A Counterexample to the Chain Rule for Conditional HILL Entropy

Krenn, Stephan; Pietrzak, Krzysztof; Wadia, Akshay

doi:10.1007/978-3-642-36594-2_2

Cited by 10 publications

(9 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, if Tr X (ρ XB ) = Tr X (σ XB ), we say X conditioned on B has (regular) HILL pseudoentropy H HILL s,ε (X|B) ρ ≥ k. As in the definition of conditional relaxed-HILL pseudoentropy [HLR07], we do not require the reduced states ρ B and σ B being equal in relaxed-HILL pseudoentropy. In the classical case, the relaxed HILL notion satisfies a chain rule even when a prior knowledge Z is present, while for the regular HILL pseudoentropy, a counterexample exists (under a standard assumption) [KPW13]. Another remark here is that when the length of B is O(log n), it is not hard to see that the two definitions are equivalent in the classical case.…”

Section: Computational Min-entropymentioning

confidence: 97%

“…(Note that under standard cryptographic assumptions, the analogous statement for (standard) HILL pseudoentropy is false [KPW13].) The leakage chain rule is an important property for pseudoentropy and has a number of applications in cryptography, such as leakage-resilient cryptography [DP08], memory delegation [CKLR11], and deterministic encryption [FOR15].…”

Section: Leakage Chain Rulementioning

confidence: 99%

“…If there is no prior knowledge Z and |B| = O(log n), then HILL pseudoentropy and relaxed-HILL pseudoentropy are equivalent. If prior information Z is allowed, Krenn et al [KPW13] showed that the leakage lemma is unlikely to hold for standard HILL pseudoentropy. Specifically, assuming the existence of a perfect binding commitment scheme, they constructed random variables X, Z, and B, where B is a single random bit, such that H HILL (X|Z) ≥ n, but H HILL (X|Z, B) ≤ 1.…”

Section: Computational Leakage Chain Rulementioning

confidence: 99%

See 2 more Smart Citations

Computational Notions of Quantum Min-Entropy

Chen¹,

Chung²,

Lai³

et al. 2017

Preprint

View full text Add to dashboard Cite

We initiate the study of computational entropy in the quantum setting. We investigate to what extent the classical notions of computational entropy generalize to the quantum setting, and whether quantum analogues of classical theorems hold. Our main results are as follows.(1) The classical Leakage Chain Rule for pseudoentropy can be extended to the case that the leakage information is quantum (while the source remains classical). Specifically, if the source has pseudoentropy at least k, then it has pseudoentropy at least k − ℓ conditioned on an ℓqubit leakage. (2) As an application of the Leakage Chain Rule, we construct the first quantum leakage-resilient stream-cipher in the bounded-quantum-storage model, assuming the existence of a quantum-secure pseudorandom generator. (3) We show that the general form of the classical Dense Model Theorem (interpreted as the equivalence between two definitions of pseudo-relativemin-entropy) does not extend to quantum states. Along the way, we develop quantum analogues of some classical techniques (e.g., the Leakage Simulation Lemma, which is proven by a Nonuniform Min-Max Theorem or Boosting). On the other hand, we also identify some classical techniques (e.g., Gap Amplification) that do not work in the quantum setting. Moreover, we introduce a variety of notions that combine quantum information and quantum complexity, and this raises several directions for future work.

show abstract

Section: Computational Min-entropymentioning

confidence: 97%

Section: Leakage Chain Rulementioning

confidence: 99%

Section: Computational Leakage Chain Rulementioning

confidence: 99%

See 1 more Smart Citation

Computational Notions of Quantum Min-Entropy

Chen¹,

Chung²,

Lai³

et al. 2017

Preprint

View full text Add to dashboard Cite

show abstract

“…Unfortunately, this conjecture is false in general [KPW13]. On the positive side, some progress towards proving it for restricted definitions of entropy has been recently made [FR12,CKLR11,Rey11,GW10].…”

Section: Leakage Chain Rule For Computational Entropy -Negative and P...mentioning

confidence: 99%

“…The computational leakage chain rule was proved only for specific scenarios, either by adding strong assumptions to definitions [FR12,CKLR11], or by changing definitions (see [Rey11] for the discussion of computational relaxed entropy based on Leakage Lemma [GW10]). Recently, a counterexample to the chain rule for computational min entropy has been found [KPW13]. It shows that the computational entropy of X|Z 1 Z 2 can decrease dramaticaly with respect to the entropy of X|Z 1 , even if Z 2 is just a one bit.…”

Section: Introductionmentioning

confidence: 99%

Modulus Computational Entropy

Skorski

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The so-called leakage-chain rule is a very important tool used in many security proofs. It gives an upper bound on the entropy loss of a random variable X in case the adversary who having already learned some random variables Z1, . . . , Z ℓ correlated with X, obtains some further information Z ℓ+1 about X. Analogously to the information-theoretic case, one might expect that also for the computational variants of entropy the loss depends only on the actual leakage, i.e. on Z ℓ+1 . Surprisingly, Krenn et al. have shown recently that for the most commonly used definitions of computational entropy this holds only if the computational quality of the entropy deteriorates exponentially in |(Z1, . . . , Z ℓ )|. This means that the current standard definitions of computational entropy do not allow to fully capture leakage that occurred "in the past", which severely limits the applicability of this notion. As a remedy for this problem we propose a slightly stronger definition of the computational entropy, which we call the modulus computational entropy, and use it as a technical tool that allows us to prove a desired chain rule that depends only on the actual leakage and not on its history. Moreover, we show that the modulus computational entropy unifies other,sometimes seemingly unrelated, notions already studied in the literature in the context of information leakage and chain rules. Our results indicate that the modulus entropy is, up to now, the weakest restriction that guarantees that the chain rule for the computational entropy works. As an example of application we demonstrate a few interesting cases where our restricted definition is fulfilled and the chain rule holds.

show abstract

Unifying Leakage Classes: Simulatable Leakage and Pseudoentropy

Fuller

Hamlin

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Leakage-resilient cryptography builds systems that withstand partial adversary knowledge of secret state. Ideally, leakage-resilient systems withstand current and future attacks; restoring confidence in the security of implemented cryptographic systems. Understanding the relation between classes of leakage functions is an important aspect.In this work, we consider the memory leakage model, where the leakage class contains functions over the system's entire secret state. Standard classes include functions with bounded output length, functions that retain (pseudo) entropy in the secret, and functions that leave the secret computationally unpredictable.Standaert, Pereira, and Yu (Crypto, 2013) introduced a new class of leakage functions they call simulatable leakage. A leakage function is simulatable if a simulator can produce indistinguishable leakage without access to the true secret state. We extend their notion to general applications and consider two versions. For weak simulatability: the simulated leakage must be indistinguishable from the true leakage in the presence of public information. For strong simulatability, this requirement must also hold when the distinguisher has access to the true secret state. We show the following:

show abstract

A Counterexample to the Chain Rule for Conditional HILL Entropy

Cited by 10 publications

References 23 publications

Computational Notions of Quantum Min-Entropy

Computational Notions of Quantum Min-Entropy

Modulus Computational Entropy

Unifying Leakage Classes: Simulatable Leakage and Pseudoentropy

Contact Info

Product

Resources

About