On the (non)universality of the one-time pad

Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. We initiate the quantitative study of the feasibility of building secure cryptographic primitives using imperfect random sources. Specifically, we concentrate on symmetric-key encryption and message authentication, where the shared secret key comes from an imperfect random source instead of being assumed truly random. In each case, we compare the class of "cryptographic" sources for the task at hand with the classes of "extractable" and "simulatable" sources, where: (1) "cryptographic" refers to sources for which the corresponding symmetric-key primitive can be built; (2) "extractable" refers to a very narrow class of sources from which one can extract nearly perfect randomness; and (3) "simulatable" refers to a very general class of weak random sources which are known to suffice for BPP simulation. For both encryption and authentication, we show that the corresponding cryptographic sources lie strictly between extractable and simulatable sources, which implies that "cryptographic usage" of randomness is more demanding than the corresponding "algorithmic usage", but still does not require perfect randomness. Interestingly, cryptographic sources for encryption and authentication are also quite different from each other, which suggests that there might not be an elegant way to describe imperfect sources sufficient for "general cryptographic use". We believe that our initial investigation in this new area will inspire a lot of further research.
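The abstract's central point, that the one-time pad's secrecy depends on the quality of the key's randomness, can be checked concretely for small key lengths. The following Python example is added here and is not code from the paper; it models a key source as an explicit probability distribution over n-bit strings (a simplification I assume for illustration, usable only for tiny n) and computes exactly, with rational arithmetic, the statistical distance between the ciphertext distributions of two messages. That distance is the best possible distinguishing advantage of an eavesdropper, so a value of 0 is perfect secrecy and a value of 1 means the ciphertext fully reveals which message was sent. The three sources (`uniform_source`, `biased_source`, `flat_source`) are constructed toy examples: a perfect key, a key of independently biased bits, and a key uniform over a subset of strings (min-entropy log2 of the subset size, one bit short of full entropy in the demo).

```python
from fractions import Fraction
from itertools import product


def otp_encrypt(key, msg):
    """One-time pad: ciphertext bit i = key bit i XOR message bit i."""
    if len(key) != len(msg):
        raise ValueError("key and message must have the same length")
    return tuple(k ^ m for k, m in zip(key, msg))


def uniform_source(n):
    """Perfect key: every n-bit string has probability 2^-n."""
    return {k: Fraction(1, 2 ** n) for k in product((0, 1), repeat=n)}


def biased_source(n, p):
    """Imperfect key: n independent bits, each equal to 1 with probability p."""
    dist = {}
    for k in product((0, 1), repeat=n):
        pr = Fraction(1)
        for bit in k:
            pr *= p if bit else 1 - p
        dist[k] = pr
    return dist


def flat_source(n, keys):
    """Imperfect key: uniform over a chosen subset of n-bit strings
    (a 'flat' source with min-entropy log2(len(keys)))."""
    keys = list(keys)
    if any(len(k) != n for k in keys):
        raise ValueError("all keys must have length n")
    return {k: Fraction(1, len(keys)) for k in keys}


def ciphertext_distribution(key_dist, msg):
    """Push the key distribution through the pad to get the ciphertext distribution."""
    dist = {}
    for key, pr in key_dist.items():
        c = otp_encrypt(key, msg)
        dist[c] = dist.get(c, Fraction(0)) + pr
    return dist


def statistical_distance(d1, d2):
    """Total variation distance: half the L1 distance between two distributions."""
    support = set(d1) | set(d2)
    return sum((abs(d1.get(x, 0) - d2.get(x, 0)) for x in support), Fraction(0)) / 2


def distinguishing_advantage(key_dist, m0, m1):
    """Best advantage of any (unbounded) eavesdropper at telling m0 from m1."""
    return statistical_distance(ciphertext_distribution(key_dist, m0),
                                ciphertext_distribution(key_dist, m1))


def worst_case_advantage(key_dist, n):
    """Maximum advantage over all message pairs: the quantity that must be
    (nearly) zero for the pad to be a secure encryption under this source."""
    msgs = list(product((0, 1), repeat=n))
    return max(distinguishing_advantage(key_dist, m0, m1) for m0 in msgs for m1 in msgs)


if __name__ == "__main__":
    n = 2
    cases = {
        "uniform key": uniform_source(n),
        "bits biased 3/4 towards 1": biased_source(n, Fraction(3, 4)),
        "uniform over keys with first bit 0": flat_source(n, [(0, 0), (0, 1)]),
    }
    for name, src in cases.items():
        print(f"{name:38s} worst-case advantage = {worst_case_advantage(src, n)}")
```

Two things the output shows that the abstract states only in words: a key with even one bit of min-entropy missing can leak a message bit completely (the flat source gives advantage 1 for messages differing in the first bit, and 0 for messages differing only in the second), so security must be judged over the worst message pair; and the biased source, although it is "extractable" in the paper's sense (a von Neumann-style extractor would turn it into nearly uniform bits), is not itself usable directly as a one-time-pad key.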
