Overcoming Weak Expectations

Transcription

1 Ovecoming Weak Expectations Yevgeniy Dodis Depatment of Compute Science New Yok Univesity (Invited Pape) Yu Yu Institute fo Intedisciplinay Infomation Sciences Tsinghua Univesity, Beijing, , P.R.China Abstact Recently, thee has been enewed inteest in basing cyptogaphic pimitives on weak secets, whee the only infomation about the secet is some non-tivial amount of (min-) entopy. Fom a fomal point of view, such esults equie to uppe bound the expectation of some function f(x), whee X is a weak souce in question. We show an elementay inequality which essentially uppe bounds such weak expectation by two tems, the fist of which is independent of f, while the second only depends on the vaiance of f unde unifom distibution. Quite emakably, as elatively simple coollaies of this elementay inequality, we obtain some unexpected esults, in seveal cases noticeably simplifying/impoving pio techniques fo the same poblem. Examples include non-malleable extactos, leakageesilient symmetic encyption, seed-dependent condenses and impoved entopy loss fo the leftove hash lemma. The full vesion of this (unefeeed) suvey is available hee [1]. I. INTRODUCTION Fomal cyptogaphic models take fo ganted the availability of pefect andomness. Howeve, in eality we may only obtain weak andom souces that ae fa fom unifom but only guaanteed with high unpedictability (fomalized with minentopy), such as biometic data [], [3], physical souces [4], [5], secets with patial leakage, and goup elements fom Diffie-Hellman key exchange [6], [7]. We efe to the fome as ideal model and the latte as eal model. Fom a fomal point of view, the standad (T, ε)-secuity (in the ideal model) of a cyptogaphic application P essentially equies that fo any advesay A with esouce 1 T, the expectation of f(u m ) is uppe bounded by ε, whee function f() denotes A s advantage conditioned on secet key being, and U m denotes unifom distibution ove {0,1} m. In the eal model, keys ae sampled fom some non-unifom distibution R and thus the esulting secuity is the expected value of f(r), which we call weak expectation. We would hope that if P is (T,ε)-secue in the ideal setting, then P is also (T,ε ) in the eal setting by eplacing U m with R of sufficiently high min-entopy, whee T and ε ae not much wose than T and ε espectively. In this pape, we pesent an elementay inequality that uppe bounds the weak expectation of f(r) by two tems: the fist tem only depends on the entopy iciency (i.e. the diffeence between the length of souce R and the amount of 1 We use the wod esouce to include all the efficiency measues we might cae about, such as unning time, cicuit size, numbe of oacle queies, etc. entopy it has), and the second is essentially the vaiance of f unde unifom distibution U m. Quite supisingly, some unexpected esults follow as simple coollaies of this inequality, such as non-malleable extactos [8], [9], [10], [11], leakage-esilient symmetic encyptions [1], seed-dependent condenses [13] and impoved entopy loss fo the leftove hash lemma [14]. We povide a unified poof fo these divesified poblems and in many cases significantly simply and/o impove known techniques fo the same poblems. II. PRELIMINARIES NOTATIONS AND DEFINITIONS. We use s S to denote sampling an element s accoding to distibution S. The minentopy of a andom vaiable X is ined as H (X) = log(max x P[X = x]). We use Col(X) to denote the collision pobability of X, i.e., Col(X) = x P[X = x] H (X), and collision entopy H (X) = log Col(X) H (X). We also ine aveage (aka conditional) collision entopy and aveage min-entopy of a andom vaiable X conditioned on anothe andom vaiable Z by H (X Z) = log ( [ ] ) E z Z x P[X = x Z = z] H (X Z) = log ( E z Z [ max x P[X = x Z = z] ] ) espectively, whee E z Z denotes the expected value ove z Z. We denote with D (X,Y ) the advantage of a cicuit D in distinguishing the andom vaiables X,Y : D (X,Y ) = P[D(X) = 1] P[D(Y ) = 1]. The statistical distance between two andom vaiables X,Y, denoted by SD(X,Y ), is ined by 1 P[X = x] P[Y = x] = max D (X,Y ) D x we wite SD(X,Y Z) as shothand fo SD((X,Z),(Y,Z)). ABSTRACT SECURITY GAMES. We fist ine the geneal type of applications whee ou technique applies. The secuity of an application P can be ined via an inteactive game between a pobabilistic attacke A and a pobabilistic challenge C(), whee A and C jointly compute function f on value (deived fom U m in the ideal setting and fom distibution R in the eal setting). The game can have an abitay stuctue, but at the end C() should output a bit, with output 1 indicating that A won the game and 0 othewise.

