Online Condensing of Unpredictable Sources via Random Walks

Doron, Dean; Moshkovitz, Dana; Oh, Justin; Zuckerman, David

doi:10.4230/LIPIcs.CCC.2025.30

Online Condensing of Unpredictable Sources via Random Walks

Dean Doron

Ben-Gurion University of the Negev, Beer-Sheva, Israel Dana Moshkovitz

University of Texas at Austin, TX, USA Justin Oh

University of Haifa, Israel David Zuckerman

University of Texas at Austin, TX, USA

Abstract

A natural model of a source of randomness consists of a long stream of symbols $X=X_{1}\circ\ldots\circ X_{t}$ , with some guarantee on the entropy of $X_{i}$ conditioned on the outcome of the prefix $x_{1},\dots,x_{i-1}$ . We study unpredictable sources, a generalization of the almost Chor–Goldreich (CG) sources considered in [9]. In an unpredictable source $X$ , for a typical draw of $x\sim X$ , for most $i$ -s, the element $x_{i}$ has a low probability of occurring given $x_{1},\dots,x_{i-1}$ . Such a model relaxes the often unrealistic assumption of a CG source that for every $i$ , and every $x_{1},\dots,x_{i-1}$ , the next symbol $X_{i}$ has sufficiently large entropy. Unpredictable sources subsume all previously considered notions of almost CG sources, including notions that [9] failed to analyze, and including those that are equivalent to general sources with high min entropy.

For a lossless expander $G=(V,E)$ with $m=\log|V|$ , we consider a random walk $V_{0},V_{1},\ldots,V_{t}$ on $G$ using unpredictable instructions that have sufficient entropy with respect to $m$ . Our main theorem is that for almost all the steps $t/2\leq i\leq t$ in the walk, the vertex $V_{i}$ is close to a distribution with min-entropy at least $m-O(1)$ .

As a result, we obtain seeded online condensers with constant entropy gap, and seedless (deterministic) condensers outputting a constant fraction of the entropy. In particular, our condensers run in space comparable to the output entropy, as opposed to the size of the stream, and even when the length $t$ of the stream is not known ahead of time. As another corollary, we obtain a new extractor based on expander random walks handling lower entropy than the classic expander based construction relying on spectral techniques [11].

As our main technical tool, we provide a novel analysis covering a key case of adversarial random walks on lossless expanders that [9] fails to address. As part of the analysis, we provide a “chain rule for vertex probabilities”. The standard chain rule states that for every $x\sim X$ and $i$ , $\Pr(x_{1},\dots,x_{i})=\Pr[X_{i}=x_{i}|X_{[1,i-1]}=x_{1},\dots,x_{i-1}]\cdot% \Pr(x_{1},\dots,x_{i-1})$ . If $W(x_{1},\dots,x_{i})$ is the vertex reached using $x_{1},\dots,x_{i}$ , then the chain rule for vertex probabilities essentially states that the same phenomena occurs for a typical $x$ :

\Pr[V_{i}=W(x_{1},\dots,x_{i})]\lesssim\Pr[X_{i}=x_{i}|X_{[1,i-1]}=x_{1},\dots% ,x_{i-1}]\cdot\Pr[V_{i-1}=W(x_{1},\dots,x_{i-1})],

where $V_{i}$ is the vertex distribution of the random walk at step $i$ using $X$ .

Keywords and phrases:

Randomness Extractors, Expander Graphs

Funding:

Dana Moshkovitz: Supported in part by NSF Grant CCF-2312573 and CCF-2200956.

Justin Oh: Supported by NSF Grant CCF-2312573. This work was done while a student at the University of Texas as Austin.

David Zuckerman: Supported in part by NSF Grant CCF-2312573 and a Simons Investigator Award (#409864).

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Expander graphs and randomness extractors

Editors:

Srikanth Srinivasan

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Randomness is an extremely useful and ubiquitous tool in computer science. Algorithms, protocols and reductions often assume access to uniformly distributed bits. An inherent question is what kind of randomness we can reasonably obtain from nature (or engineering), and whether we can make such randomness as useful as uniform bits. This has spawned a long line of research with many deep and interesting results.

Random walks and their analysis are also an essential tool in computer science, as well as in mathematics and physics. It is natural, therefore, to ask

How do random walks behave when the instructions for each step are not truly uniform and independent?

Such a scenario occurs when the instructions come from a weak source of randomness. A common assumption about a weak source is that overall, it has min-entropy.¹¹1We say $X\sim\left\{{0,1}\right\}^{n}$ has min-entropy $k$ , $H_{\infty}(X)\geq k$ , if $\max_{x\sim X}\Pr[X=x]\leq 2^{-k}$ . We call such an $X$ a $k$ -source and $k/n$ the entropy rate. The hope is that the quality of the vertex distribution of the random walk is much better, and more useful, than that of the original source.

Gillman’s Chernoff bound for random walks on expanders [11] implies that most nodes on an expander random walk are close to uniform for any source with entropy rate very close to 1 (see, e.g., [21]). However, random walks cannot mix for general rate $1/2$ sources, since an adversary that controls half the steps can have the even numbered steps undo the odd numbered steps. It’s therefore interesting to ask if any structure in the source can enable random walks to mix for lower entropy rates. The first paper to address this question was [9], who showed that for certain low-rate sources random walks do mix well.

Successful analyses of such random walks give clean constructions of extractors and condensers, which purify the randomness in a weak source. Specifically, an extractor is a function $\mathsf{Ext}\colon\left\{{0,1}\right\}^{n}\times\left\{{0,1}\right\}^{\ell}\to% \left\{{0,1}\right\}^{m}$ that uses an independent and uniform $\ell$ -bit seed $Y$ to convert $X$ into a distribution $\mathsf{Ext}(X,Y)$ that is statistically close to uniform. A condenser is slightly weaker: It’s a function $\mathsf{Cond}\colon\left\{{0,1}\right\}^{n}\times\left\{{0,1}\right\}^{\ell}% \to\left\{{0,1}\right\}^{m}$ that converts $X$ into a distribution with high entropy rate. If $\mathsf{Cond}(X,Y)$ is close to a $k^{\prime}$ -source, then a successful condensing means that $k^{\prime}/m\gg k/n$ . The $\ell$ -bit string in both cases is called the seed. In certain cases, seedless (deterministic) extraction and condensing, where $\ell=0$ , is also possible.

A natural family of weak sources is one where $X$ is a long stream of short symbols, $X=X_{1}\circ\ldots\circ X_{t}\sim\left\{{0,1}\right\}^{dt=n}$ , with each symbol being revealed one at a time. Indeed, historically, some of the first definitions of weak sources [14, 5] were streaming models. Similarly, a very natural question is how well a random walk mixes when one uses the stream of short symbols as instructions. The streaming model of randomness also corresponds to common sources of randomness in practice. Probably the most popular sources of entropy involve the exact timing of interrupts from mouse movements, keyboard strokes, disk I/O, receiving network packets, and other unpredictable events. Other sources include thermal noise and repeatedly looking at the last few digits of a clock timed according to an independent clock.

To model such streaming sources, one needs some property that implies that each $X_{i}\sim\left\{{0,1}\right\}^{d}$ has some entropy, even conditioned on the previously observed $x_{1},\dots,x_{i-1}$ (we often abbreviate this as $x_{[1,i-1]}$ ). Commonly studied notions such as sequences of independent sources, Santha–Vazirani (SV) sources [14], and Chor–Goldreich (CG) sources [5] indeed have these properties. A $\delta$ -CG source is a sequence of random blocks $X=X_{1}\circ\ldots\circ X_{t}$ , each $X_{i}\sim\left\{{0,1}\right\}^{d}$ , such that for any $i$ and any prefix $a\in\left\{{0,1}\right\}^{d(i-1)}$ , it holds that $H_{\infty}(X_{i}|X_{[1,i-1]}=a)\geq\delta d$ . A previous work [9] shows that random walks using CG sources can in fact mix, and obtains excellent deterministic condensers as a result.

One distinct advantage of random walk based extractors and condensers is that they are readily online. That is, it is not necessary to know ahead of time how long the stream $X_{1},\dots,X_{t}$ is, and nevertheless, the procedure can utilize most of the total entropy $k$ within, by processing each symbol of the stream sequentially in a read-once fashion, and in space comparable to the amount of entropy $m$ we need, as opposed to the length of the stream $t$ . We emphasize that the notion of online extracting and condensing goes hand in hand with streaming models of randomness such as CG sources, which in turn goes hand in hand with random walks. Moreover, aside from a few works [7, 8, 9], online constructions for various types of sources are scarce.

