Leftover Hash Lemma, Revisited

  • Boaz Barak
  • Yevgeniy Dodis
  • Hugo Krawczyk
  • Olivier Pereira
  • Krzysztof Pietrzak
  • François-Xavier Standaert
  • Yu Yu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)


The famous Leftover Hash Lemma (LHL) states that (almost) universal hash functions are good randomness extractors. Despite its numerous applications, LHL-based extractors suffer from the following two limitations:

  • Large Entropy Loss: to extract v bits from a distribution X of min-entropy m that are ε-close to uniform, one must set v ≤ m − 2log(1/ε), meaning that the entropy loss \(L \stackrel{\text{def}}{=} m - v \ge 2\log(1/\epsilon)\). For many applications, such entropy loss is too large.

  • Large Seed Length: the seed length n of (almost) universal hash function required by the LHL must be at least n ≥ min (u − v, v + 2log(1/ε)) − O(1), where u is the length of the source, and must grow with the number of extracted bits.

Quite surprisingly, we show that both limitations of the LHL — large entropy loss and large seed — can be overcome (or, at least, mitigated) in various important scenarios. First, we show that entropy loss could be reduced to L = log(1/ε) for the setting of deriving secret keys for a wide range of cryptographic applications.

Specifically, the security of these schemes with an LHL-derived key gracefully degrades from ε to at most \(\epsilon + \sqrt{\epsilon 2^{-L}}\). (Notice that, unlike the standard LHL, this bound is meaningful even when one extracts more bits than the min-entropy we have!) Based on these results we build a general computational extractor that enjoys low entropy loss and can be used to instantiate a generic key derivation function for any cryptographic application.
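As an added illustration of the entropy-loss trade-off (example code, not from the paper): it evaluates a tiny GF(2) Toeplitz universal hash family on a constructed flat source and computes the exact statistical distance of (seed, extracted bits) from uniform, next to the classical LHL guarantee 2^{-L/2}/2 with L = m − v. The input length u = 6, output length v = 3 and the RNG seed are assumed parameters chosen so every hash seed can be enumerated.

```python
from fractions import Fraction
from itertools import product
import random

def toeplitz_hash(seed_bits, x, u, v):
    """Universal hash h_s: {0,1}^u -> {0,1}^v, the GF(2) Toeplitz matrix built
    from the (u+v-1)-bit seed s applied to x (row i of the matrix is s[i:i+u])."""
    out = 0
    for i in range(v):
        row = seed_bits[i:i + u]
        bit = 0
        for j in range(u):
            if row[j] and (x >> j) & 1:
                bit ^= 1          # inner product over GF(2)
        out = (out << 1) | bit
    return out

def flat_source(u, m, rng):
    """Constructed source X: uniform over 2^m distinct u-bit strings, so its
    min-entropy is exactly m bits."""
    support = rng.sample(range(2 ** u), 2 ** m)
    return {x: Fraction(1, 2 ** m) for x in support}

def extractor_distance(source, u, v):
    """Exact statistical distance of (S, h_S(X)) from (S, U_v): the average over
    all seeds S of the distance of h_S(X) from uniform on v bits."""
    uniform = Fraction(1, 2 ** v)
    total = Fraction(0)
    seeds = list(product((0, 1), repeat=u + v - 1))
    for s in seeds:
        out = {}
        for x, p in source.items():
            y = toeplitz_hash(s, x, u, v)
            out[y] = out.get(y, Fraction(0)) + p
        total += sum(abs(out.get(y, Fraction(0)) - uniform)
                     for y in range(2 ** v)) / 2
    return total / len(seeds)

def lhl_bound(m, v):
    """Classical LHL guarantee: distance <= 2^{-L/2} / 2 with entropy loss L = m - v,
    i.e. epsilon-closeness costs L = 2 log(1/epsilon) - 2 bits of loss."""
    return 0.5 * 2 ** (-(m - v) / 2)

def demo(u, v, m, rng_seed=2011):
    """One run with a reproducible constructed source: (exact distance, LHL bound)."""
    src = flat_source(u, m, random.Random(rng_seed))
    return extractor_distance(src, u, v), lhl_bound(m, v)

if __name__ == "__main__":
    for m in (5, 4, 3, 2):   # m = 2 < v: the classical bound exceeds 1/2 and says nothing
        d, b = demo(6, 3, m)
        print(f"m={m} v=3 L={m - 3}: exact distance {float(d):.4f}, LHL bound {b:.4f}")
```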

Second, we study the soundness of the natural expand-then-extract approach, where one uses a pseudorandom generator (PRG) to expand a short “input seed” S into a longer “output seed” S′, and then uses the resulting S′ as the seed required by the LHL (or, more generally, by any randomness extractor). We show that, in general, the expand-then-extract approach is not sound if the Decisional Diffie-Hellman assumption is true. Despite that, we show that it is sound either: (1) when extracting a “small” (logarithmic in the security of the PRG) number of bits; or (2) in minicrypt. Implication (2) suggests that the expand-then-extract approach is likely secure when used with “practical” PRGs, despite lacking a reductionist proof of security!





Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Boaz Barak (1)
  • Yevgeniy Dodis (2)
  • Hugo Krawczyk (3)
  • Olivier Pereira (4)
  • Krzysztof Pietrzak (5)
  • François-Xavier Standaert (4)
  • Yu Yu (6)

  1. Microsoft Research New England
  2. New York University, USA
  3. IBM Research, Israel
  4. Université Catholique de Louvain, Belgium
  5. CWI Amsterdam, The Netherlands
  6. East China Normal University, Hongkong