2 Fo unpedictability games, f() is the expected value of C() taken ove the intenal coins of A and C so that f() [0;1]; and fo indistinguishability games, f() is the expectation of C() 1/, and hence f() [ 1/;1/]. We will efe to E(f(U m )) as the secuity in the ideal model (against A), and to E(f(R)), with H c (R) m d and c {, }, as the secuity in the (m d)-eal c model. Note that a secuity esult in the eal model is moe desiable than (and implies) that in the eal model. III. OVERCOMING WEAK EXPECTATIONS UNPREDICTABILITY APPLICATIONS. Fo unpedictability applications (with non-negative f), the following inequality implies that the secuity degades at most by a facto of d compaed with the ideal model (which is stated as Coollay 3.1), whee d is the entopy iciency. Lemma 3.1: Fo any (deteministic) eal-valued function f : {0,1} m R + {0} and any andom vaiable R with H (R) m d, we have Poof: E[f(R)] = E[f(R)] d E[f(U m )] (1) P[R = ] f() d 1 m f() Coollay 3.1: If an unpedictability application P is (T,ε)-squae secue in the ideal model, then P is (T, d ε)- secue in the (m d)-eal model. The above only applies to all unpedictability applications such as one-way functions, MACs and digital signatues. INDISTINGUISHABILITY APPLICATIONS. Unfotunately, Coollay 3.1 citically depends on the non-negativity of f, and is geneally false when f can be negative, which happens fo indistinguishability applications. In fact, fo cetain indistinguishability applications, such as one-time pad, pseudoandom- geneatos and functions (PRGs and PRFs), thee exists R with d = 1 such that E[f(U m )] is negligible (o even zeo!) but E[f(R)] = 1/ (see [14] fo moe discussions). Fotunately, below we give anothe inequality fo geneal f, which will be useful fo othe indistinguishability applications. Lemma 3.: Fo any (deteministic) eal-valued function f : {0,1} m R and any andom vaiable R with H (R) m d, we have E[f(R)] d E[f(U m ) ] () Poof: Denote p() = P[R = ], and also ecall the Cauchy-Schwatz inequality a i b i ( a i ) ( b i ). We have E[f(R)] = p() f() m 1 p() m f() = d E[f(U m ) ] Lemma 3. uppe bounds the (squaed) weak expectation by the poduct of d and E[f(U m ) ]. Intuitively, d gives the secuity loss due to the entopy iciency, and E[f(U m )] ines the ideal model secuity of the application in consideation, but notice we only get E[f(U m ) ], fo which we ine the notion of squae secuity. Lemma 3. essentially applies to squae secue applications, which we state as Coollay 3.. Definition 3.1 (Squae Secuity): An application P is (T,σ)-squae secue if fo any T -bounded advesay A we have E[f(U m ) ] σ, whee f() denotes A s advantage conditioned on key being. Coollay 3. (Squae secuity implies eal model secuity): If P is (T,σ)-squae secue, then P is (T, d σ)-secue in the (m d)-eal model. WHAT APPLICATIONS HAVE SQUARE SECURITY? Fist, all (T, ε)-secue unpedictability applications P ae (T, ε)-squae secue, since fo non-negative f we have E[f(U m ) ] E[f(U m )]. Hence, we immediately get d ε-secuity in (m d)-eal model fo such application. Moving to indistinguishability applications, it is known that PRGs, PRFs, one-time pads cannot have good squae secuity (see [14]). To see why, conside a 1-bit one time pad encyption c = m, whee m,,c {0,1} ae the message, the key and the ciphetext, espectively, and is exclusive OR. Conside also the attacke A who guesses that m = c. When the key = 0, A is ight and f(0) = 1 1 = 1. Similaly, when the key = 1, A is wong and