
Cryptographic Applications of Randomness Extractors

Salil Vadhan, Harvard University. http://seas.harvard.edu/~salil. Outline: Definition & Basics; Cryptographic Applications (overview).


Presentation Transcript


  1. Cryptographic Applications of Randomness Extractors. Salil Vadhan, Harvard University. http://seas.harvard.edu/~salil

  2. Outline • Definition & Basics • Cryptographic Applications (overview) • Extracting Statistical Entropy in Crypto • Extracting Computational Entropy in Crypto Caveats: informal, only small sample

  3. Definition & Basics

  4. Min-entropy • Def: The min-entropy of X is H∞(X) := min_x log(1/Pr[X=x]). X is a k-source if H∞(X) ≥ k, i.e. ∀x Pr[X=x] ≤ 2^(−k) • Examples: • Unpredictable Source [SV84]: ∀i ∈ [n], b_1, …, b_{i−1} ∈ {0,1}, • Bit-fixing [CGH+85,BL85,LLS87,CW89]: Some k coordinates of X uniform, rest fixed (or even depend arbitrarily on others). • Flat k-source: Uniform over S ⊆ {0,1}^n, |S| = 2^k

  5. Extractors [Nisan & Zuckerman `93] Def: Ext : {0,1}^n × {0,1}^d → {0,1}^m is a (strong) (k,ε)-extractor if ∀ k-source X, U_d ∘ Ext(X,U_d) is ε-close to U_d ∘ U_m. [Figure: a k-source X of length n and a “seed” of d random bits enter EXT, which outputs m almost-uniform bits; ε-close means max_T |Pr[X∈T] − Pr[Y∈T]| ≤ ε.] • Goals: minimize seed length, maximize output length.

  6. Extractors as Hash Functions [Figure: h_y : {0,1}^n → {0,1}^m; a flat k-source, i.e. a set of size 2^k ≫ 2^m; for most y, h_y maps sets of size 2^k almost uniformly onto the range.]

  7. The Optimal Extractor Thm [Sip88,RT97]: For every k ≤ n, ∃ a (k,ε)-extractor w/ • Seed length d = log(n−k) + 2 log(1/ε) + O(1) • Output length m = k − 2 log(1/ε) − O(1) “extract almost all the min-entropy w/ logarithmic seed” ⇒ in some apps, can eliminate need for truly random seed by trying all 2^d = poly(n/ε) possibilities (e.g. simulating randomized algorithms w/ k-source). Long line of work tries to match above nonconstructive bounds with explicit constructions.

  8. Extractors from Hash Functions • Leftover Hash Lemma [BBR85,ILL89]: universal hash functions yield strong extractors • output length: m = k − 2 log(1/ε) − O(1) • seed length: d = n • example: Ext(x,a) = first m bits of a·x in GF(2^n) • Almost-universal hash functions [SZ94,GW94]: • seed length: d = O(log n + m)
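As an added worked example (not from the slides), the Leftover Hash Lemma extractor Ext(x,a) = first m bits of a·x in GF(2^n) above, instantiated with n = 8 over the AES field polynomial (an assumption made so the statistical distance can be computed exactly over all 2^d seeds), checked against the lemma's bound on a bit-fixing 6-source and shown failing on a source with k < m:

```python
from fractions import Fraction

N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the AES field polynomial, irreducible over GF(2)

def gf_mul(a: int, b: int, n: int = N, poly: int = POLY) -> int:
    """Carry-less shift-and-add multiplication a*b reduced modulo poly in GF(2^n)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce by the field polynomial
            a ^= poly
    return r

def ext(x: int, seed: int, m: int) -> int:
    """The slide's extractor: first (top) m bits of seed*x in GF(2^n); seed length d = n."""
    return gf_mul(x, seed) >> (N - m)

def strong_sd(source, m: int) -> Fraction:
    """Exact statistical distance of (U_d, Ext(X,U_d)) from (U_d, U_m) for a flat source X,
    given as the list of n-bit strings it is uniform over (a k-source, k = log2(len(source)))."""
    total = Fraction(0)
    for seed in range(2 ** N):            # every seed: d = n bits
        counts = [0] * (2 ** m)
        for x in source:
            counts[ext(x, seed, m)] += 1
        # SD for this seed = 1/2 * sum_y |Pr[Ext(X,seed)=y] - 2^-m|
        total += sum(abs(Fraction(c, len(source)) - Fraction(1, 2 ** m)) for c in counts) / 2
    return total / 2 ** N                 # averaging over seeds gives the strong-extractor SD

def lhl_bound(k: int, m: int) -> Fraction:
    """Leftover Hash Lemma bound SD <= (1/2)*sqrt(2^(m-k)), written for even k-m."""
    assert (k - m) % 2 == 0
    return Fraction(1, 2 ** (1 + (k - m) // 2))

if __name__ == "__main__":
    # Constructed bit-fixing 6-source: top two bits fixed to 1, the other six uniform.
    good = [0xC0 | v for v in range(64)]
    # Constructed 1-source: only the last bit varies, so it holds far less than m = 2 bits.
    bad = [0xC0, 0xC1]
    print("k=6, m=2: SD =", strong_sd(good, 2), "<= LHL bound", lhl_bound(6, 2))
    print("k=1, m=2: SD =", strong_sd(bad, 2), "(cannot extract more than k bits)")
```

The 1-source case lands at exactly 9/16: the two inputs collide under a quarter of the seeds (SD 3/4) and split evenly under the rest (SD 1/2), illustrating that the output length m is capped by the min-entropy k.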

  9. Cryptographic Applications

  10. Crypto with Weak Random Sources? • Enumerating seeds doesn’t work. • e.g. get several encryptions of a message, most of which are “secure” • Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an (n−1)-source. • Encryption, commitment, secret sharing, zero knowledge, … • Alternative: Seek “seedless” extractors for restricted classes of sources. • Bit-fixing sources, several independent weak sources, efficiently samplable sources, low-degree sources, … [many] • Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

  11. Seeded Extractors in Crypto • Common setting: information gaps • To parties A, B, …, string X has little or no “entropy” • To parties E, F, …, string X has a lot of “entropy” • After extraction: • To parties A, B, …, r.v. Ext(X) still has little or no “entropy” • To parties E, F, …, r.v. Ext(X) indistinguishable from uniform • Challenges: • Where to get seed? • Working with computational entropy. • Efficiency constraints • Noise

  12. Crypto with Statistical (Min-)Entropy

  13. Privacy Amplification [BBR85] • Common setting: information gaps • A, B share/access a random string X ∈ {0,1}^n • E has imperfect info about X: X | view(Eve) is a k-source. • After extraction: • A, B share Ext(X,R) • Ext(X,R) | view’(Eve) is ε-close to U_m ⇒ A, B can use Ext(X,R) as a key.

  14. Partial Info & Min-Entropy • Adversary learning s bits of info about X reduces its min-entropy by roughly s. • Cf. Shannon entropy: H(X|Z) ≥ H(X) − H(Z) ≥ H(X) − s • Lemma: (X,Z) (correlated) random vars, X a k-source and |Z| = s. Then w.p. ≥ 1−ε over z ← Z, X|Z=z is a (k − s − log(1/ε))-source. • [DRS03]: H̃∞(X|Z) ≥ H∞(X) − H_0(Z) ≥ H∞(X) − s, where H̃∞(X|Z) = log(1/E_{z←Z}[max_x Pr[X=x | Z=z]])

  15. Examples of Partial Info. Partial Key Exposure [CDHKS00]: • adversary reads s actual bits of private key X • X|view is actually a “bit-fixing source” [CFGHRS85] • Honest parties use Ext(X) (no seed necessary!) Bounded-storage model [M90,ADR99,L02,V03]: • adversary reads an s-bit function of high-rate bitstream X • honest parties compute Ext(X; R), where R = private key • need Ext that reads only few bits from X

  16. Examples of Partial Info (cont.) Biometrics [DRS03]: • need to derive key from unreliable fingerprint X • store seed R & short error-correcting info C on server (“information reconciliation” [BBR85]) • X|C a k-source ⇒ Ext(X;R) | C,R ≈_s U_m • C = X mod (high-rate error-correcting code)

  17. Crypto with Computational (Min-)Entropy

  18. Computational Entropy • Def [HLR07]: X has unpredictability-entropy at least k if it can be predicted in poly-time w.p. at most 2^(−k) • if f is a one-way function, then X|f(X) has unpredictability entropy ω(log n) • Can extract pseudorandom bits using an extractor with “efficient local list-decoding” [GL89,TZ01]. • Def [HILL90]: X has pseudoentropy at least k if X ≈_c Y, Y a k-source. • Any poly-time extractor works!

  19. Extracting Computational Entropy. PRGs ⇐ (1-1) OWF [HILL90]: • X|f(X) has unpredictability-entropy but no real entropy • Y = (f(X), Ext1(X)) has pseudoentropy > real entropy = |X|; Ext1 = extractor with “local list-decoding” (e.g. GL) • Ext2[Y_1, …, Y_t] pseudorandom; Ext2 = any efficient extractor • Seeds for Ext1, Ext2: from PRG seed. • Hardcore Lemma [I95,STV01,H05]: unpredictability-entropy ⇒ pseudoentropy for 1-bit r.v.’s

  20. Extracting Computational Entropy. Bounded-Retrieval Model [D06,DP08] • Leakage over time may exceed |X|. • Idea: regain loss by X’ = PRG(Ext(X)). • Problem: X only pseudorandom • If X is pseudorandom and adversary knows s bits about X, then X|view has “metric pseudoentropy” ≥ n−s [BSW03] • If s = O(log n), then metric pseudoentropy n−s ⇒ pseudoentropy n−s [RTV08,I08].

  21. Extracting Computational Entropy. Leakage-Resilient Public-Key Encryption [AGV09] • Adversary learns s bits about X = SK, plus PK = f(SK). • Problem: encryptor doesn’t know SK, can’t extract • Leakage independent of PK: take longer SK, set PK = (f(Ext(SK;R)), R). • Leakage can depend on PK: show that encryption itself can be viewed as extracting from SK

  22. Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09] CRHF {F : {0,1}^n → {0,1}^(n−k)} [Protocol figure: sender S, receiver R. COMMIT: R sends F; S picks X ← {0,1}^n and sends F(X), R, M = Ext(X,R), with M ∈ {0,1}^t. REVEAL: S sends (M,X); R accepts/rejects.] • H∞(X | F(X), F) ≥ k • H_acc(X | F(X), F) = 0 • M ε-close to U_t given R’s view • H_acc(M) = 0 given S’s view

  23. Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09] (cheating parties marked *) CRHF {F : {0,1}^n → {0,1}^(n−k)} [Protocol figure: COMMIT: R sends F; S sends F(X), R, M = Ext(X,R). REVEAL: S sends (M,X); R accepts/rejects.] • H∞(X | F*(X), F*) ≥ k • H_acc(X* | F(X*), F) = 0 • M ε-close to U_t given R*’s view • H_acc(M) = 0 given S*’s view

  24. Conclusions • Randomness extractors address a basic problem in crypto: exploiting asymmetry of information • Language and basic results (about min-entropy, pseudoentropy, etc.) as important as the actual constructions. • Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …)

  25. Pointers • N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58(1):148-173, 1999. • R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of EATCS, 77:67-95, June 2002. • S. Vadhan. Randomness extractors & their many guises. FOCS `02 tutorial. Randomness extractors & crypto applications. TCC `08 tutorial. Course Notes for CS225: Pseudorandomness. http://eecs.harvard.edu/~salil/cs225
