Abstract
In the ideal world, cryptographic models take for granted that the secret sources (e.g. secret keys and other secret randomness) are derived from uniform distribution. However, in reality, we may only obtain some ‘weak’ random sources guaranteed with high unpredictability (e.g. biometric data, physical sources, and secrets with partial leakage). Formally, the security of cryptographic models is measured by the expectation of some function, called ‘perfect’ expectation in the ideal model and ‘weak’ expectation in the real model respectively. We propose some elementary inequalities which show that the ‘weak’ expectation is not much worse than the ‘perfect’ expectation. Instead of discussing the results based on the min-entropy and collision entropy by Dodis and Yu [TCC 2013], we present how to overcome weak expectations dependent on the R\(\acute{e}\)nyi entropy and the expanded computational entropy. We achieve these results via employing the discrete form of the H\(\ddot{o}\)lder inequality. We also use some techniques to guarantee that the expanded computational entropy is useful in the security model. Thus our results are more general, and we also obtain some results from a computational perspective. The results apply to all ‘unpredictability’ applications and some indistinguishability applications including CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions and Weaker Computational Extractors.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
- Weak secret sources
- The r\(\acute{e}\)nyi entropy
- Computational entropy
- Symmetric-key encryption schemes
- Weak pseudorandom functions
- Computational extractors
1 Introduction
Traditionally, if a cryptographic system is secure, it means that it can be formally proved that it’s secure in a certain security model, which usually takes for granted that the secret is perfectly random. Unfortunately, in the real world the secret may only be obtained from non-uniform distribution. For example, if the secret source is biometric data [8, 11], physical sources [3, 4], secrets with partial leakage or group elements from Diffie-Hellman key exchange [16, 22], then it can’t satisfy perfect randomness.
Recently, there has been some interest in basing cryptographic primitives on weak secrets, where the only information about the secret is some non-trivial amount of entropy. Formally, the \((T, \varepsilon )\)–security (in the real model) of a cryptographic application \(P\) essentially requires that for any adversary \(\mathsf A \) with resource \(T\) and non-uniform distribution \(R\), the expectation of \(f(R)\), which we call ‘weak expectation’ is upper bounded by \(\varepsilon \), where the function \(f(r)\) denotes \(\mathsf A '\) s advantage conditioned on secret key being \(r\). In the ideal model, the non-uniform distribution \(R\) is replaced with uniform distribution. Dodis and Yu [13] have discovered an elementary inequality that upper bounds the weak expectation of \(f(R)\) by a product of two terms: the first term only depends on the entropy deficiency (i.e. the difference between m = length(R) and the amount of entropy it has), and the second is essentially the ‘variance’ of \(f\) under uniform distribution \(U_m\). However, in [13], only min-entropy is considered for some applications and collision entropy is considered for some other applications. It’s well known that as a measure of the diversity, uncertainty, or randomness of a system, the R\(\acute{e}\)nyi entropy [24] is the most general notion, which includes the Shannon entropy, the min-entropy, and the collision entropy. The advantage of the R\(\acute{e}\)nyi entropy compared with collision entropy was proposed by Hayashi [18, 19]. We’ll study the upper bound of the ‘weak expectation’ from the most general perspective of the entropy–the R\(\acute{e}\)nyi entropy. When the R\(\acute{e}\)nyi entropy is converted into min-entropy and collision entropy, the corresponding results are the same as those of [13]. Moreover, in [13], the entropy is information-theoretic. In reality, it’s infeasible to information-theoretically measure the ‘weak source’.
The discovery [6, 17, 25] that simple computational assumptions (namely the existence of one-way functions) make the computational and information-theoretic notions completely different has been one of the most fruitful results in computer science history, with impact on cryptography, complexity theory and computational learning theory. Two of the fundamental papers [17, 25] found it natural to extend information theory more generally to the computational setting, and attempt to define its most fundamental notion of entropy. The most used is due to H\(\dot{a}\)stad, Impagliazzo, Levin, and Luby [17] (called HILL entropy). In this paper, we’ll use an expanded version of the HILL entropy to study how to overcome ‘weak’ expectations.
APPLICATIONS. Firstly, we capitalize on the inequalities via the R\(\acute{e}\)nyi entropy and expanded computational entropy to all unpredictabilityFootnote 1 applications (e.g. one-way functions, MACs and digital signatures). Secondly, the inequalities dependent on the R\(\acute{e}\)nyi entropy can be applied to indistinguishabilityFootnote 2 applications including CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions, Extractors and Non-Malleable Extractors similar to the results of [13] that depend on collision entropy. Thirdly, for some indistinguishability applications, such as CPA-secure symmetric key encryption schemes and weak pseudorandom functions (PRF), we obtain some results based on the expanded computational entropy, while those [13] that depend on collision entropy are already greatly improved results as compared to state-of-the-art [23] with much simpler proofs. We also introduce the concept of weaker computational extractors, whose input is a source of sufficiently high computational entropy, while the output is close to a uniform distribution under the computational distance. Then we show a construction of a weaker computational extractor from any weak PRF.
OUR CONTRIBUTION AND TECHNIQUES. We employ the discrete form of the H\(\ddot{o}\)lder inequality, so that the weak expectation can be upper bounded by a product of two terms, the first of which is determined by the R\(\acute{e}\)nyi entropy, while the second only depends on the expectation of some function of \(f\) under uniform distribution. More formally, we get two main results:
Result 1
If an unpredictability application \(P\) is \((T, \varepsilon )-\)secure in the ideal model, then \(P\) is \((T, (2^d \cdot \varepsilon )^{\frac{1}{\alpha '}})-\)secure in the \((m-d)-\)real\(_\alpha \) model where \(\alpha \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\).
