Secrecy Without Perfect Randomness: Cryptography with (Bounded) Weak Sources

Abstract

Cryptographic protocols are commonly designed and their security proven under the assumption that the protocol parties have access to perfect (uniform) randomness. Physical randomness sources deployed in practical implementations of these protocols often fall short in meeting this assumption, but instead provide only a steady stream of bits with certain high entropy. Trying to ground cryptographic protocols on such imperfect, weaker sources of randomness has thus far mostly given rise to a multitude of impossibility results, including the impossibility to construct provably secure encryption, commitments, secret sharing, and zero-knowledge proofs based solely on a weak source. More generally, indistinguishability-based properties break down for such weak sources. In this paper, we show that the loss of security induced by using a weak source can be meaningfully quantified if the source is bounded, e.g., for the well-studied Santha-Vazirani (SV) sources. The quantification relies on a novel relaxation of indistinguishability by a quantitative parameter. We call the resulting notion differential indistinguishability in order to reflect its structural similarity to differential privacy. More concretely, we prove that indistinguishability with uniform randomness implies differential indistinguishability with weak randomness. We show that if the amount of weak randomness is limited (e.g., by using it only to seed a PRG), all cryptographic primitives and protocols still achieve differential indistinguishability.

1 Introduction

Cryptographic protocols are commonly designed and their security proven under the assumption that the protocol parties have access to perfect, i.e., uniform, randomness. Actual physical randomness sources that cryptographic implementations rely on, however, rarely meet this assumption: instead of providing uniform randomness, they provide only a stream of bits with a certain high amount of entropy. Moreover, these so-called weak sources, such as the Santha-Vazirani (SV) sources [32], are often non-extractable [15, 32], i.e., it is computationally infeasible to extract more than a super-logarithmic amount of (almost) uniform randomness from them.

There have been several attempts to bridge this gap, i.e., to ground the security guarantees of cryptographic systems on such weak sources. As soon as indistinguishability-based secrecy properties are being desired, however, this line of research has mostly given rise to a multitude of impossibility results [7, 15, 29], only complemented by a few constructive results if additional assumptions are being imposed. For instance, encryption can be realized using weak sources, if one imposes strong assumptions on the entropy of encrypted messages [5], or if the weak source is restricted to the key generation algorithm and a perfect source is available for the actual encryption algorithm [18]. The plurality of impossibility results in this area, as well as the absence of comprehensive constructive results, indicates that traditional indistinguishability-based secrecy notions fall short in capturing the impact of weak randomness on cryptography. This constitutes an unsatisfactory situation, with several open questions looking for an answer:

• Is it possible to quantify the secrecy loss of cryptographic operations and primitives, if a weak source (such as an SV source) is being used?

• Imagine that today a cryptographic protocol (e.g., an e-voting system) is executed and tomorrow it turns out that the employed randomness was weak. Given that there are strong impossibility results [7, 15, 29] for indistinguishability, is all lost or can we still give quantitative guarantees about the secrecy of the system?

• Given that these quantitative guarantees will necessarily be weaker than traditional cryptographic guarantees, under which assumptions do they still provide reasonable practical security guarantees?

In this paper we address all of these questions.

1.1 Our Contributions

Relaxing Indistinguishability to Quantify the Secrecy Loss. We derive quantitative guarantees for all indistinguishability-based cryptographic constructions that are used with arbitrary weak sources that are additionally bounded in the following sense: in addition to imposing an upper bound on the probability of each individual bitstring (i.e., requiring a sufficiently high min-entropy), one additionally imposes a lower bound on these probabilities. These bounded weak sources include SV sources [32] and resemble balanced sources [23].

To quantify the secrecy loss that weak randomness imposes on cryptography, we define differential indistinguishability, a quantitative relaxation of cryptographic indistinguishability in the spirit of differential privacy [19, 30] and pseudodensity [31]. The necessity of a new, relaxed notion arises from the impossibility result of Dodis et al. [15] who showed that whenever only weak sources of randomness are available, traditional indistinguishability is provably impossible for cryptographic primitives that have a secrecy requirement, e.g., encryption, commitments, and zero-knowledge proofs. More concretely, one cannot ensure that the advantage in distinguishing two challenger machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) is negligible for every probabilistic polynomial-time adversary. However, it might still be the case that no adversary has a non-negligible advantage in performing a practical attack that breaks the security entirely, e.g., by reaching a state in which it is certain whether it interacts with \(\mathsf{X} _0\) or \(\mathsf{X} _1\). The notion of differential indistinguishability consequently aims at quantifying the resulting loss of secrecy without overestimating the adversary’s power to break the scheme entirely: Two games, i.e., interactions with two machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\), are \((\varepsilon ,\delta )\)-differentially indistinguishable if for all interactive distinguisher machines \(\mathsf{A}\), the output probabilities for all outputs x are related by

$$\begin{aligned} {\Pr }\left[ \langle {\mathsf{A}} \vert {\mathsf{X} _0} \rangle = x \right] \le 2^\varepsilon \cdot {\Pr }\left[ \langle {\mathsf{A}} \vert {\mathsf{X} _1} \rangle = x \right] + \delta , \end{aligned}$$

where \( x \) is a possible output of \(\mathsf{A}\).¹ Here \(\varepsilon \ge 0\) is a reasonably small constant or a decreasing function such as \(1/{p(\cdot )}\) for a polynomial p. We allow only a negligible function for \(\delta \), which corresponds to a negligible probability to break the security of the scheme entirely. Differential indistinguishability thus offers quantitative parameters to reason about the loss of secrecy incurred by the use of imperfect randomness.

Guarantees for Cryptographic Primitives Using Weak Sources. As our main contribution we show that traditional indistinguishability (given a uniform randomness source) suffices to guarantee differential indistinguishability if the uniform source is replaced by an arbitrary bounded weak source. This result immediately entails meaningful quantitative lower security bounds in cases where indistinguishability-based definitions are provably impossible to achieve [15].

In particular, our methodology can be applied in hindsight and produces meaningful quantitative guarantees for all cryptographic primitives and protocols, provided that the amount of used imperfect randomness is bounded; there is no need for new cryptographic constructions for any of the existing primitives whose security is defined and proven by means of indistinguishability, including simulator-based notions.

Moreover, we show that if the bounded weak randomness is used only to seed a secure PRG, differential indistinguishability suffers only a negligible quantitative (additional) security loss under composition – just as traditional indistinguishability.

Intuitively, is not surprising that the provided secrecy does not degrade substantially if the quality of the randomness degrades within certain small bounds, because otherwise virtually all practical implementations of cryptography would be insecure due to the inherent imperfection of physical sources. Our work confirms this intuition and provides a framework to analyze the resulting loss of secrecy quantitatively.

Technically, Theorem 1 states that the interactions with two machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are differentially indistinguishable for bounded weak distributions if they are indistinguishable for the uniform distribution. These machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) can then be instantiated by arbitrary challenger machines to immediately derive results for cryptographic notions. Theorem 1 comprises arbitrary classes of adversaries and thus covers information-theoretical and computational indistinguishability. To derive quantitative guarantees, the theorem only imposes the requirement that the entropy of the bounded weak randomness used by the primitive or protocol is bounded in terms of the security parameter. Thus all existing primitives that use a bounded amount of randomness can immediately be analyzed and their secrecy loss quantified by an additional multiplicative factor that only depends on the quality of the random source.

