Multi-instance Randomness Extraction and Security Against Bounded-Storage Mass Surveillance

Conference paper, Theory of Cryptography (TCC 2023)

Abstract

Consider a state-level adversary who observes and stores large amounts of encrypted data from all users on the Internet, but does not have the capacity to store it all. Later, it may target certain “persons of interest” in order to obtain their decryption keys. We would like to guarantee that, if the adversary’s storage capacity is only (say) \(1\%\) of the total encrypted data size, then even if it can later obtain the decryption keys of arbitrary users, it can only learn something about the contents of (roughly) \(1\%\) of the ciphertexts, while the rest will maintain full security. This can be seen as an extension of incompressible cryptography (Dziembowski CRYPTO’06, Guan, Wichs and Zhandry EUROCRYPT’22) to the multi-user setting. We provide solutions in both the symmetric key and public key setting with various trade-offs in terms of computational assumptions and efficiency.

As the core technical tool, we study an information-theoretic problem which we refer to as “multi-instance randomness extraction”. Suppose \(X_1, \ldots , X_t\) are correlated random variables whose total joint min-entropy rate is \(\alpha \), but we know nothing else about their individual entropies. We choose t random and independent seeds \(S_1,\ldots ,S_t\) and attempt to individually extract some small amount of randomness \(Y_i = \textsf{Ext}(X_i;S_i)\) from each \(X_i\). We’d like to say that roughly an \(\alpha \)-fraction of the extracted outputs \(Y_i\) should be indistinguishable from uniform even given all the remaining extracted outputs and all the seeds. We show that this indeed holds for specific extractors based on Hadamard and Reed-Muller codes.
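The two extractors named in the abstract, applied per block with independent seeds, as an added example written for this page and not code from the paper or its authors. The Hadamard extractor is the inner product over GF(2) with a one-bit output (the single-bit case the paper's note 7 also restricts itself to); the Reed-Muller extractor reads the block as the coefficients of a low-degree multivariate polynomial over a prime field and evaluates it at the seed (note 9 writes the input as f for the same reason). The field size 257, the block length, the number of variables and the degree are toy parameters assumed here, not parameters from the paper. The last function checks the property the one-bit extractor rests on: over all seeds, the output of any nonzero block is exactly balanced, while a block with no entropy left yields a bit the adversary can compute itself.

```python
import itertools
import secrets
from typing import List, Sequence, Tuple

# Toy field size for the Reed-Muller extractor (an assumption of this example,
# not a parameter from the paper): 257 is prime, so every byte value 0..255 is
# a field element and a block maps onto coefficients without collisions.
P = 257


def hadamard_ext(x: bytes, seed: bytes) -> int:
    """Hadamard-code extractor with a one-bit output: Ext(x; s) = <x, s> mod 2.

    The seed is a uniformly random bit string of the same length as the block.
    The output bit is one coordinate of the Hadamard codeword of x."""
    if len(x) != len(seed):
        raise ValueError("seed must be as long as the block")
    acc = 0
    for xb, sb in zip(x, seed):
        acc ^= xb & sb            # bitwise AND per byte; parity folded in below
    return bin(acc).count("1") & 1


def monomials(m: int, d: int) -> List[Tuple[int, ...]]:
    """Exponent vectors of all m-variate monomials of total degree <= d, in a
    fixed order, so a block can be read as a vector of polynomial coefficients."""
    return [e for e in itertools.product(range(d + 1), repeat=m) if sum(e) <= d]


def reed_muller_ext(f: Sequence[int], seed: Sequence[int], m: int, d: int) -> int:
    """Reed-Muller extractor: f is the coefficient vector of an m-variate
    polynomial of total degree <= d over GF(P), the seed is a random evaluation
    point in GF(P)^m, and the output is f(seed), i.e. about log2(P) bits."""
    mons = monomials(m, d)
    if len(f) != len(mons) or len(seed) != m:
        raise ValueError("coefficient vector or seed has the wrong dimension")
    acc = 0
    for coeff, exps in zip(f, mons):
        term = coeff % P
        for s, e in zip(seed, exps):
            term = term * pow(s, e, P) % P
        acc = (acc + term) % P
    return acc


def multi_instance_extract(blocks: List[bytes]) -> Tuple[List[bytes], List[int]]:
    """The multi-instance setting of the abstract: t blocks X_1..X_t, t
    independent seeds S_1..S_t, and Y_i = Ext(X_i; S_i) computed per block.
    The seeds and all Y_i are what the adversary may later be shown."""
    seeds = [secrets.token_bytes(len(x)) for x in blocks]
    outputs = [hadamard_ext(x, s) for x, s in zip(blocks, seeds)]
    return seeds, outputs


def hadamard_bias(x: bytes) -> float:
    """Enumerate every seed for a short block and return |Pr_s[Y = 1] - 1/2|.

    For any nonzero x the Hadamard codeword is balanced, so the bias is exactly 0:
    a block fully unknown to the adversary yields a uniform bit. For x = 0 the
    output is constant and the bias is 1/2, the picture for a block without
    entropy (one the adversary stored in full and can evaluate itself)."""
    n = len(x)
    total = 1 << (8 * n)
    ones = sum(hadamard_ext(x, v.to_bytes(n, "big")) for v in range(total))
    return abs(ones / total - 0.5)


if __name__ == "__main__":
    # Constructed sample: four 2-byte blocks, three random and one all-zero.
    blocks = [secrets.token_bytes(2) for _ in range(3)] + [b"\x00\x00"]
    seeds, ys = multi_instance_extract(blocks)
    for x, s, y in zip(blocks, seeds, ys):
        print(f"X={x.hex()} S={s.hex()} Y={y} bias={hadamard_bias(x):.3f}")
    # Reed-Muller with m=2 variables and degree d=1: three coefficients, one point.
    print(reed_muller_ext([5, 3, 7], [2, 4], m=2, d=1))
```

The balance check is exhaustive over the 2^16 seeds of a 2-byte block, which is why the sample blocks are kept short; it is the deterministic fact behind the extractor, not a proof of the paper's multi-instance theorem, which concerns what happens when only the total min-entropy across all blocks is known and the adversary sees every seed and the remaining outputs.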


Notes

  1. Global annual Internet traffic has long surpassed 1 zettabyte (\(10^{21}\) bytes) [4], while total world-wide datacenter storage is only a couple zettabytes in 2022 [11].

  2. The work of [1] studied a notion of extractors for “Somewhere Honest Entropic Look Ahead” (SHELA) sources. The notions are largely different and unrelated. In particular: (i) in our work X is an arbitrary source of sufficient entropy while [1] places additional restrictions, (ii) we use a seeded extractor while [1] wants a deterministic extractor, (iii) we apply the seeded extractor separately on each \(X_i\) while [1] applies it jointly on the entire X, (iv) we guarantee that a large fraction of extracted outputs is uniform even if the adversary sees the rest, while in [1] the adversary cannot see the rest.

  3. One subtlety is that, for all of our rate-1 constructions, we need a PRG secure against non-uniform adversaries, whereas the prior work could have used a PRG against uniform adversaries.

  4. [6] explores CCA security, but in this work for simplicity we focus only on CPA security.

  5. This strategy would allow us to only prove a very weak version of multi-instance extraction when the number of blocks t is sufficiently small. In this case we can afford to lose the t extracted output bits from the entropy of each block. However, in our setting, we think of the number of blocks t as huge, much larger than the size/entropy of each individual block.

  6. We were initially convinced that the general result does hold and invested much effort trying to prove it via some variant of the above approach without success. We also mentioned the problem to several experts in the field who had a similar initial reaction, but were not able to come up with a proof.

  7. For the sake of exposition, here we only show the case where the extractor output is a single bit. In Sect. 3, we construct extractors with multiple-bit outputs.

  8. Think of the above as a 2-player game where one player chooses \(I_X\), the other chooses the distinguisher, and the payout is the distinguishing advantage; the minimax theorem says that the value of the game is the same no matter which order the players go in.

  9. Since the input to the extractor is interpreted as a polynomial, we will denote it by f rather than the usual x to simplify notation.

  10. Here we assume \(\textsf{SKE}\)’s keys are uniformly random n-bit strings. This is without loss of generality since we can always take the key to be the random coins for \(\textsf{Gen}\).

  11. For the ease of syntax, we imagine the security parameters to be part of the public parameters always accessible to the adversary.

References

  1. Aggarwal, D., Obremski, M., Ribeiro, J., Siniscalchi, L., Visconti, I.: How to extract useful randomness from unreliable sources. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 343–372. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_13

  2. Albrecht, M., Cid, C., Paterson, K.G., Tjhai, C.J., Tomlinson, M.: NTS-KEM. NIST Submissions 2, 4–13 (2019)

  3. Bardet, M., et al.: BIG QUAKE: binary Goppa quasi-cyclic key encapsulation. NIST Submissions (2017)

  4. Barnett Jr., T.: The zettabyte era officially begins (how much is that?). https://blogs.cisco.com/sp/the-zettabyte-era-officially-begins-how-much-is-that

  5. Bernstein, D.J., et al.: Classic McEliece: conservative code-based cryptography. NIST Submissions (2017)

  6. Branco, P., Döttling, N., Dujmovic, J.: Rate-1 incompressible encryption from standard assumptions. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part II. LNCS, vol. 13748, pp. 33–69. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22365-5_2

  7. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4

  8. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

  9. Damgård, I.B., Fehr, S., Renner, R., Salvail, L., Schaffner, C.: A tight high-order entropic quantum uncertainty relation with applications. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 360–378. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_20

  10. Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9

  11. Department, S.R.: Data center storage capacity worldwide from 2016 to 2021, by segment. https://www.statista.com/statistics/638593/worldwide-data-center-storage-capacity-cloud-vs-traditional/

  12. Dinur, I., Stemmer, U., Woodruff, D.P., Zhou, S.: On differential privacy and adaptive data analysis with bounded space. Cryptology ePrint Archive, Report 2023/171 (2023). https://eprint.iacr.org/2023/171

  13. Dodis, Y., Quach, W., Wichs, D.: Authentication in the bounded storage model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 737–766. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07082-2_26

  14. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31

  15. Dziembowski, S.: On forward-secure storage. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 251–270. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_15

  16. Dziembowski, S., Kazana, T., Zdanowicz, M.: Quasi chain rule for min-entropy. Inf. Process. Lett. 134, 62–66 (2018). https://doi.org/10.1016/j.ipl.2018.02.007. https://www.sciencedirect.com/science/article/pii/S002001901830036X

  17. Guan, J., Wichs, D., Zhandry, M.: Incompressible cryptography. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 700–730. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_24

  18. Guan, J., Wichs, D., Zhandry, M.: Multi-instance randomness extraction and security against bounded-storage mass surveillance. Cryptology ePrint Archive (2023)

  19. Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_5

  20. Guruswami, V.: List Decoding of Error-Correcting Codes. LNCS, vol. 3282. Springer, Heidelberg (2005). https://doi.org/10.1007/b104335

  21. Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_5

  22. Moran, T., Wichs, D.: Incompressible encodings. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 494–523. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_17

  23. Nisan, N.: Pseudorandom generators for space-bounded computation. In: 22nd ACM STOC, pp. 204–212. ACM Press (1990). https://doi.org/10.1145/100216.100242

  24. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  25. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603

  26. Vadhan, S.P., et al.: Pseudorandomness. Found. Trends® Theor. Comput. Sci. 7(1–3), 1–336 (2012)

Corresponding author

Correspondence to Mark Zhandry.

Electronic supplementary material

Supplementary material 1 (zip 16 KB)

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Guan, J., Wichs, D., Zhandry, M. (2023). Multi-instance Randomness Extraction and Security Against Bounded-Storage Mass Surveillance. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_4

  • DOI: https://doi.org/10.1007/978-3-031-48621-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48620-3

  • Online ISBN: 978-3-031-48621-0
