Characterizing pseudoentropy and simplifying pseudorandom generator constructions

We provide a characterization of pseudoentropy in terms of hardness of sampling: let (X,B) be jointly distributed random variables such that B takes values in a polynomial-sized set. We show that B is computationally indistinguishable from a random variable of higher Shannon entropy given X if and only if there is no probabilistic polynomial-time S such that (X,S(X)) has small KL divergence from (X,B). This can be viewed as an analogue of the Impagliazzo Hardcore Theorem (FOCS '95) for Shannon entropy (rather than min-entropy). Using this characterization, we show that if f is a one-way function, then (f(U_n),U_n) has "next-bit pseudoentropy" at least n + log n, establishing a conjecture of Haitner, Reingold, and Vadhan (STOC '10). Plugging this into the construction of Haitner et al. yields a simpler construction of pseudorandom generators from one-way functions. In particular, the construction performs hashing only once, and needs only hash functions that are randomness extractors (e.g. universal hash functions) rather than ones that support "local list-decoding" (as in the Goldreich--Levin hardcore predicate, STOC '89). With an additional idea, we also show how to improve the seed length of the pseudorandom generator to Õ(n^3), compared to O(n^4) in the construction of Haitner et al.
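As an added illustration (not code from the paper), the following Python computes, for a constructed toy f on n = 3 bits that is not one-way, the two quantities the characterization is phrased in: the next-bit Shannon entropies H(Z_i | Z_<i) of Z = (f(U_n), U_n), which by the chain rule sum to exactly n (so the claimed n + log n of next-bit pseudoentropy is a purely computational surplus over the real entropy), and the KL divergence KL((X,B) || (X,S(X))) for X = f(U_n), B = U_n under two assumed samplers S: one that samples a uniform preimage (divergence 0) and one that ignores X (divergence H(f(U_n)) = 2 bits).

```python
import math
from collections import defaultdict
from itertools import product

N = 3  # toy input length (constructed example, not a real one-way function)
def f(x):
    """Constructed f(x) = (x0^x1, x1^x2, 0): each output has two preimages."""
    return (x[0] ^ x[1], x[1] ^ x[2], 0)

def entropy(dist):
    """Shannon entropy in bits of a dict value -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def joint_fx_x():
    """Distribution of Z = (f(U_n), U_n) as a dict bit-tuple -> probability."""
    return {f(x) + x: 1.0 / 2**N for x in product((0, 1), repeat=N)}

def next_bit_entropies(z_dist):
    """H(Z_i | Z_<i) for every position i; by the chain rule they sum to H(Z)."""
    out = []
    for i in range(len(next(iter(z_dist)))):
        prefix, joint = defaultdict(float), defaultdict(float)
        for z, p in z_dist.items():
            prefix[z[:i]] += p       # P(Z_<i)
            joint[z[:i + 1]] += p    # P(Z_<i, Z_i)
        out.append(entropy(joint) - entropy(prefix))  # H(Z_<=i) - H(Z_<i)
    return out

def kl_vs_sampler(sampler):
    """KL((X,B) || (X,S(X))) for X = f(U_n), B = U_n; sampler(x) is a dict b -> prob."""
    joint_xb, px = defaultdict(float), defaultdict(float)
    for x in product((0, 1), repeat=N):
        joint_xb[(f(x), x)] += 1.0 / 2**N
        px[f(x)] += 1.0 / 2**N
    total = 0.0
    for (y, b), p in joint_xb.items():   # X marginals agree, so this is E_x KL(B|x || S(x))
        q = sampler(y).get(b, 0.0)
        if q == 0.0:
            return math.inf  # S never outputs a value B takes: divergence is infinite
        total += p * math.log2((p / px[y]) / q)
    return total

def preimage_sampler(y):
    """Ideal S: uniform over f's preimages of y (not efficient for a real OWF)."""
    pre = [x for x in product((0, 1), repeat=N) if f(x) == y]
    return {x: 1.0 / len(pre) for x in pre}

def uniform_sampler(y):
    """Oblivious S: ignores y and outputs a uniform n-bit string."""
    return {x: 1.0 / 2**N for x in product((0, 1), repeat=N)}
```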

[1] Y. Freund et al. Adaptive game playing using multiplicative weights, 1999.

[2] Claude E. Shannon et al. Communication theory of secrecy systems, 1949, Bell Syst. Tech. J.

[3] Omer Reingold et al. Efficiency improvements in constructing pseudorandom generators from one-way functions, 2010, STOC '10.

[4] Salil Vadhan et al. A Uniform Min-Max Theorem with Applications in Cryptography, 2013, CRYPTO.

[5] Thomas Holenstein et al. Pseudorandom Generators from One-Way Functions: A Simple Construction for Any Hardness, 2006, TCC.

[6] Rafail Ostrovsky et al. Cryptography with constant computational overhead, 2008, STOC.

[7] Oded Goldreich et al. Computational complexity: a conceptual perspective, 2008, SIGA.

[8] Manuel Blum et al. How to generate cryptographically strong sequences of pseudo random bits, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[9] Boaz Barak et al. The uniform hardcore lemma via approximate Bregman projections, 2009, SODA.

[10] Russell Impagliazzo et al. Hard-core distributions for somewhat hard problems, 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[11] Oded Goldreich et al. Computational Indistinguishability: Algorithms vs. Circuits, 1998, Theor. Comput. Sci.

[13] Chi-Jen Lu et al. Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility, 2007, EUROCRYPT.

[14] M. Naor. Evaluation May Be Easier than Generation, 1996.

[15] Luca Trevisan et al. Pseudorandom generators without the XOR lemma, 1999, Proceedings of the Fourteenth Annual IEEE Conference on Computational Complexity.

[16] Oded Goldreich et al. Comparing entropies in statistical zero knowledge with applications to the structure of SZK, 1999, Proceedings of the Fourteenth Annual IEEE Conference on Computational Complexity.

[17] Leonid Reyzin et al. Some Notions of Entropy for Cryptography, 2011.

[18] Andrew Chi-Chih Yao et al. Theory and application of trapdoor functions, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[19] Ronitt Rubinfeld et al. On the learnability of discrete distributions, 1994, STOC '94.

[20] Omer Reingold et al. Inaccessible entropy, 2009, STOC '09.

[21] Avi Wigderson et al. Computational Analogues of Entropy, 2003, RANDOM-APPROX.

[22] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[23] Rafail Ostrovsky et al. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, 2004, SIAM J. Comput.

[24] Russell Impagliazzo et al. One-way functions are essential for complexity based cryptography, 1989, 30th Annual Symposium on Foundations of Computer Science.

[25] Thomas Holenstein et al. Key agreement from weak bit agreement, 2005, STOC '05.

[26] Rocco A. Servedio et al. Boosting and hard-core sets, 1999, 40th Annual Symposium on Foundations of Computer Science.

[27] Omer Reingold et al. Universal One-Way Hash Functions via Inaccessible Entropy, 2010, EUROCRYPT.

[28] Leonid Reyzin et al. Computational Entropy and Information Leakage, 2012, IACR Cryptol. ePrint Arch.

[29] Moni Naor et al. Evaluation may be easier than generation (extended abstract), 1996, STOC '96.

[30] Thomas M. Cover et al. Elements of Information Theory, 2005.

[31] Andrew Chi-Chih Yao et al. Theory and Applications of Trapdoor Functions (Extended Abstract), 1982, FOCS.

[32] Leonid A. Levin et al. A hard-core predicate for all one-way functions, 1989, STOC '89.

[33] Silvio Micali et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.