Overcoming Weak Expectations

Dodis, Yevgeniy; Yu, Yu

doi:10.1007/978-3-642-36594-2_1

Cited by 53 publications

(59 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is similar in spirit to a lemma of [DY13] which shows that, if we use a key with a small entropy gap for an unpredictability application, the security of the application is only reduced by at most a small amount. One difference that prevents us from using that lemma directly is that we need to explicitly include the seed of the condenser and the dependence between the condenser output and the seed.…”

Section: Definition 2 (Condenser) a Functionsupporting

confidence: 65%

“…Perhaps, for some such applications, one can argue that the derived key R = h s (X) is still "good enough" for P despite not being statistically close to U m (given s). This approach was recently pioneered by Barak et al [BDK + 11], and then further extended and generalized by Dodis et al [DRV12,DY13]. In these works the authors defined a special class of cryptographic applications, called square-friendly, where the pessimistic RT-bound can be provably improved.…”

Section: Our Main Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Key Derivation without Entropy Waste

Dodis

Pietrzak

Wichs

2014

Advances in Cryptology – EUROCRYPT 2014

Self Cite

View full text Add to dashboard Cite

Abstract. We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P (R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P (h(X)) has comparable security δ which is 'close' to δ.Seeded randomness extractors provide a generic way to solve this problem for all applications P , with resulting security δ = O(δ), provided that we start with entropy k ≥ m+2 log (1/δ)−O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P .In this work we obtain the following new positive and negative results in this regard:-Efficient samplability of the source X does not help beat the RTbound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al.[DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. -We continue in the line of work initiated by Barak et al. [BDK + 11] and construct new information-theoretic KDFs which beat the RTbound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either:(1) extract all of the entropy k = m with a very modest security loss δ = O(δ · log (1/δ)), or alternatively, (2) achieve essentially optimal security δ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK -The weaker bounds of [BDK + 11] hold for a larger class of so-called "square-friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications.-We abstract out a clean, information-theoretic notion of (k, δ, δ )-unpredictability extractors, which guarantee "induced" security δ for any δ-secure unpredictability application P , and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers.

show abstract

Section: Definition 2 (Condenser) a Functionsupporting

confidence: 65%

Section: Our Main Resultsmentioning

confidence: 99%

Key Derivation without Entropy Waste

Dodis

Pietrzak

Wichs

2014

Advances in Cryptology – EUROCRYPT 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…Analogous observations were made in similar settings [1,5,4], where either the game is two-sided (e.g., indistinguishability applications) or the randomness is sampled from slightly defected min-entropy source. Plugging this lemma into [10] immediately yields a simpler proof for the key lemma of [10] (see Lemma 3.2), namely, "any k th iterate (instantiated with a regular OWF) is hard-to-invert".…”

Section: Introductionmentioning

confidence: 83%

“…4 The Rényi entropy deficiency of a random variable W over set W refers to the difference between entropies of UW and W , i.e., log |W| − H2(W ), where UW denotes the uniform distribution over W and H2(W ) is the Rényi entropy of W . 5 We should not confuse "weakly-regular" with "weakly-one-way", where the former "weakly" describes regularity (i.e., regular on a noticeable fraction as in Definition 2.4) and the latter is used for one-way-ness (i.e., hard-to-invert on a noticeable fraction [19]). …”

Section: Introductionmentioning

confidence: 99%

The Randomized Iterate, Revisited - Almost Linear Seed Length PRGs from a Broader Class of One-Way Functions

et al. 2015

Theory of Cryptography

Self Cite

View full text Add to dashboard Cite

We revisit "the randomized iterate" technique that was originally used by Goldreich, Krawczyk, and Luby (SICOMP 1993) and refined by Haitner, Harnik and Reingold (CRYPTO 2006) in constructing pseudorandom generators (PRGs) from regular one-way functions (OWFs). We abstract out a technical lemma (which is folklore in leakage resilient cryptography), and use it to provide a simpler and more modular proof for the Haitner-Harnik-Reingold PRGs from regular OWFs.We introduce a more general class of OWFs called "weakly-regular one-way functions" from which we construct a PRG with seed length O(n·logn). More specifically, consider an arbitrary one-way function f with range divided into setsWe say that f is weakly-regular if there exists a (not necessarily efficient computable) cut-off point max such that Y max is of some noticeable portion (say n −c for constant c), and Y max+1 , . . ., Y n only sum to a negligible fraction. We construct a PRG by makingÕ(n 2c+1 ) calls to f and achieve seed length O(n · logn) using bounded space generators. This generalizes the approach of Haitner et al., where regular OWFs fall into a special case for c = 0. We use a proof technique that is similar to and extended from the method by Haitner, Harnik and Reingold for hardness amplification of regular weakly-one-way functions.Our work further explores the feasibility and limits of the "randomized iterate" type of black-box constructions. In particular, the underlying f can have an arbitrary structure as long as the set of images with maximal preimage size has a noticeable fraction. In addition, our construction is much more seed-length efficient and security-preserving (albeit less general) than the HILL-style generators where the best known construction by Vadhan and Zheng (STOC 2012) requires seed lengthÕ(n 3 ).

show abstract

“…Such wPRFs exist assuming only that one-way functions exist [HILL99,GGM86]. The work of [Pie09] (see also [DY12]) shows that any wPRF is also an ℓ-LR-wPRF for a logarithmic ℓ = O(log(λ)). Constructions of ℓ-LR wPRF for larger ℓ can be derived from prior works on leakage-resilient public-key encryption [NS09], but only under strong public-key assumptions such as DDH.…”

Section: We Define the Advantage Of The Attacker A As Advmentioning

confidence: 99%

Leakage-Resilient Cryptography from Minimal Assumptions

et al. 2015

View full text Add to dashboard Cite

We present new constructions of leakage-resilient cryptosystems, which remain provably secure even if the attacker learns some arbitrary partial information about their internal secret key. For any polynomial ℓ, we can instantiate these schemes so as to tolerate up to ℓ bits of leakage. While there has been much prior work constructing such leakage-resilient cryptosystems under concrete number-theoretic and algebraic assumptions, we present the first schemes under general and minimal assumptions. In particular, we construct:• Leakage-resilient public-key encryption from any standard public-key encryption.• Leakage-resilient weak pseudorandom functions, symmetric-key encryption, and messageauthentication codes from any one-way function.These are the first constructions of leakage-resilient symmetric-key primitives that do not rely on public-key assumptions. We also get the first constructions of leakage-resilient public-key encryption from "search assumptions", such as the hardness of factoring or CDH. Although our schemes can tolerate arbitrarily large amounts of leakage, the tolerated rate of leakage (defined as the ratio of leakage-amount to key-size) is rather poor in comparison to prior results under specific assumptions. As a building block of independent interest, we study a notion of weak hash-proof systems in the public-key and symmetric-key settings. While these inherit some of the interesting security properties of standard hash-proof systems, we can instantiate them under general assumptions.

show abstract

Overcoming Weak Expectations

Cited by 53 publications

References 29 publications

Key Derivation without Entropy Waste

Key Derivation without Entropy Waste

The Randomized Iterate, Revisited - Almost Linear Seed Length PRGs from a Broader Class of One-Way Functions

Leakage-Resilient Cryptography from Minimal Assumptions

Contact Info

Product

Resources

About