f(1) = 0 1 = 1. This gives pefect ε = E[f(U 1 )] = 0, but σ = E[f(U 1 ) ] = 1 4. Fotunately, thee ae still many inteesting indistinguishability objects whose squae secuity is of oughly the same ode as thei egula secuity, such as stateless CPA- and CCAsecue (symmetic-key and public-key) encyption schemes, weak pseudo-andom functions (weak PRFs), and q-wise independent hash functions. We now discuss some examples. A. Application to Encyption Schemes and Weak PRFs We will only show that CPA-secue symmetic-key encyption schemes ae squae secue, and we pove that using the double-un technique fom [14]. Othe schemes (mentioned above) can be poven similaly by adapting the double-un tick to the actual secuity game (see [14] fo the subtleties). Lemma 3.3 ([14]): Assume P is a symmetic-key encyption scheme which is ε-secue, in the ideal model, against all chosen-plaintext attackes with unning time t + O(1) and making q + 1 queies. Then P is ε-squae secue against all chosen-plaintext attackes with unning time t, and making q queies. Hence, (T = (t+o(1),q+1),ε)-secuity implies ((t,q),ε)-secuity. DOUBLE-RUN TRICK. We sketch the poof of the above lemma fo completeness. It suffices to show that fo any This bound is weake than the d ε bound in Coollay 3.1, although it applies wheneve H (R) m d (instead of only when H (R) m d). Still, we will find Lemma 3. useful even fo unpedictability applications when we talk about key deivation functions in Section IV.

3 and any attacke A with unning time t and q queies, thee exists anothe attacke B with unning time oughly t and q + 1 queies such that B s advantage is twice the squaed advantage of A. The stategy of B is that it fist simulates the challenge C (using one quey), uns A against the simulated C, and then uns A against the eal C. If A wins the game in its fist un (against the simulated C), then B etuns A s answe in the second un, o othewise B eveses the answe of A. Thus, P[B wins] = P[A wins twice] + P[A loses twice] = ( 1 ± ε) + ( 1 ε) = 1 + ε The following theoem immediately follows fom Coollay 3. and Lemma 3.3. Theoem 3.1: Assume P is a ((t + O(1), q), ε)-cpa secue symmetic-key encyption scheme in the ideal model. Then P is also ((t,q), d ε)-secue in the (m d)-eal model. Same agument (as Theoem 3.1) woks fo all afoementioned squae secue applications, such as stateless (publickey and symmetic-key) CPA- and CCA- secue encyption schemes, and weak PRFs, simplifying [1]. MULTI-RUN EXTENSION. In the double-un game we use a test-un to estimate the sign of the advantage (whethe it s positive o not), which advises attacke B whethe o not to evese A s answe in the eal un. We can genealize this to a multi-un setting: the attacke B test-uns A fo some odd (i+1) times, and takes a majoity vote befoe the actual un, which gives B moe accuate estimate on the sign of the advantage (using the technique of Bakeski and Goldeich [15]). This applies to all double-un-fiendly applications (like the CPA encyption), but we only state it fo the case of weak PRF fo conceteness, and also because it simplifies [1] a lot. Coollay 3.3 (Weak PRFs on Weak Keys): Fo any ε, d and c O(1/ d ε), if P is a (((1 + c 4 )t,(1 + c 4 )q),ε)- secue weak PRF in the ideal model, then P is also ((t,q),o( 1 c d ε))-secue in the (m d)-eal model. B. Application to Altenative LHL and NM-Extactos We now show that -wise and 4-wise independent hash functions give ise to stong and non-malleable extactos espectively. Fo ou