Pseudoentropy: Lower-Bounds for Chain Rules and Transformations

Computational notions of entropy have recently found many applications, including leakage-resilient cryptography, deterministic encryption and memory delegation. The two main types of results which make computational notions so useful are (1) chain rules, which quantify by how much the computational entropy of a variable decreases if conditioned on some other variable, and (2) transformations, which quantify to what extent one type of entropy implies another. Such chain rules and transformations typically lose a significant amount in the quality of the entropy, and are the reason why applying these results yields rather weak quantitative security bounds. In this paper we for the first time prove lower bounds in this context, showing that existing results for transformations are, unfortunately, basically optimal for non-adaptive black-box reductions, and it's hard to imagine how non-black-box reductions or adaptivity could be useful here. A variable X has k bits of HILL entropy of quality $(\epsilon, s)$ if there exists a variable Y with k bits of min-entropy which cannot be distinguished from X with advantage $\epsilon$ by distinguishing circuits of size s. A weaker notion is Metric entropy, where we switch the quantifiers and only require that for every distinguisher of size s such a Y exists. We first describe our result concerning transformations. By definition, HILL implies Metric without any loss in quality. Metric entropy often comes up in applications, but must be transformed to HILL for meaningful security guarantees. The best known result states that if a variable X has k bits of Metric entropy of quality $(\epsilon, s)$, then it has k bits of HILL entropy with quality $(2\epsilon, s\cdot \epsilon^2)$. We show that this loss of a factor $\Omega(\epsilon^{-2})$ in circuit size is necessary.
In fact, we show the stronger result that this loss is already necessary when transforming so-called deterministic real-valued Metric entropy to randomised boolean Metric entropy (both these variants of Metric entropy are implied by HILL without loss in quality). The chain rule for HILL entropy states that if X has k bits of HILL entropy of quality $(\epsilon, s)$, then for any variable Z of length m, X conditioned on Z has $k-m$ bits of HILL entropy with quality $(\epsilon, s\cdot \epsilon^2 / 2^{m})$. We show that a loss of $\Omega(2^m/\epsilon)$ in circuit size is necessary here. Note that this still leaves a gap of $\epsilon$ between the known bound and our lower bound.
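The definitions and bounds above, written out formally as an added illustration (not taken from the paper itself); the notation $H^{\mathrm{HILL}}$, $H^{\mathrm{Metric}}$, $H_\infty$ and $\mathcal{D}_s$ for the class of distinguishing circuits of size s is assumed here, and the quantifier order is the only difference between the two notions:

$$
\begin{aligned}
H^{\mathrm{HILL}}_{\epsilon,s}(X)\ge k
&\iff \exists\, Y \text{ with } H_\infty(Y)\ge k\ \ \forall D\in\mathcal{D}_s:\ \bigl|\Pr[D(X)=1]-\Pr[D(Y)=1]\bigr|\le\epsilon,\\
H^{\mathrm{Metric}}_{\epsilon,s}(X)\ge k
&\iff \forall D\in\mathcal{D}_s\ \ \exists\, Y \text{ with } H_\infty(Y)\ge k:\ \bigl|\Pr[D(X)=1]-\Pr[D(Y)=1]\bigr|\le\epsilon.
\end{aligned}
$$

The single Y guaranteed by HILL works for every D, so $H^{\mathrm{HILL}}_{\epsilon,s}(X)\ge k \Rightarrow H^{\mathrm{Metric}}_{\epsilon,s}(X)\ge k$ with no loss. The transformation in the other direction and the chain rule, with the known upper bounds beside the lower bounds stated in the abstract:

$$
\begin{aligned}
H^{\mathrm{Metric}}_{\epsilon,s}(X)\ge k &\Rightarrow H^{\mathrm{HILL}}_{2\epsilon,\; s\cdot\epsilon^{2}}(X)\ge k,
&\text{size loss } \epsilon^{-2}\text{ is }\Omega(\epsilon^{-2})\text{-necessary};\\
H^{\mathrm{HILL}}_{\epsilon,s}(X)\ge k,\ |Z|=m &\Rightarrow H^{\mathrm{HILL}}_{\epsilon,\; s\cdot\epsilon^{2}/2^{m}}(X\mid Z)\ge k-m,
&\text{size loss } 2^{m}/\epsilon^{2}\text{ vs. lower bound }\Omega(2^{m}/\epsilon).
\end{aligned}
$$

The remaining gap for the chain rule is the ratio of the two losses, $(2^{m}/\epsilon^{2})\,/\,(2^{m}/\epsilon)=\epsilon^{-1}$, i.e. the factor of $\epsilon$ mentioned in the abstract.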