Unfortunately, the assumptions of a CG source are quite strong, and may be unrealistic in practice. In a CG source, no matter the outcome of the previous symbols $x_{1},\dots,x_{i}$ , it must be the case that the next symbol $X_{i}$ has high entropy. In some sense, such a definition asserts that the randomness stream can contain no “errors” of a certain type. Although [9] effectively analyzes certain kinds of errors, for others, it completely fails.

Our work continues the line of inquiry in [9] by generalizing the notion of CG sources and asking whether online condensing of randomness streams is possible even in the presence of errors. We give a novel analysis of random walks using a stream of symbols, which may be of independent interest, showing that mixing is possible even in the presence of a very general notion of errors. Thus, we give online extractors and condensers for a more general and practical class of sources. The class of randomness streams we consider are what we call unpredictable sources.

Definition 1 (unpredictable source, simplified).

We say that $X=X_{1}\circ\ldots\circ X_{t}$ , each $X_{i}\sim\left\{{0,1}\right\}^{d}$ , is a $(\delta,\rho)$ (simplified) unpredictable source, if, for every $i$ , with probability at least $1-\rho$ over $\sigma\sim X$ , it holds that $\Pr[X_{i}=\sigma_{i}|X_{[1,i-1]}=\sigma_{[1,i-1]}]\leq 2^{-\delta d}$ .

In words, in an unpredictable source, for every $i$ , with high probability over a sample $\sigma\sim X$ , the next symbol $\sigma_{i}$ is unlikely, conditioned on its prefix. This notion forgoes the often demanding assumption of CG sources: It is no longer true that $X_{i}$ has high entropy regardless of the outcome of the previous symbols. (For another simplified instantiation of unpredictable sources, see Definition 6.)

We think of $\rho$ as the error parameter of the source. Intuitively, it represents the probability of seeing a low-entropy step. As we discuss later on, the analysis of [9] completely fails on unpredictable sources, and so online condensing of such sources is unknown. Our results even hold for a more general notion of unpredictable source, where only the average “error” over $i$ needs to be small.

Definition 2 (unpredictable source).

We say that $X=X_{1}\circ\ldots\circ X_{t}$ , each $X_{i}\sim\left\{{0,1}\right\}^{d}$ , is a $(\delta,\rho)$ unpredictable source, if, when defining

\rho_{i}(X,\delta)=\Pr_{x\sim X}\left[\Pr\left[X_{i}=x_{i}\mid X_{[1,i-1]}=x_{% [1,i-1]}\right]>2^{-\delta d}\right],

it holds that $\operatorname*{\mathbb{E}}_{i\sim[t]}[\rho_{i}(X,\delta)]\leq\rho$ .

We present and study this definition for two main reasons. The first is that it seems natural. In particular, it elegantly generalizes all previous notions of almost CG source considered in [9] (see Definition 6). The second is that, perhaps surprisingly, this notion is weak enough to capture arbitrary high-entropy sources. Indeed, not only are unpredictable sources close to having high min-entropy, but the converse is true as well: Arbitrary $(1-\rho)n$ -sources are $(1/2,2\rho)$ unpredictable sources! (see [10, Proposition 6.4], the full version of this extended abstract). Since $(1-\rho)n$ sources cannot be condensed (without seed) beyond their entropy rate (see e.g. [10, Claim A.1]), the following observation is immediate:

Observation 3.

For $\delta\leq 1/2$ , there is no deterministic condenser for $(\delta,\rho)$ unpredictable sources to entropy rate $>(1-\rho/2)$ .

Nevertheless, we give an elegant construction of a seeded condenser for such sources beyond this entropy rate, and a deterministic condenser for such sources close to this rate.

The crux of our result is an analysis that shows that random walks using unpredictable sources can “mix” sufficiently well.

Theorem 1 (main (informal)).

(See [10, Theorem 3.14, Corollary 3.16]) Let $\delta,\rho>0$ and $D=2^{d}>1$ be constants. Let $X=X_{1}\circ\dots\circ X_{t}$ , $X_{i}\sim\left\{{0,1}\right\}^{d}$ , be a $(\delta,\rho)$ unpredictable source. Let $G$ be a sufficiently good $D$ -regular lossless expander on an appropriately chosen number of vertices $M=2^{m}$ .²²2See Section 1.3 for a discussion about lossless expanders. $M=M(d,t,\delta,\rho)$ is chosen to be up to roughly $2^{k}$ , for $k$ being the (smooth) min-entropy of $X$ .

Suppose that the $X_{i}$ -s are used as instructions for a random walk on $G$ from an arbitrary starting vertex. Given $x\sim X$ , let $W_{i}(x)$ denote the vertex reached in the $i$ -th step using $x$ as instructions, and let $Z_{i}(x)=-\log\Pr_{x\sim X}[W_{i}(X)=W_{i}(x)]$ . Then,

\Pr_{i\in[t/2,t],x\sim X}[Z_{i}(x)<m-O(1)]\leq O(\rho)

In words, for most steps in the second half of the random walk, most of the vertices reached are unlikely. Thus, for a random $i$ , $W_{i}(X)$ is close to an extremely high entropy distribution, namely one with constant entropy gap! We emphasize again that the analysis requires a new technique, since the analysis in [9] fails to give anything useful for unpredictable sources. Moreover, this works for low entropy rate, unlike the high-entropy result that follows from Gillman’s Chernoff bound for random walks. Constructions of online condensers and extractors follow as corollaries to this analysis, and we discuss them next.

1.1 Online Extracting and Condensing

Due to the streaming nature of our source $X$ , one would like a condenser (or extractor) for such sources to process each symbol sequentially as it is received. The notion of online condensing achieves exactly this. As in the model from Dodis, Guo, Stephens-Davidowitz, and Xie [7, 8], in (deterministic) online condensing, the function $\mathsf{Cond}$ is implemented by a procedure that starts in a state $S_{0}$ , and makes a sequence of calls to an update procedure

S_{i+1}\leftarrow\mathsf{Update}(S_{i},X_{i+1}).

The length of each state $S_{i}$ should be not much larger than the final output length $m$ . The procedure may then output the final state $S_{t}\in\left\{{0,1}\right\}^{m}$ (or perhaps some function of $S_{t}$ ).

We clarify that the question of whether online condensing is possible is entirely orthogonal to the question of whether seeded condensing is possible. Indeed, a natural question to ask is whether (and how well) can general weak sources be condensed in an online manner. In the case of seeded online condensing (and in some regimes, we provably must use a seed), one may consider an update procedure that also takes as input a seed $Y\in\left\{{0,1}\right\}^{\ell}$ that is independent of the stream $X$ , and computes $S_{i+1}\leftarrow\mathsf{Update}(S_{i},X_{i+1},Y)$ .³³3 Since the seed length $\ell$ typically depends on $t$ , when the length of the stream $t$ is not known in advance, one can model the use of a uniform seed by also viewing it as a stream of uniform and independent bits. For example, the seed can be initialized to the empty string (or some constant length uniform string), and $\mathsf{Cond}$ may call, in conjunction with each update, an additional procedure, $Y\leftarrow\mathsf{ExtendSeed}(S_{i},Y)$ , that may choose to increase the length of $Y$ by one or several bits, depending on the current state $S_{i}$ . Generally, the choice to extend $Y$ will depend on how many symbols $\mathsf{Cond}$ has seen so far, which would be stored in the state. The guarantee of such a $\mathsf{Cond}$ should be that at any point in the stream $i$ , the state $S_{i}$ should contain most of the entropy seen so far in $X_{1},\dots,X_{i}$ (or about $|S_{i}|$ , if this length is smaller), and the length of $Y$ relative to $i$ should be small. The hope is that the update procedure accumulates the additional entropy from $X_{i}$ in each step into the state $S_{i}$ , and thus the final state $S_{t}$ contains most of the entropy in $X$ (or about the length of $|S_{t}|$ , if this length is smaller). As noted earlier, the advantages of such an online model of condensing are that it allows one to utilize the entropy that was overall contained in the entire stream $X$ , even if one does not know the length of the stream $t$ ahead of time. Moreover, when one only wishes to get $m$ bits of entropy out of a very long stream of length $t\gg m$ . An online construction would use space $m$ rather than $t$ .

1.2 Online Condensing via Random Walks

In [9], they showed that a natural way to condense a randomness stream is to use its symbols as instructions for a random walk over an expander $G$ , starting from an arbitrary fixed vertex (similarly to Theorem 1). The intuition is that if a step in a random walk makes progress towards mixing, then that step accumulates the entropy from the instruction into the vertex distribution. Thus, using the current vertex in the walk as our “state” yields a (deterministic) condenser with output length $m=\log M$ , where $M$ is the number of vertices of $G$ .⁴⁴4One may notice that committing to a graph of size $M$ may be problematic when the length of the stream is not known ahead of time, as one would like $m$ to be comparable to $t$ . This can be fixed with a trick of repeatedly increasing the size of the graph at regular intervals. We discuss this more in Section 1.5.1, and for most of the introduction, we will assume that $t$ is known ahead of time.

