Post on 23-Dec-2015
Computational Entropy
Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich),
Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), and Colin Jia Zheng (Harvard)
Salil VadhanHarvard University
(on sabbatical at MSR-SVC and Stanford)
How I came to work onPseudorandomness
Fall 93: CS226r “Efficient Algorithms,” Prof. M. Rabin– “The R word plays a role”– I am amazed by the power of randomness.
Spring 95: S. Rudich tells me about evidence that P=BPP.– I am skeptical.
1996-1999: I learn about pseudorandom generators & derandomization.– I need to work on this too!
One-Way Functions [DH76]
Candidate: f(x,y) = x¢y
Formally, a OWF is f : {0,1}n ! {0,1}n s.t.
f poly-time computable
8 poly-time A
Pr[A(f(X))2 f-1(f(X))] = 1/n!(1) for XÃ{0,1}n
x f(x)
easy
hard
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90][R90]
[HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90][R90]
[HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
Computational Entropy[Y82,HILL90,BSW03]
Question: How can we use the “raw hardness” of a OWF to build useful crypto primitives?
Answer (today’s talk):
Every crypto primitive amounts to some form of “computational entropy”.
One-way functions already have a little bit of “computational entropy”.
Entropy
Def: The Shannon entropy of r.v. X is
H(X) = ExÃX[log(1/Pr[X=x)]
H(X) = “Bits of randomness in X (on avg)”
0 · H(X) · log |Supp(X)|
Conditional Entropy: H(X|Y) = EyÃY[H(X|
Y=y)]
H(X ) = Exà X [log(1=Pr[X = x])]HHH(X ) =
X concentratedon single point
X uniform onSupp(X)
Worst-Case Entropy Measures
Min-Entropy: H1(X) = minx log(1/Pr[X=x])
Max-Entropy: H0(X) = log |Supp(X)|
H1(X) · H(X) · H0(X)
Computational Entropy
A poly-time algorithm may “perceive” the entropy of X to be very different from H(X).
Example: a pseudorandom generator G: {0,1}m!{0,1}n
– G(Um) is computationally indistinguishable from Un
– But H(G(Um))·m.
Pseudoentropy
Def [HILL90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t.1. Y ´c X2. H(Y) ¸ k
Interesting when k > H(X), i.e.
Pseudoentropy > Real Entropy
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90] [R90][HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
pseudoentropy
Application of Pseudoentropy
Thm [HILL90]: 9 OWF ) 9 PRG
Proof idea:
OWF
X with pseudo-min-entropy ¸ H0(X)+poly(n)
X with pseudoentropy ¸ H(X)+1/poly(n)
PRG
to discuss
repetitions
hashing
Pseudoentropy from OWF
Intuition: for a 1-1 OWF f and XÃ{0,1}n
– H(X|f(X))=0, but– 8 poly-time A Pr[A(f(X))=X] = 1/n!(1) = 1/2!(log n)
) X has “unpredictability entropy” !(log n) given f(X) [HLR07]
Challenges:– How to turn “unpredictability” into
“pseudoentropy”?– When f not 1-1, unpredictability can be trivial.
Pseudoentropy from OWF
Thm [HILL90]: W=(f(X),H,H(X)1,…H(X)J)has pseudoentropy ¸ H(W)+!(log n)/n, where H : {0,1}n ! {0,1}n is a certain kind of hash function, XÃ{0,1}n, JÃ{1,…,n}.
Thm [HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸n+!(log n).– No hashing!– Total amount of pseudoentropy known & > n.– Get full !(log n) bits of pseudoentropy.
Next-bit Pseudoentropy
Thm [HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸ n+!(log n).
Note: (f(X),X) easily distinguishable from every random variable of entropy > n.
Next-bit pseudoentropy: 9 (Y1,…,Yn) s.t.– (f(X),X1,…,Xi) ´c (f(X),X1,…,Xi-1,Yi)
– H(f(X))+i H(Yi|f(X),X1,…,Xi-1) = n+!(log n).
Consequences
Simpler and more efficient construction of pseudorandom generators from one-way functions.
[HILL90,H06]: OWF f of input length n ) PRG G of seed length O(n8).
[HRV10,VZ11]: OWF f of input length n ) PRG G of seed length O(n3).
Unpredictability)Pseudoentropy[previous work]
Assume: Z has unpredictability entropy ¸ k given Y (i.e. 8 poly-time A Pr[A(Y)=Z]·2-k). [Y82]: If k¼|Z|, then (Y,Z) ´c (Y,Uk)
[GL89,HLR07]: (Y,H,H(Z)) ´c (Y,H,Uk-!(log n))
[I95,H05]: If |Z|=1, then 9 Z’ of “average min-entropy [DORS04]” k given X s.t. (X,Z) ´c (X,Z’)
Coping with info-theoretic unpredictability of X given f(X)?
[HILL90] Use Leftover Hash Lemma to analyze prefix of (f(X),H,H(X)1,…H(X)J).
Pseudoentropy , Hardness of Sampling
Thm [VZ11]: Let (Y,Z) 2 {0,1}n £ {0,1}O(log
n).
Z has pseudoentropy ¸ H(Z|Y)+k given Ym
There is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k.
[D = Kullback-Liebler Divergence]
Proof: variant of proofs of Impagliazzo’s Hardcore Lemma [I95,N95,H05,BHK09].
Pseudoentropy , Hardness of Sampling
Thm [VZ11]: Let (Y,Z) 2 {0,1}n £ {0,1}O(log
n).
Z has pseudoentropy ¸ H(Z|Y)+k given Ym
There is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k.
Cor [HRV10,VZ11]: (f(X),X1,…,Xn) has next-bit pseudoentropy n+!(log n).
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HRV10,VZ11]
[R90][HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
next-bitpseudoentropy
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HRV10,VZ11]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
next-bitpseudoentropy inaccessible entropy [HRVW09,
HHRVW10]
Inaccessible Entropy [HRVW09,HHRVW10]
Example: if h : {0,1}n! {0,1}n-k is collision-resistant and XÃ {0,1}n, then– H(X|h(X)) ¸ k, but– To an efficient algorithm, once it produces
h(X), X is determined ) “accessible entropy” 0.– Accessible entropy ¿ Real Entropy!
Thm [HRVW09]: f a OWF ) (f(X)1,…,f(X)n,X) has accessible entropy n-!(log n).– Cf. (f(X),X1,…,Xn) has pseudoentropy n+!(log
n).
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
“Secrecy”pseudoentropy > real entropy
“Unforgeability”accessible entropy < real entropy
Research Directions
Formally unify inaccessible entropy and pseudoentropy.
OWF f : {0,1}n! {0,1}n ) Pseudorandom generators of seed length O(n)?
More applications of inaccessible entropy in crypto or complexity.