Extractors for Polynomial Sources over Fields of Constant Order and Small Characteristic

A polynomial source of randomness over F_q^n is a random variable X = f(Z) where f is a polynomial map and Z is a random variable distributed uniformly over F_q^r for some integer r. The three main parameters of interest associated with a polynomial source are the order q of the field, the (total) degree D of the map f, and the base-q logarithm of the size of the range of f over inputs in F_q^r, denoted by k. For simplicity we call X a (q, D, k)-source. Informally, an extractor for (q, D, k)-sources is a function E : F_q^n → {0, 1}^m such that the distribution of the random variable E(X) is close to uniform over {0, 1}^m for any (q, D, k)-source X. Generally speaking, the problem of constructing extractors for such sources becomes harder as q and k decrease and as D increases. A rather large number of recent works in the area of derandomization have dealt with the problem of constructing extractors for (q, 1, k)-sources, also known as "affine" sources. Constructing an extractor for non-affine sources, i.e., for D > 1, is a much harder problem. Prior to the present work, only one construction was known, and that construction works only for fields of order much larger than n (Dvir et al., CCC 2009). In particular, even for D = 2, no construction was known for any fixed finite field. In this work we construct extractors for (q, D, k)-sources for fields of constant order. Our proof builds on the work of DeVos and Gabizon (CCC 2010) on extractors for affine sources. Like the DeVos–Gabizon paper, our result makes crucial use of a theorem of Hou, Leung and Xiang (J. Number Theory 2002) which gives a lower bound on the dimension of products of subspaces.


Introduction
This paper is part of a long and active line of research devoted to the problem of "randomness extraction": Given a family of distributions all guaranteed to have a certain structure, devise a method that can convert a sample from any distribution in this family to a sequence of uniformly distributed bits, or at least a sequence statistically close to the uniform distribution. Usually, it is easy to prove that a random function is, with high probability, a good extractor for the given family, and the challenge is to give an explicit construction of such an extractor.
The first example of a randomness extraction problem was given by von Neumann [24], who gave an elegant solution to the following problem: How can a biased coin with unknown bias be used to generate "fair" coin tosses? In this case the input distribution consists of independent identically distributed bits, which makes the extraction task simpler. Since then many families of more complex distributions have been studied. Also, the concept of randomness extraction has proven to be useful for various applications. The reader is referred to the introduction of [10] for more details on the classes of distributions studied, references and motivation.
We now give a formal definition of extractors and related objects called dispersers.
Definition 1.1 (Extractors and dispersers). Let Γ and Ω be some finite domains. Let C be a class of random variables taking values in Γ. We say a random variable P taking values in Ω is ε-close to uniform if for every A ⊆ Ω,
• Fix any 0 ≤ ε < 1. A function E : Γ → Ω is an ε-extractor for C if for every X ∈ C, the random variable E(X) is ε-close to uniform.
• A function D : Γ → Ω is a disperser for C if for every X ∈ C, the random variable D(X) takes more than one value in Ω with nonzero probability.

Polynomial sources
In this paper we construct extractors for polynomial sources, which are distributions that are sampled by applying low-degree polynomials to uniform inputs, as defined next. Throughout this paper, if Ω is a finite set, we let U_Ω denote the uniform distribution over Ω. By the individual degree of a multivariate polynomial f we mean the smallest d such that f has degree ≤ d in each variable.
Definition 1.2 (Polynomial sources). Fix integers n, k, d with k ≤ n and a field F_q. We define M[n, k, d] to be the set of mappings f : F_q^r → F_q^n, where r is an integer counting the number of inputs to the source and
• The range of f is of size at least q^k. Formally,
A (n, k, d)-polynomial source is a random variable of the form f(U_{F_q^r}) for some r and some f ∈ M[n, k, d] with r inputs. (When the parameters n, k, d are clear from the context, we shall omit them, and simply use the term "polynomial source.")

Definition 1.3 (Polynomial-source extractors). Let Ω be some finite set. A function E : F_q^n → Ω is a (k, d, D, ε)-polynomial source extractor if for every f ∈ M[n, k, d] of total degree at most D and r inputs, E(f(U_{F_q^r})) is ε-close to uniform (where U_{F_q^r} denotes the uniform distribution over F_q^r).

Remark 1.4. A few words are in order regarding Definition 1.2.
• The number of inputs used by our source, denoted by r in Definition 1.2, does not affect the parameters of our extractors, and hence we omit this parameter from the definition of polynomial sources and extractors.
• In the context of extractors what might have seemed more natural is to require the random variable f(U_{F_q^r}) to have min-entropy at least k · log q. Our requirement on the size of the range of f is seemingly weaker, and suffices for our construction to work. (In particular, our result implies that, for some settings of field order and degree, when f has large range the random variable f(U_{F_q^r}) is statistically close to a random variable that has at least a certain min-entropy.)
• Individual degree plays a larger role than total degree in our results. In fact, the first stage of our construction, constructing a non-constant polynomial over F_q, requires a field of order depending only on individual degree. This is why it is more convenient to limit individual degree and not total degree in the definition of polynomial sources.

Motivation

To motivate our study of extractors for polynomial sources, we mention four distinct applications of such extractors for the simplest class of sources: affine ones, in which the degree of the source is 1 (see definition below). Demenkov and Kulikov [9] showed, using elementary methods, that any circuit over the full binary basis that computes an affine disperser for min-entropy rate o(1) must contain at least 3n(1 − o(1)) gates, and this matches the previous best circuit lower bound of Blum from 1984 [4]. Another application of affine extractors was given by Viola [23] and independently by De and Watson [8], showing how to use them to construct extractors for bounded-depth circuits. A third application was given by Ben-Sasson and Zewi [27], who showed how to construct two-source extractors and bipartite Ramsey graphs from affine extractors. Recent work of Guruswami [15] and of Dvir and Lovett [13] uses "subspace evasive functions", which are closely related to affine extractors, to get better algorithms for list-decoding of folded Reed–Solomon codes. These applications lead us to believe that extractors for general low-degree sources of the kind defined next will similarly be useful in other branches of computational complexity theory.

Previous work and our result
Polynomial-source extractors are a generalization of affine source extractors, where the source is sampled by a degree-one map. There has been much work recently on affine-source extractors [2, 5, 26, 14, 10, 17] and related objects called affine-source dispersers [3, 22], where the output is required to be non-constant but not necessarily close to uniform. Turning to extractors for non-affine, low-degree sources, the only previous work is by Dvir, Gabizon and Wigderson [12], and it requires large fields. In particular, to extract a single bit [12] needs a field of order at least n^c where c > 1 is a constant and n is the number of inputs to the extractor, i.e., the number of outputs of the polynomial source.
(In a related albeit different vein, Dvir [11] constructed extractors for distributions that are uniform over low-degree algebraic varieties, which are sets of common zeros of a system of low-degree multivariate polynomials.) In this work we construct polynomial-source extractors over much smaller fields than previously known, assuming the characteristic of the field is significantly smaller than the order of the field.

Theorem 1.5 (Main-Extractor). Fix a field F_q of characteristic p, integers d, D, 4 ≤ k ≤ n where n ≥ 25, and a positive integer m

In particular, when D, n/k, and p are constant, we get a polynomial-source extractor for fields of bounded order. We state such an instantiation.

Corollary 1.6 (Extractor for quadratic sources of min-entropy rate half over fields of characteristic 2). There is a universal constant C such that the following holds. For any ε > 0 and any q > C/ε^2 which is a power of 2, there is an explicit (n/2, 2, 2, ε)-polynomial source extractor E : F_q^n → {0, 1}.
Non-Boolean dispersers for smaller fields

THEORY OF COMPUTING, Volume 9 (21), 2013, pp. 665-683

Along the way to our proof we construct a weaker object called a non-Boolean disperser. A non-Boolean disperser maps the source into a relatively small (but not {0, 1}) domain and guarantees the output is non-constant. The advantage of this part of the construction is that it works for smaller fields than the extractor, and moreover, the field order for which it works depends only on the individual degrees of the source polynomials. In the theorem and corollary below we use an implicit isomorphism of F_q^n and F_{q^n}. See an explanation of this at the beginning of Section 3.

Theorem 1.7 (Main-Disperser). Fix a prime power q = p^ℓ. Fix integers k ≤ n and d < s such that n is prime and s is a power of p. Fix a non-trivial F_q-linear map T : F_q^n → F_q. Let u = ⌈(n − k)/(k − 1)⌉. Define P : F_q^n → F_q by P(x) = T(x^{1+s+s^2+···+s^u}), the power being computed in F_{q^n}. Then, under the condition on q stated in Corollary 4.6 below, P(f(Z)) is a non-constant function from F_q^r into F_q for every f ∈ M[n, k, d].

We instantiate this result for F_4, which is the smallest field for which it works.

Corollary 1.8 (Disperser for min-entropy rate half over F_4). Let n be prime. Define the function P : F_4^n → F_4 as follows. Think of the input x as an element of F_{4^n} and compute x^3. Now output the first coordinate of the vector x^3. Then for any source to which Theorem 1.7 applies with these parameters, P(f(Z)) is non-constant. (Here T is taken to be the map that projects to the first coordinate. This gives u = 1, and thus P(x) = T(x^3) in this case.)

Overview of the proof
Our goal is to describe an explicit function E : F_q^n → {0, 1}^m such that for any (n, k, d)-polynomial source X we have that E(X) is ε-close to the uniform distribution over {0, 1}^m. We do this in two steps.
First we construct a function E_0, called a non-Boolean disperser, that is guaranteed to be non-constant on X, i.e., such that the random variable Y = E_0(X) takes more than one value. This part is done in Section 4. Then we apply a second function E_1 to the output of E_0 and prove, using the fact that E_0 is a low-degree function in our case, that the distribution of E_1(E_0(X)) is close to uniform. This "disperser-to-extractor" part is described in Sections 5 and 6. We now informally describe the two functions, assuming for simplicity that the field F_q is of characteristic 2 and that n is prime. Before starting let us recall the notion of a Frobenius automorphism. If K is a finite field of characteristic 2 then the mapping σ_i : x ↦ x^{2^i} is an automorphism of K (see Section 3.4). The three elementary properties of this mapping that we use below are (i) its linearity: σ_i(a + b) = σ_i(a) + σ_i(b); (ii) its distinctness: if K is an extension of F_2 of degree at least t and 0 ≤ i < j ≤ t − 1 then σ_i and σ_j are different; and (iii) its dimension-preservation: for a set A ⊆ F_{q^n}, dim(span(σ_i(A))) = dim(span(A)), spans taken over F_q (see Claim 3.8).

A different view of low-degree sources

The first part of our analysis uses a somewhat nonstandard view of low-degree sources that we need to highlight. The random variable X ranges over F_q^n and is the output of n degree-d polynomials over F_q. Consider the set of monomials over F_q in the variables Z_1, …, Z_r of individual degree at most d, where d < q. (We use Z variables to denote inputs of the polynomial source and X variables for its output.) Suppose the i-th coordinate of X is
X_i = Σ_M a_M^{(i)} · M(Z_1, …, Z_r),
the sum ranging over these monomials M, where a_M^{(i)} ∈ F_q and Z_1, …, Z_r are independent random variables distributed uniformly over F_q. Applying an F_q-linear bijection φ : F_q^n → F_{q^n}, let a_M = φ(a_M^{(1)}, …, a_M^{(n)}) denote the sequence of coefficients of the monomial M, viewed now as a single element in F_{q^n}. Our nonstandard view is that our source is
X = Σ_M a_M · M(Z_1, …, Z_r),    (2.1)
where the coefficients a_M and the random variable X come from the "large" field F_{q^n} but the random variables Z_1, …, Z_r still range over the "small" field F_q. This large-field-small-field view will be important in what comes next. In particular, we shall use the following claim, which reduces the problem of constructing a non-Boolean disperser to that of constructing a polynomial whose coefficients span F_{q^n} over F_q.
Claim 2.1 (Full-span polynomials are non-constant coordinate-wise). Suppose P has individual degree smaller than q. If the set of coefficients A = {a_M | deg(M) > 0} appearing in (2.1) spans F_{q^n} over F_q, then X_i = P^{(i)}(Z_1, …, Z_r) is a non-constant function on F_q^r for every i ∈ {1, …, n}.
Proof. By way of contradiction. If P^{(i)} is constant on F_q^r and has individual degrees smaller than q, then as a formal polynomial it is constant. This implies that all elements of A, as vectors in F_q^n, are equal to zero in the i-th coordinate. Thus, A spans a strict subspace of F_{q^n}, in contradiction to the assumption of the claim.

Non-Boolean disperser
We start with the simplest nontrivial case to which our techniques apply and construct a non-Boolean disperser for homogeneous multilinear quadratic sources with min-entropy rate greater than half over the finite field with 4 elements (this is a special case of Corollary 1.8). Using \binom{[r]}{2} to denote the set {(i, j) | 1 ≤ i < j ≤ r} and writing X as in (2.1) we get
X = Σ_{(i,j) ∈ \binom{[r]}{2}} a_{ij} · Z_i Z_j,    (2.2)
where Z_1, …, Z_r are uniformly and independently distributed over F_4 and X takes more than 4^{n/2} distinct values. Let
A = {a_{ij} | (i, j) ∈ \binom{[r]}{2}}    (2.3)
denote the set of coefficients appearing in (2.2). In light of Claim 2.1 it suffices to construct E_0 such that E_0(X), when written as a polynomial over Z_1, …, Z_r, has a set of coefficients that spans F_{4^n} over F_4. (Then we "project" this polynomial onto, say, the first coordinate and get a non-constant function mapping into F_4, i.e., a non-Boolean disperser.) To do this we take the approach of DeVos and Gabizon [10], which uses the theorem of Hou, Leung and Xiang [16]. Assuming n is prime, this theorem implies that if A, B ⊂ F_{q^n} are sets spanning spaces of respective dimensions d_1, d_2 over F_q, then the set of products A·B = {a·b | a ∈ A, b ∈ B} spans a subspace of F_{q^n} over F_q of dimension at least min{n, d_1 + d_2 − 1}. Returning to our case and taking A as in (2.3), our first observation is that dim(span(A)) > n/2 because X is contained in span(A). So the theorem of [16] mentioned above implies that span(A·A) = F_{4^n}. Consider what would happen if we could sample twice from X independently and take the product of the two samples in F_{4^n}. Using X', Z'_1, …, Z'_r to express the second sample we write this product as
X · X' = Σ_{(i,j), (k,l)} a_{ij} a_{kl} · Z_i Z_j Z'_k Z'_l.
Opening the right-hand side as a polynomial in Z_1, …, Z_r, Z'_1, …, Z'_r we see that its set of coefficients is A·A, which spans F_{4^n} over F_4, as desired. Unfortunately we only have access to a single sample of X and have to make use of it. We use the fact that F_4 is a degree-2 extension of a smaller field (F_2) and hence has two distinct Frobenius automorphisms. And here comes our second observation: Taking the product of 2 distinct Frobenius automorphisms of a single sample of X has a similar effect to that of taking two independent samples of X!
Indeed, take the product of σ_0(X) and σ_1(X) and, using the linearity of the Frobenius mapping, expand as
σ_0(X) · σ_1(X) = X · X^2 = Σ_{(i,j), (k,l)} a_{ij} a_{kl}^2 · Z_i Z_j Z_k^2 Z_l^2.
The main point is that every element in the set of products of A and A^2 = {a^2 | a ∈ A} appears as the coefficient of a monomial in the polynomial above, and these monomials are distinct over F_4. And the dimension-preservation of σ_1 implies that dim(span(A^2)) = dim(span(A)) > n/2. Consequently, the theorem of [16] implies that A·A^2 spans F_{4^n} over F_4, so by Claim 2.1 the function E_0(X), which outputs the first coordinate of X·X^2, is non-constant for X, and this completes the sketch of our non-Boolean disperser for the special case of homogeneous, quadratic, multilinear polynomials over F_4.
To extend this argument to general polynomial sources of individual degree ≤ d we carefully select a set of t distinct Frobenius automorphisms σ_{i_0}, …, σ_{i_{t−1}} (assuming F_q is an extension field of degree at least t) such that the corresponding mapping f on monomials is injective. Then we argue, just as in the case above, that the function g(X) = ∏_{j=0}^{t−1} σ_{i_j}(X) expands to a sum of distinct monomials with coefficients ranging over a product set Â, and the theorem of [16] is applied t times to conclude that Â spans F_{q^n} over F_q. Now we apply Claim 2.1 and get that the first coordinate of g(X) (viewing g(X) as a tuple of n polynomials over F_q) is a non-constant function. Details are provided in Section 4.

From dispersers to extractors

This part is based on the work of Gabizon and Raz [14] and uses an important theorem of Weil [25]. This theorem implies the following. Suppose we evaluate a polynomial g ∈ F_q[Z_1, …, Z_r] of small enough degree, deg(g) < √q, on a uniformly random sample in F_q^r and then take the first bit of this evaluation (when viewing it as a vector over F_2). Then this bit will either be constant (in which case we say that g is "degenerate"), or close to the uniform distribution. Assuming our source is low-degree and the order q of the field is sufficiently large, we can argue that deg(E_0(X)) < √q because X is low-degree by assumption and E_0 is low-degree by construction. So to apply Weil's Theorem and get an extractor we only need to ensure that we have in hand a non-degenerate polynomial. Alas, we have relatively little control over the polynomial source, so we need to transform it somehow into a non-degenerate one in a black-box manner. Here we apply another observation, proved by Swastik Kopparty, which says that (E_0(X))^v is non-degenerate for odd v > 2. This part is explained in Section 5. So we take E_1(Y) to be the first bit of Y^3 and, using this observation and Weil's Theorem, conclude that E_1(E_0(X)) is close to uniform. Analysis of the resulting extractor is given in the appendix.

Preliminaries
Notation: When we discuss identities between polynomials we only mean identities as formal polynomials. We will frequently alternate between viewing x ∈ F_q^n as an element of either F_q^n or the field F_{q^n}. When we do this we assume it is using an implicit bijective map φ : F_q^n → F_{q^n} that is an isomorphism of vector spaces. That is, φ(t_1 · a_1 + t_2 · a_2) = t_1 · φ(a_1) + t_2 · φ(a_2) for any t_1, t_2 ∈ F_q and a_1, a_2 ∈ F_q^n. Such φ is efficiently computable using standard representations of F_{q^n}. (For details see for example the book of Lidl and Niederreiter [18].) For a set Ω we denote by U_Ω the uniform distribution over Ω.

Weil bounds for additive character sums
The seminal work of Weil [25] on the "Riemann hypothesis for curves over finite fields" implies very useful bounds on character sums. As we will see in this section, these bounds enable us to extract randomness from certain "low-degree distributions." For background on characters of finite fields see [21] or Section 3.2 of [14]. The following version of the Weil bound was proved by Carlitz and Uchiyama [6].
Theorem 3.1 (Weil–Carlitz–Uchiyama bound). Let q = p^ℓ for prime p and an integer ℓ. Let ψ be a non-trivial additive character of F_q (that is, not identically 1). Let f(Z) be a polynomial in F_q[Z] of degree d. Suppose that f is not of the form h^p + h + c for any h ∈ F_q[Z] and c ∈ F_q. Then the character sum Σ_{z ∈ F_q} ψ(f(z)) is bounded in absolute value in terms of d and √q.
We require the following generalization of Vazirani's XOR Lemma from Rao [20], appearing there as Lemma 4.2.
Lemma 3.2 (Rao's XOR lemma). Let X be a distribution on a finite abelian group G such that |E(ψ(X))| ≤ ε for any non-trivial character ψ of G. Then X is ε · √|G|-close to uniform on G.
The above lemma implies it suffices to bound additive character sums of a distribution over F_q in order to extract randomness. This is formalized in Lemma 3.4 below. To state the lemma we first define how to extract a few entries of an element in F_p^ℓ.
Definition 3.3 (Prefix projection). Let q = p^ℓ for prime p and an integer ℓ. Fix an isomorphism between F_q and F_p^ℓ and view x ∈ F_q as (x_1, …, x_ℓ) ∈ F_p^ℓ. Fix an integer m ≤ ℓ. We define the prefix projection function E_m : F_q → F_p^m by E_m(x) = E_m((x_1, …, x_ℓ)) = (x_1, …, x_m).
Lemma 3.4 (XOR lemma for prefix projections). Let q = p^ℓ for prime p and an integer ℓ. Let X be a distribution on F_q such that |E(ψ(X))| ≤ ε for any non-trivial additive character ψ of F_q. Then E_m(X) is p^{m/2} · ε-close to uniform.
Proof. We claim that a function of the form ψ'(a) = ψ(E_m(a)), where ψ is a character of F_p^m, is a character of F_q: Let ω ∈ C be a primitive p-th root of unity. The additive characters of F_q are exactly the functions ψ : F_q → C of the form ψ(a) = ω^{T(a)} where T : F_q → F_p is an F_p-linear function and T(a) is interpreted as an integer in {0, …, p − 1}. In particular, this includes such functions where T only looks at the first m coordinates of a (recall that we identify F_q with F_p^ℓ); and such functions in turn are exactly those of the form ψ(E_m(a)) where ψ is a character of F_p^m. Hence, from the assumption of the lemma, |E(ψ(E_m(X)))| ≤ ε for every non-trivial character ψ of F_p^m, and Lemma 3.2 applied to the group G = F_p^m (so that √|G| = p^{m/2}) gives the claim.
Summing up the previous results we reach the statement that will be later used in analyzing our extractors.
Corollary 3.5 (Weil–Carlitz–Uchiyama for prefix projections). Let q = p^ℓ for prime p and an integer ℓ. Let f(Z) be a polynomial in F_q[Z] of degree d. Suppose that f is not of the form h(Z)^p + h(Z) + c for any h(Z) ∈ F_q[Z] and c ∈ F_q. Then E_m(f(U_{F_q})) is close to uniform, with the error obtained by combining the bound of Theorem 3.1 with Lemma 3.4.
Proof. Follows immediately from Theorem 3.1 and Lemma 3.4.

Dimension expansion of products
Recall that F_{q^n} is a vector space over F_q isomorphic to F_q^n. For a set A ⊆ F_{q^n} we denote by dim(A) the dimension of the F_q-span of A.
For sets A, B ⊆ F_{q^n} we write A·B for the set of products {a·b | a ∈ A, b ∈ B}. Hou, Leung and Xiang [16] show that such products expand in dimension. The following theorem is a corollary of Theorem 2.4 of [16].
Theorem 3.6 (Dimension expansion of products). Let F_q be any field, and let n be prime. Let A and B be non-empty subsets of F_{q^n} such that A, B ≠ {0}. Then dim(A·B) ≥ min{n, dim(A) + dim(B) − 1}. In particular, if A_1, …, A_m are non-empty subsets of F_{q^n} such that A_i ≠ {0} for all i, then dim(A_1 ··· A_m) ≥ min{n, dim(A_1) + ··· + dim(A_m) − (m − 1)}.
Remark 3.7. The definition of A·B is somewhat different from that in [16], where it is defined only for subspaces, and as the span of all possible products. The definition above will be more convenient for us.
It is easy to see that Theorem 2.4 of [16] is equivalent to the theorem above with our definition. Still, we give a self-contained proof.
Proof. First we note that it is enough to prove the theorem for linear subspaces A and B of dimension at least one: Given arbitrary sets A and B, let A' = span(A) and B' = span(B). If A and B both contain a non-zero element (as required in the theorem), then A' and B' are linear subspaces of dimension at least one. So we have that every element of A'·B' is of the form
(Σ_i t_i a_i) · (Σ_j s_j b_j) = Σ_{i,j} t_i s_j · a_i b_j,
where a_i ∈ A, b_j ∈ B and t_i, s_j ∈ F_q. This is obviously in span(A·B). So A'·B' ⊆ span(A·B), and this implies span(A'·B') ⊆ span(A·B). Therefore, the equation above implies dim(A·B) ≥ dim(A'·B'), while dim(A') = dim(A) and dim(B') = dim(B), so the bound for A' and B' yields the bound for A and B. We now turn to proving the theorem for linear subspaces A and B of dimension at least one. We proceed by induction on dim(A). As a base, observe that the result holds trivially when dim(A) = 1. For the inductive step, we may then assume that dim(A) > 1. We may also assume that B ≠ F_{q^n}, as the theorem is immediate in this case.
Note that we may freely replace A by g·A (or B by g·B) for any nonzero g ∈ F_{q^n}, as this has no effect on dim(A), dim(B), or dim(A·B). By this operation, we may assume that 1 ∈ A ∩ B. Since dim(A) > 1, we may choose a ∈ A \ F_q. Let j be the smallest nonnegative integer so that a^j ∉ B. Note that such a j exists since F_{q^n} = span(1, a, a^2, …, a^{n−1}) for any a ∈ F_{q^n} \ F_q, as there are no non-trivial subfields F_q ⊊ K ⊊ F_{q^n} when n is prime, and B ≠ F_{q^n}. Furthermore, j > 0 by the assumption that 1 ∈ B. Next, replace B by the set a^{−(j−1)}·B. It now follows that 1 ∈ B and a ∉ B, so A ∩ B is a proper nonempty subset of A. In particular, 1 ≤ dim(A ∩ B) < dim(A).
Consider the F_q-linear subspaces A ∩ B and A + B and observe that (A ∩ B)·(A + B) ⊆ span(A·B), since A ∩ B ⊆ B and A ∩ B ⊆ A, and that dim(A ∩ B) + dim(A + B) = dim(A) + dim(B). The next equation follows from this and the induction hypothesis applied to A ∩ B and A + B:
dim(A·B) ≥ dim((A ∩ B)·(A + B)) ≥ min{n, dim(A ∩ B) + dim(A + B) − 1} = min{n, dim(A) + dim(B) − 1}.
This completes the proof.

Frobenius automorphisms of F_q
Let q = p^ℓ for prime p and let i ≥ 0 be an integer. Raising to the power p^i in F_q is known as a Frobenius automorphism of F_q over F_p and will play an important role. We record two useful and well-known properties of this automorphism that will be used in our proofs.
• Linearity: ∀a, b ∈ F_q, (a + b)^{p^i} = a^{p^i} + b^{p^i}.
• Bijection: The map x ↦ x^{p^i} over F_q is bijective. In particular, for c ∈ F_q, c^{1/p^i} is always (uniquely) defined.
A useful fact following from these properties is that "taking the p-th power" of a set does not change its dimension.
Claim 3.8 (Dimension preservation). Let q = p^ℓ for prime p and an integer ℓ. For an integer i ≥ 1 and a set A ⊆ F_{q^n} let A^{p^i} = {a^{p^i} | a ∈ A}. Then dim(A) = dim(A^{p^i}).
Proof. Let {a_1, …, a_k} ⊆ A be a basis for the F_q-span of A. Choose any c_1, …, c_k ∈ F_q that are not all zero. Then, by linearity and bijectivity of the Frobenius map on F_{q^n},
Σ_j c_j · a_j^{p^i} = Σ_j (c_j^{1/p^i} · a_j)^{p^i} = (Σ_j c_j^{1/p^i} · a_j)^{p^i} ≠ 0,
since the c_j^{1/p^i} ∈ F_q are not all zero and the a_j are independent over F_q. Thus {a_1^{p^i}, …, a_k^{p^i}} are independent over F_q and therefore dim(A^{p^i}) ≥ dim(A). The reverse inequality is similar.

The main construction
As before, we use r to denote the number of inputs of f(Z_1, …, Z_r) ∈ M[n, k, d]. We denote by D the product set {0, …, d}^r. We use bold letters to denote vectors in F_q^r. For example, Z = (Z_1, …, Z_r). For an element S = (s_1, …, s_r) ∈ D we use the notation Z^S = Z_1^{s_1} ··· Z_r^{s_r}. With the notation above, for S ∈ D let a_S = (a_{1,S}, …, a_{n,S}) ∈ F_q^n, where a_{i,S} is the coefficient of Z^S in the i-th coordinate of f. Using the isomorphism of the vector spaces F_q^n and F_{q^n}, we can view a_S as an element of F_{q^n} and write
f(Z) = Σ_{S ∈ D} a_S · Z^S.
That is, we view f as a multivariate polynomial with coefficients in F_{q^n}. A crucial observation is that when f has large range the coefficients of f have large dimension.
Lemma 4.1. Let f ∈ M[n, k, d] with coefficients a_S as above. Then dim{a_S}_{S ∈ D\{0}} ≥ k.
Proof. The range of f over inputs in F_q^r is contained in an affine shift of the F_q-linear span of {a_S}_{S ∈ D\{0}}. Since this range is of size at least q^k, we must have dim{a_S}_{S ∈ D\{0}} ≥ k.
A simple but crucial observation from [10] is that a polynomial with coefficients in F_{q^n} whose non-constant coefficients span F_{q^n} over F_q can be "projected" to a non-constant polynomial with coefficients in F_q. We formalize this in the definition and lemma below.
Definition 4.2 (Full-span polynomial). We say that a polynomial G ∈ F_{q^n}[Z] = F_{q^n}[Z_1, …, Z_r] has full span if the coefficients of the non-constant monomials of G span F_{q^n} over F_q.
Lemma 4.3 (Disperser for full-span polynomials). Suppose G ∈ F_{q^n}[Z] has full span. Let T : F_{q^n} → F_q be a non-trivial F_q-linear mapping. Then T(G(Z)), as a function from F_q^r to F_q, agrees with a non-constant polynomial in F_q[Z] whose total and individual degrees are at most those of G.
Proof. We write G(Z) = Σ_{S ∈ R} a_S · Z^S for a_S ∈ F_{q^n}, where R ⊂ N^r denotes the set of tuples corresponding to the monomials of G. For every x = (x_1, …, x_r) ∈ F_q^r, we have
T(G(x)) = T(Σ_{S ∈ R} a_S · x^S) = Σ_{S ∈ R} T(a_S) · x^S,
where the last equality used the F_q-linearity of T (note that x^S ∈ F_q). Thus T(G(Z)) agrees on all inputs in F_q^r with the polynomial F(Z) = Σ_{S ∈ R} T(a_S) · Z^S, which is in F_q[Z]. The full span of G means that dim{a_S}_{S ∈ R\{0}} = n. Since T is a non-trivial linear map, there is some S ∈ R such that T(a_S) ≠ 0 and S ≠ 0, and so F is a non-constant polynomial. As the monomials with non-zero coefficients in F are a subset of the monomials with non-zero coefficients in G, it is clear that the total and individual degrees of F are at most those of G.
The previous lemma implies that to construct a disperser for polynomial sources it suffices to produce a function that increases the span of low-degree polynomials. We do this in the next theorem, which is of paramount importance to this paper.
Note that A = B_{s^0} ··· B_{s^u}. For all 0 ≤ i ≤ u, by Lemma 4.1 and Claim 3.8 we have dim(B_{s^i}) ≥ k. Therefore, by Theorem 3.6 we get dim(A) ≥ min{n, k · (u + 1) − u} = n.
Our theorem follows by noticing that the coefficients of the non-constant monomials in f^{1+s+s^2+···+s^u} contain the set A, hence f^{1+s+···+s^u} has full span.
Combining the lemma and theorem above we "project" into F_q and get a non-constant polynomial with coefficients in F_q.
Theorem 4.5. Fix a prime power q = p^ℓ. Fix integers k ≤ n and d < s such that n is prime and s is a power of p. Fix a non-trivial F_q-linear map T : F_{q^n} → F_q. Let u = ⌈(n − k)/(k − 1)⌉. Define P : F_{q^n} → F_q by P(x) = T(x^{1+s+s^2+···+s^u}). Fix any f(Z_1, …, Z_r) ∈ M[n, k, d] of total degree D. Then P(f(Z)), as a function on F_q^r, agrees with a non-constant polynomial in F_q[Z] of total degree at most D · (1 + s + ··· + s^u) and individual degrees at most d · (1 + s + ··· + s^u).
Proof. Follows immediately from Lemma 4.3 and Theorem 4.4.
An immediate corollary is a construction of a "non-Boolean disperser" for polynomial sources.
Corollary 4.6. Fix a prime power q = p^ℓ. Fix integers k ≤ n and d < s such that n is prime and s is a power of p. Fix a non-trivial F_q-linear map T : F_{q^n} → F_q. Let u = ⌈(n − k)/(k − 1)⌉. Define P : F_{q^n} → F_q by P(x) = T(x^{1+s+s^2+···+s^u}). Assume that q > d · (s^{u+1} − 1)/(s − 1). Then, for any f(Z_1, …, Z_r) ∈ M[n, k, d] we have that P(f(Z)) is a non-constant function from F_q^r into F_q.
Proof. Follows immediately from Theorem 4.5 by noticing that if P(f) agrees with a non-constant polynomial whose individual degrees are smaller than q, then it is a non-constant function from F_q^r into F_q.
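As an added illustration (this is not code from the paper, and the field representations, sources and function names are my own choices), the following Python script instantiates the disperser of Corollary 1.8 and Corollary 4.6 on the smallest sensible toy case, n = 3 over F_4 (so s = 2, d = 1, k = 2 and u = 1), and checks the ingredients of the argument by brute force: the coefficient set A of a homogeneous multilinear quadratic source, written as in (2.2), has dimension > n/2 (Lemma 4.1); squaring preserves that dimension (Claim 3.8); the product set A·A^2 spans F_{4^3} (Theorem 3.6); and the first coordinate of X·X^2 = X^3 is a non-constant function of Z (Claim 2.1), even for the constructed source SRC_B whose own first coordinate is identically zero.

```python
# Added example, not from the paper: the Frobenius-product disperser of
# Corollary 1.8 on a toy instance (n = 3, q = 4), checked by brute force.
from itertools import product

# F_4 = F_2[w]/(w^2 + w + 1); the element a + b*w is encoded as the integer a + 2b.
def f4_mul(x, y):
    r = 0
    for i in range(2):
        if (y >> i) & 1:
            r ^= x << i
    if r & 4:                     # reduce w^2 -> w + 1
        r ^= 0b111
    return r

def f4_inv(x):                    # x^3 = 1 for x != 0, so x^{-1} = x^2
    return f4_mul(x, x)

# F_{4^N} = F_4[y]/(y^3 + y + 1) with N = 3 prime, as Theorem 1.7 requires.
# Elements are coefficient tuples (c0, c1, c2): the vector-space view F_4^N of Section 3.
N = 3
REDUCE = (1, 1, 0)                # y^3 = 1 + y, as coefficients of y^0, y^1, y^2

def ext_add(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def ext_scale(c, a):              # scalar c in F_4 times a in F_{4^N}
    return tuple(f4_mul(c, x) for x in a)

def ext_mul(a, b):
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] ^= f4_mul(ai, bj)
    for deg in range(2 * N - 2, N - 1, -1):   # fold y^deg = y^(deg-N) * (1 + y)
        c, prod[deg] = prod[deg], 0
        for t, m in enumerate(REDUCE):
            prod[deg - N + t] ^= f4_mul(c, m)
    return tuple(prod[:N])

# Homogeneous multilinear quadratic source, equation (2.2): X = sum_{i<j} a_ij Z_i Z_j
# with a_ij in F_{4^N} (dict key (i, j)) and Z in F_4^r.
def evaluate_source(coeffs, z):
    x = (0,) * N
    for (i, j), a in coeffs.items():
        x = ext_add(x, ext_scale(f4_mul(z[i], z[j]), a))
    return x

def image(fn, coeffs, r):
    """All values fn(X) takes as Z ranges over F_4^r."""
    return {fn(evaluate_source(coeffs, z)) for z in product(range(4), repeat=r)}

def disperser(x):
    """E_0(X): first coordinate of sigma_0(X) * sigma_1(X) = X * X^2, computed in F_{4^N}."""
    return ext_mul(x, ext_mul(x, x))[0]

def rank_over_f4(vectors):
    """dim of the F_4-span of vectors in F_4^N (Gaussian elimination)."""
    rows = [list(v) for v in vectors]
    rank = 0
    for col in range(N):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        rows[rank] = list(ext_scale(f4_inv(rows[rank][col]), rows[rank]))
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = list(ext_add(rows[i], ext_scale(rows[i][col], rows[rank])))
        rank += 1
    return rank

def product_coefficients(coeffs):
    """Coefficient set A * A^2 of X * X^2; its monomials Z_i Z_j Z_k^2 Z_l^2 are distinct."""
    A = list(coeffs.values())
    return [ext_mul(a, ext_mul(b, b)) for a in A for b in A]

# Constructed sources with r = 3 inputs (coefficient choices are mine, not the paper's).
SRC_A = {(0, 1): (1, 0, 0), (0, 2): (0, 1, 0), (1, 2): (0, 0, 1)}  # X = (Z0Z1, Z0Z2, Z1Z2)
SRC_B = {(0, 1): (0, 1, 0), (0, 2): (0, 0, 1)}                     # X = (0, Z0Z1, Z0Z2)

if __name__ == "__main__":
    for name, src in (("A", SRC_A), ("B", SRC_B)):
        print(name, "range size", len(image(lambda x: x, src, 3)),
              "dim A", rank_over_f4(src.values()),
              "dim A*A^2", rank_over_f4(product_coefficients(src)),
              "E_0 values", sorted(image(disperser, src, 3)))
```

SRC_A takes 37 distinct values and SRC_B takes 16 = 4^2, so both lie in M[3, 2, 1] and have coefficient sets of dimension at least 2 > 3/2. For SRC_B the plain projection to the first coordinate is the zero function, while the product A·A^2 already has dimension 3 = min{n, 2 + 2 − 1} and the first coordinate of X^3 takes more than one value, which is the whole point of multiplying by the Frobenius image instead of projecting directly.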

A useful criterion for the Weil bound

To get our main result we shall apply the Weil–Carlitz–Uchiyama bound for prefix projections (Corollary 3.5) to a certain polynomial f ∈ F_q[Z], and so we have to ensure that f is not of the "degenerate" form h^p + h + c precluded by that bound. The common way to do this is to require gcd(deg(f), p) = 1 (cf. [14, 10]). However, we have less control over the degree of the polynomial f we need to work with. For this reason, the following lemma will be very helpful to us. It gives us a simple way to "alter" f and get a polynomial that is not of the form h^p + h + c. The proof of the following lemma was shown to us by Swastik Kopparty.
Lemma 5.1 (Criterion for non-degenerateness). Let q = p^ℓ for prime p and let v ≥ 2 be an integer such that p ∤ v. Let f ∈ F_q[Z] be a non-constant polynomial. If f is of the form g^v for some g ∈ F_q[Z], it is not of the form h^p + h + c for any h ∈ F_q[Z] and c ∈ F_q.
Proof. Suppose by way of contradiction there exists a non-constant f ∈ F_q[Z] with f = g^v = h^p + h + c for some g, h ∈ F_q[Z] and c ∈ F_q. Fix such an f with minimal degree d ≥ 1. It follows that deg(g) = d/v and deg(h) = d/p. Taking a derivative in F_q[Z] of all 3 parts of the above equation we get
f' = v · g^{v−1} · g' = h',
where in the rightmost part we used the fact that the derivative of h^p is zero. Notice that v ≠ 0 in F_q since p ∤ v. If g' ≢ 0 then this implies deg(h') ≥ (v − 1) · d/v ≥ d/2 > deg(h'), a contradiction. (For the last inequality we use p ≥ 2 and v ≥ 2.) So g' and h' are the zero polynomial. It is not hard to see that this implies that all powers in g and h are multiples of p. So g = g_1^p and h = h_1^p for some g_1, h_1 ∈ F_q[Z]. (Here we use that a p-th root always exists in F_q.) Since g_1^v has positive degree smaller than deg(f) = d, this contradicts the minimality of d and proves the lemma.
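The following Python script is an added illustration, not code from the paper: it computes the quantity that Theorem 3.1 bounds, the maximum over non-trivial additive characters ψ of |E ψ(f(Z))| for Z uniform over F_16, for a degenerate polynomial h^2 + h + c and for cubes g^3 (Lemma 5.1 with p = 2 and v = 3, the choice of v that the extractor in Section 6 makes when p = 2). The field F_16 = F_2[x]/(x^4 + x + 1), the character encoding and the sample polynomials are my own constructions.

```python
# Added example, not from the paper: additive-character bias over F_16 for a
# degenerate polynomial h^2 + h + c versus a cube g^3 (Lemma 5.1 with p = 2, v = 3).
Q = 16
POLY = 0b10011                    # F_16 = F_2[x]/(x^4 + x + 1); elements are ints 0..15

def gf16_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:              # reduce x^4 -> x + 1
            a ^= POLY
    return r

def poly_mul(p, q):
    """Product of polynomials over F_16 given as coefficient lists (index = power of Z)."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf16_mul(a, b)
    return out

def poly_pow(g, v):
    out = [1]
    for _ in range(v):
        out = poly_mul(out, g)
    return out

def eval_poly(coeffs, z):
    acc = 0
    for c in reversed(coeffs):    # Horner's rule
        acc = gf16_mul(acc, z) ^ c
    return acc

def character(t, a):
    """psi_t(a) = (-1)^{<t, a>}, where <t, a> is the parity of t & a.  Every F_2-linear
    functional on F_16 = F_2^4 has this form, so t = 1..15 enumerate all non-trivial
    additive characters of F_16 (Section 3.1)."""
    return -1 if bin(t & a).count("1") % 2 else 1

def max_bias(coeffs):
    """max over non-trivial psi of |E psi(f(Z))|, Z uniform in F_16: the character-sum
    quantity of Theorem 3.1 divided by q."""
    return max(abs(sum(character(t, eval_poly(coeffs, z)) for z in range(Q))) / Q
               for t in range(1, Q))

def weil_bound(d):
    """(d - 1) * sqrt(q) / q, the Weil-Carlitz-Uchiyama bound for a degree-d polynomial
    that is not of the form h^p + h + c."""
    return (d - 1) * Q ** 0.5 / Q

DEGENERATE = [5, 1, 1]            # Z^2 + Z + 5 = h^2 + h + c with h = Z: the excluded form
CUBE = poly_pow([1, 1], 3)        # (Z + 1)^3: a v-th power, hence non-degenerate by Lemma 5.1

if __name__ == "__main__":
    print("degenerate h^2 + h + c:", max_bias(DEGENERATE))   # 1.0: some psi is constant on f(Z)
    print("cube g^3:", max_bias(CUBE), "<= Weil bound", weil_bound(3))
```

For the degenerate polynomial the trace character is constant on the image of h^2 + h, so the bias is 1 and no prefix projection of it can be close to uniform; for the cube the bias stays within (d − 1)/√q = 1/2, which is exactly the gap that Lemma 5.1 exploits by raising the disperser output to a v-th power before applying Corollary 3.5.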
Reducing the multivariate case to the univariate case, we get the version of the Weil bound we need.
Lemma 5.2. Let q = p^ℓ for a prime p and integer ℓ > 0. Let f(Z_1, …, Z_r) ∈ F_q[Z_1, …, Z_r] be a non-constant polynomial of total degree d < q. Assume that f = g^v for an integer v ≥ 2 with p ∤ v and some g ∈ F_q[Z_1, …, Z_r]. Let m < ℓ be a positive integer. Then E_m(f(U_{F_q^r})) is close to uniform, with the same error as in Corollary 3.5.
Proof. We note first that there must be an a = (a_1, …, a_r) ∈ F_q^r such that the univariate "line restriction" polynomial f_a(Z) = f(a · Z) = f(a_1 · Z, …, a_r · Z) has degree d: the coefficient of Z^d in f_a is f_d(a), where f_d is the d-homogeneous part of f, i.e., the sum of monomials of degree exactly d in f. By the Schwartz–Zippel lemma, as d < q, there is an a ∈ F_q^r such that f_d(a) ≠ 0 and therefore f_a(Z) has degree d. Fix such an a ∈ F_q^r. It follows that for all b = (b_1, …, b_r) ∈ F_q^r, f_{a,b}(Z) = f(a · Z + b) = f(a_1 · Z + b_1, …, a_r · Z + b_r) is non-constant, as the coefficient of Z^d in f_{a,b} is also f_d(a). Furthermore, for any b ∈ F_q^r,
f_{a,b} = f(a_1 · Z + b_1, …, a_r · Z + b_r) = g^v(a_1 · Z + b_1, …, a_r · Z + b_r),
and so f_{a,b} is a v-th power of a polynomial in F_q[Z], and so by Lemma 5.1 is not of the form h^p + h + c for any h ∈ F_q[Z] and c ∈ F_q. As the distribution f(U_{F_q^r}) is a convex combination of the distributions f_{a,b}(U_{F_q}) for the different "shifts" b ∈ F_q^r, the claim now follows from the Weil–Carlitz–Uchiyama bound for prefix projections (Corollary 3.5).

A polynomial-source extractor

We can now state and prove our main technical theorem, which immediately implies our main theorem on extractors for polynomial sources (Theorem 1.5).
Theorem 6.1. Assume that q ≥ 2 · α^2 (here α is a degree bound determined by the parameters d, D, n, k and p). There is an explicit (k, d, D, ε)-polynomial source extractor E : F_q^n → F_p^m with error ε = p^{m/2} · α · q^{−1/2}.
Theorem 1.5 follows from the previous theorem by noticing that for 4 ≤ k ≤ n,
Proof of Theorem 6.1. Choose a prime n' with n ≤ n' ≤ 1.2 · n (which always exists for n ≥ 25 according to Nagura's improvement of the Bertrand–Chebyshev Theorem [19]). Given f(Z_1, …, Z_r) ∈ M[n, k, d] of total degree D we think of f as an element of M[n', k, d] by padding its output with zeros. Let s be the smallest power of p greater than d. Note that s ≤ p · d. Let P : F_q^{n'} → F_q be the polynomial in Theorem 4.5 using s as above. If p = 2 let v = 3 and otherwise let v = 2. Let E : F_q^n → F_p^m be defined as E(x) = E_m(P^v(x)). From Theorem 4.5, P(f(Z)) agrees with a non-constant polynomial in F_q[Z], so P^v(f(Z)) agrees with a v-th power of a non-constant polynomial. Hence, from Lemma 5.2 we see that E_m(P^v(f(U_{F_q^r}))) is ε-close to uniform for the error ε stated in the theorem.

About the authors

Eli Ben-Sasson graduated from the Hebrew University in 2001. His advisor was Avi Wigderson. He believes that the internet has killed the ritual of "telling a joke" (as opposed to forwarding it). He is sometimes described as "relaxed" though feels stressed, and enjoys the company of his wife and four kids.

Ariel Gabizon (https://sites.google.com/site/arielgabizon1/) graduated from the Weizmann Institute in 2008. His advisors were Ran Raz and Ronen Shaltiel. He is interested in using nice algebraic techniques for computer science problems, and in figuring out how powerful the randomized complexity classes are. He is a big supporter of practicing Vipassana meditation, and humanity gradually becoming vegan. He loves anything to do with creativity and free expression, like theater improv, singing, writing songs and dancing.