In this work, we are primarily focused on sequences $X_{1},\dots,X_{t}$ that may not mix at every step, as is the case for unpredictable sources. We now give broad intuition on how such erroneous steps affect condensing. Suppose that a symbol $X_{i}$ is highly correlated with the previous instructions $x_{1},\dots,x_{i-1}$ . Also, assume that the vertex distribution at step $i-1$ is uniform on some set $S$ of size $K$ . If $G$ is a $D$ -regular graph, then an adversarially chosen $X_{i}$ may cause the walk to “consolidate” the vertices of $S$ into groups of size $D$ . This would result in a vertex distribution that is uniform on a set of size $K/D$ , and hence $d=\log D$ bits of entropy were lost. In general, one can show that this is the worst that can happen, and so if there are very few bad steps overall, then overwhelmingly, mixing, and thus condensing, indeed occurs. Realizing this intuition for unpredictable sources poses several challenges, that we discuss further in Section 1.5.

1.3 CG-Sources, Lossless Expanders, and the DMOZ Condenser

Towards discussing unpredictable sources, let us first review in more detail the previous work, [9], on condensers via random walks. Both here, and in [9], we study random walks on lossless expanders. A degree- $D$ $(K,\varepsilon)$ -lossless expander on $M$ vertices is an undirected graph $G$ such that for any set $S\subseteq V,|S|\leq K$ , the size of the neighborhood $\Gamma(S)$ satisfies $|\Gamma(S)|\geq(1-\varepsilon)D|S|$ .⁵⁵5More technically, we consider bipartite graphs $([M],[M],E)$ , as these are what the known explicit constructions yield. However, at a high level, this distinction is not necessary. [9] proved that a random walk using $X$ , starting from an arbitrary fixed vertex, on a sufficiently good lossless expander, accumulates entropy and thus yields a deterministic condenser.

Theorem 4 ([9], informal).

Let $\delta,\eta$ be constants. Suppose that for every $M=2^{m}$ , there exists an explicitly computable $D=2^{d}$ -regular $(K,\varepsilon)$ -lossless expander on $M$ vertices, with $\varepsilon\ll D^{-(1-\delta)}$ , and $K=M/{\rm poly}(D)$ . Then, for any positive integer $t$ , there exists an explicit function

\mathsf{Cond}\colon\left\{{0,1}\right\}^{n=dt}\rightarrow\left\{{0,1}\right\}^% {m=\Omega(\delta dt)}

such that given a $\delta$ -CG source $X$ , $\mathsf{Cond}(X)$ is $\eta$ -close to an $m-O(\log(1/\eta))$ -source. Moreover, $\mathsf{Cond}$ can be computed in an online manner.⁶⁶6[9], also handled almost $\delta$ -CG sources. In this definition, instead of each $X_{i}$ being a $\delta d$ -source for every prefix, each $X_{i}$ is only $\gamma$ -close to being a $\delta d$ -source.

That is, $\mathsf{Cond}$ condenses $X$ to within a constant entropy gap, where we say that the entropy gap (with error $\varepsilon$ ) of a distribution $Z\sim\left\{{0,1}\right\}^{m}$ is $\Delta$ if $Z$ is $\varepsilon$ -close to an $(m-\Delta)$ -source.

But in practice, it may be unreasonable to assert that for every $i$ and every prefix $x_{1},\dots,x_{i}$ , the next symbol $X_{i}$ is highly unpredictable. To address this, [9] does consider generalized versions of CG sources, although the guarantee about $\mathsf{Cond}(X)$ from Theorem 4 for such sources is much weaker there. In particular, the situation (before this work) becomes quite bleak when introducing the generalization coined $\rho$ -error in [9].

Definition 5 ( $\rho$ -almost CG source).

A $\rho$ -almost $\delta$ -CG source is a sequence of random variables $X=X_{1}\circ\ldots\circ X_{t}$ with $X_{i}\sim\left\{{0,1}\right\}^{d}$ , such that for each $i\in[t]$ , we have that for at least probability $1-\rho$ over the prefix $a\in\left\{{0,1}\right\}^{d(i-1)}\sim X_{1}\circ\ldots\circ X_{i-1}$ , it holds that $H_{\infty}(X_{i}|X_{[1,i-1]}=a)\geq\delta d$ .

It turns out that in the presence of $\rho$ -error (together with other error types discussed shortly), general min-entropy sources are almost CG sources in some regime of parameters (see [9, Section 8]). Thus, in general, deterministic condensing to within a constant entropy gap of such sources is impossible. Moreover, before this work, it was unknown whether or not a random walk using $\rho$ -almost CG sources mix well in any sense at all. In this paper we show that it is indeed the case that random walks mix, even under the more general notion of unpredictable sources, which captures all previously considered generalizations of CG sources.

1.4 Unpredictable Sources

As discussed previously, the notion of CG sources is quite strong – it assumes that every prefix leads to a high entropy distribution is quite strong. An unpredictable source does not make such an assumption. Indeed, notice that in the definition of an unpredictable source, we do not directly insist on any guarantee on the (smooth) min-entropy of the distribution $X_{i}|X_{[1,i-1]}=x_{[1,i-1]}$ , only that usually, the next symbol $x_{i}$ is unlikely conditioned on $x_{[1,i-1]}$ . We give unpredictable sources their name as it closely resembles the intermediate objects of the same name that show up in pseudorandom constructions such as reconstructive extractors [18, 15, 17] (for the precise definition of reconstructive extractors, see, e.g., [16]).

When talking about $(\delta,\rho)$ unpredictable sources, we informally refer to $\delta$ as the “entropy rate” of the unpredictable source, and $\rho$ as its “error rate”.⁷⁷7An $(\delta,\rho)$ unpredictable source is indeed, roughly, $\rho$ -close to an $\delta n$ sources. It is easy to see that this definition captures almost-CG sources with all previously considered error parameters.

Definition 6 (almost CG source with all error parameters).

We say that $X=X_{1}\circ\ldots\circ X_{t}$ , each $X_{i}\sim\left\{{0,1}\right\}^{d}$ , is a $(\delta,\gamma,\rho,\lambda)$ almost CG source, if, for at least $(1-\lambda)$ fraction of $i\in[t]$ , the following holds:

\Pr_{x\sim X}\left[H_{\infty}^{\gamma}\left(X_{i}|\left\{{X_{[1,i-1]}=x_{[1,i-% 1]}}\right\}\right)<\delta d\right]\leq\rho.

Indeed, a $(\delta,\gamma,\rho,\lambda)$ almost CG source is a $(\delta,\gamma+\rho+\lambda)$ unpredictable source.⁸⁸8It is also true that the converse holds via several averaging arguments, although with a large loss in parameters. We prefer to study and phrase our results for unpredictable sources, as the statements are clean, and with minimal artifacts of analysis. Additionally, as was the case for almost CG sources with all error parameters, every general source with $(1-\rho)n$ min entropy is an unpredictable source, with a much more straightforward argument, with fewer constraints on $\rho$ , and with less loss in converting $\rho$ into the error parameters of an almost CG source (see [10, Proposition 6.4]). In this work, we give the following result for unpredictable sources, analogous to Theorem 4:⁹⁹9Theorem 4 and 2 are analogous in the sense that they both yield a condenser with constant entropy gap for their respective class of sources. There is a key difference in that Theorem 4 is seedless, whereas 2 is seeded. This is necessary. As we have discussed before, general weak sources are unpredictable sources.

Theorem 2 (seeded condensing (informal); see Corollary 3.16 in [10]).

Let $\delta,\rho$ be constants, and let $D$ and $\varepsilon$ be constants that satisfy $\varepsilon<D^{-(1-\delta)}$ . Suppose that for every $M$ , there exists an explicitly computable $D=2^{d}$ -regular $(K,\varepsilon)$ -lossless expander on $\Theta(M)$ vertices, with $K=M/{\rm poly}(D)$ . Then, for any positive integer $t$ , there exists an explicit function

\mathsf{Cond}\colon\left\{{0,1}\right\}^{n=dt}\times\left\{{0,1}\right\}^{\ell% =\log t-1}\rightarrow\left\{{0,1}\right\}^{m=\Omega(\delta dt)}

such that given a $(\delta,\rho)$ unpredictable source $X$ and an independent and uniform $Y$ , $\mathsf{Cond}(X,Y)$ is $O\left(\frac{1}{\delta}(\varepsilon D^{1-\delta}+\rho)\right)$ -close to an $m-O(\log(1/\varepsilon))$ source. Moreover, $\mathsf{Cond}$ can be computed in an online manner.¹⁰¹⁰10See [10, Appendix B] for a more detailed description of the online version.

