Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters.
However, existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor.
Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors impractical.

Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$.
We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields such extractors.
More precisely, we obtain strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time.
When $k$ or $\varepsilon$ are very small, our construction requires a reasonable one-time preprocessing step.
These extractors directly yield privacy amplification protocols with nearly-linear time complexity (possibly after a one-time preprocessing step), large output length, and low communication complexity.
As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in \emph{truly} linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)poly(\log(n))}$.
Previous fast implementations of Trevisan’s extractor ran in $\widetilde{O}(n)$ time in this setting.

Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters. However, existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors unusable in practice.

Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time, after a reasonable one-time preprocessing step (finding a primitive element of $\mathbb{F}_q$ with $q=\mathrm{poly}(n/\varepsilon)$ a power of $2$) that is only required when $k0$ and $\log^*$ the iterated logarithm, and which can be implemented in time $\mathrm{polylog}(n/\varepsilon)$ under mild conditions on $q$. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in \emph{truly} linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)\mathrm{polylog}(n)}$. Previous fast implementations of Trevisan’s extractor ran in $\widetilde{O}(n)$ time in this setting. In particular, these extractors directly yield privacy amplification protocols with the same time complexity and output length, and communication complexity equal to their seed length.

Seeded extractors are fundamental objects in pseudorandomness and cryptography, and a deep line of work has designed polynomial-time seeded extractors with nearly-optimal parameters. However, existing constructions of seeded extractors with short seed length and large output length run in time $\Omega(n \log(1/\varepsilon))$ and often slower, where $n$ is the input source length and $\varepsilon$ is the error of the extractor. Since cryptographic applications of extractors require $\varepsilon$ to be small, the resulting runtime makes these extractors unusable in practice.

Motivated by this, we explore constructions of strong seeded extractors with short seeds computable in nearly-linear time $O(n \log^c n)$, for any error $\varepsilon$. We show that an appropriate combination of modern condensers and classical approaches for constructing seeded extractors for high min-entropy sources yields strong extractors for $n$-bit sources with any min-entropy $k$ and any target error $\varepsilon$ with seed length $d=O(\log(n/\varepsilon))$ and output length $m=(1-\eta)k$ for an arbitrarily small constant $\eta>0$, running in nearly-linear time, after a reasonable one-time preprocessing step (finding a primitive element of $\mathbb{F}_q$ with $q=\mathrm{poly}(n/\varepsilon)$ a power of $2$) that is only required when $k0$ and $\log^*$ the iterated logarithm, and which can be implemented in time $\mathrm{polylog}(n/\varepsilon)$ under mild conditions on $q$. As a second contribution, we give an instantiation of Trevisan's extractor that can be evaluated in \emph{truly} linear time in the RAM model, as long as the number of output bits is at most $\frac{n}{\log(1/\varepsilon)\mathrm{polylog}(n)}$. Previous fast implementations of Trevisan’s extractor ran in $\widetilde{O}(n)$ time in this setting. In particular, these extractors directly yield privacy amplification protocols with the same time complexity and output length, and communication complexity equal to their seed length.