Download presentation

Presentation is loading. Please wait.

Published byMartha Flow Modified over 3 years ago

1
Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University http://eecs.harvard.edu/~salil

2
Motivation

3
Original Motivation [SV84,Vaz85,VV85,CG85,Vaz87,CW89,Zuc90,Zuc91] Randomization is pervasive in CS –Algorithm design, cryptography, distributed computing, … Typically assume perfect random source. –Unbiased, independent random bits –Unrealistic? Can we use a weak random source? –Source of biased & correlated bits. –More realistic model of physical sources. (Randomness) Extractors: convert a weak random source into an almost-perfect random source.

4
CS Theory Applications of Extractors Derandomization of (poly-time/log-space) algorithms [Sip88,NZ93,INW94, GZ97,RR99, MV99,STV99,GW02] Distributed & Network Algs [WZ95,Zuc97,RZ98,Ind02]. Hardness of Approximation [Zuc93,Uma99,MU01] Data Structures [Ta02] Metric Embeddings [Ind07] Unify many important pseudorandom objects –Hash Functions –Expander Graphs –Samplers –Pseudorandom Generators –Error-Correcting Codes

5
Crypto Applications of Extractors Privacy Amplification [BBR85] Pseudorandom Generators [HILL89] Protecting against Partial Key Exposure [CDHKS00] Crypto vs. Storage-bounded Adversaries [Lu02] Biometrics [DRS04] Statistically Hiding Commitments [NY89,DPP93] ׃

6
Outline Motivation Definition & Basics Cryptographic Applications Conclusions & a Glimpse Beyond

7
Definition & Basics

8
Weak Random Sources What is a source of biased & correlated bits? –Probability distribution X on {0,1} n. –Must contain some randomness. –Want: no independence assumptions ) one sample Measure of randomness –Shannon entropy: No good: –Better [Chor-Goldreich 85, Zuckerman 90] : min-entropy

9
Min-entropy Def: X is a k -source if H 1 ( X ) ¸ k. i.e. Pr [ X = x ] · 2 -k for all x Examples: –Unpredictable Source [SV84]: 8 i 2 [ n ], b 1,..., b i-1 2 {0,1}, –Bit-fixing [CGH+85,BL85,LLS87,CW89]: Some k coordinates of X uniform, rest fixed (or even depend arbitrarily on others). –Flat k -source: Uniform over S µ {0,1} n, |S|=2 k Fact [CG85]: every k -source is convex combination of flat ones.

10
Extractors: 1 st attempt A function Ext : {0,1} n ! {0,1} m s.t. 8 k -source X, Ext ( X ) is close to uniform. Impossible! 9 set of 2 n-1 inputs x on which first bit of Ext(x) is constant ) flat (n- 1) - source X, bad for Ext. E XT k - source of length n m almost-uniform bits

11
Extractors [Nisan & Zuckerman `93] Def: A (k, ) -extractor is Ext : {0,1} n £ {0,1} d ! {0,1} m s.t. 8 k -source X, Ext ( X,U d ) is -close to U m. d random bits seed Key point: seed can be much shorter than output. Goals: minimize seed length, maximize output length. E XT k - source of length n m almost-uniform bits

12
Definitional Details U t = uniform distribution on {0,1} t Measure of closeness: statistical difference (a.k.a. variation distance) –T = statistical test or distinguisher –metric, 2 [0,1], very well-behaved Def: X, Y -close if (X,Y) ·.

13
Strong extractors Output looks random even after seeing the seed. (important in most crypto applications) Def: Ext is a (k, ) strong extractor if Ext 0 (x,y) = y ± Ext(x,y) is a (k, ) extractor i.e. 8 k -sources X, for a 1- 0 frac. of y 2 {0,1} d Ext ( X,y) is 0 -close to U m In this talk, extractor ´ strong extractor

14
The Parameters The min-entropy k : –High min-entropy: k = n-a, a =o(n) –Constant entropy rate: k = (n) –Middle (hardest) range: k = n, 0< <1 –Low min-entropy: k = n o(1) The error : –In crypto apps, ¼ Pr[ adversary breaks scheme] (very small) The output length m : –Certainly m · k. –Can this be achieved?

15
The Optimal Extractor Thm [Sip88,RT97]: For every k · n, 9 a ( k, )-extractor w/ –Seed length d = log(n-k)+2log(1/ )+O(1) –Output length m = k -2log(1/ )-O(1) extract almost all the min-entropy w/logarithmic seed Pf Sketch: Probabilistic Method. –Show that for random Ext, Pr[Ext not (k, )- extractor ] < 1. –By union bound over flat k- sources X on {0,1} n and statistical tests T µ {0,1} m

16
The Optimal Extractor Thm: For every k · n, 9 a ( k, )-extractor w/ –Seed length d = log(n-k)+2log(1/ )+O(1) –Output length m = k -2log(1/ )-O(1) Thm [NZ93,RT97]: Above tight up to additive constants. For applications, need explicit extractors: –Ext(x,y) computable in time poly(n). –Random extractor requires space ¸ 2 n to even store! Long line of research has sought to approach above bounds with explicit constructions.

