Abstract
Chain rules are inequalities used to estimate by how much entropy decreases when conditioning on some extra knowledge. Their most common application is in security arguments: proving that the entropy of a secret remains sufficiently high even in the presence of leakage. We provide a chain rule for HILL/Metric conditional pseudoentropy (applicable to leakage-resilient cryptography) with the following new features:
- (a) Better quality loss: when conditioning on an already conditioned distribution, the loss due to the “internal” conditional part is additive, not multiplicative as conjectured in folklore;
- (b) Better quantity loss: the leakage length is replaced by the effective leakage length, which equals the “pseudoentropy gap” of the leakage conditioned on the secret;
- (c) Flexible quality loss: the loss can be traded continuously between the two computational resources, time and advantage.
The relevance of these results is as follows: (a) is a result complementary to recent negative results (TCC’13) on the chain rule for HILL pseudoentropy - it explains that an efficient chain rule for HILL pseudoentropy is possible under certain conditions. With (b) we can extend some leakage resilient constructions, beyond the bounded leakage model, to capture noisy leakages (studied extensively in recent EUROCRYPT papers); interestingly, we show that the new chain rule can handle specific noisy leakages better than the noisy-leakage framework. Finally using (c) we can unify all previous results and techniques about pseudoentropy chain rules.
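The chain rules the abstract refers to have a simple information-theoretic ancestor: for average conditional min-entropy, conditioning on a leakage Z with at most 2^λ possible values costs at most λ bits (the lemma from the fuzzy-extractors paper cited below), and the bound tightens to λ minus the min-entropy the leakage retains given the secret, which is the information-theoretic counterpart of the “effective leakage length” in point (b). The following Python block is an added example, not code from the paper: it builds two constructed toy leakages on a uniform 8-bit secret (a deterministic Hamming-weight leakage and a noisy XOR leakage), computes both sides of each bound, and checks them. The pseudoentropy (HILL/Metric) versions are not computed here, since they quantify over circuits; the helper names are the example's own.

```python
"""Numeric chain-rule check for (average) min-entropy, the information-theoretic
analogue of the pseudoentropy chain rules in the abstract (added example)."""
from collections import defaultdict
from math import log2


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x] for a dict value -> probability."""
    return -log2(max(dist.values()))


def avg_min_entropy(joint):
    """Average conditional min-entropy (Dodis, Ostrovsky, Reyzin, Smith):
    H~_inf(X|Z) = -log2 sum_z max_x Pr[X = x, Z = z].  `joint` maps (x, z) -> prob."""
    best = defaultdict(float)
    for (x, z), p in joint.items():
        best[z] = max(best[z], p)
    return -log2(sum(best.values()))


def marginal(joint, idx):
    """Marginal of coordinate `idx` (0 = secret X, 1 = leakage Z)."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[key[idx]] += p
    return dict(out)


def worst_case_cond_min_entropy(joint):
    """min_x H_inf(Z | X = x): how unpredictable the leakage stays for the worst secret."""
    px = marginal(joint, 0)
    worst = 0.0
    for (x, z), p in joint.items():
        worst = max(worst, p / px[x])  # Pr[Z = z | X = x]
    return -log2(worst)


def chain_rule_report(joint):
    """Return (H_inf(X), H~_inf(X|Z), leakage length lambda, effective leakage length).
    Both bounds are checked; both are provable for every joint distribution:
      H~_inf(X|Z) >= H_inf(X) - lambda                           (lambda = log2 |supp Z|)
      H~_inf(X|Z) >= H_inf(X) - (lambda - min_x H_inf(Z | X = x))
    The second follows from max_x Pr[x, z] <= max_x Pr[x] * max_{x'} Pr[z | x'] summed over z.
    """
    hx = min_entropy(marginal(joint, 0))
    hxz = avg_min_entropy(joint)
    lam = log2(len(marginal(joint, 1)))
    eff = lam - worst_case_cond_min_entropy(joint)
    assert hxz >= hx - lam - 1e-9
    assert hxz >= hx - eff - 1e-9
    return hx, hxz, lam, eff


N = 8  # the secret X is uniform on N bits (constructed toy distribution)


def hamming_weight_leakage():
    """Z = Hamming weight of X: deterministic, bounded leakage of log2(N+1) bits."""
    return {(x, bin(x).count("1")): 1.0 / 2**N for x in range(2**N)}


def noisy_xor_leakage(flip=0.4):
    """Z = X xor E, each bit of E flipped independently with probability `flip`:
    an N-bit leakage whose effective length is far below N."""
    joint = {}
    for x in range(2**N):
        for e in range(2**N):
            d = bin(e).count("1")
            joint[(x, x ^ e)] = (1.0 / 2**N) * (1 - flip) ** (N - d) * flip**d
    return joint


if __name__ == "__main__":
    for name, j in (("hamming weight", hamming_weight_leakage()),
                    ("noisy xor", noisy_xor_leakage())):
        hx, hxz, lam, eff = chain_rule_report(j)
        print(f"{name:15s} H(X)={hx:.3f} H(X|Z)={hxz:.3f} "
              f"lambda={lam:.3f} effective={eff:.3f}")
```

For the noisy XOR leakage Z is 8 bits long, but the secret loses only about 2.1 bits of min-entropy, which is exactly what the effective-length bound predicts, while the plain bound λ = 8 says nothing; for the deterministic Hamming-weight leakage the two bounds coincide, as they must when the leakage has no noise.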
Notes
1. Theoretically, this could also be a bit of the output, and then it can be distinguished from random with advantage close to \(\frac{1}{2}\).
2. Our setting is non-uniform, so here we think of circuit size as “time”.
3. We note that in a more standard notion the entire stream \(X_1,\ldots ,X_{q}\) is indistinguishable from random. This is implied by the notion above by a standard hybrid argument, with a loss of a multiplicative factor of q in the distinguishing advantage.
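The factor q in the last note comes from a telescoping (hybrid) argument. The derivation below is added here and is not from the paper; since the main text defining the notion is not reproduced on this page, it assumes the per-block notion that each \(X_i\) is \(\epsilon\)-indistinguishable from an independent uniform block \(U_i\) given the prefix \(X_1,\ldots ,X_{i-1}\), for distinguishers of the relevant size.

For \(i=0,\ldots ,q\) define the hybrid distributions
\[
H_i = (X_1,\ldots ,X_i,\,U_{i+1},\ldots ,U_q),
\]
with \(U_{i+1},\ldots ,U_q\) independent and uniform, so that \(H_q\) is the stream and \(H_0\) is fully uniform. For any distinguisher \(\mathsf {D}\),
\[
\bigl|\Pr[\mathsf {D}(H_q)=1]-\Pr[\mathsf {D}(H_0)=1]\bigr|
=\Bigl|\sum_{i=1}^{q}\bigl(\Pr[\mathsf {D}(H_i)=1]-\Pr[\mathsf {D}(H_{i-1})=1]\bigr)\Bigr|
\leqslant \sum_{i=1}^{q}\bigl|\Pr[\mathsf {D}(H_i)=1]-\Pr[\mathsf {D}(H_{i-1})=1]\bigr|
\leqslant q\,\epsilon ,
\]
because \(H_i\) and \(H_{i-1}\) differ only in the i-th block (\(X_i\) versus \(U_i\), under the same prefix), so \(\mathsf {D}\) with the blocks \(U_{i+1},\ldots ,U_q\) sampled internally is a distinguisher against the per-block notion; the only size overhead is the sampling of those uniform blocks.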
References
Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) APPROX/RANDOM 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003)
Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011)
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Dodis, Y., Pietrzak, K., Wichs, D.: Key derivation without entropy waste. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 93–110. Springer, Heidelberg (2014)
Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013)
Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_24
Dziembowski, S., Faust, S., Skorski, M.: Noisy leakage revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 159–188. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_6
Dziembowski, S., Faust, S., Skórski, M.: Optimal amplification of noisy leakages. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 291–318. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_11
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, pp. 293–302. IEEE Computer Society, Washington, DC, USA (2008)
Faust, S., Pietrzak, K., Schipper, J.: Practical leakage-resilient symmetric cryptography. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 213–232. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33027-8_13
Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28914-9_33
Fuller, B., Reyzin, L.: Computational entropy and information leakage. Cryptology ePrint Archive, Report 2012/466 (2012). http://eprint.iacr.org/
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72540-4_10
Jetchev, D., Pietrzak, K.: How to fake auxiliary input. In: Sahai, A. (ed.) TCC 2014. LNCS, vol. 8349, pp. 566–590. Springer, Heidelberg (2014)
Krenn, S., Pietrzak, K., Wadia, A.: A counterexample to the chain rule for conditional HILL entropy. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 23–39. Springer, Heidelberg (2013)
Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton (1994)
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)
Pietrzak, K., Skórski, M.: The chain rule for HILL pseudoentropy, revisited. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 81–98. Springer, Heidelberg (2015). doi:10.1007/978-3-319-22174-8_5
Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_9
Reingold, O., Trevisan, L., Tulsiani, M., Vadhan, S.: Dense subsets of pseudorandom sets. In: Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, pp. 76–85. IEEE Computer Society, Washington (2008)
Shaltiel, R.: An introduction to randomness extractors. In: Loeckx, J. (ed.) ICALP 2011. LNCS, vol. 14, pp. 21–41. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22012-8_2
Skórski, M.: Modulus computational entropy. In: Lehmann, A., Wolf, S. (eds.) ICITS 2013. LNCS, vol. 9063, pp. 179–199. Springer, Heidelberg (2014)
Skorski, M.: Metric pseudoentropy: characterizations, transformations and applications. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 105–122. Springer, Heidelberg (2015). doi:10.1007/978-3-319-17470-9_7
Skórski, M., Golovnev, A., Pietrzak, K.: Condensed unpredictability. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015. LNCS, vol. 9134, pp. 1046–1057. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47672-7_85
Vadhan, S., Zheng, C.J.: A uniform min-max theorem with applications in cryptography. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 93–110. Springer, Heidelberg (2013)
Yu, Y., Standaert, F.-X.: Practical leakage-resilient pseudorandom objects with minimum public randomness. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 223–238. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36095-4_15
Appendices
A Proof of Corollary 2
Proof
Let \(Y^{*}\) be the distribution maximizing the expectation of \(\mathsf {D}\) as in Eq. (2), and let \(\mathsf {D}'\) be defined as in Lemma 2. Since \(\mathsf {D}'\)
Denote \({\mathbf {H}}_{\infty }\left( Y^{*}|Z=z\right) = k(z)\). We have \({{\mathrm{\mathbb {E}}}}_{z\sim Z} 2^{-k(z)} = 2^{-k}\). On the other hand, from Eq. (4) we have
Given Eqs. (16) and (17) we have
but in view of Corollary 1 this proves much more, namely
\(\square \)
B Proof of Theorem 3
Proof
Threshold transformation. Assume, for the sake of contradiction, that we have
Then, according to Eq. (6) we have
for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1,Z_2\right) \geqslant k\) and some \(\mathsf {D}\) of size \(s'\), and moreover, by Eq. (7), that for some \(t_0\)
Distinguisher with the conditional part removed. Let \(Y=Y^{*}\) be the distribution maximizing \({{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y,Z_1,Z_2)\) subject to the constraint \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1,Z_2\right) \geqslant k'\). For the maximizing distribution we can assume \(\widetilde{\mathbf {H}}_{\infty }\left( Y^{*}|Z_1,Z_2\right) = k'\). According to Eqs. (20) and (21) we have
Thus, for every \(\ell \) there exists a subset S of \(|S| = \ell \) elements \(z_2\) (more precisely: the set of the \(\ell \) values \(z_2\) corresponding to the biggest values of \({{\mathrm{\mathbb {E}}}}\left. \mathsf {D}'((X,Z_1)\right| _{Z_2=z_2},z_2) \)) such that
Note that
In turn, for every fixed value \(z_1\) by Eq. (21) we obtain
Define
Combining Eqs. (22) to (24) we obtain
(note that only the right-hand side depends on \(z_1\)). Let Y be any distribution such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1\right) \geqslant k = k'+m_2\), and let \({\mathbf {H}}_{\infty }\left( \left. Y\right| _{Z_1=z}\right) = k(z)\). Note that we have
Since Eq. (26) holds for every \(z_1\), Eq. (27) implies
for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z\right) \geqslant k\).
Complexity. To complete the proof it remains to observe that \(\mathsf {D}''\) can be computed by a circuit of size \(s=\ell s' + 2^{m_1}\ell +\ell \). Indeed, computing \(\mathsf {D}'(x,z_1,z_2) = \max ( \mathsf {D}(x,z_1,z_2)-t(z_1,z_2),0)\) for all possible values \(z_2\in S\) requires size \(\ell s'+2^{m_1}\ell +\ell \), and then computing \(\mathsf {D}''=\max _{z_2 \in S}\mathsf {D}'(x,z_1,z_2) \) from \(\mathsf {D}'\) requires an additive overhead \(\ell \) (maximum over \(\ell \) outputs). \(\square \)
C Proof of Theorem 4
Proof
The proof follows the proof of Theorem 3 and repeats its first step verbatim. The difference is in the second step, where we define the distinguisher. As before, we start with the inequality
Similarly to Eq. (22), for any \(\ell \) there is a set S of cardinality \(\ell \) (whose elements correspond to \(\ell \) biggest values being averaged on the left-hand side) such that
The left-hand side can be alternatively written as
where \(\mathsf {D}''(x,z_1,z_2) = \mathsf {D}'(x,z_1,z_2)\cdot \mathbf {1}_{S}(z_2)\), (here \(\mathbf {1}_{S}\) is the characteristic function of S). Suppose that \(\mathbf {H}^{\mathrm {Metric}}_{s'',\epsilon ''}(Z_2|Z_1,X) \geqslant m_2-\Delta \) where \(s''\) is bigger than the complexity of \(\mathsf {D}''\). Then there is \(Z_2'\) such that \(\widetilde{\mathbf {H}}_{\infty }\left( Z_2'|Z_1,X\right) = m_2-\Delta \) and \({{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2) \leqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2')+\epsilon ''\). Therefore, we have
where in the last line we used Eq. (21) and \(\widetilde{\mathbf {H}}_{\infty }\left( Z_2'|Z_1,X\right) = m_2-\Delta \). This can be rewritten as
From Eqs. (29) and (30) we conclude that
or equivalently
In turn, for every fixed value \(z_1\) by Eq. (21) we obtain
Defining a new distinguisher \(\mathsf {D}''\) as the average of \(\mathsf {D}'\) over S (note that it outputs numbers between 0 and 1)
we can combine Eqs. (31) and (32) with Eq. (21) as
Let Y be any distribution such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1\right) \geqslant k = k'+\Delta \), and let \({\mathbf {H}}_{\infty }\left( \left. Y\right| _{Z_1=z}\right) = k(z)\). Note that we have
Since Eq. (35) holds for every \(z_1\), Eq. (34) implies
for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z\right) \geqslant k\).
Step 3: Complexity. To complete the proof it remains to observe that \(\mathsf {D}''\) can be computed by a circuit of size \(s=\ell s' + 2^{m_1}\ell + \ell \). Indeed, computing \(\mathsf {D}'(x,z_1,z_2) = \max ( \mathsf {D}(x,z_1,z_2)-t(z_1,z_2),0)\) for all possible values \(z_2\in S\) requires size \(\ell s'+2^{m_1}\ell +\ell \), and then computing \(\mathsf {D}''= \ell ^{-1}\sum _{z_2}\mathsf {D}'(x,z_1,z_2) \) from \(\mathsf {D}'\) requires an additive overhead \(\ell \) (average over \(\ell \) outputs). \(\square \)
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Skórski, M. (2016). A Better Chain Rule for HILL Pseudoentropy - Beyond Bounded Leakage. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science(), vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_14
DOI: https://doi.org/10.1007/978-3-319-49175-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49174-5
Online ISBN: 978-3-319-49175-2