Multiplicative Extractors for Samplable Distributions

Trevisan and Vadhan (FOCS 2000) introduced the notion of (seedless) extractors for samplable distributions as a way to extract random keys for cryptographic protocols from weak sources of randomness. They showed that under a very strong complexity theoretic assumption, there exists a constant α > 0 such that for every constant c ≥ 1, there is an extractor Ext: (Equation presented), such that for every distribution X over {0, 1}ⁿ with H∞(X) ≥ (1 − α) · n that is samplable by size n^c circuits, the distribution Ext(X) is ϵ-close to uniform for (Equation presented), and furthermore, Ext is computable in time poly(n^c). Recently, Ball, Goldin, Dachman-Soled and Mutreja (FOCS 2023) gave a substantial improvement, and achieved the same conclusion under the weaker (and by now standard) assumption that there exists a constant β > 0, and a problem in E = DTIME(2^O(n)) that requires size 2^βn nondeterministic circuits. In this paper we give an alternative proof of this result with the following advantages: Our extractors have “multiplicative error”: It is guaranteed that for every event A ⊆ {0, 1}^m, Pr[Ext(X) ∈ A] ≤ (1 + ϵ) · Pr[Um ∈ A]. (This should be contrasted with the standard notion that only implies Pr[Ext(X) ∈ A] ≤ ϵ + Pr[Um ∈ A]). Consequently, unlike the (additive) extractors of Trevisan and Vadhan, and Ball et al., our multiplicative extractors guarantee that in the application of selecting keys for cryptographic protocols, if when choosing a random key, the probability that an adversary can steal the honest party's money is n^−ω(1), then this also holds when using the output of the extractor as a key. Our multiplicative extractors are a key component in the recent subsequent work of Ball, Shaltiel and Silbak (STOC 2025) that constructs extractors for samplable distributions with low min-entropy. This is another demonstration of the usefulness of multiplicative extractors. We remark that a related notion of multiplicative extractors was defined by Applebaum, Artemenko, Shaltiel and Yang (CCC 2015) who showed that black-box techniques cannot yield extractors with additive error ϵ = n^−ω(1), under the assumption assumed by Ball et al. or Trevisan and Vadhan. This motivated Applebaum et al. to consider multiplicative extractors, and they gave constructions based on the original hardness assumption of Trevisan and Vadhan. Our proof is significantly simpler, and more modular than that of Ball et al. (and arguably also than that of Trevisan and Vadhan). A key observation is that the extractors that we want to construct, easily follow from a seed-extending pseudorandom generator against nondeterministic circuits (with the twist that the error is measured multiplicatively, as in computational differential privacy). We then proceed to construct such pseudorandom generators under the hardness assumption. This turns out to be easier (utilizing amongst other things, ideas by Trevisan and Vadhan, and by Ball et al.) Trevisan and Vadhan also asked whether lower bounds against nondeterministic circuits are necessary to achieve extractors for samplable distributions. While we cannot answer this question, we show that the proof techniques used in our paper (as well as those used in previous work) produce extractors which imply seed-extending PRGs against nondeterministic circuits, which in turn imply lower bounds against nondeterministic circuits.