Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington.


1 Computational Entropy
Salil Vadhan, Harvard University (on sabbatical at MSR-SVC and Stanford)
Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), and Colin Jia Zheng (Harvard)

2 How I came to work on Pseudorandomness
• Fall 93: CS226r “Efficient Algorithms,” Prof. M. Rabin
  – “The R word plays a role”
  – I am amazed by the power of randomness.
• Spring 95: S. Rudich tells me about evidence that P=BPP.
  – I am skeptical.
• 1996-1999: I learn about pseudorandom generators & derandomization.
  – I need to work on this too!

3 One-Way Functions [DH76]
• Candidate: $f(x,y) = x \cdot y$
Formally, a OWF is $f : \{0,1\}^n \to \{0,1\}^n$ s.t.
• $f$ poly-time computable
• $\forall$ poly-time $A$: $\Pr[A(f(X)) \in f^{-1}(f(X))] = 1/n^{\omega(1)}$ for $X \leftarrow \{0,1\}^n$
[Diagram: $x$ and $f(x)$, with arrows labelled “easy” and “hard”]

4 OWFs & Cryptography
[Diagram of implications between primitives]
Primitives: one-way functions; pseudorandom generators; target-collision-resistant hash functions (UOWHFs); statistically hiding commitments; pseudorandom functions; statistically binding commitments; zero-knowledge proofs; statistical ZK arguments; private-key encryption; MACs; digital signatures; secure protocols & applications.
Citations on the arrows: [HILL90], [R90], [HNORV07], [GGM86], [N89], [GMW86], [NY89], [BCC86].

5 OWFs & Cryptography
[Same diagram, primitives and citations as slide 4]

6 Computational Entropy [Y82,HILL90,BSW03]
Question: How can we use the “raw hardness” of a OWF to build useful crypto primitives?
Answer (today’s talk):
• Every crypto primitive amounts to some form of “computational entropy”.
• One-way functions already have a little bit of “computational entropy”.

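7 Entropy
Def: The Shannon entropy of r.v. $X$ is $H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$
• $H(X)$ = “Bits of randomness in $X$ (on avg)”
• $0 \le H(X) \le \log|\mathrm{Supp}(X)|$
  [Annotations on the bounds: lower bound, $X$ concentrated on single point; upper bound, $X$ uniform on $\mathrm{Supp}(X)$]
• Conditional Entropy: $H(X|Y) = \mathbb{E}_{y \leftarrow Y}[H(X|Y=y)]$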

8 Conditional Entropy
$H(X|Y) = \mathbb{E}_{y \leftarrow Y}[H(X|Y=y)]$
• Chain Rule: $H(X,Y) = H(Y) + H(X|Y)$
• $H(X) - H(Y) \le H(X|Y) \le H(X)$
• $H(X|Y) = 0$ iff $\exists f$ s.t. $X = f(Y)$.

9 Worst-Case Entropy Measures
• Min-Entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$
• Max-Entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$
$H_\infty(X) \le H(X) \le H_0(X)$

10 Computational Entropy
• A poly-time algorithm may “perceive” the entropy of $X$ to be very different from $H(X)$.
• Example: a pseudorandom generator $G : \{0,1\}^m \to \{0,1\}^n$
  – $G(U_m)$ is computationally indistinguishable from $U_n$
  – But $H(G(U_m)) \le m$.

11 Pseudoentropy
Def [HILL90]: $X$ has pseudoentropy $\ge k$ iff there exists a random variable $Y$ s.t.
1. $Y \equiv^c X$
2. $H(Y) \ge k$
Interesting when $k > H(X)$, i.e. Pseudoentropy > Real Entropy

12 OWFs & Cryptography
[Diagram of implications between primitives]
Primitives: one-way functions; pseudorandom generators; target-collision-resistant hash functions (UOWHFs); statistically hiding commitments; pseudorandom functions; statistically binding commitments; zero-knowledge proofs; statistical ZK arguments; private-key encryption; MACs; digital signatures; secure protocols & applications.
Citations on the arrows: [HILL90], [R90], [HNORV07], [GGM86], [N89], [GMW86], [NY89], [BCC86].
Label: pseudoentropy.

13 Application of Pseudoentropy
Thm [HILL90]: $\exists$ OWF $\Rightarrow$ $\exists$ PRG
Proof idea:
OWF → (to discuss) $X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$ → (repetitions) $X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$ → (hashing) PRG

14 Pseudoentropy from OWF
• Intuition: for a 1-1 OWF $f$ and $X \leftarrow \{0,1\}^n$
  – $H(X|f(X)) = 0$, but
  – $\forall$ poly-time $A$: $\Pr[A(f(X)) = X] = 1/n^{\omega(1)} = 1/2^{\omega(\log n)}$
    $\Rightarrow$ $X$ has “unpredictability entropy” $\omega(\log n)$ given $f(X)$ [HLR07]
• Challenges:
  – How to turn “unpredictability” into “pseudoentropy”?
  – When $f$ is not 1-1, unpredictability can be trivial.

15 Pseudoentropy from OWF
• Thm [HILL90]: $W = (f(X), H, H(X)_1, \ldots, H(X)_J)$ has pseudoentropy $\ge H(W) + \omega(\log n)/n$, where $H : \{0,1\}^n \to \{0,1\}^n$ is a certain kind of hash function, $X \leftarrow \{0,1\}^n$, $J \leftarrow \{1,\ldots,n\}$.
• Thm [HRV10,VZ11]: $(f(X), X_1, \ldots, X_n)$ has “next-bit pseudoentropy” $\ge n + \omega(\log n)$.
  – No hashing!
  – Total amount of pseudoentropy known & > $n$.
  – Get full $\omega(\log n)$ bits of pseudoentropy.

16 Next-bit Pseudoentropy
• Thm [HRV10,VZ11]: $(f(X), X_1, \ldots, X_n)$ has “next-bit pseudoentropy” $\ge n + \omega(\log n)$.
• Note: $(f(X), X)$ is easily distinguishable from every random variable of entropy > $n$.
• Next-bit pseudoentropy: $\exists (Y_1, \ldots, Y_n)$ s.t.
  – $(f(X), X_1, \ldots, X_i) \equiv^c (f(X), X_1, \ldots, X_{i-1}, Y_i)$
  – $H(f(X)) + \sum_i H(Y_i \mid f(X), X_1, \ldots, X_{i-1}) = n + \omega(\log n)$.

17 Consequences
• Simpler and more efficient construction of pseudorandom generators from one-way functions.
• [HILL90,H06]: OWF $f$ of input length $n$ $\Rightarrow$ PRG $G$ of seed length $O(n^8)$.
• [HRV10,VZ11]: OWF $f$ of input length $n$ $\Rightarrow$ PRG $G$ of seed length $O(n^3)$.

18 Unpredictability $\Rightarrow$ Pseudoentropy [previous work]
Assume: $Z$ has unpredictability entropy $\ge k$ given $Y$ (i.e. $\forall$ poly-time $A$: $\Pr[A(Y) = Z] \le 2^{-k}$).
• [Y82]: If $k \approx |Z|$, then $(Y,Z) \equiv^c (Y, U_k)$
• [GL89,HLR07]: $(Y, H, H(Z)) \equiv^c (Y, H, U_{k-\omega(\log n)})$
• [I95,H05]: If $|Z| = 1$, then $\exists Z'$ of “average min-entropy [DORS04]” $k$ given $X$ s.t. $(X,Z) \equiv^c (X,Z')$
Coping with info-theoretic unpredictability of $X$ given $f(X)$?
• [HILL90]: Use Leftover Hash Lemma to analyze prefix of $(f(X), H, H(X)_1, \ldots, H(X)_J)$.

19 Pseudoentropy, Hardness of Sampling
• Thm [VZ11]: Let $(Y,Z) \in \{0,1\}^n \times \{0,1\}^{O(\log n)}$.
  $Z$ has pseudoentropy $\ge H(Z|Y) + k$ given $Y$
  $\Updownarrow$
  There is no probabilistic poly-time $A$ s.t. $D((Y,Z) \,\|\, (Y,A(Y))) \le k$.
  [$D$ = Kullback-Leibler Divergence]
• Proof: variant of proofs of Impagliazzo’s Hardcore Lemma [I95,N95,H05,BHK09].

20 Pseudoentropy, Hardness of Sampling
• Thm [VZ11]: Let $(Y,Z) \in \{0,1\}^n \times \{0,1\}^{O(\log n)}$.
  $Z$ has pseudoentropy $\ge H(Z|Y) + k$ given $Y$
  $\Updownarrow$
  There is no probabilistic poly-time $A$ s.t. $D((Y,Z) \,\|\, (Y,A(Y))) \le k$.
• Cor [HRV10,VZ11]: $(f(X), X_1, \ldots, X_n)$ has next-bit pseudoentropy $n + \omega(\log n)$.

21 OWFs & Cryptography
[Diagram of implications between primitives]
Primitives: one-way functions; pseudorandom generators; target-collision-resistant hash functions (UOWHFs); statistically hiding commitments; pseudorandom functions; statistically binding commitments; zero-knowledge proofs; statistical ZK arguments; private-key encryption; MACs; digital signatures; secure protocols & applications.
Citations on the arrows: [HRV10, VZ11], [R90], [HNORV07], [GGM86], [N89], [GMW86], [NY89], [BCC86].
Label: next-bit pseudoentropy.

22 OWFs & Cryptography
[Diagram of implications between primitives]
Primitives: one-way functions; pseudorandom generators; target-collision-resistant hash functions (UOWHFs); statistically hiding commitments; pseudorandom functions; statistically binding commitments; zero-knowledge proofs; statistical ZK arguments; private-key encryption; MACs; digital signatures; secure protocols & applications.
Citations on the arrows: [HRV10, VZ11], [GGM86], [N89], [GMW86], [NY89], [BCC86].
Labels: next-bit pseudoentropy; inaccessible entropy [HRVW09, HHRVW10].

23 Inaccessible Entropy [HRVW09,HHRVW10]
• Example: if $h : \{0,1\}^n \to \{0,1\}^{n-k}$ is collision-resistant and $X \leftarrow \{0,1\}^n$, then
  – $H(X|h(X)) \ge k$, but
  – To an efficient algorithm, once it produces $h(X)$, $X$ is determined $\Rightarrow$ “accessible entropy” 0.
  – Accessible entropy $\ll$ Real Entropy!
• Thm [HRVW09]: $f$ a OWF $\Rightarrow$ $(f(X)_1, \ldots, f(X)_n, X)$ has accessible entropy $n - \omega(\log n)$.
  – Cf. $(f(X), X_1, \ldots, X_n)$ has pseudoentropy $n + \omega(\log n)$.
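
Added example (not part of the original slides): the real-entropy side of slide 23, together with the chain rule of slide 8 and the bounds of slide 9, computed exactly for a small hash. Assumptions: SHA-256 truncated to n-k bits stands in for h, and the names toy_hash and analyse and the values n=12, k=4 are illustrative only.

```python
import hashlib
from collections import Counter
from math import log2

def shannon(dist):
    """H(X) = E_x[log(1/Pr[X=x])] for a dict value -> probability."""
    return sum(p * log2(1 / p) for p in dist.values() if p > 0)

def min_entropy(dist):
    """H_inf(X) = min_x log(1/Pr[X=x])."""
    return log2(1 / max(dist.values()))

def max_entropy(dist):
    """H_0(X) = log |Supp(X)|."""
    return log2(sum(1 for p in dist.values() if p > 0))

def toy_hash(x, n, k):
    """Assumed stand-in for h: SHA-256 truncated to its top n-k bits."""
    digest = hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - (n - k))

def analyse(n=12, k=4):
    """Exact entropies of (X, Y) with X uniform on {0,1}^n and Y = h(X)."""
    size = 2 ** n
    joint = {(x, toy_hash(x, n, k)): 1 / size for x in range(size)}
    preimages = Counter(y for _, y in joint)        # |h^-1(y)| for each y
    dist_y = {y: c / size for y, c in preimages.items()}
    # Given Y = y, X is uniform on h^-1(y), so H(X | Y=y) = log |h^-1(y)|.
    h_x_given_y = sum((c / size) * log2(c) for c in preimages.values())
    return {
        "H(X,Y)": shannon(joint),
        "H(Y)": shannon(dist_y),
        "H(X|Y)": h_x_given_y,
        "Hmin(Y)": min_entropy(dist_y),
        "H0(Y)": max_entropy(dist_y),
    }

if __name__ == "__main__":
    for name, bits in analyse().items():
        print(f"{name:8s} = {bits:.4f} bits")
```

The computed H(X|h(X)) is the real entropy only; accessible entropy is a statement about what efficient algorithms can do after committing to h(X) and cannot be read off a probability table.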

24 Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
• “Secrecy”: pseudoentropy > real entropy
• “Unforgeability”: accessible entropy < real entropy

25 Research Directions
• Formally unify inaccessible entropy and pseudoentropy.
• OWF $f : \{0,1\}^n \to \{0,1\}^n$ $\Rightarrow$ pseudorandom generators of seed length $O(n)$?
• More applications of inaccessible entropy in crypto or complexity.

