Minentropy and its Variations for Cryptography

Transcription

1 1 Minentropy and its Variations for Cryptography Leonid Reyzin May 23, th International Conference on Information Theoretic Security

2 2 guessability and entropy Many ays to measure entropy If I ant to guess your passord, hich entropy do I care about? This talk: minentropy = log (Pr [adversary predicts sample]) predictability W H (W)= log max Pr[]

3 3 hat is minentropy good for? Passords Message authentication n/2 n/2 key = a b m + GF(2 n/2 ) GF(2 n/2 ) MAC a,b (m) = σ = am + b [Wegman-Carter 81]

4 4 hat is minentropy good for? Passords Message authentication n/2 n/2 key = a b gap g minentropy k MAC a,b (m) = σ = am + b Let a,b = n, H (a,b) = k Let entropy gap n k = g Security: k n/2=n/2 g [Maurer-Wolf 03]

5 5 hat is minentropy good for? Passords Message authentication MAC a,b (m) = σ = am + b Secret key extraction ( encryption, etc.) reusable seed i minentropy k Ext jointly uniform (ε-close) [Bennett-Brassard-Robert 85, Impagliazzo-Levin-Luby 89, Nisan-Zuckerman 93] R

6 6 is it good for privacy amplification? Alice partially secret i Bob i Ext R i Ext R Eve knos something about Goal: from a partial secret agree on a uniform secret R [Bennett-Brassard-Robert 85] Simple solution: use an extractor But ait! What is the right value for H ()? Depends on Eve s knoledge Y So ho do e kno hat Ext to apply?

7 defining conditional entropy H (W Y) E.g., W is uniform, Y = Hamming Weight(W) Pr[Y = n/2] > 1/(2 n) Pr[Y = n]= 2 n But hat about H (W Y)? H (W Y = n/2) n ½log n 1 H (W Y = 0) = 0 predictability Recall: minentropy = log (predictability) H (W)= log max Pr[] What s the probability of predicting W given Y? H (W Y)= log E max Pr[ Y=y] y average minentropy but not average of minentropy: if min-entropy is 0 half the time, and 1000 half the time, you get log ( )/2 log 1/2 = 1. W [Dodis-Ostrovsky -R-Smith 04] 7

8 8 hat is H (W Y) good for? Passords Prob. of guessing by adversary ho knos Y: 2 H (W Y) Message authentication If key is W and adversary knos Y: security H (W Y) n/2 Secret key extraction ( encryption, etc.) All extractors ork [Vadhan 11] H (W Y)=k seed i Ext R jointly uniform given Y

9 hat is H (W Y) good for? Passords Prob. of guessing by adversary ho knos Y: 2 H (W Y) Message authentication If key is W and adversary knos Y: security H (W Y) n/2 Secret key extraction ( encryption, etc.) All extractors ork [Vadhan 11] Therefore, privacy amplification! partially secret Alice i Bob i Ext R i Ext R Eve knos something about 9

10 hat about information reconciliation? 10 i Alice S Ext Bob s R error-correcting info s,i Eve s Rec i Ext R Ho long an R can you extract? Depends on H (W Y, S)! Lemma: H (W Y, S) H (W, S Y) bit-length (S)

11 ho to build S? 11 Code C: {0,1} m {0,1} n encodes m-bit messages into n-bit codeords any to codeords differ in at least d locations feer than d/2 errors unique correct decoding C

12 12 ho to build S? Idea: hat if is a codeord in an ECC? Decoding finds from If not a codeord, simply shift the ECC S() is the shift to random codeord [Juels-Watenberg 02]: s = ECC(r) Recover: dec( s) s s s=s() +s dec

13 hat about information reconciliation? i Alice Ext Bob R s = ECC(r), i Eve s Rec i Lemma: H (W Y, S) H (W, S Y) bit-length (S) = H (W Y) + r H (W Y, S) H (W Y) + m n = = Entropy loss for a code from m bits to n bits: n m m n Ext R 13