Connection to Differential Privacy. We analyze the relation between differential indistinguishability and the well-studied notion of differential privacy [19, 30], especially in terms of composition. Similar to the privacy loss in differential privacy when the privacy of several users is analyzed, differential indistinguishability suffers from a commensurate loss of entropy, which consequently leads to a secrecy loss in cases where several users use weak, potentially even dependent randomness. This relation is of particular interest in scenarios in which the users are not aware of using imperfect randomness and thus fail to deploy existing methods [12, 24, 26] to improve their randomness using multiple sources.

Organization. The rest of the paper is organized as follows: We recall important concepts and introduce our notation in Sect. 2. We define differential indistinguishability and present our main results in Sect. 3. We then demonstrate the utility of differential indistinguishability to public-key encryption and study composability of differentially indistinguishable primitives in Sect. 4. We interpret and analyze differential indistinguishability in Sect. 5, including a comparison between differential indistinguishability with differential privacy. Finally, we discuss related work in Sect. 6 and possible future directions in Sect. 7. To improve readability, we have shifted several proofs to the appendix.

2 Preliminaries and Notation

We denote sampling an element r from a distribution \(D \) by \(r \leftarrow D \). The probability of the event F(r), where r is sampled from the distribution \(D \), is denoted by \({\Pr }\left[ F(r) | r \leftarrow D \right] \) or more compactly by \({\Pr }\left[ F(D) \right] \). To keep the notation simple, we write \(f_{k}\) for the value of a function \(f(\cdot )\) applied to \({k}\), where \({k}\) is typically the security parameter. We drop the explicit dependence of parameters and security bounds (\(\alpha ,\beta ,\varepsilon , \gamma \)) on k whenever it is clear from the context. We denote by \(\{D _{{k}}\}_{{k} \in \mathbb N}\) a family of distributions such that for each \({k}\in \mathbb N\) the distribution \(D _{{{k}}} \) samples elements from \(\{0,1\}^{{{k}}}\). In particular, \(\{U _{{k}}\}_{{k} \in \mathbb N}\) is the family of uniform distributions, where \(U _{{{k}}} \) is the uniform distribution over \(\{0,1\}^{{{k}}}\).

Throughout the paper we consider (possibly interactive) Turing machines \(\mathsf{X} \) that always have implicitly access to a random tape with an infinite sequence of uniformly distributed random bits, even if the machines get an additional input drawn from some random source. Unless we mention that they run in probabilistic polynomial time (ppt) in the length of their first input, those machines are not bounded. The distribution on the outputs of \(\mathsf{X} \) when run on input x is denoted by \(\mathsf{X} (x)\). Similarly, we write \(\langle {\mathsf{X} (x)} \vert {\mathsf{Y} (y)}\rangle \) to denote the distribution on the output of the machine \(\mathsf{X} \) on input x in an interaction with the machine \(\mathsf{Y} \) on input y. We write \(\log := \log _2\) for the logarithm to base 2.

Randomness Sources. In addition to the commonly used min-entropy, we make use of a symmetrically defined counterpart, coined max-entropy by Haitner et. al. [23]: whereas min-entropy bounds the maximum likelihood event, max-entropy bounds the minimum likelihood event (and consequently requires probability distributions with full support).²

Definition 1

Let \(D _{{}} \) be a distribution over the set S. The min-entropy of \(D _{{}} \) is \(H_\textit{min}(D _{{}}) \,{:}{=}\,\min _{x \in S} (- \log {\Pr [D=x]})\); the max-entropy of \(D _{{}} \) is \(H_\textit{max}(D _{{}}) \,{:}{=}\,\max _{x \in S} (- \log {\Pr [D=x]})\).

These entropy measures allow us to define bounded weak sources, which must additionally provide a certain amount of max-entropy in comparison to weak sources.

Definition 2

A family of distributions \(\{D _{n}\}_{n \in \mathbb N}\), each over the set \(\{0,1\}^{n}\) of bitstrings of length n, is a \((\alpha ,\beta )\) -bounded weak source, if every \(D _{{n}} \) satisfies the following entropy requirements:

1. (i)

   \(D _{{n}} \) has min-entropy at least \(n - \alpha \), and

2. (ii)

   \(D _{{n}} \) has max-entropy at most \(n + \beta \).

If a family of distributions \(\{D _{n}\}_{n \in \mathbb N}\) satisfies only requirement (i), but not requirement (ii), we call it an \(\alpha \) -weak source (or a min-entropy source) instead.

The following generalization of Santha-Vazirani (SV) sources [32] to block sources [11, 15] is a special case of \((\alpha ,\beta )\)-bounded weak sources. Block sources are well-suited to describe both physical random sources as well as certain random sources that have been “tampered with” by an adversary [1].

Definition 3

(SV Block Source). A tuple of distributions \(D = (D ^1, \cdots , D ^{t})\), each over the set \(\{0,1\}^{n}\) of bitstrings of length n, is \((n,\gamma )\) -Santha-Vazirani (SV) (for \(0 < \gamma < 1\)) if for all \(0 \le i \le t\) and for all \(x_1, \cdots , x_i \in \{0,1\}^{n}\),

$$\begin{aligned} (1 -\gamma ) \cdot 2^{-n} \le {\Pr }\left[ D ^i = x_i\;\Big |\; x_1 \leftarrow D ^1, \cdots , x_{i-1} \leftarrow D ^{i-1} \right] \le (1+\gamma ) \cdot 2^{-n}. \end{aligned}$$

The original SV sources are a special case of Definition 3 that arises for \(n = 1\). Every \((n,\gamma )\)-SV block source over \(\{0,1\}^{tn}\) is an \((\alpha ,\beta )\)-bounded weak source where \(\alpha = t \cdot \log (1 + \gamma )\) and \(\beta = - t \cdot \log (1- \gamma )\).

Remark 1

Our complete analysis is also possible for sources that are only statistically close to \((\alpha ,\beta )\)-bounded weak sources such as sources in [23] that have a limited number of outliers. We refer to the full version [3] for both definitions and results for such sources.

3 Differential Indistinguishability

In this section we present our main results, which can be applied to a variety of cryptographic notions. Traditional cryptography defines two machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) to be indistinguishable for a certain class of distinguishers \(\mathcal {A}\) if no distinguisher \(\mathsf{A}\in \mathcal {A}\) in this class is able to notice a difference between an interaction with \(\mathsf{X} _0\) and an interaction with \(\mathsf{X} _1\). Formally, the concept of “noticing a difference” is captured by requiring that any possible view of a distinguisher is (almost) equally likely for both \(\mathsf{X} _0\) and \(\mathsf{X} _1\), i.e., the difference between the probability that \(\mathsf{A}\) outputs any given view in the interaction with \(\mathsf{X} _0\) and the probability that \(\mathsf{A}\) outputs the same view in the interaction with \(\mathsf{X} _1\) is negligible. We consider a variant of indistinguishability that allows these probabilities to be also related by a multiplicative factor \(2^\varepsilon > 1\), similar to the concept of mutual pseudodensity [31] and differential privacy [19, 30].

