The Chain Rule for HILL Pseudoentropy, Revisited

Abstract

Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations.

Krzysztof Pietrzak—Research supported by ERC starting grant (259668-PSPC).

Maciej Skórski—Research supported by the Ideas for Poland grant 2/2011 from the Foundation for Polish Science.

A Time-Success Ratio Analysis

1.1 A.1 Chain Rule Given by Vadhan and Zheng

Theorem 4

(Time-success Ratio for Chain Rule (e)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where

$$\begin{aligned} t = \frac{k}{5}-\frac{m}{5} \end{aligned}$$

(14)

and this is the best possible bound guaranteed by chain rule (e).

Proof

(Proof of Theorem 4 ). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-\delta ^{-2}-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) under the assumption that \(\epsilon , \delta , s\) can be chosen in the possibly most plausible way. Therefore, we want to solve the following min-max problem

$$\begin{aligned} {\begin{array}{lll} \underset{\epsilon ',s'}{\mathrm {min}} &{}\underset{s,\epsilon ,\delta }{\mathrm {max}} &{} \frac{s'}{\epsilon '} \\ \mathrm {s.t.} &{}&{} \frac{s}{\epsilon } = 2^{k}, \ \epsilon +\delta = \epsilon ',\ s' = s\cdot 2^{-m}\delta ^2-\delta ^{-2}-2^{m} \\ \end{array}} \end{aligned}$$

(15)

First, we note that

$$\begin{aligned} s' = 2^{k-m}(\epsilon '-\delta )\delta ^2-\delta ^{-2} -2^{m} \end{aligned}$$

Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-m}{5}}\) and \(\epsilon ' > 2^{-\frac{k-2m}{3}}\) to guarantee that \(s' > 0\). Now, for \(\delta = \varTheta (\epsilon ')\) we get

$$\begin{aligned} \frac{s'}{\epsilon '} = \varOmega \left( 2^{k-m}\epsilon '^{2}-\epsilon '^{-3} - 2^{m}\epsilon '^{-1}\right) = \varOmega \left( 2^{\max \left( \frac{3}{5}\cdot (k-m), \frac{k+m}{3} \right) } \right) \end{aligned}$$

(16)

provided that \(\epsilon ' \gg 2^{-\frac{k-m}{5}}\) and \(\epsilon ' \gg 2^{-\frac{k-2m}{3}}\).    \(\square \)

1.2 A.2 Chain Rule Given by Jetchev and Pietrzak

Theorem 5

(Time-success Ratio for Chain Rule (d)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where

$$\begin{aligned} t = \frac{k}{3}-\frac{4m}{3} \end{aligned}$$

(17)

and this is the best possible bound guaranteed by chain rule (d).

Proof

(Proof of Theorem 5 ). Suppose that we have \(s' = s\cdot 2^{-3m}\delta ^2-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) under the assumption that \(\epsilon , \delta , s\) can be chosen in the possibly most plausible way. Therefore, we want to solve the following min-max problem

$$\begin{aligned} {\begin{array}{lll} \underset{\epsilon ',s'}{\mathrm {min}}&{}\underset{s,\epsilon ,\delta }{\mathrm {max}} &{} \frac{s'}{\epsilon '} \\ \mathrm {s.t.} &{}&{} \frac{s}{\epsilon } = 2^{k}, \ \epsilon +\delta = \epsilon ',\ s' = s\cdot 2^{-3m}\delta ^2-2^{m} \\ \end{array}} \end{aligned}$$

(18)

First, we note that

$$\begin{aligned} s' = 2^{k-3m}(\epsilon '-\delta )\delta ^2-2^{m} \end{aligned}$$

Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-4m}{3}}\) to guarantee that \(s' > 0\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have

$$\begin{aligned} \frac{s'}{\epsilon '} = \varOmega \left( 2^{k-m}\epsilon '^{2}\right) -2^{m}\epsilon '^{-1} = \varOmega \left( 2^{\frac{k-2m}{3}}\right) \end{aligned}$$

(19)

provided that \(\epsilon ' \gg 2^{-\frac{k-4m}{3}}\).    \(\square \)

1.3 A.3 Chain Rule Given by Gentry and Wichs

Theorem 6

(Time-success Ratio for Chain Rule (f)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where

$$\begin{aligned} t = \frac{k}{3}-\frac{2m}{3} \end{aligned}$$

(20)

and this is the best possible bound guaranteed by chain rule (f).

