Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University http://eecs.harvard.edu/~salil

Post on 28-Mar-2015

225 views

Category:

Documents


7 download

TRANSCRIPT

Page 1:

Randomness Extractors & their Cryptographic Applications

Salil Vadhan

Harvard University
http://eecs.harvard.edu/~salil

Page 2:

Motivation

Page 3:

Original Motivation [SV84, Vaz85, VV85, CG85, Vaz87, CW89, Zuc90, Zuc91]

• Randomization is pervasive in CS
  – Algorithm design, cryptography, distributed computing, …

• Typically assume a perfect random source.
  – Unbiased, independent random bits
  – Unrealistic?

• Can we use a “weak” random source?
  – Source of biased & correlated bits.
  – More realistic model of physical sources.

• (Randomness) Extractors: convert a weak random source into an almost-perfect random source.

Page 4:

CS Theory Applications of Extractors

• Derandomization of (poly-time/log-space) algorithms [Sip88, NZ93, INW94, GZ97, RR99, MV99, STV99, GW02]

• Distributed & Network Algs [WZ95, Zuc97, RZ98, Ind02]

• Hardness of Approximation [Zuc93, Uma99, MU01]

• Data Structures [Ta02]

• Metric Embeddings [Ind07]

• Unify many important “pseudorandom” objects
  – Hash Functions
  – Expander Graphs
  – Samplers
  – Pseudorandom Generators
  – Error-Correcting Codes

Page 5:

Crypto Applications of Extractors

• Privacy Amplification [BBR85]

• Pseudorandom Generators [HILL89]

• Protecting against Partial Key Exposure [CDHKS00]

• Crypto vs. Storage-bounded Adversaries [Lu02]

• Biometrics [DRS04]

• Statistically Hiding Commitments [NY89, DPP93]

• …

Page 6:

Outline

• Motivation

• Definition & Basics

• Cryptographic Applications

• Conclusions & a Glimpse Beyond

Page 7:

Definition & Basics

Page 8:

Weak Random Sources

• What is a source of biased & correlated bits?
  – Probability distribution X on $\{0,1\}^n$.
  – Must contain some “randomness”.
  – Want: no independence assumptions ⇒ one sample

• Measure of “randomness”
  – Shannon entropy:

No good:

  – Better [Chor-Goldreich 85, Zuckerman 90]: min-entropy

Page 9:

Min-entropy

• Def: X is a k-source if $H_\infty(X) \ge k$, i.e. $\Pr[X=x] \le 2^{-k}$ for all x.

• Examples:
  – Unpredictable Source [SV84]: $\forall\, i \in [n],\ b_1, \dots, b_{i-1} \in \{0,1\}$, the i-th bit is not too predictable given $X_1 \cdots X_{i-1} = b_1 \cdots b_{i-1}$.
  – Bit-fixing [CGH+85, BL85, LLS87, CW89]: Some k coordinates of X uniform, rest fixed (or even depend arbitrarily on the others).
  – Flat k-source: Uniform over $S \subseteq \{0,1\}^n$, $|S| = 2^k$.

• Fact [CG85]: every k-source is a convex combination of flat ones.

Page 10:

Extractors: 1st attempt

• A function $\mathrm{Ext} : \{0,1\}^n \to \{0,1\}^m$ s.t. $\forall$ k-source X, Ext(X) is “close” to uniform.

• Impossible! $\exists$ a set of $2^{n-1}$ inputs x on which the first bit of Ext(x) is constant ⇒ a flat (n−1)-source X that is bad for Ext.

[Figure: EXT takes a k-source of length n and outputs m almost-uniform bits]

Page 11:

Extractors [Nisan & Zuckerman ‘93]

• Def: A (k,ε)-extractor is $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ s.t. $\forall$ k-source X, $\mathrm{Ext}(X, U_d)$ is ε-close to $U_m$.

• Key point: the seed can be much shorter than the output.

• Goals: minimize seed length, maximize output length.

[Figure: EXT takes a k-source of length n and a d-bit random “seed” and outputs m almost-uniform bits]

Page 12:

Definitional Details

• $U_t$ = uniform distribution on $\{0,1\}^t$

• Measure of closeness: statistical difference (a.k.a. variation distance)
  $\Delta(X,Y) = \max_{T} \left| \Pr[T(X)=1] - \Pr[T(Y)=1] \right|$
  – T = “statistical test” or “distinguisher”
  – a metric, $\in [0,1]$, very well-behaved

• Def: X, Y are ε-close if $\Delta(X,Y) \le \varepsilon$.

Page 13:

Strong extractors

• Output looks random even after seeing the seed. (important in most crypto applications)

• Def: Ext is a (k,ε) strong extractor if $\mathrm{Ext}'(x,y) = y \circ \mathrm{Ext}(x,y)$ is a (k,ε) extractor.

• i.e. $\forall$ k-sources X, for a $1-\varepsilon'$ fraction of $y \in \{0,1\}^d$, $\mathrm{Ext}(X,y)$ is ε′-close to $U_m$.

• In this talk, “extractor” ≡ “strong extractor”.

Page 14:

The Parameters

• The min-entropy k:
  – High min-entropy: $k = n - a$, $a = o(n)$
  – Constant entropy rate: $k = \Omega(n)$
  – Middle (hardest) range: $k = n^{\delta}$, $0 < \delta < 1$
  – Low min-entropy: $k = n^{o(1)}$

• The error ε:
  – In crypto apps, ε ≈ Pr[adversary “breaks” scheme] (very small)

• The output length m:
  – Certainly $m \le k$.
  – Can this be achieved?

Page 15:

The Optimal Extractor

• Thm [Sip88, RT97]: For every $k \le n$, $\exists$ a (k,ε)-extractor w/
  – Seed length $d = \log(n-k) + 2\log(1/\varepsilon) + O(1)$
  – Output length $m = k - 2\log(1/\varepsilon) - O(1)$

  “extract almost all the min-entropy w/ a logarithmic seed”

• Pf Sketch: Probabilistic Method.
  – Show that for a random Ext, Pr[Ext is not a (k,ε)-extractor] < 1.
  – By a union bound over flat k-sources X on $\{0,1\}^n$ and statistical tests $T \subseteq \{0,1\}^m$.

Page 16:

The Optimal Extractor

• Thm: For every $k \le n$, $\exists$ a (k,ε)-extractor w/
  – Seed length $d = \log(n-k) + 2\log(1/\varepsilon) + O(1)$
  – Output length $m = k - 2\log(1/\varepsilon) - O(1)$

• Thm [NZ93, RT97]: The above is tight up to additive constants.

• For applications, need explicit extractors:
  – Ext(x,y) computable in time poly(n).
  – A random extractor requires space $\ge 2^n$ even to store!

• A long line of research has sought to approach the above bounds with explicit constructions.

Page 17:

Extractors as Hash Functions

[Figure: $h_y : \{0,1\}^n \to \{0,1\}^m$ applied to a flat k-source, i.e. a set of size $2^k \gg 2^m$]

For most y, $h_y$ maps sets of size $K = 2^k$ almost uniformly onto the range.

Page 18:

Extractors from Hash Functions

• Leftover Hash Lemma [BBR85, ILL89]: universal (i.e. pairwise independent) hash functions yield strong extractors
  – output length: $m = k - 2\log(1/\varepsilon) - O(1)$
  – seed length: $d = n + m$
  – example: $\mathrm{Ext}(x,(a,b))$ = first m bits of $a \cdot x + b$ in $\mathrm{GF}(2^n)$

• Almost pairwise independence [SZ94, GW94]:
  – seed length: $d = O(\log n + k)$
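To make the Leftover Hash Lemma and the strong-extractor definition of Page 13 concrete, here is an added worked example in Python (mine, not code from the slides). It implements the slide's example hash, Ext(x,(a,b)) = first m bits of a·x + b in GF(2^n), with n = 8 and the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (my choice of field; the slides fix no polynomial), builds a constructed flat 6-source, and measures the average over all seeds y of the statistical difference between Ext(X,y) and U_m, which is exactly the strong-extractor error, against the LHL bound (1/2)·2^{(m−k)/2}. It also checks the pairwise-independence property the lemma relies on.

```python
"""Leftover Hash Lemma extractor over GF(2^n): added worked example, not from the slides."""
from collections import Counter
from itertools import product

N = 8            # source length n in bits; tiny so that every seed can be enumerated
IRRED = 0x11B    # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (AES polynomial; my choice)


def gf_mul(a: int, b: int, n: int = N, mod: int = IRRED) -> int:
    """Multiply a and b in GF(2^n) = GF(2)[x]/(mod); elements are n-bit ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce by the modulus
            a ^= mod
    return r


def ext(x: int, a: int, b: int, m: int, n: int = N) -> int:
    """Ext(x,(a,b)) = first m bits of a*x + b in GF(2^n).

    Only m bits of b affect the first m output bits, so the seed is (a, b) with
    |a| = n and |b| = m, i.e. d = n + m as on the slide.
    """
    y = gf_mul(a, x, n)
    return (y >> (n - m)) ^ b   # top m bits, then add b (addition in GF(2^n) is XOR)


def stat_dist(dist: dict, m: int) -> float:
    """Statistical difference Delta(dist, U_m) = (1/2) * sum_v |dist(v) - 2^-m|."""
    u = 2.0 ** -m
    return 0.5 * sum(abs(dist.get(v, 0.0) - u) for v in range(2 ** m))


def strong_extractor_error(source: list, m: int, n: int = N) -> float:
    """Average over all seeds y=(a,b) of Delta(Ext(X,y), U_m) for X uniform on `source`.

    This equals Delta((Y, Ext(X,Y)), (Y, U_m)): the error of Ext as a *strong* extractor,
    where the seed is public and the output must still look uniform.
    """
    seeds = list(product(range(2 ** n), range(2 ** m)))
    total = 0.0
    for a, b in seeds:
        counts = Counter(ext(x, a, b, m, n) for x in source)
        dist = {v: c / len(source) for v, c in counts.items()}
        total += stat_dist(dist, m)
    return total / len(seeds)


def lhl_bound(k: int, m: int) -> float:
    """Leftover Hash Lemma: a universal hash is a (k, eps) strong extractor, eps = (1/2)*sqrt(2^(m-k))."""
    return 0.5 * 2.0 ** ((m - k) / 2)


def is_pairwise_independent(x1: int, x2: int, m: int, n: int = N) -> bool:
    """For x1 != x2, (h_y(x1), h_y(x2)) must be uniform over all 2^m * 2^m pairs as y=(a,b) varies."""
    pairs = Counter((ext(x1, a, b, m, n), ext(x2, a, b, m, n))
                    for a in range(2 ** n) for b in range(2 ** m))
    return len(pairs) == 4 ** m and len(set(pairs.values())) == 1


# Constructed flat 6-source on {0,1}^8: the two high bits are fixed to 11, the low six are
# uniform (a bit-fixing source with k = 6, i.e. a set S of size 2^6).
FLAT_6_SOURCE = list(range(0xC0, 0x100))
K, M = 6, 2


if __name__ == "__main__":
    assert gf_mul(0x53, 0xCA) == 0x01    # 0x53 and 0xCA are inverses in the AES field
    err = strong_extractor_error(FLAT_6_SOURCE, M)
    print(f"strong-extractor error = {err:.4f}, LHL bound = {lhl_bound(K, M):.4f}")
    print("pairwise independent:", is_pairwise_independent(0x01, 0x02, M))
```

The measured error stays under the bound even though a few seeds are terrible (a = 0 maps the whole source to the constant b); that is the "for a 1 − ε′ fraction of seeds" picture of Page 13 in numbers. Extracting more bits from the same 6-source (larger m) pushes the bound up as 2^{(m−k)/2}, which is why the output length loses the 2·log(1/ε) term on the slide.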

Page 19:

Application: Randomized algorithms w/ a weak source [Zuckerman ‘90, ‘91]

[Figure: a k-source plus a d-bit seed go through EXT to give m almost-uniform bits, which drive a randomized algorithm on input x that outputs accept/reject with small error probability]

• Run the algorithm using all $2^d$ seeds & output the majority.

• Only polynomial slowdown, provided $d = O(\log n)$ and Ext is explicit.

Page 20:

Cryptographic Applications

Page 21:

Crypto with Weak Random Sources?

• Enumerating seeds doesn't work.
  – e.g. get several encryptions of a message, most of which are “secure”

• Thm [MP97, DOPS04]: Most crypto tasks are impossible with only an (n−1)-source.
  – Encryption, commitment, secret sharing, zero knowledge, …

• Alternative: Seek “seedless” extractors for restricted classes of sources.
  – Bit-fixing sources [KZ03], several independent weak sources [CG88, BIW04, DEOR04, BKSSW04, Raz05, Rao06, BRSW06], efficiently samplable sources [TV00, KM04, KRVZ06], …

• Thm [BD07]: Secure encryption is only possible for classes of sources for which there exist seedless extractors.

Page 22:

Seeded Extractors in Crypto

• Common setting: entropy gaps
  – To parties A, B, …, string X has little or no “entropy”
  – To parties E, F, …, string X has a lot of “entropy”

• After extraction:
  – To parties A, B, …, r.v. Ext(X) still has little or no “entropy”
  – To parties E, F, …, r.v. Ext(X) is indistinguishable from uniform

• Question: where to get the seed?
  – Various solutions, depending on the application

Page 23:

Privacy Amplification [Bennett, Brassard, Robert ‘85]

• Setting: honest parties A, B hold a string X about which adversary E has imperfect information.

• X is (close to) a k-source conditioned on E's view.

• Ext(X,R) is close to uniform conditioned on E's view & R.

• Seed R may be sent in the clear or shared in advance.

Page 24:

Key Agreement w/ a Noisy Channel [BBR85]

[Figure: Alice samples $X \leftarrow \{0,1\}^n$ and sends it over a noisy communication channel; Bob receives Y, Eve receives Z]
⇒ w.h.p. Alice & Bob “share some randomness” unknown to Eve

[Figure: Information Reconciliation Protocol between Alice (holding X) and Bob (holding Y); afterwards Bob holds X w.h.p., and Eve's view is $Z'$]
⇒ w.h.p. over $z \leftarrow Z'$, $X \mid Z'=z$ is a k-source for large k.

[Figure: Alice sends a random seed R; Alice computes $K = \mathrm{Ext}(X,R)$, Bob computes $K = \mathrm{Ext}(Y,R)$ (which equals $\mathrm{Ext}(X,R)$ once Y = X after reconciliation); Eve's view is $Z'' = (Z', R)$]
⇒ w.h.p. over $z \leftarrow Z''$, $K \mid Z''=z$ is ε-close to uniform.

Page 25:

The Bounded-Storage Model [Maurer 90]

[Figure: a length-n stream of truly random bits; the adversary has storage s; honest parties apply EXT to the stream with a seed]

• High-rate source of truly random bits.

• Lemma: conditioned on the adversary's state, we have an (n−s)-source w.h.p.

⇒ The output of the extractor looks uniform to the adversary [NZ93, Lu02]

Page 26:

Proof of Lemma

Lemma: (X,Z) (correlated) random vars, X a k-source and $|Z| = s$ ⇒ w.p. $\ge 1 - \varepsilon$ over $z \leftarrow Z$, $X \mid Z=z$ is a $(k - s - \log(1/\varepsilon))$-source.

Proof: Let $\mathrm{BAD} = \{\, z : \Pr[Z=z] \le \varepsilon \cdot 2^{-s} \,\}$. Then
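The rest of the argument, carried through here as an added derivation in the slide's own symbols (my completion, not part of the transcript):

$$\Pr[Z \in \mathrm{BAD}] \;=\; \sum_{z \in \mathrm{BAD}} \Pr[Z=z] \;\le\; |\mathrm{BAD}| \cdot \varepsilon\, 2^{-s} \;\le\; 2^{s} \cdot \varepsilon\, 2^{-s} \;=\; \varepsilon,$$

since Z takes at most $2^s$ values. For every $z \notin \mathrm{BAD}$ and every x,

$$\Pr[X=x \mid Z=z] \;=\; \frac{\Pr[X=x \wedge Z=z]}{\Pr[Z=z]} \;\le\; \frac{\Pr[X=x]}{\Pr[Z=z]} \;\le\; \frac{2^{-k}}{\varepsilon\, 2^{-s}} \;=\; 2^{-(k - s - \log(1/\varepsilon))},$$

so $H_\infty(X \mid Z=z) \ge k - s - \log(1/\varepsilon)$ for every z outside BAD, i.e. with probability at least $1-\varepsilon$ over $z \leftarrow Z$. In the bounded-storage model of Page 25 the stream X is uniform on $\{0,1\}^n$ (an n-source) and Z is the adversary's s-bit state, which gives the $(n - s - \log(1/\varepsilon))$-source behind the “(n−s)-source w.h.p.” stated there.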

Page 27:

The Bounded-Storage Model

[Figure: as on Page 25]

Doing Cryptography:
• Seed = shared secret key
• Output of extractor = use for encryption (one-time pad), message authentication
• Strong extractor ⇒ seed reusable, secure even if the key is compromised later (“everlasting security” [ADR99])

Page 28:

The Bounded-Storage Model

[Figure: as on Page 25]

Additional Constraint: honest parties should only have to read a small # of bits from the source, i.e. EXT should be “locally computable” [L02, V03] (easily achieved using techniques from the extractor literature)

Page 29:

Extractors & Biometrics [Dodis, Reyzin, Smith ‘03]

Goal: use biometric data (e.g. your fingerprint F) as crypto keys

Problem: biometric data is not uniform
• But it seems to have significant min-entropy
⇒ use K = Ext(F,R) instead

[Figure: enrollment: the user's fingerprint F goes to the client, which sends (K, R) to the server; later the server sends R, the client computes K = Ext(F,R), and a session starts]

Page 30:

Extractors & Biometrics

Problem 2: biometric data is not reliable
• Multiple readings will produce non-identical, but “close” (e.g. in Hamming distance) values

Want: a value C = C(F) s.t.
• F can be recovered from C and any F′ δ-close to F
• F still has high min-entropy given C

[Figure: the server stores (K, R); the user's new reading F′ goes to the client; the server sends R, C; the client computes F = Rec(F′, C) and K = Ext(F,R); a session starts]

Page 31:

Extractors & Biometrics

Want: a value C = C(F) s.t.
• F can be recovered from C and any F′ δ-close to F
• F still has high min-entropy given C

Solution: $C = F \oplus Z$
• Z = a random codeword in an error-correcting code of relative minimum distance > 2δ and rate 1 − γ
• Reduces the min-entropy rate by at most γ

[Figure: the server stores (K, R, C); the user's new reading F′ goes to the client; the server sends R, C; the client computes F = Rec(F′, C) and K = Ext(F,R); a session starts]
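Here is an added worked example in Python (mine, not code from the slides) of the C = F ⊕ Z construction with its recovery procedure, i.e. the "reconcile, then extract" pattern of Page 24 and the enrollment/authentication flow of Pages 29–31. Assumptions of mine: the error-correcting code is a 5-fold repetition code (rate 1/5, corrects up to 2 flips per block), the reading F is a constructed 40-bit string, and the extractor is the inner-product hash Ext(x, R) = R·x over GF(2) (each output bit is an inner product ⟨x, r_i⟩ with a row of the seed), which is a universal hash and so a strong extractor by the Leftover Hash Lemma.

```python
"""Fuzzy extractor from the sketch C = F xor Z: added example, not from the slides."""
import random

REP = 5                    # repetition factor; my toy choice of error-correcting code
MSG_BITS = 8               # information bits per codeword
N = MSG_BITS * REP         # |F| = 40 bits (constructed toy size)
T = (REP - 1) // 2         # flips per block the code corrects (2)


def encode(msg):
    """Repetition code: each information bit is repeated REP times (rate 1/REP)."""
    return [b for b in msg for _ in range(REP)]


def decode(word):
    """Nearest codeword by majority vote per block; corrects up to T flips in each block."""
    return [1 if sum(word[i * REP:(i + 1) * REP]) > REP // 2 else 0 for i in range(MSG_BITS)]


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def sketch(f, rng):
    """C = F xor Z with Z a uniformly random codeword (Page 31).

    Given C, F is pinned down only up to the 2^MSG_BITS choices of Z, so C leaks at most
    N - MSG_BITS bits: the min-entropy rate of F drops by at most 1 - rate, as the slide says.
    """
    z = encode([rng.randrange(2) for _ in range(MSG_BITS)])
    return xor(f, z)


def recover(f_prime, c):
    """Rec(F', C): F' xor C = Z xor e, where e = F xor F' is the reading noise.
    Decoding strips e whenever it has at most T ones per block; then F = C xor Z."""
    z = encode(decode(xor(f_prime, c)))
    return xor(c, z)


def ext(x, rows):
    """Ext(x, R) = R x over GF(2): output bit i is the inner product <x, r_i> mod 2
    (a universal hash, hence a strong extractor by the Leftover Hash Lemma)."""
    return tuple(sum(a & b for a, b in zip(x, r)) & 1 for r in rows)


def gen(f, m, rng):
    """Enrollment: the server stores the key K = Ext(F, R) and the public helper (R, C)."""
    rows = [[rng.randrange(2) for _ in range(N)] for _ in range(m)]
    return ext(f, rows), (rows, sketch(f, rng))


def rep(f_prime, helper):
    """Authentication: the client recovers F from a fresh reading F' and recomputes K."""
    rows, c = helper
    return ext(recover(f_prime, c), rows)


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed 40-bit "fingerprint" (a stand-in bit pattern, not real biometric data)
F = [int((i * 7 + 3) % 5 < 2) for i in range(N)]


def demo(seed=2024, m=16):
    """Enroll F, then authenticate with a tolerable and with an intolerable amount of noise."""
    rng = random.Random(seed)             # seeded only so the demo is reproducible
    key, helper = gen(F, m, rng)
    noisy = flip(F, [0, 3, 12, 21, 39])   # at most T = 2 flips in every 5-bit block
    too_noisy = flip(F, [0, 1, 2])        # 3 flips in block 0 defeat the majority vote
    return {
        "key_len": len(key),
        "recovered_ok": recover(noisy, helper[1]) == F,
        "same_key": rep(noisy, helper) == key,
        "recovered_bad": recover(too_noisy, helper[1]) == F,
    }


if __name__ == "__main__":
    print(demo())
```

The second authentication shows the failure mode: once a block carries more than T flips, Rec returns a different string and the derived key changes, so the code's distance must be chosen against the worst-case reading noise, not the average. In the privacy-amplification view of Page 24, C plays the role of the reconciliation messages and R the seed sent in the clear; both are visible to the adversary, which is why the extractor has to be strong.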

Page 32:

Comparing Applications

Application             | Low Entropy                  | High Entropy                          | Add'l Properties
Privacy Amplification   | $H(X \mid \text{Honest})$    | $H_\infty(X \mid \text{Adversary})$   |
Bounded-Storage Model   | ''                           | ''                                    | Locally computable
Biometrics (Fuzzy Ext)  | ''                           | ''                                    | Handle noisy X

Page 33:

Statistically Hiding Commitments from CRHF [Naor-Yung ‘89, Damgård-Petersen-Pfitzmann ‘93]

[Figure: sender S and receiver R. R picks F from the CRHF family $\{\, F : \{0,1\}^n \to \{0,1\}^{n-k} \,\}$ and sends it. COMMIT: S picks $X \leftarrow \{0,1\}^n$ and sends $F(X)$, $R$, committing to $M = \mathrm{Ext}(X,R) \in \{0,1\}^t$. REVEAL: S sends (M, X); R outputs accept/reject.]

• $H_\infty(X \mid F(X), F) \ge k$

• $H_{\mathrm{com}}(X \mid F(X), F) = 0$

• M is ε-close to $U_t$ given R's view

• $H_{\mathrm{com}}(M) = 0$ given S's view

Page 34:

Statistically Hiding Commitments from CRHF [Naor-Yung ‘89, Damgård-Petersen-Pfitzmann ‘93]

[Figure: as on Page 33, now with a cheating receiver R* choosing $F^*$ and a cheating sender S* choosing $X^*$. COMMIT: $F(X)$, $R$, $M = \mathrm{Ext}(X,R)$. REVEAL: (M, X); accept/reject.]

• $H_\infty(X \mid F^*(X), F^*) \ge k$

• $H_{\mathrm{com}}(X^* \mid F(X^*), F) = 0$

• M is ε-close to $U_t$ given R*'s view

• $H_{\mathrm{com}}(M) = 0$ given S*'s view
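An added worked example in Python (mine; the slides give no code for the Naor-Yung / Damgård-Petersen-Pfitzmann protocol) of the commit/reveal flow on Pages 33–34. Assumptions of mine: SHA-256 stands in for the receiver's compressing CRHF F : {0,1}^n → {0,1}^{n−k} with n = 512 and n − k = 256, so k = 256 bits of min-entropy remain in X given F(X); the extractor is the inner-product hash Ext(x, R) = R·x over GF(2) with t = 32 output bits, so the committed string M = Ext(X,R) is statistically close to U_t given (F(X), R); and a commitment to a chosen message is obtained by one-time-padding it with M.

```python
"""Statistically hiding commitment from a CRHF plus an extractor: added example, not from the slides."""
import hashlib
import random

N_BITS = 512   # |X| = n; SHA-256 maps 512 -> 256 bits, so n - k = 256 and k = 256 (my stand-in for F)
T = 32         # length t of the committed string M (my choice; t << k keeps M close to U_t given F(X), R)


def F(x):
    """Stand-in for the receiver's CRHF F : {0,1}^n -> {0,1}^{n-k} (SHA-256 over the 64-byte X)."""
    return hashlib.sha256(x.to_bytes(N_BITS // 8, "big")).digest()


def ext(x, rows):
    """Ext(x, R) = R x over GF(2): output bit i is the parity of x & r_i, i.e. the inner product <x, r_i>."""
    out = 0
    for i, r in enumerate(rows):
        out |= (bin(x & r).count("1") & 1) << i
    return out


def commit(rng):
    """COMMIT (sender S): X <- {0,1}^n and seed R; S sends F(X) and R; M = Ext(X, R) is the committed string."""
    x = rng.getrandbits(N_BITS)
    rows = [rng.getrandbits(N_BITS) for _ in range(T)]
    m = ext(x, rows)
    view = (F(x), rows)          # everything the receiver sees in the commit phase
    return m, x, view


def verify(view, m, x):
    """REVEAL (receiver R) on (M, X): accept iff F(X) matches and M = Ext(X, R).
    Opening to a different M would need some X* != X with F(X*) = F(X), a collision in F."""
    fx, rows = view
    return F(x) == fx and ext(x, rows) == m


def commit_to(message, rng):
    """Commit to a chosen t-bit message: publish message xor M next to the commitment (one-time pad)."""
    m, x, view = commit(rng)
    return (view, message ^ m), x


def open_to(com, x):
    """Open a commit_to commitment: returns the message, or None when the opening is rejected."""
    view, masked = com
    fx, rows = view
    if F(x) != fx:
        return None
    return masked ^ ext(x, rows)


def demo(seed=5, message=0x5EC0DE):
    """Honest run plus cheating openings; returns the receiver's decisions."""
    rng = random.Random(seed)            # seeded only so the demo is reproducible
    m, x, view = commit(rng)
    com, x2 = commit_to(message, rng)
    return {
        "honest_accepted": verify(view, m, x),
        "wrong_m_rejected": not verify(view, m ^ 1, x),
        "wrong_x_rejected": not verify(view, m, x ^ 1),
        "message_roundtrip": open_to(com, x2) == message,
        "bad_opening": open_to(com, x2 ^ 1),
    }


if __name__ == "__main__":
    print(demo())
```

The two entropy bullets of the slide map onto the code directly: after seeing F(X) the receiver has lost at most 256 of the 512 bits of X, and extracting only t = 32 of the remaining 256 leaves M within 2^{−(256−32)/2} of uniform in the receiver's view (hiding), while the sender is pinned to X by F(X) and hence to M (binding, computationally). The demo cannot exhibit hiding or a collision, only the accept/reject logic; the point of the example is which values each party gets to see.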

Page 35:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

Goal: transform a one-to-one OWF $f : \{0,1\}^n \to \{0,1\}^m$ into a PRG $G : \{0,1\}^a \to \{0,1\}^b$

• $H(X \mid f(X)) = 0$ (b/c f is one-to-one)
• X computationally unpredictable given f(X)

• $H(G(Y)) = a$
• G(Y) computationally indistinguishable from $U_b$

Page 36:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(\langle X,R\rangle \mid f(X), R) = 0$
• $\langle X,R\rangle$ indistinguishable from $U_1$ given f(X), R (hardcore bit [GL89])

• $H(X \mid f(X)) = 0$ (b/c f is one-to-one)
• X computationally unpredictable given f(X)

Page 37:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(\langle X,R\rangle \mid f(X), R) = 0$
• $\langle X,R\rangle$ indistinguishable from $U_1$ given f(X), R (hardcore bit [GL89])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

Page 38:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(\mathrm{Ext}_1(X,R) \mid f(X), R) = 0$
• $\mathrm{Ext}_1(X,R)$ indistinguishable from $U_{\log n}$ given f(X), R (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$

Page 39:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F(Z)) = |Z|$
• $\mathrm{Ext}_1(X,R)$ indistinguishable from $U_{\log n}$ given f(X), R (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$

Page 40:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F(Z)) = |Z|$
• F(Z) comp. indist. from a dist. w/ min-entropy $|Z| + \log n$ (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$: a “pseudoentropy generator”

Page 41:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F(Z)) = |Z|$
• $H^{pe}_\infty(F(Z)) = |Z| + \log n$ (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$: a “pseudoentropy generator”

Page 42:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F^k(Z^k)) = |Z^k|$
• $H^{pe}_\infty(F^k(Z^k)) = |Z^k| + k \cdot \log n$ (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$: a “pseudoentropy generator”

Page 43:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F^k(Z^k)) = |Z^k|$
• $H^{pe}_\infty(F^k(Z^k)) = |Z^k| + k \cdot \log n$ (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$

Efficient extractor:
• $H(G(Z^k, S)) \le |S| + |Z^k|$
• $G(Z^k, S)$ indist. from $(S, U_{|Z^k|+1})$

$G(Z^k, S) = (S, \mathrm{Ext}_2(F^k(Z^k), S))$

Page 44:

Pseudorandom Generators from 1-1 OWF [Håstad-Impagliazzo-Levin-Luby ‘89]

• $H(F^k(Z^k)) = |Z^k|$
• $H^{pe}_\infty(F^k(Z^k)) = |Z^k| + k \cdot \log n$ (extractor w/ efficient “list-decoding” [TZ01])

• $H(X \mid f(X)) = 0$
• $H^{u}_\infty(X \mid f(X)) = \omega(\log n)$

$F(X,R) = (f(X), R, \mathrm{Ext}_1(X,R))$

Efficient extractor:
• $H(G(Y)) \le |Y|$
• $G(Y)$ indist. from $U_{|Y|+1}$

$G(Z^k, S) = (S, \mathrm{Ext}_2(F^k(Z^k), S))$

Page 45:

Comparing Applications

Application             | Low Entropy                              | High Entropy                          | Add'l Properties
Privacy Amplification   | $H(X \mid \text{Honest})$                | $H_\infty(X \mid \text{Adversary})$   |
Bounded-Storage Model   | ''                                       | ''                                    | Locally computable
Biometrics (Fuzzy Ext)  | ''                                       | ''                                    | Handle noisy X
CRHF ⇒ SHC              | $H_{\mathrm{com}}(X^* \mid F(X^*), F)$   | $H_\infty(X \mid F^*(X), F^*)$        |
1-1 OWF ⇒ PEG           | $H(X \mid f(X))$                         | $H^{u}_\infty(X \mid f(X))$           |  Efficient list-decoding
PEG ⇒ PRG               | $H(F(Z))$                                | $H^{pe}_\infty(F(Z))$                 | Efficient extractor

Page 46:

Conclusions

• Randomness extractors address a basic problem in crypto: exploiting asymmetry of information.

• The language and basic results are as important as the actual constructions.

• Interplay between cryptography, theory of computation, probability & information theory (also combinatorics, algebra, …)

Page 47:

Further Reading

• N. Nisan and A. Ta-Shma. Extracting randomness: a survey and new constructions. Journal of Computer & System Sciences, 58 (1):148-173, 1999.

• R. Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of EATCS, 77:67-95, June 2002.

• S. Vadhan. Randomness extractors & their many guises. Slides from tutorial at FOCS `02.

• S. Vadhan. Course Notes for CS225: Pseudorandomness. http://eecs.harvard.edu/~salil/cs225