convenience, we use the following inition fo (q, δ)-wise independence (slightly weake than the taditional q-wise independence), whee one point s is andomly chosen and the est q 1 points can be abitaily dependent on s (as long as they ae distinct fom s). Definition 3. ((q,δ)-wise independence): A family H of functions {h : {0,1} n {0,1} l {0,1} m } is (q,δ)-wise independent, if fo U m, s U n, and fo s 1,,s q 1 {0,1} n that ae distinct fom and abitaily coelated to s, we have SD( h (s), U l s,h (s 1 ),,h (s q 1 ) ) δ Notice, we can natually view the above inition as a game between a challenge C and the attacke A, whee (q 1) measues the esouces of A (distinct fom s points whee he leans the tue value of h ), and δ is the advantage of distinguishing h (s) fom andom. Thus, we can natually ine the (q,σ q )-squae secuity of H (with andom key U m ) and then use Coollay 3. to bound the secuity of H in the (m d)-eal model, when using a weak key R with H (R) m d. In fact, we can successfully apply the doubleun tick above to show that if H is (q,δ)-wise independent, then its squae secuity σ q as a q-wise (athe than q-wise) independent hash function is at most σ q δ + q, whee q n accounts fo the pobability that the eal challenge point n (chosen unifomly at andom) collides with the q points of the test-un. Applying now Coollay 3., we get Theoem 3.: If function family H is (q, δ)-wise independent, then H is also (q,ε)-wise independent in the (m d)- eal model, whee ε = (δ + q ) d. n ALTERNATIVE LHL. We will fist conside the consequences fo q = 1, whee the notion of (1,ε)-wise independence in the k = (m d)-eal model becomes a andomness extacto. Definition 3.3 (Extactos): We say that an efficient function Ext : {0,1} m {0,1} n {0,1} l is a stong (k,ε)- extacto, if fo all R (ove {0,1} m ) with H (R) k and fo andom S (unifom ove {0,1} n ), we get SD( Ext(R;S), U l S) ε whee coins S U n is the andom seed of Ext. The value L = k l is called the entopy loss of Ext. Applying Theoem 3. to paiwise independent hash functions (i.e., q =, δ = 0, k = m d), we get: Coollay 3.4 (Altenative LHL): If H = {h : {0,1} n {0,1} l {0,1} m } is paiwise independent, then Ext(;s) = h (s) is a stong (k, m k n ) extacto. To compae this esult with the standad LHL [16], the optimal key length m fo a family of paiwise independent hash functions fom n to l bits is known to be m = n + l (e.g., using Toeplitz matices o augmented inne poduct discussed below). Plugging this to ou bound in ε above, we get the same bound ε = l k = L/ as the leftove hash lemma, whee in both cases l is output size and k is the entopy of the souce. Inteestingly, standad leftove hashing [16] uses univesal H (see Definition 4.3 below), which is weake, but sets Ext(;s) = h s (), swapping the oles of souce and seed. 3 NON-MALLEABLE EXTRACTORS. Next, we conside the case of q =, whee the notion of (,ε)-wise independence in the k = (m d)-eal model becomes a non-malleable extacto. Definition 3.4 (Non-Malleable Extactos): We say that an efficient function nmext : {0,1} m {0,1} n {0,1} l is a (k,ε)-non-malleable extacto, if fo all R (ove {0,1} m ) with 3 Cuiously, when l divides n, the following augmented inne poduct function h (s) is simultaneously an optimal paiwise independent hash function when keyed by, and an optimal univesal function when keyed by s: h (s) = 1 s p s p+ p+1, whee p = n/l, = ( 1,..., p+1 ), s = (s 1,..., s p), and i and s j ae intepeted as elements of GF[ l ].