Result 2
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). If an indistinguishability application \(P\) is \((T', \varepsilon )-\)secure and \((T', T, \gamma )\)-simulatable, then
-
(1)
If \(1 < \alpha ' < 2\), we have that \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}\). In particular, \(P\) is \((T, [2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} )-\)secure in the \((m-d)-\)real\(_\alpha \) model.
-
(2)
If \(\alpha ' \ge 2\), we have that \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2}\). In particular, \(P\) is \((T, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} )-\)secure in the \((m-d)-\)real\(_\alpha \) model.
Compared to previous results, our results are more general, since in previous literature [13], only \(\alpha =\infty \) (i.e. the min entropy) and \(\alpha = 2\) (i.e. the collision entropy) are considered.
Though Barak and Dodis et al. [2, 13] proposed a double-run trick to study the connection between the security model and the square-security model for indistinguishability applications, it seems impossible to directly expand this trick to find the relationship between the security model and the \(\beta \)th power security model in the ideal world. Fortunately, we find that if the H\(\ddot{o}\)lder inequality is employed, then we can adopt the square-security model as a bridge between the security model and the \(\beta \)th power security model. Consequently, Result 2 can be obtained.
In [13], the randomness of a distribution is measured by its entropy which is information-theoretic. In reality, it’s infeasible to information-theoretically measure the ‘weak source’. Thus in this paper, we extend these objective measures to the computational case. By employing the R\(\acute{e}\)nyi entropy, we expand the computational entropy in [17] and study how to overcome the ‘weak’ expectation. We discover that if the attacker’s advantage circuit size is chosen to be the circuit size in the concept of expanded computational entropy, then this kind of computational entropy is useful in overcoming the ‘weak’ expectation, and some results similar to Result 1 and 2 can be obtained. We also show some indistinguishability applications including CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions and Weaker Computational Extractors.
ORGANIZATION. The rest of the paper is organized as follows. In the following section, we recall some concepts and notations to be used in the paper. In Sect. 3, we present how to overcome Weak Expectations via the R\(\acute{e}\)nyi Entropy. In Sect. 4, we use an expanded version of the HILL entropy to study how to overcome ‘weak’ expectations. Section 5 concludes the paper.
2 Preliminaries
In this section, we present some notations and definitions that will be used later.
Definition 2.1
([24]) The R\(\acute{e}\)nyi entropy of order \(\alpha \) of a random variable \(X\) is defined as
where \(\alpha \ge 0\) and \(\alpha \ne 1\).
Remark 2.1
If \(\alpha \rightarrow 1\), \(H_\alpha (X)\) converges to the Shannon entropy [9]:
If \(\alpha =2\), \(H_\alpha (X)\) is called the collision entropy of \(X\):
If \(\alpha \rightarrow \infty \), \(H_\alpha (X)\) converges to the min entropy:
It’s very natural to extend the average (aka conditional) collision entropy and min-entropy in [13] to the average (aka conditional) R\(\acute{e}\)nyi entropy, which is as follows.
Definition 2.2
The average (aka conditional) R\(\acute{e}\)nyi entropy of a random variable X conditioned on another random variable Z is defined as follows.
where \(z \leftarrow Z\) is denoted as sampling an element \(z\) according to distribution \(Z\), \(\alpha \ge 0\) and \(\alpha \ne 1\).
If \(\alpha =2 (resp. \infty )\), \(H_\alpha (X|Z)\) is the same as the definition of average (aka conditional) collision entropy (resp. min-entropy) in [13]. The difference between average (aka conditional) R\(\acute{e}\)nyi entropy (when \(1<\alpha \le 2\)) and collision entropy was discussed in [18, 19].
The advantage of a circuit \(C\) in distinguishing the random variables \(X\), \(Y\) is denoted as \(\varDelta _C(X, Y)= |Pr(C(X)=1)- Pr(C(Y)=1)|\). The statistical distance between two random variables \(X\), \(Y\) is defined by \(\mathsf{{SD}}(X, Y)= \frac{1}{2} \sum \limits _{x} |Pr(X=x)-Pr(Y=x)|= \max \limits _{C} \varDelta _C(X, Y)\). Given a circuit \(D\), define the computational distance \(\delta ^D\) between \(X\) and \(Y\) as \(\delta ^D(X, Y ) = |\mathbb {E}[D(X)]- \mathbb {E}[D(Y )]|\). We write \(\varDelta _C(X, Y|Z)\)(resp. \(\mathsf{{SD}}(X, Y|Z)\), \(\delta ^D(X, Y|Z)\)) as shorthand for \(\varDelta _C((X, Z), (Y, Z))\)(resp. \(\mathsf{{SD}}((X, Z), (Y, Z))\), \(\delta ^D((X, Z), (Y, Z))\)).
Let \(\mathcal {D}_s^{det, \{0, 1\}}\) (resp. \(\mathcal {D}_s^{det, [0, 1]}\)) be the set of all deterministic circuits of size \(s\) with binary output in \(\{0, 1\}\) (resp. \([0, 1]\)), and let \(\mathcal {D}_s^{rand, \{0, 1\}}\) (resp. \(\mathcal {D}_s^{rand, [0, 1]}\)) as the set of probabilistic circuits with output in \(\{0, 1\}\) (resp. \([0, 1]\)).
HILL computational entropy is parameterized by quality (how distinguishable is \(X\) from a variable \(Z\) that has true entropy) and quantity (how much true entropy is there in \(Z\)). Formally, it’s defined as follows.
Definition 2.3
([5, 17]) A distribution \(X\) has \(HILL\) entropy at least \(k\), denoted \(H_{\varepsilon , s}^{HILL} (X) \ge k\) if there exists a distribution \(Y\) where \(H_{\infty } (Y) \ge k\), such that \(\forall D \in \mathcal {D}_s^{det, [0, 1]}\), \(\delta ^D(X, Y) \le \varepsilon .\)
Definition 2.4
([21]) Let \((X, Y)\) be a pair of random variables. \(X\) has conditional HILL entropy at least \(k\) conditioned on \(Y\), denoted \(H^{HILL}_{\varepsilon , s}(X|Y) \ge k\), if there exists a collection of distributions \(Z_y\) for each \(y \in Y\), giving rise to a joint distribution \((Z, Y)\), such that \(H_\infty (Z|Y) \ge k\) and \(\forall D \in \mathcal {D}_s^{rand, [0, 1]}\), \(\delta ^D((X, Y), (Z, Y)) \le \varepsilon \).
