Cryptographic Applications of Randomness Extractors


Cryptographic Applications of Randomness Extractors
Salil Vadhan, Harvard University
http://seas.harvard.edu/~salil

Outline
- Definition & Basics
- Cryptographic Applications (overview)
- Extracting Statistical Entropy in Crypto
- Extracting Computational Entropy in Crypto
Caveats: informal, only a small sample

Definition & Basics

Min-entropy
Def: The min-entropy of X is H∞(X) := min_x log(1/Pr[X=x]). X is a k-source if H∞(X) ≥ k, i.e. ∀x Pr[X=x] ≤ 2^-k.
Examples:
- Unpredictable source [SV84]: ∀ i ∈ [n], b_1, ..., b_{i-1} ∈ {0,1},
- Bit-fixing [CGH+85,BL85,LLS87,CW89]: some k coordinates of X are uniform, the rest fixed (or even depend arbitrarily on the others).
- Flat k-source: uniform over S ⊆ {0,1}^n, |S| = 2^k

Extractors [Nisan & Zuckerman '93]
Def: Ext : {0,1}^n × {0,1}^d → {0,1}^m is a (strong) (k,ε)-extractor if ∀ k-source X, U_d ∘ Ext(X,U_d) is ε-close to U_d ∘ U_m.
(Figure: a k-source of length n and a d-bit random "seed" enter EXT, which outputs m almost-uniform bits. ε-close means statistical distance max_T |Pr[X∈T] − Pr[Y∈T]| ≤ ε.)
Goals: minimize seed length, maximize output length.

Extractors as Hash Functions
(Figure: h_y : {0,1}^n → {0,1}^m.) Take a flat k-source, i.e. a set of size 2^k ≫ 2^m. For most seeds y, h_y maps the set almost uniformly onto the range {0,1}^m.

The Optimal Extractor
Thm [Sip88,RT97]: For every k ≤ n, ∃ a (k,ε)-extractor with
- seed length d = log(n−k) + 2log(1/ε) + O(1)
- output length m = k − 2log(1/ε) − O(1)
"extract almost all the min-entropy with a logarithmic seed"
⇒ in some applications, the need for a truly random seed can be eliminated by trying all 2^d = poly(n/ε) possibilities (e.g. simulating randomized algorithms with a k-source).
A long line of work tries to match the above nonconstructive bounds with explicit constructions.

Extractors from Hash Functions
Leftover Hash Lemma [BBR85,ILL89]: universal hash functions yield strong extractors
- output length: m = k − 2log(1/ε) − O(1)
- seed length: d = n
- example: Ext(x,a) = first m bits of a·x in GF(2^n)
Almost-universal hash functions [SZ94,GW94]: seed length d = O(log n + m)
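As an added, constructed example (not from the slides): the slide's extractor Ext(x,a) = first m bits of a·x in GF(2^n) at toy size n = d = 8, k = 6, m = 2, with the Leftover Hash Lemma bound checked by exhaustive enumeration over all 2^d seeds and a constructed flat 6-source. The source, the parameter values and the function names are my assumptions.

```python
import random

# Toy parameters (constructed), small enough to enumerate every seed and source element exactly.
N = 8            # source length n = seed length d; arithmetic in GF(2^8)
K = 6            # min-entropy of the flat source
M = 2            # output length m
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a: int, b: int, n: int = N, poly: int = POLY) -> int:
    """Multiply a and b in GF(2^n) = GF(2)[x]/(poly): carry-less product with reduction."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def ext(x: int, a: int, m: int = M) -> int:
    """Ext(x, a) = first (most significant) m bits of a*x in GF(2^n), a universal hash family."""
    return gf_mul(a, x) >> (N - m)

def flat_source(k: int = K, n: int = N, rng_seed: int = 1) -> list:
    """A constructed flat k-source: uniform over a fixed random subset of {0,1}^n of size 2^k."""
    return random.Random(rng_seed).sample(range(2 ** n), 2 ** k)

def stat_dist_from_uniform(counts: dict, total: int, m: int) -> float:
    """max_T |Pr[V in T] - Pr[U_m in T]| = 1/2 * sum_v |Pr[V=v] - 2^-m|."""
    return 0.5 * sum(abs(counts.get(v, 0) / total - 2 ** -m) for v in range(2 ** m))

def strong_extractor_distance(src: list, m: int = M, n: int = N) -> float:
    """Distance of (A, Ext(X, A)) from (A, U_m) = average over seeds a of the per-seed distance."""
    total = 0.0
    for a in range(2 ** n):
        counts = {}
        for x in src:
            v = ext(x, a, m)
            counts[v] = counts.get(v, 0) + 1
        total += stat_dist_from_uniform(counts, len(src), m)
    return total / 2 ** n

def lhl_bound(k: int = K, m: int = M) -> float:
    """Leftover Hash Lemma: distance <= 1/2 * sqrt(2^m / 2^k), i.e. m = k - 2 log(1/eps) up to constants."""
    return 0.5 * 2 ** ((m - k) / 2)

def collision_seeds(x: int, y: int, m: int = M, n: int = N) -> int:
    """Seeds a with Ext(x,a) == Ext(y,a); universality gives exactly 2^(n-m) of them when x != y."""
    return sum(1 for a in range(2 ** n) if ext(x, a, m) == ext(y, a, m))
```

Calling strong_extractor_distance(flat_source()) and comparing with lhl_bound() shows the exact distance sitting below the 0.125 the lemma guarantees for these parameters.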

Cryptographic Applications

Crypto with Weak Random Sources?
Enumerating seeds doesn't work: e.g. we would get several encryptions of a message, most of which are "secure".
Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an (n−1)-source: encryption, commitment, secret sharing, zero knowledge, …
Alternative: seek "seedless" extractors for restricted classes of sources: bit-fixing sources, several independent weak sources, efficiently samplable sources, low-degree sources, … [many]
Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

Seeded Extractors in Crypto
Common setting: information gaps
- To parties A, B, …, string X has little or no "entropy"
- To parties E, F, …, string X has a lot of "entropy"
After extraction:
- To parties A, B, …, r.v. Ext(X) still has little or no "entropy"
- To parties E, F, …, r.v. Ext(X) is indistinguishable from uniform
Challenges: Where to get the seed? Working with computational entropy. Efficiency constraints. Noise.

Crypto with Statistical (Min-)Entropy

Privacy Amplification [BBR85]
Common setting: information gaps
- A, B share/access a random string X ∈ {0,1}^n
- E has imperfect info about X ⇒ X|view(Eve) is a k-source.
After extraction:
- A, B share Ext(X,R)
- Ext(X,R)|view'(Eve) is ε-close to U_m ⇒ A, B can use Ext(X,R) as a key.

Partial Info & Min-Entropy
An adversary learning s bits of info about X reduces its min-entropy by roughly s.
Cf. Shannon entropy: H(X|Z) ≥ H(X) − H(Z) ≥ H(X) − s
Lemma: Let (X,Z) be (correlated) random variables, X a k-source and |Z| = s. Then with probability ≥ 1−ε over z ← Z, X|Z=z is a (k − s − log(1/ε))-source.
[DRS03]: H̃∞(X|Z) ≥ H∞(X) − H₀(Z) ≥ H∞(X) − s, where H̃∞(X|Z) = log(1/E_{z←Z}[max_x Pr[X=x|Z=z]])
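An added, constructed check of both statements above (not from the slides): a flat 6-source over 8-bit strings, a 3-bit leakage Z = low bits of X (my choice of leakage function), the average-case H̃∞(X|Z) of [DRS03] computed exactly, and the probability mass of z for which X|Z=z fails to be a (k − s − log(1/ε))-source. All names and parameter values are assumptions.

```python
import math
import random

N, K, S = 8, 6, 3   # constructed toy: n-bit strings, a flat k-source, s bits of leakage

def flat_source(k: int = K, n: int = N, rng_seed: int = 1) -> list:
    """A constructed flat k-source: uniform over a fixed random subset of {0,1}^n of size 2^k."""
    return random.Random(rng_seed).sample(range(2 ** n), 2 ** k)

def leak(x: int, s: int = S) -> int:
    """The adversary's s-bit partial information Z = leak(X); here the low s bits of X (my choice)."""
    return x & ((1 << s) - 1)

def min_entropy(src: list) -> float:
    """H_inf(X) = min_x log(1/Pr[X=x]); on a flat source every x has probability 1/|S|."""
    return -math.log2(1.0 / len(src))

def buckets(src: list, s: int = S) -> dict:
    """Group the support by leakage value z; then Pr[X=x | Z=z] = 1/|bucket(z)| for x in bucket(z)."""
    b = {}
    for x in src:
        b.setdefault(leak(x, s), []).append(x)
    return b

def avg_min_entropy(src: list, s: int = S) -> float:
    """[DRS03]: H~_inf(X|Z) = -log E_z[max_x Pr[X=x|Z=z]] = -log sum_z max_x Pr[X=x, Z=z]."""
    heaviest = sum(1.0 / len(src) for _ in buckets(src, s))   # every z's heaviest x weighs 1/|S|
    return -math.log2(heaviest)

def bad_z_mass(src: list, s: int = S, eps: float = 0.25) -> float:
    """Pr over z <- Z that X|Z=z is NOT a (k - s - log(1/eps))-source, i.e. |bucket(z)| is too small."""
    thresh = 2 ** (min_entropy(src) - s - math.log2(1 / eps))
    return sum(len(b) for b in buckets(src, s).values() if len(b) < thresh) / len(src)
```

Since at most 2^s leakage values exist, avg_min_entropy can never drop below K − S, and bad_z_mass can never exceed eps, whichever subset the source happens to be.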

Examples of Partial Info
Partial key exposure [CDHKS00]: the adversary reads s actual bits of the private key X.
- X|view is actually a "bit-fixing source" [CFGHRS85]
- Honest parties use Ext(X) (no seed necessary!)
Bounded-storage model [M90,ADR99,L02,V03]: the adversary reads an s-bit function of a high-rate bitstream X.
- Honest parties compute Ext(X;R), where R = private key
- Need an Ext that reads only few bits from X

Examples of Partial Info (cont.)
Biometrics [DRS03]: need to derive a key from an unreliable fingerprint X.
- Store seed R & short error-correcting info C on the server ("information reconciliation" [BBR85])
- X|C a k-source ⇒ Ext(X;R)|C,R ≈_s U_m
- C = X mod (high-rate error-correcting code)

Crypto with Computational (Min-)Entropy

Computational Entropy
Def [HLR07]: X has unpredictability-entropy at least k if it can be predicted in poly-time w.p. at most 2^-k.
- If f is a one-way function, then X|f(X) has unpredictability entropy ω(log n).
- Can extract pseudorandom bits using an extractor with "efficient local list-decoding" [GL89,TZ01].
Def [HILL90]: X has pseudoentropy at least k if X ≈_c Y for some k-source Y.
- Any poly-time extractor works!

Extracting Computational Entropy: PRGs ⇐ (1-1) OWF [HILL90]
- X|f(X) has unpredictability-entropy but no real entropy.
- Y = (f(X), Ext_1(X)) has pseudoentropy > real entropy = |X|, where Ext_1 = extractor with "local list-decoding" (e.g. GL).
- Ext_2[Y_1, …, Y_t] is pseudorandom, where Ext_2 = any efficient extractor.
- Seeds for Ext_1, Ext_2: from the PRG seed.
Hardcore Lemma [I95,STV01,H05]: unpredictability-entropy ⇒ pseudoentropy for 1-bit r.v.'s

Extracting Computational Entropy: Bounded-Retrieval Model [D06,DP08]
- Leakage over time may exceed |X|. Idea: regain the loss by X' = PRG(Ext(X)).
- Problem: X is only pseudorandom.
- If X is pseudorandom and the adversary knows s bits about X, then X|view has "metric pseudoentropy" ≥ n−s [BSW03].
- If s = O(log n), then metric pseudoentropy n−s ⇒ pseudoentropy n−s [RTV08,I08].

Extracting Computational Entropy: Leakage-Resilient Public-Key Encryption [AGV09]
- Adversary learns s bits about X = SK, plus PK = f(SK).
- Problem: the encryptor doesn't know SK, so it can't extract from SK.
- Leakage independent of PK: take a longer SK, set PK = (f(Ext(SK;R)), R).
- Leakage can depend on PK: show that encryption itself can be viewed as extracting from SK.

Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09]
CRHF {F : {0,1}^n → {0,1}^{n−k}}
Protocol (sender S, receiver R):
- COMMIT: R sends F to S; S picks X ← {0,1}^n and sends (F(X), R, M = Ext(X,R)) with M ∈ {0,1}^t.
- REVEAL: S sends (M, X); R accepts/rejects.
Honest execution: H∞(X|F(X),F) ≥ k and H_acc(X|F(X),F) = 0; M is ε-close to U_t given R's view; H_acc(M) = 0 given S's view.

Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09] (cheating parties S*, R*)
CRHF {F : {0,1}^n → {0,1}^{n−k}}
Same protocol: COMMIT: R sends F; S sends (F(X), R, M = Ext(X,R)). REVEAL: S sends (M, X); R accepts/rejects.
- Against a cheating receiver R*: H∞(X|F*(X),F*) ≥ k, hence M is ε-close to U_t given R*'s view.
- Against a cheating sender S*: H_acc(X*|F(X*),F) = 0, hence H_acc(M) = 0 given S*'s view.

Conclusions
- Randomness extractors address a basic problem in crypto: exploiting asymmetry of information.
- The language and basic results (about min-entropy, pseudoentropy, etc.) are as important as the actual constructions.
- Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …)

Pointers
- N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58(1):148–173, 1999.
- R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of EATCS, 77:67–95, June 2002.
- S. Vadhan. Randomness extractors & their many guises. FOCS '02 tutorial.
- S. Vadhan. Randomness extractors & crypto applications. TCC '08 tutorial.
- S. Vadhan. Course Notes for CS225: Pseudorandomness. http://eecs.harvard.edu/~salil/cs225