Papers
Topics
Authors
Recent
Search
2000 character limit reached

Robust Extractors

Updated 4 July 2026
  • Robust extractors are techniques designed to extract randomness, features, or structured data correctly even under noise, adversarial interference, and data perturbations.
  • They are applied across various settings—including randomness extraction, fuzzy extraction, web information extraction, and adversarial feature learning—each specifying its own failure model.
  • Methodologies such as leakage resilience, quantum-proof extraction, DOM pruning, and loss-guided data augmentation illustrate practical strategies for balancing accuracy and robustness.

Robust extractors are methods designed to preserve extraction quality under noise, uncertainty, adversarial interference, or distribution shift. The term is used in several distinct technical literatures: randomness extraction under weak or leaked entropy; fuzzy extraction from noisy biometric-style sources; information extraction from illicit, perturbed, or heterogeneous web data; structured web extraction under DOM churn; and feature extraction for adversarially robust representation learning. Across these settings, the common objective is not merely to extract information, randomness, or features, but to do so while maintaining correctness under explicitly modeled failure modes such as concept drift, structured leakage, bounded perturbations, malformed HTML, or helper-data tampering (Kejriwal et al., 2017).

1. Conceptual scope and recurring robustness criteria

The notion of robustness varies by field, but the recurring pattern is explicit resilience against structured deviations from an idealized source. In randomness extraction, robustness refers to security under computationally bounded generation, quantum side information, adversarial leakage, or heavy-point violations of min-entropy assumptions (Chattopadhyay et al., 2020). In fuzzy extractors, robustness means that tampering with helper data is detectable even when reconstruction must tolerate noisy source readings, and the strongest formulations combine robustness with reusability across multiple uses of the same source (0807.0799). In information extraction and web extraction, robustness refers to stability under atypical language, long-tail mentions, boilerplate, layout drift, and heterogeneous document structure (Zhu et al., 5 Mar 2025).

A useful way to compare the main usages is to distinguish the object being extracted, the perturbation model, and the guarantee being sought.

Area Extracted object Robustness target
Randomness extraction Nearly uniform bits Leakage, small-space sampling, quantum side information, heavy points
Fuzzy extraction Stable secret key from noisy source Helper-data tampering, reuse, post-application attacks
Information extraction Entities, attributes, relations, events Concept drift, perturbations, obfuscation, domain shift
Web structured extraction Schema fields or answers from HTML Boilerplate, DOM churn, malformed HTML, cross-site variation
Feature extraction Representations for classification White-box adversaries, local perturbations, noisy manifolds

This suggests a family resemblance rather than a single formal object. A plausible implication is that “robust extractor” has become a cross-disciplinary label for extraction mechanisms whose performance guarantee is stated relative to an explicit nuisance model rather than only on clean or i.i.d. inputs.

2. Randomness extraction under weak sources, leakage, and noisy measurements

In theoretical computer science and cryptography, robust extractors strengthen standard extractor guarantees by tolerating structural defects in the source model. For small-space sources over nn bits, a space-ss source is sampled by a width-2s2^s, length-nn branching program, and the min-entropy is H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x]). An explicit seedless extractor exists in the polynomial-error regime when kslogCnk \geq s \cdot \log^C n, with output length m=(k/s)Ω(1)m=(k/s)^{\Omega(1)} and error ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}; in the negligible-error regime, for any fixed δ(0,1/2]\delta\in(0,1/2], there is an explicit seedless extractor when kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}, with output length ss0 and error ss1 (Chattopadhyay et al., 2020). The underlying techniques include a reduction from small-space sources to affine sources and, for negligible error, a framework combining leakage-resilient “cylinder intersection” extractors with explicit extremal designs (Chattopadhyay et al., 2020).

A more recent line strengthens the leakage model further. For ss2 independent ss3-bit sources with only ss4 good sources, an explicit extractor ss5 outputs ss6 bits with error ss7 when the good sources have min-entropy ss8, and the guarantee remains valid even given the transcript of a bounded-communication number-on-forehead protocol (Chattopadhyay et al., 14 Jun 2025). The robustness notion is information-theoretic: for any such protocol ss9, if 2s2^s0 is its transcript, then

2s2^s1

The paper relates this leakage model to multi-source non-malleable extraction and presents strong average-case lower bounds against NOF distinguishers (Chattopadhyay et al., 14 Jun 2025).