4 H (R) k, fo andom S (unifom ove {0,1} n ), and fo all functions g : {0,1} n {0,1} n, s.t. g(s) s fo all s, we get SD( nmext(r;s), U l S,nmExt(R;g(S)) ) ε Applying Theoem 3. to 4-wise independent hash functions (i.e., q = 4, δ = 0, k = m d), we get: Coollay 3.5 (Non-Malleable Extactos): If H = {h : {0,1} n {0,1} l {0,1} m } is 4-wise independent, then nmext(;s) = h (s) is a (k, m k n+1 )-non-malleable extacto. Fo a simple instantiation, let H be the following (optimal) 4-wise independent hash function with known paametes n = m/ and l = m/4 (using BCH codes; see [11]). The key {0,1} m is viewed as a tuple of 4 elements ( 1,, 3, 4 ) in GF[ m/4 ] = GF[ l ], and a seed s {0,1} n \0 n is viewed as a non-zeo point in GF[ n ]. Then, the m-bit value of (s s 3 ) is viewed as 4 elements (s 1,s,s 3,s 4 ) in GF[ l ], and the l-bit output of the function is set to h (s) = 1 s s 4. Using Coollay 3.5, this simple function is a (k, m/ k+1 )- non-malleable extacto, which impoves the constuction of [9] and matches the ecent esults of [11] with a much simplified poof. IV. KEY DERIVATION FUNCTIONS So fa we use weak souces diectly on ε-squae secue objects (and we still get extactos), which equies entopy iciency d < log (1/ε). Fo low entopy souces whee d log (1/ε), we need to apply a key deivation function (KDF) that pepocess the souce to get some bette andomness (by discading some bad bits), whee the setting is mainly chaacteized by the entopy of the souce k and the output size of the KDF m. Definition 4.1: (k,m)-eal c model (fo c {, }) efes to the key deivation setting whee a given KDF h with ange {0,1} m is applied to any souce X with H c (X) k to get a secet key R = h(x) (fo some application in question). Next we popose andomness condenses as genealization of extactos, and justify the use of condenses as key deivation functions. Intuitively, a condense is a pobabilistic function that educes entopy iciency. Definition 4. (Condenses): Let c {, }. We say that an efficient function Cond : {0,1} n {0,1} v {0,1} m is a ( k n m d m ) c-condense if fo H c (X) k and unifomly andom S we have H c ( Cond(X;S) S ) m d. Both H - and H - condenses ae useful in cyptogaphy. The fome connects well with Lemma 3.1, and the latte is moe in line with Lemma 3.. In the sequel, though, we will only use H (and let c = heeafte) since it seems to give stonge final bounds (even fo unpedictability applications), and applies to moe cases (e.g. indistinguishability applications). See [13] fo moe discussion. A. Impoved Leftove Hash Lemma We know by the standad leftove hash lemma [16] that univesal hash functions ae efficient extactos and thus ae good KDFs, but the entopy loss L (entopy of the souce minus the length of extacted andomness) must be positive. Below we ecall the notion of univesal hashing [17], and state thei condensing popeties. We show if they ae used as KDFs fo all squae-fiendly applications, 4 we impove L (educing it by half) and make it meaningful even fo L 0, whee entopy iciency d L. Definition 4.3 (Univesal Hashing): A family of functions G = {g s : {0,1} n {0,1} m s {0,1} v } is univesal, if fo any distinct x 1,x {0,1} n we have P [g s (x 1 ) = g s (x )] = m s U v Lemma 4.1: Univesal hash function family G = {g s : {0,1} n {0,1} m s {0,1} v } ines a ( k n m d m ) -condense Cond(x;s) d = 1 + m k. Poof: P[g S (X 1 ) = g S (X )] = g s (x), whee P[X 1 = X ] + P[ g S (X 1 ) = g S (X ) X 1 X ] k + m = m ( m k + 1) = d m We use a slightly diffeently vesion of Lemma 3. (whose poof is vey simila as well) fo the impoved entopy loss esults. Lemma 4. ([14]): Fo any (deteministic) eal-valued function f : {0,1} m R and any andom vaiable R with H (R) m d, we have E[f(R)] E[f(U m )] d 1 E[f(U m ) ] (3) Coollay 4.1 (Using Univesal Hashing as KDF): If P is (T,ε)-secue and (T,σ)-squae secue, then using R = g s (X) makes P (T,ε )-secue in the (k,m)-eal model, whee R {0,1} m, H (X) k, and ε ε + σ m k. REDUCED ENTROPY LOSS FOR LEFTOVER HASH LEMMA. Recall that we can have σ ε fo many squae-secue applications. Let L = k m denote entopy loss. To achieve ε ε we need to set L = log (1/ε), while the standad leftove hash lemma achieved a weake bound ε ε+ m k, and equied L = log (1/ε). Moeove, ou entopy loss is meaningful even fo negative L, in which case entopy iciency of R = g s (X) is d L and ε ε L ε d. B. Seed-Dependent Key Deivation We now genealize the notion of a condense to the seeddependent setting, whee the advesaial sample A can depend on the seed S but is computationally bounded. This challenging setting was consideed by [18] in the context of seeddependent extactos, whee the authos made a pessimistic conclusion that the complexity of the seed-dependent extacto 4 As obseved by [14], we can also compose univesal hashing with (squaefiendly) weak PRFs to also handle all computational (even non-squaefiendly ) applications, such as PRFs and PRGs.

