Modulus Computational Entropy

Abstract

The so-called leakage-chain rule is a very important tool used in many security proofs. It gives an upper bound on the entropy loss of a random variable \(X\) in case the adversary who having already learned some random variables \(Z_{1},\ldots ,Z_{\ell }\) correlated with \(X\), obtains some further information \(Z_{\ell +1}\) about \(X\). Analogously to the information-theoretic case, one might expect that also for the computational variants of entropy the loss depends only on the actual leakage, i.e. on \(Z_{\ell +1}\). Surprisingly, Krenn et al. have shown recently that for the most commonly used definitions of computational entropy this holds only if the computational quality of the entropy deteriorates exponentially in \(|(Z_{1},\ldots ,Z_{\ell })|\). This means that the current standard definitions of computational entropy do not allow to fully capture leakage that occurred “in the past”, which severely limits the applicability of this notion.

As a remedy for this problem we propose a slightly stronger definition of the computational entropy, which we call the modulus computational entropy, and use it as a technical tool that allows us to prove a desired chain rule that depends only on the actual leakage and not on its history. Moreover, we show that the modulus computational entropy unifies other, sometimes seemingly unrelated, notions already studied in the literature in the context of information leakage and chain rules. Our results indicate that the modulus entropy is, up to now, the weakest restriction that guarantees that the chain rule for the computational entropy works. As an example of application we demonstrate a few interesting cases where our restricted definition is fulfilled and the chain rule holds.

This work was partly supported by the WELCOME/2010-4/2 grant founded within the framework of the EU Innovative Economy Operational Programme.

Appendices

A Tightness of the Leakage Lemma

Lemma 10

Let \(X\in \{0,1\}^{n}\) be a random variable, \(f:\,\{0,1\}^{m}\rightarrow \{0,1\}^{n}\) be a deterministic circuit of size \(s\) and \( \epsilon < \frac{1}{12}\). Then \(\widetilde{\mathbf {H}}^{{\mathrm {Metric}},{\mathrm {det}}\{0,1\},s,\epsilon }_{}\left( f(X)|X\right) < 3 \).

Proof

Consider the following distinguisher \(D\): on the input \((y,x)\), where \(x\in \{0,1\}^{m}\) and \(y\in \{0,1\}^{n}\), run \(f(x)\) and return \(1\) iff \(f(x)=y\). Then for every \(x\) we get \(D(f(x),x) = 1\). Let \(Y\) be any random variable over \(\{0,1\}^{n}\) such that \(\widetilde{\mathbf {H}}_{\infty }(Y|X) \geqslant 3\). Then by Lemma 1, with probability \(\frac{2}{3}\) over \(x\leftarrow X\) we have \( \mathbf {H}_{\infty }(Y|X=x) \geqslant 3-\log _{2}(3)\). Since \(D(y,x) = 0\) if \(y\not =x\), for any such \(x\) we have \(\mathbf {E}_{y \leftarrow Y|X=x} D\left( y, x \right) \leqslant 2^{-(3 - \log _2(3))} \leqslant \frac{3}{8}\), and thus, with probability \(\frac{2}{3}\) over \(x\leftarrow X\), we get \(\mathbf {E}_{y \leftarrow f(X)|X=x} D\left( y, x \right) - \mathbf {E}_{y \leftarrow Y|X=x} D\left( y, x \right) \geqslant \frac{5}{8}\). Taking the expectation over \(x\leftarrow X\) we obtain finally \(\mathbf {E}D( f(X), X )- \mathbf {E}D ( Y,X ) \geqslant \frac{2}{3}\cdot \frac{5}{8} - \frac{1}{3} \cdot 1 = \frac{1}{12}\).

We use this lemma to show that the estimate in Lemma 3 cannot be improved:

Theorem 10

(Tightness of the estimate in Lemma 3) Suppose that there exists an exponentially secure pseudorandom generator \(f\). Then for every \(m\) and \(C>0\) we have \( \mathbf {H}^{{\mathrm {HILL}},{\mathrm {rand}}\{0,1\}, 2^{\mathcal {O}\left( m \right) },\frac{1}{2^{\mathcal {O}\left( m \right) }}}_{}\left( f\left( U_m\right) \right) \geqslant m+C\) and simultaneously \( \widetilde{\mathbf {H}}^{{\mathrm {Metric}},{\mathrm {det}}\{0,1\}, {\mathrm {poly}}(m),\frac{1}{{\mathrm {poly}}(m)}}_{}\left( \left. f\left( U_m\right) \right| U_m\right) \leqslant 3\).

Proof

The first inequality follows from the definition of the exponentially secure pseudorandom generator. The second inequality is implied by Lemma 10.

