Nearly-Linear Time Seeded Extractors with Short Seeds

TL;DR

This paper introduces nearly-linear time seeded extractors with short seeds that are practical for cryptography, achieving optimal parameters and enabling efficient privacy amplification and Trevisan's extractor evaluation.

Contribution

It presents a construction of strong seeded extractors with short seeds and nearly-linear runtime for any error, improving practicality in cryptographic applications.

Findings

Extractors with seed length O(log(n/ε)) and output length close to min-entropy k.

Runtime of the extractor is nearly-linear, O(n log^c n), for any ε.

A linear-time implementation of Trevisan's extractor in the RAM model.

Abstract

Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters. However, existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors impractical. Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields such extractors. More precisely, we obtain strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time. When $k$ or $\varepsilon$ are very small, our construction requires a reasonable one-time preprocessing step. These extractors directly yield privacy amplification protocols with nearly-linear time complexity (possibly after a one-time preprocessing step), large output length, and low communication complexity. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in truly linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)polylog(n)}$. Previous fast implementations of Trevisan's extractor ran in $\widetilde{O}(n)$ time in this setting.