As suggested by prior discussion, the construction is again to simply use $X$ as instructions for a random walk on a lossless expander, with the random seed indicating the stopping time. In order to show that such a walk mixes, we develop a new analysis, different than that of [9], which we discuss in detail in Section 1.5.

Let us briefly discuss the error term in the theorem’s statement. First, roughly speaking, the term $\varepsilon D^{1-\delta}$ is the probability that a set $S$ “does not expand” in some sense. For example, $\varepsilon D^{1-\delta}$ is the probability over a uniformly chosen vertex $v\in S$ and uniform neighbor $\Gamma(v)$ , that $\Gamma(v)$ has another neighbor in $S$ . Broadly speaking, events such as this are undesirable: they represent “collisions” of paths in the random walk. Thus we expect such an error term, as it corresponds to the (inherent) error of the expander. We should also expect the error rate $\rho$ to appear for the same reason: this corresponds to the probability that “expansion does not occur” due to low quality randomness (as opposed to the expander’s error). Indeed, if one considers the $(1,\rho)$ unpredictable distribution $X$ that is $0^{n}$ with probability $\rho$ , and uniform otherwise, one can see that at every step of a random walk using $X$ , some vertex will have probability mass at least $\rho$ .

Finally, we comment on the relationship between these parameters. In general, as $\rho$ is an error probability over the entire space of $X$ , it is possible for it to be sub-constant. While $\rho$ can be subconstant, the constant- $\rho$ regime is more interesting, and our theorem handles the case when $\rho$ is in fact fairly large, for example $\rho\geq D^{-\delta}$ . Thus, the error term can be thought of as $O(\rho/\delta)$ , and in fact it is necessary that $\rho<\delta$ . Intuitively, using a $(\delta,\rho)$ unpredictable source, in a typical run of the random walk, one expects there to be roughly $t$ steps each accumulating $\delta d$ bits of entropy (for a total of $\delta dt$ entropy gained), and roughly $\rho t$ steps that lose $d$ bits of entropy (for a total of $\rho dt$ entropy lost). Thus overall, one should not expect anything good to happen when the entropy rate of the unpredictable source is smaller than the error rate.

We can also show that even without a random stopping time, we can use our new analysis of random walks to get a result about deterministic condensing, although, as expected, the entropy gap is not constant.

Theorem 3 (seedless condensing (informal); see Corollary 3.17 of [10]).

Let $\delta,\rho$ be constants and let $D$ and $\varepsilon$ be constants that satisfy $\varepsilon<D^{-(1-\delta)}$ . Suppose that for every $M$ , there exists an explicitly computable $D=2^{d}$ -regular $(K,\varepsilon)$ -lossless expander on $\Theta(M)$ vertices, with $K=M/{\rm poly}(D)$ . Then, for any positive integer $t$ , there exists an explicit function

\mathsf{Cond}\colon\left\{{0,1}\right\}^{n=dt}\rightarrow\left\{{0,1}\right\}^% {m=\Omega(\delta dt)}

such that given a $(\delta,\rho)$ unpredictable source $X$ , $\mathsf{Cond}(X)$ is $O\left(\sqrt{\varepsilon D^{1-\delta}+\rho}\right)$ -close to a $(1-\beta)m$ -source, where $\beta=O\left(\frac{1}{\delta}\cdot\sqrt{\varepsilon D^{1-\delta}+\rho}\right)$ . Moreover, $\mathsf{Cond}$ can be computed in an online manner.

Overall, Theorem 2 and Theorem 3 indicate that it is indeed possible to condense a very general class of sources in an online manner.

On Extracting from Unpredictable Sources

As a final note for this section, recall that we cannot hope to extract from arbitrary unpredictable sources without a seed. However, even if one only cares about extracting, rather than condensing, from unpredictable sources, our work is the first to do so in an online manner: Indeed, one can use Theorem 2 to within constant entropy gap, and then apply a known online construction for constant entropy gap. We stress that known constructions for arbitrary weak sources with linear entropy rate, such as [20, 21], are not online, and thus are unsatisfying for streams of randomness.

1.4.1 A Two-Stage Construction, and Recent Developments in Lossless Expanders

An expert reader may notice that the statements of Theorem 4, Theorem 2, and Theorem 3 are slightly weaker than what is actually achievable. In each of these theorems, we require explicit expanders with $\varepsilon\ll D^{-(1-\delta)}$ . In other words, as the entropy rate $\delta$ of the source gets smaller, the error of the expander that we use must improve. Optimal, non-explicit expanders (as well as random ones) can achieve a dependence of $\varepsilon\approx 1/D$ and would thus allow us to handle any constant entropy rate $\delta$ . However, the [2] explicit construction only achieves $\varepsilon\approx D^{1/6}$ , and more recent works can improve this to $\varepsilon\approx D^{1/2}$ [6, 12]. Thus, even considering recent improvements, Theorem 4, Theorem 2, and Theorem 3 can only support entropy rate $\delta>1/2$ .

Fortunately, explicit optimal constructions are not necessary. A trick from [9], the two-stage construction, utilizes constant-sized optimal expanders (found by brute force) to condense small blocks of the stream $X_{1},\dots,X_{t}$ into a higher entropy rate $\delta^{\prime}>\delta$ larger blocks, that is high enough to use the known (suboptimal) explicit constructions. For details of the construction for unpredictable sources, see [10, Section 4].

Nevertheless, we choose to present our results and phrase our theorems assuming optimal expanders for several reasons. The first is that the parameters are better, aesthetically simpler, and easier to analyze when no two stage construction is required. Moreover, we wish to highlight that the novelty of this work is the analysis of random walks on a single expander, without the trick of the two-stage construction. Finally, because of the two-stage construction, the current lack of better constructions of explicit expanders is not an inherent barrier to the plausibility of explicit condensing for smaller $\delta$ .

We give instantiations of Theorem 2, and Theorem 3 for any entropy rate $\delta>0$ in [10, Theorem 5.3 and Theorem 5.5] using currently known explicit expanders and the two-stage construction. As the statement is relevant for the next discussion, we give an informal version of the latter here, which considers deterministic condensing.

Theorem 4 (informal; see Theorem 5.5 of [10]).

Let $\delta>0$ be any constant, let $d\geq{\rm poly}(1/\delta)$ , and $\rho\leq{\rm poly}(\delta)$ . Then, for any positive integer $t$ , there exists an explicit function

\mathsf{Cond}\colon\left\{{0,1}\right\}^{n=dt}\to\left\{{0,1}\right\}^{m}

with $m=\Omega(\delta dt)$ such that for any $(\delta,\rho)$ unpredictable source $X=X_{1}\circ\dots\circ X_{t}$ with each $X_{i}\sim\{0,1\}^{d}$ , $\mathsf{Cond}(X)$ is $\approx\rho^{1/C}$ close to a $(1-\beta)m$ , source, where $\beta\approx\rho^{1/C}$ , for some universal constant $C$ .

1.4.2 Perspective: Condensing from Unpredictable Sources vs. General Sources

Having presented our main results about seeded condensing to within constant entropy gap, and deterministic condensing outputting a constant fraction of the entropy, we provide a few observations about the nature of unpredictable sources.

First, we know that general sources are unpredictable sources in the high entropy regime (see [10, Proposition 6.4]). Indeed, if $H(X)\geq(1-\rho)n$ , then $X$ is already a $(\delta=0.99,100\rho)$ unpredictable source. Thus, essentially for any $\delta$ , nontrivial condensing requires seed, and we provide a simple such condenser that is even online.

However, this does not imply that for every $\delta$ , an unpredictable source is as hard to deal with as a general source of the same entropy rate. Indeed, Theorem 4 shows that for small entropy rate $\delta$ , deterministic condensing is possible to with output entropy rate roughly $1-\rho^{1/C}$ . Thus, one can deterministically condense unpredictable sources from entropy rate $0.01$ to entropy rate $0.99$ . Such a feat is not possible for general sources! Indeed, if $X$ is a general source with entropy rate, say, $0.6$ , a simple argument shows that it cannot be deterministically condensed to entropy rate, say, $0.7$ (see [10, Claim A.1]). This suggests an interesting property about unpredictable sources: Deterministic condensing “past the entropy rate” of such sources is easy, while the hard part is condensing “past the error rate.” In particular, although our analysis only achieves an output entropy rate of $1-\rho^{1/C}$ , we suspect that deterministic condensing to an entropy rate of $1-O(\rho)$ is possible. Moreover, there is good reason to believe that there is a barrier to condensing past this error rate: When considering general $(1-\rho)n$ sources, the entropy gap $\rho$ becomes the error rate when thinking of it as an unpredictable source.