Quantum side information yields another robustness axis. A quantum-proof strong seeded extractor 2s2^s2 is required to satisfy

2s2^s3

for every cq-state 2s2^s4 with 2s2^s5. One explicit construction attains seed length 2s2^s6, min-entropy requirement 2s2^s7, and output length 2s2^s8 (Chung et al., 2016). In the multi-source setting, the quantum Markov model requires 2s2^s9, and any classical multi-source extractor remains secure in that model with per-source entropy overhead nn0 and error at most nn1 (Arnon et al., 2015). For two-source extraction specifically, the Dodis–Elbaz–Oliveira–Raz extractor achieves the same parameters against quantum product-type side information as in the classical case, and in the quantum Markov model it satisfies

nn2

with output length

nn3

(Miller et al., 7 Mar 2025)

A different but related robustness notion appears in “robust extractors” for hardness-of-sampling. Here the extractor must remain sound even when a small number of points violate the min-entropy constraint. Formally, an nn4-robust extractor for a class nn5 requires both the usual extractor property and the existence of an output nn6 such that for every nn7,

nn8

where nn9 is the set of “light” points. This one-sided robustness enables explicit distributions that are H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])0-far in total variation distance from the outputs of low-degree polynomial sources, small-space sources, communication sources, and related restricted samplers (Byramji et al., 28 Apr 2026).

Fuzzy extractors adapt robustness to noisy physical sources. In the classical robust fuzzy-extractor model, H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])1 outputs a key H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])2 and helper data H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])3, while H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])4 recovers H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])5 when H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])6 is close to H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])7. Post-application robustness requires security even if H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])8 is revealed before the adversary tampers with H(X)=k:=minxlog(1/Pr[X=x])H_\infty(X)=k:=\min_x \log(1/\Pr[X=x])9. One construction extracts up to kslogCnk \geq s \cdot \log^C n0 bits in the exact case, improving the previously best known kslogCnk \geq s \cdot \log^C n1 bound (0807.0799). More recently, for structured kslogCnk \geq s \cdot \log^C n2-sources, strongly robust and reusable fuzzy extractors were constructed in the standard model using a sample-then-lock design and an information-theoretic one-time MAC resistant to key-shift attacks; the robustness bound is

kslogCnk \geq s \cdot \log^C n3

(Panja et al., 2024)

3. Information extraction under perturbation, obfuscation, and concept drift

In information extraction, robust extractors are designed for domains where standard NLP assumptions fail. In illicit web domains such as human trafficking advertisements, pages exhibit deliberate misspellings, non-random obfuscation, unusual token sequences, sparse content, Unicode and punctuation noise, long-tail attribute distributions, and strong concept drift across sites and time (Kejriwal et al., 2017). A lightweight, feature-agnostic paradigm addresses this by combining high-recall recognizers with contextual classification trained on word representations learned from raw unlabeled text. The method uses Random Indexing with kslogCnk \geq s \cdot \log^C n4, kslogCnk \geq s \cdot \log^C n5, and a symmetric kslogCnk \geq s \cdot \log^C n6 context window, groups rare tokens into compound units such as high-idf-units, pure-num-units, alpha-num-units, pure-punct-units, alpha-punct-units, and nonascii-unicode-units, then trains a random forest classifier with 10 trees and kslogCnk \geq s \cdot \log^C n7 ANOVA feature selection (Kejriwal et al., 2017).

The empirical results are framed explicitly as robustness evidence. On five annotated human-trafficking datasets, the proposed method outperformed feature-centric CRF baselines by almost kslogCnk \geq s \cdot \log^C n8 F1 on average in both low- and high-supervision settings. In the low-supervision regime with kslogCnk \geq s \cdot \log^C n9 training data, the proposed method achieved average m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}0, versus m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}1 for the re-trained CRF and m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}2 for the pre-trained CRF (Kejriwal et al., 2017). Concept drift was operationalized through corpus growth from D-10K to D-ALL, and average F1 degradation remained under m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}3 as the raw corpus expanded by a factor of 18, from m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}4M to m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}5M tokens (Kejriwal et al., 2017).

Universal Information Extraction generalizes the setting to entities, relations, and events. Robustness here is defined as maintaining extraction performance under semantically consistent perturbations such as Replace Entity, Replace Triple, Replace Trigger, Change Context, Extend Sentence, Typo Injection, and Lowercase Conversion (Zhu et al., 5 Mar 2025). RUIE-Bench contains 11,580 adversarial examples with 14 perturbation types across NER, RE, and ED, generated primarily with GPT-4 and validated manually (Zhu et al., 5 Mar 2025). Evaluation is based on span-based offset Micro F1, with robustness measured by the drop from clean to perturbed settings. Existing UIE systems and LLMs show substantial degradation; for example, KnowCoder-7B has NER drop m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}6, RE drop m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}7, and ED drop m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}8, while KnowCoder-7B-Robust_LDA reduces these to m=(k/s)Ω(1)m=(k/s)^{\Omega(1)}9, ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}0, and ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}1, respectively (Zhu et al., 5 Mar 2025).