As shown in [15], HILL entropy (resp. conditional HILL entropy) drawing \(D\) from \(\mathcal {D}_s^{det, \{0, 1\}}\), \(\mathcal {D}_s^{det, [0, 1]}\), \(\mathcal {D}_s^{rand, \{0, 1\}}\), \(\mathcal {D}_s^{rand, [0, 1]}\) is essentially equivalent. However, the above definition is only limited to the min-entropy. It’s natural to expand it to the R\(\acute{e}\)nyi entropy. The expanded version is as follows.
Definition 2.5
A distribution \(X\) has Expanded \(HILL\) entropy at least \(k\), denoted \(H_{\alpha , \varepsilon , s}^{EHILL} (X) \ge k\) if there exists a distribution \(Y\) where \(H_\alpha (Y) \ge k\), such that \(\forall D \in \mathcal {D}_s^{det, [a, b]}\), \(\delta ^D(X, Y) \le \varepsilon ,\) where \(a < b\) and \(\alpha \ge 0\) and \(\alpha \ne 1\).
Definition 2.6
Let \((X, Y)\) be a pair of random variables. \(X\) has conditional EHILL entropy at least \(k\) conditioned on \(Y\), denoted \(H^{EHILL}_{\alpha , \varepsilon , s}(X|Y) \ge k\), if there exists a collection of distributions \(Z_y\) for each \(y \in Y\), giving rise to a joint distribution \((Z, Y)\), such that \(H_\alpha (Z|Y) \ge k\) and \(\forall D \in \mathcal {D}_s^{rand, [a, b]}\), \(\delta ^D((X, Y), (Z, Y)) \le \varepsilon ,\) where \(a < b\) and \(\alpha \ge 0\) and \(\alpha \ne 1\).
Similar to [15], Expanded \(HILL\) entropy (resp. conditional EHILL entropy) drawing \(D\) from \(\mathcal {D}_s^{det, \{a, b\}}\), \(\mathcal {D}_s^{det, [a, b]}\), \(\mathcal {D}_s^{rand, \{a, b\}}\), \(\mathcal {D}_s^{rand, [a, b]}\) is essentially equivalent.
ABSTRACT SECURITY GAMES. The security of an application \(P\) is defined via an interactive game between a probabilistic attacker \(\mathsf A \) and a probabilistic challenger \(\mathsf C (r)\), where \(\mathsf C \) is fixed by the definition of \(P\), and where the particular secret key \(r\) used by \(\mathsf C \) is derived from \(U_m\) in the ‘ideal’ setting, and from some distribution \(R\) in the ‘real’ setting. The game can have an arbitrary structure, but at the end \(\mathsf C (r)\) should output a bit, with output 1 indicating that \(\mathsf A \) ‘won’ the game and 0 otherwise.
Given a particular key \(r\), we define the advantage \(f_\mathsf{A }(r)\) of \(\mathsf A \) or \(r\) (against particular \(\mathsf C \) fixed by \(P\)) as follows. For unpredictability games, denote \(f_\mathsf{A }(r)\) as the expected value of \(\mathsf C (r)\) taken over the internal coins of \(\mathsf A \) and \(\mathsf C \); and for indistinguishability games, \(f_\mathsf{A }(r)\) is the expectation of \(\mathsf C (r)-\frac{1}{2}\), thus \(f_\mathsf{A } (r)= Pr_\mathsf{C , r}(\mathsf A ~ wins) - \frac{1}{2}\). \(f_\mathsf{A }\) is called \(\mathsf A \)’s advantage circuit.
Let \(U_m\) be the uniformly random distribution over \(\{0, 1\}^m\). Denote \(|\mathbb {E}(f_\mathsf{A }(U_m))|\) as the advantage of \(\mathsf A \) (in the ideal model). For \(c \ge 0\) and \(c \ne 1\) and all distributions \(R\) with \(H_c(R) \ge m-d\), denote \(\max _R|\mathbb {E}(f_\mathsf{A }(R))|\) as the advantage of \(\mathsf A \) in the \((m - d)-\)real\(_c\) model instead of limiting \(c\) to be \(\infty \) or 2 in [13]. Similarly, for \(\alpha \ge 0\) and \(\alpha \ne 1\), denote \(\max _R|\mathbb {E}(f_\mathsf{A }(R))|\), taken over all distributions \(R\) with \(H_{\alpha , \varepsilon , s}^{EHILL} (R)\ge m-d\), as the advantage of \(\mathsf A \) in the \((m-d)-\)real\(_{\alpha , \varepsilon , s}^{EHILL}\) modelFootnote 3.
Definition 2.7
([13]) An application \(P\) is \((T, s, \varepsilon )-\)secure (in the ideal model) if the advantage of any \(T-\)bounded \( \mathsf A \) with the advantage circuit size \(s\) is at most \(\varepsilon \).
For \(c \ge 0\) and \(c \ne 1\), an application \(P\) is \((T', \varepsilon ')-\)secure in the \((m-d)-\)real\(_c\) model if the advantage of any \(T'-\)bounded \(\mathsf A \) in the \((m-d)-\)real\(_c\) model is at most \(\varepsilon '\).
Definition 2.8
For \(\alpha \ge 0\) and \(\alpha \ne 1\), an application \(P\) is \((T', s', \varepsilon ')-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s'}^{EHILL}\) model if the advantage of any \(T'-\)bounded \(\mathsf A \) with the advantage circuit size \(s'\) in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s'}^{EHILL}\) model is at most \(\varepsilon '\).
