Entropic Security and the Encryption of High Entropy Messages

  • Yevgeniy Dodis
  • Adam Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3378)


We study entropic security, an information-theoretic notion of security introduced by Russell and Wang [24] in the context of encryption and by Canetti et al. [5,6] in the context of hash functions. Informally, a probabilistic map \(Y = \mathcal{E}(X)\) (e.g., an encryption scheme or a hash function) is entropically secure if knowledge of Y does not help in predicting any predicate of X, whenever X has high min-entropy from the adversary's point of view. On one hand, we strengthen the formulation of [5,6,24] and show that entropic security in fact implies that Y does not help in predicting any function of X (as opposed to a predicate), bringing this notion closer to the conventional notion of semantic security [10]. On the other hand, we also show that entropic security is equivalent to indistinguishability on pairs of input distributions of sufficiently high entropy, which is in turn related to randomness extraction from non-uniform distributions [21].

We then use the equivalence above, and the connection to randomness extraction, to prove several new results on entropically secure encryption. First, we give two general frameworks for constructing entropically secure encryption schemes: one based on expander graphs and the other on XOR-universal hash functions. These schemes generalize the schemes of Russell and Wang, yielding simpler constructions and proofs, as well as improved parameters. To encrypt an n-bit message of min-entropy t while allowing at most ε-advantage to the adversary, our best schemes use a shared secret key of length \(k = n - t + 2\log(\frac{1}{\epsilon})\). Second, we obtain lower bounds on the key length k for entropic security and indistinguishability. In particular, we show near tightness of our constructions: \(k > n - t\). For a large class of schemes — including all the schemes we study — the bound can be strengthened to \(k \geq n - t + \log(\frac{1}{\epsilon}) - O(1)\).
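The XOR-universal-hash framework mentioned above, as an added worked example in Python (this is not the paper's or the authors' code). The scheme form E(X; K) = (i, h_i(K) ⊕ X) with a public, per-message random seed i, its instantiation by multiplication in GF(2^8) under the AES polynomial 0x11B, and the small parameters used for the exhaustive check are assumptions made here; the key-length formula k = n - t + 2 log(1/ε) is the abstract's. The script also computes, by enumeration, the statistical distance of (i, C) from (i, uniform) for a constructed message distribution of min-entropy t, which is the "indistinguishability of high-entropy inputs" view the abstract relates to randomness extraction.

```python
"""Entropically secure encryption from an XOR-universal hash family.

Added example, not the paper's own code.  Assumed scheme form:
    E(X; K) = (i, h_i(K) XOR X),   D((i, C); K) = C XOR h_i(K)
with a public random seed i and h_i(K) = K * i in GF(2^n).  The field
polynomial for n = 8 (0x11B, the AES polynomial) is a choice made here so
that the security check below can be exhaustive.
"""
import math
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Irreducible polynomials defining GF(2^n); only n = 8 is instantiated here.
FIELD_POLY = {8: 0x11B}


def gf_mul(a: int, b: int, n: int) -> int:
    """Multiply a and b in GF(2^n): carry-less multiply, reducing on overflow."""
    poly = FIELD_POLY[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:  # a grew past n bits: subtract (XOR) the field polynomial
            a ^= poly
    return r


def key_length(n: int, t: int, eps: float) -> int:
    """Key bits from the abstract's formula k = n - t + 2*log2(1/eps),
    rounded up to an integer and capped at n (a full one-time pad)."""
    return min(n, max(0, math.ceil(n - t + 2 * math.log2(1 / eps))))


def h(i: int, key: int, n: int) -> int:
    """XOR-universal hash h_i(K) = K * i in GF(2^n) (the k-bit key is embedded
    as a field element).  For K != K', h_i(K) ^ h_i(K') = (K ^ K') * i, which
    is uniform over a random seed i because K ^ K' is a non-zero field element.
    (For the single seed i = 0 the pad is constant; security is an average
    over i, which is why the seed must be fresh and random per message.)"""
    return gf_mul(key, i, n)


def encrypt(x: int, key: int, n: int, i: Optional[int] = None) -> Tuple[int, int]:
    """E(X; K) = (i, h_i(K) XOR X); the seed i is fresh per message and public."""
    if i is None:
        i = secrets.randbelow(1 << n)
    return i, h(i, key, n) ^ x


def decrypt(ct: Tuple[int, int], key: int, n: int) -> int:
    i, c = ct
    return c ^ h(i, key, n)


def distance_from_uniform(n: int, k: int, messages: List[int]) -> float:
    """Exhaustively compute SD((i, C), (i, U_n)) when X is uniform on
    `messages` (2^t points, so min-entropy exactly t) and K is a uniform
    k-bit key.  Closeness to uniform for every high-entropy X gives
    indistinguishability for every pair of high-entropy inputs."""
    total = (1 << n) * (1 << k) * len(messages)
    counts: Counter = Counter()
    for i in range(1 << n):
        for key in range(1 << k):
            pad = h(i, key, n)
            for x in messages:
                counts[(i, pad ^ x)] += 1
    uniform = 1.0 / (1 << (2 * n))  # (i, C) uniform on 2^n * 2^n points
    sd = sum(abs(counts[(i, c)] / total - uniform)
             for i in range(1 << n) for c in range(1 << n))
    return sd / 2


def demo() -> float:
    """n = 8, t = 4, eps = 1/2 gives k = 6: a 6-bit key hides an 8-bit message
    of min-entropy 4.  The collision-probability argument behind the
    2*log2(1/eps) term bounds the distance by eps/2 = 0.25; the returned value
    is what enumeration gives for the constructed message set {0, ..., 15}."""
    n, t, eps = 8, 4, 0.5
    k = key_length(n, t, eps)
    ct = encrypt(0xA5, key=0x2B, n=n)
    assert decrypt(ct, 0x2B, n) == 0xA5
    return distance_from_uniform(n, k, list(range(1 << t)))


if __name__ == "__main__":
    print("k for n=1024, t=900, eps=2^-40:", key_length(1024, 900, 2 ** -40))
    print("SD from uniform at n=8, t=4, eps=1/2:", demo())
```

The exhaustive check is only feasible for a toy field; at realistic sizes (the n = 1024 line in the script) the same formula gives the key length directly, and the point the abstract makes is visible there: the key only needs to cover the entropy deficit n - t plus a security margin, not the whole message.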




References

1. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple Constructions of Almost k-Wise Independent Random Variables. In: FOCS 1990, pp. 544–553 (1990)
2. Alon, N., Roichman, Y.: Random Cayley graphs and expanders. Random Structures & Algorithms 5, 271–284 (1994)
3. Bennett, C., Brassard, G., Robert, J.: Privacy Amplification by Public Discussion. SIAM J. on Computing 17(2), 210–229 (1988)
4. Bennett, C., Brassard, G., Crépeau, C., Maurer, U.: Generalized Privacy Amplification. IEEE Transactions on Information Theory 41(6), 1915–1923 (1995)
5. Canetti, R.: Towards realizing random oracles: Hash functions that hide all partial information. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997)
6. Canetti, R., Micciancio, D., Reingold, O.: Perfectly One-Way Probabilistic Hash Functions. In: Proc. 30th ACM Symp. on Theory of Computing, pp. 131–140 (1998)
7. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: Proc. IEEE Symp. on Foundations of Computer Science, pp. 136–145 (2001)
8. Cover, T., Thomas, J.: Elements of Information Theory. Wiley series in telecommunication, p. 542 (1991)
9. Dodis, Y., Smith, A.: Entropic Security and the Encryption of High Entropy Messages. Full version of this paper. IACR Cryptology ePrint Archive, report 2004/219
10. Goldwasser, S., Micali, S.: Probabilistic encryption. JCSS 28(2), 270–299 (1984)
11. Goldreich, O., Vadhan, S., Wigderson, A.: On Interactive Proofs with a Laconic Prover. Computational Complexity 11(1-2), 1–53 (2002)
12. Goldreich, O., Wigderson, A.: Tiny families of functions with random properties: A quality-size trade-off for hashing. Random Structures and Algorithms 11(4), 315–343 (1997)
13. Håstad, J., Impagliazzo, R., Levin, L., Luby, M.: A Pseudorandom generator from any one-way function. In: Proc. 21st ACM Symp. on Theory of Computing (1989)
14. Herzog, J.: Computational Soundness for Standard Assumptions of Formal Cryptography. Ph.D. Thesis, Massachusetts Institute of Technology (May 2004)
15. Impagliazzo, R., Zuckerman, D.: How to Recycle Random Bits. In: Proc. 30th IEEE Symp. on Foundations of Computer Science (1989)
16. Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)
17. Lubotzky, A., Phillips, R., Sarnak, P.: Ramanujan graphs. Combinatorica 8(3), 261–277 (1988)
18. Maurer, U.: Conditionally-Perfect Secrecy and a Provably-Secure Randomized Cipher. J. Cryptology 5(1), 53–66 (1992)
19. Maurer, U.: Secret Key Agreement by Public Discussion. IEEE Trans. on Info. Theory 39(3), 733–742 (1993)
20. Naor, J., Naor, M.: Small-Bias Probability Spaces: Efficient Constructions and Applications. SIAM J. Comput. 22(4), 838–856 (1993)
21. Nisan, N., Zuckerman, D.: Randomness is Linear in Space. JCSS 52(1), 43–52 (1996)
22. Pfitzmann, B., Waidner, M.: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission. In: Proc. IEEE Symp. on Security and Privacy, pp. 184–200 (2001)
23. Radhakrishnan, J., Ta-Shma, A.: Tight bounds for depth-two superconcentrators. In: Proc. 38th IEEE Symp. on Foundations of Computer Science, pp. 585–594 (1997)
24. Russell, A.Y., Wang, H.: How to fool an unbounded adversary with a short key. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 133. Springer, Heidelberg (2002)
25. Shannon, C.: Communication Theory of Secrecy Systems. Bell Systems Technical J. 28, 656–715 (1949). Note: the material in this paper appeared originally in a confidential report, "A Mathematical Theory of Cryptography", dated September 1, 1945, which has now been declassified.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yevgeniy Dodis, New York University
  • Adam Smith, Weizmann Institute of Science