Definition 4

(Differential Indistinguishability). Two probabilistic machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are (\(\varepsilon \),\(\delta \))-differentially indistinguishable for a distribution \(\{D _{\ell }\}_{\ell \in \mathbb N}\) over \(\{0,1\}^{{\ell }}\) for a positive polynomial \(\ell \) and a class \(\mathcal {A}\) of adversaries (probabilistic machines) if for all \(\mathsf{A}\in \mathcal {A}\), for all sufficiently large \({k}\), for all possible outputs x of \(\mathsf{A}\), and for all \(b \in \{0,1\}\),

$$\begin{aligned} {\Pr }\left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X}_b(1^{k},D _{{\ell }})} \rangle = x \right] \le 2^{\varepsilon }\,{\Pr }\left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X}_{1-b}(1^{k},D _{{\ell }})} \rangle = x \right] + \delta _k. \end{aligned}$$

This definition allows to express many of the traditional cryptographic indistinguishability notions [21, 27]. We discuss the impact of the multiplicative factor, that can (and must) be interpreted carefully, in Sect. 5. For the traditional case of \(\varepsilon = 0\) we speak of \(\delta \)-indistinguishability. The definition covers interactive and non-interactive notions, as well as simulation-based notions. For perfect (information-theoretic) indistinguishability, the class of adversaries is the class \(\mathcal {A}_\infty \) of all probabilistic (possibly unbounded) machines and we have \(\delta = 0\).³ Statistical indistinguishability can be expressed with the same class of adversaries for \(\delta > 0\). Cryptographic (computational) indistinguishability can be achieved with the class \(\mathcal {A}_{\textit{ppt}}\) of ppt machines with \(\delta \) being a negligible function.⁴

3.1 Main Result

Traditional indistinguishability for uniform randomness directly implies differential indistinguishability for \((\alpha ,\beta )\)-bounded weak sources. This is captured by the following theorem. It allows us to easily give guarantees for cryptographic primitives whenever their security notions can be expressed in terms of Definition 4.

Theorem 1

If two probabilistic machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are \(\delta \)-indistinguishable for a class of probabilistic machines \(\mathcal {A}\) and the family of uniform sources \(\{U _{n}\}_{n \in \mathbb N}\) over \(\{0,1\}^{n}\), then \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are also \((\alpha +\beta ,2^{\alpha }\cdot \delta )\)-differentially indistinguishable for \(\mathcal {A}\) and any \((\alpha ,\beta )\)-bounded weak source over \(\{0,1\}^n\).

Proof

We show the theorem by first proving a technical lemma about bounded weak distributions: Even though an \((\alpha ,\beta )\)-bounded weak distribution is not negligibly close to a uniform distribution, the parameters \(\alpha \) and \(\beta \) give a bound on the discrepancy between the uniform distribution and the bounded weak distribution.

Lemma 1

Let \(\{D _{n}\}_{n \in \mathbb N}\) be an \((\alpha ,\beta )\)-bounded weak source over \(\{0,1\}^{n}\) and let \(\{U _{n}\}_{n \in \mathbb N}\) be a family of uniform sources over \(\{0,1\}^{n}\). For all probabilistic machines \(\mathsf{A}\), for all \(k\in \mathbb N\) and for all possible outputs x of \(\mathsf{A}\),

$$\begin{aligned} {\Pr }\left[ \mathsf{A}(1^{k},D _{{n}}) =x \right]&\le 2^{\alpha }\,{\Pr }\left[ \mathsf{A}(1^{k},U _{{n}})=x \right] \qquad \qquad \qquad \qquad \qquad \;\; (a) \\ and \qquad {\Pr }\left[ \mathsf{A}(1^{k},U _{{n}})=x \right]&\le 2^{\beta }\,{\Pr }\left[ \mathsf{A}(1^{k},D _{{n}})=x \right] . \qquad \qquad \qquad \qquad \qquad \; (b) \end{aligned}$$

Proof

Let \(\{D _{n}\}_{n \in \mathbb N}\) be an \((\alpha ,\beta )\)-bounded weak distribution over \(\{0,1\}^{n}\). By Definition 2, \(D _{{n}} \) has min-entropy at least \(n - \alpha \) and max-entropy at most \(n + \beta \). We start with (a). For all values \(r_0 \in \{0,1\}^{n}\),

$$\begin{aligned} \log \left( \frac{{\Pr }\left[ D _{{n}} =r_0 \right] }{{\Pr }\left[ U _{{n}} =r_0 \right] } \right)&= \log \left( {\Pr }\left[ D _{{n}} =r_0 \right] \right) - \log \left( 2^{-n}\right) \\&\le - \min \limits _{y \in \{0,1\}^{n}}\left( -\log \left( {{\Pr }\left[ D _{{n}} =y \right] } \right) \right) - \log \left( 2^{-n}\right) \\&\le - \left( n - \alpha \right) + n = \alpha . \end{aligned}$$

Using this inequality we can show (a) as follows. For all possible outputs x of \(\mathsf{A}\),

$$\begin{aligned} {\Pr }\left[ \mathsf{A}(1^k,D _{{n}})=x \right]&= \sum _{r_0 \in \{0,1\}^{n}} {\Pr }\left[ \mathsf{A}(1^k,r_0)=x \right] {\Pr }\left[ D _{{n}} =r_0 \right] \\&\le \sum _{r_0 \in \{0,1\}^{n}} {\Pr }\left[ \mathsf{A}(1^k,r_0)=x \right] \cdot 2^{\alpha } \cdot {\Pr }\left[ U _{{n}} =r_0 \right] \\&\le 2^{\alpha } \, {\Pr }\left[ \mathsf{A}(1^k,U _{{n}})=x \right] . \end{aligned}$$

This shows (a). For (b), note that for all values \(r_0 \in \{0,1\}^{n}\), the probability \({\Pr }\left[ D _{{n}} = r_0 \right] \) is strictly larger than zero because \(\beta <\infty \). For all values \(r_0 \in \{0,1\}^{n}\),

$$\begin{aligned} \log \left( \frac{{\Pr }\left[ U _{{n}} =r_0 \right] }{{\Pr }\left[ D _{{n}} =r_0 \right] } \right)&=\log \left( 2^{-n}\right) - \log \left( {{\Pr }\left[ D _{{n}} =r_0 \right] } \right) \\&\le \log \left( 2^{-n}\right) + \max \limits _{y \in \{0,1\}^{n}}\left( -\log \left( {{\Pr }\left[ D _{{n}} =y \right] } \right) \right) \\&\le -n + \left( n + \beta \right) = \beta . \end{aligned}$$

Using this equation we can show (b) as follows. For all possible outputs x of \(\mathsf{A}\),

$$\begin{aligned} {\Pr }\left[ \mathsf{A}(1^k,U _{{n}})=x \right]&= \sum _{r_0 \in \{0,1\}^{n}} {\Pr }\left[ \mathsf{A}(1^k,r_0)=x \right] {\Pr }\left[ U _{{n}} =r_0 \right] \\&\le \sum _{r_0 \in \{0,1\}^{n}} {\Pr }\left[ \mathsf{A}(1^k,r_0)=x \right] \cdot 2^{\beta } \cdot {\Pr }\left[ D _{{n}} =r_0 \right] \\&\le 2^{\beta }\,{\Pr }\left[ \mathsf{A}(1^k,D _{{n}})=x \right] . \end{aligned}$$

