Design extractors, non-malleable condensers and privacy amplification
STOC '12 Proceedings of the forty-fourth annual ACM symposium on Theory of computing
TCC'13 Proceedings of the 10th theory of cryptography conference on Theory of Cryptography
New independent source extractors with exponential improvement
Proceedings of the forty-fifth annual ACM symposium on Theory of computing
Hi-index | 0.00 |
In studying how to communicate over a public channel with an active adversary, Dodis and Wichs introduced the notion of a non-malleable extractor. A non-malleable extractor dramatically strengthens the notion of a strong extractor. A strong extractor takes two inputs, a weakly-random $x$ and a uniformly random seed $y$, and outputs a string which appears uniform, even given $y$. For a non-malleable extractor $\nm$, the output $\nm(x,y)$ should appear uniform given $y$ as well as $\nm(x,\adv(y))$, where $\adv$ is an arbitrary function with $\adv(y) \neq y$. We show that an extractor introduced by Chor and Gold reich is non-malleable when the entropy rate is above half. It outputs a linear number of bits when the entropy rate is $1/2 + \alpha$, for any $\alpha0$. Previously, no nontrivial parameters were known for any non-malleable extractor. To achieve a polynomial running time when outputting many bits, we rely on a widely-believed conjecture about the distribution of prime numbers in arithmetic progressions. Our analysis involves a character sum estimate, which may be of independent interest. Using our non-malleable extractor, we obtain protocols for ``privacy amplification & quot;: key agreement between two parties who share a weakly-random secret. Our protocols work in the presence of an active adversary with unlimited computational power, and have asymptotically optimal entropy loss. When the secret has entropy rate greater than $1/2$, the protocol follows from a result of Dodis and Wichs, and takes two rounds. When the secret has entropy rate $\delta$ for any constant~$\delta0$, our new protocol takes a constant (polynomial in $1/\delta$) number of rounds. Our protocols run in polynomial time under the above well-known conjecture about primes.