Randomness merger explained

In extractor theory, a randomness merger is a function which extracts randomness out of a set of random variables, provided that at least one of them is uniformly random. Its name stems from the fact that it can be seen as a procedure which "merges" all the variables into one, preserving at least some of the entropy contained in the uniformly random variable. Mergers are currently used in order to explicitly construct randomness extractors.

Intuition and definition

Consider a set of

k

random variables,

X1,\ldots,Xk

, each distributed over

\{0,1\}n

at least one of which is uniformly random; but it is not known which one. Furthermore, the variables may be arbitrarily correlated: they may be functions of one another, they may be constant, and so on. However, since at least one of them is uniform, the set as a whole contains at least

n

bits of entropy.

The job of the merger is to output a new random variable, also distributed over

\{0,1\}n

, that retains as much of that entropy as possible. Ideally, if it were known which of the variables is uniform, it could be used as the output, but that information is not known. The idea behind mergers is that by using a small additional random seed, it is possible to get a good result even without knowing which one is the uniform variable.

A naive idea would be to take the xor of all the variables. If one of them is uniformly distributed and independent of the other variables, then the output would be uniform. However, if suppose

X1=X2

, and both of them are uniformly distributed, then the method would not work.

Definition (merger):

A function

M:(\{0,1\}n)k x \{0,1\}d\{0,1\}n

is called an

(m,\varepsilon)

-merger if for every set of random variables

(X1,\ldots,Xk)

distributed over

\{0,1\}n

, at least one of which is uniform, the distribution of

Z=M(X1,\ldots,Xk,Ud)

has smooth min-entropy
\varepsilon(Z)
H
infty

\geqm

. The variable

Ud

denotes the uniform distribution over

d

bits, and represents a truly random seed.

In other words, by using a small uniform seed of length

d

, the merger returns a string which is

\varepsilon

-close to having at least

m

min-entropy; this means that its statistical distance from a string with

m

min-entropy is no larger than

\varepsilon

.

Reminder: There are several notions of measuring the randomness of a distribution; the min-entropy of a random variable

Z

is defined as the largest

k

such that the most probable value of

Z

occurs with probability no more than

2-k

. The min-entropy of a string is an upper bound to the amount of randomness that can be extracted from it. [1]

Parameters

There are three parameters to optimize when building mergers:

  1. The output's min-entropy

m

should be as high as possible, for then more bits can be extracted from it.

\varepsilon

should be as small as possible, for then after applying an extractor to the merger's output, the result will be closer to uniform.
  1. The seed length

d

should be as small as possible, for then the merger requires fewer initial truly random bits to work.

Explicit constructions for mergers are known with relatively good parameters. For example, Dvir and Wigderson's construction gives:[2] For every

\alpha>0

and integer

n

, if

k\leq2o(n)

, there exists an explicit

(m,\varepsilon)

-merger

M:(\{0,1\}n)k x \{0,1\}d\{0,1\}n

such that:

m=(1-\alpha)n,

d=O(log(n)+log(k)),

\varepsilon=O\left(

1
nk

\right).

The proof is constructive and allows building such a merger in polynomial time in the given parameters.

Usage

It is possible to use mergers in order to produce randomness extractors with good parameters. Recall that an extractor is a function which takes a random variable that has high min-entropy, and returns a smaller random variable, but one that is close to uniform. An arbitrary min-entropy extractor can be obtained using the following merger-based scheme:[2] [3]

The essence of the scheme above is to use the merger in order to transform a string with arbitrary min-entropy into a smaller string, while not losing a lot of min-entropy in the process. This new string has very high min-entropy compared to its length, and it's then possible to use older, known, extractors which only work for those type of strings.

See also

Notes and References

  1. 0912.5514. Trevisan's extractor in the presence of quantum side information . SIAM Journal on Computing . 41 . 4 . 915–940 . De, Portmann, Vidick and Renner. 2009 . 10.1137/100813683 . 5387876 . Section 2.2.
  2. Web site: Kakeya sets, new mergers and old extractors. Zeev Dvir . Avi Wigderson . amp .
  3. Web site: Extracting Randomness: A Survey and New Constructions. Noam Nissan . Amnon Ta-Shma . amp . Section 4.3.
  4. Web site: Refining Randomness. Amnon Ta-Shma. Phd. Thesis.