This completes the proof of Lemma 1.    \(\square \)

Now we use the lemma to prove our main theorem. Let \(\{D _{n}\}_{n \in \mathbb N}\) be an \((\alpha ,\beta )\)-bounded weak source, and \(\{U _{n}\}_{n \in \mathbb N}\) be the uniform source, both over \(\{0,1\}^{n}\). Furthermore, let \(\mathsf{X} _0\), \(\mathsf{X} _1\) be probabilistic (not necessarily polynomially bounded) machines, and let \(\mathsf{A}\in \mathcal {A}\) be an adversary machine such that for a function \(\delta \),

$$\begin{aligned} {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _0(1^k,U _{{n}})} \rangle = x \right] \le {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _1(1^k,U _{{n}})} \rangle = x \right] + \delta . \end{aligned}$$

Using Lemma 1, we show that \(\mathsf{A}\) behaves similarly on \(D _{{n}} \), as otherwise a machine that simulates \(\langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _0(1^k,r)}\rangle \) (or \(\langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _1(1^k,r)}\rangle \)) could distinguish \(\{D _{n}\}_{n \in \mathbb N}\) and \(\{U _{n}\}_{n \in \mathbb N}\).

$$\begin{aligned} {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _0(1^k,D _{{n}})} \rangle = x \right]&\le 2^{\alpha }\, {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _0(1^k,U _{{n}})} \rangle = x \right] \end{aligned}$$

(1)

$$\begin{aligned}&\le 2^{\alpha }\, {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _1(1^k,U _{{n}})} \rangle = x \right] + 2^{\alpha } \cdot \delta \end{aligned}$$

(2)

$$\begin{aligned}&\le 2^{\alpha +\beta }\, {\Pr }\left[ \langle {\mathsf{A}(1^k)} \vert {\mathsf{X} _1(1^k,D _{{n}})} \rangle = x \right] + 2^{\alpha }\cdot \delta \end{aligned}$$

(3)

Here, inequalities (1) and (3) follow from inequalities (a) and (b) in Lemma 1, respectively. The remaining inequality (2) holds by assumption.    \(\square \)

Recall that every \((n,\gamma )\)-SV block source over \(\{0,1\}^{tn}\) (Definition 3) is an \((\alpha ,\beta )\)-bounded weak source where \(\alpha = t \cdot \log (1 + \gamma )\) and \(\beta = - t \cdot \log (1- \gamma )\). With \(\gamma < 1/2\), it holds that \(\beta \le 2t\gamma \) and \(\alpha \le 2t\gamma \). Thus, we can instantiate Theorem 1 for SV block sources as follows:

Corollary 1

If two probabilistic machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are \(\delta \)-indistinguishable for a class of probabilistic machines \(\mathcal {A}\) and the family of uniform sources \(\{U _{nt}\}_{nt \in \mathbb N}\) over \(\{0,1\}^{nt}\), then \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are also \((\varepsilon ,2^{\varepsilon }\delta )\)-differentially indistinguishable for \(\mathcal {A}\) and any family of \((n,\gamma )\)-SV block sources \(\{D _{nt}\}_{nt \in \mathbb N}\) over \(\{0,1\}^{tn}\) with \(\gamma \le \frac{1}{2}\), where \(\varepsilon = \gamma \cdot 4t\).

Remark 2

Lemma 1 can also be interesting for sources with unbounded max-entropy. In this case, \(\beta \) is infinitely large and consequently, inequality (b) does not yield interesting guarantees anymore. However, for restricting undesirable events that are not based on indistinguishability, inequality (a) suffices, which is in line with the results of Dodis and Yu [18]. We refer to Appendix B for a discussion.

3.2 Computational Differential Indistinguishability Guarantees

In the computational setting where adversaries are ppt machines, we can achieve a stronger result: If we rely on a pseudorandom generator (PRG), we can expand a short seed from a randomness source to polynomially many bits of pseudorandomness. This well-known property is especially interesting here, as it allows us to apply Theorem 1 in a much broader form: Virtually every classically secure protocol is differentially secure when only a short random seed has been drawn from a bounded weak source and then expanded via a PRG, as this puts a limit on the entropy loss imposed by the actual bounded weak source. We formalize this observation in the following corollary, which is central to our work.

Corollary 2

If two probabilistic machines \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are computationally indistinguishable for a class of ppt machines \(\mathcal {A}\) and uniform randomness, then \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are also \((\alpha +\beta ,2^{\alpha }\cdot \delta )\)-differentially indistinguishable for \(\mathcal {A}\) and for a negligible function \(\delta \), if they draw their randomness from a PRG that is seeded with a \((\alpha ,\beta )\)-bounded weak source.

The corollary also gives guarantees for protocols and security proofs in which the amount of necessary randomness can be influenced by the adversary, e.g., by sending requests to the machine.

4 Application to Cryptography

We apply differential indistinguishability to a common secrecy definition, namely indistinguishability under chosen ciphertext attacks for public-key encryption. This definition serves as example for how to instantiate the notion and how to apply our main results to quantify the secrecy loss under imperfect randomness.

Moreover, we analyze differential indistinguishability under composition. We obtain a general composability result for differential indistinguishability that comes, similar to the composability of differential privacy, with a loss of secrecy. We refer to the full version [3] for a discussion about additional examples (commitment schemes and zero-knowledge proofs).

4.1 Public-Key Encryption

For PKE, standard security definitions, e.g., indistinguishability under adaptive chosen ciphertext attack (IND-CCA) [21] can naturally be relaxed to use differential indistinguishability instead of traditional indistinguishability.

Definition 5

( \((\varepsilon ,\delta )\)-DIF-IND-CCA ). A pair \(\mathsf{A}=(\mathsf{A}_0,\mathsf{A}_1)\) of ppt oracle machines is an IND-CCA adversary if \(\mathsf{A}_0\) outputs two messages \(x_0\), \(x_1\) of the same length together with a state s, \(\mathsf{A}_1\) outputs a bit, and both \(\mathsf{A}_0\) and \(\mathsf{A}_1\) have access to decryption oracles as defined below. A PKE scheme \(\mathcal E = (\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})\) has \((\varepsilon ,\delta )\) -differentially indistinguishable encryptions under adaptive chosen ciphertext attack for a randomness source \(\{D _{n}\}_{n \in \mathbb N}\) if for all IND-CCA adversaries and for all sufficiently large k and bitstrings z of polynomial length in k, it holds that \({\Pr }\left[ \mathsf{P}_{k,z}^{(0)}=1 \right] \le 2^{\varepsilon }\, {\Pr }\left[ \mathsf{P}_{k,z}^{(1)}=1 \right] + \delta \), where \(P_{k,z}^{(i)}\) is defined as:

$$\begin{aligned} \mathsf{P}_{k,z}^{(i)} \,{:}{=}\,&(e,d) \leftarrow \mathsf{Gen} (1^k); \ ((x_0,x_1), s ) \leftarrow \mathsf{A}_0^{\mathsf{Dec} (d, \cdot )} (1^k,e,z) \\&c \leftarrow \mathsf{Enc} (e,x_i;D _{{n}});\ output \mathsf{A}_1^{\mathsf{Dec} _c(d, \cdot )}(1^k, s ,c) \end{aligned}$$

Here, \(\mathsf{Dec} _c(d, \cdot )\) denotes a decryption oracle that answers on all ciphertexts except for c, where it returns an error symbol \(\bot \). The randomness used by the encryption algorithm \(\mathsf{Enc} \) is drawn from \(D _{{n}} \).

