Randomness merger explained
In extractor theory, a randomness merger is a function which extracts randomness out of a set of random variables, provided that at least one of them is uniformly random. Its name stems from the fact that it can be seen as a procedure which "merges" all the variables into one, preserving at least some of the entropy contained in the uniformly random variable. Mergers are currently used in order to explicitly construct randomness extractors.
Intuition and definition
Consider a set of
random variables,
, each distributed over
at least one of which is uniformly random; but it is not known which one. Furthermore, the variables may be arbitrarily correlated: they may be functions of one another, they may be constant, and so on. However, since at least one of them is uniform, the set as a whole contains at least
bits of entropy.
The job of the merger is to output a new random variable, also distributed over
, that retains as much of that entropy as possible. Ideally, if it were known which of the variables is uniform, it could be used as the output, but that information is not known. The idea behind mergers is that by using a small additional random seed, it is possible to get a good result even without knowing which one is the uniform variable.
A naive idea would be to take the xor of all the variables. If one of them is uniformly distributed and independent of the other variables, then the output would be uniform. However, if suppose
, and both of them are uniformly distributed, then the method would not work.
Definition (merger):
A function
M:(\{0,1\}n)k x \{0,1\}d → \{0,1\}n
is called an
-merger if for every set of random variables
distributed over
, at least one of which is uniform, the distribution of
has smooth min-entropy
. The variable
denotes the uniform distribution over
bits, and represents a truly random seed.
In other words, by using a small uniform seed of length
, the merger returns a string which is
-close to having at least
min-entropy; this means that its
statistical distance from a string with
min-entropy is no larger than
.
Reminder: There are several notions of measuring the randomness of a distribution; the min-entropy of a random variable
is defined as the largest
such that the most probable value of
occurs with probability no more than
. The min-entropy of a string is an upper bound to the amount of randomness that can be extracted from it.
[1] Parameters
There are three parameters to optimize when building mergers:
- The output's min-entropy
should be as high as possible, for then more bits can be extracted from it.
should be as small as possible, for then after applying an extractor to the merger's output, the result will be closer to uniform.
- The seed length
should be as small as possible, for then the merger requires fewer initial truly random bits to work.
Explicit constructions for mergers are known with relatively good parameters. For example, Dvir and Wigderson's construction gives:[2] For every
and integer
, if
, there exists an explicit
-merger
M:(\{0,1\}n)k x \{0,1\}d → \{0,1\}n
such that:
\varepsilon=O\left(
\right).
The proof is constructive and allows building such a merger in polynomial time in the given parameters.
Usage
It is possible to use mergers in order to produce randomness extractors with good parameters. Recall that an extractor is a function which takes a random variable that has high min-entropy, and returns a smaller random variable, but one that is close to uniform. An arbitrary min-entropy extractor can be obtained using the following merger-based scheme:[2] [3]
- Given a source of high min-entropy, partition it into blocks. By a known result,[4] at least one of these partitions will also have high min-entropy as a block-source.
- Apply a block extractor separately to all the blocks. This is a weaker sort of extractor, and good constructions for it are known.[2] Since at least one of the blocks has high min-entropy, at least one of the outputs is very close to uniform.
- Use the merger to combine all the previous outputs into one string. If a good merger is used, then the resultant string will have very high min-entropy compared to its length.
- Use a known extractor that works only for very high min-entropy sources to extract the randomness.
The essence of the scheme above is to use the merger in order to transform a string with arbitrary min-entropy into a smaller string, while not losing a lot of min-entropy in the process. This new string has very high min-entropy compared to its length, and it's then possible to use older, known, extractors which only work for those type of strings.
See also
Notes and References
- 0912.5514. Trevisan's extractor in the presence of quantum side information . SIAM Journal on Computing . 41 . 4 . 915–940 . De, Portmann, Vidick and Renner. 2009 . 10.1137/100813683 . 5387876 . Section 2.2.
- Web site: Kakeya sets, new mergers and old extractors. Zeev Dvir . Avi Wigderson . amp .
- Web site: Extracting Randomness: A Survey and New Constructions. Noam Nissan . Amnon Ta-Shma . amp . Section 4.3.
- Web site: Refining Randomness. Amnon Ta-Shma. Phd. Thesis.