Flexible Two-Source Extractors and their Applications

We introduce a new notion flexible extractor. It is a generalization of the standard concept of a two-source-extractor which require each of a sources to have some entropy, flexible extractor requires the sum of sources entropy to exceed fixed value. We distinguish between a strong and a weak flexible extractors and (similarly to two-source-extractors case) prove that every weak flexible extractor is also a strong extractor just with a slightly worse parameters. Moreover we prove that two common two-source extractors are in fact flexible which can be viewed as a generalization of the Leftover Hash Lemma for those extractors. We use that notion in joint work with Stefan Dziembowski and Tomasz Kazana “Non-Malleable Codes from Two-Source Extractors” currently under submission. In that work we use the flexible extractors to construct an efficient information-theoretically non-malleable code in the split-state model for one-bit messages. Non-malleable codes were introduced recently by Dziembowski, Pietrzak and Wichs (ICS 2010), as a general tool for storing messages securely on hardware that can be subject to tampering attacks. Informally, a code (Enc :M→ L×R,Dec : L×R →M) is non-malleable in the split-state model if any adversary, by manipulating independently L and R (where (L,R) is an encoding of some message M), cannot obtain an encoding of a messageM ′ that is not equal toM but is “related”M in some way. Until now it was unknown how to construct an information-theoretically secure code with such a property, even forM = {0, 1}. Our construction solves this problem. Additionally, it is leakage-resilient, and the amount of leakage that we can tolerate can be an arbitrary fraction ξ < 1/4 of the length of the codeword. Our code is based on the inner-product two-source extractor, but in general it can be instantiated by any two-source extractor that has the property of being flexible. We also show that the non-malleable codes for one-bit messages have an equivalent, perhaps simpler characterization, namely such codes can be defined as follows: if M is chosen uniformly from {0, 1} then the probability (in the experiment described above) that the output message M ′ is not equal to M can be at most 1/2 + .