Non-malleable Extractors with Shorter Seeds and Their Applications

Conference paper, Progress in Cryptology -- INDOCRYPT 2015 (INDOCRYPT 2015). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9462).

Abstract

Motivated by the problem of how to communicate over a public channel with an active adversary, Dodis and Wichs (STOC’09) introduced the notion of a non-malleable extractor. A non-malleable extractor \(\textsf {nmExt}: \{0, 1\}^n \times \{0, 1\}^d \rightarrow \{0, 1\}^m\) takes two inputs, a weakly-random W and a uniformly random seed S, and outputs a string which is nearly uniform, given S as well as \(\textsf {nmExt}(W, \mathcal {A}(S))\), for an arbitrary function \(\mathcal {A}\) with \(\mathcal {A}(S) \ne S\).

In this paper, by developing the combination and permutation techniques, we improve the error estimation of the extractor of Raz (STOC’05), which plays an extremely important role in the constraints on the non-malleable extractor parameters, including the seed length. Then we present an improved explicit construction of non-malleable extractors. Though our construction is the same as that given by Cohen, Raz and Segev (CCC’12), the parameters are improved. More precisely, we construct an explicit \((1016, \frac{1}{2})\)-non-malleable extractor \(\textsf {nmExt}: \{0, 1\}^{n} \times \{0, 1\}^d \rightarrow \{0, 1\}\) with \(n=2^{10}\) and seed length \(d=19\), while Cohen et al. showed that the seed length is no less than \(\frac{46}{63} + 66\). Therefore, our method beats the condition “\(2.01 \cdot \log n \le d \le n\)” proposed by Cohen et al., since d is just \(1.9 \cdot \log n\) in our construction. We also improve the parameters of the general explicit construction given by Cohen et al. Finally, we give their applications to privacy amplification.

Y. Yao—Most of this work was done while the author visited New York University.


Notes

  1. When we say a source in this paper, we mean a random variable.

  2. The concept of the error of a seeded extractor can be seen in Definition 1.

  3. The concept of the error of a non-malleable extractor can be seen in Definition 3.

  4. In other papers (e.g., [9, 11, 14, 24]), X is \(\epsilon \)-close to Y if \(\frac{1}{2} \Vert X-Y\Vert _1 = \frac{1}{2} \sum _{s} |\Pr [X =s]- \Pr [Y =s]| \le \epsilon \). To keep consistency, Definition 1 holds throughout this paper.

  5. In this paper, two elements \(s_i\) and \(s_j\) in the sequence \( s_1, \ldots , s_k\), where \(i\ne j\), might represent the same string.

References

  1. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple construction of almost k-wise independent random variables. Random Struct. Algorithms 3(3), 289–304 (1992)

  2. Bourgain, J.: More on the sum-product phenomenon in prime fields and its applications. Int. J. Number Theory 1, 1–32 (2005)

  3. Cheraghchi, M., Guruswami, V.: Non-malleable coding against bit-wise and split-state tampering. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 440–464. Springer, Heidelberg (2014)

  4. Chandran, N., Kanukurthi, B., Ostrovsky, R., Reyzin, L.: Privacy amplification with asymptotically optimal entropy loss. In: STOC 2010, pp. 785–794 (2010)

  5. Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)

  6. Cohen, G., Raz, R., Segev, G.: Non-malleable extractors with short seeds and applications to privacy amplification. In: CCC 2012, pp. 298–308 (2012)

  7. Dodis, Y., Katz, J., Reyzin, L., Smith, A.: Robust fuzzy extractors and authenticated key agreement from close secrets. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 232–250. Springer, Heidelberg (2006)

  8. Dodis, Y., Li, X., Wooley, T.D., Zuckerman, D.: Privacy amplification and non-malleable extractors via character sums. In: FOCS 2011, pp. 668–677 (2011)

  9. Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: STOC 2009, pp. 601–610 (2009)

  10. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: Proceedings of Innovations in Computer Science (ICS 2010), pp. 434–452 (2010)

  11. Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013)

  12. Fortnow, L., Shaltiel, R.: Recent developments in explicit constructions of extractors. Bull. EATCS 77, 67–95 (2002)

  13. Kanukurthi, B., Reyzin, L.: Key agreement from close secrets over unsecured channels. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 206–223. Springer, Heidelberg (2009)

  14. Li, X.: Non-malleable extractors, two-source extractors and privacy amplification. In: FOCS 2012, pp. 688–697 (2012)

  15. Maurer, U.M., Wolf, S.: Privacy amplification secure against active adversaries. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 307–321. Springer, Heidelberg (1997)

  16. Maurer, U.M., Wolf, S.: Secret-key agreement over unauthenticated public channels III: privacy amplification. IEEE Trans. Inf. Theory 49(4), 839–851 (2003)

  17. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)

  18. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)

  19. Rao, A.: An exposition of Bourgain’s 2-source extractor. Technical report TR07-34, ECCC (2007). http://eccc.hpi-web.de/eccc-reports/2007/TR07-034/index.html

  20. Raz, R.: Extractors with weak random seeds. In: STOC 2005, pp. 11–20 (2005)

  21. Renner, R.S., Wolf, S.: Unconditional authenticity and privacy from an arbitrarily weak secret. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 78–95. Springer, Heidelberg (2003)

  22. Vadhan, S.: Randomness extractors and their many guises: invited tutorial. In: FOCS 2002, p. 9 (2002)

  23. Wolf, S.: Strong security against active attacks in information-theoretic secret-key agreement. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 405–419. Springer, Heidelberg (1998)

  24. Zuckerman, D.: Linear degree extractors and the inapproximability of max clique and chromatic number. In: Theory of Computing 2007, pp. 103–128 (2007)

Acknowledgments

We would like to thank Divesh Aggraval, Yevgeniy Dodis, Feng-Hao Liu, and Xin Li for helpful discussions. This work is supported in part by High Technology Research and Development Program of China under grant No. 2015AA016004, NSFC (Nos. 61170189, 61370126, 61202239), the Fund of the State Key Laboratory of Software Development Environment (No. SKLSDE-2015ZX-16), the Fund of the China Scholarship Council under grant No. 201206020063, and the Fundamental Research Funds for the Central Universities.

Author information

Corresponding author: Yanqing Yao.

Appendices

A Proof of Theorem 4

Proof

The explicit construction we present is the extractor constructed in [20]. Alon et al. [1] observed that for every \(k'\), \(N \ge 2\), a sequence of 0-1 random variables \(Z_1, \ldots , Z_N\) that is \(\epsilon \)-biased for linear tests of size \(k'\) can be explicitly constructed using \(2 \cdot \lceil \log (1/\epsilon ) + \log k' + \log \log N \rceil \) random bits. Therefore, letting \(D=m \cdot 2^d\) and \(\epsilon =2^{-\frac{n}{2}+r}\) with \(r=1+ \log k' +\log \log D\), we can construct a sequence of 0-1 random variables \(Z_1, \ldots , Z_D\) that is \(\epsilon \)-biased for linear tests of size \(k'\) using n random bits. Let \(k'=8m\). We interpret the set of indices [D] as the set \(\{ (i, s): i \in [m], s \in \{ 0, 1\}^d\}\). Define \(\textsf {Ext}: \{0, 1\}^n \times \{0, 1\}^d \rightarrow \{0, 1\}^m\) by \(\textsf {Ext}(w, s)=Z_{(1, s)}(w) || \cdots || Z_{(m, s)}(w),\) where “||” is the concatenation operator.

Let S be a random variable uniformly distributed over \(\{0, 1\}^d\).

Assume for contradiction that \(\textsf {Ext}\) is not an \((\alpha , 2^\theta )\)-non-malleable extractor. Then there exist a source W of length n with min-entropy \(\alpha \) and an adversarial function \(\mathcal {A}: \{0, 1\}^d \rightarrow \{0, 1\}^d\) such that

$$\Vert ( \textsf {Ext}(W, S), \textsf {Ext}(W, \mathcal {A}(S)), S) - (U_m, \textsf {Ext} (W, \mathcal {A}(S)), S)\Vert _1 > 2^\theta .$$

As in [5], suppose W is uniformly distributed over \(W' \subseteq \{0, 1\}^n\) of size \(2^{\alpha }\).

For every \(s \in \{0, 1\}^d\), let \(X_s\) be the random variable \(\textsf {Ext}(W, s)\). By Lemmas 2 and 3, we have \(\sum \limits _{\emptyset \ne \sigma \subseteq [m], \tau \subseteq [m]} \mathbb {E}_{s \sim S}[bias ((X_s)_\sigma \oplus (X_{\mathcal {A}(s) })_\tau )] > 2^ \theta .\) Let \(\sigma ^*, \tau ^* \subseteq [m]\) be the indices of (one of) the largest summands in the above sum. For every \(s \in \{0, 1\}^d\), let \(Y_s=(X_s)_{\sigma ^*} \oplus (X_{\mathcal {A}(s) })_{\tau ^*}.\) There is a set \(S'' \subseteq \{0, 1\}^d\) such that

$$|S''| > \frac{2^\theta \cdot 2^{d-2}}{2^{mt} (2^m-1) (t+1)^2} = \frac{2^\theta \cdot 2^{d-2}}{2^{m+2} (2^m-1)}.$$

The \(S''\) here is the same as that in the proof of Theorem 1, with t there replaced by 1 and the error \(2^{-m}\) there replaced by \(2^\theta \); see [6] for details.

Define a random variable \(Y_{S''}\) over \(\{0, 1\}\) as follows: To sample a bit from \(Y_{S''}\), uniformly sample a string s from \(S''\), and then independently sample a string w uniformly from \(W'\). The sampled value is \(Y_s(w)\). We have that

$$bias(Y_{S''}) > \frac{2^\theta }{ 2^{mt+1} (2^m-1) (t+1) } = \frac{2^\theta }{ 2^{m+2} (2^m-1)}.$$

For every \(s \in S''\), let \( Y'_s = \oplus _{i \in \sigma ^* } Z_{(i, s)} \oplus ( \oplus _{j \in \tau ^* } Z_{(j, \mathcal {A}(s))}).\)

Setting \(t=1\) in Claim 7.2 of [6], we get the following claim.

Claim 2’. The set \(\{Y'_s\}_{s \in S''}\) \(\epsilon \)-fools linear tests of size \( \frac{k'}{(t+1)m} =4.\)

We apply Theorem 2 on the random variables \(\{Y'_s \}_{s \in S''}\). For simplicity of presentation, we assume \(|S''|= 2^{d'}\). By Theorem 2, the distribution of \( \textsf {Ext}^{(1)}(W, S'')\) is \(\gamma _2\)-biased for \(\gamma _2= 2^{ \frac{n-\alpha }{k}} \cdot [2^{- \frac{d'k}{2}} \cdot (k-1) \cdot (k-3)\cdot \cdots \cdot 1 \cdot (1-\epsilon ) + \epsilon ]^{\frac{1}{k}}\). Let \(k=4\), then \(\gamma _2 = 2^{ \frac{n-\alpha }{4}} \cdot [2^{-2d'} \cdot 3 \cdot (1-\epsilon ) + \epsilon ]^{\frac{1}{4}}\). We note that \(\textsf {Ext}^{(1)}(W, S'')\) has the same distribution as \(Y_{S''}\). In particular, both random variables have the same bias. Therefore, we get

$$ 2^{ \frac{n-\alpha }{4}} \cdot [2^{-2d'} \cdot 3 \cdot (1-\epsilon ) + \epsilon ]^{\frac{1}{4}} \ge bias(Y_{S''}) > \frac{2^\theta }{ 2^{m+2} (2^m-1) }.$$

Moreover, since \(2^{d'} = |S''| > \frac{2^\theta \cdot 2^{d-2}}{2^{m+2} (2^m-1)}\), we have

$$ 2^{ \frac{n-\alpha }{4}} \cdot [(2^\theta )^{-2} \cdot 2^{-2d+2m+8} \cdot (2^m-1)^2 \cdot 3 \cdot (1-\epsilon ) + \epsilon ]^{\frac{1}{4}} > \frac{2^\theta }{2^{m+2} \cdot (2^m-1) }.$$

Hence, \(2^{n-\alpha } \cdot [2^{-2\theta } \cdot 2^{-2d+4m+8} \cdot 3 \cdot (1-\epsilon ) + \epsilon ] > \frac{2^{4 \theta }}{2^{8m+8}}.\) That is,

$$ 2^{ -2d} > \frac{ 2^{4 \theta -8m -8 -n + \alpha } -\epsilon }{3(1- \epsilon ) 2^{-2 \theta +4m +8}} $$

with \(\epsilon = 2^{ -\frac{n}{2} + 4+ \log d},\) which is in contradiction to the assumption of the theorem.    \(\square \)

B Analysis of the Assumption in Theorem 4

In order to construct an explicit non-malleable extractor, it is enough to guarantee that the parameters satisfy

$$0 < 2^{\log 3} \cdot (1- 2^{- \frac{n}{2}+4 + \log d } ) \cdot 2^{-2 \theta +4m +8} \le 2^{2d + 4 \theta -8m -8 -n + \alpha } - 2^{2d - \frac{n}{2}+4 + \log d }. \qquad (b)$$

For simplicity, denote

$$\begin{aligned}&A' = \log 3 - 2 \theta + 4m +8, ~B' = \log 3 - \frac{n}{2}+4 + \log d -2 \theta + 4m +8,\\ {}&C' = 2d + 4 \theta -8m -8 -n+\alpha , ~ D' = 2d - \frac{n}{2}+4 + \log d, \end{aligned}$$

then (b) holds if and only if \(0 < 2^{A'} - 2^{B'} \le 2^{C'} - 2^{D'}\). We discuss what happens under assumption (b) in the following three cases.

Case 1. Assume that \(A' \ge C'\) and \(B' \ge D'\). Since “\(B' \ge D'\)” implies “\(A' \ge C'\)”, we only need to consider \(B' \ge D'\) (i.e., \(\log 3 -2\theta +4m + 8 \ge 2d\)). Let \(1- \epsilon =1- 2^{- \frac{n}{2}+4 + \log d} = 2^ {\rho '}\).

From \( \log 3 +8 + 4m \ge 2d + 2 \theta \), \(\alpha \le n\), \(m \ge 1\), and \(\theta < 0\), we get

$$\begin{aligned}&-16 > -8m -8 + 4 \theta -n + \alpha \\ {}&~~~~~~~= (\log 3 +8 + 4m) + 4 \theta -12m -16 - \log 3 -n + \alpha \\ {}&~~~~~~~\ge 2d + 2 \theta + 4 \theta -12m -16 - \log 3 -n + \alpha . \end{aligned}$$

Let \(\rho ' \ge -16\). Then we have \( \rho ' > 2d + 2 \theta + 4 \theta -12m -16 - \log 3 -n + \alpha \).

Therefore, \(\log 3 + \rho ' -2 \theta +4m +8 > 2d + 4 \theta -8m -8 -n + \alpha \), which is in contradiction to the inequality (b).

Consequently, when \(\epsilon \in (0, 1- 2^{-16}]\), \(A' \ge C'\), and \(B' \ge D'\), (b) does not hold. By Theorem 2, the corresponding seeded extractor is useful only if \(\epsilon \) is small enough. Therefore, we assume that \(\epsilon \in (0, 1- 2^{-16}]\).

Case 2. Assume that \(A' \ge C'\) and \(B' < D'\). Then \(2^{A'} - 2^{B'} > 2^{C'} - 2^{D'}\), which contradicts inequality (b).

Case 3. Assume that \(A' < C'\); then \( B' < D'\) follows immediately. Thus, we only need to consider \(A' < C'\). Since \(A' > B'\), we have \(C' > D'\), that is, \( 4 \theta -8m -12 - \frac{n}{2} + \alpha > \log d\).

Therefore, we obtain the following corollary.

Corollary. Assume that \(\epsilon = 2^{- \frac{n}{2}+4 + \log d} \in (0, 1- 2^{-16}]\) and

$$ 2^{\log 3} \cdot (1- 2^{- \frac{n}{2}+4 + \log d } ) \cdot 2^{-2 \theta +4m +8} \le 2^{2d + 4 \theta -8m -8 -n + \alpha } - 2^{2d - \frac{n}{2}+4 + \log d }. $$

Then there exists an explicit \(( \alpha , 2^\theta )\) -non-malleable extractor \(\textsf {nmExt}: \{0,1\}^n \times \{0, 1\}^d \rightarrow \{0, 1\}^m\).

In particular, the parameters of the non-malleable extractor can be chosen according to the inequality system

$$\begin{aligned} \left\{ \begin{array}{l} \log 3 - 6 \theta + 16 +12m + n- \alpha < 2d\\ 4 \theta -8m -12 - \frac{n}{2} + \alpha > \log d\\ 2^{- \frac{n}{2}+4 + \log d} \le 1- 2^{-16}\\ \end{array} \right. \qquad (1) \end{aligned}$$

then check whether they satisfy the inequality

$$2^{\log 3 -2 \theta +4m +8 } - 2^{\log 3 - \frac{n}{2}+4 + \log d -2 \theta +4m +8 } \le 2^{2d + 4 \theta -8m -8 -n + \alpha } - 2^{2d - \frac{n}{2}+4 + \log d }.$$

Remark. \(\alpha \) can’t be less than \(\frac{n}{2}\), since \(4 \theta -8m -12 - \frac{n}{2} + \alpha > \log d\).
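As an added worked example (not code from the paper), the following script evaluates system (1) and inequality (b) exactly with rational arithmetic, writing \(2^{\log 3}\) as 3 and \(2^{\log d}\) as d, and searches for the smallest seed length d that the corollary admits; the sample parameters \((n, m, \alpha , \theta ) = (1024, 1, 1020, -1)\) are constructed for illustration and are not the paper's.

```python
from fractions import Fraction

TWO = Fraction(2)


def pow2(exponent: int) -> Fraction:
    """Exact 2**exponent for any integer exponent (negative gives a fraction)."""
    return TWO ** exponent


def corollary_conditions(n: int, d: int, m: int, alpha: int, theta: int) -> dict:
    """Check system (1) and inequality (b) of Appendix B exactly.

    n, d, m: source, seed and output length; alpha: min-entropy of the source;
    theta: log2 of the target error (theta < 0, error 2^theta).  2^(log 3) and
    2^(log d) are written as 3 and d, and n must be even so that every
    remaining exponent is an integer and Fraction arithmetic stays exact.
    """
    if n % 2:
        raise ValueError("n must be even for the exact check")
    half_n = n // 2
    # epsilon = 2^(-n/2 + 4 + log d) = d * 2^(-n/2 + 4), the bias of the
    # small-bias sequence used in the proof of Theorem 4
    eps = d * pow2(-half_n + 4)
    # System (1), each inequality exponentiated to base 2 (monotone, so exact):
    #   log 3 - 6 theta + 16 + 12 m + n - alpha < 2d
    cond1 = 3 * pow2(-6 * theta + 16 + 12 * m + n - alpha) < pow2(2 * d)
    #   4 theta - 8 m - 12 - n/2 + alpha > log d
    cond2 = pow2(4 * theta - 8 * m - 12 - half_n + alpha) > d
    #   epsilon <= 1 - 2^-16
    cond3 = eps <= 1 - pow2(-16)
    # Inequality (b):
    #   0 < 3 (1 - eps) 2^(-2 theta + 4m + 8)
    #     <= 2^(2d + 4 theta - 8m - 8 - n + alpha) - 2^(2d - n/2 + 4 + log d)
    left = 3 * (1 - eps) * pow2(-2 * theta + 4 * m + 8)
    right = (pow2(2 * d + 4 * theta - 8 * m - 8 - n + alpha)
             - d * pow2(2 * d - half_n + 4))
    return {"system_1": cond1 and cond2 and cond3, "inequality_b": 0 < left <= right}


def smallest_seed_length(n: int, m: int, alpha: int, theta: int):
    """Smallest seed length d in [1, n] meeting both (1) and (b), or None."""
    for d in range(1, n + 1):
        c = corollary_conditions(n, d, m, alpha, theta)
        if c["system_1"] and c["inequality_b"]:
            return d
    return None


if __name__ == "__main__":
    # Constructed sample parameters (not taken from the paper): a 1024-bit
    # source with 1020 bits of min-entropy, one output bit, error 2^-1.
    for d in (19, 20):
        print(d, corollary_conditions(1024, d, 1, 1020, -1))
    print("smallest d:", smallest_seed_length(1024, 1, 1020, -1))
```

For these sample parameters d = 19 violates the first line of (1) (and hence (b)), while d = 20 satisfies both, so the search returns 20.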

C The Concept of Privacy Amplification Protocol

Definition 5

(see [6, 9]) In an \((n, \alpha , m, \eta )\)-privacy amplification protocol (or information-theoretic key agreement protocol), Alice and Bob share a weak secret W, and have two candidate keys \( r_A, r_B \in \{0, 1\}^m \cup \bot \), respectively. For any adversarial strategy employed by Eve, denote two random variables \(R_A\), \(R_B\) as the values of the candidate keys \( r_A, r_B\) at the conclusion of the protocol execution, and random variable \(T_E\) as the transcript of the (entire) protocol execution as seen by Eve. We require that for any weak secret W with min-entropy at least \(\alpha \) the protocol satisfies the following three properties:

  • Correctness: If Eve is passive, then one party reaches the \(\textsf {KeyDerived}\) state, the other party reaches the \( \textsf {KeyConfirmed}\) state, and \(R_A = R_B\).

  • Privacy: Denote by \(\textsf {KeyDerived}_A\) and \(\textsf {KeyDerived}_B\) the indicators of the events in which Alice and Bob reach the \(\textsf {KeyDerived}\) state, respectively. Then during the protocol execution, for any adversarial strategy employed by Eve, if Bob reaches the \(\textsf {KeyDerived}_B\) state then \(\textsf {SD}((R_B, T_E), (U_m, T_E) ) \le \eta \); if Alice reaches the \(\textsf {KeyDerived}_A\) state, then \(\textsf {SD}((R_A, T_E), (U_m, T_E) ) \le \eta \).

  • Authenticity: Denote by \(\textsf {KeyConfirmed}_A\) and \(\textsf {KeyConfirmed}_B\) the indicators of the events in which Alice and Bob reach the \(\textsf {KeyConfirmed}\) state, respectively. Then, for any adversarial strategy employed by Eve, it holds that

    $$\Pr [( \textsf {KeyConfirmed}_A \vee \textsf {KeyConfirmed}_B) \wedge R_A \ne R_B] \le \eta .$$

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Yao, Y., Li, Z. (2015). Non-malleable Extractors with Shorter Seeds and Their Applications. In: Biryukov, A., Goyal, V. (eds) Progress in Cryptology -- INDOCRYPT 2015. INDOCRYPT 2015. Lecture Notes in Computer Science, vol. 9462. Springer, Cham. https://doi.org/10.1007/978-3-319-26617-6_16

  • DOI: https://doi.org/10.1007/978-3-319-26617-6_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26616-9

  • Online ISBN: 978-3-319-26617-6
