Non-Malleable Extractors with Short Seeds and Applications to Privacy Amplification

Motivated by the classical problem of privacy amplification, Dodis and Wichs [9] introduced the notion of a non-malleable extractor, significantly strengthening the notion of a strong extractor. A non-malleable extractor is a function nmExt : {0, 1}(n) x {0, 1}(d) -> {0, 1}(m) that takes two inputs: a weak source W and a uniform (independent) seed S, and outputs a string nmExt(W, S) that is nearly uniform given S as well as nmExt(W, S') for any seed S' not equal S that is determined as an arbitrary function of S. The first explicit construction of a non-malleable extractor was recently provided by Dodis, Li, Wooley and Zuckerman [7]. Their extractor works for any weak source with min-entropy rate 1/2 + delta, where delta > 0 is an arbitrary constant, and outputs up to a linear number of bits, but suffers from two drawbacks. First, the length of its seed is linear in the length of the weak source (which leads to privacy amplification protocols with high communication complexity). Second, the construction is conditional: when outputting more than a logarithmic number of bits (as required for privacy amplification protocols) its efficiency relies on a longstanding conjecture on the distribution of prime numbers. In this paper we present an unconditional construction of a non-malleable extractor with short seeds. For any integers n and d such that 2.01 . log n {0, 1}(m), with m = Omega(d), and error exponentially small in m. The extractor works for any weak source with min-entropy rate 1/2 + delta, where delta > 0 is an arbitrary constant. Moreover, our extractor in fact satisfies an even more general notion of non-malleability: its output nmExt(W, S) is nearly uniform given the seed S as well as the values nmExt(W, S-1),...,nmExt(W, S-t) for several seeds S-1,...,S-t that may be determined as an arbitrary function of S, as long as S is not an element of {S-1,.