17
Extractors as Hash Functions {0,1} n {0,1} m flat k -source, i.e. set of size 2 k À 2 m For most y, h y maps sets of size K almost uniformly onto range.

18
Extractors from Hash Functions Leftover Hash Lemma [BBR85,ILL89]: universal (ie pairwise independent) hash functions yield strong extractors –output length: m= k-2log(1/ )-O(1) –seed length: d= n+m –example: Ext(x,(a,b))= first m bits of a ¢ x+b in GF( 2 n ) Almost pairwise independence [SZ94,GW94]: –seed length: d= O(log n+k)

19
Application: Randomized algorithms w/a weak source [Zuckerman `90,`91] accept/reject Randomized Algorithm input x errs w.p. · 2( ) Run algorithm using all 2 d seeds & output majority. Only polynomial slowdown, provided d=O(log n) and Ext explicit. k - source m uniform bits d -bit seed + almost E XT

20
Cryptographic Applications

21
Crypto with Weak Random Sources? Enumerating seeds doesnt work. –e.g. get several encryptions of a message, most of which are secure Thm [MP97,DOPS04]: Most crypto tasks are impossible with only an (n-1)- source. –Encryption, commitment, secret sharing, zero knowledge,… Alternative: Seek seedless extractors for restricted classes of sources. –Bit-fixing sources [KZ03], several independent weak sources [CG88,BIW04,DEOR04,BKSSW04,Raz05,Rao06,BRSW06], efficiently samplable sources [TV00,KM04,KRVZ06], … Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

22
Seeded Extractors in Crypto Common setting: entropy gaps –To parties A, B,…, string X has little or no entropy –To parties E, F,…, string X has a lot of entropy After extraction: –To parties A, B,…, r.v. Ext(X) still has little or no entropy –To parties E, F,…, r.v. Ext(X) indistinguishable from uniform Question: where to get seed? –Various solutions, depending on application

23
Privacy Amplification [Bennett,Brassard,Robert `85] Setting: honest parties A,B hold a string X about which adversary E has imperfect information X (close to) a k -source conditioned Es view Ext(X,R) close to uniform conditioned on Es view & R. Seed R may be sent in clear or shared in advance.

24
Key Agreement w/a Noisy Channel [BBR85] Noisy Communication Channel X Ã {0,1} n Z Y Alice Bob Eve ) w.h.p. Alice & Bob share some randomness unknown to Eve Information Reconciliation Protocol Alice Bob Y X whp X Z ) w.h.p. over z Ã Z, X | Z=z is a k -source for large k. K =Ext(X,R) Random seed R K =Ext(Y,R) Z =(Z,R) ) w.h.p. over z Ã Z, K| Z =z is -close to uniform.

25
The Bounded-Storage Model [Maurer 90] ) Output of extractor looks uniform to adversary [NZ93,Lu02] Storage s 00000000 00111011101000100000000100001100001 01100001 0100000100010101100000010 seed E XT length n High-rate source of truly random bits. Lemma: conditioned on adversarys state, have ( n-s)- source w.h.p. Adversary

26
Proof of Lemma Lemma: (X,Z) (correlated) random vars, Proof: Let BAD = { z : Pr[Z=z] · ¢ 2 -s }. Then X a k -source and |Z|=s w.p. ¸ 1- over z Ã Z, X | Z=z is a ( k-s- log(1/ ) ) -source.

27
The Bounded-Storage Model Storage s 00000000 00111011101000100000000100001100001 01100001 0100000100010101100000010 seed E XT length n Doing Cryptography: Seed = shared secret key Output of extractor = use for encryption (one-time pad), message authentication Strong extractor ) seed reusable, secure even if key compromised later (everlasting security [ADR99]) Adversary

28
The Bounded-Storage Model Storage s 00000000 00111011101000100000000100001100001 01100001 0100000100010101100000010 seed E XT length n Additional Constraint: honest parties should only have to read a small # bits from source i.e. E XT should be locally computable [L02,V03] (easily achieved using techniques in the extractor literature) Adversary

29
Extractors & Biometrics [Dodis, Reyzin, Smith `03] Goal: use biometric data (eg your fingerprint F ) as crypto keys Problem: biometric data not uniform But seems to have significant min-entropy ) use K = Ext(F,R) instead server K, R F clientuser R K = Ext(F,R) start session

30
Extractors & Biometrics Problem 2: biometric data not reliable Multiple readings will produce non-identical, but close (eg in Hamming distance) values Want: value C=C(F) s.t. F can be recovered from C and any F -close to F F still has high min-entropy given C server K, R clientuser R K = Ext(F,R) start session F F = Rec(F,C), C

31
Extractors & Biometrics Want: value C=C(F) s.t. F can be recovered from C and any F -close to F F still has high min-entropy given C Solution: C=F © Z Z random codeword in error-correcting code of relative minimum distance >2 and rate 1- Reduces min-entropy rate by at most server K, R, C F clientuser R, C K = Ext(F,R) start session F = Rec(F,C)

