Nearly-Linear Time Seeded Extractors with Short Seeds

(abstract shortened due to space constraints) Existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors unusable in practice. Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time, after a reasonable one-time preprocessing step (finding a primitive element of $\mathbb{F}_q$ with $q=poly(n/\varepsilon)$ a power of $2$) that is only required when $k<2^{C\log^* n}\cdot\log^2(n/\varepsilon)$, for a constant $C>0$ and $\log^*$ the iterated logarithm, and which can be implemented in time $polylog(n/\varepsilon)$ under mild conditions on $q$. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in truly linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)polylog(n)}$. Previous fast implementations of Trevisan's extractor ran in $\widetilde{O}(n)$ time in this setting. In particular, these extractors directly yield privacy amplification protocols with the same time complexity and output length, and communication complexity equal to their seed length.