3 Overcoming Weak Expectations via the R\(\acute{e}\)nyi Entropy
Since the unavailability of perfect random secret sources, it’s valuable to discover the connection between the advantages \(|\mathbb {E}(f_\mathsf{A }(U_m))|\) (in the ideal model) and \(\max _R|\mathbb {E}f_\mathsf{A }(R)|\) (in the \((m - d)-\)real\(_c\) model) where \(c \ge 0\) and \(c \ne 1\). Unfortunately, existing results [13] only considered the min-entropy for unpredictability applications and the collision entropy for indistinguishability applications. In the following, based on the R\(\acute{e}\)nyi Entropy and the discrete form of the H\(\ddot{o}\)lder inequality, we’ll present an inequality which unify the corresponding connection in both unpredictability and indistinguishability applications. Then we present its applications and discuss its form when side information exists.
Lemma 3.1
([1]) Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for all \((x_1, x_2, \cdots , x_n), (y_1, y_2, \cdots , y_n) \in \mathbb {R}^n\), we have
which is the discrete form of the H\(\ddot{o}\)lder inequality.
Theorem 3.1
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for any (deterministic) real-valued function \(f: \{0,1\}^m \rightarrow \mathbb {R}\) and any random variable \(R\) with \(H_\alpha (R)\ge m-d\), we have
Proof
From Definition 2.1, \(\sum \limits _{r} Pr(R=r)^\alpha = 2 ^{(1-\alpha ) H_\alpha (R)}\). According to Lemma 3.1, we have
Remark 3.1
-
If \(\alpha \rightarrow \infty \), we get \(|\mathbb {E}[f(R)]| \le 2^d \mathbb {E}[|f(U_m)|]\). Furthermore, if \(f\) is non-negative function, the result of Theorem 3.1 degenerates into the result of Lemma 3.1 in [13]. It was mentioned that when the value of \(f\) can be negative, the result in Corollary 3.1 of [13] (i.e. \(\mathbb {E}[f(R)] \le 2^d \mathbb {E}[f(U_m)]\)) is generally false, while our result shows that if the absolute value operation is added to both sides of the inequality, then the inequality holds.
-
If \(\alpha =2\), the result of Theorem 3.1 degenerates into the result of Lemma 3.2 in [13].
-
If \(\alpha \rightarrow 1\), using L’H\(\hat{o}\)pital’s rule, we get
$$\begin{aligned}&\lim \limits _{\alpha ' \rightarrow \infty } \{2^d \cdot \mathbb {E}[|f(U_m)|^{\alpha '}]\}^{\frac{1}{\alpha '}} = \lim \limits _{\alpha ' \rightarrow \infty } [\sum \limits _{r} |f(r)|^{\alpha '}]^{\frac{1}{\alpha '}}\\&= e^{\lim \limits _{\alpha ' \rightarrow \infty } \frac{\ln (\sum \limits _{r} |f(r)|^{\alpha '})}{\alpha '} }=e^{\lim \limits _{\alpha ' \rightarrow \infty } \frac{\sum \limits _{r} |f(r)|^{\alpha '} \ln |f(r)|}{\sum \limits _{r} |f(r)|^{\alpha '}}}=\max \limits _r |f(r)|.\\ \end{aligned}$$
On the other hand, we can easily get that \(|\mathbb {E}[f(R)]| \le \max \limits _r |f(r)|\) irrespective of the R\(\acute{e}\)nyi entropy. Thus it’s meaningless to discuss the result under Shannon entropy.
Corollary 3.1
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for any (deterministic) real-valued function \(f : \{0, 1\}^m \rightarrow [0, 1]\) and any random variable \(R\) with \(H_\alpha (R) \ge m-d\), we have
Corollary 3.2
If an unpredictability application \(P\) is \((T, \varepsilon )-\)secure in the ideal model, then \(P\) is \((T, (2^d \cdot \varepsilon )^{\frac{1}{\alpha '}})-\)secure in the \((m-d)-\)real\(_\alpha \) model where \(\alpha \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\).
Remark 3.2
The above corollary shows a upper bound about the advantage of an adversary in the \((m-d)-\)real\(_\alpha \) model, though the upper bound is not tight. Since \( \lim \limits _{\alpha \rightarrow \infty } (2^d \cdot \varepsilon )^{\frac{1}{\alpha '}} = \lim \limits _{\alpha ' \rightarrow 1} (2^d \cdot \varepsilon )^{\frac{1}{\alpha '}} = 2^d \cdot \varepsilon \), we have that the above corollary degenerates into Corollary 3.1 of [13].
Corollary 3.2 can be applied to all “unpredictability” applications such as one-way functions, MACs and digital signatures. It shows that if the secret sources are derived from the real world only guaranteeing high R\(\acute{e}\)nyi entropy, then the unpredictable cryptosystems in ideality have not to be redesigned in the real model, and the security levels in reality can be measured by that in ideality and the R\(\acute{e}\)nyi entropy of the ‘weak’ random secret sources.
Definition 3.1
Consider \(\beta > 1\). An application \(P\) is \((T, \sigma )-\beta \)th power secure if for any \(T-\)bounded adversary \(\mathsf A \), we have \(\mathbb {E}[|f(U_m)|^\beta ] \le \sigma \), where \(f(r)\) denotes \(\mathsf A '\)s advantage conditioned on key being \(r\).
Corollary 3.3
If an indistinguishability application \(P\) is \((T, \sigma )-\alpha '\)th power secure in the ideal model, then \(P\) is \((T, (2^d \cdot \sigma )^{\frac{1}{\alpha '}})-\)secure in the \((m-d)-\)real\(_\alpha \) model where \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\).
