some hope.

  7. What is minimal randomness requirement?
      • Can we eliminate randomness completely?
      • If not:
          • Can we minimize quantity of randomness?
          • Can we minimize quality of randomness?
          • What does this mean?

  8. What is minimal randomness requirement?
      • Can we eliminate randomness completely?
      • If not:
          • Can we minimize quantity of randomness?
              • Pseudorandom generator
          • Can we minimize quality of randomness?
              • Extractor

  9. Pseudorandom Generators
      • Computers rely on pseudorandom generators:
          short random string (e.g. 71294) → PRG → long “random-enough” string (e.g. 141592653589793238)
      • Classical approach: ad hoc. Many failures.
      • Modern approach: provably good PRGs.

  10. Quality: von Neumann’s model
      • Bits independent.
      • Each bit has same bias: Pr[X_i = 1] = p, p unknown.
      • Can’t use directly.
      • Goal: very long weakly random string → Ext → long random string.

  11. Quality: von Neumann’s model
      • Extractor:
          • Group bits in pairs.
          • Pr[01] = Pr[10] = p(1-p).
          • Map 01 to 0, 10 to 1, ignore 00 and 11.
      • Example: 01 01 11 10 11 01 00 maps to 0 0 1 0

  12. Use in Practice
      • Intel has random number generator (not PRG) which uses white noise.
      • Temperature may influence bias.
      • Intel applies von Neumann’s extractor to output.
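The von Neumann extractor of slides 10 to 12, as an added example (not code from the slides): it reproduces the slide 11 mapping and then runs the scheme on a constructed, heavily biased stream (fixed seed, assumed bias p = 0.9) to show that the output bias vanishes while the yield drops to p(1-p).

```python
import random
from typing import Iterable, List


def von_neumann_extract(bits: Iterable[int]) -> List[int]:
    """Pair up consecutive input bits: 01 -> 0, 10 -> 1; 00 and 11 are discarded.

    With independent bits of equal (unknown) bias p, Pr[01] = Pr[10] = p(1-p),
    so every emitted bit is exactly unbiased whatever p is. The guarantee
    needs independence: correlated bits (slide 13) can break it.
    """
    stream = list(bits)
    out: List[int] = []
    for i in range(0, len(stream) - 1, 2):  # a trailing unpaired bit is dropped
        a, b = stream[i], stream[i + 1]
        if a != b:
            out.append(a)  # the pair 01 yields 0, the pair 10 yields 1
    return out


def expected_yield(p: float) -> float:
    """Output bits per input bit: a pair survives with probability 2p(1-p) and
    gives one bit for two consumed, i.e. p(1-p); at most 1/4, reached at p = 0.5."""
    return p * (1 - p)


def biased_stream(n: int, p: float, seed: int) -> List[int]:
    """Constructed von Neumann-model source: independent bits, Pr[bit = 1] = p."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def ones_fraction(bits: List[int]) -> float:
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    # The example from slide 11: 01 01 11 10 11 01 00 maps to 0 0 1 0
    print(von_neumann_extract([0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0]))
    src = biased_stream(200_000, 0.9, seed=7)  # constructed, heavily biased source
    ext = von_neumann_extract(src)
    print(f"input bias {ones_fraction(src):.3f} -> output bias {ones_fraction(ext):.3f}; "
          f"yield {len(ext) / len(src):.3f} vs p(1-p) = {expected_yield(0.9):.3f}")
```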

  13. General Weakly Random Sources
      • What if bits are correlated?
      • Many models studied [Blum, Santha-Vazirani, Chor-Goldreich].
      • Most general model: upper bound probability of each string [Zuckerman].
      • Similar to lower bounding entropy.

  14. General Weakly Random Sources
      • Weakly random distribution on n bits: each string has probability ≤ 2^-k.
      • Example: weakly random integer in [1,1000].
      • Distribution unknown.

  15. Goal
      very long weakly random string → Ext → long almost random string
      Should work for all (n,k) weakly random sources.

  16. Goal
      very long weakly random string → Ext → long almost random string
      Should work for all (n,k) weakly random sources.
      Problem: impossible.

  17. Solution: Extractor [Nisan-Zuckerman]
      short truly random string + very long weakly random string → Ext → long almost random string

  18. Extractor Parameters [NZ, …, Lu-Reingold-Vadhan-Wigderson]
      O(log n) truly random bits + n weakly random bits (Pr[each string] ≤ 2^-k) → Ext → .99k almost random bits

  19. Power of Extractors
      • Sometimes can eliminate true randomness by cycling over all possibilities.

  20. Power of Extractors
      • Sometimes can eliminate true randomness by cycling over all possibilities.
      • Useful even when no weakly random source apparently present.

  21. Power of Extractors
      • Sometimes can eliminate true randomness by cycling over all possibilities.
      • Useful even when no weakly random source apparently present.
      • Mathematical reason for power: extractor constructions beat “eigenvalue bound.”

  22. Applications of Extractors
      • PRGs for Space-Bounded Computation [Nisan-Z]
      • PRGs for Random Sampling [Z]
      • Cryptography [Lu, Vadhan, Dodis-Smith]
      • Expander graphs and highly connected networks [Wigderson-Z]
      • Coding theory [Ta-Shma-Z]
      • Hardness of approximation [Z, Mossel-Umans]
      • Efficient deterministic sorting [Pippenger]
      • Time-space tradeoffs [Sipser]
      • Implicit data structures [Fiat-Naor, Z]

  23. New Extractor and Application [Z]
      • Extractor requires log n + O(1) random bits.
      • NP-complete to approximate MAX CLIQUE and CHROMATIC NUMBER to within n^(1-ε), for any ε > 0.
      • Previously same inapproximability ratio required NP ⊆ ZPP [Hastad, Feige-Kilian].
      • We use new extractor to derandomize previous reductions.

  24. The Future for Extractors
      • Current extractors near optimal.
      • Where to go from here?
      • Two interesting directions:
          • Deterministic extractors for specialized sources.
          • Extractors for independent sources and a new technique.

  25. Bit-Fixing Sources
      • Adversary fixes all but k of the n bits.
      • Remaining k bits chosen randomly.
      • Parity can extract 1 bit if k ≥ 1.

  26. Bit-Fixing Sources
      • Adversary fixes all but k of the n bits.
      • Remaining k bits chosen randomly.
      • Parity can extract 1 bit if k ≥ 1.
      • This model seems unrealistic:
          • What good is it?

  27. Bit-Fixing Sources
      • Adversary fixes all but k of the n bits.
      • Remaining k bits chosen randomly.
      • Parity can extract 1 bit if k ≥ 1.
      • This model seems unrealistic:
          • What good is it?
          • Applications in cryptography and more realistic models.

  28. Bit-Fixing Sources
      • Adversary fixes all but k of the n bits.
      • Remaining k bits chosen randomly.
      • Parity can extract 1 bit if k ≥ 1.
      • To extract 2 truly random bits, need k > n/3.
      • Can extract k^2/n almost-random bits deterministically [Kamp-Zuckerman].
      • Improved to (1-o(1))k [Gabizon-Raz-Shaltiel].
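Slides 25 to 28 in code, as an added example that is not from the original slides: an exhaustive check over every way the adversary can fix n-k positions, showing that parity is an exact 1-bit extractor whenever k ≥ 1, that taking a fixed position is not, and that a constructed 2-bit map for n = 3 is exact for k = 2 but not for k = 1, consistent with the k > n/3 bound. All parameters are small constructed values chosen for the enumeration, not from the slides.

```python
from itertools import combinations, product
from typing import Callable, Dict, Tuple

Bits = Tuple[int, ...]


def bit_fixing_source(n: int, fixed: Dict[int, int]):
    """Enumerate every string of one (n,k) bit-fixing source: the adversary's
    positions carry its chosen values, the other k positions take all 2^k settings."""
    free = [i for i in range(n) if i not in fixed]
    for assignment in product((0, 1), repeat=len(free)):
        s = [0] * n
        for i, v in fixed.items():
            s[i] = v
        for i, v in zip(free, assignment):
            s[i] = v
        yield tuple(s)


def is_exact_extractor(ext: Callable[[Bits], Bits], n: int, k: int, m: int) -> bool:
    """True iff ext's m-bit output is exactly uniform for every way the adversary
    can fix n-k positions, i.e. for every (n,k) bit-fixing source. Exponential in
    n, so only for small parameters."""
    for pos in combinations(range(n), n - k):
        for vals in product((0, 1), repeat=n - k):
            counts: Dict[Bits, int] = {}
            for s in bit_fixing_source(n, dict(zip(pos, vals))):
                y = ext(s)
                counts[y] = counts.get(y, 0) + 1
            # uniform on m bits: all 2^m outputs appear, each exactly 2^(k-m) times
            if len(counts) != 2 ** m or set(counts.values()) != {2 ** (k - m)}:
                return False
    return True


def parity(s: Bits) -> Bits:
    """Slide 25: XOR of all bits is an exact 1-bit extractor whenever k >= 1."""
    return (sum(s) % 2,)


def first_bit(s: Bits) -> Bits:
    """Not an extractor: the adversary may simply fix position 0."""
    return (s[0],)


def two_xor(s: Bits) -> Bits:
    """Constructed 2-bit candidate for n = 3: (x0 xor x1, x1 xor x2). Exact for
    k = 2 > n/3, but (as slide 28 predicts) it cannot be for k = 1 = n/3."""
    return (s[0] ^ s[1], s[1] ^ s[2])
```

Calling `is_exact_extractor(parity, 8, 1, 1)` returns True while `is_exact_extractor(first_bit, 8, 7, 1)` returns False; `two_xor` is exact for (n, k) = (3, 2) and not for (3, 1).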

  29. Exposure-Resilient Cryptography
      • Standard cryptography: secret keys totally secret.
      • What if adversary learns some bits of secret key?
      • Deterministic extractors for bit-fixing sources can help foil such adversaries [Dodis-Sahai-Smith]. Need exponentially small error.
      • Kamp-Z extractor has small enough error to apply ([GRS] error too large).

  30. More realistic sources: Generalizing von Neumann’s Model
      • Bits independent, allow different biases.
      • Deterministic extractors for bit-fixing sources also work for these new sources [Kamp-Vadhan-Zuckerman].
      • Goal: deterministic extractors for more general sources.
      • Some preliminary results allowing correlations.

  31. Technique: Additive Number Theory
      • For set A, A+A = {a_1 + a_2 : a_1, a_2 in A}
      • Thm: either |A+A| > |A|^1.01 or |A·A| > |A|^1.01 [Bourgain-Katz-Tao, Konyagin].
      • Can extract from 3 independent sources [Barak-Kindler-Shaltiel-Sudakov-Wigderson].
      • Promising technique -- other applications?
      • Anup Rao: improvements without additive number theory.

  32. Conclusions
      • Extractors fundamental: diverse applications.
      • Future in extractors:
          • Deterministic extractors
          • 2-source extractors
          • More applications
          • Practical variants
      • Can we make progress towards RP = P or RSPACE(S) = SPACE(S)?

  33. Students
      • Jesse Kamp - extractors
      • Anindya Patthak - coding theory
      • Anup Rao - extractors

  34. Extractors in Cryptography
      • Alice and Bob know s = “secret” random 1000 bit string.
      • Eavesdropper Eve knows 600 bits of s.
      • Alice and Bob don’t know which 600 bits.
      • Eve can see all communication.

  35. Extractors in Cryptography
      • Alice and Bob compute a shared secret string of 300 bits, about which Eve has negligible information:
          • To Eve, s appears like output of known bit-fixing source. So Ext(s) will appear almost random.
          • Hence shared secret = Ext(s).