We end the discussion by leaving as an open line of inquiry to determine the exact threshold of the output entropy rate of deterministic condensers.

1.5 Technical Overview: Random Walks Using Unpredictable Sources

We are now ready to present a technical overview of how we analyze random walks via unpredictable sources. Since unpredictable sources subsume CG sources, we’ll start with discussing the challenges inherent to both sources, and the previous solution for CG sources. An initial observation is that for both types of sources, spectral analysis fails, and for two main reasons. The first one is that spectral expanders may not be lossless, and even the best spectral expanders may only be $(K,\varepsilon=1/2)$ -lossless. Such expansion is insufficient for us, as it intuitively means that for a distribution on a set of vertices $S$ , at least half of all edges leaving $S$ may lead to collisions (with perhaps $D$ other nodes in $S$ ). Since, as discussed before, collisions imply a loss in entropy, even the good high entropy steps fail to mix, unless the steps were almost uniform.

The second reason is that random walks using CG sources and unpredictable sources are non-Markovian: The distribution of the next step depends on the entire history of the walk up until that point. Therefore, we cannot analyze the evolution of the vertex distribution at each step by repeatedly applying a transition matrix and bounding the norm of the corresponding probability vector. Moreover, the distribution of the next instruction $X_{i+1}$ , given a prefix $x_{1},\dots,x_{i}$ , can be adversarial. That is, whatever the vertex distribution $p_{i}$ may be for each $i$ , $X_{i+1}$ could be the worst possible edge distribution that yields the least amount of improvement for $p_{i+1}$ (while still satisfying the overall conditions on the source $X$ ).

Nevertheless, [9] provides a direct analysis that shows that the norm of the vertex distribution does evolve favorably over time. Specifically, they show that for the $q$ -norm, setting $q=1+\alpha$ , if $p_{i}$ is the vertex distribution of the random walk at step $i$ , then $\left\|p_{i+1}\right\|_{q}^{q}\leq\frac{1}{D^{\delta\alpha}}\left\|p_{i}\right% \|_{q}^{q}$ . More concretely they prove:

Theorem 7 (informal; see [9], Theorem 5).

Let $G=(U=[M],V=[M],E)$ be a sufficiently good lossless expander, and let $q=1+\alpha$ for some sufficiently small constant $\alpha$ .

Fix any $i$ , and let $r_{u}$ , for each $u\in\mathrm{Supp}(p_{i})$ , be a distribution over $\{0,1\}^{d}\equiv[D]$ , each being a $\delta d$ source. For any $u\in U$ and $v\in V$ let $r_{u}(u,v)$ denote the probability that the edge leading from $u$ to $v$ is chosen under $r_{u}$ . By definition, $p_{i+1}$ is defined as $p_{i+1}(v)=\sum_{u\in\Gamma(v)}r_{u}(u,v)p_{i}(u).$ Then,

\left\|p_{i+1}\right\|_{q}^{q}\leq O\left(\frac{1}{D^{\delta\alpha}}\right)% \cdot\left\|p_{i}\right\|_{q}^{q},

as long as $\left\|p_{i}\right\|_{q}^{q}$ is not already smaller than $1/K^{\alpha}$ .

This essentially implies that the entropy of the vertex distribution increases by at least $\delta d$ . Thus, inductively, the final distribution will have $\left\|p_{t}\right\|_{q}^{q}\leq\frac{1}{K^{\alpha}}$ , implying that it has min entropy roughly $k$ .

For ease of exposition, for the remainder of the section, we consider unpredictable sources where for every $i$ , $\rho_{i}=\rho$ for some constant $\rho$ . This case captures most of the intuition and difficulty at a high level.

The $𝒒$ -norm analysis fails

Unfortunately, in the case of unpredictable sources, the $q$ -norm analysis cannot give a good bound on the norm of the final vertex distribution, $\left\|p_{t}\right\|_{q}$ . To see this, consider a distribution $X$ that is $0^{n}$ with probability $\rho$ , and is a $\delta$ -CG source otherwise. This is both a CG source with $\rho$ -error and a $(\delta,\rho)$ -unpredictable source. However, the norm of the final vertex distribution will always be at least $\left\|p_{t}\right\|_{q}\geq\rho$ . Thus, the $q$ -norm will not help us to establish that the final (smoothed) min entropy is large. But note that it is true in this example, where clearly we are $\rho$ -close to having high min-entropy. It has been an open question since [9] to give an analysis that shows this is always the case.

Beating the union bound, once again

Naively, one might try to fix the $q$ -norm analysis as follows. For each $i$ , condition on the event that $X_{i+1}$ has “high entropy” given $x_{1},\dots,x_{i}$ . The original $q$ -norm analysis could then work on this conditional distribution, and since the probability that this event does not happen is at most $\rho$ , we can conclude that in the $i$ -th step, the $q$ -norm decreases “except with error $\rho$ .” Unfortunately, it is not clear how to chain such an argument multiple times over all steps $t$ , without using a union bound which would require $\rho<1/t$ .

We remark that originally, in the case of CG sources, [9] uses the $q$ -norm analysis in part to beat the union bound over the expander error $\varepsilon$ . As we’ve seen from the discussion above, the $q$ -norm analysis does not allow you to do the same for $\rho$ . Thus, beating the union bound over $\rho$ is yet another challenge to overcome.

Probability evolution, not distribution evolution: a “chain rule” for vertex probabilities

The issue with the approaches above is that they attempt to make a statement about the quality of the vertex distribution at every step $i$ . As discussed, it is not clear how to make any such statement. This leads us to search for an alternative approach. Denote by $W(x_{1},\dots,x_{i})$ as the vertex reached when taking the instructions $x_{1},\dots,x_{i}$ . In an unpredictable source, given a typical $x\sim X$ , one expects to see roughly $(1-\rho)t$ “good” steps $i$ in which

\Pr[X_{i}=x_{i}|X_{[1,\dots,i-1]}=x_{[1,\dots,i-1]}]\leq D^{-\delta},

and $\rho t$ “bad” steps in which $\Pr[X_{i}=x_{i}|X_{[1,\dots,i-1]}=x_{[1,\dots,i-1]}]>D^{-\delta}$ . One would like to argue that this directly translates to good steps and bad steps in the random walk. In other words, for every good step,

p_{i}(W(x_{1},\dots,x_{i}))\leq\frac{1}{D^{\delta}}\cdot p_{i}(W(x_{1},\dots,x% _{i-1})),

and for every bad step, $p_{i}(W(x_{1},\dots,x_{i}))\leq D\cdot p_{i}(W(x_{1},\dots,x_{i-1}))$ .

Notice that such an approach does not directly make a statement about the distribution at each step: we do not claim that for each $i$ , the overall entropy of $p_{i}$ increases. Rather, we say that individually, each path of vertices that the random walk takes is on its own journey of ups and and downs in individual probability, and typically there are few downs. We are able to make this approach concrete with the following key lemma.

Theorem 5 (chain rule for vertex probabilities; see Theorem 3.6, Corollary 3.7 of [10]).

Let $G$ be a $D$ -biregular $(K,\varepsilon)$ lossless expander. Let $X=X_{1}\circ\dots\circ X_{t}$ , each $X_{i}\sim\left\{{0,1}\right\}^{d}$ , and fix some $0<\delta\leq 1$ . Then, for any $i\in[t]$ , there is a subset $S_{i}\subseteq\left\{{0,1}\right\}^{n=dt}$ with $\Pr[X\in S_{i}]\geq 1-4\varepsilon D^{1-\delta}-2\rho$ , such that for every $x\in S_{i}$ ,

p_{i}(W(x_{1},\dots,x_{i}))\leq\max\left(\frac{2}{D^{\delta}}\cdot p_{i-1}(W(x% _{1},\dots,x_{i-1})),\frac{D^{O(\log 1/\varepsilon)}}{K}\right).

