Page 1
Extracting Randomness
David Zuckerman, University of Texas at Austin
Page 2
Randomness extremely useful
• Algorithms
– Approximation, optimization, factoring polys.
• Monte Carlo simulations
• Cryptography
• Distributed computing
– Consensus, Byzantine agreement, load balancing.
Page 3
Randomness wonderful, but …
• Computers typically don’t have access to true randomness.
Page 4
Is Randomness Necessary?
• Essential for distributed computing and cryptography:
– Must choose secret key randomly.
• Unclear for algorithms.
Page 5
Is Randomness Necessary?
• Major open question in field: does every efficient randomized algorithm have an efficient deterministic counterpart?
– Does RP = P?
Page 6
Is Randomness Necessary?
• Major open question in field: does every efficient randomized algorithm have an efficient deterministic counterpart?
– Does RP = P? Appears very difficult.
– Does RSPACE(S) = SPACE(S)? Difficult but some hope.
Page 7
What is minimal randomness requirement?
• Can we eliminate randomness completely?
• If not:
– Can we minimize quantity of randomness?
– Can we minimize quality of randomness?
• What does this mean?
Page 8
What is minimal randomness requirement?
• Can we eliminate randomness completely?
• If not:
– Can we minimize quantity of randomness?
• Pseudorandom generator
– Can we minimize quality of randomness?
• Extractor
Page 9
Pseudorandom Generators
• Computers rely on pseudorandom generators:
[Figure: short random string (e.g. 71294) → PRG → long “random-enough” string (e.g. 141592653589793238)]
Classical approach: ad hoc. Many failures.
Modern approach: provably good PRGs.
Page 10
Quality: von Neumann’s model
Goal: [Figure: very long weakly random string → Ext → long random string]
• Bits independent.
• Each bit has same bias:
– Pr[X_i = 1] = p, p unknown.
• Can’t use directly.
Page 11
Quality: von Neumann’s model
• Extractor:
– Group bits in pairs.
– Pr[01] = Pr[10] = p(1-p).
– Map 01 to 0, 10 to 1, ignore 00 and 11.
• Example: 01 01 11 10 11 01 00 maps to 0 0 1 0
Page 12
Use in Practice
• Intel has random number generator (not PRG) which uses white noise.
• Temperature may influence bias.
• Intel applies von Neumann’s extractor to output.
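As an added worked example (not part of the original slides), the following Python code implements the pairing rule from page 11, runs it on a constructed source of independent bits with bias 0.9 to check that the output is unbiased with about p(1-p) output bits per input bit, and then feeds it a constructed source of correlated bits to show why the independence assumption matters: the outputs stay unbiased individually but are no longer independent. All source and function names are the example's own.

```python
import random

def von_neumann_extract(bits):
    """Von Neumann's extractor: group the bits in pairs, map 01 -> 0 and 10 -> 1,
    and ignore the pairs 00 and 11.  For independent bits with a common unknown
    bias p, Pr[01] = Pr[10] = p(1-p), so every output bit is exactly uniform."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:                      # 01 -> 0 (a == 0), 10 -> 1 (a == 1)
            out.append(a)
    return out

def biased_source(n, p, rng):
    """Constructed von Neumann source: n independent bits, each 1 with probability p."""
    return [1 if rng.random() < p else 0 for _ in range(n)]

def markov_source(n, stay, rng):
    """Constructed correlated source: each bit repeats the previous one with
    probability `stay`.  Every single bit is still unbiased (Pr[1] = 1/2)."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < stay else 1 - bits[-1])
    return bits

def mean(bits):
    return sum(bits) / len(bits)

def repeat_rate(bits):
    """Fraction of consecutive output bits that are equal; 1/2 for independent uniform bits."""
    return sum(bits[i] == bits[i + 1] for i in range(len(bits) - 1)) / (len(bits) - 1)

def demo(n=200_000, seed=1):
    rng = random.Random(seed)
    # Independent bits with bias 0.9: the output is unbiased, and about
    # p(1-p) = 0.09 output bits are produced per input bit.
    x = biased_source(n, 0.9, rng)
    y = von_neumann_extract(x)
    # Correlated bits: each output bit is still unbiased on its own, but
    # consecutive output bits are far from independent, so the pairing
    # argument (which needs independence) no longer gives true randomness.
    z = von_neumann_extract(markov_source(n, 0.9, rng))
    return {"in_bias": mean(x), "out_bias": mean(y), "yield": len(y) / n,
            "markov_out_bias": mean(z), "markov_out_repeat": repeat_rate(z)}

if __name__ == "__main__":
    print(demo())
```

For the correlated source with stay = 0.9, consecutive output bits agree only about 36% of the time instead of 50%, which is the kind of failure that motivates the general weakly random sources on the next slides.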
Page 13
General Weakly Random Sources
• What if bits are correlated?
• Many models studied [Blum, Santha-Vazirani, Chor-Goldreich].
• Most general model - upper bound probability of each string [Zuckerman].
• Similar to lower bounding entropy.
Page 14
General Weakly Random Sources
• Weakly random distribution on n bits: each string has probability ≤ 2^-k.
• Example: weakly random integer in [1,1000].
• Distribution unknown.
[Figure: bar chart of probability (0 to 0.01) against outcome (1 to 8), comparing “weakly random”, “almost random” and “truly random” distributions]
Page 15
Goal
[Figure: very long weakly random string → Ext → long almost random string]
Should work for all (n,k) weakly random sources.
Page 16
Goal
[Figure: very long weakly random string → Ext → long almost random string]
Should work for all (n,k) weakly random sources.
Problem: impossible.
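Why no single fixed function can work for all (n,k) sources, as an added example that is not from the slides: for any candidate deterministic extractor, the uniform distribution over its largest preimage is an (n, n-m)-source on which the output is constant. The code builds that source for parity and for "output the first two bits", and contrasts it with a constructed bit-fixing source, on which parity does extract a uniform bit (the claim made on the bit-fixing slides later in the deck). Function names are the example's own.

```python
import math
from itertools import product

def min_entropy(dist):
    """Min-entropy of a distribution {string: probability}, i.e. -log2 of the most
    likely string.  A distribution on n bits is an (n,k)-source iff this is >= k."""
    return -math.log2(max(dist.values()))

def parity(x):
    return sum(x) % 2

def first_two_bits(x):
    return (x[0], x[1])

def defeating_source(ext, n):
    """For ANY fixed function ext: {0,1}^n -> {0,1}^m, build a source on which ext is
    constant: the uniform distribution over the largest preimage ext^{-1}(y).  That
    preimage has at least 2^(n-m) strings, so this is an (n, n-m)-source: it carries
    almost all of its n bits of randomness, yet the "extractor" outputs a constant."""
    preimages = {}
    for x in product((0, 1), repeat=n):
        preimages.setdefault(ext(x), []).append(x)
    largest = max(preimages.values(), key=len)
    return {x: 1.0 / len(largest) for x in largest}

def bit_fixing_source(n, fixed):
    """Constructed bit-fixing source: positions in `fixed` (a dict pos -> bit) are
    set by the adversary, the remaining k = n - len(fixed) bits are uniform."""
    free = [i for i in range(n) if i not in fixed]
    support = []
    for bits in product((0, 1), repeat=len(free)):
        x = [fixed.get(i, 0) for i in range(n)]
        for i, b in zip(free, bits):
            x[i] = b
        support.append(tuple(x))
    return {x: 1.0 / len(support) for x in support}

def output_distribution(ext, source):
    """Distribution of ext(X) when X is drawn from `source`."""
    out = {}
    for x, p in source.items():
        out[ext(x)] = out.get(ext(x), 0.0) + p
    return out

if __name__ == "__main__":
    bad = defeating_source(parity, 8)      # an (8,7)-source on which parity is constant
    print(min_entropy(bad), output_distribution(parity, bad))
```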
Page 17
Solution: Extractor [Nisan-Zuckerman]
[Figure: very long weakly random string + short truly random string → Ext → long almost random string]
Page 18
Extractor Parameters [NZ, …, Lu-Reingold-Vadhan-Wigderson]
[Figure: n bits weakly random (Pr[each string] ≤ 2^-k) + O(log n) truly random bits → Ext → .99k almost random bits]
Page 19
Power of Extractors
• Sometimes can eliminate true randomness by cycling over all possibilities.
Page 20
Power of Extractors
• Sometimes can eliminate true randomness by cycling over all possibilities.
• Useful even when no weakly random source apparently present.
Page 21
Power of Extractors
• Sometimes can eliminate true randomness by cycling over all possibilities.
• Useful even when no weakly random source apparently present.
• Mathematical reason for power: extractor constructions beat “eigenvalue bound.”
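An added example, not from the slides, of the seeded-extractor definition on pages 17 and 18. It uses a universal (Toeplitz) hash family in place of the Nisan-Zuckerman construction, so the seed here is n+m-1 bits rather than O(log n); the toy sizes n=8, k=4, m=2 are constructed so that every seed can be enumerated. For a bit-fixing (8,4)-source it computes the statistical distance from uniform for every seed, the average error (which the leftover hash lemma bounds), and the fraction of good seeds that is what makes cycling over all seeds work.

```python
N, M = 8, 2                  # constructed toy sizes: n input bits, m output bits
SEED_BITS = N + M - 1        # an m x n Toeplitz matrix over GF(2) is fixed by n+m-1 bits

def toeplitz_ext(x, seed):
    """Seeded extractor Ext(x, seed) = T_seed * x over GF(2): row i of T_seed is seed
    bits i..i+n-1.  This is a universal hash family, so by the leftover hash lemma
    it is an extractor; it stands in for the Nisan-Zuckerman construction, whose seed
    is only O(log n) bits rather than the n+m-1 used here."""
    y = 0
    for i in range(M):
        row = (seed >> i) & ((1 << N) - 1)
        y = (y << 1) | (bin(row & x).count("1") & 1)      # inner product mod 2
    return y

def flat_source(support):
    """(n,k)-source with k = log2(|support|): uniform over the given n-bit strings."""
    return {x: 1.0 / len(support) for x in support}

def stat_distance(dist, m):
    """Statistical distance between {value: prob} and the uniform distribution on m bits."""
    return 0.5 * sum(abs(dist.get(y, 0.0) - 2.0 ** -m) for y in range(1 << m))

def distance_per_seed(source):
    """For every seed, how far Ext(X, seed) is from uniform when X ~ source."""
    dists = []
    for seed in range(1 << SEED_BITS):
        out = {}
        for x, p in source.items():
            y = toeplitz_ext(x, seed)
            out[y] = out.get(y, 0.0) + p
        dists.append(stat_distance(out, M))
    return dists

def average_distance(source):
    """The extractor's error: distance averaged over a uniformly random seed.  The
    leftover hash lemma bounds it by 0.5 * sqrt(2^m / 2^k) for any (n,k)-source."""
    d = distance_per_seed(source)
    return sum(d) / len(d)

def fraction_good_seeds(source, eps):
    """Share of seeds whose output is within eps of uniform; when this is close to 1,
    an algorithm can enumerate all 2^(n+m-1) seeds instead of needing true randomness."""
    d = distance_per_seed(source)
    return sum(1 for v in d if v <= eps) / len(d)

if __name__ == "__main__":
    src = flat_source(range(16))      # bit-fixing (8,4)-source: high 4 bits fixed to 0
    print(average_distance(src), fraction_good_seeds(src, 0.0))   # 0.0703125 0.875
```

For this source the output is exactly uniform for 7/8 of the seeds, so the average error 9/128 is far below the lemma's worst-case bound of 0.25.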
Page 22
Applications of Extractors
• PRGs for Space-Bounded Computation [Nisan-Z]
• PRGs for Random Sampling [Z]
• Cryptography [Lu, Vadhan, Dodis-Smith]
• Expander graphs and highly connected networks [Wigderson-Z]
• Coding theory [Ta-Shma-Z]
• Hardness of approximation [Z, Mossel-Umans]
• Efficient deterministic sorting [Pippenger]
• Time-space tradeoffs [Sipser]
• Implicit data structures [Fiat-Naor, Z]
Page 23
New Extractor and Application [Z]
• Extractor requires log n + O(1) random bits.
• NP-complete to approximate MAX CLIQUE and CHROMATIC NUMBER to within n^(1-ε), any ε>0.
– Previously same inapproximability ratio required NP ≠ ZPP [Hastad, Feige-Kilian].
– We use new extractor to derandomize previous reductions.
Page 24
The Future for Extractors
• Current extractors near optimal.
• Where to go from here?
• Two interesting directions:
– Deterministic extractors for specialized sources.
– Extractors for independent sources and a new technique.
Page 25
Bit-Fixing Sources
• Adversary fixes all but k of the n bits.
• Remaining k bits chosen randomly.
• Parity can extract 1 bit if k≥1.
Page 26
Bit-Fixing Sources
• Adversary fixes all but k of the n bits.
• Remaining k bits chosen randomly.
• Parity can extract 1 bit if k≥1.
• This model seems unrealistic:
– What good is it?
Page 27
Bit-Fixing Sources
• Adversary fixes all but k of the n bits.
• Remaining k bits chosen randomly.
• Parity can extract 1 bit if k≥1.
• This model seems unrealistic:
– What good is it?
• Applications in cryptography and more realistic models.
Page 28
Bit-Fixing Sources
• Adversary fixes all but k of the n bits.
• Remaining k bits chosen randomly.
• Parity can extract 1 bit if k≥1.
• To extract 2 truly random bits, need k>n/3.
• Can extract k^2/n almost-random bits deterministically [Kamp-Zuckerman].
• Improved to (1-o(1))k [Gabizon-Raz-Shaltiel].
Page 29
Exposure-Resilient Cryptography
• Standard cryptography: secret keys totally secret.
• What if adversary learns some bits of secret key?
• Deterministic extractors for bit-fixing sources can help foil such adversaries [Dodis-Sahai-Smith]. Need exponentially small error.
• Kamp-Z extractor has small enough error to apply ([GRS] error too large).
Page 30
More realistic sources: Generalizing von Neumann’s Model
• Bits independent, allow different biases.
• Deterministic extractors for bit-fixing sources also work for these new sources [Kamp-Vadhan-Zuckerman].
• Goal: deterministic extractors for more general sources.
• Some preliminary results allowing correlations.
Page 31
Technique: Additive Number Theory
• For set A, A+A = {a1+a2 : a1, a2 in A}.
• Thm: either |A+A| > |A|^1.01 or |A·A| > |A|^1.01 [Bourgain-Katz-Tao, Konyagin].
• Can extract from 3 independent sources [Barak-Kindler-Shaltiel-Sudakov-Wigderson].
• Promising technique -- other applications?
• Anup Rao: improvements without additive number theory.
Page 32
Conclusions
• Extractors fundamental: diverse applications.
• Future in extractors:
– Deterministic extractors
– 2-source extractors
– More applications
– Practical variants
• Can we make progress towards RP=P or RSPACE(S) = SPACE(S)?
Page 33
Students
• Jesse Kamp - extractors
• Anindya Patthak - coding theory
• Anup Rao - extractors
Page 34
Extractors in Cryptography
• Alice and Bob know s = “secret” random 1000 bit string.
• Eavesdropper Eve knows 600 bits of s.
• Alice and Bob don’t know which 600 bits.
• Eve can see all communication.
Page 35
Extractors in Cryptography
• Alice and Bob compute a shared secret string of 300 bits, about which Eve has negligible information:
• To Eve, s appears like output of known bit-fixing source. So Ext(s) will appear almost random.
• Hence shared secret = Ext(s).