Proof

(Proof of Theorem 6 ). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-2^{m}\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) under the assumption that \(\epsilon , \delta , s\) can be chosen in the possibly most plausible way. Therefore, we want to solve the following min-max problem

$$\begin{aligned} {\begin{array}{lll} \underset{\epsilon ',s'}{\mathrm {min}}&{} \underset{s,\epsilon ,\delta }{\mathrm {max}} &{} \frac{s'}{\epsilon '} \\ \mathrm {s.t.} &{}&{} \frac{s}{\epsilon } = 2^{k}, \ \epsilon +\delta = \epsilon ',\ s' = s\cdot 2^{-m}\delta ^2-2^{m} \\ \end{array}} \end{aligned}$$

(21)

First, we note that

$$\begin{aligned} s'&= 2^{k-m}(\epsilon '-\delta )\delta ^2-2^{m} \end{aligned}$$

Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-2m}{3}}\) to guarantee that \(s' > 0\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have

$$\begin{aligned} \frac{s'}{\epsilon '} = \varOmega \left( 2^{k-m}\epsilon '^{2}\right) -2^{m}\epsilon '^{-1} = \varOmega \left( 2^{\frac{k+m}{3}}\right) \end{aligned}$$

(22)

provided that \(\epsilon ' \gg 2^{-\frac{k-2m}{3}}\).    \(\square \)

1.4 A.4 Chain Rule Given by Fuller and Reyzin

Theorem 7

(Time-success Ratio for Chain Rule (c)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where

$$\begin{aligned} t = \frac{k}{3}-\frac{m}{3} \end{aligned}$$

(23)

and this is the best possible bound guaranteed by chain rule (c).

Proof

(Proof of Theorem 7 ). Suppose that we have \(s' = s\cdot \delta ^2\) and \(\epsilon '=2^{m}\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) under the assumption that \(\epsilon , \delta , s\) can be chosen in the possibly most plausible way. Therefore, we want to solve the following min-max problem

$$\begin{aligned} {\begin{array}{lll} \underset{\epsilon ',s'}{\mathrm {min}} &{} \underset{s,\epsilon ,\delta }{\mathrm {max}} &{} \frac{s'}{\epsilon '} \\ \mathrm {s.t.} &{}&{} \frac{s}{\epsilon } = 2^{k}, \ 2^{m}\epsilon +\delta = \epsilon ',\ s' = s\cdot \delta ^2 \\ \end{array}} \end{aligned}$$

(24)

First, we note that

$$\begin{aligned} s'&= 2^{k-m}(\epsilon '-\delta )\delta ^2 \end{aligned}$$

Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-\frac{k-m}{3}}\) to guarantee that \(s' > 1\). Now, setting \(\delta = \varTheta (\epsilon ')\) we have

$$\begin{aligned} \frac{s'}{\epsilon '} = \varOmega \left( 2^{k-m}\epsilon '^{2}\right) = \varOmega \left( 2^{\frac{k-m}{3}}\right) \!\!, \end{aligned}$$

(25)

provided that \(\epsilon ' > 2^{-\frac{k-m}{3}}\).   \(\square \)

1.5 A.5 Chain Rule in This Paper

Theorem 8

(Time-success Ratio for Chain Rule (g)). Suppose that X has n bits of HILL entropy of quality \((s,\epsilon )\) for every \(s/\epsilon \geqslant 2^{k}\). Then X conditioned on leakage of m bits has \(n-m\) bits of HILL entropy of quality \((s',\epsilon ')\) for every \(s'/\epsilon ' \geqslant 2^{t}\) where

$$\begin{aligned} t = \frac{k}{3}-\frac{m}{3} \end{aligned}$$

(26)

and this is the best possible bound guaranteed by chain rule (g).

Proof

(Proof of Theorem 8 ). Suppose that we have \(s' = s\cdot 2^{-m}\delta ^2-2^{m}\delta ^2\) and \(\epsilon '=\epsilon +\delta \). We want to find the minimum value of the ratio \(\frac{s'}{\epsilon '}\) under the assumption that \(\epsilon , \delta , s\) can be chosen in the possibly most plausible way. Therefore, we want to solve the following min-max problem

$$\begin{aligned} \begin{array}{llll} \underset{\epsilon ',s'}{\mathrm {min}} &{} \underset{s,\epsilon ,\delta }{\mathrm {max}} &{} \frac{s'}{\epsilon '} &{}\\ \mathrm {s.t.} &{}&{} \frac{s}{\epsilon } = 2^{k}, \ \epsilon +\delta = \epsilon ',\ s' = s\cdot 2^{-m}\delta ^2-2^{m}\delta ^2 &{}\\ \end{array} \end{aligned}$$

(27)

First, we note that

$$\begin{aligned} s'&= 2^{k-m}(\epsilon '-\delta )\delta ^2-2^{m}\delta ^2 \end{aligned}$$

Also, since \(\delta < \epsilon '\), we need to assume \(\epsilon ' > 2^{-(k-2m)}\) and \(\epsilon ' > 2^{-\frac{k-m}{3}}\) to guarantee that \(s' > 0\). Setting \(\delta = \varTheta (\epsilon ')\) we obtain

$$\begin{aligned} \frac{s'}{\epsilon '} = \varOmega \left( 2^{k-m}\epsilon '^{2}\right) -2^{m}\epsilon '^{} = \varOmega \left( 2^{k-m}\epsilon '^2\right) \end{aligned}$$

(28)

provided that \(\epsilon ' \gg 2^{-(k-2m)}\) and \(\epsilon ' > 2^{-\frac{k-m}{3}}\). If t is the security level, we must have \(t < \min \left( k-2m,\frac{k-m}{3}\right) \) and \(k-m-2t > t\).    \(\square \)