Simple Extractors for all Min-Entropies

R. Shaltiel and C. Umans

Definitions

Def (min-entropy): The min-entropy of a random variable $X$ over $\{0,1\}^n$ is defined as:

$$H(X) = \min_{x \in \{0,1\}^n} \left( -\log_2 \Pr[X = x] \right)$$

Thus a random variable $X$ has min-entropy at least $k$ if $\Pr[X=x] \le 2^{-k}$ for all $x$. The maximum possible min-entropy for such a R.V. is $n$.

Def (statistical distance): Two distributions on a domain $D$ are $\varepsilon$-close if the probabilities they give to any $A \subseteq D$ differ by at most $\varepsilon$ (namely, using norm 1).

Definitions

Def (extractor): A $(k,\varepsilon)$-extractor is a function

$$E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$$

s.t. for any R.V. $X$ with min-entropy $\ge k$, $E(X,U_t)$ is $\varepsilon$-close to $U_m$ (where $U_m$ denotes the uniform distribution over $\{0,1\}^m$).

[Figure: E takes a weak random source (n) and a seed (t) and outputs a random string (m).]

Parameters

The relevant parameters are:
• min-entropy of the weak random source input: $k$. Relevant values are $\log(n) \le k \le n$ (the seed length is $t \ge \log(n)$, hence useless to consider lower min-entropy).
• seed length: $t \ge \log(n)$.
• quality of the output: $\varepsilon$.
• size of the output: $m=f(k)$. The optimum is $m=k$.

Extractors

[Figure: E maps a high min-entropy distribution (over $2^n$ strings) and a uniform-distribution seed ($2^t$) to a close to uniform output ($2^m$).]

Next Bit Predictors

Claim: to prove $E$ is an extractor, it suffices to prove that for all $0<i<m+1$ and all predictors $f : \{0,1\}^{i-1} \to \{0,1\}$:

$$\Pr\left[f\left(E(X,U_t)_{1 \ldots i-1}\right) = E(X,U_t)_i\right] \le \frac{1}{2} + \frac{\varepsilon}{m}$$

Proof: Assume $E$ is not an extractor; then there exists a distribution $X$ s.t. $E(X,U_t)$ is not $\varepsilon$-close to $U_m$, that is:

$$\exists A \subseteq \{0,1\}^m : \quad P = \Pr_{s \sim U_t,\, x \sim X}[E(x,s) \in A] - \Pr_{y \sim U_m}[y \in A]$$

Proof

Now define the following hybrid distributions:

$$\begin{aligned}
H_0 &= U_m \\
H_1 &= E(X,U_t)_{1}\, U_{m-1} \\
&\;\;\vdots \\
H_{i-1} &= E(X,U_t)_{1..i-1}\, U_{m-i+1} \\
H_i &= E(X,U_t)_{1..i}\, U_{m-i} \\
&\;\;\vdots \\
H_m &= E(X,U_t)_{1..m}
\end{aligned}$$

Proof

Summing the probabilities for the event corresponding to the set $A$ for all distributions yields:

$$\sum_{i=1}^{m} \left( \Pr_{x \sim H_i}[x \in A] - \Pr_{x \sim H_{i-1}}[x \in A] \right) = \Pr_{x \sim H_m}[x \in A] - \Pr_{x \sim H_0}[x \in A] = P > \varepsilon$$

And because $|\sum a_i| \le \sum |a_i|$ there exists an index $0<i<m+1$ for which:

$$H_i(A) - H_{i-1}(A) = \Pr_{x \sim H_i}[x \in A] - \Pr_{x \sim H_{i-1}}[x \in A] > \frac{\varepsilon}{m}$$

The Predictor

We now define a function $f : \{0,1\}^{i-1} \to \{0,1\}$ that can predict the $i$'th bit with probability at least $\frac{1}{2} + \varepsilon/m$ ("a next bit predictor"):

The function $f$ uniformly and independently draws the bits $y_i,\ldots,y_m$ and outputs:

$$f(x_1,\ldots,x_{i-1}) = \begin{cases} y_i & (x_1,\ldots,x_{i-1},y_i,\ldots,y_m) \in A \\ \overline{y_i} & \text{otherwise} \end{cases}$$

Note: the above definition is not constructive, as $A$ is not known!

Proof

And $f$ is indeed a next bit predictor:

$$\begin{aligned}
\Pr[f(x_1 \ldots x_{i-1}) = x_i]
&= \Pr[x_1 \ldots x_{i-1} y_i \ldots y_m \in A \wedge y_i = x_i] + \Pr[x_1,\ldots,x_{i-1},y_i,\ldots,y_m \notin A \wedge y_i \ne x_i] \\
&= \Pr[x_1 \ldots x_{i-1} x_i y_{i+1} \ldots y_m \in A \wedge y_i = x_i] + 1 - \Pr[x_1,\ldots,x_{i-1},y_i,\ldots,y_m \in A \vee y_i = x_i] \\
&= \tfrac{1}{2} H_i(A) + 1 - H_{i-1}(A) - \tfrac{1}{2} + \tfrac{1}{2} H_i(A) \\
&= \tfrac{1}{2} + H_i(A) - H_{i-1}(A) \\
&> \tfrac{1}{2} + \frac{\varepsilon}{m}
\end{aligned}$$

Q.E.D.

Basic Example – Safra, Ta-Shma, Zuckerman

Construction: Let $BC : F \to \{0,1\}^s$ be an (inefficient) binary code. Given
• $x$, a weak random source, interpreted as a polynomial $F^2 \to F$, and
• $s$, a seed, interpreted as a random point $(a,b)$ and an index $j$ to a binary code.

Def:

$$E(x,s) = BC(x(a,b))_j,\; BC(x(a,b+1))_j,\; \ldots,\; BC(x(a,b+m))_j$$

Basic Example – Illustration of Construction

[Figure: for $x$ and the seed $s = ((a,b), 2)$, the values at the points $(a,b), (a,b+1), \ldots, (a,b+m)$ are encoded by the (inefficient) binary code as 001, 110, 000, 101, 110, giving $E(x,s)=01001$.]

Basic Example – Proof Sketch

Assume, by way of contradiction: there exists a next bit predictor function $f$:

$$\Pr\left[E(X,U_t)_i \in f\left(E(X,U_t)_{1 \ldots i-1}\right)\right] > l^{-1/2}$$

Next, show a reconstruction function $R$:

$$\Pr_{x \sim X}\left[\exists z .\; R^f(z) = x\right] \ge \frac{1}{2}$$

Conclude, a contradiction! (to the min-entropy assumption of $X$)

Basic Example – Reconstruction Function

• Random line
• List decoding by the predictor $f$
• Resolve into one value on the line
• Repeat using the new points, until all $F^d$ is evaluated

$h \sim n^{1/2}$, $j \sim \lg n$, $m \sim$ desired entropy

"Few" red points ("advice"): $a = mjO(h)$

Counting Argument

• For $Y \subseteq X$, let (Y) $= \sum_{y \in Y} \Pr[y]$ ("the weight of $Y$").
• Let $R : \{0,1\}^a \to \{0,1\}^n$, s.t. $\Pr_{x \sim X}[\exists z\; R(z)=x] \ge 1/2$ (for a uniform $X$, $|R(S)| \ge |X|/2$).
• For an arbitrary distribution $X$, the weight of $R(S)$ is at least half the weight of $X$.
• Let $X$ have min-entropy $k$; then the weight of $R(S)$ is at most $2^{a-k}$ (there are at most $2^a$ strings in $R(S)$, and $\forall x \in X$, $\Pr[x] \le 2^{-k}$),
• and therefore $k \le a - \log_2(1/2)$ (1 = weight of $X$ $\le$ 2 · weight of $R(S)$ $\le 2 \cdot 2^{a-k}$, so $2^{-1} \le 2^{a-k}$, hence $k \le a+1$).

[Figure: $R$ maps the set $S$ of $2^a$ strings to $R(S)$ inside $X$, which lies among the $2^n$ strings.]

Problems with Safra, Ta-Shma, Zuckerman

Curse of dimensionality - too many lines!
Solution: generator matrix.

Next-q-it List-Predictor

$f$ is allowed to output a small list of $l$ possible next elements.

q-ary Extractor

Def: Let $F$ be a field with $q$ elements. A $(k, l)$ $q$-ary extractor is a function

$$E : \{0,1\}^n \times \{0,1\}^t \to F^m$$

s.t. for all R.V. $X$ with min-entropy $\ge k$, all $0<i<m$ and all list-predictors $f : F^{i-1} \to F^l$:

$$\Pr\left[E(X,U_t)_i \in f\left(E(X,U_t)_{1 \ldots i-1}\right)\right] \le \frac{1}{\sqrt{l}}$$

Generator Matrix

Def: Define the generator matrix for the vector space $F^d$ as a matrix $A_{d \times d}$, s.t. for any non-zero vector $v \in F^d$:

$$\{A^i v\}_i = F^d \setminus \{0\}$$

(that is, any vector $0 \ne v \in F^d$ multiplied by all powers of $A$ generates the entire vector space $F^d$ except for $0$)

Lemma: Such a generator matrix exists and can be found in time $q^{O(d)}$.

Construction

• Let $F$ be a field with $q$ elements.
• Let $F^d$ be a vector space over $F$.
• Let $h$ be the smallest integer s.t.

h d nd logq

• For $x \in \{0,1\}^n$, let denote the unique $d$-variate polynomial of total degree $h-1$ whose coefficients are specified by $x$.

Note that for such a polynomial, the number of coefficients is exactly:

h d nd logq

("choosing where to put d-1 bars between h-1 balls")

Construction

The definition of the $q$-ary extractor: $E : \{0,1\}^n \times \{0,1\}^{d \log q} \to F^m$

1 2 mE x,v v , A v , A v ,..., A v

[Figure: the seed, interpreted as a vector $v \in F^d$, is mapped by the generator matrix to the points $v, \ldots, A^i v, \ldots, A^m v$ in $F^d$, and the polynomial is evaluated at these points.]

Main Theorem

Thm: For any $n$, $q$, $d$ and $h$ as previously defined, $E$ is a $(k, l)$ $q$-ary extractor if:

2 2 2
k mhdlogq log l
q h d l

Alternatively, $E$ is a $(k, l)$ $q$-ary extractor if:

2
2
k mhdlog q log l
q l hdlogq

What's Ahead

• Proving existence of a generator matrix
• How the counting argument works
• The reconstruction paradigm
• Basic example – Safra, Ta-Shma, Zuckerman
• Proof of the main theorem
• From extractors to PRGs

Extension Fields

A field F2 is called an extension of another field F if F is contained in F2 as a subfield.

Thm: For every power $p^k$ ($p$ prime, $k>0$) there is a unique (up to isomorphism) finite field containing $p^k$ elements. These fields are denoted $GF(p^k)$. The cardinality of every finite field has that form.

Def: A polynomial is called irreducible in $GF(p)$ if it does not factor over $GF(p)$.

Thm: Let $f(x)$ be an irreducible polynomial of degree $k$ over $GF(p)$. The finite field $GF(p^k)$ can be constructed using the set of degree $k-1$ polynomials over $Z_p$, with addition and multiplication carried out modulo $f(x)$.

Extension Fields - Example

Construct $GF(2^5)$ as follows:

Let the irreducible polynomial be:

$$f(x) = x^4 + x^3 + x^2 + x + 1$$

Represent every $k$ degree polynomial as a vector of $k+1$ coefficients:

$$f(x) = x^4 + x^3 + x^2 + x + 1 \;\mapsto\; (1,1,1,1,1)$$

Addition over this field:

$$(x^4 + x^3 + x + 1) + (x^3 + x^2 + x + 1)$$

(1,1,0,1,1)
(0,1,1,1,1)
________
(1,0,1,0,0)

Extension Fields - Example

And multiplication:

$$(x^4 + x^3 + x + 1) \cdot (x^3 + x + 1)$$

(1,1,0,1,1)
(0,1,0,1,1)
_________
   11011
  11011_
 00000__
11011___
_________
11110101

$$x^7 + x^6 + x^5 + x^4 + x^2 + 1$$

And now modulo the irreducible polynomial:

$$(x^7 + x^6 + x^5 + x^4 + x^2 + 1) \bmod (x^4 + x^3 + x^2 + x + 1) = (x^4 + x^3 + 1)$$

Generator Matrix – Existence Proof

Denote by $GF^*(q^d)$ the multiplicative group of the Galois Field $GF(q^d)$.

This multiplicative group of the Galois Field is cyclic, and thus has a generator $g$:

$$\{ g^i \mid 0 < i < q^d \} = GF^*(q^d)$$

Let be the natural isomorphism between the Galois Field $GF(q^d)$ and the vector space $F^d$, which matches a polynomial with its vector of coefficients:

$$(x^4 + x^3 + x + 1) \mapsto (1,1,0,1,1)$$

Generator Matrix – Existence Proof

Now define the generator matrix $A$ of $F^d$ as the linear transformation that corresponds to multiplication by the generator in $GF^*(q^d)$:

d 1u F .Au g u

$A$ is a linear transformation because of the distributive property of both the vector space and the field $GF(q^d)$, according to the isomorphism properties:

1 2
1 2
A u u g x f x h x
g x f x g x h x
g x f x g x h x
A u A u

Generator Matrix – Existence Proof

It remains to show that the generator matrix $A$ of $F^d$ can be found in time $q^{O(d)}$. And indeed:
• The Galois Field $GF(q^d)$ can be constructed in time $q^{O(d)}$ using an irreducible polynomial of degree $d$ over the field $Z_q$ (and such a polynomial can also be found in time $q^{O(d)}$ by exhaustive search).
• The generator of $GF(q^d)$ can be found in time $q^{O(d)}$ by exhaustive search.
• Using the generator, for any basis of $F^d$, one can construct $d$ independent equations so as to find the linear transformation $A$. This linear equation system is also solvable in time $q^{O(d)}$.
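The existence proof above, worked through for q = 2 as an added example (not part of the original slides): exhaustive search for an irreducible polynomial and for a generator g, the matrix A whose columns are g·x^j, and a check that the powers of A carry every non-zero v over all of F^d \ {0}. All function names are this example's own; d = 4 is assumed because the polynomial x^4+x^3+x^2+x+1 from the extension-field example has degree 4.

```python
# Added example, q = 2. A field element is an int whose bit j is the
# coefficient of x^j, so the same int is also its coefficient vector in F^d.

def poly_mod(a, m):
    """Remainder of polynomial a divided by polynomial m over GF(2)."""
    dm = m.bit_length() - 1
    while a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def is_irreducible(m):
    """Exhaustive search for a divisor of degree 1 .. deg(m)//2."""
    d = m.bit_length() - 1
    return all(poly_mod(m, f) != 0 for f in range(2, 1 << (d // 2 + 1)))

def find_irreducible(d):
    """First irreducible polynomial of degree d, by exhaustive search."""
    return next(m for m in range(1 << d, 1 << (d + 1)) if is_irreducible(m))

def gf_mul(a, b, modulus, d):
    """Product a*b in GF(2)[x]/(modulus), where modulus has degree d."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> d) & 1:          # degree reached d: reduce
            a ^= modulus
    return result

def element_order(g, modulus, d):
    """Multiplicative order of g, or None if g has no finite order."""
    power = g
    for order in range(1, 1 << d):
        if power == 1:
            return order
        power = gf_mul(power, g, modulus, d)
    return None

def find_generator(modulus, d):
    """Exhaustive search for an element of order 2^d - 1."""
    group_order = (1 << d) - 1
    return next(g for g in range(2, 1 << d)
                if element_order(g, modulus, d) == group_order)

def generator_matrix(g, modulus, d):
    """Columns of A: column j is g * x^j, the image of basis vector e_j."""
    return [gf_mul(g, 1 << j, modulus, d) for j in range(d)]

def mat_vec(columns, v):
    """A*v over GF(2): XOR the columns selected by the set bits of v."""
    out = 0
    for j, col in enumerate(columns):
        if (v >> j) & 1:
            out ^= col
    return out

def orbit(columns, v, d):
    """The set {A^i v : 1 <= i <= 2^d - 1}."""
    seen, w = set(), v
    for _ in range((1 << d) - 1):
        w = mat_vec(columns, w)
        seen.add(w)
    return seen

def demo():
    d, modulus = 4, 0b11111       # x^4+x^3+x^2+x+1, taken from the slides
    g = find_generator(modulus, d)
    A = generator_matrix(g, modulus, d)
    nonzero = set(range(1, 1 << d))
    return {
        "order_of_x": element_order(0b10, modulus, d),
        "generator": g,
        "A_columns": A,
        "every_orbit_is_full": all(orbit(A, v, d) == nonzero for v in nonzero),
    }

if __name__ == "__main__":
    print(demo())
```

With this modulus the element x itself has order 5, so it is not a generator; the exhaustive search is what finds one.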

"Reconstruction Proof Paradigm"

Proof sketch: For a certain R.V. $X$ with min-entropy at least $k$,
• assume a function $f$ that violates the properties of a $q$-ary extractor,
• construct another function, $R : \{0,1\}^a \to \{0,1\}^n$, the "reconstruction function".
• This function, using $f$ as a procedure, has the property that:

$$\Pr_{x \sim X}\left[\exists z .\; R^f(z) = x\right] \ge \frac{1}{2}$$

• Applying the "counting argument", this is a contradiction to the assumption that $X$ has min-entropy at least $k$.

Proof Sketch

• Let $X$ be a random variable with min-entropy at least $k$.
• Assume, by way of contradiction: there exists a next bit predictor function $f$:

$$\Pr\left[E(X,U_t)_i \in f\left(E(X,U_t)_{1 \ldots i-1}\right)\right] > l^{-1/2}$$

• Next, show a reconstruction function $R$:

$$\Pr_{x \sim X}\left[\exists z .\; R^f(z) = x\right] \ge \frac{1}{2}$$

• Conclude, a contradiction! (to the min-entropy assumption of $X$)

Main Lemma

Lemma: Let $n,q,d,h$ be as in the main theorem. There exists a probabilistic function $R : \{0,1\}^a \to \{0,1\}^n$ with $a = O(mhd \log q)$ such that for every $x$ on which:

$$\Pr_y\left[\exists j .\; f\left(E(x,y)_{1 \ldots i-1}\right)_j = E(x,y)_i\right] \ge \frac{1}{2}\, l^{-1/2}$$

the following holds (the probability is over the random coins of $R$):

$$\Pr\left[\exists z .\; R^f(z) = x\right] \ge \frac{1}{2}$$

The Reconstruction Function (R)

Task: allow many strings $x$ in the support of $X$ to be reconstructed from very short advice strings.

Outline:
• Use $f$ in a sequence of prediction steps to evaluate the polynomial on all points of $F^d$.
• Interpolate to recover the coefficients of the polynomial, which gives $x$.

Next we show: there exists a sequence of prediction steps that works for many $x$ in the support of $X$ and requires few advice strings.

Curves

• Let $r = $ (d).
• Pick random vectors and values: $2r$ random points $y_1,\ldots,y_{2r} \in F^d$, and $2r$ values $t_1,\ldots,t_{2r} \in F$.
• Define degree $2r-1$ polynomials $p_1, p_2$:
  • $p_1 : F \to F^d$ defined by $p_1(t_i)=y_i$, $i=1,\ldots,2r$.
  • $p_2 : F \to F^d$ defined by $p_2(t_i)=Ay_i$, $i=1,\ldots,r$, and $p_2(t_i)=y_i$, $i=r+1,\ldots,2r$.
• Define vector sets $P_1=\{p_1(z)\}_{z \in F}$ and $P_2=\{p_2(z)\}_{z \in F}$.
• $\forall i>0$ define $P_{2i+1}=AP_{2i-1}$ and $P_{2i+2}=AP_{2i}$.

($\{P_i\}$, the sequence of prediction steps, are low-degree curves in $F^d$, chosen using the coin tosses of $R$.)

Curves

[Figure: the values $t_1, \ldots, t_{2r} \in F$ mapped to the points $y_1, \ldots, y_{2r} \in F^d$, together with their images $A(y_j), A^2(y_j), \ldots, A^{i^*}(y_j)$ on the successive curves.]

Simple Observations

• $A$ is a non-singular linear transform, hence $\forall i$, $P_i$ is a $2r$-wise independent collection of points.
• $P_i$ and $P_{i+1}$ intersect at $r$ random points.
• The polynomial restricted to $P_i$ is a univariate polynomial of degree at most $2hr$.
• Given evaluation of the polynomial on $Av, A^2v, \ldots, A^mv$, we may use the predictor function $f$ to predict its value at $A^{m+1}v$ to within $l$ values.
• We need an advice string: $2hr$ coefficients of the polynomial restricted to $P_i$ for $i=1,\ldots,m$ (length: at most $mhr \log q \le a$).

Using N.B.P.

[Figure: the curves diagram, annotated "Cannot resolve into one value!"]

Using N.B.P.

[Figure: the curves diagram extended with $A^{i^*+1}(y_1), \ldots, A^{i^*+1}(y_r)$, annotated "Can resolve into one value using the second curve!"]


Main Lemma Proof Cont.

Claim: with probability at least $1 - \frac{1}{8q^d}$ over the coin tosses of $R$:

i
i* 1 1j
z P
1Pr j.f A z ,..., A z z
4 l

Proof: We use the following tail bound:

Let $t>4$ be an even integer, and $X_1,\ldots,X_n$ be $t$-wise independent R.V. with values in $[0,1]$. Let $X = \sum X_i$ and $A>0$. Then:

$$\Pr\left[\,|X - E[X]| \ge A\,\right] \le 8 \left( \frac{t\,E[X] + t^2}{A^2} \right)^{t/2}$$

Main Lemma Proof Cont.

• According to the next bit predictor, the probability for successful prediction is at least $1/2\sqrt{l}$.
• In the $i$'th iteration we make $q$ predictions (as many points as there are on the curve).
• Using the tail bounds provides the result.

Q.E.D. (of the claim).

Main Lemma Proof (cont.): Therefore, w.h.p. there are at least $q/4\sqrt{l}$ evaluation points of $P_i$ that agree with the degree $2hr$ polynomial on the $i$'th curve (out of a total of at most $lq$).

Main Lemma Proof Cont.

• A list decoding bound: given $n$ distinct pairs $(x_i,y_i)$ in field $F$ and parameters $k$ and $d$, with $k>(2dn)^{1/2}$, there are at most $2n/k$ degree $d$ polynomials $g$ such that $g(x_i)=y_i$ for at least $k$ pairs. Furthermore, a list of all such polynomials can be computed in time $\mathrm{poly}(n,\log|F|)$.
• Using this bound and the previous claim, at most $8l^{3/2}$ degree $2rh$ polynomials agree on this number of points ($q/4\sqrt{l}$).

Lemma Proof Cont.

• Now, $P_i$ intersects $P_{i-1}$ at $r$ random positions, and we know the evaluation of the polynomial at the points in $P_{i-1}$.
• Two degree $2rh$ polynomials can agree on at most a $2rh/q$ fraction of their points.
• So the probability that an "incorrect" polynomial among our candidates agrees on all $r$ random points is at most

$$(8 l^{3/2}) \left( \frac{2rh}{q} \right)^r \le \frac{1}{8q^d}$$

Main Lemma Proof Cont.

• So, with probability at least $1 - \frac{1}{8q^d}$ we learn points $P_i$ successfully.
• After $2q^d$ prediction steps, we have learned the polynomial on $F^d \setminus \{0\}$ (since $A$ is a generator of $F^d \setminus \{0\}$).
• By the union bound, the probability that every step of the reconstruction is successful is at least ½.

Q.E.D. (main lemma)

Proof of Main Theorem Cont.

First, by averaging argument:

$$\Pr_{x \sim X,\, y}\left[\exists j .\; f\left(E(x,y)_{1 \ldots i^*-1}\right)_j = E(x,y)_{i^*}\right] > \frac{1}{\sqrt{l}}$$

$$\Pr_{x \sim X}\left[ \Pr_y\left[\exists j .\; f\left(E(x,y)_{1 \ldots i^*-1}\right)_j = E(x,y)_{i^*}\right] \ge \frac{1}{2\sqrt{l}} \right] \ge \frac{1}{2\sqrt{l}}$$

Therefore, there must be a fixing of the coins of $R$, such that:

$$\Pr_{x \sim X}\left[\exists z .\; R^f(z) = x\right] \ge \frac{1}{2} \cdot \frac{1}{2\sqrt{l}} = \frac{1}{4\sqrt{l}}$$

Using N.B.P. – Take 2

[Figure: the curves diagram, annotated "Use N.B.P. over all points in F, so that we get enough 'good evaluations'".]

Proof of Main Theorem Cont.

According to the counting argument, this implies that:

)log2()4
log()4
log( qmhrOadvicek

Recall that $r = $ (d). A contradiction to the parameter choice:

)1
log()log(l
qmhdk

Q.E.D. (main theorem)!

From q-ary extractors to (regular) extractors

The simple technique - using error correcting codes:

Lemma: Let $F$ be a field with $q$ elements. Let $C : \{0,1\}^{k=\log(q)} \to \{0,1\}^n$ be a binary error correcting code with distance at least 0.5-O(²). If

$E : \{0,1\}^n \times \{0,1\}^t \to F^m$ is a (k,O()) q-ary extractor, then

$E' : \{0,1\}^n \times \{0,1\}^{t+\log(n)} \to F^m$ defined by:

$$E'(x;(y,j)) = C(E(x;y)_1)_j \,\ldots\, C(E(x;y)_m)_j$$

is a (k, m) binary extractor.

From q-ary extractors to (regular) extractors

A more complex transformation from q-ary extractors to binary extractors achieves the following parameters:

Thm: Let $F$ be a field with $q<2^m$ elements. There is a polynomial time computable function:

*logq log m 1O(log ) (mlog )

mB: F {0,1} {0,1}

such that for any (k,) q-ary extractor $E$, $E'(x;(y,j))=B(E(x;y),j)$ is a (k, log*m) binary extractor.

From q-ary extractors to (regular) extractors

The last theorem allows using theorem 1 for = O( /log*m), and implies a (k, ) extractor with seed length $t=O(\log n)$ and output length $m=k/(\log n)^{O(1)}$.

Extractor → PRG

Identify: string $x \in \{0,1\}^{\log n}$ with the function $x : \{0,1\}^{\log n} \to \{0,1\}$ by setting $x(i)=x_i$.

Denote by $S(x)$ the size of the smallest circuit computing function $x$.

Def (PRG): an $\varepsilon$-PRG for size $s$ is a function $G : \{0,1\}^t \to \{0,1\}^m$ with the following property: $\forall\, 1 \le i \le m$ and all functions $f : \{0,1\}^{i-1} \to \{0,1\}^i$ with size $s$ circuits,

$$\Pr\left[f\left(G(U_t)_{1 \ldots i-1}\right) = G(U_t)_i\right] \le \frac{1}{2} + \frac{\varepsilon}{m}$$

This implies: for all size $s-O(1)$ circuits $C$,

$$\left| \Pr[C(G(U_t))=1] - \Pr[C(U_m)=1] \right| \le \varepsilon$$

Page 53: Simple Extractors  for all Min-Entropies

q-ary PRG

Def (q-ary PRG): Let F be the field with q elements. A -q-ary PRG for size s is a function G:{0,1}^t F^m with the following property: 1 i m and all functions f:F^(i-1) F(-2) with size s circuits,

Pr[ j f(G(U_t)_(1...i-1))_j=G(U_t)_i]

Fact: O()-q-ary PRG for size s can be transformed into (regular) m-PRG for size not much smaller than s

Page 54: Simple Extractors  for all Min-Entropies

The Construction

Plan for building a PRG G_x:{0,1}^t {0,1}^m:

use a hard function x:{0,1}^(log n) {0,1}

let be the low-degree extension of x

obtain l “candidate” PRGs, where l=d(log q / log m) as follows:

For 0 j<l define G_x^(j):{0,1}^(d log q) F^m by

G_x^(j)(v) = (A^(1m^j)v) (A^(2m^j)v) ... (A^(Mm^j)v)

where A is a generator of F^d\{0}

Note: G_x^(j) corresponds to using our q-ary extractor construction with the “successor function” A^(m^j)

We show: x is hard at least one G_x^(j) is a q-ary PRG

Page 55: Simple Extractors  for all Min-Entropies

Getting into Details

Let F’ be a subfield of F of size h

Lemma: there exist invertible d d matrices A and A’ with entries from F which satisfy:

v F^d s.t. v 0, {A^i v}_i=F^d\{0}

v F’^d s.t. v 0, {A’^i v}_i=F’^d\{0}

A’=A^p for p=(q^d-1)/(h^d-1)

A and A’ can be found in time q^O(d)

think of F^d as both a vector space and the extension field of F

Note F’^d is a subset of F^d

perhaps we should just say: immediate from the correspondence between the cyclic group GF(q^d) and F^d\{0} ??? otherwise in details we may say:

Proof: There exists a natural correspondence between F^d and GF(q^d), and between F’^d and GF(h^d). GF(q^d) is cyclic of order q^d-1, i.e. there exists a generator g. g^p generates the unique subgroup of order h^d-1, the multiplicative group of GF(h^d). A and A’ are the linear transforms corresponding to g and g^p respectively.
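The cyclic-group argument of this proof can be checked on the smallest case, q=4, h=2, d=2, where F^d corresponds to GF(16) and F’^d to GF(4). The code below is an added example, not part of the slides; the modulus x^4+x+1, the 4-bit integer encoding and all function names are assumptions, and it works with the field elements g and g^p rather than with the matrices A and A’.

```python
# Added example (not from the slides). GF(16) = GF(2)[x]/(x^4 + x + 1);
# each element is a 4-bit integer whose bits are polynomial coefficients.
MOD = 0b10011   # assumed modulus x^4 + x + 1 (primitive over GF(2))
Q_D = 4 ** 2    # q^d for the constructed case q = 4, d = 2
H_D = 2 ** 2    # h^d for the subfield F' of size h = 2

def gf_mul(a, b):
    """Multiply in GF(16): carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:
            a ^= MOD
    return r

def gf_pow(a, e):
    """Raise a to the e-th power by repeated multiplication."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def orbit(a):
    """Return [a, a^2, ...], stopping at the first power equal to 1."""
    out, cur = [], 1
    while True:
        cur = gf_mul(cur, a)
        out.append(cur)
        if cur == 1:
            return out

def is_subfield(nonzero):
    """True if the elements plus 0 are closed under + (XOR) and *."""
    s = set(nonzero) | {0}
    return all((a ^ b) in s and gf_mul(a, b) in s for a in s for b in s)

g = 0b0010                      # the element x, playing the role of g
p = (Q_D - 1) // (H_D - 1)      # p = (q^d - 1)/(h^d - 1)
g_p = gf_pow(g, p)              # plays the role of g^p

if __name__ == "__main__":
    print("p =", p)
    print("g generates all nonzero elements:", sorted(orbit(g)) == list(range(1, 16)))
    print("powers of g^p:", orbit(g_p))
    print("with 0 they form a subfield:", is_subfield(orbit(g_p)))
```

The powers of g visit all q^d-1 nonzero elements, while the powers of g^p visit exactly h^d-1 elements that, together with 0, are closed under addition and multiplication. A different power such as g^3 generates a subgroup that is not a subfield.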

Page 56: Simple Extractors  for all Min-Entropies

require h^d>n

Define as follows (A’^i 1)=x(i), where 1 is the all 1 vector (low degree extension).

Recall: For 0 j<l define G_x^(j):{0,1}^(d log q) F^m by

G_x^(j)(v) = (A^(1m^j)v) (A^(2m^j)v) ... (A^(Mm^j)v)

Theorem (PRG main): for every n, d, and h satisfying h^d>n, at least one of G_x^(j) is an -q-ary PRG for size (-4 h d^2 log^2 q). Furthermore, all the G_x^(j)s are computable in time poly(q^d,n) with oracle access to x.

since h^d>n, there are enough “slots” to embed all x in a d dimensional cube of size h^d

and since A’ generates F’^d\{0}, indeed x is embedded in a d dimensional cube of size h^d

Note h denotes the degree in individual variables, and the total degree is at most hd

The computation of from x can be done in poly(n,q^d)=q^O(d) time

Page 57: Simple Extractors  for all Min-Entropies

Page 58: Simple Extractors  for all Min-Entropies

Page 59: Simple Extractors  for all Min-Entropies

Extension Field

Def: if F is a subset of E, then we say that E is an extension field of F.

Lemma: let E be an extension field of F, f(x) be a polynomial over F (i.e. f(x) F[X]), c E,

then f(x) f(c) is a homomorphism of F[X] into E.

Page 60: Simple Extractors  for all Min-Entropies

Construction of the Galois Field GF(q^d)

Thm: let p(x) be irreducible in F[X], then there exists E, an extension field of F, where there exists a root of p(x).

Proof Sketch: add a (a new element) to F. is to be a root of p(x).

In F[] (polynomials with variable )

Page 61: Simple Extractors  for all Min-Entropies

Example: F=reals p(x)=x^2+1