The proposed solution is Loss-guided Data Augmentation, which iteratively selects hard adversarial examples by inference loss: ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}2 The algorithm sorts augmented examples by ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}3, selects the top ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}4, fine-tunes, halves ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}5, and stops when validation improvement is less than ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}6 (Zhu et al., 5 Mar 2025). Training with only ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}7 of the augmented data yields an average ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}8 relative performance improvement across NER, RE, and ED, and on unseen data the LDA variant attains average Micro F1 ϵ=nΩ(1)\epsilon=n^{-\Omega(1)}9, outperforming the full augmented model’s δ(0,1/2]\delta\in(0,1/2]0 (Zhu et al., 5 Mar 2025). This suggests that robustness in extraction can be improved not only by larger perturbation sets but also by prioritizing perturbations that expose brittle decision rules.

4. Robust web structured extraction through DOM pruning, grounding, and reusable wrappers

For web structured extraction, robustness is primarily architectural: the extractor must resist boilerplate, malformed or deeply nested HTML, multilingual content, layout drift, and domain shift while preserving traceability to source nodes. AXE treats the HTML DOM as a tree to be pruned rather than as plain text to be read, producing a distilled HTML context for a δ(0,1/2]\delta\in(0,1/2]1B Qwen model and grounding outputs by Grounded XPath Resolution (GXR) (Mansour et al., 2 Feb 2026). The pruner selects relevant mini-chunks under a token budget, and GXR maps each predicted field value δ(0,1/2]\delta\in(0,1/2]2 to an XPath δ(0,1/2]\delta\in(0,1/2]3 using lexical and fuzzy matching. On SWDE, AXE reaches zero-shot F1 δ(0,1/2]\delta\in(0,1/2]4, with token reduction from δ(0,1/2]\delta\in(0,1/2]5 preprocessed tokens to δ(0,1/2]\delta\in(0,1/2]6 after pruning, a δ(0,1/2]\delta\in(0,1/2]7 decrease (Mansour et al., 2 Feb 2026). Ablations show that removing GXR reduces SWDE F1 from δ(0,1/2]\delta\in(0,1/2]8 to δ(0,1/2]\delta\in(0,1/2]9, while removing the specialized adaptors reduces it to kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}0 (Mansour et al., 2 Feb 2026).

Co-Scraper emphasizes a different robustness target: reusable scraper synthesis under DOM churn. It first performs query-aware DOM pruning with Qwen-HTML, reducing average SWDE page length from kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}1K tokens to kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}2K tokens, then synthesizes multi-field wrappers from three pruned seed pages per site (Wang et al., 12 Jun 2026). The induced programs prioritize unique attributes, stable parent anchors, and text-matching fallbacks. On SWDE, Co-Scraper achieves end-to-end F1 kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}3 on the out-of-domain University split and kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}4 on the non-University split, with field-level reuse success kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}5 and kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}6, respectively (Wang et al., 12 Jun 2026). This framework treats robustness operationally: the output is not only a prediction but an executable wrapper that survives moderate structural variation.

A related program-synthesis perspective is provided by Landmarks and Regions. Instead of processing whole documents globally, LRSyn first finds stable landmarks, defines a region of interest kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}7, summarizes the region by a blueprint, and then synthesizes a local extraction program (Parthasarathy et al., 2022). The extraction semantics iterate through tuples kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}8, locating a landmark, deriving a region, checking blueprint similarity, and extracting a field only when kCn1/2+δs1/2δk \geq C \cdot n^{1/2+\delta} \cdot s^{1/2-\delta}9 (Parthasarathy et al., 2022). On HTML itineraries, the method achieves F1 above ss00 on all 53 longitudinal fields and perfect ss01 F1 on 49 of them; on image-based M2H documents, with only 10 training images per field, it achieves average F1 ss02 versus ss03 for Azure Form Recognizer (Parthasarathy et al., 2022). The result is a robust extractor in the narrow sense that unrelated global format changes are intentionally excluded from the decision process.

A broader preprocessing perspective appears in HTML-to-text extraction for LLM pretraining. Different extractors—resiliparse, trafilatura, and jusText—lead to substantially different surviving page sets under the same filtering pipeline: only ss04 of pages survive across more than one extractor, and ss05 are unique to a single extractor (Li et al., 23 Feb 2026). A union-of-extractors intervention increases token yield by up to ss06 while maintaining general benchmark performance, and for structured content the extractor choice causes differences of up to 10 percentage points on WikiTQ and 3 percentage points on HumanEval (Li et al., 23 Feb 2026). This suggests that robustness at web scale may require extractor diversity rather than commitment to a single universal heuristic.

