Leftover Hash Lemma, Revisited (Crypto 2011)
Talk at Crypto 2011, August 15, 2011. Boaz Barak, Yevgeniy Dodis, Hugo Krawczyk, Olivier Pereira, Krzysztof Pietrzak, François-Xavier Standaert, and Yu Yu...
IACR
2.5K views • Oct 9, 2011
About this video
Talk at Crypto 2011, August 15, 2011.
Boaz Barak, Yevgeniy Dodis, Hugo Krawczyk, Olivier Pereira, Krzysztof Pietrzak, François-Xavier Standaert, and Yu Yu
Microsoft Research New England; New York University; IBM Research; Université Catholique de Louvain; CWI Amsterdam; Université Catholique de Louvain;and East China Normal University
Abstract. The famous Leftover Hash Lemma (LHL) states that (almost) universal hash functions are good randomness extractors. Despite its numerous applications, LHL-based extractors suffer from the following two drawbacks:
Large Entropy Loss: to extract $v$ bits from distribution $X$ of min-entropy $m$ which are $\epsilon$-close to uniform, one must set $v \le m - 2*\log(1/\epsilon)$, meaning that the entropy loss $L = m-v \ge 2*\log(1/\epsilon)$.
Large Seed Length: the seed length $n$ of (almost) universal hash function required by the LHL must be at least $n \ge \min(u-v, v + 2*\log(1/\epsilon))-O(1)$, where $u$ is the length of the source.
Quite surprisingly, we show that both limitations of the LHL — large entropy loss and large seed — can often be overcome (or, at least, mitigated) in various quite general scenarios. First, we show that entropy loss could be reduced to $L = \log (1/\epsilon)$ for the setting of deriving secret keys for a wide range of cryptographic applications. Specifically, the security of these schemes with an LHL-derived key gracefully degrades from $\epsilon$ to at most $\epsilon+\sqrt{\epsilon 2^{-L}}$. (Notice that, unlike standard LHL, this bound is meaningful even when one extracts more bits than the min-entropy we have!) Based on these results we build a general computational extractor that enjoys low entropy loss and can be used to instantiate a generic key derivation function for any cryptographic application.
Second, we study the soundness of the natural expand-then-extract approach, where one uses a pseudorandom generator (PRG) to expand a short "input seed" $S$ into a longer "output seed" $S'$, and then use the resulting $S'$ as the seed required by the LHL (or, more generally, by any randomness extractor). We show that, in general, the expand-then extract approach is not sound if the Decisional Diffie-Hellman assumption is true. Despite that, we show that it is sound either: (1) when extracting a "small" (logarithmic in the security of the PRG) number of bits; or (2) in minicrypt. Implication (2) suggests that the expand-then-extract approach is likely secure when used with "practical" PRGs, despite lacking a reductionist proof of security!
See http://www.iacr.org/cryptodb/data/paper.php?pubkey=23565
Boaz Barak, Yevgeniy Dodis, Hugo Krawczyk, Olivier Pereira, Krzysztof Pietrzak, François-Xavier Standaert, and Yu Yu
Microsoft Research New England; New York University; IBM Research; Université Catholique de Louvain; CWI Amsterdam; Université Catholique de Louvain;and East China Normal University
Abstract. The famous Leftover Hash Lemma (LHL) states that (almost) universal hash functions are good randomness extractors. Despite its numerous applications, LHL-based extractors suffer from the following two drawbacks:
Large Entropy Loss: to extract $v$ bits from distribution $X$ of min-entropy $m$ which are $\epsilon$-close to uniform, one must set $v \le m - 2*\log(1/\epsilon)$, meaning that the entropy loss $L = m-v \ge 2*\log(1/\epsilon)$.
Large Seed Length: the seed length $n$ of (almost) universal hash function required by the LHL must be at least $n \ge \min(u-v, v + 2*\log(1/\epsilon))-O(1)$, where $u$ is the length of the source.
Quite surprisingly, we show that both limitations of the LHL — large entropy loss and large seed — can often be overcome (or, at least, mitigated) in various quite general scenarios. First, we show that entropy loss could be reduced to $L = \log (1/\epsilon)$ for the setting of deriving secret keys for a wide range of cryptographic applications. Specifically, the security of these schemes with an LHL-derived key gracefully degrades from $\epsilon$ to at most $\epsilon+\sqrt{\epsilon 2^{-L}}$. (Notice that, unlike standard LHL, this bound is meaningful even when one extracts more bits than the min-entropy we have!) Based on these results we build a general computational extractor that enjoys low entropy loss and can be used to instantiate a generic key derivation function for any cryptographic application.
Second, we study the soundness of the natural expand-then-extract approach, where one uses a pseudorandom generator (PRG) to expand a short "input seed" $S$ into a longer "output seed" $S'$, and then use the resulting $S'$ as the seed required by the LHL (or, more generally, by any randomness extractor). We show that, in general, the expand-then extract approach is not sound if the Decisional Diffie-Hellman assumption is true. Despite that, we show that it is sound either: (1) when extracting a "small" (logarithmic in the security of the PRG) number of bits; or (2) in minicrypt. Implication (2) suggests that the expand-then-extract approach is likely secure when used with "practical" PRGs, despite lacking a reductionist proof of security!
See http://www.iacr.org/cryptodb/data/paper.php?pubkey=23565
Video Information
Views
2.5K
Likes
7
Duration
22:10
Published
Oct 9, 2011
User Reviews
3.9
(2) Related Trending Topics
LIVE TRENDSRelated trending topics. Click any trend to explore more videos.
No specific trending topics match this video yet.
Explore All Trends