5 must be lage than that of the sample A, making this notion not vey useful fo key deivation in pactical applications. In contast, we show that (stong enough) collision-esistant hash functions (CRHFs) must be seed-dependent condenses, and thus can be used as KDFs fo all squae secue applications, despite having much smalle complexity than the complexity of the sample A. This patially explains the use of CRHFs as KDFs in pactical applications. Definition 4.4 (Seed-Dependent Condenses): An efficient function Cond : {0,1} n {0,1} v {0,1} m is a ( k n m d m,t) -seed-dependent condense if fo all pobabilistic advesaies A of size t who take a andom seed s U v and output (using moe coins) a sample X A(s) of entopy H (X S) k, we have H ( Cond(X;S) S ) m d. Definition 4.5 (CRHF): A family of hash functions G = {g s : {0,1} n {0,1} m s {0,1} v } is (t,δ) -collisionesistant if fo any (non-unifom) attacke B of size t, we have P[g s (x 1 ) = g s (x ) x 1 x ] δ whee s U v and (x 1,x ) B(s). Lemma 4.3 (CRHFs ae seed-dependent condenses): A family of (t, D(t) )-collision-esistant hash functions m G = {g s : {0,1} n {0,1} m s {0,1} v } ines a seed-dependent ( k n m d m,t) -condense Cond(x;s) = g s (x), whee d = m k + D(t). Poof: P[g S (X 1 ) = g S (X )] P[X 1 = X ] + P[ g S (X 1 ) = g S (X ) X 1 X ] k + D(t) m = m ( m k + D(t)) = d m In the above, entopy iciency d is essentially the logaithm of D(t), which is a function on the sample s complexity t. We note D(t) = Ω(t ) due to bithday attacks, and this bound can be achieved in the andom oacle model. In geneal, it is easonable to assume D(t) = poly(t) fo stong enough CRHFs. Then, using the inition of condenses and Coollay 3., we get the following supising esult, which patially explains the pevalent use of CRHFs (which do not appea to have any extaction popeties based on thei inition) fo key deivation: Coollay 4. (Using CRHFs as KDFs): If P is (T, σ)- squae secue, {g s } is a family of (t, poly(t) )-CRHFs, and X m is a souce poduced by a sample A(s) of complexity at most t and having H (X S) k m O(log t), then using R = g s (X) makes P (T,ε )-secue, whee ε O( σ poly(t)). Fom an asymptotic point of view, fo squae-fiendly applications (e.g. CPA-secue encyptions, weak PRFs, unpedictability pimitives) with negligible ideal ε (and hence negligible σ ε), and all souce samples unning in polynomial time t (all in the secuity paamete ), we get negligible secuity ε =O( σ poly(t)) in the eal model. ACKNOWLEDGMENT We would like to thank ou co-authos in [14], [13] fo useful comments and suggestions. Yevgeniy Dodis was suppoted by NSF Gants CNS , CNS , CNS , CNS and Google Faculty Awad. Yu Yu was suppoted by the National Basic Reseach Pogam of China Gant 011CBA00300, 011CBA00301, the National Natual Science Foundation of China Gant , , , , , , and REFERENCES [1] Y. Dodis and Y. Yu, Ovecoming weak expectactions, 01, full vesion of this (unefeeed) suvey. Available at dodis/ps/weak-expe.pdf. [] Y. Dodis, R. Ostovsky, L. Reyzin, and