Hi everyone, this talk will be about improved computational extractors and their applications. This is based on joint work with Akshayaram Srinivasan, who is at TIFR. Let me begin by introducing you to our setting. We consider the problem of randomness extraction. Randomness is actually extremely useful for all sorts of cryptographic applications. It is often obtained from physical sources, which are usually imperfect. In many settings an adversary may be able to obtain side information about the randomness that was generated and therefore be able to attack the system. And there have in fact been instances in the literature that have demonstrated that cryptography instantiated with imperfect randomness can often be broken completely. So the question that we look at is whether weak random sources can be converted into stronger ones. We study this question in various settings, including distributed settings where randomness is split between many sources, some of which may be adversarial. Let me begin by making more precise what a weak source is. A weak source is represented by a distribution on n bits that has min entropy k, where k is smaller than n. A min entropy of k bits corresponds to each point in the distribution being selected with probability at most 2 to the minus k. An example of a weak source with min entropy k is the uniform distribution on a subset of size 2 to the k in {0,1} to the n. Randomness extractors help convert weak sources of entropy to nearly uniform sources. Say we have a weak random source with k bits of entropy on an n-bit input space. Ideally we would like to have a deterministic algorithm that converts this into a nearly uniformly random source on m bits, where m can be as large as k. Unfortunately it turns out that this dream deterministic extractor simply cannot exist.
Even for really weak parameter settings, say we just want to extract one bit of randomness and the source has almost full min entropy, it has min entropy n-1, and we want the resulting distribution to have a statistical distance of at most a fourth from the uniform distribution on a single bit. Even in these settings deterministic extractors are impossible. What is possible is actually a variant that takes the help of a short uniformly random seed to convert an n-bit source with min entropy k to an almost k-bit uniform distribution. This is pictorially represented on the slide here as an algorithm that, on input a source and a seed, outputs a distribution that's close to uniform. In fact the size of the seed can actually be much smaller than the min entropy of the input source or the size of the output source. For example, Guruswami et al. show that the min entropy can be as small as polylogarithmic. The size of the seed can also be polylogarithmic, and in this setting the error can be a negligible function of the size of the source. The definition of a seeded extractor can be further strengthened to what is called a strong seeded extractor, where the requirement is that the output distribution be statistically indistinguishable from random even given the seed. The problem with seeded extractors is that you need the seed, which is itself a uniform independent source of randomness. The next primitive that we look at, a two-source extractor, relaxes this so that the source and the seed are both imperfect. A two-source extractor considers a setting where there are two weak sources of randomness that have a certain amount of min entropy, and the only assumption is that the two sources are independent, but neither of them needs to be uniform. They also don't necessarily need to be the same size or have the same amount of entropy, and really the assumption is just that they should be independent.
A two-source extractor is a deterministic algorithm that, given such independent sources with sufficient entropy, outputs a distribution that is close to uniformly random. And for a long time we only knew how to extract randomness in this setting when at least one of the sources had min entropy about half of n. A recent breakthrough work of Chattopadhyay and Zuckerman broke down this barrier and built two-source extractors in the setting where both sources have polylogarithmic min entropy. These results were further improved in several works. In all these works that achieve polylogarithmic min entropy in this setting, however, the running time of the extractor turned out to be inversely proportional to the desired error. In particular this means that the error cannot be negligible in n, as that would lead to inefficient constructions in these settings. The dream, especially from a cryptographic point of view, would be to have information-theoretic two-source extractors where both sources can have as low as polylogarithmic min entropy and yet the error would be negligible in n and the running time of the extractor would still remain polynomial. Alternatively, this means that we'd like the running time of the extractor to be proportional to the log of 1 over epsilon. It is unclear if this is possible information-theoretically, and it at least appears to be a hard problem. So while we work on trying to solve this problem, a natural question is whether two-source extractors with negligible error with low min entropy can be achieved under computational assumptions. Prior work has indicated that if the assumptions are sufficiently strong then the answer is yes. In particular, assuming an optimally exponentially hard one-way permutation, Kalai, Li and Rao showed that one can in fact obtain negligible-error extractors for min entropy epsilon n, where epsilon is smaller than half.
More recently, under the sub-exponential hardness of DDH, in joint work with Ankit Garg and Yael Kalai we showed that one can weaken the assumption to sub-exponential DDH. But this comes at the cost of assuming the existence of a common random string. In more detail, this involves a trusted setup phase where a random string is sampled uniformly and fixed once and for all. Then a source distribution can be sampled arbitrarily depending on the string. This actually differs from the setting of seeded extractors, where crucially the source and seed must be independent of each other. And so what this model basically does is reduce the need for true randomness to a single one-time requirement. In that work the amount of entropy that we could work with was sublinear for the first source and polylogarithmic for the second one. And like I said before, ideally one would like to be able to deal with polylogarithmic min entropy for both sources and yet achieve negligible error. Subsequently Aggarwal et al. obtained sublinear entropy assuming quasi-polynomial DDH and obtained extractors for polylogarithmic min entropy sources assuming optimally hard collision-resistant hashing, and these are essentially exponential hardness assumptions. This brings me to the first part of our work, where we perform a different analysis of the GKK extractor to obtain improved parameters. Just like in GKK, which is the work I was just telling you about, we also focus on the CRS model. In this model we perform a different analysis of the GKK extractor. While theirs was more general in some sense, ours is more tailored to their specific construction. In contrast with GKK, we are able to handle balanced sources, meaning both sources are allowed to have the same length, whereas GKK explicitly required some sort of imbalance between the sources. Moreover, each source only needs to have polylogarithmic min entropy. On the other hand, the analysis in GKK required sublinear entropy in one of the sources.
And finally, our analysis, just like the one in GKK, shows that the extractor has negligible error. We also obtain improved parameters, albeit in the computational setting, for new types of primitives where randomness is required to be extracted even in the presence of adversarial attacks. Before going into the details of our analysis, let me give you a high-level overview of the GKK extractor. They build their extractor in two steps. The first is to build what is called a computational non-malleable extractor for relatively high entropy sources in the CRS model. This is done by repurposing a construction due to Brever-Veneton. A non-malleable extractor is a strengthened version of an extractor that we will define in more detail on upcoming slides. For now, once they have this non-malleable extractor in the CRS model, they apply a template of Ben-Aroya et al. to compile any non-malleable extractor for sufficiently high entropy sources into a two-source extractor for low entropy sources. This template was originally designed for the information-theoretic setting, but GKK show how to apply it to the computational setting in the CRS model. Both these steps, they show, can be done with the error being only negligible. We will now go ahead and define what a non-malleable extractor is. A non-malleable extractor can be seeded, that is, involve an entropic source and a uniform seed, or two-source, that is, involve two independent entropic sources. For the purpose of this talk we will only consider strong seeded non-malleable extractors, for which we have the following definition. Just like a seeded extractor, a non-malleable extractor on input X sampled from the source distribution and a seed outputs something that's supposed to be uniformly random, but the security requirement here is stronger. This requirement is that the output of the non-malleable extractor be indistinguishable from uniform even given access to an oracle.
This oracle can be queried on any string Y that is not equal to the seed, and it returns the output of the non-malleable extractor computed on X and Y. In the information-theoretic setting one typically needs to bound the number of times the adversary can query such an oracle. In the computational setting non-malleable extractors can be defined similarly. Like the information-theoretic setting, they can be seeded or two-source. Again, for the purposes of this talk we will care about strong seeded non-malleable extractors with computational indistinguishability from uniform in the CRS model. The one key difference from the information-theoretic setting, besides the existence of a CRS, will be that the adversary will be allowed to query this oracle an arbitrary polynomial number of times, and we will have no explicit a priori upper bound on this polynomial. This brings me back to the GKK template for computational two-source extractors with negligible error. Recall that there were two steps. The first step built computational non-malleable extractors for high entropy sources in the CRS model, and the second one compiled any computational non-malleable extractor to a two-source extractor for low entropy sources. Now the second step actually was based on a blueprint first introduced in the work of Ben-Aroya et al., and it turns out that the proof technique of Ben-Aroya et al. crucially had an inefficient reduction, which means that given an efficient adversary for the two-source extractor they actually ended up building an unbounded adversary against the non-malleable extractor. Now while this works well in the information-theoretic setting, it breaks down completely when the non-malleable extractor is only computationally secure, because of the lack of an efficient reduction. To counter this barrier, GKK used the leakage lemma of Gentry and Wichs,
Jetchev and Pietrzak, and Chung et al. to efficiently simulate inefficient steps in the reduction of Ben-Aroya et al., and it is this use that led to them requiring unbalanced sources and was one of the reasons that their analysis did not achieve polylogarithmic min entropy. In the new analysis in this current work we give up on having step two be a general compiler that compiles any computational non-malleable extractor to a two-source extractor. Instead we give a more specific analysis that is specific to the non-malleable extractor obtained in step one. This allows us to perform a monolithic analysis of steps one and two together, first stripping off all computational components until we obtain an information-theoretic hypothetical experiment, and it is only in this experiment that we must invert the disperser. This allows us to sidestep the inefficiencies in the Ben-Aroya et al. transformation and make a more optimal use of our computational resources. Unfortunately I don't have time to go into further details of this analysis. In the rest of this talk I'm going to talk about some of the applications of these techniques to other extractor settings. The first setting is that of network extractors. In a network extractor protocol there is a set of processors that each have independent sources. They would like to communicate with each other, potentially in several rounds, such that at the end of this communication they each end up with what is supposedly a uniformly random string. In this setting an adversary is allowed to corrupt some subset of the players, and the guarantee that is typically desired is that the outputs of honest parties be close to uniform even conditioned on the view of these adversaries. That is, given the transcript and the adversarial source distributions, the output of honest players is required to still be indistinguishable from uniform. Let me now describe some prior work on network extractors.
This concept was introduced dating back to the works of Dodis and Oliveira and Goldwasser et al., but was explicitly studied starting with the work of Kalai et al., who obtained network extractors for sources with min entropy 2 to the log n to the epsilon, but where only a fraction of honest parties obtained uniformly random bits. In contrast we would like all honest parties to obtain uniform randomness. The recent work of Goyal et al. tackled exactly this problem, where they were able to have all honest parties obtain uniform randomness but needed relatively high min entropy. In the computational setting, the work of Kalai, Li and Rao showed how to obtain network extractors where all parties obtain uniform randomness, but assuming omega(n) min entropy and assuming exponential hardness of one-way permutations. In this work, using techniques that are very similar to the construction of two-source extractors, we obtain a one-round network extractor protocol with negligible error for up to polynomially many parties that tolerates up to all but two corruptions, meaning that we require only two parties to be honest. This is optimal because, recall that in the setting of a single honest party this boils down to the problem of deterministic extractors, which cannot exist. Moreover, we require each source to only have polylogarithmic min entropy and assume the sub-exponential hardness of DDH. Our second application is to the setting of extractors for adversarial sources. Here one considers many sources, some of which may be adversarial, but the guarantee is that there are at least some K honest sources, again K must be at least two, and the remaining sources can be adversarially chosen depending on the honest sources. In particular, each adversarial source is allowed to depend on up to D honest sources, and the resulting extractor is called a (K, D)-extractor.
The guarantee that is required in this setting is that the output of the extractor applied to all these sources, where some of the sources may be adversarial, be close to uniform. In the information-theoretic setting this problem was introduced and studied in the work of Chattopadhyay et al., who obtained adversarial source extractors for a setting of at least P to the 1-r honest sources out of a total of P sources, where r is a constant and where each corrupted source was allowed to depend on at most K to the r sources, and they were able to obtain such extractors for the setting of polylogarithmic min entropy. On the other hand, in the computational setting our work, assuming sub-exponential hardness of DDH, achieves adversarial source extractors where there are two honest sources out of a total of P sources. Each corrupted source depends on at most one of the two sources, and we achieve polylogarithmic min entropy with negligible error. Let me conclude with some open problems that I find exciting. The first is whether we can eliminate the CRS and still rely on nice assumptions like DDH. The second is whether we can eliminate the need for sub-exponential hardness and only rely on polynomial hardness assumptions. And finally, can we explore relationships of these objects with other primitives like leakage-resilient codes and non-malleable codes in the computational setting, as well as other cryptographic primitives such as non-malleable commitments. That brings me to the end of my talk. Thank you.
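The following is an added worked illustration of the definitions from the opening of the talk; it is not part of the talk or of the speaker's paper. It makes three of the talk's claims concrete on small, exhaustively enumerable inputs: min entropy as minus log of the largest probability, the impossibility of deterministic one-bit extraction from an (n-1)-entropy source (for any function f, the larger preimage of f is a flat source of min entropy at least n-1 on which f is constant, so the output is at statistical distance 1/2 from uniform), and the classical inner-product two-source extractor of Chor and Goldreich, which is the kind of construction that works in the "about half of n" entropy regime the talk mentions. The source sets and the function `parity` used in the demonstration are constructed for the example.

```python
"""Toy extractor arithmetic on small n, as an added illustration (not from the talk)."""
import math
from collections import Counter
from itertools import product


def min_entropy(dist):
    """Min entropy of a distribution given as {outcome: probability}: -log2 of the largest mass."""
    return -math.log2(max(dist.values()))


def flat_source(support):
    """Uniform distribution over a subset of {0,1}^n (outcomes are bit tuples)."""
    p = 1.0 / len(support)
    return {x: p for x in support}


def statistical_distance(dist, m):
    """Statistical distance between dist (over m-bit tuples) and the uniform distribution on {0,1}^m."""
    u = 2.0 ** -m
    return sum(abs(dist.get(y, 0.0) - u) for y in product((0, 1), repeat=m)) / 2


def apply_function(f, source):
    """Push a source distribution through a deterministic function f."""
    out = Counter()
    for x, p in source.items():
        out[f(x)] += p
    return dict(out)


def break_deterministic_extractor(f, n):
    """For any f: {0,1}^n -> {0,1}, return a flat source with min entropy >= n-1 on which f is constant.

    One of the two preimages f^{-1}(0), f^{-1}(1) has size >= 2^(n-1); the uniform distribution on it
    has min entropy >= n-1, yet f's output on it is a single fixed bit (distance 1/2 from uniform).
    """
    buckets = {(0,): [], (1,): []}
    for x in product((0, 1), repeat=n):
        buckets[f(x)].append(x)
    return flat_source(max(buckets.values(), key=len))


def parity(x):
    """A candidate one-bit deterministic extractor (constructed for the demo)."""
    return (sum(x) % 2,)


def inner_product(x, y):
    """Inner product mod 2: the Chor-Goldreich two-source extractor, one output bit."""
    return (sum(a * b for a, b in zip(x, y)) % 2,)


def two_source_output_distance(src1, src2):
    """Distribution of IP(X, Y) for independent X ~ src1, Y ~ src2, measured against uniform on one bit."""
    out = Counter()
    for x, px in src1.items():
        for y, py in src2.items():
            out[inner_product(x, y)] += px * py
    return statistical_distance(dict(out), 1)


def demo(n=4):
    """Return (entropy of the adversarial source, distance of parity's output, IP distance good, IP distance bad)."""
    bad_src = break_deterministic_extractor(parity, n)
    k = min_entropy(bad_src)                                   # 3.0 = n-1
    sd_det = statistical_distance(apply_function(parity, bad_src), 1)  # 0.5: output is constant
    # Two independent sources, each of min entropy n-1 (2(n-1) > n): IP output is exactly uniform here.
    first_bit_one = flat_source([x for x in product((0, 1), repeat=n) if x[0] == 1])
    last_bit_one = flat_source([y for y in product((0, 1), repeat=n) if y[-1] == 1])
    sd_good = two_source_output_distance(first_bit_one, last_bit_one)
    # Too little total entropy (0 + (n-1) < n): X fixed to all-ones, Y uniform over even-weight strings,
    # so IP(X, Y) = weight(Y) mod 2 = 0 always.
    all_ones = flat_source([tuple([1] * n)])
    even_weight = flat_source([y for y in product((0, 1), repeat=n) if sum(y) % 2 == 0])
    sd_bad = two_source_output_distance(all_ones, even_weight)
    return k, sd_det, sd_good, sd_bad


if __name__ == "__main__":
    k, sd_det, sd_good, sd_bad = demo()
    print(f"adversarial source min entropy = {k}, parity output distance = {sd_det}")
    print(f"inner product: distance {sd_good} with enough entropy, {sd_bad} without")
```

Everything is brute-forced over all 2^n strings, so the numbers are exact rather than sampled; the point of the second pair of sources is that the inner-product extractor gives no guarantee once the two min entropies sum to less than n, which is why the polylogarithmic-entropy constructions discussed in the talk need a different approach.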