Though the min-entropy can be generalized to the R\(\acute{e}\)nyi entropy for all unpredictability applications, it appears very difficult to connect \(\mathbb {E}[|f(U_m)|^{\alpha '}]\) and \(\mathbb {E}[f(U_m)]\) for indistinguishability applications. The reason is that for indistinguishability applications, the range of the function \(f(r)\) is \([-\frac{1}{2}, \frac{1}{2}]\), thus the absolute value operation on the right hand side of the inequality in Theorem 3.1 can’t be deleted. Fortunately, Dodis et al. [13] proposed the Double-Run Trick to connect \(\mathbb {E}[f_\mathsf{B }(U_m)]\) and \(\mathbb {E}[f_\mathsf{A }(U_m)^2]\) where \(\mathsf A \) and \(\mathsf B \) are two adversaries in the same kind of attack game with different number of oracle queries. We’ll adopt this technique and find the relationship between \(\mathbb {E}[f_\mathsf{A }(U_m)^2]\) and \(\mathbb {E}[|f_\mathsf{A }(U_m)|^{\alpha '}]\) with \(\alpha ' > 1\).
Dodis et al. [13] introduced the concept of simulatability about an indistinguishability application \(P\) and obtain the following Lemma (Lemma 3.2) via using the Double-Run Trick.
Lemma 3.2
(see [13]) Assume \(P\) is \((T', \varepsilon )-\)secure and \((T', T, \gamma )\)-simulatableFootnote 4, then \(P\) is \((T, \sigma )\)-square secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2} \).
In particular, \(P\) is \((T, \sqrt{2^{d-1}(\varepsilon + \gamma )})\)-secure in the \((m-d)\)-real\(_2\) model.
In the above lemma, only collision entropy is considered. We’ll amplify it to the R\(\acute{e}\)nyi entropy. Divesh Aggarwal observed that the following lemma can be employed to make the amplification.
Lemma 3.3
Consider \(1 < \beta < 2\). For any (deterministic) real-valued function \(f: \{0, 1\}^m \rightarrow [-\frac{1}{2}, \frac{1}{2}]\), we have
The proof of Lemma 3.3 is given in Appendix B.
Theorem 3.2
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). Assume an indistinguishability application \(P\) is \((T', \varepsilon )-\)secure and \((T', T, \gamma )\)-simulatable, then
-
(1)
If \(1 < \alpha ' < 2\), we have that \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}\). In particular, by Corollary 3.3, \(P\) is \((T, [2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} )-\)secure in the \((m-d)-\)real\(_\alpha \) model.
-
(2)
If \(\alpha ' \ge 2\), we have that \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2}\). In particular, by Corollary 3.3, \(P\) is \((T, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} )-\)secure in the \((m-d)-\)real\(_\alpha \) model.
Proof
By Lemma 3.2, we have that \(P\) is \((T, \sigma ')\)-square secure, where \(\sigma ' \le \frac{\varepsilon + \gamma }{2}\).
(1) If \(1 < \alpha ' < 2\), from Lemma 3.3, we obtain that
Therefore, \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}\).
(2) If \(\alpha ' \ge 2\), then \(\mathbb {E}[|f_\mathsf{A }(U_m)|^{\alpha '}] \le \mathbb {E}[|f_\mathsf{A }(U_m)|^2]\) according to \(f_\mathsf{A }(r) \in [-\frac{1}{2}, \frac{1}{2}]\) for all \(r \in \{0, 1\}^m\). Therefore, \(P\) is \((T, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2}\).
Remark 3.3
Dodis et al. [13] enumerated the applications of Lemma 3.2 to CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions, Extractors and Non-Malleable Extractors. If the weak random sources are measured by the R\(\acute{e}\)nyi entropy instead of the collision entropy, we can obtain similar results via Theorem 3.2.
In some settings, the weak secret sources are derived using some procedure, during which the attacker gets some side information \(S\) about the secret sources. Therefore, it’s valuable to extend the inequality of Theorem 3.1 into the average (aka. conditional) setting. Then it can be employed similarly to study the relationship between the average-case ideal security quantity and real security quantity. The inequality is as follows.
Theorem 3.3
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for any real-valued function \(f(z, s)\) and any random variables \((Z, S)\), where \(|Z|=m\) and \(H_\alpha (Z|S)\ge m-d\), we have
-
If \(\alpha \rightarrow \infty \) and \(f\) is a non-negative function, the above result degenerates into the result of Lemma 3.5 (a) in [13].
-
If \(\alpha =2\), the above result degenerates into the result of Lemma 3.5 (b) in [13].
Proof
From Definition 2.2, we have
Therefore, from Lemma 3.1, we have
4 Overcoming Weak Expectations via the Expanded Computational Entropy
Dodis and Yu [13] found some elegant results about overcoming weak expectations based on the min-entropy and the collision entropy, which are information-theoretic. In reality, the ‘weak source’ may only be measured by efficient algorithms. Thus, computational entropy may be a more valuable tool to study how to overcoming weak expectation. Two papers [17, 25] extended information theory more generally to the computational setting, and attempted to define its most fundamental notion of entropy. Due to the most usefulness of HILL entropy introduced by H\(\dot{a}\)stad, Impagliazzo, Levin, and Luby [17], in this section, we’ll use an expanded version of the HILL entropy (EHILL entropy) to study how to overcome ‘weak’ expectations. We choose the attacker’s advantage circuit size as the circuit size in the concept of expanded computational entropy, and obtain an inequality via the EHILL entropy. Then we present the relationship between the ideal security quantity and real security quantity via the EHILL entropy in all unpredictability applications and some indistinguishability applications. We also show some concrete indistinguishability applications. Finally, we discuss its form when side information exists.
