Nearly-Linear Time Seeded Extractors with Short Seeds
Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters. However, existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors impractical. Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields such extractors. More precisely, we obtain strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time. When $k$ or $\varepsilon$ are very small, our construction requires a reasonable one-time preprocessing step. These extractors directly yield privacy amplification protocols with nearly-linear time complexity (possibly after a one-time preprocessing step), large output length, and low communication complexity. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in truly linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)\,\mathrm{polylog}(n)}$. Previous fast implementations of Trevisan's extractor ran in $\widetilde{O}(n)$ time in this setting.
💡 Research Summary
The paper addresses a long‑standing bottleneck in the practical deployment of seeded randomness extractors: achieving optimal seed length O(log (n/ε)) while also running in nearly linear time Õ(n) for arbitrary error ε. Classical constructions with optimal seed length (e.g., GUV09, LRVW03) require Ω(n log (1/ε)) time, which is prohibitive when cryptographic applications demand very small error. The authors propose a two‑stage framework that combines modern short‑seed condensers with extractors for high‑min‑entropy sources, and they implement each stage in nearly linear time, possibly after a modest one‑time preprocessing step.
Stage 1 – Condensation.
The input source X ∈ {0,1}ⁿ with min‑entropy k is first passed through a condenser with seed length O(log (n/ε)). Two condensers are used: (i) the lossless Kalev‑Ta‑Shma (KT) condenser, which preserves essentially all of the min‑entropy of X and can be evaluated in Õ(n) time; (ii) the lossy Reed‑Solomon‑based condenser of Guruswami‑Umans‑Vadhan (GUV09), which gives up a small amount of entropy but also runs in nearly linear time. The choice between them depends on the relationship between k and ε. In either case the output X′ is a much shorter string that is ε‑close to a source with min‑entropy close to k, i.e., a source of high min‑entropy rate, which is what the second stage needs.
Stage 2 – Extraction from High‑Entropy Sources.
Given X′, the authors apply a strong extractor designed for high‑min‑entropy sources. They adapt the recursive constructions of Srinivasan‑Zuckerman (SZ99) and the later GUV09 extractor, with several optimizations: the recursion depth is bounded by log* n, and each recursive level performs three sub‑steps (block‑source generation, subsampling, and block‑source extraction) in Õ(n) time. Fast constructions of small‑bias sets, bounded‑independence samplers, and nearly‑linear‑time condensers serve as building blocks. The result is a strong (k, ε)‑extractor with seed length d ≤ C·log (n/ε) and output length m ≥ (1‑η)k for any constant η>0, computable in Õ(n) time. When k or ε are extremely small, a one‑time preprocessing step generates O(log* n) or O(log log n) small primes together with primitive elements of the corresponding fields; this preprocessing runs in polylog (n/ε) time using randomness, or in deterministic Õ(n) time using known number‑theoretic algorithms. Because it depends only on the parameters (n, k, ε) and not on the source or the seed, it is done once per parameter set and its output can be reused.
Non‑Recursive Construction.
In addition to the recursive scheme, the paper presents a “non‑recursive” construction that avoids the intricate recursion altogether. It directly composes a condenser, a sampler, and a block‑source extractor, achieving the same parameters when k ≫ polylog (1/ε). This approach simplifies implementation and may be preferable in practice.
Fast Instantiation of Trevisan’s Extractor.
Trevisan’s extractor is widely used because it is known to be quantum‑proof, but its standard implementation is costly for large output lengths: each output bit requires reading one symbol of an error‑correcting encoding of the source at a position selected by the seed restricted to one set of a combinatorial design. The authors propose a new instantiation that leverages fast multipoint evaluation of Reed‑Solomon codes and a pre‑computed combinatorial design. For any output length m ≤ n/(log (1/ε)·polylog n), the extractor runs in truly linear time O(n) in the RAM model; more precisely, the running time is O(n) plus an m·log (1/ε)·polylog n term, after a preprocessing step costing Õ(m·log (n/ε)). When m ≤ n/(log (1/ε)·log⁽ᶜ⁾ n) for a constant c, the preprocessing is unnecessary and the runtime is simply O(n). In the Turing‑machine model the runtime is Õ(n + m·log (1/ε)). This result fills a gap in the literature, providing a practically fast, quantum‑proof extractor for moderate to large output sizes.
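To make the per‑output‑bit cost concrete, here is an added, deliberately small instantiation of Trevisan's extractor in Python. It is not the paper's linear‑time construction and not code from the authors: it uses the textbook ingredients (a Reed‑Solomon code over GF(256) concatenated with the Hadamard code as the binary list‑decodable code, and a Nisan‑Wigderson polynomial design over GF(16) as the weak design) with toy parameters chosen by me: seed length d = 256 bits, at most m = 256 output bits, sources of at most 1024 bits. All names (gf_mul, poly_eval, nw_design, trevisan_extract, the modulus constants) are mine. What it shows is the structure the paper speeds up: the design is a one‑time preprocessing step independent of the source and seed, and every output bit triggers a separate Horner evaluation of the source polynomial, i.e. Θ(m·n) field multiplications in the naive implementation; the paper's multipoint evaluation replaces those m separate evaluations.

```python
"""Toy Trevisan extractor: Reed-Solomon (x) Hadamard code plus a Nisan-Wigderson weak design.

Added example with deliberately tiny, assumed parameters (not the paper's construction):
  - design over GF(16): seed length d = 16^2 = 256 bits, each S_i has 16 elements,
    pairwise intersections <= 1, up to m = 256 output bits;
  - code positions are 16-bit indices (a, r): a in GF(256), r in {0,1}^8, and
    C(x)_(a,r) = <f(a), r> mod 2, where f is x's bytes read as Reed-Solomon coefficients.
"""
from typing import List

GF16_MOD, GF256_MOD = 0x13, 0x11B   # x^4+x+1 and the AES polynomial x^8+x^4+x^3+x+1
DESIGN_S = 4                        # design lives over GF(2^4)
SEED_LEN = (1 << DESIGN_S) ** 2     # d = q^2 = 256 seed bits
MAX_X_BYTES = 128                   # keep the RS degree < 128 so the code has rate >= 1/2


def gf_mul(a: int, b: int, bits: int, modulus: int) -> int:
    """Carry-less multiplication in GF(2^bits) modulo the given irreducible polynomial."""
    r = 0
    for _ in range(bits):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> bits:
            a ^= modulus
    return r


def poly_eval(coeffs: List[int], a: int, bits: int, modulus: int) -> int:
    """Horner evaluation of sum_j coeffs[j] * a^j over GF(2^bits): one multiplication per coefficient."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, a, bits, modulus) ^ c
    return acc


def nw_design(m: int, degree: int = 1) -> List[List[int]]:
    """Nisan-Wigderson weak design over GF(q), q = 2^DESIGN_S: S_i = {q*a + p_i(a) : a in GF(q)},
    where p_i has the base-q digits of i as coefficients. Distinct polynomials of degree <= `degree`
    agree on at most `degree` points, so |S_i & S_j| <= degree. Requires m <= q^(degree+1).
    This is the one-time preprocessing: it depends only on (m, d), not on the source or the seed."""
    q = 1 << DESIGN_S
    if m > q ** (degree + 1):
        raise ValueError("too many output bits for this design")
    design = []
    for i in range(m):
        coeffs = [(i // q ** j) % q for j in range(degree + 1)]
        design.append([q * a + poly_eval(coeffs, a, DESIGN_S, GF16_MOD) for a in range(q)])
    return design


def max_pairwise_intersection(design: List[List[int]]) -> int:
    """Largest |S_i & S_j| over i != j: the weak-design parameter worth checking after preprocessing."""
    sets = [set(S) for S in design]
    return max((len(sets[i] & sets[j]) for i in range(len(sets)) for j in range(i)), default=0)


def rs_hadamard_bit(coeffs: List[int], pos: int) -> int:
    """Bit `pos` (a 16-bit index) of RS(x) concatenated with Hadamard: pos = (a, r), bit = <f(a), r>."""
    a, r = pos >> 8, pos & 0xFF
    return bin(poly_eval(coeffs, a, 8, GF256_MOD) & r).count("1") & 1


def trevisan_extract(x_bits: List[int], seed_bits: List[int], m: int) -> List[int]:
    """Trevisan's extractor: Ext(x, y)_i = C(x) at position y restricted to S_i, i = 0..m-1."""
    if len(seed_bits) != SEED_LEN or len(x_bits) % 8 or len(x_bits) > 8 * MAX_X_BYTES:
        raise ValueError("seed must be 256 bits; x must be a whole number of bytes, at most 128")
    coeffs = [int("".join(map(str, x_bits[i:i + 8])), 2) for i in range(0, len(x_bits), 8)]
    out = []
    for S in nw_design(m):
        pos = 0
        for j in S:                     # y|S_i, read as a 16-bit code position
            pos = (pos << 1) | seed_bits[j]
        # Each output bit re-evaluates f at a fresh point: m Horner runs of n/8 field
        # multiplications each, i.e. Theta(m * n) work. Evaluating f at all m points at once
        # with fast multipoint evaluation is the step the paper speeds up.
        out.append(rs_hadamard_bit(coeffs, pos))
    return out


if __name__ == "__main__":
    import random
    rng = random.Random(2024)                       # constructed sample input, not real entropy
    x = [rng.getrandbits(1) for _ in range(1024)]   # a 1024-bit weak source
    y = [rng.getrandbits(1) for _ in range(SEED_LEN)]
    print("".join(map(str, trevisan_extract(x, y, 64))))
```

Two practical points follow from the code. The design check (max_pairwise_intersection) is what you would run once after preprocessing, since a bad design silently destroys the extractor's guarantee while the code still produces output of the right length. And the inner loop makes visible why output length, not just input length, drives the cost: m grows, and so does the number of independent polynomial evaluations, which is the m·log(1/ε)·polylog n term in the paper's running time.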
Implications and Applications.
The main theorem yields a privacy‑amplification protocol in which one party sends only the O(log (n/ε))‑bit seed over an authenticated public channel, and both parties extract almost the entire min‑entropy of their shared weak secret, with overall time Õ(n) (plus a one‑time preprocessing cost when k or ε are tiny). The constructions also open the door to faster implementations of cryptographic primitives that rely on seeded extractors, such as leakage‑resilient encryption and non‑malleable codes. For quantum‑secure key distribution the relevant result is the fast Trevisan instantiation, since only Trevisan's extractor is known to be quantum‑proof; no such claim is made for the condenser‑based construction.
In summary, the paper delivers the first general‑purpose strong seeded extractor that simultaneously attains optimal seed length, near‑optimal output length, and nearly linear runtime for arbitrary error. It also provides a truly linear‑time version of Trevisan’s extractor for a wide range of output lengths, thereby substantially improving the practicality of extractor‑based cryptographic protocols.