Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich),...
-
Upload
mildred-neal -
Category
Documents
-
view
216 -
download
1
Transcript of Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich),...
Computational Entropy
Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich),
Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), and Colin Jia Zheng (Harvard)
Salil VadhanHarvard University
(on sabbatical at MSR-SVC and Stanford)
How I came to work onPseudorandomness
Fall 93: CS226r “Efficient Algorithms,” Prof. M. Rabin– “The R word plays a role”– I am amazed by the power of randomness.
Spring 95: S. Rudich tells me about evidence that P=BPP.– I am skeptical.
1996-1999: I learn about pseudorandom generators & derandomization.– I need to work on this too!
One-Way Functions [DH76]
Candidate: f(x,y) = x¢y
Formally, a OWF is f : {0,1}n ! {0,1}n s.t.
f poly-time computable
8 poly-time A
Pr[A(f(X))2 f-1(f(X))] = 1/n!(1) for XÃ{0,1}n
x f(x)
easy
hard
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90][R90]
[HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90][R90]
[HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
Computational Entropy[Y82,HILL90,BSW03]
Question: How can we use the “raw hardness” of a OWF to build useful crypto primitives?
Answer (today’s talk):
Every crypto primitive amounts to some form of “computational entropy”.
One-way functions already have a little bit of “computational entropy”.
Entropy
Def: The Shannon entropy of r.v. X is
H(X) = ExÃX[log(1/Pr[X=x)]
H(X) = “Bits of randomness in X (on avg)”
0 · H(X) · log |Supp(X)|
Conditional Entropy: H(X|Y) = EyÃY[H(X|
Y=y)]
H(X ) = Exà X [log(1=Pr[X = x])]HHH(X ) =
X concentratedon single point
X uniform onSupp(X)
Worst-Case Entropy Measures
Min-Entropy: H1(X) = minx log(1/Pr[X=x])
Max-Entropy: H0(X) = log |Supp(X)|
H1(X) · H(X) · H0(X)
Computational Entropy
A poly-time algorithm may “perceive” the entropy of X to be very different from H(X).
Example: a pseudorandom generator G: {0,1}m!{0,1}n
– G(Um) is computationally indistinguishable from Un
– But H(G(Um))·m.
Pseudoentropy
Def [HILL90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t.1. Y ´c X2. H(Y) ¸ k
Interesting when k > H(X), i.e.
Pseudoentropy > Real Entropy
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HILL90] [R90][HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
pseudoentropy
Application of Pseudoentropy
Thm [HILL90]: 9 OWF ) 9 PRG
Proof idea:
OWF
X with pseudo-min-entropy ¸ H0(X)+poly(n)
X with pseudoentropy ¸ H(X)+1/poly(n)
PRG
to discuss
repetitions
hashing
Pseudoentropy from OWF
Intuition: for a 1-1 OWF f and XÃ{0,1}n
– H(X|f(X))=0, but– 8 poly-time A Pr[A(f(X))=X] = 1/n!(1) = 1/2!(log n)
) X has “unpredictability entropy” !(log n) given f(X) [HLR07]
Challenges:– How to turn “unpredictability” into
“pseudoentropy”?– When f not 1-1, unpredictability can be trivial.
Pseudoentropy from OWF
Thm [HILL90]: W=(f(X),H,H(X)1,…H(X)J)has pseudoentropy ¸ H(W)+!(log n)/n, where H : {0,1}n ! {0,1}n is a certain kind of hash function, XÃ{0,1}n, JÃ{1,…,n}.
Thm [HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸n+!(log n).– No hashing!– Total amount of pseudoentropy known & > n.– Get full !(log n) bits of pseudoentropy.
Next-bit Pseudoentropy
Thm [HRV10,VZ11]: (f(X),X1,…,Xn) has “next-bit pseudoentropy” ¸ n+!(log n).
Note: (f(X),X) easily distinguishable from every random variable of entropy > n.
Next-bit pseudoentropy: 9 (Y1,…,Yn) s.t.– (f(X),X1,…,Xi) ´c (f(X),X1,…,Xi-1,Yi)
– H(f(X))+i H(Yi|f(X),X1,…,Xi-1) = n+!(log n).
Consequences
Simpler and more efficient construction of pseudorandom generators from one-way functions.
[HILL90,H06]: OWF f of input length n ) PRG G of seed length O(n8).
[HRV10,VZ11]: OWF f of input length n ) PRG G of seed length O(n3).
Unpredictability)Pseudoentropy[previous work]
Assume: Z has unpredictability entropy ¸ k given Y (i.e. 8 poly-time A Pr[A(Y)=Z]·2-k). [Y82]: If k¼|Z|, then (Y,Z) ´c (Y,Uk)
[GL89,HLR07]: (Y,H,H(Z)) ´c (Y,H,Uk-!(log n))
[I95,H05]: If |Z|=1, then 9 Z’ of “average min-entropy [DORS04]” k given X s.t. (X,Z) ´c (X,Z’)
Coping with info-theoretic unpredictability of X given f(X)?
[HILL90] Use Leftover Hash Lemma to analyze prefix of (f(X),H,H(X)1,…H(X)J).
Pseudoentropy , Hardness of Sampling
Thm [VZ11]: Let (Y,Z) 2 {0,1}n £ {0,1}O(log
n).
Z has pseudoentropy ¸ H(Z|Y)+k given Ym
There is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k.
[D = Kullback-Liebler Divergence]
Proof: variant of proofs of Impagliazzo’s Hardcore Lemma [I95,N95,H05,BHK09].
Pseudoentropy , Hardness of Sampling
Thm [VZ11]: Let (Y,Z) 2 {0,1}n £ {0,1}O(log
n).
Z has pseudoentropy ¸ H(Z|Y)+k given Ym
There is no probabilistic poly-time A s.t.D((Y,Z)||(Y,A(Y)) · k.
Cor [HRV10,VZ11]: (f(X),X1,…,Xn) has next-bit pseudoentropy n+!(log n).
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HRV10,VZ11]
[R90][HNORV07]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
next-bitpseudoentropy
OWFs & Cryptography
one-way functions
pseudorandomgenerators
target-collision-resistanthash functions (UOWHFs)
statistically hidingcommitments
pseudorandomfunctions
statistically bindingcommitments
zero-knowledgeproofs
statistical ZKarguments
private-keyencryption
MACsdigital
signatures
secure protocols & applications
[HRV10,VZ11]
[GGM86] [N89]
[GMW86]
[NY89] [BCC86]
next-bitpseudoentropy inaccessible entropy [HRVW09,
HHRVW10]
Inaccessible Entropy [HRVW09,HHRVW10]
Example: if h : {0,1}n! {0,1}n-k is collision-resistant and XÃ {0,1}n, then– H(X|h(X)) ¸ k, but– To an efficient algorithm, once it produces
h(X), X is determined ) “accessible entropy” 0.– Accessible entropy ¿ Real Entropy!
Thm [HRVW09]: f a OWF ) (f(X)1,…,f(X)n,X) has accessible entropy n-!(log n).– Cf. (f(X),X1,…,Xn) has pseudoentropy n+!(log
n).
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
“Secrecy”pseudoentropy > real entropy
“Unforgeability”accessible entropy < real entropy
Research Directions
Formally unify inaccessible entropy and pseudoentropy.
OWF f : {0,1}n! {0,1}n ) Pseudorandom generators of seed length O(n)?
More applications of inaccessible entropy in crypto or complexity.