Theorem 4.1
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for any (deterministic) real-valued function \(f : \{0, 1\}^m \rightarrow [a, b]\) with size \(s\) and any random variable \(R\) with \(H_{\alpha , \varepsilon _0, s}^{EHILL} (R) \ge m-d\), we have \(|\mathbb {E}[f(R)]| \le \{2^d \cdot \mathbb {E}[|f(U_m)|^{\alpha '}]\}^{\frac{1}{\alpha '}} + \varepsilon _0.\)
Proof
Since \(H_{\alpha , \varepsilon _0, s}^{EHILL} (R) \ge m-d\), we get that there exists a distribution \(Y\) where \(H_\alpha (Y) \ge m-d\), such that \(\forall D \in \mathcal {D}_s^{det, [a, b]}\), \(\delta ^D(R, Y) \le \varepsilon _0.\)
From Theorem 3.1, we have that \(\mathbb {E}[f(Y)] \le \{2^d \cdot \mathbb {E}[|f(U_m)|^{\alpha '}]\}^{\frac{1}{\alpha '}}\). Since \(f \in \mathcal {D}_s^{det, [0, 1]}\), we have that \(|\mathbb {E}[f(R)]- \mathbb {E}[f(Y)]| \le \varepsilon _0\). Thus
Corollary 4.1
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). For any (deterministic) real-valued function \(f : \{0, 1\}^m \rightarrow [0, 1]\) with size \(s\) and any random variable \(R\) with \(H_{\alpha , \varepsilon _0, s}^{EHILL} (R) \ge m-d\), we have
Corollary 4.2
If an unpredictability application \(P\) is \((T, \varepsilon )-\)secure in the ideal model, then \(P\) is \((T, (2^d \cdot \varepsilon ) ^{\frac{1}{\alpha '}} +\varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model where \(\alpha \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\).
The above corollary shows that if the secret sources are derived from the real world only guaranteeing high expanded computational entropy, then the unpredictable cryptosystems in ideality have not to be redesigned in the real model, and the security levels in reality can be measured by that in ideality and the expanded computational entropy of the ‘weak’ random secret sources.
For indistinguishability applications, since \(f(r) \in [-\frac{1}{2}, \frac{1}{2}]\), we can’t get the inequality like Corollary 4.1. We’ll instead introduce the following definition.
Definition 4.1
Consider \(\beta > 1\). An application \(P\) is \((T, s, \sigma )-\beta \)th power secure if for any \(T-\)bounded adversary \(\mathsf A \) with the advantage circuit size \(s\), we have \(\mathbb {E}[|f(U_m)|^\beta ] \le \sigma \), where \(f(r)\) denotes \(\mathsf A '\)s advantage conditioned on key being \(r\).
Applying this definition to Theorem 4.1, we get that \(\alpha '\)th power security implies real model security as follows.
Corollary 4.3
If an application \(P\) is \((T, s, \sigma )-\alpha '\)th power secure, then \(P\) is \((T, s, (2^d \cdot \sigma )^{\frac{1}{\alpha '}} + \varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model where \(\alpha \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\).
In the following we’ll obtain the relationship between the ideal security quantity and real security quantity.
Theorem 4.2
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). Assume \(P\) is a \((T', s', \varepsilon )-\)secure and \(((T', s'), (T, s), \gamma )-\)simulatableFootnote 5, then
-
(1)
If \(1 < \alpha ' < 2\), we have that \(P\) is \((T, s, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}\). In particular, by Corollary 4.3, \(P\) is \((T, s, [2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} + \varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
-
(2)
If \(\alpha ' \ge 2\), we have that \(P\) is \((T, s, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2}\). In particular, by Corollary 4.3, \(P\) is \((T, s, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} + \varepsilon _0 )-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
Proof
From Theorem 3.2, we get this result.
In the following, we show that the above result can be successfully applied to CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions and Weaker Computational Extractors.
Theorem 4.3
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). Assume \(P\) is a \(((2t, 2q), s', 0)-\) CPA secure symmetric-key encryption scheme in the ideal model. Then
-
(1)
If \(1 < \alpha ' < 2\), then \(P\) is \(((t, q), s, [2^d \cdot (\frac{\varepsilon }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} + \varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
-
(2)
If \(\alpha ' \ge 2\), then \(P\) is \(((t, q), s, (2^d \cdot \frac{\varepsilon }{2})^{\frac{1}{\alpha '}} + \varepsilon _0 )-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
Proof
From Theorem 4.2, we get this result.
Definition 4.2
A family \(\mathcal {H}\) of functions \(\{h_r : \{0, 1\}^n \rightarrow \{0, 1\}^l | r \in \{0, 1\}^m\}\) is \(((t, q), s, \delta )-\)secure weak PRF, if for any \(t-\)bounded attacker \(\mathsf A \) with the advantage circuit size \(s\), and random \(x\), \(x_1\), \(\cdots \), \(x_{q-1} \leftarrow U_n\) and \(r \leftarrow U_m\), we have
The concept of weak PRF here is essentially equivalent to the one in [13], as the definition here is produced via adding the parameter \(s\) to the one in [13]. Just like CPA-secure symmetric-key encryption schemes, weak PRFs are easily seen to be \((((2t, 2q), s'), ((t, q), s), 0)-\)simulatable. By Theorem 4.2, we have
Theorem 4.4
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). Assume \(P\) is a \(((2t, 2q), s', \delta )-\)secure weak PRF in the ideal model. Then
-
(1)
If \(1 < \alpha ' < 2\), we have that \(P\) is \(((t, q), s, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}\). In particular, \(P\) is \(((t, q), s, [2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} + \varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
-
(2)
If \(\alpha ' \ge 2\), we have that \(P\) is \(((t, q), s, \sigma )\)-\(\alpha '\)th power secure, where \(\sigma \le \frac{\varepsilon + \gamma }{2}\). In particular, \(P\) is \(((t, q), s, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} + \varepsilon _0 )-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model.
Extractors have many applications such as key generation, leakage-resilient encryption and derandomization of BPP and IP, but its existence is still not enough under computational perspective. Therefore, we introduce an expanded definition of Extractors.