32
Comparing Applications ApplicationLow EntropyHigh EntropyAddl Properties Privacy Amplification H(X|Honest)H 1 (X|Adversary ) Bounded-Storage Model '' Locally computable Biometrics (Fuzzy Ext) '' Handle noisy X

33
(M,X) REVEAL F(X), Statistically Hiding Commitments from CRHF [Naor-Yung `89, Damgard-Petersen-Pfitzmann `93] COMMIT accept/ reject S R M 2 {0,1} t (M,K) CRHF { F : {0,1} n ! {0,1} n-k } H 1 (X|F(X),F) ¸ k H com (X|F(X),F) = 0 M -close to U t given Rs view H com (M) = 0 given Ss view F X Ã {0,1} n R,M=Ext(X,R)

34
REVEAL F(X),R,M=Ext(X,R) Statistically Hiding Commitments from CRHF [Naor-Yung `89, Damgard-Petersen-Pfitzmann] COMMIT accept/ reject S R (M,X) CRHF { F : {0,1} n ! {0,1} n-k } H 1 (X|F * (X),F * ) ¸ k H com (X * |F(X * ),F) = 0 M -close to U t given R * s view H com (M) = 0 given S * s view F

35
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] Goal: transform one-to-one OWF f : {0,1} n ! {0,1} m into a PRG G : {0,1} a ! {0,1} b H(X|f(X))=0 (b/c f one-to-one) X computationally unpredictable given f(X) H(G(Y)) = a G(Y) computationally indistinguishable from U b

36
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H( h X,R i | f(X),R) = 0 h X,R i indistinguishable from U 1 given f(X),R H(X|f(X))=0 (b/c f one-to-one) X computationally unpredictable given f(X) hardcore bit [GL89]

37
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H( h X,R i | f(X),R) = 0 h X,R i indistinguishable from U 1 given f(X),R H(X|f(X))=0 H u 1 (X|f(X)) = (log n) hardcore bit [GL89]

38
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(Ext 1 (X,R) | f(X),R) = 0 Ext 1 (X,R) indistinguishable from U log n given f(X),R Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R))

39
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F(Z)) = |Z| Ext 1 (X,R) indistinguishable from U log n given f(X),R Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R))

40
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F(Z)) = |Z| F(Z) comp. indist. from dist. w/min-entropy |Z|+log n Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R)) pseudoentropy generator

41
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F(Z)) = |Z| H pe 1 (F(Z)) = |Z|+log n Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R)) pseudoentropy generator

42
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F k (Z k )) = |Z k | H pe 1 (F k (Z k )) = |Z k |+k ¢ log n Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R)) pseudoentropy generator

43
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F k (Z k )) = |Z k | H pe 1 (F k (Z k )) = |Z k |+k ¢ log n Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R)) Efficient extractor H(G(Z k,S)) · |S|+|Z k | G(Z k,S) indist. from (S,U |Z k |+1 ) G(Z k,S) = (S,Ext 2 (F k (Z k ),S))

44
Pseudorandom Generators from 1-1 OWF [Hastad-Impagliazzo-Levin-Luby `89] H(F k (Z k )) = |Z k | H pe 1 (F k (Z k )) = |Z k |+k ¢ log n Extractor w/efficient list-decoding [TZ01] H(X|f(X))=0 H u 1 (X|f(X)) = (log n) F(X,R) = (f(X),R,Ext 1 (X,R)) Efficient extractor H(G(Y)) · |Y| G(Y) indist. from U |Y|+1 G(Z k,S) = (S,Ext 2 (F k (Z k ),S))

45
Comparing Applications ApplicationLow EntropyHigh EntropyAddl Properties Privacy Amplification H(X|Honest)H 1 (X|Adversary ) Bounded-Storage Model '' Locally computable Biometrics (Fuzzy Ext) '' Handle noisy X CRHF ) SHCH com (X * |F(X * ),F)H 1 (X|F * (X),F * ) 1-1 OWF ) PEGH(X|f(X))H u 1 (X|f(X))Efficient list- decoding PEG ) PRGF(Z)H pe 1 (F(Z))Efficient extractor

46
Conclusions Randomness extractors address a basic problem in crypto: exploiting assymetry of information Language and basic results as important as the actual constructions. Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …)

47
Further Reading N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58 (1):148-173, 1999. R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of EATCS, 77:67-95, June 2002. S. Vadhan. Randomness extractors & their many guises. Slides from tutorial at FOCS `02. S. Vadhan. Course Notes for CS225: Pseudorandomness. http://eecs.harvard.edu/~salil/cs225 http://eecs.harvard.edu/~salil/cs225

Similar presentations

OK

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on meeting skills checklist Ppt on group development process Ppt on wifi technology free download Ppt on biodegradable and nonbiodegradable waste Ppt on interest rate risk Ppt on mvc architecture Ppt on speed control of dc shunt motor Ppt on shapes for kindergarten Ppt on equity mutual funds Ppt on sanskrit grammar for class 10