On the Problem of Local Randomness in Privacy Amplification with an Active Adversary

Notice: This research summary and analysis were automatically generated using AI technology. For accuracy, refer to the original arXiv paper.

We study the problem of privacy amplification with an active adversary in the information theoretic setting. In this setting, two parties Alice and Bob start out with a shared $n$-bit weak random string $W$, and try to agree on a secret random key $R$ over a public channel fully controlled by an active and unbounded adversary. Typical assumptions are that these two parties have access to local private uniform random bits. In this paper we seek to minimize the requirements on the local randomness used by the two parties. We make two improvements over previous results. First, we reduce the number of random bits needed for each party to $\Theta(\ell+\log n)$, where $\ell$ is the security parameter, as long as $W$ has min-entropy $n^{\Omega(1)}$. Previously, the best known result needs to use $\Theta((\ell+\log n)\log n)$ bits. Our result is also asymptotically optimal. Second, we generalize the problem to the case where the two parties only have local weak random sources instead of truly uniform random bits. We show that when each party has a local weak random source with min-entropy $> n/2$, there is an efficient privacy amplification protocol that works nearly as well as if the two parties have access to local uniform random bits. Next, in the case where each party only has a weak random source with arbitrarily linear min-entropy, we give an efficient privacy amplification protocol where we can achieve security parameter up to $\Omega(\log k)$. Our results give the first protocols that achieve privacy amplification when each party only has access to a local weak random source.


💡 Research Summary

The paper tackles privacy amplification in the information‑theoretic model against an active, computationally unbounded adversary who fully controls the public communication channel. Traditionally, two parties, Alice and Bob, start with a shared weak random string W of length n and min‑entropy k, and each is assumed to have access to private uniform random bits (local seeds). The goal is to agree on a secret key R while ensuring that the adversary learns essentially no information about R, even though it may tamper with every transmitted message.

Main Contributions

  1. Optimal Local Randomness – The authors show that, provided W has min‑entropy n^{Ω(1)}, each party needs only Θ(ℓ + log n) random bits to achieve a security parameter ℓ. This improves on the prior best bound of Θ((ℓ + log n)·log n) and matches a proven lower bound, making the result asymptotically optimal. The reduction is achieved by employing state‑of‑the‑art non‑malleable extractors together with a “seed‑reuse” technique: a short seed is used first to generate an authentication tag that detects any active tampering, and then the same seed (augmented with a small amount of fresh randomness) is used in a second extraction step that yields the final key. Because the extractor is non‑malleable, any adversarial modification of the first message cannot influence the second extraction in a way that helps the adversary, limiting its success probability to 2^{‑ℓ}.

  2. Weak Local Random Sources – The paper departs from the uniform‑seed assumption and studies two regimes of weak local randomness:

    • High‑entropy weak sources (> n/2): When each party possesses an independent source with min‑entropy exceeding n/2, a recent two‑source extractor can be applied. This extractor needs only O(log n) bits of additional seed and outputs a string that is statistically close to uniform. Consequently, the protocol’s performance (communication rounds, computational cost, and security) is essentially identical to the uniform‑seed case.
    • Linear‑entropy weak sources (αn, 0 < α < 1): For sources with only linear min‑entropy, the authors design a multi‑round protocol that attains a security parameter up to Ω(log k). Each round extracts a modest number of bits from the weak source, hashes them with an authenticated hash function, and uses the resulting tag to both detect tampering and to “bootstrap” entropy for the next round. After O(log k) rounds, a final non‑malleable extraction yields the secret key. The adversary’s advantage remains bounded by 2^{‑Ω(log k)}.

Technical Ingredients

  • Non‑Malleable Extractors: Central to both contributions, these extractors guarantee that even if an adversary sees the output on one seed and adaptively changes the seed, the output on the tampered seed remains independent of the original. The authors leverage recent constructions with seed length O(ℓ + log n) and error 2^{‑ℓ}.
  • Two‑Source Extractors: For the > n/2 case, the protocol uses a strong two‑source extractor that works with min‑entropy > n/2 and requires only a logarithmic‑size seed, effectively turning two weak sources into a uniform one.
  • Authenticated Hashing & Error‑Correcting Codes: To detect active manipulation, each round includes a tag generated by a universal hash function combined with an error‑correcting code of sufficient distance. This ensures that any modification by the adversary is caught with overwhelming probability.
  • Seed Reuse and Entropy Amplification: The protocol cleverly reuses the same short seed across multiple extraction steps, saving randomness while preserving security. In the linear‑entropy regime, entropy is amplified gradually across rounds, a technique reminiscent of “entropy accumulation” in cryptographic protocols.
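The two-phase flow of contribution 1 and the authentication-tag ingredient above, as an added toy simulation that is not code from the paper or its authors: Alice sends a short seed Y, Bob answers with a fresh seed X and a tag keyed by a value both derive from W and Y, and Alice verifies the tag before extracting the key from W using Y and X together. Everything here is a constructed stand-in: SHA-256 replaces the non-malleable extractor (it is not one), a polynomial one-time MAC over a Mersenne-prime field plays the authentication tag, and the names `toy_extract`, `run`, `flip_low_bit_of_x` and the 8-byte seed length are choices made for this illustration, not parameters from the paper.

```python
# Toy simulation of the seed-then-authenticated-seed structure described above.
# Hash-based stand-ins replace the paper's non-malleable extractor; nothing here
# is the paper's construction, and the seed lengths are demo choices only.
import hashlib

P = (1 << 61) - 1    # Mersenne prime: field for the one-time polynomial MAC (toy choice)
SEED_BYTES = 8       # local seed length per party in the toy (not the paper's bound)


def toy_extract(w: bytes, seed: bytes, label: bytes) -> int:
    """Stand-in for a seeded extractor applied to the shared weak string W.

    A real protocol needs a *non-malleable* extractor here; SHA-256 is only a
    placeholder so that the message flow can be executed offline."""
    digest = hashlib.sha256(label + len(seed).to_bytes(2, "big") + seed + w).digest()
    return int.from_bytes(digest, "big") % P


def mac_key(w: bytes, y: bytes):
    """Derive the one-time MAC key (a, b) from W and the first seed Y.

    a is forced non-zero so that tag(x) = a*x + b is injective in x for a fixed key."""
    a = 1 + toy_extract(w, y, b"mac-a") % (P - 1)
    b = toy_extract(w, y, b"mac-b")
    return a, b


def mac(key, x: int) -> int:
    a, b = key
    return (a * x + b) % P


def bob_respond(w: bytes, y_received: bytes, x: bytes):
    """Bob: key the MAC from the seed he received, then authenticate his own fresh seed X."""
    x_int = int.from_bytes(x, "big")
    return x, mac(mac_key(w, y_received), x_int)


def alice_finish(w: bytes, y: bytes, x_received: bytes, tag_received: int):
    """Alice: verify Bob's tag under her own view of Y; abort (None) on mismatch, else extract."""
    x_int = int.from_bytes(x_received, "big")
    if mac(mac_key(w, y), x_int) != tag_received:
        return None
    # Seed reuse: the same Y, augmented with X, drives the key extraction.
    return toy_extract(w, y + x_received, b"key")


def bob_finish(w: bytes, y_received: bytes, x: bytes) -> int:
    return toy_extract(w, y_received + x, b"key")


def run(w: bytes, y: bytes, x: bytes, tamper_y=None, tamper_xtag=None):
    """Execute one session over a channel the adversary controls.

    tamper_y rewrites the Alice->Bob message Y; tamper_xtag rewrites the Bob->Alice
    message (X, tag).  Returns ("ok", key) when both parties derive the same key,
    ("abort", None) when Alice rejects the tag, and ("mismatch", None) when Alice
    accepted but the two keys differ (a security failure)."""
    y_at_bob = tamper_y(y) if tamper_y else y
    x_sent, tag_sent = bob_respond(w, y_at_bob, x)
    x_at_alice, tag_at_alice = tamper_xtag(x_sent, tag_sent) if tamper_xtag else (x_sent, tag_sent)
    key_a = alice_finish(w, y, x_at_alice, tag_at_alice)
    if key_a is None:
        return "abort", None
    key_b = bob_finish(w, y_at_bob, x)
    return ("ok", key_a) if key_a == key_b else ("mismatch", None)


def flip_low_bit_of_x(x: bytes, tag: int):
    """Adversary substitutes X' = X xor 1 but replays Bob's original tag."""
    return x[:-1] + bytes([x[-1] ^ 1]), tag


if __name__ == "__main__":
    import secrets
    w = secrets.token_bytes(32)           # constructed stand-in for the shared weak string W
    y = secrets.token_bytes(SEED_BYTES)   # Alice's local randomness
    x = secrets.token_bytes(SEED_BYTES)   # Bob's local randomness
    print("honest:  ", run(w, y, x))
    print("tamper X:", run(w, y, x, tamper_xtag=flip_low_bit_of_x))
    print("tamper Y:", run(w, y, x, tamper_y=lambda s: bytes([s[0] ^ 0x80]) + s[1:]))
```

The X-substitution attack is caught with certainty rather than with high probability: the two tags differ by a multiple of a, and a is never zero modulo the prime, so a replayed tag cannot match a changed X; forging a fresh tag for a new X without knowing (a, b) succeeds with probability 1/P. Tampering with Y is the case where the real protocol relies on non-malleability, because Bob's MAC key is then derived from a seed the adversary chose; the hash stand-in offers no such guarantee, which is precisely the gap the non-malleable extractors in the paper close.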

Security Proof Sketch

The authors provide a hybrid argument that transitions from the real protocol to an ideal world where the adversary receives only the public transcript and no information about R. At each hybrid step, the non‑malleability of the extractor guarantees that the distribution of the extracted key remains statistically close to uniform, despite any adaptive changes to the seed or messages. The authentication tags ensure that any tampering leads to abort with probability at least 1 − 2^{‑ℓ}. For the linear‑entropy case, the accumulation of entropy across O(log k) rounds yields a final min‑entropy of Ω(log k), which is then extracted securely.

Efficiency

All operations are polynomial in n. Communication consists of a constant number of rounds for the high‑entropy case and O(log k) rounds for the linear‑entropy case. The total number of local random bits used matches the lower bound Θ(ℓ + log n). The protocols are thus both theoretically optimal and practically implementable, especially in constrained environments where generating high‑quality randomness is costly.

Implications and Future Work

By minimizing the amount of truly uniform randomness required and by showing that even weak local sources suffice, the paper opens the door to privacy amplification in settings such as low‑power IoT devices, sensor networks, and hardware‑constrained platforms where high‑quality randomness is scarce. Future research directions include extending the techniques to sub‑linear entropy sources, improving the concrete constants in the non‑malleable extractor constructions, and exploring real‑world implementations that integrate these protocols with existing cryptographic stacks.

