Abstract
Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption and memory delegation. The most important tools for arguing about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving the best known parameters. Our version allows the acceptable length of leakage in applications to be increased by up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations.
Krzysztof Pietrzak—Research supported by ERC starting grant (259668-PSPC).
Maciej Skórski—Research supported by the Ideas for Poland grant 2/2011 from the Foundation for Polish Science.
Notes
1. Let us stress that using the same letter Z for the second component in (X, Z) and (Y, Z) means that we require the marginal distribution Z of (X, Z) and of (Y, Z) to be the same.
2. We consider the security of AES256 as a weak PRF, and not as a standard PRF, because of non-uniform attacks which show that no PRF with a k bit key can have \(s/\epsilon \approx 2 ^k\) security [DTT09], at least unless we additionally require \(\epsilon \gg 2^{-k/2}\).
3. Consider e.g. RSA: given our current understanding of the hardness of factoring, \(\epsilon \) goes from basically 0 to 1 as the running time s reaches the time required to run the best factoring algorithms. In any case, it is not reasonable to assume that \(s/\epsilon \) is almost constant over the entire range of s.
4. It might be hard to find a high min-entropy distribution Y that fools a randomised distinguisher D, but this task can become easy once D’s randomness is fixed.
References
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput. 13(4), 850–864 (1984)
Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003)
Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. Cryptology ePrint Archive, Report 2011/273 (2011). http://eprint.iacr.org/
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302 (2008)
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography in the standard model. IACR Cryptology ePrint Archive 2008, 240 (2008)
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)
De, A., Trevisan, L., Tulsiani, M.: Non-uniform attacks against one-way functions and PRGs. Electron. Colloquium Comput. Complex. (ECCC) 16, 113 (2009)
Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013)
Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. Cryptology ePrint Archive, Report 2012/005 (2012). http://eprint.iacr.org/
Fuller, B., Reyzin, L.: Computational entropy and information leakage. Cryptology ePrint Archive, Report 2012/466 (2012). http://eprint.iacr.org/
Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. Cryptology ePrint Archive, Report 2010/610 (2010). http://eprint.iacr.org/
Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC 2011, pp. 99–108 (2011)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007)
Haitner, I., Reingold, O., Vadhan, S.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, pp. 437–446. ACM, New York (2010)
Jetchev, D., Pietrzak, K.: How to fake auxiliary input. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 566–590. Springer, Heidelberg (2014)
Krenn, S., Pietrzak, K., Wadia, A., Wichs, D.: A counterexample to the chain rule for conditional HILL entropy. IACR Cryptology ePrint Archive 2014, 678 (2014)
Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton Computer Science Notes. Princeton University Press, Princeton (1996)
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)
Reyzin, L.: Some notions of entropy for cryptography (invited talk). In: Fehr, S. (ed.) ICITS 2011. LNCS, vol. 6673, pp. 138–142. Springer, Heidelberg (2011)
Reingold, O., Trevisan, L., Tulsiani, M., Vadhan, S.P.: Dense subsets of pseudorandom sets. In: Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, pp. 76–85. IEEE Computer Society, Washington, DC (2008)
Skórski, M., Golovnev, A., Pietrzak, K.: Condensed unpredictability. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015. LNCS, vol. 9134, pp. 1046–1057. Springer, Heidelberg (2015)
Skorski, M.: Metric pseudoentropy: characterizations, transformations and applications. In: Lehmann, A., Wolf, S. (eds.) Information Theoretic Security. LNCS, vol. 9063, pp. 105–122. Springer, Heidelberg (2015)
Vadhan, S., Zheng, C.J.: A uniform min-max theorem with applications in cryptography. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 93–110. Springer, Heidelberg (2013)
Yao, A.C.-C.: Theory and applications of trapdoor functions (extended abstract). In: FOCS, pp. 80–91 (1982)
A Time-Success Ratio Analysis
A.1 Chain Rule Given by Vadhan and Zheng
Theorem 4 (Time-success Ratio for Chain Rule (e)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where
and this is the best possible bound guaranteed by chain rule (e).
Proof (of Theorem 4). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-\delta ^{-2}-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) when \(\epsilon , \delta , s\) are chosen in the most favourable way possible. Therefore, we want to solve the following min-max problem
First, we note that
Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-m}{5}}\) and \(\epsilon ' > 2^{-\frac{k-2m}{3}}\) to guarantee that \(s' > 0\). Now, for \(\delta = \varTheta (\epsilon ')\) we get
provided that \(\epsilon ' \gg 2^{-\frac{k-m}{5}}\) and \(\epsilon ' \gg 2^{-\frac{k-2m}{3}}\). \(\square \)
A.2 Chain Rule Given by Jetchev and Pietrzak
Theorem 5 (Time-success Ratio for Chain Rule (d)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where
and this is the best possible bound guaranteed by chain rule (d).
Proof (of Theorem 5). Suppose that we have \(s' = s\cdot 2^{-3m}\delta ^2-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) when \(\epsilon , \delta , s\) are chosen in the most favourable way possible. Therefore, we want to solve the following min-max problem
First, we note that
Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-4m}{3}}\) to guarantee that \(s' > 0\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have
provided that \(\epsilon ' \gg 2^{-\frac{k-4m}{3}}\). \(\square \)
A.3 Chain Rule Given by Gentry and Wichs
Theorem 6 (Time-success Ratio for Chain Rule (f)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where
and this is the best possible bound guaranteed by chain rule (f).
Proof (of Theorem 6). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) when \(\epsilon , \delta , s\) are chosen in the most favourable way possible. Therefore, we want to solve the following min-max problem
First, we note that
Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-2m}{3}}\) to guarantee that \(s' > 0\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have
provided that \(\epsilon ' \gg 2^{-\frac{k-2m}{3}}\). \(\square \)
A.4 Chain Rule Given by Fuller and Reyzin
Theorem 7 (Time-success Ratio for Chain Rule (c)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where
and this is the best possible bound guaranteed by chain rule (c).
Proof (of Theorem 7). Suppose that we have \(s' = s\cdot \delta ^2\) and \(\epsilon '=2^{m}\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) when \(\epsilon , \delta , s\) are chosen in the most favourable way possible. Therefore, we want to solve the following min-max problem
First, we note that
Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-m}{3}}\) to guarantee that \(s' > 1\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have
provided that \(\epsilon ' > 2^{-\frac{k-m}{3}}\). \(\square \)
A.5 Chain Rule in This Paper
Theorem 8 (Time-success Ratio for Chain Rule (g)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where
and this is the best possible bound guaranteed by chain rule (g).
Proof (of Theorem 8). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-2^{m}\delta ^2\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) when \(\epsilon , \delta , s\) are chosen in the most favourable way possible. Therefore, we want to solve the following min-max problem
First, we note that
Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-(k-2m)}\) and \(\epsilon ' > 2^{-\frac{k-m}{3}}\) to guarantee that \(s' > 0\). Setting \(\delta = \varTheta (\epsilon ')\) we obtain
provided that \(\epsilon ' \gg 2^{-(k-2m)}\) and \(\epsilon ' > 2^{-\frac{k-m}{3}}\). If t is the security level, we must have \(t < \min \left( k-2m,\frac{k-m}{3}\right) \) and \(k-m-2t > t\). \(\square \)
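The optimisation in the proof of Theorem 8, carried out explicitly as an added illustration (this calculation is not part of the paper, which states only the \(\varTheta \)-form; the explicit constants below are those of this worked calculation and are immaterial for the final asymptotic constraints). Take the weakest admissible assumption on X, i.e. \(s = 2^{k}\epsilon \), write \(\epsilon = \epsilon '-\delta \) with \(0<\delta <\epsilon '\), and substitute into \(s' = s\cdot 2^{-m}\delta ^2-2^{m}\delta ^2\):
\[
\frac{s'}{\epsilon '} \;=\; \frac{2^{k-m}(\epsilon '-\delta )\delta ^2 \;-\; 2^{m}\delta ^2}{\epsilon '} .
\]
For fixed \(\epsilon '\) the leading term \((\epsilon '-\delta )\delta ^2 = \epsilon '\delta ^2-\delta ^3\) has derivative \(\delta (2\epsilon '-3\delta )\), so it is maximised at \(\delta = \tfrac{2}{3}\epsilon '\), which is the choice \(\delta = \varTheta (\epsilon ')\) made in the proof. Substituting gives
\[
\frac{s'}{\epsilon '} \;=\; \frac{4}{27}\,2^{k-m}\,\epsilon '^{\,2} \;-\; \frac{4}{9}\,2^{m}\,\epsilon ' .
\]
The two side conditions of the proof follow from the same expression: \(s'>0\) holds iff \(2^{k-m}(\epsilon '-\delta ) > 2^{m}\), i.e. \(\epsilon '-\delta > 2^{-(k-2m)}\), which forces \(\epsilon ' > 2^{-(k-2m)}\); and a non-trivial distinguisher, \(s' \geqslant 1\), requires \(\tfrac{4}{27}\,2^{k-m}\epsilon '^{\,3} \gtrsim 1\), i.e. \(\epsilon ' \gtrsim 2^{-\frac{k-m}{3}}\) up to a constant. Finally, writing \(\epsilon ' = 2^{-t}\) and demanding \(s'/\epsilon ' \geqslant 2^{t}\),
\[
\frac{4}{27}\,2^{\,k-m-2t} \;-\; \frac{4}{9}\,2^{\,m-t} \;\geqslant\; 2^{t},
\]
which holds (up to the constants) exactly when the leading term dominates the security level, \(k-m-2t > t\), and the subtracted term is negligible against it, \(2^{m-t} \ll 2^{k-m-2t}\), i.e. \(t < k-2m\). These are the two constraints \(t<\min \left( k-2m,\frac{k-m}{3}\right) \) and \(k-m-2t>t\) stated at the end of the proof.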
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Pietrzak, K., Skórski, M. (2015). The Chain Rule for HILL Pseudoentropy, Revisited. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. Lecture Notes in Computer Science, vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_5
DOI: https://doi.org/10.1007/978-3-319-22174-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22173-1
Online ISBN: 978-3-319-22174-8