How to extract useful randomness from unreliable sources Divesh - - PowerPoint PPT Presentation

how to extract useful randomness from unreliable sources
SMART_READER_LITE
LIVE PREVIEW

How to extract useful randomness from unreliable sources Divesh - - PowerPoint PPT Presentation

Oct 14, 2022 531 likes •787 views

How to extract useful randomness from unreliable sources Divesh Aggarwal Maciej Obremski Joo Ribeiro Luisa Siniscalchi Ivan Visconti University of Salerno CQT & National University of Singapore Imperial College London University of

slide-1
SLIDE 1

How to extract useful randomness from unreliable sources

Eurocrypt 2020

Divesh Aggarwal Maciej Obremski Luisa Siniscalchi

University of Salerno → Aarhus University

João Ribeiro

Imperial College London CQT & National University of Singapore

Ivan Visconti

University of Salerno

slide-2
SLIDE 2

Randomness and cryptography

Perfect randomness Cryptography

In practice, randomness sources are not perfect! bits of min-entropy Weaker assumption: min-entropy lower bound

slide-3
SLIDE 3

bits of min-entropy

Randomness extraction

(Ideally)

Ext

(arbitrary weak k-source) (statistically close to uniform)

IMPOSSIBLE! Multi-source extraction: combine several independent weak sources (e.g., sampled from different devices/locations)

slide-4
SLIDE 4

Multi-source randomness extraction

+ independence

Need to trust several devices at different locations!

(especially when dealing with public randomness!)

What happens if some sources are corrupted?

slide-5
SLIDE 5

SHELA sources: Multi-source randomness extraction without trust

  • SHELA source: Somewhere-Honest Entropic Look Ahead
  • 1. Adversary chooses blocks to corrupt
slide-6
SLIDE 6

SHELA sources: Multi-source randomness extraction without trust

  • 2. Adversary fixes corrupted block based on previous samples

Adversary knows positions and distributions of honest blocks Honest ’s are independent of each other and satisfy

  • SHELA source: Somewhere-Honest Entropic Look Ahead
  • 1. Adversary chooses blocks to corrupt
slide-7
SLIDE 7

Some other adversarial source models

Old: Santha-Vazirani sources Bit-fixing sources [Dodis 2001]: Bias-control limited sources Recent: [Austrin, Chung, Mahmoody, Pass, Seth 2014]: p-tampering attacks [Bentov, Gabizon, Zuckerman 2016]: p-resettable sources [Chattopadhyay, Goodman, Goyal, Li 2019]: Multi sources w/ local dependence [Dodis, Vaikuntanathan, Wichs 2019]: Extractor-dependent sources [Ball, Goldreich, Malkin 2019]: Somewhat-dependent sources

slide-8
SLIDE 8

Regime of interest: (constant fraction of corruptions), larger than some constant

Can we extract perfect randomness from SHELA sources? No

impossibility for p-resettable sources

[Bentov, Gabizon, Zuckerman 2016]

Holds even if honest blocks are uniform!

impossibility for SHELA sources must have error

Follows from impossibility for special subset of Santha-Vazirani sources

Can we extract “useful” randomness from SHELA sources?

slide-9
SLIDE 9

Guarantee: There exist such that

The next best thing: somewhere-random sources

  • SR source: Somewhere-Random

Interested in convex combinations of SR sources convSR sources convSR sources are very useful! SHELA great convSR sources

slide-10
SLIDE 10

SR sources and one-sided error

randomized algorithm with one-side error

Always outputs YES Outputs NO with probability 2/3, YES otherwise

Only guaranteed under uniform randomness!

YES if all output YES NO otherwise Also one-sided error!

SR source

Runtime: wish to: i) Minimize ii) Maximize length of ’s

slide-11
SLIDE 11

Crypto applications of SR sources

We construct (from generic complexity assumptions):

  • Non-interactive witness indistinguishable proof systems
  • Non-interactive commitments

Overall: non-interactive primitives with a “somewhere-random CRS” Elsewhere:

  • Publicly-verifiable proof systems [Scafuro, Siniscalchi, Visconti 2019]
slide-12
SLIDE 12

“Somewhere-extraction” from SHELA sources

Goal: Design such that for every -SHELA source , Want: #output blocks and error small, output block length large Naive approach: apply 2-source extractor to every pair of blocks of Why? If and are honest, then Cons: i) ii) Non-negligible error when Can we do better?

slide-13
SLIDE 13

Better somewhere-extraction from SHELA sources

slide-14
SLIDE 14

Better somewhere-extraction from SHELA sources

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-15
SLIDE 15

Better somewhere-extraction from SHELA sources

left source right source

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-16
SLIDE 16

Better somewhere-extraction from SHELA sources

left source right source

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-17
SLIDE 17

Better somewhere-extraction from SHELA sources

left source right source

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-18
SLIDE 18

Better somewhere-extraction from SHELA sources

left source right source

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-19
SLIDE 19

Better somewhere-extraction from SHELA sources

left source right source

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-20
SLIDE 20

Better somewhere-extraction from SHELA sources

left source right source

independent high min-entropy contains enough min-entropy independent high min-entropy contains enough min-entropy given

i) ii) whp over fixing of ,

works with only 2 honest blocks!

is -close to -convSR source in

unbalanced 2-source extractors

(left source: low entropy, right source: high entropy)

slide-21
SLIDE 21

Somewhere-extraction from low-entropy SHELA sources

Idea: Combine previous high-entropy construction with somewhere-condensers Want: Somewhere-extractor for -SHELA, for arbitrarily small constant

Essentially the same parameters:

works with only 2 honest blocks!

[Raz 2005], [Barak, Kindler, Shaltiel, Sudakov, Wigderson 2005], [Zuckerman 2007], [Li 2011]

slide-22
SLIDE 22

Somewhere-extraction from a weak source

Can we extract useful convSR sources without exploiting structure of SHELA sources?

Problem: Superpolynomial #blocks if error is negligible! Can we do better? Naive somewhere-extractor: any strong seeded extractor

SR source

Treat as

  • SHELA source

weak -source

slide-23
SLIDE 23

Somewhere-extraction from a weak source

No!

Somewhere-extractor for -sources with error , output block length

#output blocks

If isn’t small and is negligible, need superpolynomial #output blocks

Open Q: Prove analogous result when

Can we extract useful convSR sources without exploiting structure of SHELA sources?

Somewhere-extractor disperser, so can apply well-known lower bounds

Proof:

[Radhakrishnan, Ta-Shma 2000]

Treat as

  • SHELA source

weak -source

slide-24
SLIDE 24

Summing up

  • SHELA sources model multiple randomness sources corrupted by strong adversary
  • Can’t extract perfect randomness
  • Can extract great SR sources from low-entropy SHELA sources (only need 2 honest

blocks!)

  • SR sources are very useful (algorithms + crypto)
  • Can’t extract useful SR sources without exploiting structure of SHELA source

Thanks for watching!