B Metric Entropy vs Different Kinds of Distinguishers

Below we prove the equivalence between boolean and real valued distinguishers

Theorem 11

For any random variables \(X,Z\) over \(\{0,1\}^{n},\{0,1\}^{m}\) we have \( \mathbf {H}_{}^{{\mathrm {Metric}},\mathrm {det}[0,1], s',\epsilon }(X|Z) = \mathbf {H}_{}^{{\mathrm {Metric}},\mathrm {det}\{0,1\}, s,\epsilon }(X|Z) \), where \(s'\approx s\).

Proof

We only need to prove \(\mathbf {H}^{{\mathrm {Metric}},{\mathrm {det}}[0,1], s',\epsilon }_{}\left( X|Z\right) \geqslant \mathbf {H}_{\infty }^{{\mathrm {Metric}},\mathrm {det}\{0,1\}, s,\epsilon }\) as the other direction is trivial (because the class \(({\mathrm {det}}[0,1],s)\) is larger than \(({\mathrm {det}}\{0,1\},s)\)). Suppose that \(\mathbf {H}^{{\mathrm {Metric}},{\mathrm {det}}[0,1],s,\epsilon }_{}\left( X|Z\right) <k\). Then for some \(D\) and all \(Y\) satisfying \(\mathbf {H}_{\infty }\left( X|Z\right) \geqslant k\) we have \( \left| \mathbf {E}_{(x,z)\leftarrow (X,Z)}D(x,z) - \mathbf {E}_{(x,z)\leftarrow (Y,Z)}D(x,z) \right| \geqslant \epsilon \). Applying the same reasoning as in Theorem 6 we can replace \(D\) with \(D'\), which is equal either to \(D\) or to \(D^{c}\), obtaining for all distributions \(\mathbf {H}_{\infty }\left( Y|Z\right) \geqslant k\), the following:

$$\begin{aligned} \mathbf {E}D'(X,Z) - \mathbf {E}D'(Y,Z) \geqslant \epsilon . \end{aligned}$$

Consider the distribution \(\left( Y^{+},Z\right) \) minimizing the left side of the above inequality. Equivalently, it maximizes the expected value of \(D'\) under the condition \(\mathbf {H}_{\infty }\left( Y|Z\right) \geqslant k\). Since this condition means that \(\mathbf {H}_{\infty }\left( \left. Y^{+}\right| Z=z\right) \geqslant k\) for all \(z\), we conclude that \(\left. Y^{+}\right| Z=z\), for fixed \(z\), is distributed over \(2^k\) values of \(x\) giving the greatest values of \(D'(x,z)\). Calculating the expected values in the last inequality via integration of the tail yields

$$\begin{aligned} \int \limits _{t\in [0,1]}\mathbf {P}_{(x,z)\leftarrow (X,Z)}\left[ D(x,z) > t\right] \text{ d }t - \int \limits _{t\in [0,1]}\mathbf {P}_{(x,z)\leftarrow \left( Y^{+},Z\right) } \left[ D(x,z) > t\right] \text{ d }t \geqslant \epsilon \end{aligned}$$

therefore for some number \(t\in (0,1)\), the following holds:

$$\begin{aligned} \mathbf {P}_{(x,z)\leftarrow (X,Z)}\left[ D(x,z) > t\right] \geqslant \mathbf {P}_{(x,z)\leftarrow \left( Y^{+},Z\right) } \left[ D(x,z) > t\right] + \epsilon . \end{aligned}$$

Let \(D''\) be a \(\{0,1\}\)-distinguisher that for every \((x,z)\) outputs \(1\) iff \(D(x,z) > t\). Clearly \(D''\) is of size \(s+\mathcal {O}(1)\) and satisfies

$$\begin{aligned} \mathbf {E}_{(x,z)\leftarrow (X,Z)}D''(x,z) \geqslant \mathbf {E}_{(x,z)\leftarrow \left( Y^{+},Z\right) }D''(x,z) + \epsilon . \end{aligned}$$

We assumed that \((Y,Z)\) maximizes \(\mathbf {E}D'(Y,Z)\). Now we argue that \((Y,Z)\) is also maximal for \(D''\). We know that for every \(z\) the distribution \(Y_z\) is flat over the set \(\mathrm {Max}_{D'(\cdot ,z)}^{k}\) of \(2^k\) values of \(x\) corresponding to largest values of \(D'(x,z)\). It is easy to see that \(\mathrm {Max}_{D'(\cdot ,z)}^{k} = \mathrm {Max}_{D''(\cdot ,z)}^{k}\). Therefore, we have shown in fact that

$$\begin{aligned} \mathbf {E}_{(x,z)\leftarrow (X,Z)}D''(x,z) - \max \limits _{(Y,Z):\,\mathbf {H}_{\infty }(Y|Z)\geqslant k}\mathbf {E}_{(x,z)\leftarrow (Y,Z)}D''(x,z) \geqslant \epsilon , \end{aligned}$$

which means exactly that \(\mathbf {H}^{{\mathrm {Metric}},\{0,1\},s',\epsilon }_{}\left( X|Z\right) <k\).