 Alright, so thank you for tuning in. I'm Daniel Wix and I'm going to tell you how to extract randomness from extractor-dependent sources This is chained work with Ipgeni Dodis and Vinod by Kutanathan So randomness is incredibly useful in many areas of computer science. It's useful in algorithm design Distributed computing and many other areas and it's absolutely essential for cryptography And usually when we design cryptosystems, we just assume we are in some ideal model where we can Sample uniformly random bits on demand whenever the cryptosystem needs it Well, where does this randomness actually come from? And so usually when we think from a theory point of view how to design cryptosystem We just imagine we have this gnome who lives inside a computer and every time our cryptosystem needs a fresh random bit The gnome tosses a coin and tells us the outcome. So we can sample a bit with that zero one with probably a hat But when I talk to practitioners, they tell me that we don't actually have gnomes living inside computers So where does randomness really come from? Well, the system samples Measures various properties to derive random bits And that's all by measuring various properties of the environment. For example the timing of various system interrupts That's a very popular source of entropy or various mouse movements or other signals from input-output devices Can measure the internal temperature. There's even a company whose shtick is to point Video cameras at lava lamps and use the resulting images to derive to get randomness so To encompass all of these things we can just imagine that random randomness comes from various sources of nature from nature various measure measurable properties of the environment in which the system is Executing and so here's my abstract picture of nature which generates randomness And the problem is that the randomness the nature generate is likely to have entropy So for example the timing of interrupts is likely to have some randomness some have entropy inside it but it's unlikely to be Uniform to consist of uniformly random bits and So the solution to this problem is to use extractors that convert some sources of entropy into uniform randomness and the goal is to have some function x which takes as input some sample x that comes from a high entropy source and Output some value r which is just extractor applied on x and Ideally, this would guarantee that as long as x has entropy the output r would be a uniformly random bit strength So unfortunately, this is too good to be true and we know such extractors don't exist in general so instead we make do with something called seeded extractors and Essentially these use an additional component a random seat to help extract randomness So the idea is that there will be one uniformly random seed that Can be part of the extractor and it helps us it acts as an at catalyst and helps us extract randomness from the sample x and What we would want is that as long as the sample x has entropy and comes from some distribution Which is independent of the seed then the extracted randomness are would be uniformly random Even conditioned on the seed s so the randomness is actually coming from x not from s because the randomness Because the output is uniformly random even given the seed and The use case the way we envision using this is that we would choose the seed as once and for all and Hard-coded into various components and then we would use it to extract randomness from various samples that come from nature So here's the here's the image We have the seed as which is public and it's hard-coded in all kinds of systems and devices and Whenever we get some sample x from nature We feed it into this extractor and use the output are as The derived randomness that we then use in applications. Let's say the cryptography or whatever application we're using randomness for And the philosophy here is that nature is worst case but not adversarial So therefore even though we don't know the distribution that x that the sample x comes from we just assume it is entropy But we don't know what the exact distribution is We can assume that this distribution is not as independent of the seed s Even though s is public because nature is not real adversarial It's not trying to somehow choose the worst case x depending on s we can assume that it's independent and The main point of this dog is that this assumption might be too optimistic in this setting and The reason is that this extractor is going to be reused over time And that the outputs of the extractor can make their way back into nature and affect nature changing the distribution of the source of the samples in the future So for example, we might use some derived randomness that might make its way might make its way as an input Into some process and then we use timing interrupts that are related to that process to generate the next sample x Therefore the next sample the distribution of the next sample can depend on randomness extracted in previous times And therefore on the extractor itself Which with the seed hard-coated? And moreover just this extractor we're imagining that's used by many devices Which all can somehow affect nature and therefore it seems reasonable to assume that nature may be affected by the extractor itself So this brings us to the main motivation for this talk which is to consider extractor dependent sources So here we assume that the source that nature the source of randomness Can depend on the input-output behavior of the extractor with the particular seed s inside it So we're not assuming that the source's worst case can depend on s in the worst case matter It's not fully seed dependent, but it's not also fully independent It can depend on the seed s only through the input-output behavior of the extractor with the given seed In other words an extractor dependent source is a source that can make oracle queries to the extractor with the given seed s And so the main question for this talk is to construct Extractors that can extract randomness from all extractor dependent sources. So let me define and we'll call these ed extractors So let me define what I mean So here's the security game We sample a seed as a random and then we consider some adversarial sampling algorithm, which is Which models the worst case worst case nature and the sampler makes oracle queries to the extractor with the particular seed as hard-coded in it and eventually outputs some sample x Then we feed x into the extractor with the given seed and extract some randomness r and We give this extracted randomness r or a uniform value to a distinguisher and the goal the distinguishes to W sub r The distinguisher also gets the seed s because here we're matching the seed s is public and used by many many systems So this is the definition extra ed extractors We have to put some conditions on the sampler So the first condition is that the output x the sample that produces Should have some sufficient level sufficiently high level of entropy and this is the standard condition for randomness extractors The additional condition that we need here is that the sampler also can never have queried the oracle the extractor on the Sample x that it outputs and this is a necessary condition if it can query x the extractor on x then it can Sqewe the distribution can choose an x such as the extracted output. Let's see starts with a zero So it's a necessary condition. It's also a Meaningful or or a natural condition to make because we're assuming that the sampler somehow Uses fresh entropy to produce a sample x and therefore should not be equal to some value that it previously query the oracle So somehow the previous coastal extractor can affect the distribution But then when it