### An Introduction to Randomness Extractors [chapter]

Ronen Shaltiel
2011 Lecture Notes in Computer Science
We give an introduction to the area of "randomness extraction" and survey the main concepts of this area: deterministic extractors, seeded extractors and multiple sources extractors. For each one we briefly discuss background, definitions, explicit constructions and applications. ⋆ The author is supported by ISF grant 686/07. Deterministic extractors In this section we discuss "deterministic extractors". The term "deterministic" is used to distinguish these extractors from "seeded extractors"
more » ... at we discuss in Section 3. We begin with some notation. Throughout this manuscript we use the terms "source" and "distribution" interchangeably. Two distributions that are ϵ-close assign essentially the same probability to all events. In particular, randomized algorithms and protocols retain their useful properties when run with distributions that are close to uniform (rather than uniform). The motivation given in Section 1 leads to the following formal definition of an extractor (we also define a weaker object called a "disperser"). Definition 2 (deterministic extractors and dispersers). Let m ≤ n be integers and let Note that every ϵ-extractor is in particular an ϵ-disperser. We plan to extract randomness from weak random sources and use this randomness in randomized algorithms and protocols. In the scenario described in Section 1 the "computer designer" can choose an implementation of the weak random source. Nevertheless, note that in the examples given there, this does not necessarily determines the distribution of the source (as the environment in which the computer operates may change). This leads to the following goal. Goal: Design extractors for "large" families of "interesting" sources. Min-entropy: measuring the number of random bits in a source Let us start with a simple observation. contradicting the correctness of the extractor as Pr[U m = E(x ′ )] = 2 −m and the two distributions E(X) and U m assign different probabilities to some event). Thus, a necessary condition for extracting m random bits from a distribution X is that for every x ∈ Supp(X), Pr[X = x] ≤ 2 −m . This leads to the following concept of entropy. Definition 3 (min-entropy). Let X be a distribution. The min-entropy of X We use min-entropy to measure the amount of random bits that can be extracted from a source. 1 Note that a distribution with min-entropy at least m has that for every x ∈ Supp(X), Pr[X = x] ≤ 2 −m . By the previous discussion having min-entropy at least m is a necessary condition for extracting m bits of randomness. 2 We could hope that it is a sufficient condition and that there exists an extractor E : {0, 1} n → {0, 1} m for all distributions with minentropy at least m. However, this does not hold. In fact, for every function E : {0, 1} n → {0, 1} there exists a distribution X over {0, 1} n such that H ∞ (X) ≥ n − 1 and yet E(X) is completely fixed. (For this, take X to be the uniform distribution over S = {x : E(x) = b} for b ∈ {0, 1} which gives |S| ≥ 2 n /2). Summing up, we cannot have an extractor that extracts even a single bit from all distributions with very large min-entropy. Furthermore, if we plan to use function E as an extractor for C, we cannot allow distributions that are uniform on {x : E(x) = b} to be in the family C. Explicitness By the previous discussion, deterministic extractors and dispersers E : {0, 1} n → {0, 1} m only exist for classes C of sources with some "special structure" where each X in C has H ∞ (X) ≥ m. By the probabilistic method it is easy to show existence of extractors for such classes C which contain "few sources". Existence of deterministic extractors: Let m ≤ n be integers, let ϵ > 0 and let C be a class with at most 2 poly(n/ϵ) distributions over {0, 1} n . There exist k = m + O(log n + log(1/ϵ)) such that if every X in C has H ∞ (X) ≥ k then there exists E : {0, 1} n → {0, 1} m that is an ϵ-extractor for C. However, for our intended application (as well as other applications that we will consider) we require extractors that can be efficiently computed. In this article we identify efficient computation with polynomial-time and this leads to the following definition of explicitness.