Definition 4.3
(Weaker Computational Extractors) We say that an efficient function \(E_{wc}: \{0, 1\}^m \times \{0, 1\}^n \rightarrow \{0, 1\}^l \) is a \((k, H_{\alpha , \varepsilon _0, s}^{EHILL}, \varepsilon )-\)weaker computational extractor, if for all \(R\) (over \(\{0, 1\}^m\)) with \(H_{\alpha , \varepsilon _0, s}^{EHILL}(R)\ge k\), for random \(S\) (uniform over \(\{0, 1\}^n\)), and \(\forall \) \(D \in \mathcal {D}_s^{ran, [0, 1]}\), we get
where \(\alpha \ge 0\), \(\alpha \ne 1\), and \(S \leftarrow U_n\) is the random seed of \(E_{wc}\). The value \(L = k-l\) is called the entropy loss of \(E_{wc}\).
Remark 4.1
It should be noticed that computational extractors and weak computational extractors have been studied in [10]. Essentially, computational extractors are efficient functions that map a source of sufficiently high min-entropy to an output, requiring that the joint distribution of output and seed be computationally indistinguishable from uniform. A weak computational extractor is defined similarly, but only requiring that the output of the function (without the seed) be indistinguishable from uniform. While in this paper, it only requires the computational distance between the uniform distribution and the joint distribution of output and seed be upper bounded by \(\varepsilon \), in this sense, the output of the function is further relaxed.
Corollary 4.4
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\). If \(\mathcal {H} \overset{def}{=}\{h_r : \{0, 1\}^n \rightarrow \{0, 1\}^l | r \in \{0, 1\}^m\}\) is \(((2t, 2), s', \delta )-\)secure weak PRF in the ideal model, then
-
(1)
If \(1 < \alpha ' < 2\), then \(E_{wc} (r; z) \overset{def}{=} h_r(z)\) is \(((t, 1), s, [2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} + \varepsilon _0)-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model. Hence, \(E_{wc} (r; z)\) is a \((m-d,H_{\alpha , \varepsilon _0, s}^{EHILL}\), \([2^d \cdot (\frac{\varepsilon + \gamma }{2})^{\frac{\alpha '}{2}}]^{\frac{1}{\alpha '}} + \varepsilon _0)\)-weaker computational extractor.
-
(2)
If \(\alpha ' \ge 2\), then \(E_{wc} (r; z) \overset{def}{=} h_r(z)\) is \(((t, 1), s, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} + \varepsilon _0 )-\)secure in the \((m-d)-\)real\(_{\alpha , \varepsilon _0, s}^{EHILL}\) model. Hence, \(E_{wc} (r; z)\) is a \((m-d, H_{\alpha , \varepsilon _0, s}^{EHILL}, (2^d \cdot \frac{\varepsilon + \gamma }{2})^{\frac{1}{\alpha '}} + \varepsilon _0)\)-weaker computational extractor.
In the following, we study how to extend the inequality of Theorem 3.1 into the average (aka. conditional) setting. It’s as follows.
Theorem 4.5
Let \(\alpha , \alpha ' \in (1, \infty )\) and \(\frac{1}{\alpha } + \frac{1}{\alpha '}=1\), then for any real-valued function \(f(r, s)\) with size \(s_0\) and any random variables \((R, S)\), where \(|R|=m\) and \(H^{EHILL}_{\alpha , \varepsilon _0, s_0} (R|S)\ge m-d\), we have
Proof
Since \(H^{EHILL}_{\alpha , \varepsilon _0, s_0} (R|S)\ge m-d\), we have that there exists a joint distribution \((Z, S)\), such that \(H_\infty (Z|S) \ge m-d\) and for \(\forall D \in \mathcal {D}_s^{ran, [0, 1]}\), \(\delta ^D((R, S), (Z, S)) \le \varepsilon _0\).
According to Theorem 3.3, we have \(|\mathbb {E}[f(Z, S)]| \le \{2^d \cdot \mathbb {E}[|f(U_m, S)|^{\alpha '}]\}^{\frac{1}{\alpha '}}\).
Since \( f \in \mathcal {D}_s^{ran, [a, b]}\), we have \(|\mathbb {E}[f(Z, S)]- \mathbb {E}[f(R, S)] | \le \varepsilon _0\). Thus,
5 Conclusion
In the ideal world, a cryptographic system is considered to be secure, if it can be formally proved that it’s secure in certain security model, which takes for granted the secret is perfectly random. However, in the real world, the secret may only be obtained from non-uniform distribution with some non-trivial amount of entropy. The security of cryptographic models is measured by the expectation of some function, with called ‘perfect’ expectation in the ideal model and ‘weak’ expectation in the real model respectively. We propose some elementary inequalities via the R\(\acute{e}\)nyi entropy and the expanded computational entropy, which show that the ‘weak’ expectation is not much worse than the ‘perfect’ expectation. The results apply to all ‘unpredictability’ applications and some indistinguishability applications including CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions and Weaker Computational Extractors. Compared to the results based on the min-entropy and collision entropy by Dodis and Yu [TCC 2013], our results are more general, and we also obtain some results from a computational perspective.
Notes
- 1.
“unpredictability” means the adversary’s unpredictable property in the security game.
- 2.
“indistinguishability” means the adversary’s indistinguishable property in the security game.
- 3.
- 4.
For space limitation, this definition is in Appendix A.
- 5.
For space limitation, this definition is in Appendix A.
