Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington.

Published byAlexandra May Modified over 8 years ago

Similar presentations

Presentation on theme: "Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington."— Presentation transcript:

1 Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington U.), and Colin Jia Zheng (Harvard) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A Salil Vadhan Harvard University (on sabbatical at Microsoft Research SVC and Stanford)

2 Complexity-Based Cryptography  Shannon `49: Information-theoretic security is infeasible. –|Key| ¸ |All Encrypted Data| –On a standard, insecure communication channel.  Diffie & Hellman `76: Complexity-based cryptography –Assume adversary has limited computational resources –Base cryptography on hard computational problems –Enables public-key crypto, digital signatures, …

3 One-Way Functions [DH76]  Candidate: f(x,y) = x ¢ y Formally, a OWF is f : {0,1} n ! {0,1} n s.t.  f poly-time computable  8 poly-time A Pr[A(f(X)) 2 f -1 (f(X))] = 1/n ! (1) for X Ã {0,1} n x f(x) easy hard

4 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HILL90] [R90] [HNORV07] [GGM86] [N89] [GMW86] [NY89][BCC86]

5 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HILL90] [R90] [HNORV07] [GGM86] [N89] [GMW86] [NY89][BCC86]

6 Computational Entropy [Y82,HILL90,BSW03] Question: How can we use the “raw hardness” of a OWF to build useful crypto primitives? Answer (today’s talk):  Every crypto primitive amounts to some form of “computational entropy”.  One-way functions already have a little bit of “computational entropy”.

7 Entropy Def: The Shannon entropy of r.v. X is H(X) = E x à X [log(1/Pr[X=x)]  H(X) = “Bits of randomness in X (on avg)”  0 · H(X) · log |Supp(X)|  Conditional Entropy: H(X|Y) = E y à Y [H(X| Y=y )] X concentrated on single point X uniform on Supp(X)

8 Worst-Case Entropy Measures  Min-Entropy: H 1 (X) = min x log(1/Pr[X=x])  Max-Entropy: H 0 (X) = log |Supp(X)| H 1 (X) · H(X) · H 0 (X)

9 Computational Entropy A poly-time algorithm may “perceive” the entropy of X to be very different from H(X). Example: X=output of a “pseudorandom generator”

10 Computational Entropy A poly-time algorithm may “perceive” the entropy of X to be very different from H(X).  Example: a pseudorandom generator [BM82,Y82] G: {0,1} m ! {0,1} n –G(U m ) “computationally indistinguishable” from U n –But H(G(U m )) · m. e.g. G(N,x) = (lsb(x),lsb(x 2 mod N), lsb(x 4 mod N),…) for N=pq, x 2 Z N * is a PRG if factoring is hard [BBS82,ACGS82]. Def [GM82] : X ´ c Y iff 8 poly-time T Pr[T(X)=1] ¼ Pr[T(Y)=1]

11 Pseudoentropy Def [HILL90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t. 1.Y ´ c X 2.H(Y) ¸ k Interesting when k > H(X), i.e. Pseudoentropy > Real Entropy

12 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HILL90] [R90] [HNORV07] [GGM86] [N89] [GMW86] [NY89][BCC86] pseudoentropy

13 Application of Pseudoentropy Thm [HILL90]: 9 OWF ) 9 PRG Proof idea: OWF X with pseudo-min-entropy ¸ H 0 (X)+poly(n) X with pseudoentropy ¸ H(X)+1/poly(n) PRG to discuss repetitions hashing

14 Computational Setting: For 1-1 OWF f, X Ã {0,1} n : H(X|f(X))=0, but Information Theory: For jointly distributed (X,Y): ? Pseudoentropy from OWF: Intuition 8 poly-time A Pr[A(f(X))=X] · 1/n ! (1) X has “unpredictability entropy” ¸ ! (log n) given f(X) X has pseudoentropy ! (log n) given f(X) 8 function A Pr[A(Y)=X] · p X has “average min-entropy” ¸ log(1/p) given Y H(X|Y) ¸ log(1/p) def [HLR07] def [DORS04]

15 Computational Setting: For 1-1 OWF f, X Ã {0,1} n : H(X|f(X))=0, but FALSE! T(x,y) = [[f(x)= ? y]] distinguishes (X,f(X)) from every (Z,f(X)) with H(Z|f(X))>0 Challenges:  How to convert unpredictability into pseudoentropy?  When f not 1-1, unpredictability can be trivial. Pseudoentropy from OWF: Intuition 8 poly-time A Pr[A(f(X))=X] · 1/n ! (1) X has “unpredictability entropy” ¸ ! (log n) given f(X) X has pseudoentropy ! (log n) given f(X) def [HLR07]

16 Pseudoentropy from OWF  Thm [HILL90]: W=(f(X),H,H(X) 1,…H(X) J ) has pseudoentropy ¸ H(W)+ ! (log n)/n –H : {0,1} n ! {0,1} n a certain kind of hash func. –X Ã {0,1} n, J Ã {1,…,n}.  Thm [HRV10,VZ11]: (f(X),X 1,…,X n ) has “next-bit pseudoentropy” ¸ n+ ! (log n). –No hashing! –Total amount of pseudoentropy known & > n. –Get full ! (log n) bits of pseudoentropy.

