### Abstract

In studying how to communicate over a public channel with an active adversary, Dodis and Wichs introduced the notion of a nonmalleable extractor. A nonmalleable extractor dramatically strengthens the notion of a strong extractor. A strong extractor takes two inputs, a weakly random x and a uniformly random seed y, and outputs a string which appears uniform, even given y. For a nonmalleable extractor nmExt, the output nmExt(x, y) should appear uniform given y as well as nmExt(x, A(y)), where A is an arbitrary function with A(y) ≠ y. We show that an extractor introduced by Chor and Goldreich is nonmalleable when the entropy rate (the ratio between the entropy and the length of the weakly random string) is above half. It outputs a linear number of bits when the entropy rate is 1/2 + a for any a > 0. Previously, no explicit construction was known for any entropy rate less than 1. To achieve a polynomial running time when outputting more than one bit, we rely on a widely believed conjecture about the distribution of prime numbers in arithmetic progressions. Our analysis involves character sum estimates, which may be of independent interest. Using our nonmalleable extractor, we obtain protocols for "privacy amplification": key agreement between two parties who share a weakly random secret. Our protocols work in the presence of an active adversary with unlimited computational power and have asymptotically optimal entropy loss. When the secret has entropy rate greater than 1/2, the protocol follows from a result of Dodis and Wichs and takes two (or three, for strongest security guarantees) rounds. When the secret has entropy rate δ for any constant δ > 0, our new protocol takes a constant (polynomial in 1/δ) number of rounds. Our protocols run in polynomial time under the above well-known conjecture about primes.

| Original language | English (US) |
|---|---|
| Pages (from-to) | 800-830 |
| Number of pages | 31 |
| Journal | SIAM Journal on Computing |
| Volume | 43 |
| Issue number | 2 |
| DOIs | https://doi.org/10.1137/120868414 |
| ISSN | 0097-5397 |
| State | Published - 2014 |

### Keywords

- Cryptography
- Extractors
- Nonmalleable
- Privacy amplification
- Randomness

### ASJC Scopus subject areas

- Mathematics(all)
- Computer Science(all)

### Cite this

Dodis, Y., Li, X., Wooley, T. D., & Zuckerman, D. (2014). Privacy amplification and nonmalleable extractors via character sums. *SIAM Journal on Computing*, *43*(2), 800-830. https://doi.org/10.1137/120868414

Research output: Contribution to journal › Article
