Alternating Extractors and Leakage-Resilient Stream Ciphers

Last time we proved the Leftover Hash Lemma, which states that if X is a random variable with universe U and H∞(X) ≥ k, ε > 0, and H is a universal hash family of size 2 with output length l = k − 2 log(1/ε), then Ext(x, h) = h(x) is a (k, ε/2) extractor with seed length d and output length m. In other words, Ext(x, h) extracts l bits from x that are ε-close to uniform, with ε = 12 √ 2−l. For a xed ε, the amount of extracted bits l is optimal up to an additive constant, as shown in [5]. (In other words, the loss 2 log(1/ε) bits is necessary.) The only drawback of this extractor is that d (seed length) is high. We need extractors with shorter seeds for the Alternating Extraction game presented in the next section; we will not show how to build them, but they do exist, with seeds as short as Θ(log 1/ε+ log n), where n is the number of bits in elements of X.