The Leakage-Resilience Limit of a Computational Problem Is Equal to Its Unpredictability Entropy

A cryptographic assumption is the (unproven) mathematical statement that a certain computational problem (e.g. factoring integers) is computationally hard. The leakage-resilience limit of a cryptographic assumption, and hence of a computational search problem, is the maximal number of bits of information that can be leaked (adaptively) about an instance, without making the problem easy to solve. This implies security of the underlying scheme against arbitrary side channel attacks by a computationally unbounded adversary as long as the number of leaked bits of information is less than the leakage resilience limit. The hardness of a computational problem is typically characterized by the running time of the fastest (known) algorithm for solving it. We propose to consider, as another natural complexity-theoretic quantity, the success probability of the best polynomial-time algorithm (which can be exponentially small). We refer to its negative logarithm as the unpredictability entropy of the problem (which is defined up to an additive logarithmic term). A main result of the paper is that the leakage-resilience limit and the unpredictability entropy are equal. This demonstrates, for the first time, the practical relevance of studying polynomial-time algorithms even for problems believed to be hard, and even if the success probability is too small to be of practical interest. With this view, we look at the best probabilistic polynomial time algorithms for the learning with errors and lattice problems that have in recent years gained relevance in cryptography. We also introduce the concept of witness compression for computational problems, namely the reduction of a problem to another problem for which the witnesses are shorter. The length of the smallest achievable witness for a problem also corresponds to the non-adaptive leakage-resilience limit, and it is also shown to be equal to the unpredictability entropy of the problem. The witness compression concept is also of independent theoretical interest. An example of an implication of our result is that 3-SAT for n variables can be witness compressed from n bits (the variable assignments) to 0.41 n bits.

[1]  Jonathan Gregg On Factoring Integers and Evaluating Discrete Logarithms , 2003 .

[2]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[3]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[4]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[5]  Guy N. Rothblum,et al.  Leakage-Resilient Signatures , 2010, TCC.

[6]  Moni Naor,et al.  On the Compressibility of NP Instances and Cryptographic Applications , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[7]  Yael Tauman Kalai,et al.  Robustness of the Learning with Errors Assumption , 2010, ICS.

[8]  Adi Shamir,et al.  Efficient Factoring Based on Partial Information , 1985, EUROCRYPT.

[9]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[10]  Yael Tauman Kalai,et al.  Public-Key Encryption Schemes with Auxiliary Inputs , 2010, TCC.

[11]  Pavel Pudlák,et al.  Satisfiability Coding Lemma , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[12]  Pavel Pudlák,et al.  On the complexity of circuit satisfiability , 2010, STOC '10.

[13]  Chi-Jen Lu,et al.  Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility , 2007, EUROCRYPT.

[14]  H. W. Lenstra,et al.  Factoring integers with elliptic curves , 1987 .

[15]  Moti Yung,et al.  A New Randomness Extraction Paradigm for Hybrid Encryption , 2009, EUROCRYPT.

[16]  Michael Sipser,et al.  A complexity theoretic approach to randomness , 1983, STOC.

[17]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[18]  Daniele Micciancio,et al.  A Deterministic Single Exponential Time Algorithm for Most Lattice Problems Based on Voronoi Cell Computations , 2013, SIAM J. Comput..

[19]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[20]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[21]  U. Schöning A probabilistic algorithm for k-SAT and constraint satisfaction problems , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[22]  Yael Tauman Kalai,et al.  On cryptography with auxiliary input , 2009, STOC '09.

[23]  Yevgeniy Dodis,et al.  Survey: Leakage Resilience and the Bounded Retrieval Model , 2009, ICITS.

[24]  Lance Fortnow,et al.  Infeasibility of instance compression and succinct PCPs for NP , 2007, J. Comput. Syst. Sci..

[25]  David Eppstein,et al.  3-coloring in time 0(1.3446/sup n/): a no-MIS algorithm , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[26]  Larry J. Stockmeyer,et al.  The complexity of approximate counting , 1983, STOC.

[27]  Vinod Vaikuntanathan,et al.  Signature Schemes with Bounded Leakage Resilience , 2009, ASIACRYPT.

[28]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[29]  Richard Beigel,et al.  Finding maximum independent sets in sparse and general graphs , 1999, SODA '99.

[30]  Fabrizio Grandoni,et al.  Measure and conquer: a simple O(20.288n) independent set algorithm , 2006, SODA '06.

[31]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[32]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[33]  Shafi Goldwasser,et al.  Complexity of lattice problems - a cryptographic perspective , 2002, The Kluwer international series in engineering and computer science.

[34]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[35]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[36]  Moti Yung,et al.  A block cipher based pseudo random number generator secure against side-channel key recovery , 2008, ASIACCS '08.

[37]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[38]  Daniele Micciancio,et al.  On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem , 2009, CRYPTO.

[39]  Krzysztof Pietrzak,et al.  A Leakage-Resilient Mode of Operation , 2009, EUROCRYPT.

[40]  Jon M. Kleinberg,et al.  A deterministic (2-2/(k+1))n algorithm for k-SAT based on local search , 2002, Theor. Comput. Sci..

[41]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[42]  Shlomo Shamai,et al.  Information Theoretic Security , 2009, Found. Trends Commun. Inf. Theory.

[43]  Moni Naor,et al.  Public-Key Cryptosystems Resilient to Key Leakage , 2009, SIAM J. Comput..

[44]  Oded Goldreich,et al.  On the Limits of Nonapproximability of Lattice Problems , 2000, J. Comput. Syst. Sci..

[45]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[46]  Leslie G. Valiant,et al.  NP is as easy as detecting unique solutions , 1985, STOC '85.

[47]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, Theory of Cryptography Conference.

[48]  Ueli Maurer On the oracle complexity of factoring integers , 2005, computational complexity.

[49]  Hovav Shacham,et al.  Available from the IACR Cryptology ePrint Archive as Report 2008/510. Reconstructing RSA Private Keys from Random Key Bits , 2022 .

[50]  Klaus Dohmen,et al.  Improved Bonferroni Inequalities via Abstract Tubes: Inequalities and Identities of Inclusion-Exclusion Type , 2003 .

[51]  Rolf Niedermeier,et al.  Worst-case upper bounds for MAX-2-SAT with an application to MAX-CUT , 2003, Discret. Appl. Math..

[52]  Oded Goldreich,et al.  Computational complexity: a conceptual perspective , 2008, SIGA.

[53]  Jesper Makholm Byskov Algorithms for k-colouring and finding maximal independent sets , 2003, SODA '03.

[54]  Vinod Vaikuntanathan,et al.  Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[55]  Don Coppersmith,et al.  Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known , 1996, EUROCRYPT.

[56]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[57]  Yevgeniy Dodis,et al.  Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model , 2009, CRYPTO.

[58]  Moni Naor,et al.  On the Compressibility of NP Instances and Cryptographic Applications , 2010, SIAM J. Comput..

[59]  Franz Pichler,et al.  Advances in Cryptology — EUROCRYPT’ 85 , 2000, Lecture Notes in Computer Science.