References
Abualrub, M.S., Sulaiman, W.T.: A note on Hölder’s inequality. Int. Math. Forum 4(40), 1993–1995 (2009)
Barak, B., Dodis, Y., Krawczyk, H., Pereira, O., Pietrzak, K., Standaert, F.-X., Yu, Y.: Leftover hash lemma, revisited. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer, Heidelberg (2011)
Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communication Security, pp. 203–212 (2005)
Barak, B., Shaltiel, R., Tromer, E.: True random number generators secure in a changing environment. In: Proceedings of the 5th Cryptographic Hardware and Embedded Systems, pp. 166–180 (2003)
Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: Arora, S., Jansen, K., Rolim, J., Sahai, A. (eds.) RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003)
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13(4), 850–864 (1984)
Boneh, D., Shoup, V.: A graduate Course in Applied Cryptography. http://cs.nyu.edu/courses/fall12/CSCI-GA.3210-001/index.html
Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005)
Bromiley, P.A., Thacker, N.A., Bouhova-Thacker, E., Shannon Entropy, R\(\acute{e}\)nyi Entropy, and Information (2004)
Dachman-Soled, D., Gennaro, R., Krawczyk, H., Malkin, T.: Computational extractors and pseudorandomness. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 383–403. Springer, Heidelberg (2012)
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Dodis, Y., Ristenpart, T., Vadhan, S.P.: Randomness condensers for efficiently samplable, seed-dependent sources. In: 9th Theory of Cryptography Conference, pp. 618–635 (2012)
Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013)
Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012)
Fuller, B., Reyzin, L.: Computational entropy and information leakage. Technical report, IACR Cryptology e-Print Archive http://eprint.iacr.org/2012/466.pdf (2012)
Gennaro, R., Krawczyk, H., Rabin, T.: Secure hashed diffie-hellman over non-DDH groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 361–381. Springer, Heidelberg (2004)
Hȧstad, J., Impagliazzo, R., Levin, L.A., Luby, L.M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Hayashi, M.: Exponential decreasing rate of leaked information in universal random privacy amplification. IEEE Trans. Inf. Theory 57(6), 3989–4001 (2011)
Hayashi, M.: Tight exponential evaluation for universal composablity with privacy amplification and its applications. Accepted in IEEE Trans. Inf. Theory (arXiv:1010.1358) (2010)
Holenstein, T., Maurer, U.M., Sjödin, J.: Complete classification of bilinear hard-core functions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 73–91. Springer, Heidelberg (2004)
Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007)
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010)
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)
R\(\acute{e}\)nyi, A.: On measures of information and entropy. In: Proceedings of the 4th Berkeley Symposium on Mathematics, Statistics and Probability, pp. 547–561 (1960)
Yao Andrew, C.: Theory and applications of trapdoor functions. In: Proceedings of 23rd FOCS, pp. 80–91. IEEE (1982)
Acknowledgments
We would like to thank Yevgeniy Dodis and Divesh Aggraval for helpful discussions. In particular, Divesh showed us Lemma 3.3 and how to prove it. We also wish to thank the anonymous reviewers for useful comments. This work is supported by the Natural Science Foundation of China (60973105, 61370126, 61170189, and 61170107), the Fund for the Doctoral Program of Higher Education of China (20111102130003 and20101303110004), the Fund of the State Key Laboratory of Software Development Environment ( SKLSDE-2013ZX-19, SKLSDE-2012ZX-11), the Innovation Foundation of Beihang University for Ph.D. Graduates under Grant No. 2011106014, the Fund of the Scholarship Award for Excellent Doctoral Student granted by Ministry of Education under Grant No.400618, and the Fund for CSC Scholarship Programme under Grant No. 201206020063.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Definitions
Definition 1
(see [13]) We say that an indistinguishability application \(P\) is \(((T', T, \gamma )\)-simulatable, if for any secret key \(r\) and any legal, \(T\)-bounded attacker \(\mathsf A \), there exists a (possibly illegal!) \(T'-\)bounded attacker \(\mathsf B \) (for some \(T' \ge T\)) such that:
-
(1)
The execution between \(\mathsf B \) and ‘real’ \(\mathsf C (r)\) defines two independent executions between a copy \(\mathsf A _i\) of \(\mathsf A \) and a ‘simulated’ challenger \(\mathsf C _i(r)\) , for \(i = 1, 2\). In particular, except reusing the same \(r\), \(\mathsf A _1\), \(\mathsf C _1(r)\), \(\mathsf A _2\), \(\mathsf C _2(r)\) use fresh and independent randomness, including independent challenge bits \(b_1\) and \(b_2\).
-
(2)
The challenge \(b\) used by ‘real’ \(\mathsf C (r)\) is equal to the challenge \(b_2\) used by ‘simulated’ \(\mathsf C _2\).
-
(3)
Before making its guess \(b'\) of the challenge bit \(b\), \(B\) learns the values \(b_1\), \(b'_1\) and \(b'_2\).
-
(4)
The probability of \(\mathsf B \) violating the failure predicate \(F\) is at most \(\gamma \).
Definition 2
We say that an indistinguishability application \(P\) is \(((T', s'), (T, s), \gamma )-\)simulatable, if for any secret key \(r\) and any legal, \(T\)-bounded attacker \(\mathsf A \) with the advantage circuit size \(s\), there exists a (possibly illegal!) \(T'-\)bounded attacker \(\mathsf B \) (for some \(T' \ge T\)) with the advantage circuit size \(s'\) such that it satisfies items (1)-(4) of Definition 1.
Remark
The definition here is essentially equivalent to Definition 1, as the definition here is obtained via adding the parameters \(s\) and \(s'\) to Definition 1.
B Proof
Proof
Since \(1 < \beta < 2\), we have \(\frac{2}{\beta } > 1\). From the H\(\ddot{o}\)lder inequality, we have
Therefore,
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Yao, Y., Li, Z. (2014). Overcoming Weak Expectations via the R\(\acute{e}\)nyi Entropy and the Expanded Computational Entropy. In: Padró, C. (eds) Information Theoretic Security. ICITS 2013. Lecture Notes in Computer Science(), vol 8317. Springer, Cham. https://doi.org/10.1007/978-3-319-04268-8_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-04268-8_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04267-1
Online ISBN: 978-3-319-04268-8
eBook Packages: Computer ScienceComputer Science (R0)