
6.4 Hardcore Set Size in Black-Box Constructions

For the generalized hardcore set lemma in Section 6.1, one may wonder whether we can find a larger binary hardcore set, for example, a set with density $\delta/D$. In this section, we give an upper bound on the size of binary hardcore sets in black-box constructions. First, we introduce the notion of a black-box construction of a hardcore set.

Definition 6.4.1. We say that an oracle algorithm $\mathrm{Dec}^{(\cdot)}$ is a black-box $(\delta, \varepsilon, D)$-construction of a hardcore set if the following holds. Given any function $f : \{0,1\}^\ell \to [D]$, where $\ell = \Omega(\log D)$, and a family of functions $G = \{g_I \mid I \subseteq [D] \text{ with } |I| = 2\}$ satisfying that for each $g_I \in G$ and $H \subseteq f^{-1}(I)$ with size $s$, $\Pr_{x \in H}[g_I(x) \neq f(x)] \le (1-\varepsilon)/2$, then $\Pr_{x \in \{0,1\}^\ell}[\mathrm{Dec}^{G}(x) \neq f(x)] \le \delta$. We call $s$ the size complexity of the black-box construction.

Now, we give an upper bound on the size of binary hardcore sets.

Theorem 6.4.2. Suppose that $\Omega(1/D^{c_1}) \le \delta$ for some constant $c_1$, $\varepsilon \le 1/5$ and $D \ge 4$. Then any black-box $(\delta, \varepsilon, D)$-construction must have size complexity $O(\delta 2^\ell / D^2)$.

Proof. We use a probabilistic method to show that there exist a function $f$ and a family of functions $G = \{g_I \mid I \subseteq [D] \text{ with } |I| = 2\}$ satisfying that for each $g_I \in G$ and $H \subseteq f^{-1}(I)$ with size $10\delta 2^\ell/(D(D-1))$, $\Pr_{x \in H}[g_I(x) \neq f(x)] \le (1-\varepsilon)/2$, but $\Pr_{x \in \{0,1\}^\ell}[\mathrm{Dec}^{G}(x) \neq f(x)] \ge \delta/2$.

Suppose that $\mathrm{Dec}$ is a $(\delta, \varepsilon, D)$-black-box construction. We choose a random function $f$ and a random family of functions $G = \{g_I \mid I \subseteq [D] \text{ and } |I| = 2\}$ as follows. First, we pick $\binom{D}{2}$ disjoint sets $A_{\{1,2\}}, A_{\{1,3\}}, \ldots, A_{\{D-1,D\}} \subseteq \{0,1\}^\ell$, each with size $4\delta 2^\ell/(D(D-1))$, and then partition $\{0,1\}^\ell \setminus \bigcup_{i_1 < i_2} A_{\{i_1, i_2\}}$ into $D$ sets $B_1, B_2, \ldots, B_D$ (note that $B_i$ could be empty). We define $f$ as in Figure 6.7, and $g_I$ for each $I = \{i_1, i_2\} \subseteq [D]$ as in Figure 6.8.

Next, we claim that for each $g_I \in G$ and $H \subseteq f^{-1}(I)$ with size $10\delta 2^\ell/(D(D-1))$, $g_I$ predicts $f$ well in $H$.

Claim 6.4.3. For each $g_I \in G$, $H \subseteq f^{-1}(I)$ with size $10\delta 2^\ell/(D(D-1))$, and $\varepsilon \le 1/5$,
$$\Pr_{x \in H}[g_I(x) \neq f(x)] \le (1-\varepsilon)/2.$$

Proof. Fix any $I = \{i_1, i_2\} \subseteq [D]$, and $H \subseteq f^{-1}(I)$ with size $10\delta 2^\ell/(D(D-1))$. For each $x \in H$, let $Z_{x,f,G}$ be the indicator random variable for the event $g_I(x) \neq f(x)$. Note

[Figure residue: the definitions of $f$ (Figure 6.7) and $g_I$ (Figure 6.8) are not reproduced here; only the input line "Input: $x \in \{0,1\}^\ell$" survives.]

Proof. Note that for any $x \in A_I$ for some $I \subseteq [D]$ with $|I| = 2$, we have that
$$\Pr_{f,G}[B_{x,f,G} = 1] \ge 1/2.$$
Hence, by the Chernoff bound of Lemma 2.7.6, we get
$$\Pr_{f,G}\Bigl[\sum_{x \in \{0,1\}^\ell} B_{x,f,G} < \frac{\delta 2^\ell}{2}\Bigr] \le \Pr_{f,G}\Bigl[\sum_{x \in \cup_I A_I} B_{x,f,G} < \frac{\delta 2^\ell}{2}\Bigr] < e^{-\Omega(\delta 2^\ell)} = o(1),$$
for $\ell = \Omega(\log D)$ and $\delta > 1/D^{c_1}$ for some constant $c_1$.

From Claims 6.4.3 and 6.4.4, we conclude that there exist $f$ and $G = \{g_I \mid I \subseteq [D] \text{ with } |I| = 2\}$ such that for each $g_I \in G$ and $H \subseteq f^{-1}(I)$ with size $10\delta 2^\ell/(D(D-1))$, $\Pr_{x \in H}[g_I(x) \neq f(x)] \le (1-\varepsilon)/2$, but $\Pr_{x \in \{0,1\}^\ell}[\mathrm{Dec}^{G}(x) \neq f(x)] \ge \delta/2$.

6.5 Open Problems

In Section 6.2, we show that our extractor for independent-symbol sources still works for computational independent-symbol sources. We would like to find a better extractor for computational independent-symbol sources or show that our extractor is optimal.

On the other hand, there are several ways to prove the well-known XOR lemma [20], and one is through the hardcore set lemma. In Section 6.3, we show how to prove the generalized XOR lemma using the generalized hardcore set lemma. It would be interesting to consider other proofs for the XOR lemma to prove the generalized XOR lemma.

Chapter 7

Conclusion and Future Works

In this thesis, we consider the problem of deterministically extracting almost perfect random bits from several classes of random sources. First, we consider multiple weakly random sources that are mutually independent. We generalize the well-known leftover hash lemma, and this lemma gives us a way to extract randomness from two independent sources as long as the two sources have enough min-entropy. We also extend our construction to extract randomness from $t \ge 3$ independent sources as long as two of them have enough min-entropy. One nice feature is that the extractor still works even with all but one source exposed. Moreover, we apply our extractor to a cryptographic task in which a group of parties want to agree on a secret key for group communication over an insecure channel, without using ideal local randomness.

We also consider the independent-symbol sources, which are the sources lying in between multiple independent sources and bit-fixing sources. Each independent-symbol source consists of a sequence of $n$ independent symbols from $\{0,1\}^d$, and the only randomness guarantee on such a source is that the whole source has min-entropy $k$. We give an explicit deterministic extractor which extracts about $\Omega(\log k)$ bits, for any $n, d, k \in \mathbb{N}$. For sources with a larger min-entropy, we can extract even more randomness. When $k \ge n^{1/2+\gamma}$, for any constant $\gamma \in (0, 1/2)$, we can extract $m = k - O(d \log(1/\varepsilon))$ bits with any error $\varepsilon \ge 2^{-\Omega(n^\gamma)}$. When $k \ge \log^c n$, for some constant $c > 0$, we can extract $m = k - (1/\varepsilon)^{O(1)}$ bits with any error $\varepsilon \ge k^{-\Omega(1)}$. Our results generalize those of Kamp and Zuckerman [33] and Gabizon et al. [17], which only work for bit-fixing sources (with $d = 1$ and each bit of the source being either fixed or perfectly random). Moreover, we show the existence of a non-explicit deterministic extractor which can extract $m = k - O(\log(1/\varepsilon))$ bits whenever $k = \omega(d + \log(n/\varepsilon))$. Finally, we show that even to extract from bit-fixing sources, any extractor, seeded or not, must suffer an entropy loss $k - m = \Omega(\log(1/\varepsilon))$. This generalizes a lower bound of Radhakrishnan and Ta-Shma on extracting from general sources.

Then, we go in the other direction to look for a more general class of sources from which seedless extraction is still possible. The sources we consider have the form of a conditional distribution $(f(X) \mid X)$, for some function $f$ and some distribution $X$, and we say that such a source has computational min-entropy $k$ if any circuit of size $2^k$ can only predict $f(x)$ correctly with probability at most $2^{-k}$ given input $x$ sampled from $X$. We first show that it is impossible to have a seedless extractor for one single source of this kind.

Then we show that it becomes possible if we are allowed a seed which is weakly random (instead of perfectly random) but contains some statistical min-entropy, or even a seed which is not random at all but contains some computational min-entropy. This can be seen as a step toward extending the study of multi-source extractors from the traditional, statistical setting to a computational setting. We reduce the task of constructing such extractors to a problem in learning theory: learning linear functions under an arbitrary distribution with adversarial noise. For this problem, we provide a learning algorithm, which may be of independent interest.

Finally, we consider computational $(n, D, k, s)$-sources, which, just as $(n, D, k)$-sources, consist of $n$ mutually independent parts, $(f_1(X_1) \mid X_1), \ldots, (f_n(X_n) \mid X_n)$, each $f_i(X_i)$ of length $d$, such that for each $i$, given input $x_i$ sampled from $X_i$, any circuit of size $s$ can only predict $f_i(x_i)$ with probability at most $2^{-k_i}$ for some $k_i \le d$, and the sum of the $k_i$'s is $k$. Note that we can set the circuit size as a separate parameter to define the computational independent-symbol sources. We generalize the well-known hardcore set lemma to show that our extractor for independent-symbol sources still works for computational independent-symbol sources. In addition, the result on extractors for computational independent-symbol sources implies a generalization of the well-known XOR lemma. Finally, we show an upper bound on the size of a binary hardcore set in any black-box construction.

Since the proofs of Lemma 4.4.3 and 5.4.2 are complicated, in the future we would like to simplify these proofs. Moreover, we will go on to construct better extractors for these classes of sources or prove that these extractors are optimal.

In addition, in the proof of the lower bound on entropy loss for independent-symbol sources, we provide a size lower bound on an "almost" $t$-wise independent space, and this immediately implies a size lower bound on any approximate $t$-wise independent space. It may be interesting to find a better size lower bound on an approximate $t$-wise independent space.

On the other hand, there are several ways to prove the well-known XOR lemma [20], and one is through the hardcore set lemma. In Chapter 6, we generalize the hardcore set lemma to prove the generalized XOR lemma. It may be interesting to consider other proofs for the XOR lemma to prove the generalized XOR lemma.

Bibliography

[1] Noga Alon, László Babai, and Alon Itai. A fast and simple randomized parallel algorithm for the maximal independent set problem. Journal of Algorithms, 7(4):567–583, 1986.

[2] Noga Alon, Oded Goldreich, Johan Håstad, and René Peralta. Simple constructions of almost k-wise independent random variables. In Proc. 31st Annual IEEE Symposium on Foundations of Computer Science (FOCS'90), pages 544–553, 1990.

[3] Boaz Barak, Russell Impagliazzo, and Avi Wigderson. Extracting randomness using few independent sources. In Proc. 45th Annual IEEE Symposium on Foundations of Computer Science (FOCS'04), pages 384–393, Rome, Italy, October 2004.

[4] Boaz Barak, Guy Kindler, Ronen Shaltiel, Benny Sudakov, and Avi Wigderson. Simulating independence: New constructions of condensers, Ramsey graphs, dispersers, and extractors. In Proc. 37th Annual ACM Symposium on Theory of Computing (STOC'05), pages 1–10, Baltimore, MD, May 2005.

[5] Boaz Barak, Ronen Shaltiel, and Avi Wigderson. Computational analogues of entropy. In Proc. of APPROX 2003 and RANDOM 2003, pages 200–215, 2003.

[6] Mihir Bellare and John Rompel. Randomness-efficient oblivious sampling. In Proc. 35th Annual IEEE Symposium on Foundations of Computer Science (FOCS'94), pages 276–287, Santa Fe, New Mexico, November 1994.

[7] Avrim Blum, Adam Kalai, and Hal Wasserman. Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM, 50(4):506–519, 2003.

[8] Jean Bourgain. More on the sum-product phenomenon in prime fields and its applications. International Journal of Number Theory, 1(1):1–32, 2005.

[9] J. Lawrence Carter and Mark N. Wegman. Universal classes of hash functions. In Proc. 9th Annual ACM Symposium on Theory of Computing (STOC'77), pages 106–112, 1977.

[10] Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput., 17(2):230–261, April 1988.

[11] Benny Chor, Oded Goldreich, Johan Håstad, Joel Friedman, Steven Rudich, and Roman Smolensky. The bit extraction problem of t-resilient functions. In Proc. 26th Annual IEEE Symposium on Foundations of Computer Science (FOCS'85), pages 396–407, 1985.

[12] Philip J. Davis. Circulant Matrices. John Wiley, 1979.

[13] Yevgeniy Dodis, Ariel Elbaz, Roberto Oliveira, and Ran Raz. Improved randomness extraction from two independent sources. In APPROX-RANDOM, pages 334–344, Cambridge, MA, USA, August 2004.

[14] Yevgeniy Dodis and Roberto Oliveira. On extracting private randomness over a public channel. In APPROX-RANDOM, pages 252–263, Princeton, NY, USA, August 2003.

[15] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput., 38(1):97–139, 2008.

[16] Vitaly Feldman, Parikshit Gopalan, Subhash Khot, and Ashok Kumar Ponnuswami. New results for learning noisy parities and halfspaces. In Proc. 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06), pages 563–574, 2006.

[17] Ariel Gabizon, Ran Raz, and Ronen Shaltiel. Deterministic extractors for bit-fixing sources by obtaining an independent seed. SIAM Journal on Computing, 36(4):1072–1094, 2006.

[18] Oded Goldreich. Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press, Cambridge, 2001.

[19] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In Proc. 21st Annual ACM Symposium on Theory of Computing (STOC'89), pages 25–32, 1989.

[20] Oded Goldreich, Noam Nisan, and Avi Wigderson. On Yao's XOR lemma. Electronic Colloquium on Computational Complexity (ECCC), 2(50), 1995.

[21] Oded Goldreich, Ronitt Rubinfeld, and Madhu Sudan. Learning polynomials with queries: the highly noisy case. SIAM J. Disc. Math., 13(4):535–570, 2000.

[22] Eldon R. Hansen. A Table of Series and Products. Prentice-Hall, Englewood Cliffs, N.J., 1975.

[23] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudo-random generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.

[24] Shlomo Hoory, Nathan Linial, and Avi Wigderson. Expander graphs and their applications. Bulletin (New Series) of the American Mathematical Society, 43(4).

[25] Chun-Yuan Hsiao, Chi-Jen Lu, and Leonid Reyzin. Conditional computational entropy, or toward separating pseudoentropy from compressibility. In Proc. Advances in Cryptology - EUROCRYPT, pages 169–186, 2007.

[26] Russell Impagliazzo. Hard-core distributions for somewhat hard problems. In Proc. 36th Annual IEEE Symposium on Foundations of Computer Science (FOCS'95), pages 538–545, 1995.

[27] Russell Impagliazzo, Ragesh Jaiswal, Valentine Kabanets, and Avi Wigderson. Uniform direct product theorems: simplified, optimized, and derandomized. In Proc. 40th Annual ACM Symposium on Theory of Computing (STOC'08), pages 579–588, 2008.

[28] Russell Impagliazzo, Leonid A. Levin, and Michael Luby. Pseudo-random generation from one-way functions. In Proc. 21st Annual ACM Symposium on Theory of Computing (STOC'89), pages 12–24, 1989.

[29] Russell Impagliazzo, Ronen Shaltiel, and Avi Wigderson. Extractors and pseudo-random generators with optimal seed length. In Proc. 32nd Annual ACM Symposium on Theory of Computing (STOC'00), pages 1–10, 2000.

[30] Stasys Jukna. Extremal Combinatorics. Springer-Verlag, 2001.

[31] Adam Tauman Kalai, Yishay Mansour, and Elad Verbin. On agnostic boosting and parity learning. In Proc. 40th Annual ACM Symposium on Theory of Computing (STOC'08), pages 629–638, 2008.

[32] Jesse Kamp, Anup Rao, Salil P. Vadhan, and David Zuckerman. Deterministic extractors for small-space sources. In Proc. 38th Annual ACM Symposium on Theory of Computing (STOC'06), pages 691–700, 2006.

[33] Jesse Kamp and David Zuckerman. Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. SIAM Journal on Computing, 36(5):1231–1247, 2007.

[34] Robert König and Ueli M. Maurer. Generalized strong extractors and deterministic privacy amplification. In Proc. Cryptography and Coding, pages 322–339, 2005.

[35] Chia-Jung Lee, Chi-Jen Lu, Shi-Chun Tsai, and Wen-Guey Tzeng. Extracting randomness from multiple independent sources. IEEE Transactions on Information Theory, 51(6):2224–2227, 2005.

[36] Chi-Jen Lu. Encryption against storage-bounded adversaries from on-line strong extractors. Journal of Cryptology, 17(1):27–42, 2004.

[37] Chi-Jen Lu, Omer Reingold, Salil P. Vadhan, and Avi Wigderson. Extractors: Optimal up to constant factors. In Proc. 35th Annual ACM Symposium on Theory of Computing (STOC'03), pages 602–611, San Diego, California, June 2003.

[38] Alexander Lubotzky, R. Phillips, and Peter Sarnak. Ramanujan graphs. Combinatorica, 8(3):261–277, 1988.

[39] Michael Mitzenmacher and Eli Upfal. Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, 2005.

[40] Joseph Naor and Moni Naor. Small-bias probability spaces: efficient constructions and applications. SIAM Journal on Computing, 22(4):838–856, 1993.

[41] Noam Nisan and Amnon Ta-Shma. Extracting randomness: A survey and new constructions. J. Comput. Syst. Sci., 58(1):148–173, 1999.

[42] Noam Nisan and David Zuckerman. Randomness is linear in space. Journal of Computer and System Sciences, 52(1):43–52, February 1996.

[43] Jaikumar Radhakrishnan and Amnon Ta-Shma. Bounds for dispersers, extractors, and depth-two superconcentrators. SIAM Journal on Discrete Mathematics, 13(1):2–24, 2000.

[44] Anup Rao. Extractors for a constant number of polynomially small min-entropy independent sources. In Proc. 38th Annual ACM Symposium on Theory of Computing (STOC'06), pages 497–506, 2006.

[45] Ran Raz. Extractors with weak random seeds. In Proc. 37th Annual ACM Symposium on Theory of Computing (STOC'05), pages 11–20, Baltimore, MD, USA, May 2005.

[46] Ran Raz, Omer Reingold, and Salil P. Vadhan. Extracting all the randomness and reducing the error in Trevisan's extractors. In Proc. 31st Annual ACM Symposium on Theory of Computing (STOC'99), pages 149–158, Atlanta, Georgia, USA, May 1999.

[47] Omer Reingold, Ronen Shaltiel, and Avi Wigderson. Extracting randomness via repeated condensing. In Proc. 41st Annual IEEE Symposium on Foundations of Computer Science (FOCS'00), pages 12–14, 2000.

[48] Ronen Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77:67–95, 2002.

[49] Ronen Shaltiel and Christopher Umans. Simple extractors for all min-entropies and a new pseudo-random generator. In Proc. 42nd Annual IEEE Symposium on Foundations of Computer Science (FOCS'01), pages 648–657, 2001.

[50] Michael Sipser. Expanders, randomness, or time versus space. Journal of Computer and System Sciences, 36(3):379–383, 1988.

[51] Madhu Sudan, Luca Trevisan, and Salil Vadhan. Pseudorandom generators without the XOR lemma. Journal of Computer and System Sciences, 62(2):236–266, 2001.

[52] Amnon Ta-Shma, Christopher Umans, and David Zuckerman. Loss-less condensers, unbalanced expanders, and extractors. In Proc. 33rd Annual ACM Symposium on Theory of Computing (STOC'01), pages 143–152, Crete, Greece, July 2001.

[53] Amnon Ta-Shma and David Zuckerman. Extractor codes. IEEE Trans. Info. Theory, 50(12):3015–3025, 2004.

[54] Luca Trevisan. Extractors and pseudorandom generators. Journal of the ACM, 48(4):860–879, 2001.

[55] Luca Trevisan and Salil P. Vadhan. Extracting randomness from samplable distributions. In Proc. 41st Annual IEEE Symposium on Foundations of Computer Science (FOCS'00), pages 32–42, 2000.

[56] Salil P. Vadhan. Constructing locally computable extractors and cryptosystems in the bounded-storage model. J. Cryptology, 17(1):43–77, 2004.

[57] John von Neumann. Various techniques used in connection with random digits. National Bureau of Standards Applied Mathematics Series, 12:36–38, 1951.

[58] Avi Wigderson and David Zuckerman. Expanders that beat the eigenvalue bound: Explicit construction and applications. Combinatorica, 19(1):125–138, 1999.

[59] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions. In Proc. 23rd Annual IEEE Symposium on Foundations of Computer Science (FOCS'82), pages 80–91, 1982.

[60] David Zuckerman. Lecture notes for CS 395T - pseudorandomness and combinatorial constructions. http://userweb.cs.utexas.edu/users/diz/.

[61] David Zuckerman. General weak random sources. In Proc. 31st Annual IEEE Symposium on Foundations of Computer Science (FOCS'90), pages 534–543, 1990.

[62] David Zuckerman. Simulating BPP using a general weak random source. Algorithmica, 16(4/5):367–391, 1996.

[63] David Zuckerman. Randomness-optimal oblivious sampling. Random Structures and Algorithms, 11:345–367, 1997.

Appendix A

An Example of Pair-wise Independent Hash Family

We claim that the best result of [13] is a special case of the generalized leftover hash lemma.

Let $A_1, \ldots, A_m$ be $n \times n$ matrices over $GF[2]$ such that, for all $S \subseteq [m]$ with $S \neq \emptyset$, the rank of $A_S \stackrel{\text{def}}{=} \sum_{i \in S} A_i$ is $n$. Define a family of hash functions $H = \{f_x \mid f_x : \{0,1\}^n \to \{0,1\}^m\}$ by
$$f_x(y) = \langle A_1 x, y\rangle \circ \langle A_2 x, y\rangle \circ \cdots \circ \langle A_m x, y\rangle,$$
where $A_i x$ is a matrix-vector multiplication over $GF[2]$.

We show that the family $H$ is pair-wise independent. For any $y, y' \in \{0,1\}^n$ with $y \neq y'$, define $z = z_1 \circ \cdots \circ z_n = y - y' \neq 0$. Let $\mathrm{wt}(z)$ denote the Hamming weight of $z$. Since $z \neq 0$, $\mathrm{wt}(z) = k$ for some $1 \le k \le n$. W.L.O.G., suppose that $z_1 = z_2 = \cdots = z_k = 1$ and $z_{k+1} = z_{k+2} = \cdots = z_n = 0$. Let $A_{ij}$ denote the transpose of the $j$th row of $A_i$, and let $x = x_1 \circ \cdots \circ x_n$. Then we obtain

$$\begin{aligned}
\Pr_{f_x \in H}[f_x(y) = f_x(y')] &= \Pr_{f_x \in H}[\forall i,\ \langle A_i x, y\rangle = \langle A_i x, y'\rangle] \\
&= \Pr_{f_x \in H}[\forall i,\ \langle A_i x, z\rangle = 0] \\
&= \Pr_{f_x \in H}[\forall i,\ \langle A_{i1}, x\rangle z_1 + \cdots + \langle A_{in}, x\rangle z_n = 0] \\
&= \Pr_{f_x \in H}[\forall i,\ \langle A_{i1}, x\rangle + \langle A_{i2}, x\rangle + \cdots + \langle A_{ik}, x\rangle = 0] \\
&= \Pr_{f_x \in H}[\forall i,\ \langle A_{i1} + A_{i2} + \cdots + A_{ik}, x\rangle = 0],
\end{aligned}$$
where $+$ is the addition over $GF[2]$.

Now we evaluate the number of $x = x_1 \circ \cdots \circ x_n$ satisfying the following system of equations:
$$\begin{aligned}
\langle A_{11} + A_{12} + \cdots + A_{1k}, x\rangle &= 0 \\
\langle A_{21} + A_{22} + \cdots + A_{2k}, x\rangle &= 0 \\
&\ \ \vdots \\
\langle A_{m1} + A_{m2} + \cdots + A_{mk}, x\rangle &= 0
\end{aligned}$$
Suppose that some of the above $m$ equations are dependent; then there exist $b_1, \ldots, b_t$ for some $2 \le t \le m$ such that
$$(A_{b_1 1} + A_{b_1 2} + \cdots + A_{b_1 k}) + (A_{b_2 1} + A_{b_2 2} + \cdots + A_{b_2 k}) + \cdots + (A_{b_t 1} + A_{b_t 2} + \cdots + A_{b_t k}) = 0.$$
It means that the sum of the first $k$ rows of $A_{b_1} + A_{b_2} + \cdots + A_{b_t}$ is $0$, contradicting $A_{b_1} + A_{b_2} + \cdots + A_{b_t}$ having full rank. Hence these $m$ equations are independent. There are $2^{n-m}$ different values of $x$ satisfying the above system of $m$ independent equations in $n$ variables, hence
$$\Pr_{f_x \in_R H}[f_x(y) = f_x(y')] = \Pr_{f_x \in_R H}[\forall i,\ \langle A_i x, y - y'\rangle = 0] = \frac{1}{2^m}.$$
We complete the proof.
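The hash family above, as an added example that is not part of the thesis: the code instantiates $f_x(y) = \langle A_1 x, y\rangle \circ \cdots \circ \langle A_m x, y\rangle$ with a concrete choice of matrices and checks by brute force, for small $n$ and $m$, that every pair $y \neq y'$ collides with probability exactly $1/2^m$. The matrices are our own assumption, not the appendix's: $A_i$ is the matrix of multiplication by $\alpha^{i-1}$ in $GF(2^n)$, which satisfies the rank condition because $1, \alpha, \ldots, \alpha^{n-1}$ are linearly independent over $GF(2)$. All function names are ours; the example also runs a degenerate family that violates the rank condition to show the collision probability jumping to $1/2$.

```python
"""Added example, not part of the thesis: the hash family of Appendix A,
f_x(y) = <A_1 x, y> o ... o <A_m x, y> over GF(2), instantiated with a concrete
choice of matrices and checked by brute force for small n and m.

Assumption (ours, not the appendix's): A_i is the matrix of multiplication by
alpha^(i-1) in GF(2^n), alpha a root of an irreducible degree-n polynomial.
Since 1, alpha, ..., alpha^(n-1) are linearly independent over GF(2), every
nonempty subset sum is multiplication by a nonzero field element, hence has
rank n, which is exactly the condition the appendix requires (needs m <= n)."""
from itertools import combinations, product

# Constructed parameters: GF(2^3) built from x^3 + x + 1; bit i of an int is the coefficient of alpha^i.
N = 3
M = 3
IRRED = 0b1011


def gf_mul(a, b, n=N, irred=IRRED):
    """Multiply two elements of GF(2^n), each given as an n-bit integer."""
    r = 0
    for i in range(n):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * n - 2, n - 1, -1):  # reduce modulo the irreducible polynomial
        if (r >> i) & 1:
            r ^= irred << (i - n)
    return r


def mul_matrix(c, n=N):
    """n x n 0/1 matrix of the map v -> c * v in GF(2^n); entry [i][j] is bit i of c * alpha^j."""
    cols = [gf_mul(c, 1 << j, n) for j in range(n)]
    return [[(cols[j] >> i) & 1 for j in range(n)] for i in range(n)]


def family_matrices(n=N, m=M):
    """A_1, ..., A_m: multiplication by 1, alpha, ..., alpha^(m-1)."""
    mats, c = [], 1
    for _ in range(m):
        mats.append(mul_matrix(c, n))
        c = gf_mul(c, 0b10, n)  # multiply by alpha
    return mats


def rank_gf2(matrix):
    """Rank over GF(2) by Gaussian elimination on rows packed as integers."""
    rows = [sum(bit << j for j, bit in enumerate(row)) for row in matrix]
    rank = 0
    for col in range(len(matrix[0])):
        pivot = next((r for r in rows if (r >> col) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> col) & 1 else r for r in rows]
        rank += 1
    return rank


def subset_sums_full_rank(mats):
    """The appendix's condition: every nonempty subset sum of the A_i has rank n."""
    n = len(mats[0])
    for t in range(1, len(mats) + 1):
        for subset in combinations(range(len(mats)), t):
            total = [[sum(mats[i][r][c] for i in subset) % 2 for c in range(n)] for r in range(n)]
            if rank_gf2(total) != n:
                return False
    return True


def inner(u, v):
    """Inner product over GF(2)."""
    return sum(a & b for a, b in zip(u, v)) % 2


def hash_fx(mats, x, y):
    """f_x(y) = <A_1 x, y> o ... o <A_m x, y>, returned as a tuple of bits."""
    return tuple(inner([inner(row, x) for row in A], y) for A in mats)


def collision_probabilities(mats):
    """Set of Pr_x[f_x(y) = f_x(y')] over all pairs y != y' (x uniform over {0,1}^n)."""
    n = len(mats[0])
    keys = list(product((0, 1), repeat=n))
    probs = set()
    for y, y2 in combinations(keys, 2):
        hits = sum(hash_fx(mats, x, y) == hash_fx(mats, x, y2) for x in keys)
        probs.add(hits / len(keys))
    return probs


if __name__ == "__main__":
    mats = family_matrices()
    print("rank condition holds:", subset_sums_full_rank(mats))
    print("collision probabilities:", collision_probabilities(mats), "expected", 2 ** -M)
    degenerate = [mats[0]] * M  # A_1 + A_1 = 0 violates the rank condition
    print("degenerate family:", subset_sums_full_rank(degenerate), collision_probabilities(degenerate))
```

With $n = m = 3$ the proof's count gives $2^{n-m} = 1$ solution $x$ for every pair, so every collision probability is exactly $1/8$; in the degenerate family all $m$ output bits are the same bit $\langle x, z\rangle$, which vanishes for half of all $x$.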

Appendix B

An Elementary Proof of Extractors for Independent-Symbol Sources

We give an explicit seedless extractor for independent-symbol sources, which works for any min-entropy k but only extracts about log k bits.

Theorem B.0.1. For any $n, k, D \in \mathbb{N}$ and any prime number $M \ge D$, there is an explicit $(n, D, k, \varepsilon)$-extractor $\mathrm{Ext}_0 : [D]^n \to [M]$ with $\varepsilon \le \frac{1}{2} \cdot \sqrt{M} \cdot e^{-k/(8M^2 \log D)}$.

Note that for $k \ge \Omega(M^2 \log^2 D)$, our extractor has $\varepsilon \le 2^{-\Omega(k/(M^2 \log D))}$. Alternatively, for any $\varepsilon \in (0,1)$, our extractor can extract $\Omega(\log k - \log\log D - \log\log(1/\varepsilon))$ bits. This achieves the same asymptotic bound as the recent result in [32], but here we provide a different and completely elementary proof.

To extract randomness, we will work on the group $\mathbb{Z}_M$, for a prime $M$, and see any symbol $X_i \in [D]$ of the source as an element in $\mathbb{Z}_M$. Throughout this section, the operation $+$ or $-$ on elements in $\mathbb{Z}_M$ is understood as an operation over the group $\mathbb{Z}_M$. Our extractor $\mathrm{Ext}_0 : [D]^n \to [M]$ is then defined as
$$\mathrm{Ext}_0(X) = \sum_{t \in [n]} X_t,$$
which can be seen as taking an $n$-step walk on the group $\mathbb{Z}_M$, using the $n$ symbols from the source in the following way. Each time when we are at some state $v \in \mathbb{Z}_M$ (initially at $0 \in \mathbb{Z}_M$) and read a symbol $a$ from the source, we go to the state $v + a \in \mathbb{Z}_M$. The extractor of Kamp and Zuckerman [33] for bit-fixing sources can be seen as a special case of ours, with $D = 2$ and $X_t \in \{-1, 1\}$.

As in [33], we will show that each step of the walk brings the distribution closer to uniform if the symbol read from the source contains some randomness. See a distribution over $\mathbb{Z}_M$ as an $M$-dimensional vector in the natural way. Suppose the current distribution is $P = (P_1, \ldots, P_M)$ and the next symbol in the source has a distribution $\beta = (\beta_1, \ldots, \beta_M)$ shows the progress we can make after each step.

Lemma B.0.2. $\|\bar\delta\|_2^2 \le \|\delta\|_2^2 \cdot (1 - H_\infty(\beta)/(4M^2 \log D))$.

where the last line follows from the fact that $\sum_j \beta_j^2 + \sum_{j \neq \ell} \beta_j \beta_\ell = (\sum_j \beta_j)^2 = 1$. Then we need the following two claims.

Claim B.0.3. For any nonzero $s \in \mathbb{Z}_M$, $\sum$

of $\mathbb{Z}_M$. Thus, there exists an integer $t \in [1, M-1]$ such that $i_1 = i_0 + ts$ over $\mathbb{Z}_M$. By a

which by the Cauchy-Schwartz inequality of Lemma 2.7.2 is at least

$\sum$

Using the bounds of the claims in our derivation before, we have

$\|\bar\delta\|_2^2 \le \|\delta\|_2^2 \cdot \Bigl(1 - \sum$

Now let us see how it can be used to prove the theorem.

Proof. (of Theorem B.0.1) From Lemma B.0.2, we know that after reading the $t$'th symbol $X_t$ from the source, the $L_2$-distance between the resulting distribution and the uniform one decreases by a factor
$$1 - H_\infty(X_t)/(4M^2 \log D) \le e^{-H_\infty(X_t)/(4M^2 \log D)}.$$
Therefore, we have
$$\|\mathrm{Ext}_0(X) - U\|_2^2 \le \prod_{t \in [n]} e^{-H_\infty(X_t)/(4M^2 \log D)} = e^{-\sum_{t \in [n]} H_\infty(X_t)/(4M^2 \log D)}.$$
Since the $n$ symbols of the source are independent of each other, we have $\sum_{t \in [n]} H_\infty(X_t) = H_\infty(X) = k$, so the bound above becomes $e^{-k/(4M^2 \log D)}$. Then by the Cauchy-Schwartz inequality of Lemma 2.7.2,
$$\|\mathrm{Ext}_0(X) - U\|_1 \le \sqrt{M} \cdot \|\mathrm{Ext}_0(X) - U\|_2 \le \sqrt{M} \cdot e^{-k/(8M^2 \log D)}.$$
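The walk on $\mathbb{Z}_M$ and the two bounds above, as an added example that is not part of the thesis: the code runs $\mathrm{Ext}_0(X) = \sum_t X_t$ exactly (rational arithmetic) on a small constructed independent-symbol source, propagating the state distribution by convolution over $\mathbb{Z}_M$ one symbol at a time. After each step it compares the observed ratio of squared $L_2$ distances to uniform against the contraction factor $1 - H_\infty(X_t)/(4M^2 \log D)$ of Lemma B.0.2, and at the end it checks the statistical distance against the bound $\frac{1}{2}\sqrt{M} e^{-k/(8M^2 \log D)}$ of Theorem B.0.1 with $k = \sum_t H_\infty(X_t)$. The source, $D = M = 3$, and the function names are ours; we also assume $\log$ in the bounds is base 2.

```python
"""Added example, not part of the thesis: the walk-on-Z_M extractor Ext_0 of
Appendix B run exactly on a small constructed independent-symbol source.  Each
X_t is an independent distribution over [D], read as an element of Z_M; the
output distribution is the n-fold convolution over Z_M.  We check the per-step
contraction of Lemma B.0.2 and the final bound of Theorem B.0.1.
Assumption (ours): log in the thesis' bounds is taken base 2."""
import math
from fractions import Fraction

D = 3  # symbols come from [D] = {0, 1, 2}
M = 3  # prime M >= D; the walk lives on Z_M

# Constructed source: n = 6 independent symbols, each given by its distribution over [D].
SOURCE = [
    [Fraction(1, 2), Fraction(1, 2), Fraction(0)],        # 1 bit of min-entropy
    [Fraction(1), Fraction(0), Fraction(0)],              # fixed symbol, no entropy
    [Fraction(9, 10), Fraction(1, 20), Fraction(1, 20)],  # heavily biased symbol
    [Fraction(0), Fraction(1, 2), Fraction(1, 2)],
    [Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)],
    [Fraction(1), Fraction(0), Fraction(0)],
]


def min_entropy(beta):
    """H_inf(beta) = -log2 max_j beta_j."""
    return -math.log2(max(beta))


def step(current, beta):
    """One walk step: from state v read symbol a and move to v + a mod M (convolution over Z_M)."""
    nxt = [Fraction(0)] * M
    for v, pv in enumerate(current):
        for a, pa in enumerate(beta):
            nxt[(v + a) % M] += pv * pa
    return nxt


def sq_l2_to_uniform(dist):
    """||dist - U||_2^2 for U uniform on Z_M."""
    u = Fraction(1, M)
    return sum((p - u) ** 2 for p in dist)


def statistical_distance(dist):
    """Half the L1 distance to the uniform distribution on Z_M."""
    u = Fraction(1, M)
    return sum(abs(p - u) for p in dist) / 2


def lemma_factor(beta):
    """The contraction factor 1 - H_inf(beta) / (4 M^2 log D) of Lemma B.0.2."""
    return 1 - min_entropy(beta) / (4 * M * M * math.log2(D))


def run_walk(source):
    """Return the output distribution of Ext_0 and, per step, the pair
    (observed ratio of squared L2 distances, factor promised by Lemma B.0.2)."""
    dist = [Fraction(1)] + [Fraction(0)] * (M - 1)  # the walk starts at state 0
    steps = []
    for beta in source:
        before = sq_l2_to_uniform(dist)
        dist = step(dist, beta)
        after = sq_l2_to_uniform(dist)
        ratio = float(after / before) if before > 0 else 0.0
        steps.append((ratio, lemma_factor(beta)))
    return dist, steps


def lemma_holds(source):
    """Every observed per-step ratio is at most the lemma's factor."""
    _, steps = run_walk(source)
    return all(ratio <= factor + 1e-12 for ratio, factor in steps)


def theorem_bound(source):
    """epsilon <= (1/2) sqrt(M) e^{-k/(8 M^2 log D)}, k the sum of the symbol min-entropies."""
    k = sum(min_entropy(beta) for beta in source)
    return 0.5 * math.sqrt(M) * math.exp(-k / (8 * M * M * math.log2(D)))


def theorem_holds(source):
    dist, _ = run_walk(source)
    return float(statistical_distance(dist)) <= theorem_bound(source)


if __name__ == "__main__":
    final, steps = run_walk(SOURCE)
    print("output distribution:", [str(p) for p in final])
    for t, (ratio, factor) in enumerate(steps, 1):
        print(f"step {t}: observed ratio {ratio:.4f} <= lemma factor {factor:.4f}")
    print("statistical distance:", float(statistical_distance(final)),
          "<= theorem bound", theorem_bound(SOURCE))
```

On this source the output distribution is $(101/320, 101/320, 59/160)$, at statistical distance $17/480 \approx 0.035$ from uniform. The fixed symbols leave the distance unchanged (ratio exactly 1, matching a factor of 1 when $H_\infty = 0$), while the lemma's factor for the random symbols is far looser than the observed contraction at such small $M$ and $D$; the factor is an asymptotic tool, and the theorem's bound ($\approx 0.84$ here) only becomes informative once $k \gg M^2 \log D$.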