5. Robust feature extractors in adversarial and geometric representation learning

In machine learning, robust extractors are feature mappings designed to suppress perturbation-sensitive structure while preserving task-relevant information. Robust Transferable Feature Extractors are adversarially trained pre-processing networks ss07 placed in front of frozen classifiers ss08, so that ss09 remains accurate under white-box attacks (Cann et al., 2022). Training fixes the classifier and optimizes ss10 using adversarial examples generated on the composite model: ss11 while minimizing a Huber logit loss between defended and clean logits (Cann et al., 2022). On CIFAR-10 with a ResNet-18 guide and PGD-20, RTFE reaches robust accuracy ss12 at ss13, compared with ss14 for adversarial training and ss15 for joint adversarial training (Cann et al., 2022). Its defining robustness property is transfer: when trained with ResNet-18 on CIFAR-10, the same RTFE gives defended ResNet-18 robust accuracy ss16 and defended MobileNetV2 robust accuracy ss17 at ss18, whereas the JAT defense does not transfer (Cann et al., 2022).

A different formulation is the Robust Information Bottleneck, which augments the classical information bottleneck with a Fisher-information penalty ss19 to control local sensitivity of extracted features ss20 to input perturbations (Pensia et al., 2019). The MI-based objective is

ss21

and a simplified version sets ss22 (Pensia et al., 2019). The paper shows that local KL change satisfies

ss23

and that ss24, so robustness of features transfers to robustness of the downstream classifier (Pensia et al., 2019). In the Gaussian case, the optimal robust feature is jointly Gaussian and linear-plus-noise. Empirically, InAE-like robustness trade-offs reappear: on MNIST, InAE achieves error ss25, improving over DAE at ss26 and CAE at ss27, while on CIFAR-10 it reaches ss28 versus ss29 for DAE and ss30 for CAE (Li et al., 2017).

Incremental Auto-Encoders pursue robustness through manifold contraction. They retain denoising-autoencoder reconstruction from corrupted inputs but add a graph-diffusion reversal term. The noisy feature manifold ss31 is modeled by

ss32

with implicit update

ss33

or equivalently through the regularizer

ss34

(Li et al., 2017) The paper argues that DAE reconstruction alone may leave a noisy feature manifold, whereas iterative contraction yields more discriminative and stable representations (Li et al., 2017).

6. Limitations, tensions, and open directions

Across these literatures, robustness is always paired with a constraint. In randomness extraction, stronger robustness models still leave bottlenecks: negligible-error affine extractors remain unavailable at low entropy, the reduction to total-entropy sources faces a ss35 barrier, and explicit hardness for ss36 sources remains open (Chattopadhyay et al., 2020). In quantum and multi-source extraction, the Markov assumption is essential for the fully general lifting theorem, and extending security beyond quantum Markov or product-type side information remains open (Arnon et al., 2015). In robust-extractor-based hardness of sampling, improving the ss37 lower bound from ss38 toward ss39 is explicitly identified as an open challenge (Byramji et al., 28 Apr 2026).

For fuzzy extractors, robustness and reusability come with entropy and helper-data costs. In the setup-free, information-theoretic model, post-application robust extraction is impossible when ss40, and the fuzzy setting further loses entropy to secure sketches and error-ball volume (0807.0799). The structured-source srrFE constructions mitigate this with sample-then-lock techniques, but require CRS and source families satisfying the ss41-property, leaving general low-entropy sources beyond reach (Panja et al., 2024).

In information extraction and web extraction, the central limitation is coverage. Illicit-domain IE still struggles with ambiguous tokens and weak local context, while universal IE robustness benchmarks do not yet cover all real-world noise types (Kejriwal et al., 2017). AXE depends on static HTML unless a renderer is introduced, and Co-Scraper remains vulnerable to radical template churn, login-gated content, and heavy client-side rendering (Mansour et al., 2 Feb 2026). HTML-to-text extraction for pretraining reveals that even strong general-language performance can mask substantial extractor-induced coverage differences, especially for tables and code (Li et al., 23 Feb 2026). A plausible implication is that future “robust extractor” designs will increasingly combine multiple extractors, explicit grounding, and task-aware selection policies rather than rely on a single extractor family.

In representation learning, robustness also trades off against utility. The Robust Information Bottleneck formalizes an accuracy–robustness tension via Fisher information and van Trees–type bounds, while RTFEs often sacrifice clean accuracy to gain white-box robustness and transferability (Pensia et al., 2019). Incremental Auto-Encoders assume a graph-based manifold model whose quality depends on the neighborhood graph, and adversarial defenses based on PGD remain empirical rather than certified (Li et al., 2017).

Taken together, the literature indicates that robust extraction is not one technique but a design principle: specify the nuisance model, make the failure mode explicit, and tie extraction quality to that model rather than to clean-input performance alone.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Robust Extractors.