17 Next-bit Pseudoentropy  Thm [HRV10,VZ11]: (f(X),X 1,…,X n ) has “next-bit pseudoentropy” ¸ n+ ! (log n).  Note: (f(X),X) easily distinguishable from every random variable of entropy > n.  Next-bit pseudoentropy: 9 (Y 1,…,Y n ) s.t. –(f(X),X 1,…,X i ) ´ c (f(X),X 1,…,X i-1,Y i ) – H(f(X))+  i H(Y i |f(X),X 1,…,X i-1 ) = n+ ! (log n).

18 Consequences  Simpler and more efficient construction of pseudorandom generators from one-way functions.  [HILL90,H06]: OWF f of input length n ) PRG G of seed length O(n 8 ).  [HRV10,VZ11]: OWF f of input length n ) PRG G of seed length O ~ (n 3 ).

19 Pseudoentropy, Unpredictability wrt KL Divergence  Thm [VZ11]: Let (Y,Z) 2 {0,1} n £ {0,1} O(log n). The pseudoentropy of Z given Y is ¸ H(Z|Y)+ ± m There is no probabilistic poly-time A s.t. D((Y,Z)||(Y,A(Y)) · ±. [D = Kullback-Liebler Divergence]  Special case: H(Z|Y)=0 –“Z has pseudoentropy ¸ ± ” iff “hard to predict Z with divergence · ± ” –Can’t take Z=f -1 (Y) for 1-1 OWF f since |f -1 (Y)|=n.

20 Pseudoentropy, Unpredictability wrt KL Divergence  Thm [VZ11]: Let (Y,Z) 2 {0,1} n £ {0,1} O(log n). The pseudoentropy of Z given Y is ¸ H(Z|Y)+ ± m There is no probabilistic poly-time A s.t. D((Y,Z)||(Y,A(Y)) · ±. [D = Kullback-Liebler Divergence]  Analogue of Impagliazzo’s Hardcore Thm [I95,N95,H05,BHK09] for Shannon entropy rather than min-entropy.

21 Next-Bit Pseudoentropy from OWF: Proof Sketch f a one-way function Given f(X), hard to achieve divergence O(log n) from X (f(X),X 1,…,X n ) has next-bit pseudoentropy ¸ n+ ! (log n) Given (f(X),X 1,…,X J ), hard to achieve divergence O(log n)/n from X J+1 thm Given (f(X),X 1,…,X J ), X J+1 has pseudoentropy ¸ entropy+ ! (log n)/n

22 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HRV10, VZ11] [R90] [HNORV07] [GGM86] [N89] [GMW86] [NY89][BCC86] next-bit pseudoentropy

23 Application of Next-Bit Pseudoentropy Thm [HILL90]: 9 OWF ) 9 PRG Proof outline [HRV10]: OWF Z’ with next-block pseudo-min-entropy ¸ |seed|+poly(n) Z=(f(U n ),U n ) with next-bit pseudoentropy ¸ n+ ! (log n) PRG done repetitions hashing

24 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HRV10, VZ11] [R90] [HNORV07] [GGM86] [N89] [GMW86] [NY89][BCC86] next-bit pseudoentropy

25 OWFs & Cryptography one-way functions pseudorandom generators target-collision-resistant hash functions (UOWHFs) statistically hiding commitments pseudorandom functions statistically binding commitments zero-knowledge proofs statistical ZK arguments private-key encryption MACs digital signatures secure protocols & applications [HRV10, VZ11] [GGM86] [N89] [GMW86] [NY89][BCC86] next-bit pseudoentropy inaccessible entropy [HRVW09, HHRVW10]

26 Inaccessible Entropy [HRVW09,HHRVW10]  Example: if h : {0,1} n ! {0,1} n-k is collision- resistant and X Ã {0,1} n, then –H(X|h(X)) ¸ k, but –To an efficient algorithm, once it produces h(X), X is determined ) “accessible entropy” 0. –Accessible entropy ¿ Real Entropy!  Thm [HRVW09]: f a OWF ) (f(X) 1,…,f(X) n,X) has accessible entropy n- ! (log n). –Cf. (f(X),X 1,…,X n ) has pseudoentropy n+ ! (log n).

27 Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. “Secrecy” pseudoentropy > real entropy “Unforgeability” accessible entropy < real entropy

28 Research Directions  Formally unify inaccessible entropy and pseudoentropy.  OWF f : {0,1} n ! {0,1} n ) Pseudorandom generators of seed length O(n)?  More applications of inaccessible entropy in crypto or complexity (or mathematics?)

Download ppt "Computational Entropy Joint works with Iftach Haitner (Tel Aviv), Thomas Holenstein (ETH Zurich), Omer Reingold (MSR-SVC), Hoeteck Wee (George Washington."

Similar presentations

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University
Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.

Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.

F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.

Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.
Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations

Ads by Google