Note that \((0,\delta )\)-DIF-IND-CCA security is equivalent to traditional \(\delta \)-IND-CCA security.

Encryption with Imperfect Randomness. Both the encryption algorithm and the key generation algorithm require randomness. Dodis and Yu [18] show that even if weak sources are used for the key generation of IND-CCA secure encryption schemes, the security is preserved. However, this result does not apply when imperfect randomness is used by the encryption algorithm. The next theorem, an application of Theorem 1, quantifies the secrecy loss whenever the encryption algorithm has only access to an \((\alpha ,\beta )\)-bounded weak source.

Theorem 2

Let \(\mathcal E = (\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})\) be any PKE scheme that is \(\delta \)-IND-CCA secure under the assumption that \(\mathsf{Enc} \) consumes at most n bits of uniform randomness. Then \(\mathcal E \) is \((\alpha +\beta ,2^{\alpha }\delta )\)-DIF-IND-CCA secure if \(\mathsf{Enc} \) uses an \((\alpha ,\beta )\)-bounded weak source \(\{D _{n}\}_{n \in \mathbb N}\) instead of a uniform source.

We refer to Appendix A.1 for a proof.

Discussion. Theorem 2 enables us to provide meaningful guarantees if an IND-CCA secure encryption scheme relies on imperfect randomness, as long as the randomness used to encrypt the ciphertext in question is drawn from a bounded weak source. If an encryption scheme is (\(\varepsilon \),\(\delta \))-DIF-IND-CCA secure, the adversary may learn that the probability that a ciphertext contains a particular message \(m_0\) is \(2^\varepsilon \) times higher than the probability that it contains another message \(m_1\). However, if \(\varepsilon \) is reasonably small, e.g., \(\varepsilon = 0.001\) (and thus \(2^\varepsilon \approx 1.001\)), both \(m_0\) and \(m_1\) are a plausible content of the ciphertext. In particular, the adversary cannot reasonably believe or even convince a third party that \(m_0\) is the value that has been encrypted. Moreover, the encryptor retains (a weak form of) deniability: She could indeed have encrypted any message.

Imperfect Randomness in Both Key Generation and Encryption. Our results also enable us to give a differential indistinguishability guarantee in the case when both the key generation algorithm \(\mathsf{Gen} \) and the encryption algorithm \(\mathsf{Enc} \) make use of a bounded weak source. If a PRG was used, seeded by a bounded weak random source, then we can immediately apply Corollary 2 to derive a differential indistinguishability guarantee. In contrast to the result of Dodis and Yu that requires the encryption scheme to be simulatable as defined by [18], which excludes, e.g., stateful schemes, we do not require any such structural property of the scheme.⁵ If, for some reason, no PRG was used, one can still apply Theorem 1, but this will naturally yield weaker guarantees, as the combined randomness of \(\mathsf{Gen} \) and \(\mathsf{Enc} \) needs to be taken into account (and moreover the security loss under composition is significant, as discussed below).

Multiple Encryptions. Theorem 2 states a guarantee only for a single encryption (namely the encryption of one challenge message). However, it can be extended to the encryption of a message vector. In particular, if a PRG is used (and thus the amount of bounded weak randomness is limited to the seed of the PRG), Corollary 2 yields immediately a differential indistinguishability guarantee with \(\varepsilon \) being independent of the number of encrypted messages. If however, the encryption algorithm \(\mathsf{Enc} \) is run several times with (fresh) imperfect randomness, the entropy loss of the randomness can increase linearly in the number of messages in the vector for SV block sources, and consequently, \(\varepsilon \) increases significantly.

Other Security Definitions. Although we focus on IND-CCA security for PKE in this section, the broad applicability of Theorem 1 allows to handle other security definitions such as indistinguishability under chosen plaintext attack (IND-CPA) similarly.

4.2 Composability

Traditional indistinguishability with a negligible function \(\delta \) and \(\varepsilon =0\) allows for polynomially many compositions, because a polynomial factor for the advantage of an adversary, which might come from seeing multiple samples, does not help the adversary substantially (the advantage remains negligible). This is not true for differential indistinguishability in general, because the (non-negligible) multiplicative factors can, under certain conditions, be accumulated as well.

For individual users we have shown that sequential composition of one or more primitives is possible without an (additional) loss of secrecy if a PRG is used (Corollary 2). If, however, several users within a protocol use imperfect randomness, the secrecy can degrade. Interestingly, we can give a bound on the loss of secrecy that is similar to the composition that occurs for differential privacy. We formulate a general composition lemma that we can instantiate to cope with several situations.

Lemma 2

Let \(\mathcal {A}\) be a class of adversaries. If \(\mathsf{X} _0\) and \(\mathsf{X} _1\) are \((\varepsilon ,\delta )\)-differentially indistinguishable for \(\mathcal {A}\), and \(\mathsf{X} _1\) and \(\mathsf{X} _2\) are \((\varepsilon ',\delta ')\)-differentially indistinguishable for \(\mathcal {A}\), then \(\mathsf{X} _0\) and \(\mathsf{X} _2\) are \((\varepsilon '',\delta '')\)-differentially indistinguishable for \(\mathcal {A}\) where \(\varepsilon ''=\varepsilon +\varepsilon '\) and \(\delta ''=2^{\varepsilon '}\delta +2^\varepsilon \delta '\).

We refer to Appendix A.2 for a proof.

A direct application of the lemma is the above described scenario in which multiple users (sequentially or concurrently) contribute to a protocol and use bad randomness. In this case, the machine \(\mathsf{X} _1\) can express an intermediate scenario that is used in a straightforward hybrid argument, where for two users \(\mathsf{X} _1\) is the only hybrid. Moreover, the lemma is applicable to scenarios where an individual user draws from a random source several times (for several primitives or protocols) instead of using a PRG, and also to compositions of differential indistinguishability guarantees in information-theoretical settings, where a PRG cannot be employed in the first place.

5 Interpretation and Analysis

In this section, we analyze and interpret the security guarantees provided by differential indistinguishability. In particular, we study the impact of a multiplication factor, and the influence of min- and max-entropy on differential indistinguishability. Furthermore, we discuss the relation between differential indistinguishability and differential privacy.

5.1 Impact of a Multiplicative Factor

Similar to differential privacy, differential indistinguishability adds a multiplicative factor to the inequality used in the traditional indistinguishability notion. We observe that a multiplicative bound may express properties that are inexpressible by an additive bound. While every multiplicative bound of the form \({\Pr }\left[ A \right] \le 2^\varepsilon \, {\Pr }\left[ B \right] + \delta \) implies a purely additive bound \({\Pr }\left[ A \right] \le {\Pr }\left[ B \right] + \delta + 2^\varepsilon - 1 \approx {\Pr }\left[ B \right] + \delta + \varepsilon \), the converse does not hold in general. No matter which additive bound can be shown between two probabilistic events, there does not necessarily exist a multiplicative bound. In particular, there are machines that are \(\delta \)-indistinguishable for some \(\delta \) but not \((\varepsilon ,\delta ')\)-indistinguishable for any \(\varepsilon \) such that \(\delta '<\delta \). We refer to Appendix A.3 for a formal counterexample.

