A Better Chain Rule for HILL Pseudoentropy - Beyond Bounded Leakage

  • Conference paper
Information Theoretic Security (ICITS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10015)

Abstract

Chain rules are inequalities used to estimate by how much entropy decreases when conditioning on some extra knowledge. Their popular application is to argue about security, by proving that the entropy of a secret remains sufficiently high even in the presence of leakage. We provide a chain rule for HILL/Metric conditional pseudoentropy (applicable for leakage-resilient cryptography), with the following new features:

  (a) Better quality loss - when conditioning on already conditioned distribution, the loss due to the “internal” conditional part is additive, not multiplicative as conjectured in folklore,

  (b) Better quantity loss - the leakage length is replaced by the effective leakage length which equals the “pseudoentropy gap” of the leakage conditioned on the secret,

  (c) Flexible quality loss - the loss can be continuously traded between both computational resources: time and advantage.

The relevance of these results is as follows: (a) is a result complementary to recent negative results (TCC’13) on the chain rule for HILL pseudoentropy - it explains that an efficient chain rule for HILL pseudoentropy is possible under certain conditions. With (b) we can extend some leakage resilient constructions, beyond the bounded leakage model, to capture noisy leakages (studied extensively in recent EUROCRYPT papers); interestingly, we show that the new chain rule can handle specific noisy leakages better than the noisy-leakage framework. Finally using (c) we can unify all previous results and techniques about pseudoentropy chain rules.

Notes

  1. Theoretically, this could be also a bit of the output and then it can be distinguished from random with advantage close to \(\frac{1}{2}\).

  2. Our setting is non-uniform so here we think of circuit size as “time”.

  3. We note that in a more standard notion the entire stream \(X_1,\ldots ,X_{q}\) is indistinguishable from random. This is implied by the notion above by a standard hybrid argument, with a loss of a multiplicative factor of q in the distinguishing advantage.

References

  1. Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) APPROX/RANDOM 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003)

  2. Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011)

  3. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)

  4. Dodis, Y., Pietrzak, K., Wichs, D.: Key derivation without entropy waste. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 93–110. Springer, Heidelberg (2014)

  5. Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013)

  6. Duc, A., Dziembowski, S., Faust, S.: Unifying leakage models: from probing attacks to noisy leakage. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 423–440. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_24

  7. Dziembowski, S., Faust, S., Skorski, M.: Noisy leakage revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 159–188. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_6

  8. Dziembowski, S., Faust, S., Skórski, M.: Optimal amplification of noisy leakages. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 291–318. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_11

  9. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, pp. 293–302. IEEE Computer Society, Washington, DC, USA (2008)

  10. Faust, S., Pietrzak, K., Schipper, J.: Practical leakage-resilient symmetric cryptography. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 213–232. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33027-8_13

  11. Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28914-9_33

  12. Fuller, B., Reyzin, L.: Computational entropy and information leakage. Cryptology ePrint Archive, Report 2012/466 (2012). http://eprint.iacr.org/

  13. Hastad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

  14. Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72540-4_10

  15. Jetchev, D., Pietrzak, K.: How to fake auxiliary input. In: Sahai, A. (ed.) TCC 2014. LNCS, vol. 8349, pp. 566–590. Springer, Heidelberg (2014)

  16. Krenn, S., Pietrzak, K., Wadia, A.: A counterexample to the chain rule for conditional HILL entropy. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 23–39. Springer, Heidelberg (2013)

  17. George, M., Michael, L.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton (1994)

  18. Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)

  19. Pietrzak, K., Skórski, M.: The chain rule for HILL pseudoentropy, revisited. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 81–98. Springer, Heidelberg (2015). doi:10.1007/978-3-319-22174-8_5

  20. Prouff, E., Rivain, M.: Masking against side-channel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 142–159. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_9

  21. Reingold, O., Trevisan, L., Tulsiani, M., Vadhan, S.: Dense subsets of pseudorandom sets. In: Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, pp. 76–85. IEEE Computer Society, Washington (2008)

  22. Shaltiel, R.: An introduction to randomness extractors. In: Loeckx, J. (ed.) ICALP 2011. LNCS, vol. 14, pp. 21–41. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22012-8_2

  23. Skórski, M.: Modulus computational entropy. In: Lehmann, A., Wolf, S. (eds.) ICITS 2013. LNCS, vol. 9063, pp. 179–199. Springer, Heidelberg (2014)

  24. Skorski, M.: Metric pseudoentropy: characterizations, transformations and applications. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 105–122. Springer, Heidelberg (2015). doi:10.1007/978-3-319-17470-9_7

  25. Skórski, M., Golovnev, A., Pietrzak, K.: Condensed unpredictability. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015. LNCS, vol. 9134, pp. 1046–1057. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47672-7_85

  26. Vadhan, S., Zheng, C.J.: A uniform min-max theorem with applications in cryptography. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 93–110. Springer, Heidelberg (2013)

  27. Yu, Y., Standaert, F.-X.: Practical leakage-resilient pseudorandom objects with minimum public randomness. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 223–238. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36095-4_15

Author information

Correspondence to Maciej Skórski.

Appendices

A Proof of Corollary 2

Proof

Let \(Y^{*}\) be the distribution maximizing the expectation of \(\mathsf {D}\) as in Eq. (2), and let \(\mathsf {D}'\) be defined as in Lemma 2. Since \(\mathsf {D}'\)

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z)&= {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z)}\max (\mathsf {D}(x,z)-t(z),0) \nonumber \\&\geqslant {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z)}\mathsf {D}(x,z) - {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z)}t(z) \end{aligned} \tag{15}$$

$$\begin{aligned}&= {{\mathrm{\mathbb {E}}}}\mathsf {D}(X,Z) - {{\mathrm{\mathbb {E}}}}t(Z) \end{aligned} \tag{16}$$

Denote \({\mathbf {H}}_{\infty }\left( Y^{*}|Z=z\right) = k(z)\). We have \({{\mathrm{\mathbb {E}}}}_{z\sim Z} 2^{-k(z)} = 2^{-k}\). On the other hand, from Eq. (4) we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y^{*},Z)&= \sum _{x,z} \max \left( \mathsf {D}(x,z) -t(z), 0 \right) \cdot \mathbf {P}_{Y^{*},Z}(x,z) \nonumber \\&= \sum _{x,z}\left( \mathsf {D}(x,z) -t(z) \right) \cdot \mathbf {P}_{Y^{*},Z}(x,z) \nonumber \\&= {{\mathrm{\mathbb {E}}}}\mathsf {D}(Y^{*},Z) - {{\mathrm{\mathbb {E}}}}t(Z) \end{aligned} \tag{17}$$

Given Eqs. (16) and (17) we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z) \geqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y^{*},Z) + \epsilon \end{aligned}$$

but in view of Corollary 1 this proves much more, namely

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z) \geqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y,Z) + \epsilon \quad \text {for every }Y\text { such that }\widetilde{\mathbf {H}}_{\infty }\left( Y|Z\right) \geqslant k. \end{aligned} \tag{18}$$

   \(\square \)

B Proof of Theorem 3

Proof

Threshold transformation. Assuming contrarily, for the sake of a contradiction, we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}(X,Z_1,Z_2) \geqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}(Y,Z_1,Z_2) + \epsilon ' \end{aligned} \tag{19}$$

Then, according to Eq. (6) we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z_1,Z_2) - {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y,Z_1,Z_2) \geqslant \epsilon ' \end{aligned} \tag{20}$$

for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1,Z_2\right) \geqslant k\) and some \(\mathsf {D}\) of size \(s'\), and moreover, by Eq. (7), that for some \(t_0\)

$$\begin{aligned} \forall z_1,z_2: \sum _{x,z_1,z_2}\mathsf {D}'(x,z_1,z_2) = t_0. \end{aligned} \tag{21}$$

Distinguisher for conditional part removed. Let \(Y=Y^{*}\) be the distribution maximizing \({{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y,Z_1,Z_2)\) over the constraint \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1,Z_2\right) \geqslant k'\). For the maximizing distribution we can assume \(\widetilde{\mathbf {H}}_{\infty }\left( Y^{*}|Z_1,Z_2\right) = k'\). According to Eqs. (20) and (21) we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}_{z\sim Z_2}\left[ {{\mathrm{\mathbb {E}}}}\left. \mathsf {D}'((X,Z_1)\right| _{Z_2=z_2},z_2)\right]&= {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z_1,Z_2) \nonumber \\&\geqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y^{*},Z_1,Z_2) + \epsilon ' \nonumber \\&= 2^{-k'} t_0 + \epsilon ' \end{aligned}$$

Thus, for every \(\ell \) there exists a subset S of \(|S| = \ell \) elements \(z_2\) (more precisely: the set of values z corresponding to the biggest values of \({{\mathrm{\mathbb {E}}}}\left. \mathsf {D}'((X,Z_1)\right| _{Z_2=z_2},z_2) \)) such that

$$\begin{aligned} \sum _{z_2\in S}\mathbf {P}_{Z_2}(z_2) {{\mathrm{\mathbb {E}}}}\mathsf {D}'(\left. (X,Z_1)\right| _{Z_2=z_2},z_2) \geqslant \frac{\ell }{2^{m_2}}\left( 2^{-k'}t_0 + \epsilon '\right) \end{aligned} \tag{22}$$

Note that

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)} \max _{z_2\in S}\mathsf {D}'( x,z,z_2)&\geqslant \sum _{x,z_1}\mathbf {P}_{X,Z_1}(x,z_1)\sum _{z_2\in S}\mathbf {P}_{Z_2|X=x,Z_1=z_1}(z)\mathsf {D}'(x,z_1,z_2) \nonumber \\&= \sum _{z_2\in S}\mathbf {P}_{Z_2}(z_2) {{\mathrm{\mathbb {E}}}}\mathsf {D}'(\left. (X,Z_1)\right| _{Z_2=z_2},z_2) \end{aligned} \tag{23}$$

In turn, for every fixed value \(z_1\) by Eq. (21) we obtain

$$\begin{aligned} \frac{\ell }{2^{m_2}} \cdot 2^{-k'}t_0&= 2^{-k'-m_2}\cdot \sum _{x}\sum _{z_2 \in S} \mathsf {D}'(x,z_1,z_2) \nonumber \\&\geqslant 2^{-k'-m_2}\cdot \sum _{x}\max _{z_2\in S} \mathsf {D}'(x,z_1,z_2) \end{aligned} \tag{24}$$

Define

$$\begin{aligned} \mathsf {D}''(x,z_1) = \max _{z_2\in S}\mathsf {D}'( x,z_1,z_2) . \end{aligned} \tag{25}$$

Combining Eqs. (22) to (24) we obtain

$$\begin{aligned} \forall z_1:\quad {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)}\mathsf {D}''(x,z) \geqslant 2^{-k'-m_2}\cdot \sum _{x}\mathsf {D}''(x,z_1) + \frac{\ell \epsilon '}{2^{m_2}} \end{aligned} \tag{26}$$

(note that only the right-hand side depends on \(z_1\)). Let Y be any distribution such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1\right) \geqslant k = k'+m_2\), and let \({\mathbf {H}}_{\infty }\left( \left. Y\right| _{Z_1=z}\right) = k(z)\). Note that we have

$$\begin{aligned} \max _{z_1}\left( 2^{-k'-m_2}\cdot \sum _{x}\mathsf {D}''(x,z_1) \right)&= 2^{-k}\cdot \max _{z_1}\left( \sum _{x}\mathsf {D}''(x,z_1) \right) \nonumber \\&\geqslant \sum _{z_1}\mathbf {P}_{Z_1}(z_1)\sum _{x}\mathsf {D}''(x,z_1) \cdot 2^{-k(z_1)} \nonumber \\&\geqslant \sum _{z_1}\mathbf {P}_{Z_1}(z_1)\sum _{x}\mathsf {D}''(x,z_1) \cdot \mathbf {P}_{\left. Y\right| _{Z_1=z_1}}(z_1) \nonumber \\&= {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (Y,Z_1)}\mathsf {D}''(Y,Z_1) \end{aligned} \tag{27}$$

Since Eq. (26) holds for every \(z_1\), Eq. (27) implies

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)}\mathsf {D}''(x,z) \geqslant {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (Y,Z_1)}\mathsf {D}''(Y,Z_1) + \frac{\ell \epsilon '}{2^{m_2}}, \end{aligned} \tag{28}$$

for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z\right) \geqslant k\).

Complexity. To complete the proof it remains to observe that \(\mathsf {D}''\) can be computed by a circuit of size \(s=\ell s' + 2^{m_1}\ell +\ell \). Indeed, computing \(\mathsf {D}'(x,z_1,z_2) = \max ( \mathsf {D}(x,z_1,z_2)-t(z_1,z_2),0)\) for all possible values \(z_2\in S\) requires size \(\ell s'+2^{m_1}\ell +\ell \), and then computing \(\mathsf {D}''=\max _{z_2 \in S}\mathsf {D}'(x,z_1,z_2) \) from \(\mathsf {D}'\) requires an additive overhead \(\ell \) (maximum over \(\ell \) outputs).    \(\square \)
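The two averaging steps used above, Eqs. (15)-(16) and Eq. (27), can be checked numerically. The following Python sketch is an added example, not code from the paper; the function names and the small constructed distributions are assumptions made for illustration. It builds \(\mathsf {D}''\) as in Eq. (25) and verifies both inequalities with exact rational arithmetic, using the actual average min-entropy of each sampled \(Y\) given \(Z_1\) as k.

```python
from fractions import Fraction as F
from itertools import product
import random

def guessing_probability(joint):
    """2^{-k} = E_z 2^{-k(z)} = sum_z max_x P(x, z); k is the average min-entropy of Y given Z1."""
    best = {}
    for (x, z), p in joint.items():
        best[z] = max(best.get(z, F(0)), p)
    return sum(best.values())

def expectation(D, joint):
    """E D(Y, Z1) for a [0,1]-valued distinguisher given as a table."""
    return sum(p * D[(x, z)] for (x, z), p in joint.items())

def threshold(D, t):
    """D'(x, z) = max(D(x, z) - t(z), 0), the threshold transformation."""
    return {(x, z): max(v - t[z], F(0)) for (x, z), v in D.items()}

def max_over_S(D3, S, xs, z1s):
    """D''(x, z1) = max_{z2 in S} D'(x, z1, z2), as in Eq. (25)."""
    return {(x, z1): max(D3[(x, z1, z2)] for z2 in S) for x in xs for z1 in z1s}

def eq27_bound(D2, xs, z1s, joint):
    """2^{-k} * max_{z1} sum_x D''(x, z1): the first expression in Eq. (27)."""
    return guessing_probability(joint) * max(sum(D2[(x, z1)] for x in xs) for z1 in z1s)

def random_joint(rng, xs, zs):
    """Constructed sample distribution of (Y, Z1) with exact rational weights."""
    w = {(x, z): rng.randint(0, 20) for x in xs for z in zs}
    w[(xs[0], zs[0])] += 1  # keep the total weight positive
    total = sum(w.values())
    return {key: F(v, total) for key, v in w.items()}

def check(trials=300, seed=1):
    """Return True if both inequalities hold on every constructed instance."""
    rng = random.Random(seed)
    xs, z1s, z2s = list(range(4)), list(range(2)), list(range(4))
    for _ in range(trials):
        D3 = {key: F(rng.randint(0, 8), 8) for key in product(xs, z1s, z2s)}
        S = rng.sample(z2s, 2)          # the subset S of leakage values z2
        D2 = max_over_S(D3, S, xs, z1s)
        joint = random_joint(rng, xs, z1s)
        # Eq. (27): E D''(Y, Z1) <= 2^{-k} * max_{z1} sum_x D''(x, z1)
        if expectation(D2, joint) > eq27_bound(D2, xs, z1s, joint):
            return False
        # Eqs. (15)-(16): E D'(X, Z) >= E D(X, Z) - E t(Z)
        t = {z: F(rng.randint(0, 8), 8) for z in z1s}
        e_t = sum(p * t[z] for (_, z), p in joint.items())
        if expectation(threshold(D2, t), joint) < expectation(D2, joint) - e_t:
            return False
    return True

if __name__ == "__main__":
    print(check())
```
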

C Proof of Theorem 4

Proof

The proof is based on the proof of Theorem 3 and starts exactly in the same way as the proof of Theorem 3, repeating its first step. The difference is in the second step, where we define the distinguisher. Similarly, we start with the inequality

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}_{z\sim Z_2}\left[ {{\mathrm{\mathbb {E}}}}\left. \mathsf {D}'((X,Z_1)\right| _{Z_2=z_2},z_2)\right]&= {{\mathrm{\mathbb {E}}}}\mathsf {D}'(X,Z_1,Z_2) \nonumber \\&\geqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}'(Y^{*},Z_1,Z_2) + \epsilon ' \nonumber \\&= 2^{-k'} t_0 + \epsilon '. \end{aligned}$$

Similarly to Eq. (22), for any \(\ell \) there is a set S of cardinality \(\ell \) (whose elements correspond to \(\ell \) biggest values being averaged on the left-hand side) such that

$$\begin{aligned} \sum _{z_2 \in S}\mathbf {P}_{Z_2}(z_2) {{\mathrm{\mathbb {E}}}}\mathsf {D}'(\left. (X,Z_1)\right| _{Z_2=z_2},z_2) \geqslant \frac{\ell }{2^{m_2}}\left( 2^{-k'}t_0 + \epsilon '\right) \end{aligned} \tag{29}$$

The left-hand side can be alternatively written as

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2) = \sum _{z_2 \in S}\mathbf {P}_{Z_2}(z_2) {{\mathrm{\mathbb {E}}}}\mathsf {D}'(\left. (X,Z_1)\right| _{Z_2=z_2},z_2) \end{aligned}$$

where \(\mathsf {D}''(x,z_1,z_2) = \mathsf {D}'(x,z_1,z_2)\cdot \mathbf {1}_{S}(z_2)\), (here \(\mathbf {1}_{S}\) is the characteristic function of S). Suppose that \(\mathbf {H}^{\mathrm {Metric}}_{s'',\epsilon ''}(Z_2|Z_1,X) \geqslant m_2-\Delta \) where \(s''\) is bigger than the complexity of \(\mathsf {D}''\). Then there is \(Z_2'\) such that \(\widetilde{\mathbf {H}}_{\infty }\left( Z_2'|Z_1,X\right) = m_2-\Delta \) and \({{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2) \leqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2')+\epsilon ''\). Therefore, we have

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2)-\epsilon ''&\leqslant {{\mathrm{\mathbb {E}}}}\mathsf {D}''(X,Z_1,Z_2') \nonumber \\&= \sum _{x,z_1}\mathbf {P}_{X,Z_1}(x,z_1)\sum _{z_2}\mathbf {P}_{Z_2'|Z_1=z_1,X=x}(z_2)\mathsf {D}''(x,z_1,z_2) \nonumber \\&= \sum _{x,z_1}\mathbf {P}_{X,Z_1}(x,z_1)\sum _{z_2\in S}\mathbf {P}_{Z_2'|Z_1=z_1,X=x}(z_2)\mathsf {D}'(x,z_1,z_2) \nonumber \\&\leqslant 2^{\Delta -m_2} t_0, \end{aligned}$$

where in the last line we used Eq. (21) and \(\widetilde{\mathbf {H}}_{\infty }\left( Z_2'|Z_1,X\right) = m_2-\Delta \). This can be rewritten as

$$\begin{aligned} \epsilon ''+ \sum _{x,z_1}\mathbf {P}_{X,Z_1}(x,z_1)\frac{\sum _{z_2 \in S}\mathsf {D}'(x,z_1,z_2)}{2^{m_2-\Delta }}&\geqslant \sum _{z_2 \in S}\mathbf {P}_{Z_2}(z_2) {{\mathrm{\mathbb {E}}}}\mathsf {D}'(\left. (X,Z_1)\right| _{Z_2=z_2},z_2) \end{aligned} \tag{30}$$

From Eqs. (29) and (30) we conclude that

$$\begin{aligned} \epsilon ''+ 2^{\Delta } {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)} \left[ \frac{\sum _{z_2 \in S}\mathsf {D}'( x,z,z_2)}{2^{m_2}}\right]&\geqslant \frac{\ell }{2^{m_2}} \left( 2^{-k'}t_0 + \epsilon '\right) \end{aligned}$$

or equivalently

$$\begin{aligned} \frac{2^{m_2}\epsilon ''}{\ell }+ 2^{\Delta } {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)} \left[ \frac{\sum _{z_2 \in S}\mathsf {D}'( x,z,z_2)}{\ell }\right]&\geqslant \left( 2^{-k'}t_0 + \epsilon '\right) \end{aligned} \tag{31}$$

In turn, for every fixed value \(z_1\) by Eq. (21) we obtain

$$\begin{aligned} 2^{-k'}t_0&= 2^{-k'}\ell ^{-1}\cdot \sum _{x}\sum _{z_2 \in S} \mathsf {D}'(x,z_1,z_2) \nonumber \\&= 2^{-k'}\cdot \sum _{x}\frac{\sum _{z_2\in S} \mathsf {D}'(x,z_1,z_2)}{\ell } \end{aligned} \tag{32}$$

Defining a new distinguisher \(\mathsf {D}''\) as the average over S from \(\mathsf {D}'\) (note that it outputs numbers between 0 and 1)

$$\begin{aligned} \mathsf {D}''(x,z_1) = \frac{\sum _{z_2\in S}\mathsf {D}'(x,z_1,z_2)}{\ell } \end{aligned} \tag{33}$$

we can combine Eqs. (31) and (32) with Eq. (21) as

$$\begin{aligned} \forall z_1:\quad \frac{ 2^{m}\epsilon ''}{2^\Delta \ell }+ {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)}\mathsf {D}''(x,z) \geqslant 2^{-k'-{\Delta }}\cdot \sum _{x} \mathsf {D}''(x,z_1) + \frac{\epsilon '}{2^{\Delta }} \end{aligned} \tag{34}$$

Let Y be any distribution such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z_1\right) \geqslant k = k'+\Delta \), and let \({\mathbf {H}}_{\infty }\left( \left. Y\right| _{Z_1=z}\right) = k(z)\). Note that we have

$$\begin{aligned} \max _{z_1}\left( 2^{-k'-\Delta }\cdot \sum _{x}\mathsf {D}''(x,z_1) \right)&= 2^{-k}\cdot \max _{z_1}\left( \sum _{x}\mathsf {D}''(x,z_1) \right) \nonumber \\&\geqslant \sum _{z_1}\mathbf {P}_{Z_1}(z_1)\sum _{x}\mathsf {D}''(x,z_1) \cdot 2^{-k(z_1)} \nonumber \\&\geqslant \sum _{z_1}\mathbf {P}_{Z_1}(z_1)\sum _{x}\mathsf {D}''(x,z_1) \cdot \mathbf {P}_{\left. Y\right| _{Z_1=z_1}}(z_1) \nonumber \\&= {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (Y,Z_1)}\mathsf {D}''(Y,Z_1) \end{aligned} \tag{35}$$

Since Eq. (35) holds for every \(z_1\), Eq. (34) implies

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (X,Z_1)}\mathsf {D}''(x,z) \geqslant {{\mathrm{\mathbb {E}}}}_{(x,z)\sim (Y,Z_1)}\mathsf {D}''(Y,Z_1) + \frac{\epsilon '-2^{m}\ell ^{-1}\epsilon ''}{2^{\Delta }}, \end{aligned} \tag{36}$$

for every Y such that \(\widetilde{\mathbf {H}}_{\infty }\left( Y|Z\right) \geqslant k\).

Step 3: Complexity. To complete the proof it remains to observe that \(\mathsf {D}''\) can be computed by a circuit of size \(s=\ell s' + 2^{m_1}\ell + \ell \). Indeed, computing \(\mathsf {D}'(x,z_1,z_2) = \max ( \mathsf {D}(x,z_1,z_2)-t(z_1,z_2),0)\) for all possible values \(z_2\in S\) requires size \(\ell s'+2^{m_1}\ell +\ell \), and then computing \(\mathsf {D}''= \ell ^{-1}\sum _{z_2}\mathsf {D}'(x,z_1,z_2) \) from \(\mathsf {D}'\) requires an additive overhead \(\ell \) (average over \(\ell \) outputs).    \(\square \)

Copyright information

© 2016 Springer International Publishing AG

Cite this paper

Skórski, M. (2016). A Better Chain Rule for HILL Pseudoentropy - Beyond Bounded Leakage. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science, vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_14

  • DOI: https://doi.org/10.1007/978-3-319-49175-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49174-5

  • Online ISBN: 978-3-319-49175-2

  • eBook Packages: Computer Science (R0)