produces a new sample x some fresh entropy should go into that and therefore shouldn't get the same sample that is very previous So this is the basic definition We're also going to consider strong strengthening of this definition Which we'll call ed extractors with auxiliary info and there the sample the sampler algorithm Can also produce some auxiliary info that it gives to a distinguisher as long as the sample x Has high enough entropy even condition on the auxiliary info And I want to mention that in the information theoretic setting where extractors have generally been studied You could consider definition with or without x info turns out doesn't make much of a difference Any extractor works without x info also works with x info. We're going to see that that's very different here So there has been some prior work on this problem There was a work by Coretta at all which essentially studied a special case of this problem where the extractor is a random oracle And they showed that a random oracle is a good good ed extractor even in the setting with auxiliary info And so the main point of our work is to study this problem in the standard model without random oracles So here's the results that we show First of all, we show that unfortunately cannot achieve this notion information theoretically This is in contrast to standard seeded extractors, which are information theoretic humanly computational assumptions and in fact will show that the sampler itself must be computationally bound in order to be able to achieve this notion and The existence of such extractors imply one-way functions. This is even for the weakest notion without auxiliary info Then we show a positive result that actually in the setting without auxiliary info It's fairly easy to construct these extractors. In fact any pseudonium function With sufficient level of security is a good extractor in the setting But this does not hold in the setting with auxiliary info. We have counter examples The positive result is very strong It even holds if the distinguisher is computationally unbounded So the output of the extractor is actually statistically close to uniform We get security even for unbounded distinguishers as long as the sampler is computationally bounded Then we move on to the setting of auxiliary info and there we give three constructions Using stronger assumptions So we have three different approaches based on some intermediate notions either constrained prs shift Hining shiftable functions or lossy slash injective functions And the last approach gives the most instantiations It can be based on ddh lw or decision Compasited residue acid assumptions So many most of the assumptions under which we have public ecrypto Also give us such extractors But here we only get security for computationally bounded distinguishers So that's in contrast to the previous setting where we even had it for unbounded ones And lastly we give a black box operation. We show that this is actually inherent in the auxiliary info setting The distinguisher needs to be computationally bounded At least if you hope to have a reduction from a standard assumption Okay, so these are the results and in this talk I'm going to tell you just about the first two results So first let me show you a bad result a negative result Which says that you cannot achieve this notion information theoretically And the idea is very simple An unbounded computation unbounded sampler that has access to this extractor oracle Can essentially learn the seed s by making queries to the oracle It's not fully true can't get it and it can't get the seed s info But it can learn it sufficiently well to be able to predict the output of the extractor on random values And that's enough for it to choose a random x subject to the extracted output of x starting with a zero So you can choose such an x without explicitly querying its oracle on this x And if it does so it satisfies the conditions But it ensures that the extracted output is easily distinguishable from uniform So this shows you cannot have a do this information theoretically Now let me show you the positive results, which is that in the setting without auxiliary info It's very easy to construct these extractors and if pseudo random function is a good extractor in the setting So our construction is just that the extractor of the seed s is a good pr at Where we think of the seed as the seed to the prf So actually we hear this result holds that the secure of the pr is sufficiently strong We'll need the security to be exponential in the output size. But for now, let's just consider the setting of a one bit output And the main difficulty here is how do we prove security? How do we get a reduction? That somehow uses an adversary against this extractor to break the pr security when here the distinguisher gets the seed of the prf And obviously we can argue security of a pr when the seed is given out Moreover here, we want to even argue secure against a computational and bounded distinguisher and therefore the reduction cannot from the distinguisher at all So we're not going to we're going to ignore the Distinguisher completely. We're just going to use the fact that the extracted output is statistically far from uniform even given the seed And what that means that actually translates into that the collision probability of r given s is larger than it should be For example, if r is just one bit If I sample the same bit twice for the same s I'm more likely to get the same bit So r is most more likely to collide than it would if I chose just to uniformly random and independent bits And we're going to use that to get a reduction the reduction is very simple given some oracle o which is either prf Or a truly random function. It's just going to run the sampler twice To get two values x and x prime It's also going to call the oracle one more on these values to get r and r prime and it will output one if r prime is equal to r and because uh, essentially using the fact that the extract output statistically far We can analyze the success problem of this reduction and show that it outputs one with higher probability a If the oracle is a pseudo random function, then if the oracle were truly random function And I want to note that this idea idea Fails really badly in the setting with auxiliary info and the reason is that if you take two runs of the sampler Then they will unlikely they're unlikely to give you the same auxiliary info and therefore you cannot You cannot somehow compare these two runs And in fact, not only does the proof idea fail There is all this falls we have counter examples where pr where we can construct prf That are not good extractors in the setting with auxiliary info So in that setting we have to work harder and actually a large part of the paper is Looking into these constructions in the setting with auxiliary info, but I don't have time to get into those So let me just conclude We saw definitions and constructions of these types of extractors in the setting with and without auxiliary info And probably the main open question like by this work is that we can construct these types of extractors in the setting with auxiliary info from The from just one way functions without relying on stronger assumptions that imply public heat photography All of our current constructions are based on things like dh and lw So stronger assumptions in cryptomania and it's we don't know whether we can construct them from one way functions alone And the other open question is I think this is a very interesting primitive Can you come up with other applications and connections? Between this new type of extractors that we defined here and other problems in cryptography Right. Well, thank you very much for listening