For secrecy properties, traditional indistinguishability intuitively states that no adversary can learn any information about the secret, except with negligible probability. The multiplicative factor generalizes indistinguishability to additionally allow the adversary to learn information about the secret with more than a negligible probability, as long as the loss of secrecy is bounded; e.g., if \(\varepsilon \) is a small constant, then differential indistinguishability ensures that the owner of the secret retains deniability by introducing doubt for the adversary.

Besides differential privacy, a multiplicative factor has also been used to achieve a specialized relaxation of semantic security in the presence of efficient adversaries that may tamper with an SV source [1, App B.4], and additionally for a security analysis of anonymous communication protocols [2].

Example. Let us assume that Alice participates in an e-voting protocol based on, e.g., a commitment scheme. If the random source that she uses to seed her PRG turns out to be an \((\alpha ,\beta )\)-bounded weak source, the commitments are still \(\varepsilon \) -differentially hiding (see the full version [3] for a formal definition), where \(\varepsilon = \alpha +\beta \) is a small constant. Assume that Alice can vote for one of two popular candidates, say, Bob and Charlie, and she chooses to vote for Bob. In the traditional indistinguishability case, a non-negligible additive difference in the guarantee could result from a non-negligible probability of leaking the vote, which is highly unsatisfactory. The multiplicative factor \(2^\varepsilon \), however, allows us to guarantee that both cases will still maintain non-zero probability and no distinguisher can be sure whether Alice voted for Bob or for Charlie. Consider a distinguisher that only outputs, say ‘1’ if it is certain that the vote was cast for Bob, and ‘0’ in all other cases. Such a distinguisher is affected by the multiplicative bound as the output ‘1’ is almost equally probable in all cases. Moreover, if the probability of outputting ‘1’ is zero when the vote was cast for Charlie, then differential indistinguishability implies that the probability of outputting ‘1’ is zero when the vote was cast for Bob.

Notice that the same analysis applies if a negligible additive value \(\delta \ne 0\) is present. In this case, there might be a negligible chance for the adversary to be certain about the vote, but in all other cases, deniability is preserved.

5.2 Influence of Min- and Max-Entropy

The literature on imperfect randomness has focused on “weak (entropy) sources” (called \(\alpha \)-weak sources in this paper), because a non-trivial amount of min-entropy suffices for many applications. It is known to be sufficient to achieve unpredictability-based definitions, i.e., security notions in which the adversary has to guess a whole bitstring, e.g., the binding property of commitments and unforgeability of signatures and message authentication codes [13, 15, 28] (see also Appendix B).

Recently, Dodis and Yu [18] have extended this result significantly by showing that if such an unpredictability game can be considered a part of an indistinguishability game (e.g., for an encryption scheme with a weakly generated key) and if a simulatability condition proposed by the authors holds, then min-entropy also suffices for the indistinguishability game. In particular, they consider a primitive that can be divided into a setup phase (generating setup elements such as a key pair) and a simulatable (i.e., stateless and repeatable) indistinguishability game phase. They show that indistinguishability for such a primitive that can be preserved despite the setup phase (but not the game phase!) employing an \(\alpha \)-weak source instead of uniform randomness. Here, the security notion under consideration is indeed divided. The setup phase has some, usually not explicitly specified, unpredictability notion (e.g., no adversary must be able to guess a correct key), and a corresponding game. Nevertheless, due to the impossibility result by Dodis et al. [15], whenever only min-entropy is ensured, a secrecy guarantee cannot be achieved in general, but only for certain schemes and under certain conditions. We discuss this in detail for public-key encryption in Sect. 4.1.

If, however, the randomness source has additionally a bounded max-entropy (and thus, among other properties, a full support), generic results are possible. In particular, a differential secrecy guarantee is still possible for a secrecy notion that is not simulatable (as defined by Dodis and Yu [18]), when an \((\alpha ,\beta )\)-bounded weak source is used for generating the key. More importantly, such a differential guarantee is achievable when bounded weak randomness is used by the encryption algorithm itself.

Interestingly, max-entropy on its own is not sufficient for giving meaningful guarantees. If only the max-entropy of a source is bounded, the source could still output one individual element with a very high probability such that the probability over the other elements is evenly distributed. Therefore, we require both min-entropy and max-entropy measures for giving reasonable quantitative guarantees in all cases for which none of the specialized (e.g., unpredictability-based) solutions is applicable.

5.3 Relation to Differential Privacy and Sensitivity

Differential privacy [19] quantifies the privacy provided by database query mechanisms: Intuitively, differential privacy requires that the output of a query mechanism should not allow to distinguish similar databases better than with a small multiplicative factor. Both in terms of the definition and in terms of the small but usually non-negligible multiplicative factor, differential privacy and differential indistinguishability are closely related. We find this relation to be helpful for interpreting the guarantees and for understanding the drawbacks of differential indistinguishability. Differential privacy is influenced by the sensitivity of a statistical query, i.e., the amount of influence individual database records can have on the output of the query. Typical differential private mechanisms sanitize their output by adding random noise to guarantee a certain \(\varepsilon \)-level of privacy; the amount of added noise directly depends on the sensitivity.

Although there are neither databases nor the concept of utility (in the same sense as in differential privacy) in our setting, the fact that a bounded weak source is differentially indistinguishable from a uniform source is analogous to the differential privacy of a query mechanism. From this point of view, the missing entropy of the weak source corresponds to the sensitivity in differential privacy.

This relation between sensitivity and entropy is interesting for sources that can be analyzed in a block-by-block manner, e.g., \((n,\gamma )\)-SV sources. For such a source the entropy loss and thus the “sensitivity” is directly associated with the parameter \(\gamma \) and the amount of blocks that are drawn from this source. The higher the sensitivity, i.e., the more randomness is drawn by honest parties, the smaller \(\gamma \) must be to allow for guaranteeing \(\varepsilon \)-differential indistinguishability for a given value of \(\varepsilon \). Clearly, the bias and thus the entropy loss in a \((1,\gamma )\)-SV source can be arbitrarily increased, e.g., by drawing more random bits and taking the majority vote over them. Although this amplification does not make a difference for uniform randomness, it may increase the bias of the bits for SV sources. Therefore, for SV sources, the amount of randomness is a necessary parameter that influences the security.

6 Related Work

The effect of imperfect randomness on traditional cryptography is well-studied. On the negative side, several papers demonstrate the inherent limitations of indistinguishability-based cryptographic guarantees with imperfect randomness [1, 7, 15, 16]. Remarkably, Dodis et al. [15] show that traditional indistinguishability required for encryption, commitments, secret sharing, and zero-knowledge cannot be realized if a bounded weak source is used, which constitutes the main motivation for our work. More precisely, they prove that no protocol for any of these primitives can be secure against certain block sources, which include bounded weak sources. These sources sample blocks (i.e., several bits at once) that are \(1/\textit{poly}(k)\) close to the uniform distribution [11, 15, 32] for an arbitrary polynomial, where k is the security parameter.