We believe that this chain rule for vertex probabilities is interesting in its own right. The standard chain rule for probability states that for every $x\in\mathrm{Supp}(X)$ , and every $i$ the probability of $x_{1},\dots,x_{i}$ decreases from the probability of $x_{1},\dots,x_{i-1}$ by a factor of $\Pr[X_{i}=x_{i}|X_{[1,i-1]}=x_{1,i-1}]$ . The chain rule for vertex probabilities states that the same evolution of probabilities occurs when considering $W(x_{1},\dots,x_{i})$ and $W(x_{1},\dots,x_{i-1})$ , as long as the conditional probability of $x_{i+1}$ “has entropy” (as is needed for expansion), and accounting for the probability of a collision due to the inherent error of the expander or the probability the next step has no entropy.¹¹¹¹11An expert reader might ask how the 5 compares to the standard statement about lossless expanders as lossless conductors. In the standard case, when $\delta=1$ and $\rho=0$ , the property of lossless conductors states that if $p_{i-1}$ is a source with min entropy $k^{\prime}<k=\log K$ , then $p_{i}$ is $\varepsilon$ -close to a $k+d$ -source. 5 on the other hand, requires no assumption on the entropy of the input source $p_{i-1}$ , and is still able to conclude that the distribution “improves” in one step.

Analyzing a full random walk

So far, we’ve shown that at every step, there is a high probability over $x\sim X$ that the corresponding vertex probabilities decrease. Notice we have made no assertion yet about how drastically the vertex probability might increase when the event $S_{i}$ does not occur. However, it is not too hard to show that it is extremely unlikely for the probability to increase drastically. Overall, we can argue that in expectation over $x\sim X$ , there are roughly $(1-\rho)t$ steps for which the vertex probability goes down by a factor of roughly $D^{-\delta}$ , more accurately, $p_{i}(W(x_{1},\dots,x_{i})\leq\frac{2}{D^{\delta}}\cdot p_{i-1}(W(x_{1},\dots,% x_{i-1}))$ , and the total factor increase from the remaining $\rho t$ steps, is roughly $D^{\rho t}$ .

This argument so far is essentially all we need to obtain Theorem 3: When $\rho$ is small, for a typical $x$ , the number of good steps is overwhelmingly large comparing to the number of bad steps, and therefore one expects most runs of the random walk to end up at a vertex that has probability at most $p_{t}(W(x_{1},\dots,x_{t}))\leq D^{-(\delta t-\rho t)}$ .

Using a random stopping time

To obtain a seeded condenser with constant entropy gap, as in Theorem 2, we must characterize a bit more accurately how a typical run of the random walk behaves. In reality, Theorem 5 states that if $i$ is a good step for $x_{1},\dots,x_{t}$ (that is, $x\in S_{i}$ ), then the probability of the vertex reached at step $i$ decreases by $\approx\frac{1}{D}$ as long as the vertex probability has not already reached the “capacity” $D^{O(\log 1/\varepsilon)}/K$ , which is a constant factor smaller than $1/M$ , for $M$ being the number of vertices in the expander.¹²¹²12In general, for constant degree lossless expanders, $K=M/{\rm poly}(D)$ . If we can prove that over a random $x\sim X$ , and a random stopping time $i$ , that the vertex probability is at capacity with high probability, then we have proven Theorem 2.

Suppose we choose $M$ to be noticeably less than $D^{\delta t}$ , say, $D^{(\delta/2)t}$ . Then, we expect that in a typical run of the random walk, the vertex probability reaches the capacity (or is close to it) after $t/2$ steps. We can assume for simplicity that the vertex probability is exactly at capacity after $t/2$ steps. Now, let us consider what happens in the last $t/2$ steps, under this assumption. There are only $\rho t<t/2$ steps for which the vertex probability can increase, each of which increases it by a factor of roughly $D$ . Thus, most of the other $t/2$ steps either keep the vertex probability at capacity, or “repairs” a deficit from capacity by a factor of $1/D^{\delta}$ . Overall, this means that over a random stopping time in the last $t/2$ steps, the probability of not being at capacity (meaning the walk has recently taken one of the $\rho t$ bad steps, or one of the $(\rho/\delta)t$ “repairing” good steps), is roughly $\rho+\rho/\delta=O(\rho/\delta)$ .

1.5.1 Making Our Condensers Fully Online

A random walks based condenser is online if each symbol $X_{i}$ is processed and used to update the state sequentially in a “read-once” fashion. However, there is an issue when the length of the stream $t$ is not known ahead of time. Indeed, if one must settle on a graph of size $M$ ahead of time, then one cannot hope for a final output entropy larger than $m$ . This is problematic if the length of the stream $t$ is not known ahead of time, and ends up being much larger than $m$ , as we will miss out on most of the entropy of the stream. Broadly speaking, the workaround to this issue is as follows: If we know how much entropy we expect overall in each $X_{1},\dots,X_{i}$ , then we can repeatedly increase the size of the graph at regular intervals, to accommodate the additional entropy expected. This allows us to maintain the guarantee that the entropy of the vertex distribution is close to $m$ for all (or most) steps.

In a bit more detail, for simplicity, assume that the total length of the stream is a power of two (although still unknown). We begin the random walk from a fixed vertex on a small $D$ -regular graph of size $2^{C}$ for some constant $C$ . If we see more than $\approx C$ symbols from the stream, we embed the current vertex into a $D$ -regular graph of size $2^{2C}$ and walk for another $C$ steps. If a node in the smaller graph is represented by $v\in\left\{{0,1}\right\}^{C}$ , then one can embed it in the larger graph as $v\circ 0^{C}$ . Such an embedding provides a one-to-one mapping from the vertex distribution in the small graph to one with the same entropy in the large graph. We repeat this embed-and-walk process until the stream ends. This idea essentially suffices to implement the deterministic condenser of Theorem 3 in an online fashion.

To implement the condenser from Theorem 2, we use the same embed-and-walk process, but we must take care to implement the random stopping time in an online fashion as well. Once again, for simplicity, assume that $t$ is a power of two. We once again begin the walk on a constant sized graph of size $2^{C}$ , and initialize a seed of length $\approx c=\log C$ to pick a random stopping time in case $t\leq c$ . When the random stopping time is reached, we save the resulting vertex additionally in the state, and we continue the random walk until time $c$ . If the stream ends at time $c$ , output the saved vertex. Otherwise, we embed the current vertex into a graph of size $2^{2C}$ , and use $\mathsf{ExtendSeed}$ to add one more bit to the seed. Now, $Y$ represents a random stopping time between $1$ and $2c$ , and we can repeat this process until the stream ends. Ultimately, this shows that for every $i\in[t]$ that is a power of two, the distribution obtained from using $X_{1},\dots,X_{i}$ as a random walk (with a random stopping time) contains most of the entropy $k$ seen so far, within a graph whose size $M$ is not too much larger than $K=2^{k}$ , all the while only needing to generate $\log i$ bits of seed.

As the details of such an online implementation are mostly minor alterations to the main results of our work, we defer a more detailed explanation to [10, Appendix B].

1.6 Improved Random Walk-Based Extractors for High Min-Entropy Sources

So far, the main takeaway from our results is that lossless expanders can handle unpredictable sources with low entropy rate. On the other hand, spectral expanders can handle unpredictable sources with high entropy rate, as can be seen by looking at the classic random walks based extractor.

However, even for the case of sources with high entropy, the lossless expander random walk yields a quantitatively better result. In the classic expander random walk extractor (or sampler), based on the expander Chernoff bound, in order to achieve an error of $\rho$ in the output distribution, it is necessary for the entropy of the input source $X$ to be at least $(1-\rho^{2}/C)n$ for some constant $C$ .

Theorem 8 (standard RW-based extractor).

There exists a universal constant $C$ such that the following holds. For every positive integer $n$ , and any $\rho>0$ , there exists an explicit $(k,\rho)$ extractor

\mathsf{Ext}\colon\left\{{0,1}\right\}^{n}\times\left\{{0,1}\right\}^{\ell=% \log n-O(1)}\to\left\{{0,1}\right\}^{m=\Omega(k)}

for any $k\geq(1-\rho^{2}/C)n+\log(1/\rho)$ .

The $\rho^{2}$ factor is inherent in the use of the expander Chernoff bound. On the other hand, if one uses our new lossless expander random walk to condense to constant entropy gap (and then apply known constructions of extractors for sources with constant entropy gap with short seed length), one only needs the input source to have entropy $(1-\rho/C^{\prime})n$ for some constant $C^{\prime}$ in order to obtain final output error $\rho$ . In addition, all of this can be implemented in a fully online manner, even when $n$ is not known ahead of time.

Theorem 6 (new RW-based extractor; see Theorem 6.6 of [10]).

There exist universal constants $\rho_{0}\in(0,1)$ and $C>1$ such that the following holds. For every positive integer $n$ , and any constant $\rho\in(0,\rho_{0})$ , there exists an explicit $(k,\rho)$ extractor

\mathsf{Ext}\colon\left\{{0,1}\right\}^{n}\times\left\{{0,1}\right\}^{\ell=% \log n+O(\log(1/\rho))}\to\left\{{0,1}\right\}^{m=\Omega(k)},

for any $k\geq(1-\rho/C)n$ .