14 active adversary Alice Bob E v R e or R or Starting in Maurer and Maurer-Wolf 1997 Interesting even if = Basic problem: authenticate extractor seed i Problem: if H (W Y)<n/2, can t be used as a MAC key Idea [Renner-Wolf 2003]: use interaction, one bit in to rounds 14

15 authenticating a bit b [Renner-Wolf 03] x Alice Ext t challenge x response t = Ext x () iff b=1; else just send 0 Note: Eve can make Bob s vie Alice s vie x x E x Ext t t ve t Bob Accept 1 if Ext x () is correct x Ext t Claim: Eve can t change 0 to 1! (To prevent change of 1 to 0, make #0s = #1s) Lemma [Kanukurthi-R. 09] H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1 As long as H (W Y) is high enough for Ext to ensure quality ε; but e can measure it: each bit authenticated reduces it by t 15

16 improving entropy loss 16 Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Problem: For λ security, t λ, so each round loses λ entropy Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R 10]: -- Make t = constant. -- No Eve can change/insert/delete at most constant fraction of bits -- Encode hatever you are sending in an edit distance code [Schulman-Zuckerman99] of const. rate, correcting constant fraction

17 improving entropy loss Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Problem: For λ security, t λ, so each round loses λ entropy Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R 10]: -- Make t = constant. -- No Eve can change/insert/delete at most constant fraction of bits Ho to prove? Can e use H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1? It talks about unpredictability of a single value; but doesn t say anything about independence of to 17

18 improving entropy loss Alice Bob challenge x x Ext t response t = Ext x () Accept 1 if Ext x () iff b=1; else just send 0 is correct Can e use H (Ext(W;X) X,Y) min ( t, log 1 ε ) 1? It talks about unpredictability of a single value; avg entropy still useful but doesn t say anything about independence of to Step 1: H (W all variables Eve sees) is sufficient Step 2: H (W a specific transcript) is sufficient ith high prob Step 3: H (W at every Ext step) is sufficient ith high prob Lemma: If H (W) is sufficient, then H (Ext(W; x) x) t 1 ith high prob. just minentropy 18

19 19 If (conditional) min-entropy is so useful in information-theoretic crypto, hat about computational analogues?

20 20 computational entropy (HILL) Min-Entropy H (W)= log max Pr[] W predictability W HILL [Håstad,Impagliazzo,Levin,Luby]: H δ,s (W) k if Z such that H (Z) = k and W Z To more parameters relating to hat means -- maximum size s of distinguishing circuit D -- maximum advantage δ ith hich D ill distinguish

21 hat is HILL entropy good for? HILL H δ,s (W) k if Z such that H (Z) = k and W Z seed i HILL entropy k Ext R looks (ε+δ)-close to uniform to circuits of size s Many uses: indistinguishability is a poerful notion. In the proofs, substitute Z for W; a bounded adversary on t notice 21

22 22 hat about conditional? Very common: entropic secret: g ab observer knos g a, g b entropic secret: SK observer knos leakage entropic secret: Sign SK (m) observer knos PK entropic secret: PRG(x) observer knos Enc(x)

23 23 conditioning HILL entropy on a fixed event Recall: ho does conditioning reduce minentropy? By the probability of the condition! H (W Y = y) H (W) log 1/Pr[y] E.g., W is uniform, Y = Hamming Weight(W) Pr[Y = n/2] > 1/(2 n) H (W Y = n/2) n ½log n 1

24 conditioning HILL entropy on a fixed event Recall: ho does conditioning reduce minentropy? By the probability of the condition! H (W Y = y) H (W) log 1/Pr[y] Theorem: same holds for computational entropy: metric* H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y] [Fuller-R 11] (variant of Dense Model Theorem of [Green-Tao 04, Tao-Ziegler 06, Reingold-Trevisan-Tulsiani-Vadhan 08, Dziemboski-Pietrzak 08] Warning: this is not H HILL! Weaker entropy notion: a different Z for each distinguisher ( metric* ) metric* H δ,s (W) k if distinguisher D Z s.t. H (Z) = k and W DZ (moreover, D is limited to deterministic distinguishers) It can be converted to H HILL ith a loss in circuit size s [Barak, Shaltiel, Wigderson 03] 24

