1 / 24

Computational Entropy

Computational Entropy. Salil Vadhan Harvard University (on sabbatical at MSR-SVC and Stanford). Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich ), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), a nd Colin Jia Zheng (Harvard).

moe
Download Presentation

Computational Entropy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computational Entropy SalilVadhanHarvard University (on sabbatical at MSR-SVC and Stanford) Joint works with IftachHaitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), and Colin Jia Zheng (Harvard) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA

  2. How I came to work onPseudorandomness • Fall 93: CS226r “Efficient Algorithms,” Prof. M. Rabin • “The R word plays a role” • I am amazed by the power of randomness. • Spring 95: S. Rudichtells me about evidence that P=BPP. • I am skeptical. • 1996-1999: I learn about pseudorandom generators & derandomization. • I need to work on this too!

  3. One-Way Functions [DH76] easy • Candidate: f(x,y) = x¢y Formally, a OWF is f : {0,1}n! {0,1}n s.t. • f poly-time computable • 8 poly-time A Pr[A(f(X))2f-1(f(X))] = 1/n!(1) for XÃ{0,1}n x f(x) hard

  4. OWFs & Cryptography secure protocols & applications digitalsignatures zero-knowledgeproofs private-key encryption statistical ZKarguments MACs [GMW86] statistically bindingcommitments pseudorandom functions [NY89] [BCC86] [GGM86] [N89] pseudorandomgenerators statistically hiding commitments target-collision-resistant hash functions (UOWHFs) [R90] [HILL90] [HNORV07] one-way functions

  5. OWFs & Cryptography secure protocols & applications digitalsignatures zero-knowledgeproofs private-key encryption statistical ZKarguments MACs [GMW86] statistically bindingcommitments pseudorandom functions [NY89] [BCC86] [GGM86] [N89] pseudorandomgenerators statistically hiding commitments target-collision-resistant hash functions (UOWHFs) [R90] [HILL90] [HNORV07] one-way functions

  6. Computational Entropy[Y82,HILL90,BSW03] Question: How can we use the “raw hardness” of a OWF to build useful crypto primitives? Answer (today’s talk): • Every crypto primitive amounts to some form of “computational entropy”. • One-way functions already have a little bit of “computational entropy”.

  7. Entropy Def: The Shannon entropyof r.v. X is H(X) = ExÃX[log(1/Pr[X=x)] • H(X) = “Bits of randomness in X (on avg)” • 0 · H(X) · log|Supp(X)| • Conditional Entropy: H(X|Y) = EyÃY[H(X|Y=y)] X uniform onSupp(X) X concentratedon single point

  8. Worst-Case Entropy Measures • Min-Entropy: H1(X) = minx log(1/Pr[X=x]) • Max-Entropy: H0(X) = log |Supp(X)| H1(X) · H(X) · H0(X)

  9. Computational Entropy • A poly-time algorithm may “perceive” the entropy of X to be very different from H(X). • Example:a pseudorandom generator G: {0,1}m!{0,1}n • G(Um) is computationally indistinguishable from Un • But H(G(Um))·m.

  10. Pseudoentropy Def [HILL90]: X has pseudoentropy¸ k iff there exists a random variable Y s.t. • Y ´c X • H(Y) ¸ k Interesting when k > H(X), i.e. Pseudoentropy > Real Entropy

  11. OWFs & Cryptography secure protocols & applications digitalsignatures zero-knowledgeproofs private-key encryption statistical ZKarguments MACs [GMW86] statistically bindingcommitments pseudorandom functions [NY89] [BCC86] [GGM86] [N89] pseudorandomgenerators statistically hiding commitments target-collision-resistant hash functions (UOWHFs) [R90] [HILL90] pseudoentropy [HNORV07] one-way functions

  12. Application of Pseudoentropy Thm [HILL90]:9 OWF )9 PRG Proof idea: OWF to discuss X with pseudoentropy ¸ H(X)+1/poly(n) repetitions X with pseudo-min-entropy ¸ H0(X)+poly(n) hashing PRG

  13. Pseudoentropy from OWF • Intuition: for a 1-1 OWF f and XÃ{0,1}n • H(X|f(X))=0, but • 8 poly-time A Pr[A(f(X))=X] = 1/n!(1) = 1/2!(log n) ) X has “unpredictability entropy” !(log n) given f(X) [HLR07] • Challenges: • How to turn “unpredictability” into “pseudoentropy”? • When f not 1-1, unpredictability can be trivial.