A. Smith, Fuzzy extactos: How to geneate stong keys fom biometics and othe noisy data, SIAM Jounal on Computing, vol. 38, no. 1, pp , 008. [3] X. Boyen, Y. Dodis, J. Katz, R. Ostovsky, and A. Smith, Secue emote authentication using biometic data, in Advances in Cyptology EUROCRYPT 005, se. LNCS, R. Came, Ed., vol Spinge- Velag, 005, pp [4] B. Baak, R. Shaltiel, and E. Tome, Tue andom numbe geneatos secue in a changing envionment, in Poceedings of the 5th Cyptogaphic Hadwae and Embedded Systems, 003, pp [5] B. Baak and S. Halevi, A model and achitectue fo pseudo-andom geneation with applications to /dev/andom, in Poceedings of the 1th ACM Confeence on Compute and Communication Secuity, 005, pp [6] R. Gennao, H. Kawczyk, and T. Rabin, Secue hashed diffie-hellman ove non-ddh goups, in Advances in Cyptology EUROCRYPT 004, se. LNCS, C. Cachin and J. Camenisch, Eds., vol Spinge- Velag, 004, pp [7] H. Kawczyk, Cyptogaphic Extaction and Key Deivation: The HKDF Scheme, in Advances in Cyptology - CRYPTO 010, se. LNCS, T. Rabin, Ed., vol. 63. Spinge-Velag, 010, pp [8] Y. Dodis and D. Wichs, Non-malleable extactos and symmetic key cyptogaphy fom weak secets, in Poceedings of the 41st Annual ACM Symposium on Theoy of Computing, M. Mitzenmache, Ed. Bethesda, MD, USA: ACM, 009, pp [9] Y. Dodis, X. Li, T. D. Wooley, and D. Zuckeman, Pivacy amplification and non-malleable extactos via chaacte sums, in Poceedings of the 5nd IEEE Symposium on Foundation of Compute Science, 011, pp [10] G. Cohen, R. Raz, and G. Segev, Non-malleable extactos with shot seeds and applications to pivacy amplification, in Poceedings of the 7th Computational Complexity, 01, pp [11] X. Li, Non-malleable extactos, two-souce extactos and pivacy amplification, in Poceedings of the 53d IEEE Symposium on Foundation of Compute Science, 01, pp. xxx xxx. [1] K. Pietzak, A leakage-esilient mode of opeation, in Advances in Cyptology - EUROCRYPT 009, se. LNCS, A. Joux, Ed., vol Spinge-Velag, 009, pp [13] Y. Dodis, T. Ristenpat, and S. P. Vadhan, Randomness condenses fo efficiently samplable, seed-dependent souces, in 9th Theoy of Cyptogaphy Confeence, 01, pp [14] B. Baak, Y. Dodis, H. Kawczyk, O. Peeia, K. Pietzak, F.-X. Standaet, and Y. Yu, Leftove hash lemma, evisited, in CRYPTO, se. LNCS, P. Rogaway, Ed. Spinge, 011, pp [15] Z. Bakeski and O. Goldeich, Fom absolute distinguishability to positive distinguishability, Electonic Colloquium on Computational Complexity (ECCC), vol. 16, p. 31, 009. [16] J. Håstad, R. Impagliazzo, L. Levin, and M. Luby, Constuction of pseudoandom geneato fom any one-way function, SIAM Jounal on Computing, vol. 8, no. 4, pp , [17] J. Cate and M. Wegman, Univesal classes of hash functions, Jounal of Compute and System Sciences, vol. 18, pp , [18] L. Tevisan and S. Vadhan, Extacting andomness fom samplable distibutions, in 41st Annual Symposium on Foundations of Compute Science. Redondo Beach, Califonia: IEEE, Nov. 000, pp. 3 4.