This impossibility result has been refined and generalized over the last few years. Bosley and Dodis [7] show that information-theoretically secure encryption of more than \(\log (n)\) bits is possible only if more than \(\log (n)\) almost-uniform bits can be extracted from the source in the first place. In the universal composability (UC) setting [9], Canetti, Pass, and Shelat [10] show that even for (sampleable) sources for which a deterministic extractor exists, UC-secure commitments are not possible. Austrin et. al. [1] refined the impossibility result by Dodis et. al. [15] to show that it holds even when the adversary that tampers with the SV source is required to be efficient. Recently, Dodis and Yao [17] proposed a novel classification of random sources that groups them into “separable” and “expressive” sources. They apply their notions to rule out even one-bit encryption, commitment, and zero-knowledge proofs for many weak sources.

On the positive side, one line of research examines the extraction of (almost) perfect randomness from several kinds of imperfect randomness sources [6, 11, 12, 26, 33, 34]. However, extraction generally requires the source to have a certain degree of independence, whereas the only main requirement for bounded weak sources is to provide some entropy.

Aiming at particular applications, it has been shown that a few primitives can be securely instantiated even if only imperfect randomness is available [1, 14, 25], e.g., signatures [15] and Byzantine agreement [22].

Dodis et al. [14] prove that differential privacy of statistical queries can be preserved even when the noise is generated using an imperfect random source. In particular, they ask whether differential privacy is possible if no uniform randomness is available, and give a positive answer for SV sources by presenting a \(\gamma \)-differentially private algorithm that works on these sources. Relevant to our observations, they note that traditional indistinguishability-based privacy is a stronger notion as compared to, e.g., unforgeability.

A multiplicative factor as in this work has also been used to achieve a specialized relaxation of semantic security in the presence of efficient adversaries that may tamper with an SV source [1, App. B.4]. Moreover, such a factor has proven useful for a security analysis of anonymous communication protocols [2].

Most closely related to our work, Dodis and Yu [18] show that for all unpredictability-based primitives as well as for a class of restricted indistinguishability-based primitives, randomness sources with high min-entropy suffice to guarantee security whenever a uniform random source already guarantees security. While this is related to our result for unpredictability-based primitives (Corollary 3), Dodis and Yu establish a traditional indistinguishability guarantee (i.e., \(\varepsilon =0\)) for a restricted class of indistinguishability-based primitives under weaker assumptions on the randomness source, clearly surpassing our results in these cases. However, the imposed gray-box requirements on indistinguishability games rule out many common and interesting cases. In particular, their analysis applies only to scenarios in which imperfect randomness is used at the beginning of a game, i.e., typically as input to a key generation algorithm. This leads to the observation that, e.g., for encryption, their result is restricted to imperfectly generated keys, and does not take care of the case where the encryption algorithm has access only to imperfect randomness.⁶ In contrast, while our method provides only a differential guarantee, it is capable of obliviously analyzing essentially all indistinguishability games that make use of imperfect randomness, without imposing restrictions on the usage of this imperfect randomness. We refer to Sect. 5.2 for a more thorough analysis of our requirements on randomness and the possible results.

Kamara and Katz [25] propose a notion of security for symmetric-key encryption that is able to cope with imperfect randomness. However, their notion applies only if the challenge messages are encrypted using uniform randomness. While we consider their approach orthogonal to ours, it turns out that a combination with our approach is possible. In the public-key setting, Bellare et al. [5] define and realize the notion of hedged public-key encryption, which provides secrecy guarantees even in the case of randomness failures, as long as the encrypted message has enough entropy.

7 Future Directions

Our work presents a novel view on the relation between weak randomness and indistinguishability, and it naturally leads to many more interesting questions.

From a theoretical point of view, we can ask whether it can be used in more scenarios such as for leakage-resilient cryptography [8, 20]. In particular, is it possible to give differential guarantees in cases where the adversary learns more than allowed by existing leakage-resilient schemes?

On the practical side, a natural next step is to apply our results to real applications and to random sources that are used in practice: Can we use entropy measurements of real randomness generators (both hardware generators and software generators) together with differential indistinguishability to give cryptographic guarantees?

Appendices

A Postponed Proofs

1.1 A.1 Proof of Theorem 2 (Public-Key Encryption)

Proof

Let \(\mathcal E = (\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})\) be a public-key encryption scheme, let \(\mathcal {A}_{\textit{ppt}}\) be the class of ppt machines, and let \(\{D _{n}\}_{n \in \mathbb N}\) be an \((\alpha ,\beta )\)-bounded weak source. To simplify the notation we write \(P_{k,z}^{(b,r)}\) for simulating \(P_{k,z}^{(b)}\) and using \(r \in \{0,1\}^{{n}}\) as the randomness for \(\mathsf{Enc} \). Let \(\mathsf{X} _0(1^{k},r) \,{:}{=}\,P_{k,z}^{(0,r)}\) and \(\mathsf{X} _1 \,{:}{=}\,P_{k,z}^{(1,r)}\) with the modification that \(\mathsf{X} _0\) and \(\mathsf{X} _1\) additionally provide a decryption oracle (as defined in Definition 5) to the adversary. Observe that by our definition of \(\mathsf{X} _0\) and \(\mathsf{X} _1\), the following two statements hold:

1. (i)

   \(\mathsf{X} _0(1^{k},U _{{n}})\) and \(\mathsf{X} _1(1^{k},U _{{n}})\) are indistinguishable for the class \(\mathcal {A}_{\textit{ppt}}\) of adversaries if and only if \(\mathcal E\) is IND-CCA.

2. (ii)

   \(\mathsf{X} _0(1^{k},D _{{n}})\) and \(\mathsf{X} _1(1^{k},D _{{n}})\) are \((\varepsilon ,\delta )\)-differential indistinguishability for the class \(\mathcal {A}_{\textit{ppt}}\) of adversaries if and only if \(\mathcal E\) is \((\varepsilon ,\delta )\)-DIF-IND-CCA for \(\{D _{n}\}_{n \in \mathbb N}\).

Thus, the claim follows immediately from Theorem 1.    \(\square \)

1.2 A.2 Proof of Lemma 2 (General Composition)

Proof

Given any adversary \(\mathsf{A}\in \mathcal {A}\), for sufficiently large k and every possible output x of \(\mathsf{A}\), applying the definition of differential indistinguishability for \(\mathsf{X} _0\) and \(\mathsf{X} _1\) as well as \(\mathsf{X} _1\) and \(\mathsf{X} _2\) yields

$$\begin{aligned} \Pr \left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X} _0(1^{k})} \rangle =x\right]&\le 2^{{\varepsilon }} \Pr \left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X} _1(1^{k})} \rangle =x\right] + \delta \\&\le 2^{\varepsilon } (2^{{\varepsilon '}}\Pr \left[ \langle {\mathsf{A}(1^{k}} \vert {\mathsf{X} _2(1^{k})} \rangle =x\right] + \delta ') +\delta \\&\le 2^{{\varepsilon }+{\varepsilon '}} \Pr \left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X} _2(1^{k})} \rangle =x\right] + 2^{{\varepsilon '}}\delta +2^{\varepsilon }\delta '. \end{aligned}$$