1.7 Related Work

Before introducing $\rho$ -almost CG sources, [9] first generalizes CG sources by introducing what is coined $\lambda$ -error.

Definition 9 ( $\lambda$ -almost CG source).

A $\lambda$ -almost $\delta$ -CG source is a sequence of random variables $X=X_{1}\circ\ldots\circ X_{t}$ with $X_{i}\sim\left\{{0,1}\right\}^{d}$ , such that for at least $(1-\lambda)t$ of $i\in[t]$ , we have that for any prefix $a\in\left\{{0,1}\right\}^{d(i-1)}$ , it holds that $H_{\infty}(X_{i}|X_{[1,i-1]}=a)\geq\delta d$ .

Unlike $\rho$ -error, for $\lambda$ -error, [9] is still able to construct condensers by running a random walk using $X$ , although not with a constant entropy gap. Instead, the gap is roughly $\lambda m$ , for reasons inherent to the random walk construction itself. Intuitively, for the $\lambda$ fraction of bad indices $i$ , $X_{i}$ could be completely determined (and adversarially chosen) based on $x_{i-1}$ . Therefore, whatever edge $x_{i-1}$ instructs the walk to take, $x_{i}$ could instruct to return via the same edge, effectively wiping out the progress made from $x_{i-1}$ . Overall, when all the bad indices are at the end, it can wipe out $\lambda t$ steps of entropy accumulation, leaving an entropy gap of $\lambda t$ .¹³¹³13When $\lambda>0$ but the $\lambda$ -fraction of bad blocks is nicely distributed in the sense that each suffix contains at most $\lambda$ -fraction of bad blocks (up to an additive term), we can regain constant entropy gap. See [9, Section 3.1], where this property is called suffix friendliness. The case of $\lambda$ -error is interesting in its own right. In fact, a recent work of Chattopadhyay, Gurumukhani, and Ringach [4], shows that deterministic condensing of $\lambda$ -almost $\delta$ -CG sources is impossible, even with large entropy gap, in the regime where $\lambda\geq\frac{1}{2}$ .

Goodman, Li, and Zuckerman [13] showed how to condense CG sources even when the blocks are long, and the entropy rate is subconstant. However, their constructions are not online, and they don’t address the case of almost CG sources.¹⁴¹⁴14However, their constructions work for suffix-friendly CG sources.

Previous works that directly consider (deterministic) online extraction [7, 8] assume a strong notion of unpredictability, wherein the $X_{i}$ -s are independent (but with some min-entropy). In their model, they assume that for every $i$ , $|S_{i}|=|X_{i}|=n$ , with the length of the stream $t$ sufficiently long that the total entropy $k$ of $X$ is at least $n$ . Recall that in our work, we generally think of each $X_{i}\sim\left\{{0,1}\right\}^{d}$ for some constant $d$ , $n=dt$ , and $|S_{t}|\approx k\ll n$ . More specifically, [7] considers how entropy accumulates for specific update functions that are based off of practical random number generation. They show that entropy accumulates when the $X_{i}$ -s are independent draws from certain classes of distributions known as 2-monotone distributions. [8], considers linear update functions and shows that entropy accumulates when the $X_{i}$ -s are independent $k$ -sources.

Other previously studied notions of sequential sources include Somewhere Honest Entropy Look Ahead (SHELA) sources [1], also known as online Non-Oblivious Symbol Fixing (oNOSF) sources [4]. Such sources are essentially the $\lambda$ -error CG sources discussed above, except for two distinctions. The first is that the good steps are all high entropy distributions that are independent from each other. The second is that each bad step only depends on previous blocks.¹⁵¹⁵15The latter property is why those sources are called “online” – an adversary corrupts the bad blocks while only knowing the history. They do not give online condensers for such sources. Aggarwal et a. [1] shows that extracting from oNOSF sources is impossible, however one can convert oNOSF sources into uniform oNOSF sources. Chattopadhyay, Gurumukhani, and Ringach explored the limits of online condensing of such sources [4], and later achieved constructions with essentially optimal parameters [3].

A recent work by Xun and Zuckerman [19] provides constructions of strong offline extractors whose seed length has nearly optimal dependence on $n$ and $\varepsilon$ : for any desired $\alpha>0$ , their construction gives an extractor with seed length $(1+\alpha)\log(n-k)+(2+\alpha)\log 1/\varepsilon+O(1)$ , as long as the entropy rate $k/n$ is sufficiently close to $1$ (depending on $\alpha$ ). To compare, our results discussed in Section 1.6 provide online extractors with seed length $\log n+O(\log 1/\varepsilon)+O(1)$ when $k/n\geq 1-\Theta(\varepsilon)$ .

References

[1] Divesh Aggarwal, Maciej Obremski, João Ribeiro, Luisa Siniscalchi, and Ivan Visconti. How to extract useful randomness from unreliable sources. In Advances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 343–372. Springer, 2020. doi:10.1007/978-3-030-45721-1_13.
[2] Michael Capalbo, Omer Reingold, Salil Vadhan, and Avi Wigderson. Randomness conductors and constant-degree lossless expanders. In Proceedings of the 34th Annual Symposium on Theory of Computing (STOC), pages 659–668. ACM, 2002. doi:10.1145/509907.510003.
[3] Eshan Chattopadhyay, Mohit Gurumukhani, and Noam Ringach. Condensing against online adversaries. In Electronic Colloquium on Computational Complexity (ECCC), 2024. URL: https://eccc.weizmann.ac.il/report/2024/171.
[4] Eshan Chattopadhyay, Mohit Gurumukhani, and Noam Ringach. On the existence of seedless condensers: Exploring the terrain. In Proceedings of the 65th Annual Symposium on Foundations of Computer Science (FOCS), pages 1451–1469. IEEE, 2024. doi:10.1109/FOCS61266.2024.00093.
[5] Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM Journal on Computing, 17(2):230–261, 1988. doi:10.1137/0217015.
[6] Itay Cohen, Roy Roth, and Amnon Ta-Shma. HDX condensers. In Proceedings of the 64th Annual Symposium on Foundations of Computer Science (FOCS), pages 1649–1664. IEEE, 2023. doi:10.1109/FOCS57990.2023.00100.
[7] Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. No time to hash: On super-efficient entropy accumulation. In Advances in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Conference, pages 548–576. Springer, 2021. doi:10.1007/978-3-030-84259-8_19.
[8] Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. Online linear extractors for independent sources. In Proceedings of the 2nd Conference on Information-Theoretic Cryptography (ITC), pages 14:1–14:14. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2021. doi:10.4230/LIPICS.ITC.2021.14.
[9] Dean Doron, Dana Moshkovitz, Justin Oh, and David Zuckerman. Almost Chor–Goldreich sources and adversarial random walks. In Proceedings of the 55th Annual Symposium on Theory of Computing (STOC), pages 1–9. ACM, 2023. doi:10.1145/3564246.3585134.
[10] Dean Doron, Dana Moshkovitz, Justin Oh, and David Zuckerman. Online condensing of unpredictable sources via random walks. Electron. Colloquium Comput. Complex., TR24-165, 2024. URL: https://eccc.weizmann.ac.il/report/2024/165.
[11] David Gillman. A Chernoff bound for random walks on expander graphs. SIAM Journal on Computing, 27(4):1203–1220, 1998. doi:10.1137/S0097539794268765.
[12] Louis Golowich. New explicit constant-degree lossless expanders. In Proceedings of the 35th Annual Symposium on Discrete Algorithms (SODA), pages 4963–4971. ACM-SIAM, 2024. doi:10.1137/1.9781611977912.177.
[13] Jesse Goodman, Xin Li, and David Zuckerman. Improved condensers for Chor-Goldreich sources. In Proceedings of the 65th Annual Symposium on Foundations of Computer Science (FOCS), pages 1513–1549. IEEE, 2024. doi:10.1109/FOCS61266.2024.00096.
[14] Miklos Santha and Umesh V. Vazirani. Generating quasi-random sequences from semi-random sources. Journal of Computer and System Sciences, 33(1):75–87, 1986. doi:10.1016/0022-0000(86)90044-9.
[15] Ronen Shaltiel and Christopher Umans. Simple extractors for all min-entropies and a new pseudorandom generator. Journal of the ACM, 52(2):172–216, 2005. doi:10.1145/1059513.1059516.
[16] Amnon Ta-Shma and Christopher Umans. Better lossless condensers through derandomized curve samplers. In Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), pages 177–186. IEEE, 2006. doi:10.1109/FOCS.2006.18.
[17] Amnon Ta-Shma, David Zuckerman, and Shmuel Safra. Extractors from Reed–Muller codes. Journal of Computer and System Sciences, 72:786–812, 2006. doi:10.1016/J.JCSS.2005.05.010.
[18] Luca Trevisan. Extractors and pseudorandom generators. Journal of the ACM, 48(4):860–879, 2001. doi:10.1145/502090.502099.
[19] Zhiyang Xun and David Zuckerman. Near-optimal averaging samplers. Electron. Colloquium Comput. Complex., TR24-097, 2024. URL: https://eccc.weizmann.ac.il/report/2024/097.
[20] David Zuckerman. Randomness-optimal oblivious sampling. Random Structures and Algorithms, 11(4):345–367, 1997. doi:10.1002/(SICI)1098-2418(199712)11:4\%3C345::AID-RSA4\%3E3.0.CO;2-Z.
[21] David Zuckerman. Linear degree extractors and the inapproximability of Max Clique and Chromatic Number. Theory of Computing, 3:103–128, 2007. doi:10.4086/TOC.2007.V003A006.

