(abstract shortened due to space constraints) Existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors unusable in practice. Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time, after a reasonable one-time preprocessing step (finding a primitive element of $\mathbb{F}_q$ with $q=\mathrm{poly}(n/\varepsilon)$ a power of $2$) that is only required when $k<2^{C\log^* n}\cdot\log^2(n/\varepsilon)$, for a constant $C>0$ and $\log^*$ the iterated logarithm, and which can be implemented in time $\mathrm{polylog}(n/\varepsilon)$ under mild conditions on $q$. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in truly linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)\,\mathrm{polylog}(n)}$. Previous fast implementations of Trevisan's extractor ran in $\widetilde{O}(n)$ time in this setting. In particular, these extractors directly yield privacy amplification protocols with the same time complexity and output length, and communication complexity equal to their seed length.
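The one-time preprocessing step named in the abstract, finding a primitive element of $\mathbb{F}_q$ for $q$ a power of $2$, can be illustrated at toy scale. This is an added example, not code from the paper: it applies the standard order test with trial-division factoring of $q-1$ rather than the paper's polylog-time method, and the modulus polynomials and function names are assumptions chosen for the illustration.

```python
# Added illustration: brute-force search for a primitive element of GF(2^m).
# The modulus polynomials used with it (e.g. 0x11B for m=8, 0x13 for m=4) are
# standard irreducible polynomials picked for the example, not paper parameters.

def gf_mul(a, b, m, mod):
    """Multiply a and b in GF(2^m) = F_2[x]/(mod); elements are bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:          # degree reached m: reduce by the modulus
            a ^= mod
    return r

def gf_pow(a, e, m, mod):
    """Square-and-multiply exponentiation in GF(2^m)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m, mod)
        a = gf_mul(a, a, m, mod)
        e >>= 1
    return r

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small q - 1)."""
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out

def is_primitive(g, m, mod):
    """g generates F_q^* iff g^((q-1)/p) != 1 for every prime p dividing q - 1."""
    order = (1 << m) - 1
    return g != 0 and all(gf_pow(g, order // p, m, mod) != 1
                          for p in prime_factors(order))

def find_primitive(m, mod):
    """Smallest (as an integer bit mask) primitive element of GF(2^m)."""
    return next(g for g in range(2, 1 << m) if is_primitive(g, m, mod))
```

For $q=2^8$ with modulus `0x11B`, the element `0x02` has order 51 and is rejected, so the search returns `0x03`.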