Privacy amplification and nonmalleable extractors via character sums

Yevgeniy Dodis, Xin Li, Trevor D. Wooley, David Zuckerman

Research output: Contribution to journal: Article

Abstract

In studying how to communicate over a public channel with an active adversary, Dodis and Wichs introduced the notion of a nonmalleable extractor. A nonmalleable extractor dramatically strengthens the notion of a strong extractor. A strong extractor takes two inputs, a weakly random x and a uniformly random seed y, and outputs a string which appears uniform, even given y. For a nonmalleable extractor nmExt, the output nmExt(x, y) should appear uniform given y as well as nmExt(x, A(y)), where A is an arbitrary function with A(y) ≠ y. We show that an extractor introduced by Chor and Goldreich is nonmalleable when the entropy rate (the ratio between the entropy and the length of the weakly random string) is above half. It outputs a linear number of bits when the entropy rate is 1/2 + a for any a > 0. Previously, no explicit construction was known for any entropy rate less than 1. To achieve a polynomial running time when outputting more than one bit, we rely on a widely believed conjecture about the distribution of prime numbers in arithmetic progressions. Our analysis involves character sum estimates, which may be of independent interest. Using our nonmalleable extractor, we obtain protocols for "privacy amplification": key agreement between two parties who share a weakly random secret. Our protocols work in the presence of an active adversary with unlimited computational power and have asymptotically optimal entropy loss. When the secret has entropy rate greater than 1/2, the protocol follows from a result of Dodis and Wichs and takes two (or three, for strongest security guarantees) rounds. When the secret has entropy rate δ for any constant δ > 0, our new protocol takes a constant (polynomial in 1/δ) number of rounds. Our protocols run in polynomial time under the above well-known conjecture about primes.

Original language: English (US)
Pages (from-to): 800-830
Number of pages: 31
Journal: SIAM Journal on Computing
Volume: 43
Issue number: 2
DOIs: 10.1137/120868414
State: Published - 2014

Keywords

  • Cryptography
  • Extractors
  • Nonmalleable
  • Privacy amplification
  • Randomness

ASJC Scopus subject areas

  • Mathematics (all)
  • Computer Science (all)

Cite this

Privacy amplification and nonmalleable extractors via character sums. / Dodis, Yevgeniy; Li, Xin; Wooley, Trevor D.; Zuckerman, David.

In: SIAM Journal on Computing, Vol. 43, No. 2, 2014, p. 800-830.

@article{f3cec06ddefc4ab6ace66371352099fd,
title = "Privacy amplification and nonmalleable extractors via character sums",
abstract = "In studying how to communicate over a public channel with an active adversary, Dodis and Wichs introduced the notion of a nonmalleable extractor. A nonmalleable extractor dramatically strengthens the notion of a strong extractor. A strong extractor takes two inputs, a weakly random x and a uniformly random seed y, and outputs a string which appears uniform, even given y. For a nonmalleable extractor nmExt, the output nmExt(x, y) should appear uniform given y as well as nmExt(x, A(y)), where A is an arbitrary function with A(y) ≠ y. We show that an extractor introduced by Chor and Goldreich is nonmalleable when the entropy rate (the ratio between the entropy and the length of the weakly random string) is above half. It outputs a linear number of bits when the entropy rate is 1/2 + a for any a > 0. Previously, no explicit construction was known for any entropy rate less than 1. To achieve a polynomial running time when outputting more than one bit, we rely on a widely believed conjecture about the distribution of prime numbers in arithmetic progressions. Our analysis involves character sum estimates, which may be of independent interest. Using our nonmalleable extractor, we obtain protocols for {"}privacy amplification{"}: key agreement between two parties who share a weakly random secret. Our protocols work in the presence of an active adversary with unlimited computational power and have asymptotically optimal entropy loss. When the secret has entropy rate greater than 1/2, the protocol follows from a result of Dodis and Wichs and takes two (or three, for strongest security guarantees) rounds. When the secret has entropy rate δ for any constant δ > 0, our new protocol takes a constant (polynomial in 1/δ) number of rounds. Our protocols run in polynomial time under the above well-known conjecture about primes.",
keywords = "Cryptography, Extractors, Nonmalleable, Privacy amplification, Randomness",
author = "Yevgeniy Dodis and Xin Li and Wooley, {Trevor D.} and David Zuckerman",
year = "2014",
doi = "10.1137/120868414",
language = "English (US)",
volume = "43",
pages = "800--830",
journal = "SIAM Journal on Computing",
issn = "0097-5397",
publisher = "Society for Industrial and Applied Mathematics Publications",
number = "2",

}

TY - JOUR

T1 - Privacy amplification and nonmalleable extractors via character sums

AU - Dodis, Yevgeniy

AU - Li, Xin

AU - Wooley, Trevor D.

AU - Zuckerman, David

PY - 2014

Y1 - 2014

KW - Cryptography

KW - Extractors

KW - Nonmalleable

KW - Privacy amplification

KW - Randomness

UR - http://www.scopus.com/inward/record.url?scp=84899627290&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84899627290&partnerID=8YFLogxK

U2 - 10.1137/120868414

DO - 10.1137/120868414

M3 - Article

AN - SCOPUS:84899627290

VL - 43

SP - 800

EP - 830

JO - SIAM Journal on Computing

JF - SIAM Journal on Computing

SN - 0097-5397

IS - 2

ER -