[bib.bib1] [1] Divesh Aggarwal, Maciej Obremski, João Ribeiro, Luisa Siniscalchi, and Ivan Visconti. How to extract useful randomness from unreliable sources. In Advances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 343–372. Springer, 2020. doi:10.1007/978-3-030-45721-1_13.

[bib.bib2] [2] Michael Capalbo, Omer Reingold, Salil Vadhan, and Avi Wigderson. Randomness conductors and constant-degree lossless expanders. In Proceedings of the 34th Annual Symposium on Theory of Computing (STOC), pages 659–668. ACM, 2002. doi:10.1145/509907.510003.

[bib.bib3] [3] Eshan Chattopadhyay, Mohit Gurumukhani, and Noam Ringach. Condensing against online adversaries. In Electronic Colloquium on Computational Complexity (ECCC), 2024. URL: https://eccc.weizmann.ac.il/report/2024/171.

[bib.bib4] [4] Eshan Chattopadhyay, Mohit Gurumukhani, and Noam Ringach. On the existence of seedless condensers: Exploring the terrain. In Proceedings of the 65th Annual Symposium on Foundations of Computer Science (FOCS), pages 1451–1469. IEEE, 2024. doi:10.1109/FOCS61266.2024.00093.

[bib.bib5] [5] Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM Journal on Computing, 17(2):230–261, 1988. doi:10.1137/0217015.

[bib.bib6] [6] Itay Cohen, Roy Roth, and Amnon Ta-Shma. HDX condensers. In Proceedings of the 64th Annual Symposium on Foundations of Computer Science (FOCS), pages 1649–1664. IEEE, 2023. doi:10.1109/FOCS57990.2023.00100.

[bib.bib7] [7] Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. No time to hash: On super-efficient entropy accumulation. In Advances in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Conference, pages 548–576. Springer, 2021. doi:10.1007/978-3-030-84259-8_19.

[bib.bib8] [8] Yevgeniy Dodis, Siyao Guo, Noah Stephens-Davidowitz, and Zhiye Xie. Online linear extractors for independent sources. In Proceedings of the 2nd Conference on Information-Theoretic Cryptography (ITC), pages 14:1–14:14. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2021. doi:10.4230/LIPICS.ITC.2021.14.

[bib.bib9] [9] Dean Doron, Dana Moshkovitz, Justin Oh, and David Zuckerman. Almost Chor–Goldreich sources and adversarial random walks. In Proceedings of the 55th Annual Symposium on Theory of Computing (STOC), pages 1–9. ACM, 2023. doi:10.1145/3564246.3585134.

[bib.bib10] [10] Dean Doron, Dana Moshkovitz, Justin Oh, and David Zuckerman. Online condensing of unpredictable sources via random walks. Electron. Colloquium Comput. Complex., TR24-165, 2024. URL: https://eccc.weizmann.ac.il/report/2024/165.

[bib.bib11] [11] David Gillman. A Chernoff bound for random walks on expander graphs. SIAM Journal on Computing, 27(4):1203–1220, 1998. doi:10.1137/S0097539794268765.

[bib.bib12] [12] Louis Golowich. New explicit constant-degree lossless expanders. In Proceedings of the 35th Annual Symposium on Discrete Algorithms (SODA), pages 4963–4971. ACM-SIAM, 2024. doi:10.1137/1.9781611977912.177.

[bib.bib13] [13] Jesse Goodman, Xin Li, and David Zuckerman. Improved condensers for Chor-Goldreich sources. In Proceedings of the 65th Annual Symposium on Foundations of Computer Science (FOCS), pages 1513–1549. IEEE, 2024. doi:10.1109/FOCS61266.2024.00096.

[bib.bib14] [14] Miklos Santha and Umesh V. Vazirani. Generating quasi-random sequences from semi-random sources. Journal of Computer and System Sciences, 33(1):75–87, 1986. doi:10.1016/0022-0000(86)90044-9.

[bib.bib15] [15] Ronen Shaltiel and Christopher Umans. Simple extractors for all min-entropies and a new pseudorandom generator. Journal of the ACM, 52(2):172–216, 2005. doi:10.1145/1059513.1059516.

[bib.bib16] [16] Amnon Ta-Shma and Christopher Umans. Better lossless condensers through derandomized curve samplers. In Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), pages 177–186. IEEE, 2006. doi:10.1109/FOCS.2006.18.

[bib.bib17] [17] Amnon Ta-Shma, David Zuckerman, and Shmuel Safra. Extractors from Reed–Muller codes. Journal of Computer and System Sciences, 72:786–812, 2006. doi:10.1016/J.JCSS.2005.05.010.

[bib.bib18] [18] Luca Trevisan. Extractors and pseudorandom generators. Journal of the ACM, 48(4):860–879, 2001. doi:10.1145/502090.502099.

[bib.bib19] [19] Zhiyang Xun and David Zuckerman. Near-optimal averaging samplers. Electron. Colloquium Comput. Complex., TR24-097, 2024. URL: https://eccc.weizmann.ac.il/report/2024/097.

[bib.bib20] [20] David Zuckerman. Randomness-optimal oblivious sampling. Random Structures and Algorithms, 11(4):345–367, 1997. doi:10.1002/(SICI)1098-2418(199712)11:4\%3C345::AID-RSA4\%3E3.0.CO;2-Z.

[bib.bib21] [21] David Zuckerman. Linear degree extractors and the inapproximability of Max Clique and Chromatic Number. Theory of Computing, 3:103–128, 2007. doi:10.4086/TOC.2007.V003A006.

Online Condensing of Unpredictable Sources via Random Walks

Abstract

Keywords and phrases:

Funding:

Copyright and License:

2012 ACM Subject Classification:

Related Version:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

Definition 1 (unpredictable source, simplified).

Definition 2 (unpredictable source).

Observation 3.

Theorem 1 (main (informal)).

1.1 Online Extracting and Condensing

1.2 Online Condensing via Random Walks

1.3 CG-Sources, Lossless Expanders, and the DMOZ Condenser

Theorem 4 ([9], informal).

Definition 5 (ρ-almost CG source).

1.4 Unpredictable Sources

Definition 6 (almost CG source with all error parameters).

Theorem 2 (seeded condensing (informal); see Corollary 3.16 in [10]).

Theorem 3 (seedless condensing (informal); see Corollary 3.17 of [10]).

On Extracting from Unpredictable Sources

1.4.1 A Two-Stage Construction, and Recent Developments in Lossless Expanders

Theorem 4 (informal; see Theorem 5.5 of [10]).

1.4.2 Perspective: Condensing from Unpredictable Sources vs. General Sources

1.5 Technical Overview: Random Walks Using Unpredictable Sources

Theorem 7 (informal; see [9], Theorem 5).

The 𝒒-norm analysis fails

Beating the union bound, once again

Probability evolution, not distribution evolution: a “chain rule” for vertex probabilities

Theorem 5 (chain rule for vertex probabilities; see Theorem 3.6, Corollary 3.7 of [10]).

Analyzing a full random walk

Using a random stopping time

1.5.1 Making Our Condensers Fully Online

1.6 Improved Random Walk-Based Extractors for High Min-Entropy Sources

Theorem 8 (standard RW-based extractor).

Theorem 6 (new RW-based extractor; see Theorem 6.6 of [10]).

1.7 Related Work

Definition 9 (λ-almost CG source).

References

Definition 5 ( $\rho$ -almost CG source).

The $𝒒$ -norm analysis fails

Definition 9 ( $\lambda$ -almost CG source).