On Extractors and Exposure-Resilient Functions for Sublogarithmic Entropy

We study deterministic extractors for oblivious bit-fixing sources (a.k.a. resilient functions) and exposure-resilient functions with small min-entropy: of the function's n input bits, k << n bits are uniformly random and unknown to the adversary. We…

Authors: Yakir Reshef, Salil Vadhan

Randomness extractors are functions that extract almost-uniform bits from weak sources of randomness (which may have biases and/or correlations). Extractors can be used for simulating randomized algorithms and protocols with weak sources of randomness, have close connections to many other "pseudorandom objects" (such as expander graphs and error-correcting codes), and have a variety of other applications in theoretical computer science. The most extensively studied type of extractor is the seeded extractor, introduced by Nisan and Zuckerman [NZ]. These extractors are given as additional input a small "seed" of truly random bits to use as a catalyst for the randomness extraction, and this allows for extracting almost-uniform bits from very unstructured sources, where all we know is a lower bound on the min-entropy. In many applications, such as randomized algorithms, the need for truly random bits can be eliminated by trying all possible seeds and combining the results (e.g. by majority vote).

However, prior to the Nisan-Zuckerman notion, there was a substantial interest in deterministic extractors (which have no random seed) for restricted classes of sources. Over the past decade, there has been a resurgence in the study of deterministic extractors, motivated by settings where enumerating all possible seeds does not work (e.g. distributed protocols) and by other applications in cryptography.

In this paper, we study one of the most basic models: an oblivious bit-fixing source (OBFS) is an n-bit source where some n - k bits are fixed arbitrarily and the remaining k bits are uniformly random. Deterministic extractors for OBFSs, also known as resilient functions (RFs), were first studied in the mid-80's, motivated by cryptographic applications [Vaz, BBR, CGH+]. A more relaxed notion is that of an exposure-resilient function (ERF), introduced in 2000 by Canetti et al. [CDH+].
Here all n bits of the source are chosen uniformly at random, but n - k of them are seen by an adversary; an ERF should extract bits that are almost-uniform even conditioned on what the adversary sees. ERFs come in two types: static ERFs, where the adversary decides which n - k bits to see in advance, and adaptive ERFs, where the adversary reads the n - k bits adaptively. In recent years, there has been substantial progress in giving explicit constructions of both RFs and ERFs [CDH+, DSS, KZ, GRS].

In this paper, we focus on the case when k, the number of random bits unknown to the adversary, is very small, e.g. k < log n. While this case is not directly motivated by applications, it is interesting from a theoretical perspective for a couple of reasons:

• For many other natural classes of sources (several independent sources [CG], samplable sources [TV], and affine sources [BKS+]), at least logarithmic min-entropy is necessary for extraction.¹
• This is a rare case where a random function is not an optimal extractor. For example, the parity function extracts one completely unbiased bit from any bit-fixing source with k = 1 random bits, but we show that a random function will fail to extract from some such source with high probability.

Our first results concern explicit constructions of extractors for OBFS with k sublogarithmic in n.

• We simplify and improve an explicit construction of extractors for OBFSs with small k by Kamp and Zuckerman [KZ]. In particular, the error parameter of our construction can be exponentially small in k, whereas the Kamp-Zuckerman construction achieves error that is polynomially small in k. Our extractor (like that of [KZ]) extracts only Θ(log k) almost-uniform bits, in contrast to extractors for superlogarithmic k, which can extract nearly k bits.
• We prove that, when k is sublogarithmic, the Θ(log k) output length of our extractor is optimal for extractors for OBFSs computable by space-bounded streaming algorithms with a certain "forgetlessness" property. The class of streaming algorithms we analyze includes our construction as well as many natural random-walk based constructions. This is our main result.

Next, we investigate properties of random functions as extractors for OBFSs and find that k ≈ log n appears to be a critical point for extractors for OBFSs in this setting as well. Specifically, we show that:

• A random function is an extractor for OBFSs (with high probability) if and only if k is at least roughly log n.
• In contrast, for the more relaxed concept of exposure-resilient functions, random functions suffice even for sublogarithmic k. For static ERFs, k can be as small as a constant, and for adaptive ERFs, k can be as small as log log n.

All of the results concerning random functions yield resilient/exposure-resilient functions that output nearly k almost-uniform bits.

¹ For the case of 2 independent sources, the need for logarithmic min-entropy is proven in [CG]. For sources samplable by circuits of size s = n^2, it can be shown by noting that the uniform distribution on any 2^k elements of {0,1}^(k+1) ∘ 0^(n-k-1) is samplable by a circuit of size O(n · 2^k) (and we can pick 2^k elements on which the first bit of the extractor is constant). For affine sources, it can be shown by analyzing the k-th Gowers norm of the set of inputs on which the first bit of the extractor is constant (as pointed out to us by Ben Green).

Throughout, we will use the convention that a lowercase number (e.g. n) implicitly defines a corresponding capital number (N) as its exponentiation with base 2 (i.e. N = 2^n).

Definition 2.1 (Statistical Distance). Let X and Y be two random variables taking values in a set S. The statistical distance Δ(X, Y) between X and Y is

We will write X ≈_ε Y to mean Δ(X, Y) ≤ ε, and we will use U_n to denote the uniform distribution on {0,1}^n.
When U_n appears twice in the same set of parentheses, it will denote the same random variable. For example, a string chosen from the distribution (U_n, U_n) will always be of the form w ∘ w for some w ∈ {0,1}^n. Note that (U_n, U_m) still equals U_(n+m).

Definition 2.2 (Oblivious Symbol-Fixing Source). An (n, k, d) oblivious symbol-fixing source (OSFS) X is a source consisting of n symbols, each drawn from [d], of which all but k are fixed and the rest are chosen independently and uniformly at random.

Definition 2.3 (Oblivious Bit-Fixing Source). An (n, k) oblivious bit-fixing source (OBFS) is an (n, k, 2) oblivious symbol-fixing source.

We will use n to denote the set {L ⊂ [n] : |L| = } and, given some L ∈ n and a string a ∈ {0, 1} , we will write L a,n to denote the oblivious bit-fixing source that has the bits with positions in L fixed to the string a.

Definition 2.4 (Deterministic Randomness Extractor). Let C be a class of sources on {0,1}^n. A deterministic ε-extractor for C is a function E : {0,1}^n → {0,1}^m such that for every X ∈ C we have E(X) ≈_ε U_m.

Here we will focus mainly on deterministic randomness extractors for oblivious bit-fixing sources, also known as resilient functions (RFs).

Definition 2.5 (Resilient Function). A (k, ε)-RF is a function f : {0,1}^n → {0,1}^m that is a deterministic ε-extractor for (n, k) oblivious bit-fixing sources.

We can also characterize extractors for OBFSs by their ability to fool a distinguisher: consider a computationally unbounded adversary A that can set some of f's input bits in advance but must allow the rest to be chosen uniformly at random. Then f satisfies Definition 2.5 if and only if A is unable to distinguish between f's output and the uniform distribution regardless of how A changes f's input. When viewed through this lens, the notion of deterministic extraction from OBFSs has a natural relaxation obtained by restricting A to only read (rather than modify) a portion of f's input bits.
Functions that are able to fool adversaries of this type are called exposure-resilient functions (ERFs). We define below the two simplest variants of exposure-resilient functions, which correspond to whether A reads the bits of f's input all at once or one at a time.

Definition 2.6 (Static Exposure-Resilient Function). A static (k, ε)-ERF is a function f : {0,1}^n → {0,1}^m with the property that for every

This definition can be restated in terms of average-case extraction using the following lemma, whose proof can be found in [Res].

Allowing the adversary to adaptively request bits of f's input one at a time gives rise to the strictly stronger notion of an adaptive ERF:

The following lemma will allow us to restrict our attention to algorithms A that simply output the values of the bits that they request as they receive them (rather than outputting some function of those bits).

Lemma 2.9. Let A : {0,1}^n → {0,1}^* be an adaptive adversary that reads at most d bits of its input and let A_r : {0,1}^n → {0,1}^* be the algorithm that adaptively reads the same bits as A and outputs them in the order that they were read. For every function f :

Proof. First, modify A_r by padding its output with 0's so that its output length is always d. Now define a second algorithm A_p : {0,1}^d → {0,1}^* as follows: on an input x ∈ {0,1}^d, A_p runs A, sequentially feeding it the bits of x in response to A's requests, and then outputs A's output. The fact that A = A_p ∘ A_r then implies the desired result.

In this section, we prove that when the entropy parameter k is sublogarithmic in the input length n, an output length of O(log k) is optimal for a natural class of space-bounded streaming algorithms, including algorithms that use the input bits to conduct a random walk on a graph. Before we state this lower bound, we give a simple improvement on the state of the art in explicit constructions of extractors for oblivious bit-fixing sources (i.e.
resilient functions) for sublogarithmic entropy. Our lower bound then shows that the parameters achieved by this construction are optimal.

We start with a simplification of a previous construction due to [KZ]. The previous construction is based on very good extractors for oblivious symbol-fixing sources with d ≥ 3 symbols obtained by using the symbols of the input string to take a random walk on an expander graph of degree d. Since expander graphs do not exist with degree d = 2, this approach could not be used for oblivious bit-fixing sources. However, the construction of [KZ] uses the fact that while a random walk on an expander is not an option, a random walk on a cycle still extracts some randomness even when the entropy k of the input is very small. Our construction is a slight modification of this random walk that simplifies the argument and improves the error parameter.

We can treat f as computing the endpoint of a walk on Z/MZ (where M = 2^m) that starts at 0 and either adds 1 or 0 to its state with every bit that it reads. Since the endpoint of this walk does not depend on the order in which the input bits are processed, we may assume without loss of generality that all of the fixed bits in f's input come at the beginning. These bits only change the starting vertex of the random walk and do not affect the distance from uniform of the resulting distribution. Therefore, to bound the distance from uniform of any distribution of the form f(L * ,n) we need only bound the mixing time of a walk on Z/MZ consisting of k random steps. The following claim, whose proof we defer to the appendix, accomplishes this.

Claim 3.2. Let W_k be the distribution on the vertices of Z/MZ (where M = 2^m) obtained by beginning at 0 and adding 1 or 0 with equal probability k times.
The distance from uniform of W_k is at most

Since k ≥ M^2, the bottom of the fraction in Claim 3.2 is bounded from below by 2(1 - e^(-3π^2/2)) > 1 and so we have bounded the distance from uniform by e^(-kπ^2/2M^2). With our setting of parameters this is at most ε^(log(e)π^2/2) ≤ ε, as desired.

The difference between this construction and that of [KZ] is that each step of the random walk carried out by f consists of adding either 1 or 0 rather than 1 or -1 to the current state. This has two advantages. First, the random walk in the construction of [KZ] cannot be carried out on a graph of size 2^m since any even-sized cycle is bipartite and the walk traverses an edge at each step. This necessitates an additional lemma about converting the output of the random walk to one that is almost uniformly distributed over {0,1}^m, which incurs an error polynomially related to k.³ By eliminating the need for this lemma, the construction of Theorem 3.1 manages to achieve an exponentially small error parameter. Second, setting m = 1 in the construction of Theorem 3.1 makes it clear that the idea underlying both it and the [KZ] construction is simply a generalization of bitwise addition modulo 2 (the parity function), which extracts 1 uniformly random bit whenever k ≥ 1.

As discussed previously, this construction achieves output length only logarithmic in k. This is considerably worse than the output length of k - 2 log(1/ε) - O(1) which we show to be possible both for extractors for OBFSs with k > log n (Section 4.1) and for ERFs (Section 4.2). The lower bound we prove in the following section shows why this is the case.

The extractor of Theorem 3.1 is a symmetric function; that is, its output is not sensitive to the order in which the input bits are arranged. We begin building our more general negative result by first showing that extractors for OBFSs with this property cannot have superlogarithmic output length.

Proof.
By the symmetry of f on the bits in [n] - L, the size of the support of f(X) is at most k. (The output depends only on the number of input bits in [n] - L that equal 1.) Thus, the distance between f(X) and U_m is at least

We can use Lemma 3.3 to show that no symmetric function with large output length can be even a static ERF.

Proof. From Lemma 2.7, we have that for f to be a static ERF, it must satisfy, for all sets

It follows by averaging that there exists a set L and a string a such that f(L a,n) ≈_ε U_m. Application of Lemma 3.3 to the source L a,n then yields the result.

Since every deterministic ε-extractor for (n, k)-OBFSs is a static (k, ε)-ERF and every adaptive (k, ε)-ERF is also a static (k, ε)-ERF, Proposition 3.4 applies to extractors for OBFSs and adaptive ERFs as well. Thus, Proposition 3.4 shows that constructions like that of Theorem 3.1 and that of [KZ] are optimal.

However, there are many natural candidates for extraction from OBFSs that are similar to that of Theorem 3.1 but are not symmetric, such as the analogous random walk on a directed version of a 3-regular or 4-regular expander graph. For instance, we could try the graph with vertex set F_p where the edge labelled 0 from vertex x goes to x + 1 and the edge labelled 1 goes to x^(-1) (or 0 in case x = 0). The undirected version of this graph is known to be an expander [Lub], so we might hope that with k random steps we can reach an almost uniform vertex even for p = 2^Ω(k) and thus output Ω(k) almost-uniform bits. F_p with inverse cords rather than an undirected cycle.

It turns out that such constructions do no better, as we now show by extending the above lower bound for extractors for OBFSs to a large class of small-source streaming algorithms. We start by defining the model of computation that we will assume.

Definition 3.5 (Streaming Algorithm).
A streaming algorithm A : {0,1}^n → {0,1}^m is given by a 5-tuple (V, v_0, Σ_0, Σ_1, ϕ), where V is the state space, v_0 ∈ V is the initial state, Σ_0 = (σ^0_1, …, σ^0_n) and Σ_1 = (σ^1_1, …, σ^1_n) are two sequences of functions from V to itself, and ϕ is a function from V to {0,1}^m. On an input sequence (b_1, …, b_n) ∈ {0,1}^n, A computes by updating its state using the rule

The function ϕ is called the output function of A, and the space of A is log |V|. We say that A is forgetless if and only if for every i at least one of either σ^0_i or σ^1_i is a permutation. (Thus, if the i-th bit is fixed to a certain value, A does not "forget" anything about its state when reading that bit.)

Forgetless streaming algorithms include random walks on 2-regular digraphs that are consistently labelled (meaning that the edges labelled b form a permutation, for each b ∈ {0, 1}), like the graph on F_p mentioned above. However, forgetless streaming algorithms are more general in the sense that they can compute random walks in which each step of the walk is conducted on a different graph.

We now show that forgetless streaming algorithms with small space cannot compute extractors for OBFSs with large output length (for small k). This is our main result.

Theorem 3.6. Suppose that f : {0,1}^n → {0,1}^m is a deterministic ε-extractor for (n, k)-OBFSs that can be computed by a forgetless streaming algorithm with space s ≤ log(n/k)/k. Then m ≤ log(k/(1 - ε)).

Proof. Fix an ε-extractor for (n, k)-OBFSs f : {0,1}^n → {0,1}^m and let A be a forgetless streaming algorithm with space s ≤ log(n/k)/k that computes f. To show that m ≤ log(k/(1 - ε)), we will first reduce to a special case in which we can make some simplifying assumptions about A. We will then construct an oblivious bit-fixing source X such that f is symmetric on the set of bit positions not fixed by X.
This will allow us to apply Lemma 3.3 to obtain our result since f must map X close to uniform.

Reduction to the special case: Let Σ_0 and Σ_1 be the sequences of functions used by A, and let ϕ be its output function. We reduce to the special case that every element of Σ_0 is the identity. Since A is forgetless, we can switch some of the functions σ^0_i and σ^1_i to make every function in Σ_0 a permutation while preserving the fact that A computes a (k, ε)-RF. (This corresponds to just negating some input bits.) This allows us to define a new sequence of functions F = {f_1, …, f_n} and a new output function ψ by the following relations.

Then (V, v_0, (id, id, …, id), (f_1, …, f_n), ψ) can be verified to be a streaming algorithm that computes the same function as (V, v_0, Σ_0, Σ_1, ϕ).

Constructing the source X: Letting S = 2^s, we can choose a set F_1 ⊂ F of size at least n/S such that all the functions in F_1 map the initial state v_0 to some common state (call it v_1). We can then choose a set F_2 ⊂ F_1 of size at least n/S^2 such that all functions in F_2 map v_1 to some common state, which we call v_2. Continuing in this way, we obtain a set F_k ⊂ F of size at least n/S^k and a sequence (v_0, …, v_k) with the property that every

We now define X to be the oblivious bit-fixing source that has the bits at positions that correspond to functions in F_k un-fixed and the rest of the bits fixed to 0. By our assumption that s ≤ log(n/k)/k, we have |F_k| ≥ n/S^k ≥ k, meaning that X has at least k unfixed bits.

Obtaining the desired bound: For any string w in the support of X, f's output will be ψ(v_H(w)) where H(w) is the Hamming weight of w. Therefore f is a symmetric function of the bits in positions not fixed by X. Since X contains at least k independent, uniformly random bits and f is a (k, ε)-resilient function, Lemma 3.3 yields m ≤ log(k/(1 - ε)) as desired.
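The walk on Z/MZ and the support-size argument of this section, worked exactly on small parameters as an added example (this is not code from the paper); it also contrasts parity with a random one-bit function at k = 1, as stated in the introduction. The function names, the seed and the sample sizes are assumptions chosen for illustration, and statistical distance is computed as half the L1 distance to uniform.

```python
from fractions import Fraction
from itertools import combinations, product
import math
import random


def cycle_walk(m):
    """f(x) = (x_1 + ... + x_n) mod M with M = 2^m: start at 0, add each bit."""
    M = 1 << m
    return lambda bits: sum(bits) % M


def random_function(n, m, seed):
    """Random table {0,1}^n -> {0..2^m - 1}; the seed is an assumption of this demo."""
    rng = random.Random(seed)
    table = {x: rng.randrange(1 << m) for x in product((0, 1), repeat=n)}
    return table.__getitem__


def output_distribution(f, n, free, fixed_values, m):
    """Exact distribution of f(X) for the OBFS whose positions `free` are uniform
    and whose other positions hold `fixed_values` (in increasing position order)."""
    fixed_pos = [i for i in range(n) if i not in free]
    counts = [0] * (1 << m)
    for choice in product((0, 1), repeat=len(free)):
        x = [0] * n
        for i, b in zip(fixed_pos, fixed_values):
            x[i] = b
        for i, b in zip(free, choice):
            x[i] = b
        counts[f(tuple(x))] += 1
    total = 1 << len(free)
    return [Fraction(c, total) for c in counts]


def distance_from_uniform(dist):
    """Statistical distance to uniform, as half the L1 distance."""
    u = Fraction(1, len(dist))
    return sum(abs(p - u) for p in dist) / 2


def worst_case_distance(f, n, k, m):
    """Largest distance from uniform over every (n, k)-OBFS: each choice of the
    k free positions and each setting of the n - k fixed bits."""
    worst = Fraction(0)
    for free in combinations(range(n), k):
        for fixed_values in product((0, 1), repeat=n - k):
            dist = output_distribution(f, n, free, fixed_values, m)
            worst = max(worst, distance_from_uniform(dist))
    return worst


def support_lower_bound(dist):
    """A distribution supported on s of M points is at least 1 - s/M from uniform."""
    s = sum(1 for p in dist if p > 0)
    return 1 - Fraction(s, len(dist))


def page_bound(k, m):
    """e^(-k*pi^2 / 2M^2): the bound the text derives from Claim 3.2 when k >= M^2."""
    M = 1 << m
    return math.exp(-k * math.pi ** 2 / (2 * M * M))


if __name__ == "__main__":
    # Parity (m = 1) is a perfect resilient function even for k = 1.
    print("parity  n=8 k=1 :", worst_case_distance(cycle_walk(1), 8, 1, 1))
    # A random 1-bit function maps some k = 1 source to a constant.
    rf = random_function(8, 1, seed=0)
    print("random  n=8 k=1 :", worst_case_distance(rf, 8, 1, 1))
    # Fixed bits only shift the start of the walk, so every source behaves alike.
    print("walk M=4 n=6 k=4:", worst_case_distance(cycle_walk(2), 6, 4, 2))
    # k = M^2 = 16 random steps on Z/4Z against the bound above.
    d16 = output_distribution(cycle_walk(2), 16, tuple(range(16)), (), 2)
    print("walk M=4 k=16   :", distance_from_uniform(d16), "<=", page_bound(16, 2))
    # Symmetric function with output longer than log k: the support is too small.
    d = output_distribution(cycle_walk(3), 6, (0, 1), (0, 0, 0, 0), 3)
    print("walk M=8 k=2    :", distance_from_uniform(d), ">=", support_lower_bound(d))
```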
What does this theorem tell us about extraction in low-entropy settings? If we set s = m ≤ k (as in the walk on the cycle of Theorem 3.1) then Theorem 3.6 implies that when k < √(log n - log log n) we are confined to output length m ≤ log(k/(1 - ε)). In other words, the output length of Ω(log k) offered by Theorem 3.1 is close to optimal for extractors in this model when k < √(log n).

We note here a separate, trivial space lower bound that applies even to the forgetful case: since streaming algorithms under our model cannot produce any output bits until they have read all the input bits, we have s > m - 1 when ε < 1/2. This bound can in fact be generalized to streaming algorithms that are allowed to output bits at any point in their computation by a simple adaptation of a space lower bound for strong extractors proven in [BRST]. The resulting lower bound says that s ≥ m - 4 when ε ≤ 1/8 and k ≤ n/2 for extractors for OBFSs computable by any streaming algorithm.

We now turn to determining for what values of the entropy parameter k it is possible to achieve output length m = Ω(k) using the probabilistic method. Here we find that the results are roughly in agreement with our explicit lower bounds from the previous section. That is, a randomly chosen function f : {0,1}^n → {0,1}^m will almost always be an extractor for OBFSs with output length m = Ω(k) when k is larger than log n, and this output length cannot be achieved using the probabilistic method when k < log n. We then show that random functions can do better in the more relaxed realm of exposure-resilient functions: a randomly chosen function is almost always a static ERF with optimal output length for any k, and an adaptive ERF with optimal output length when k is larger than log log n.

Before we proceed, we state a Chernoff bound and a partial converse to it that we will use in proving these results. A sketch of the proof of Lemma 4.2 is given in the appendix.

Lemma 4.1 (A Chernoff bound). Let X_1, …, X_t be independent random variables taking values in [0, 1], and let X = (Σ_i X_i)/t and µ = E[X]. Then for every 0 < ε < 1, we have

Lemma 4.2 (Partial converse of Chernoff bound). Let X_1, …, X_t represent the results of independent, unbiased coin flips, and let X = (Σ_i X_i)/t. Then for every 0 ≤ ε ≤ 1/2, we have

Theorem 4.3 below, which follows from a straightforward application of the Chernoff bound stated in Lemma 4.1, shows that the probabilistic method gives extractors for OBFSs with k > log n. Theorem 4.4 then shows that k > log n is the best we can do using the probabilistic method.

Theorem 4.3. For every n ∈ N, k ∈ [n], and ε > 0, a randomly chosen function f : 1) is a deterministic ε-extractor for (n, k)-OBFSs with probability at least 1 - 2^(-Ω(Kε^2)), where K = 2^k.

Proof. Fix an (n, k)-OBFS X. Choosing the function f consists of independently assigning a string in {0,1}^m to each string in the support of X. In order for f to map X close to uniform, we need to have chosen it such that, for every fixed statistical test T ⊂ {0,1}^m, the fraction of strings in X mapped by f into T is very close to the density of T in {0,1}^m. This is expressed formally by the condition below.

|f

Now fix one specific test T ⊂ {0,1}^m. For each string w in the support of X, define the indicator variable I_w to be 1 if f(w) ∈ T and 0 otherwise. Then Lemma 4.1 (our Chernoff bound) applied to (Σ_w I_w)/2^k = |f^(-1)(T)|/2^k shows that f fails the condition above with probability at most 2^(-Ω(Kε^2)). There are 2^M possible tests T ⊂ {0,1}^m (where M = 2^m). A union bound over all these tests therefore gives that the probability that f fails to map X to within ε of uniform is at most 2^(M - Ω(Kε^2)).
We can perform a similar union bound over the possible choices of the source X: there are (n choose k) · N/K such sources, yielding that the probability that f is not a (k, ε)-RF is at most

provided K ≥ max{log(N/K), log (n choose k)} · c/ε^2 for a sufficiently large constant c and M ≤ c′Kε^2 for a sufficiently small constant c′. Taking logarithms gives the result.

The max{log(n - k), log log (n choose k)} term in the statement of Theorem 4.3 is always at most log n, so the theorem always holds when k ≥ log n + 2 log(1/ε) + O(1), as discussed earlier. In the following theorem, we prove a limitation on the extraction properties of random functions which shows that this bound on k is in fact nearly tight.

Theorem 4.4. There is a constant c such that for every n ∈ N, k ∈ [n], and ε ∈ [0, 1/2] satisfying k ≤ log(n - k) + 2 log(1/ε) - c, a random function f : {0,1}^n → {0, 1} will fail to be a deterministic ε-extractor for (n, k)-OBFSs with probability at least 1 - 2 - N/K , where N = 2^n and K = 2^k.

Proof. Fix an input size n and a set L of n - k fixed bits (say, L = [n - k]). To say that f is an ε-extractor for (n, k)-OBFSs is to say that all 2^(n-k) sets S of the form L * ,n satisfy the following condition.

Pr

Since f(w) is chosen independently for each string w ∈ S, we can use the converse of our Chernoff bound (Lemma 4.2) to say that the probability that f satisfies this condition for a fixed set S is at most 1 - 2^(-O(Kε^2)), where

Since there are N/K subsets of the form L * ,n and they are disjoint, the probability that f will fail the above condition on none of them (i.e. the probability that f is a resilient function) is at most

If the O(Kε^2) term is less than or equal to 1, this probability is at most 2^(-N/K). Otherwise, it is at most 2 - N/K provided that N/K ≥ 2^(CKε^2) for a sufficiently large constant C = 2^c. Taking logarithms twice completes the proof.
Theorem 4.4 does not establish that extractors for OBFSs with the stated parameters do not exist; indeed, as mentioned earlier, the parity function (i.e. f(x_1, …, x_n) = ⊕ x_i) is a perfect resilient function for even k = 1. What the theorem does show, however, is that k ≈ log n represents a critical point below which these extractors become very rare. This seems consistent with the lower bound on k proven in Theorem 3.6.

We now show that probabilistically constructing exposure-resilient functions is easier than constructing extractors for OBFSs. This is because, while the adversary can choose input sources in the extractor setting, here it can only expose them. The probabilistic constructions of static and adaptive ERFs both proceed by counting the number of adversaries that must be fooled and then applying Lemma 4.5 (below), which is an upper bound on the probability that a randomly chosen function will fail to fool a fixed adversary. This lemma applies equally both to static and adaptive adversaries; the difference in achievable parameters between static and adaptive ERFs therefore stems solely from the fact that there are many more adversaries in the adaptive setting.

Lemma 4.5. Let A : {0,1}^n → {0,1}^* be an algorithm that reads at most d bits of its input, let ε > 0, and choose a function f : {0,1}^n → {0,1}^m uniformly at random with m = n - d - 2 log(1/ε) - O(1). Then f will fail to satisfy

with probability at most 2^(-Ω(Nε^2)), where N = 2^n.

Proof. Lemma 2.9 allows us to assume without loss of generality that A adaptively reads d bits and outputs them in the order that they were read. Under this assumption, we have (A(U_n), U_m) = U_(d+m). We therefore need only to bound the probability that (

For every w ∈ {0,1}^n, define I_w to be 1 if (A(w), f(w)) ∈ T and 0 otherwise, and notice that Pr

and so by the regularity of A the expectation of (1/2^n) Σ_w I_w over the choice of f is |T|/2^(d+m).
A Chernoff bound (Lemma 4.1) then gives that the probability over the choice of f that Equation (4.1) is not satisfied is at most 2^(-Ω(Nε^2)). Since there are 2^(DM) possible choices of T in the above analysis (where D = 2^d, M = 2^m), a union bound shows that the probability that (A(U_n), f(U_n)) will fail one or more of them is at most 2

Having established that a random function will tend to fool a fixed adversary, we now establish the existence of static and adaptive exposure-resilient functions. In both cases, we do so by taking a union bound over all potential adversaries and applying Lemma 4.5. Thus, the parameters achieved are those that bring the number of adversaries to below 2^(Nε^2).

Theorem 4.6. For every n ∈ N, k ∈ [n], and ε ≥ c n/2 n where c is a universal constant, a randomly chosen function

Proof. Every static adversary that tries to distinguish the output of f from uniform is an algorithm A : {0,1}^n → {0,1}^(n-k) that reads exactly n - k bits of its input. We can therefore apply Lemma 4.5 with d = n - k to get that the probability that f will fail to fool any one adversary is at most 2^(-Ω(Nε^2)). Taking a union bound over the (n choose k) possible adversaries, we get that the probability that f will not fool all adversaries is at most

where the final equality is given by the constraint on ε.

Counting the number of adversaries in the adaptive setting is a bit more work, but Lemma 2.9 from our preliminaries simplifies this task.

Theorem 4.7. For every n ∈ N, k ∈ [n], and ε > 0, a randomly chosen function f : {0,1}^n → {0,1}^m with m ≤ k - 2 log(1/ε) - O(1) and k ≥ log log n + 2 log(1/ε) + O(1) is an adaptive (k, ε)-ERF with probability at least 1 - 2^(-Ω(Nε^2)), where N = 2^n.

Proof. The proof is identical to that of Theorem 4.6 except that we have to count the number of adaptive adversaries. We do so below.
First we note that Lemma 2.9 implies that if f fools all adaptive adversaries that output the bits they read as they read them, then f fools all adaptive adversaries. We therefore only need to count this smaller set of adversaries. The process by which such an adversary chooses which bits to request can be modelled by a decision tree of depth n - k - 1 whose internal nodes are labelled by elements of [n]. Since the number of nodes in such a tree is 2^(n-k-1) - 1 < N/2K, where N = 2^n and K = 2^k, we can bound the total number of trees (and therefore adversaries) by n^(N/2K). Proceeding with the same kind of union bound as in the proof of Theorem 4.6, we see that the probability that f will not fool all adaptive adversaries is at most n^(N/2K) · 2^(-Ω(Nε^2)) = 2^(-Ω(Nε^2)), provided that K ≥ (c log n)/ε^2 for a sufficiently large constant c. Taking logarithms yields the theorem.

The general question of whether there exist resilient functions with large output length in the low-entropy range studied here is still unresolved.

Open Question 1. Does there exist, for all n ∈ N and some growing function 0 < k(n) < log n, a deterministic ε-extractor for (n, k(n))-OBFSs with output length m = Ω(k(n)) and ε constant?

Theorem 3.6 shows that to resolve this question in the positive direction requires a function that is either not computable by a forgetless streaming algorithm or uses a considerable amount of space. In the other direction, an interesting step towards a negative result would be to at least remove the forgetlessness condition from the space lower bound proven in that theorem.

We can ask an analogous question for the case of adaptive ERFs with k < log log n.

Open Question 2. Does there exist, for all n ∈ N and some growing function 0 < k(n) < log log n, an adaptive (k(n), ε)-ERF with output length m = Ω(k(n)) and ε constant?

In this case, we cannot even rule out the possibility that a more clever use of the probabilistic method will resolve this question positively.
Thus, a first step toward a negative result might be to prove an analogue to Theorem 4.4 that shows that adaptive ERFs with near-optimal output length become very rare when k < log log n.

A third open problem arising from this work is that of finding an explicit construction of a static ERF with the parameters achieved using the probabilistic method in Theorem 4.6. Currently, an output length of Ω(k) is achieved in [DSS] using strong extractors, but the construction works only when k > log n. For k smaller than log n, there is no known construction of a static ERF that is not also an RF, making the construction of Theorem 3.6 the current state of the art. This leaves us with the following open question:

Open Question 3. Does there exist, for all n ∈ N and some growing function 0 < k(n) < log n, an explicit static (k(n), ε)-ERF with output length m = Ω(k(n)) and ε constant?

Footnotes:

In other words, A is a binary decision tree of depth n - k - 1 with leaves labelled by its output strings and each internal node labelled by the position of the bit that A requests at that juncture.

³ This additional error was overlooked in [KZ], and their Theorem 1.2 erroneously claims an error exponentially small in k.

n w I w . For x ∈ {0,1}^d, let T_x denote T ∩ ({x} × {0,1}^m). Then, for a fixed w, the expectation of I_w over the
