Simple Extractors for all Min-Entropies
R.Shaltiel and C.Umans

Definitions

Def (min-entropy): The min-entropy of a random variable X over {0,1}^n is defined as:
Thus a random variable X has min-entropy at least k if Pr[X=x] ≤ 2^{-k} for all x. The maximum possible min-entropy for such a R.V. is n.
Def (statistical distance): Two distributions on a domain D are ε-close if the probabilities they give to any event A ⊆ D differ by at most ε (namely, in the L1 norm).
[Figure: the extractor E takes an n-bit weak random source and a t-bit seed and outputs an m-bit random string.]
Def (extractor): A (k,ε)-extractor is a function E:{0,1}^n × {0,1}^t → {0,1}^m s.t. for any R.V. X with min-entropy ≥ k, E(X,U_t) is ε-close to U_m (where U_m denotes the uniform distribution over {0,1}^m).
The relevant parameters are:
[Figure: E maps a high min-entropy distribution over the 2^n source strings, together with a uniformly distributed seed over the 2^t seed strings, to an output over the 2^m strings that is close to uniform.]
Claim: to prove E is an extractor, it suffices to prove that for all 0<i<m+1 and all predictors f:{0,1}^{i-1} → {0,1}:
Proof: Assume E is not an extractor; then there exists a R.V. X s.t. E(X,U_t) is not ε-close to U_m, that is:
Now define the following hybrid distributions:
Summing the probabilities for the event corresponding to the set A for all distributions yields:
And because |∑ a_i| ≤ ∑ |a_i|, there exists an index 0<i<m+1 for which:
We now define a function f:{0,1}^{i-1} → {0,1} that predicts the i'th bit with probability at least ½ + ε/m ("a next-bit predictor"):
The function f draws the bits y_i,…,y_m uniformly and independently and outputs:
Note: the above definition is not constructive, as A is not known!
And f is indeed a next-bit predictor:
Q.E.D.
Construction:
[Figure: the construction. The source x, encoded with an (inefficient) binary code, is evaluated at the points (a,b), (a,b+1), …, (a,b+m) of a line, giving the output symbols x(a,b), x(a,b+1), …, x(a,b+m).]

Parameters:
h ~ n^{1/2}
j ~ lg n
m ~ desired entropy

[Figure: the reconstruction idea. Start from a random line with "few" red points given as "advice" (a = mj·O(h)); list-decode using the predictor f; resolve into one value on the line; repeat using the new points until all of F^d is evaluated.]
For Y ⊆ X, define the weight of Y as ∑_{y∈Y} Pr[y].
Let R:{0,1}^a → {0,1}^n be s.t. Pr_{x~X}[∃z: R(z)=x] ≥ 1/2.
[Figure: the counting argument. R maps the set S of 2^a advice strings into the 2^n source strings; the image R(S) is compared with the support of X.]
f is allowed to output a small list of l possible next elements
Def: Let F be a field with q elements.
A (k,l) q-ary extractor is a function E:{0,1}^n × {0,1}^t → F^m s.t. for all R.V. X with min-entropy ≥ k,
and all 0<i<m,
and all list-predictors f:F^{i-1} → F^l:
Def: Define the generator matrix for the vector space F^d as a matrix A ∈ F^{d×d} s.t. for any non-zero vector v ∈ F^d:
(that is, any vector 0 ≠ v ∈ F^d multiplied by all powers of A generates the entire vector space F^d except for 0)
Lemma: Such a generator matrix exists and can be found in time q^{O(d)}.
Note that for such a polynomial, the number of coefficients is exactly:
(“choosing where to put d-1 bars between h-1 balls”)
[Figure: the q-ary extractor. The seed is interpreted as a vector v ∈ F^d; the generator matrix A gives the points v, Av, …, A^i v, …, A^m v of F^d, and the output is x(v), x(Av), …, x(A^i v), …, x(A^m v).]
Thm: For any n,q,d and h as previously defined, E is a (k,l) q-ary extractor if:
Alternatively, E is a (k,l) q-ary extractor if:
A field F2 is called an extension of another field F if F is contained in F2 as a subfield.
Thm: For every prime power p^k (p prime, k>0) there is a unique (up to isomorphism) finite field with p^k elements. These fields are denoted GF(p^k). The cardinality of every finite field has this form.
Def: A polynomial is called irreducible in GF(p) if it does not factor over GF(p)
Thm: Let f(x) be an irreducible polynomial of degree k over GF(p). The finite field GF(p^k) can be constructed as the set of polynomials of degree at most k-1 over Z_p, with addition and multiplication carried out modulo f(x).
Construct GF(2^5) as follows:
Let the irreducible polynomial be:
Represent every polynomial of degree k as a vector of k+1 coefficients:
Addition over this field:
And multiplication:
And now modulo the irreducible polynomial:
Denote by GF*(q^d) the multiplicative group of the Galois Field GF(q^d).
This multiplicative group of the Galois Field is cyclic, and thus has a generator g:
Let j be the natural isomorphism between the Galois Field GF(q^d) and the vector space F^d, which matches a polynomial with its vector of coefficients:
Now define the generator matrix A of F^d as the linear transformation that corresponds to multiplication by the generator in GF*(q^d):
A is a linear transformation because of the distributive property of both the vector space and the field GF(q^d), according to the isomorphism properties:
It remains to show that the generator matrix A of F^d can be found in time q^{O(d)}.
And indeed:
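As an added worked example (not from the slides), the two steps above carried out for q = 2, d = 5: GF(2^5) arithmetic modulo an assumed irreducible polynomial x^5 + x^2 + 1 (the slides leave the polynomial unstated), a generator g of GF*(2^5) found by brute-force scan as in the lemma, and the 5×5 matrix A over Z_2 that realises multiplication by g under the coefficient-vector isomorphism, checked against the generator-matrix definition.

```python
# Added example, not from the slides: GF(2^5) arithmetic and the generator
# matrix A of F^d for q = 2, d = 5, built as "multiplication by a generator g
# of GF*(2^5)" under the natural isomorphism GF(q^d) <-> F^d.
# Assumption: the irreducible polynomial is x^5 + x^2 + 1 (unstated on the
# slides); bit i of an int holds the coefficient of x^i, addition is XOR.
Q, D = 2, 5
IRRED = 0b100101                  # x^5 + x^2 + 1

def gf_mul(a: int, b: int) -> int:
    """Polynomial product over Z_2, reduced modulo the irreducible polynomial."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        b >>= 1
        a <<= 1
        if a & (1 << D):          # degree reached 5: subtract (XOR) x^5 + x^2 + 1
            a ^= IRRED
    return prod

def order(g: int) -> int:
    """Multiplicative order of a non-zero g in GF*(2^5)."""
    k, acc = 1, g
    while acc != 1:
        acc, k = gf_mul(acc, g), k + 1
    return k

def find_generator() -> int:
    """GF*(q^d) is cyclic: scan for an element of full order q^d - 1 (time q^O(d))."""
    return next(g for g in range(2, Q ** D) if order(g) == Q ** D - 1)

def to_vector(a: int) -> tuple:
    """Natural isomorphism GF(q^d) -> F^d: the coefficient vector (c_0, ..., c_{d-1})."""
    return tuple((a >> i) & 1 for i in range(D))

def generator_matrix(g: int) -> list:
    """Column i of A is vec(g * x^i), so that A . vec(a) = vec(g * a) for every a."""
    cols = [to_vector(gf_mul(g, 1 << i)) for i in range(D)]
    return [[cols[j][i] for j in range(D)] for i in range(D)]

def mat_vec(A: list, v: tuple) -> tuple:
    """A . v over Z_2."""
    return tuple(sum(A[i][j] * v[j] for j in range(D)) % Q for i in range(D))

def orbit(A: list, v: tuple) -> set:
    """{v, Av, A^2 v, ...}: for a generator matrix this is all of F^d minus 0."""
    seen, cur = set(), v
    while cur not in seen:
        seen.add(cur)
        cur = mat_vec(A, cur)
    return seen
```

Since |GF*(2^5)| = 31 is prime, every element other than 0 and 1 is a generator, so the scan stops at g = x; the orbit check confirms that A^i v for i = 0..30 runs through all 31 non-zero vectors of Z_2^5.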
Proof sketch:
For a certain R.V. X with min-entropy at least k,
assume a function f that violates the properties of a q-ary extractor, and
construct another function R:{0,1}^a → {0,1}^n, the "reconstruction function".
This function, using f as a procedure, has the property that:
Applying the "counting argument", this contradicts the assumption that X has min-entropy at least k.
Lemma: Let n,q,d,h be as in the main theorem. There exists a probabilistic function R:{0,1}^a → {0,1}^n with a = O(mhd log q) such that for every x on which:
The following holds (the probability is over the random coins of R):
Next we show: there exists a sequence of prediction steps that works for many x in the support of X and requires few advice strings.
[Figure: the prediction steps. Points y_1,…,y_r and y_{r+1},…,y_{2r} of F^d, parameterized by t_1,…,t_{2r}, lie on curves; applying A repeatedly yields A(y_j), A^2(y_j), A^3(y_j), …, A^{i*}(y_j), shown next to the line v, A^i v, …, A^m v.]
[Figure (cont.): with a single curve the predicted values cannot be resolved into one value!]
[Figure (cont.): adding the points A^{i*+1}(y_j), the values can be resolved into one value using the second curve!]
Let t>4 be an even integer, and X_1,…,X_n be t-wise independent R.V. with values in [0,1]. Let X = ∑_i X_i, with expectation E[X], and let A>0. Then:
Q.E.D (of the claim).
Main Lemma Proof (cont.): Therefore, w.h.p. there are at least q/4√l evaluation points of P_i that agree with the degree-2hr polynomial on the i'th curve (out of a total of at most lq).
Furthermore, a list of all such polynomials can be computed in time poly(n,log|F|).
Q.E.D (main lemma)
[Figure (cont.): use the next-bit predictor over all points in F, so that we get enough "good evaluations".]
Q.E.D (main theorem)!
The simple technique - using error correcting codes:
Lemma: Let F be a field with q elements. Let C:{0,1}^{k=log q} → {0,1}^n be a binary error correcting code with distance at least 0.5-O(2). If
E:{0,1}^n × {0,1}^t → F^m is a (k, O(r)) q-ary extractor, then
E':{0,1}^n × {0,1}^{t+log n} → F^m defined by:
is a (k, rm) binary extractor.
A more complex transformation from q-ary extractors to binary extractors achieves the following parameters:
Thm: Let F be a field with q < 2^m elements. There is a polynomial time computable function:
such that for any (k,r) q-ary extractor E, E'(x;(y,j)) = B(E(x;y),j) is a (k, r·log* m) binary extractor.
The last theorem allows using Theorem 1 with r = O(ε/log* m), and implies a (k,ε) extractor with seed length t = O(log n) and output length m = k/(log n)^{O(1)}.
Def (PRG): an ε-PRG for size s is a function G:{0,1}^t → {0,1}^m with the following property: for all 1 ≤ i ≤ m and all functions f:{0,1}^{i-1} → {0,1} computable by size-s circuits,
Pr[f(G(U_t)_{1…i-1}) = G(U_t)_i] ≤ ½ + ε/m
This implies:
for all size s−O(1) circuits C,
|Pr[C(G(U_t))=1] − Pr[C(U_m)=1]| ≤ ε
Def (q-ary PRG): Let F be the field with q elements. An ε-q-ary PRG for size s is a function G:{0,1}^t → F^m with the following property: for all 1 ≤ i ≤ m and all functions f:F^{i-1} → F^{(ε^{-2})} computable by size-s circuits,
Pr[∃j: f(G(U_t)_{1…i-1})_j = G(U_t)_i]
Fact: an O(ε)-q-ary PRG for size s can be transformed into a (regular) εm-PRG for size not much smaller than s.
Note: Gx(j) corresponds to using our q-ary extractor construction with the “successor function” Amj
We show: if x is hard, then at least one G_x(j) is a q-ary PRG.
Plan for building a PRG G_x:{0,1}^t → {0,1}^m:
Note F'^d is a subset of F^d
think of F^d as both a vector space and the extension field of F
perhaps we should just say: immediate from the correspondence between the cyclic group GF(q^d) and F^d\{0} ??? otherwise in details we may say:
Proof:
Let F’ be a subfield of F of size h
Lemma: there exist invertible d×d matrices A and A' with entries from F which satisfy:
Theorem (PRG main): for every n, d and h satisfying h^d > n, at least one of the G_x(j) is an ε-q-ary PRG for size (ε^{-4} h d^2 log^2 q). Furthermore, all the G_x(j)'s are computable in time poly(q^d, n) with oracle access to x.
Def: if F is a subset of E, then we say that E is an extension field of F.
Lemma: let
then f(x) ↦ f(c) is a homomorphism of F[X] into E.
Thm: let p(x) be irreducible in F[X], then there exists E, an extension field of F, where there exists a root of p(x).
Proof Sketch: