
Cryptographic Applications of Randomness Extractors

Presentation on theme: "Cryptographic Applications of Randomness Extractors"— Presentation transcript:

1 Cryptographic Applications of Randomness Extractors
Salil Vadhan, Harvard University

2 Outline
Definition & Basics
Cryptographic Applications (overview)
Extracting Statistical Entropy in Crypto
Extracting Computational Entropy in Crypto
Caveats: informal, only a small sample

3 Definition & Basics

4 Min-entropy
Def: The min-entropy of $X$ is $H_\infty(X) := \min_x \log(1/\Pr[X=x])$. $X$ is a $k$-source if $H_\infty(X) \ge k$, i.e. $\forall x\ \Pr[X=x] \le 2^{-k}$.
Examples:
Unpredictable source [SV84]: $\forall i \in [n]$, $b_1, \dots, b_{i-1} \in \{0,1\}$,
Bit-fixing [CGH+85,BL85,LLS87,CW89]: some $k$ coordinates of $X$ are uniform, the rest fixed (or even depending arbitrarily on the others).
Flat $k$-source: uniform over $S \subseteq \{0,1\}^n$, $|S| = 2^k$.

5 Extractors [Nisan & Zuckerman '93]
Def: $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a (strong) $(k,\varepsilon)$-extractor if for every $k$-source $X$, $U_d \circ \mathrm{Ext}(X, U_d)$ is $\varepsilon$-close to $U_d \circ U_m$.
(Figure: a $k$-source of length $n$ and a "seed" of $d$ random bits enter EXT, which outputs $m$ almost-uniform bits. $\varepsilon$-close means $\max_T |\Pr[X \in T] - \Pr[Y \in T]| \le \varepsilon$.)
Goals: minimize seed length, maximize output length.

6 Extractors as Hash Functions
(Figure: a flat $k$-source, i.e. a set of size $2^k \gg 2^m$ inside $\{0,1\}^n$, is hashed by $h_y$ into $\{0,1\}^m$.)
For most $y$, $h_y$ maps sets of size $2^k$ almost uniformly onto the range.

7 The Optimal Extractor
Thm [Sip88,RT97]: For every $k \le n$, there exists a $(k,\varepsilon)$-extractor with
seed length $d = \log(n-k) + 2\log(1/\varepsilon) + O(1)$
output length $m = k - 2\log(1/\varepsilon) - O(1)$
"extract almost all the min-entropy with a logarithmic seed"
$\Rightarrow$ in some applications, the need for a truly random seed can be eliminated by trying all $2^d = \mathrm{poly}(n/\varepsilon)$ possibilities (e.g. simulating randomized algorithms with a $k$-source).
A long line of work tries to match the above nonconstructive bounds with explicit constructions.

8 Extractors from Hash Functions
Leftover Hash Lemma [BBR85,ILL89]: universal hash functions yield strong extractors.
output length: $m = k - 2\log(1/\varepsilon) - O(1)$
seed length: $d = n$
example: $\mathrm{Ext}(x,a)$ = first $m$ bits of $a \cdot x$ in $GF(2^n)$
Almost-universal hash functions [SZ94,GW94]: seed length $d = O(\log n + m)$
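The example from this slide, worked out in code (added here; not part of the original presentation): $\mathrm{Ext}(x,a)$ = top $m$ bits of $a \cdot x$ in $GF(2^n)$, with an exhaustive check that the family is universal and an exact computation of the distance of $(A, \mathrm{Ext}(X,A))$ from uniform on a constructed flat $k$-source. The toy field $GF(2^8)$ with the AES reduction polynomial is an assumption made for the sake of exhaustive checking.

```python
# Added example (not from the slides): the Leftover-Hash-Lemma extractor
# Ext(x, a) = first m bits of a*x in GF(2^n), with an exhaustive universality
# check and the distance from uniform on a constructed flat k-source.
# Toy size n = 8, reducing by the AES polynomial x^8+x^4+x^3+x+1 (0x11B).
N, IRRED = 8, 0x11B

def gf_mul(a, b, n=N, irred=IRRED):
    """Multiply a, b in GF(2^n): carry-less product, then reduce mod irred."""
    r = 0
    for i in range(n):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * n - 2, n - 1, -1):   # clear degrees 2n-2 down to n
        if (r >> i) & 1:
            r ^= irred << (i - n)
    return r

def ext(x, a, m, n=N):
    """Ext(x, a): the top m bits of a*x in GF(2^n); a is the n-bit seed."""
    return gf_mul(a, x, n) >> (n - m)

def max_collision_prob(m, n=N):
    """max over x != x' of Pr_a[Ext(x,a) == Ext(x',a)].  Ext is GF(2)-linear
    in x, so (x, x') collide iff Ext(x ^ x', a) == 0: scan each nonzero d."""
    worst = 0.0
    for d in range(1, 1 << n):
        zeros = sum(1 for a in range(1 << n) if ext(d, a, m, n) == 0)
        worst = max(worst, zeros / (1 << n))
    return worst                              # universal  <=>  at most 2^-m

def extractor_distance(source, m, n=N):
    """Statistical distance of (A, Ext(X,A)) from (A, U_m), A a uniform n-bit
    seed and X uniform on `source` (a flat k-source of 2^k strings)."""
    counts = {}
    for a in range(1 << n):
        for x in source:
            key = (a, ext(x, a, m, n))
            counts[key] = counts.get(key, 0) + 1
    total, uniform = (1 << n) * len(source), 1.0 / ((1 << n) << m)
    sd = sum(abs(counts.get((a, y), 0) / total - uniform)
             for a in range(1 << n) for y in range(1 << m))
    return sd / 2

def lhl_bound(k, m):
    """Leftover Hash Lemma: the distance above is at most (1/2)*sqrt(2^(m-k))."""
    return 0.5 * 2 ** ((m - k) / 2)

# Constructed flat 6-source: the 64 bytes whose top two bits are zero.
FLAT_SOURCE = list(range(64))
```

With $k=6$ and $m=2$ the lemma promises distance at most $\tfrac12\sqrt{2^{m-k}} = 0.125$, and `max_collision_prob(2)` returns exactly $2^{-m} = 0.25$, confirming universality.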

9 Cryptographic Applications

10 Crypto with Weak Random Sources?
Enumerating seeds doesn't work: e.g. one gets several encryptions of a message, most of which are "secure".
Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an $(n-1)$-source: encryption, commitment, secret sharing, zero knowledge, …
Alternative: seek "seedless" extractors for restricted classes of sources: bit-fixing sources, several independent weak sources, efficiently samplable sources, low-degree sources, … [many]
Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

11 Seeded Extractors in Crypto
Common setting: information gaps.
To parties A, B, …, the string $X$ has little or no "entropy".
To parties E, F, …, the string $X$ has a lot of "entropy".
After extraction:
To parties A, B, …, the r.v. $\mathrm{Ext}(X)$ still has little or no "entropy".
To parties E, F, …, the r.v. $\mathrm{Ext}(X)$ is indistinguishable from uniform.
Challenges: Where to get the seed? Working with computational entropy. Efficiency constraints. Noise.

12 Crypto with Statistical (Min-)Entropy

13 Privacy Amplification [BBR85]
Common setting: information gaps.
A, B share/access a random string $X \in \{0,1\}^n$.
E has imperfect info about $X$ $\Rightarrow$ $X|\mathrm{view}(\mathrm{Eve})$ is a $k$-source.
After extraction: A, B share $\mathrm{Ext}(X,R)$.
$\mathrm{Ext}(X,R)|\mathrm{view}'(\mathrm{Eve})$ is $\varepsilon$-close to $U_m$ $\Rightarrow$ A, B can use $\mathrm{Ext}(X,R)$ as a key.

14 Partial Info & Min-Entropy
An adversary learning $s$ bits of info about $X$ reduces its min-entropy by roughly $s$.
Cf. Shannon entropy: $H(X|Z) \ge H(X) - H(Z) \ge H(X) - s$.
Lemma: Let $(X,Z)$ be (correlated) random variables, $X$ a $k$-source and $|Z| = s$. With probability $\ge 1-\varepsilon$ over $z \leftarrow Z$, $X|Z{=}z$ is a $(k - s - \log(1/\varepsilon))$-source.
[DRS03]: $\tilde{H}_\infty(X|Z) \ge H_\infty(X) - H_0(Z) \ge H_\infty(X) - s$, where $\tilde{H}_\infty(X|Z) = \log\big(1 / \mathbb{E}_{z \leftarrow Z}[\max_x \Pr[X=x \mid Z=z]]\big)$.
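The two statements on this slide, evaluated exactly on a small constructed joint distribution (added example, not from the presentation): the average conditional min-entropy of [DRS03] against the bound $H_\infty(X) - H_0(Z)$, and the mass of "bad" $z$ in the lemma. The distribution of $(X,Z)$ and the choice of $k$, $s$, $\varepsilon$ are constructed for illustration.

```python
# Added example (not from the slides): min-entropy, average conditional
# min-entropy (the [DRS03] quantity) and the "with probability 1-eps over z"
# lemma, evaluated exactly on a constructed joint distribution of (X, Z).
import math
from collections import defaultdict

def min_entropy(px):
    """H_inf(X) = min_x log2(1 / Pr[X=x]) for a dict x -> probability."""
    return -math.log2(max(px.values()))

def avg_cond_min_entropy(pxz):
    """H~_inf(X|Z) = log2(1 / E_z[max_x Pr[X=x|Z=z]]) for a dict (x,z) -> prob.
    Pr[Z=z] * max_x Pr[X=x|Z=z] = max_x Pr[X=x, Z=z], so no division is needed."""
    best = defaultdict(float)
    for (x, z), p in pxz.items():
        best[z] = max(best[z], p)
    return -math.log2(sum(best.values()))

def h0(pz):
    """H_0(Z) = log2 |support(Z)|; equals s at most when Z is an s-bit string."""
    return math.log2(sum(1 for p in pz.values() if p > 0))

def bad_z_mass(pxz, k, s, eps):
    """Probability over z <- Z that X|Z=z is NOT a (k - s - log2(1/eps))-source.
    The lemma on the slide says this is at most eps."""
    pz, best = defaultdict(float), defaultdict(float)
    for (x, z), p in pxz.items():
        pz[z] += p
        best[z] = max(best[z], p)
    thresh = 2.0 ** -(k - s - math.log2(1 / eps))
    return sum(pz[z] for z in pz if best[z] / pz[z] > thresh)

# Constructed (X, Z): X is a 4-bit string with Pr[X=x] proportional to
# 1 + popcount(x); Z is the 1-bit leakage [X == 0b1111], so s = 1.
PX = {x: (1 + bin(x).count("1")) / 48 for x in range(16)}
PXZ = {(x, int(x == 15)): p for x, p in PX.items()}
PZ = defaultdict(float)
for (x, z), p in PXZ.items():
    PZ[z] += p
```

Here $H_\infty(X) = \log_2(48/5) \approx 3.26$, $H_0(Z) = 1$, and $\tilde{H}_\infty(X|Z) = \log_2(16/3) \approx 2.42$, comfortably above the bound $\approx 2.26$; with $k=3$, $s=1$, $\varepsilon = 1/2$ the only bad $z$ is $z=1$, of mass $5/48 \le \varepsilon$.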

15 Examples of Partial Info
Partial Key Exposure [CDHKS00]: the adversary reads $s$ actual bits of the private key $X$.
$X|\mathrm{view}$ is actually a "bit-fixing source" [CFGHRS85].
Honest parties use $\mathrm{Ext}(X)$ (no seed necessary!).
Bounded-storage model [M90,ADR99,L02,V03]: the adversary reads an $s$-bit function of a high-rate bitstream $X$.
Honest parties compute $\mathrm{Ext}(X;R)$, where $R$ = private key.
Need an $\mathrm{Ext}$ that reads only a few bits of $X$.

16 Examples of Partial Info (cont.)
Biometrics [DRS03]: need to derive a key from an unreliable fingerprint $X$.
Store the seed $R$ and short error-correcting info $C$ on the server ("information reconciliation" [BBR85]).
$X|C$ is a $k$-source $\Rightarrow$ $\mathrm{Ext}(X;R)|C,R \approx_s U_m$ (statistically close).
$C = X \bmod (\text{high-rate error-correcting code})$

17 Crypto with Computational (Min-)Entropy

18 Computational Entropy
Def [HLR07]: $X$ has unpredictability-entropy at least $k$ if it can be predicted in poly-time with probability at most $2^{-k}$.
If $f$ is a one-way function, then $X|f(X)$ has unpredictability-entropy $\omega(\log n)$.
Can extract pseudorandom bits using an extractor with "efficient local list-decoding" [GL89,TZ01].
Def [HILL90]: $X$ has pseudoentropy at least $k$ if $X \approx_c Y$ for some $k$-source $Y$.
Any poly-time extractor works!

19 Extracting Computational Entropy
PRGs from (1-1) OWF [HILL90]:
$X|f(X)$ has unpredictability-entropy but no real entropy.
$Y = (f(X), \mathrm{Ext}_1(X))$ has pseudoentropy $>$ real entropy $= |X|$.
$\mathrm{Ext}_1$ = extractor with "local list-decoding" (e.g. GL).
$\mathrm{Ext}_2[Y_1, \dots, Y_t]$ is pseudorandom; $\mathrm{Ext}_2$ = any efficient extractor.
Seeds for $\mathrm{Ext}_1$, $\mathrm{Ext}_2$: from the PRG seed.
Hardcore Lemma [I95,STV01,H05]: unpredictability-entropy $\Rightarrow$ pseudoentropy for 1-bit r.v.'s.

20 Extracting Computational Entropy
Bounded-Retrieval Model [D06,DP08]: leakage over time may exceed $|X|$.
Idea: regain the loss by $X' = \mathrm{PRG}(\mathrm{Ext}(X))$.
Problem: $X$ is only pseudorandom.
If $X$ is pseudorandom and the adversary knows $s$ bits about $X$, then $X|\mathrm{view}$ has "metric pseudoentropy" $\ge n-s$ [BSW03].
If $s = O(\log n)$, then metric pseudoentropy $n-s$ $\Rightarrow$ pseudoentropy $n-s$ [RTV08,I08].

21 Extracting Computational Entropy
Leakage-Resilient Public-Key Encryption [AGV09]: the adversary learns $s$ bits about $X = SK$, plus $PK = f(SK)$.
Problem: the encryptor doesn't know $SK$, so it can't extract.
Leakage independent of $PK$: take a longer $SK$, set $PK = (f(\mathrm{Ext}(SK;R)), R)$.
Leakage can depend on $PK$: show that encryption itself can be viewed as extracting from $SK$.

22 Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09]
CRHF $\{F : \{0,1\}^n \to \{0,1\}^{n-k}\}$: $H_\infty(X|F(X),F) \ge k$, yet $H_{acc}(X|F(X),F) = 0$.
(Figure: protocol between sender S and receiver R.)
COMMIT: R sends $F$. S picks $X \leftarrow \{0,1\}^n$, lets $M = \mathrm{Ext}(X,R) \in \{0,1\}^t$, and sends $F(X)$ and the seed $R$.
REVEAL: S sends $(M, X)$; R accepts or rejects.
$M$ is $\varepsilon$-close to $U_t$ given R's view; $H_{acc}(M) = 0$ given S's view.

23 Statistically Hiding Commitments from CRHF [NY89,DPP93,HRVW09]
CRHF $\{F : \{0,1\}^n \to \{0,1\}^{n-k}\}$: $H_\infty(X|F^*(X),F^*) \ge k$ (even for a cheating receiver's $F^*$), and $H_{acc}(X^*|F(X^*),F) = 0$ (even for a cheating sender's $X^*$).
(Figure: the same protocol with cheating parties starred.)
COMMIT: $F$; then $F(X), R$, with $M = \mathrm{Ext}(X,R)$.
REVEAL: $(M, X)$; accept or reject.
$M$ is $\varepsilon$-close to $U_t$ given $R^*$'s view; $H_{acc}(M) = 0$ given $S^*$'s view.

24 Conclusions
Randomness extractors address a basic problem in crypto: exploiting asymmetry of information.
The language and basic results (about min-entropy, pseudoentropy, etc.) are as important as the actual constructions.
Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …).

25 Pointers
N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58(1), 1999.
R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of EATCS, 77:67-95, June 2002.
S. Vadhan. Randomness extractors & their many guises. FOCS '02 tutorial.
S. Vadhan. Randomness extractors & crypto applications. TCC '08 tutorial.
S. Vadhan. Course Notes for CS225: Pseudorandomness.