25 conditioning HILL entropy on a fixed event It can be converted to H HILL ith a loss in circuit size s [Barak, Shaltiel, Wigderson 03] 25 Long story, but simple message: metric* H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y]

26 Hasn t found many uses because it s hard to measure (but it can be extracted from by reconstructive extractors!) 26 hat about conditioning on average? entropic secret: g ab observer knos g a, g b entropic secret: SK observer knos leakage entropic secret: Sign SK (m) observer knos PK entropic secret: PRG(x) observer knos Enc(x) Again, e may not ant to reason about specific values of Y [Hsiao-Lu-R 04]: HILL Def: H δ,s (W Y) k if Z such that H (Z Y) = k and (W, Y) (Z, Y) Note: W changes, Y doesn t What is it good for? Original purpose: negative result Computational Compression (Yao) Entropy can be > HILL

27 27 conditioning HILL entropy on average Recall: suppose Y is over b-bit strings H (W Y ) H (W) b Average-Case Entropy Version of Dense Model Theorem: metric* H δ2 b,s (W Y ) H δ,s metric* metric* (W) b Follos from H δ/pr[y],s (W Y = y) H δ,s metric* (W) log 1/Pr[y] Can ork ith metric* and then covert to HILL hen needed (loss in s)

28 conditioning the conditional metric* metric* H δ2 b,s (W Y ) H δ,s (W) b The theorem can be applied multiple times, of course: metric* metric* H δ2 b 1 +b 2,s (W Y 1, Y 2 ) H δ,s (W) b 1 b 2 (here support of Y i has size 2 b i) metric* metric* But e can t prove: H δ2 b 2,s (W Y 1, Y 2 ) H δ,s (W Y 1 ) b 2 (bad case: W = plaintext, Y 1 = PK; because for any given y 1, W has no entropy!) Note: Gentry-Wichs 11 implies: HILL-relaxed HILL-relaxed H 2δ,s/poly(δ, 2 b 2 ) (W Y 1, Y 2 ) H δ,s (W Y 1 ) b 2 Defn: H δ,s HILL-relaxed (W Y) k if (Z, T) such that H (Z T) = k and (W, Y) (Z, T) 28

29 29 unpredictability entropy Why should computational min-entropy be defined through indistinguishability? Why not model unpredictability directly? [Hsiao-Lu-R. 04] predictability W H (W)= log max Pr[] W H s Unp (W Z) k if for all A of size s, Pr[A(z) = ] 2 k Lemma: H Yao (W Z) H Unp (W Z) H HILL (W Z) Corollary: Reconstructive extractors ork for H Unp Lemma: H s Unp (W Y 1, Y 2 ) H s Unp (W, Y 1 ) b 2

30 hat is it good for? H s Unp (W Z) = k if for all A of size s, Pr[A(z) = ] 2 k Examples: H HILL =0 Why bother? Diffie-Hellman: g ab g a, g b One-Way Functions: x f(x) Signatures: Sign SK (m) PK Hardcore bit results (e.g., [Goldreich&Levin,Ta-Shma&Zuckerman]) are typically stated only for OWF, but used everyhere They are actually reconstructive extractors H Unp (X Z) + reconstructive extractors simple generalization language Leakage-resilient crypto (assuming strong hardness) 30

31 the last slide Minentropy is often the right measure Conditional Entropy useful natural extension Easy to use because of simple bit counting Computational Case is trickier A fe possible extensions Bit counting sometimes orks Some definitions (such as H Unp ) only make sense conditionally Separations and conversions beteen definitions exist Still, can simply proofs! 31