  14. Pseudoentropy from OWF • Thm[HILL90]: W=(f(X),H,H(X)1,…H(X)J)has pseudoentropy¸ H(W)+!(log n)/n, whereH : {0,1}n! {0,1}n is a certain kind of hash function, XÃ{0,1}n, JÃ{1,…,n}. • Thm[HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸n+!(log n). • No hashing! • Total amount of pseudoentropy known & > n. • Get full !(log n) bits of pseudoentropy.

  15. Next-bit Pseudoentropy • Thm[HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸ n+!(log n). • Note: (f(X),X) easily distinguishable from every random variable of entropy > n. • Next-bit pseudoentropy: 9 (Y1,…,Yn) s.t. • (f(X),X1,…,Xi) ´c (f(X),X1,…,Xi-1,Yi) • H(f(X))+iH(Yi|f(X),X1,…,Xi-1) = n+!(log n).

  16. Consequences • Simpler and more efficient construction of pseudorandom generators from one-way functions. • [HILL90,H06]: OWF f of input length n ) PRG G of seed length O(n8). • [HRV10,VZ11]: OWF f of input length n ) PRG G of seed length O(n3).

  17. Unpredictability)Pseudoentropy[previous work] Assume: Z has unpredictability entropy ¸ k given Y (i.e. 8poly-time A Pr[A(Y)=Z]·2-k). • [Y82]: If k¼|Z|, then (Y,Z) ´c (Y,Uk) • [GL89,HLR07]: (Y,H,H(Z)) ´c (Y,H,Uk-!(log n)) • [I95,H05]: If |Z|=1, then 9 Z’ of “average min-entropy [DORS04]” k given X s.t. (X,Z) ´c (X,Z’) Coping with info-theoretic unpredictability of X given f(X)? • [HILL90] Use Leftover Hash Lemma to analyze prefix of (f(X),H,H(X)1,…H(X)J).

  18. Pseudoentropy, Hardness of Sampling • Thm[VZ11]: Let (Y,Z) 2 {0,1}n£ {0,1}O(log n). Z has pseudoentropy¸ H(Z|Y)+k given YmThere is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k. [D = Kullback-Liebler Divergence] • Proof: variant of proofs of Impagliazzo’s Hardcore Lemma [I95,N95,H05,BHK09].

  19. Pseudoentropy, Hardness of Sampling • Thm[VZ11]: Let (Y,Z) 2 {0,1}n£ {0,1}O(log n). Z has pseudoentropy¸ H(Z|Y)+k given YmThere is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k. • Cor[HRV10,VZ11]:(f(X),X1,…,Xn) has next-bit pseudoentropy n+!(log n).

  20. OWFs & Cryptography secure protocols & applications digitalsignatures zero-knowledgeproofs private-key encryption statistical ZKarguments MACs [GMW86] statistically bindingcommitments pseudorandom functions [NY89] [BCC86] [GGM86] [N89] pseudorandomgenerators statistically hiding commitments target-collision-resistant hash functions (UOWHFs) next-bitpseudoentropy [HRV10,VZ11] [R90] [HNORV07] one-way functions

  21. OWFs & Cryptography secure protocols & applications digitalsignatures zero-knowledgeproofs private-key encryption statistical ZKarguments MACs [GMW86] statistically bindingcommitments pseudorandom functions [NY89] [BCC86] [GGM86] [N89] pseudorandomgenerators statistically hiding commitments target-collision-resistant hash functions (UOWHFs) next-bitpseudoentropy [HRV10,VZ11] [HRVW09,HHRVW10] inaccessible entropy one-way functions

  22. Inaccessible Entropy [HRVW09,HHRVW10] • Example: if h : {0,1}n! {0,1}n-k is collision-resistant and XÃ {0,1}n, then • H(X|h(X)) ¸ k, but • To an efficient algorithm, once it produces h(X), X is determined ) “accessible entropy” 0. • Accessible entropy ¿ Real Entropy! • Thm[HRVW09]: f a OWF ) (f(X)1,…,f(X)n,X) has accessible entropy n-!(log n). • Cf. (f(X),X1,…,Xn) has pseudoentropy n+!(log n).

  23. Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. “Secrecy”pseudoentropy > real entropy “Unforgeability”accessible entropy < real entropy

  24. Research Directions • Formally unify inaccessible entropy and pseudoentropy. • OWF f : {0,1}n! {0,1}n) Pseudorandom generators of seed length O(n)? • More applications of inaccessible entropy in crypto or complexity.

More Related