Symmetrically, we obtain the opposite bound

$$\begin{aligned} \Pr \left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X} _2(1^{k})} \rangle =x\right] \le 2^{{\varepsilon '}+{\varepsilon }} \Pr \left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{X} _0(1^{k})} \rangle =x\right] + 2^{\varepsilon }\delta '+2^{{\varepsilon '}}\delta . \end{aligned}$$

   \(\square \)

1.3 A.3 On Additive and Multiplicative Bounds (Sect. 5.1)

Given any arbitrary function \(\delta \) with \(1 \ge \delta _{k}> 0\), we construct a commitment scheme \(\mathcal C\) such that for every adversary there is an additive bound of \(\delta \) (\(\mathcal C\) is \(\delta \)-hiding), but there is no pair \((\varepsilon ,\delta ')\) with \(\delta _{k}' < \delta _{k}\) (for sufficiently large k) such that \(\mathcal C\) is \((\varepsilon ,\delta ')\)-\(\mathrm {differentially\ hiding}\). No matter which additive bound can be shown between two probabilistic events, there does not necessarily exist a non-trivial multiplicative bound, i.e., a multiplicative bound that could be used to improve on the additive bound.

Proof

Let \(\mathcal C _ IT \) be an information-theoretically hiding commitment scheme. We construct \(\mathcal C = (\mathsf{S}, \mathsf{R})\) from \(\mathcal C _ IT \) as follows. For security parameter \({k}\), \(\mathcal C \) behaves like \(\mathcal C _ IT \) but with probability \(\delta _{k}\), the algorithm \(\mathsf{S} \) additionally leaks the message. Clearly the scheme is \(\delta \)-hiding. Consider the distinguisher \(\mathsf{A}\) that sends two messages \(m_0, m_1\) to the challenger for the hiding game. Only if \(\mathsf{S} \) leaks \(m_0\), \(\mathsf{A}\) outputs 0. In all other cases, \(\mathsf{A}\) outputs 1. Let \(\varepsilon \ge 0\) and \(\delta \) be functions with \(\delta '_{k}< \delta _{k}\) for sufficiently large k. For such k,

$$\begin{aligned} {\Pr }\left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{S} (1^{k},m_0)} \rangle = 0 \right] = \delta&> \delta ' = 2^{\varepsilon } \, 0 + \delta '\\&= 2^{\varepsilon } \, {\Pr }\left[ \langle {\mathsf{A}(1^{k})} \vert {\mathsf{S} (1^{k},m_1)} \rangle = 0 \right] + \delta '. \end{aligned}$$

Consequently, \(\mathcal C \) is not \((\varepsilon ,\delta ')\)-\(\mathrm {differentially\ hiding}\).    \(\square \)

B Unpredictability

So far we only considered the effect of (bounded) weak randomness on cryptographic indistinguishability notions. The security games for notions such as the binding property of commitments, unforgeability of signatures and message authentication codes, or guessing the key of an encryption scheme do not require indistinguishability. Instead, the adversary typically has to predict a particular bitstring, which should only be possible with negligible probability. It is well-known that such unpredictability (or unbreakability) notions are achievable even if an \(\alpha \)-weak source is employed [13, 15, 18, 28].

We further analyze how imperfect randomness influences the probability for guessing a whole bitstring, e.g., for breaking the binding property of a commitment. The corresponding security definitions typically require that no adversary has more than a negligible chance to reach a certain bad event. We generalize the intuition of breaking a scheme by dividing a game \(\mathsf{Z}\) into two parts. The “normal game” \(\mathsf{Z}_0\) and a judge \(\mathsf{Z}_1\) that decides whether or not a given string constitutes a break of the scheme. Technically, the output of an adversary \(\mathsf{A}\) in interaction with \(\mathsf{Z}_0\) is fed into \(\mathsf{Z}_1\), which finally outputs a bit \(b \in \{0,1\}\) indicating whether the adversary has won.

Definition 6

(Unpredictability). Let \(\mathsf{Z}= (\mathsf{Z}_0,\mathsf{Z}_1)\) be a probabilistic machine that may keep state. We say that \(\mathsf{Z}\) is \(\delta \)-unpredictable for a class \(\mathcal {A}\) of adversaries and for a distribution \(\{D _{n}\}_{n \in \mathbb N}\), if for all \(\mathsf{A}\in \mathcal {A}\) and for sufficiently large \({k}\),

$$\begin{aligned} {\Pr }\left[ \mathsf{Z}_1\left( \langle {\mathsf{A}(1^{k})} \vert {\mathsf{Z}_0(1^{k}, D _{{n}})} \rangle \right) = 1 \right] \le \delta . \end{aligned}$$

We show that for all games that can be described as a unpredictability game and for which the probability to win is negligible under uniform randomness, the probability is still negligible if an \(\alpha \)-weak source is used. Similar to our comments in Remark 2, we notice that min-entropy suffices for this result.

Corollary 3

If a probabilistic machine \(\mathsf{Z}= (\mathsf{Z}_0,\mathsf{Z}_1)\) that may keep state is \(\delta \)-unpredictable for a class of probabilistic machines \(\mathcal {A}\) and consumes at most n bits of uniform randomness, then \(\mathsf{Z}\) is \((2^{\alpha }\delta )\)-unpredictable for \(\mathcal {A}\) for any \(\alpha \)-weak source \(\{D _{n}\}_{n \in \mathbb N}\).

Proof

We reduce this corollary to Lemma 1 as follows: Let \(\mathsf{Z}= (\mathsf{Z}_0,\mathsf{Z}_1)\) be a probabilistic (not necessarily polynomially bounded) machine that may keep state. Given any adversary \(\mathsf{A}\in \mathcal {A}\), we construct a probabilistic machine \(\mathsf{B}\) on input \(r \in \{0,1\}^{{n}}\) as follows. \(\mathsf{B}\) simulates the interaction between \(\mathsf{A}\) and \(\mathsf{Z}_0(1^k,r)\), yields an output a and simulates \(\mathsf{Z}_1\) on a. If \(\mathsf{Z}_0\) keeps state for \(\mathsf{Z}_1\), \(\mathsf{B}\) also simulates this behavior. It holds that

$$\begin{aligned}&{\Pr }\left[ \mathsf{Z}_{1}(a) =1 \; \Big | \; a \leftarrow \, \langle {\mathsf{A}(1^k)}\vert {\mathsf{Z}_{0}(1^{k}, D _{{n}})}\rangle \right] \end{aligned}$$

(B.1)

$$\begin{aligned}&= {\Pr }\left[ {\mathsf{B}(1^{k},D _{{n}})=1} \right] \le 2^{\alpha } \, {\Pr }\left[ {\mathsf{B}(1^{k},U _{{n}})=1} \right] \end{aligned}$$

(B.2)

$$\begin{aligned}&=2^{\alpha } \, {\Pr }\left[ \mathsf{Z}_{1}(a)=1 \; \Big | \; a \leftarrow \, \langle {\mathsf{A}(1^k)} \vert {\mathsf{Z}_{0}(1^{k}, U _{{n}})}\rangle \right] \le 2^{\alpha } \, \delta . \end{aligned}$$

(B.3)

Inequality (B.2) follows from Lemma 1 and inequality (B.3) holds by assumption.    \(\square \)