Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters. However, existing constructions of seeded extractors with short seed length and large output length run in time $Ω(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors impractical. Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields such extractors. More precisely, we obtain strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-η)k$ for an arbitrarily small constant $η>0$, running in nearly-linear time. When $k$ or $\varepsilon$ are very small, our construction requires a reasonable one-time preprocessing step. These extractors directly yield privacy amplification protocols with nearly-linear time complexity (possibly after a one-time preprocessing step), large output length, and low communication complexity. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in truly linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)polylog(n)}$. Previous fast implementations of Trevisan's extractor ran in $\widetilde{O}(n)$ time in this setting.

翻译：种子提取器是伪随机性与密码学中的基本对象，一系列深入研究已设计出具有接近最优参数的、可在多项式时间内计算的种子提取器。然而，现有具有短种子长度和大输出长度的种子提取器构造的运行时间为 $Ω(n \log(1/\varepsilon))$ 甚至更慢，其中 $n$ 是输入源长度，$\varepsilon$ 是提取器的误差。由于提取器的密码学应用要求 $\varepsilon$ 很小，由此产生的运行时间使得这些提取器不实用。受此启发，我们探索了具有短种子、可在近线性时间 $O(n \log^c n)$ 内计算的强种子提取器的构造，适用于任意误差 $\varepsilon$。我们证明，将现代浓缩器与为高最小熵源构造种子提取器的经典方法进行适当结合，可以产生此类提取器。更精确地说，我们获得了针对 $n$ 比特源、具有任意最小熵 $k$ 和任意目标误差 $\varepsilon$ 的强提取器，其种子长度 $d=O(\log(n/\varepsilon))$，输出长度 $m=(1-η)k$（其中 $η>0$ 为任意小的常数），并在近线性时间内运行。当 $k$ 或 $\varepsilon$ 非常小时，我们的构造需要一个合理的一次性预处理步骤。这些提取器直接产生了具有近线性时间复杂度（可能在一次预处理之后）、大输出长度和低通信复杂度的隐私放大协议。作为第二项贡献，我们给出了Trevisan提取器的一个实例化，该实例化在RAM模型中可以在真正的线性时间内求值，只要输出比特数不超过 $\frac{n}{\log(1/\varepsilon)polylog(n)}$。在此设置下，先前Trevisan提取器的快速实现运行时间为 $\widetilde{O}(n)$。