Abstract
This paper addresses deterministic public-key encryption schemes (DE), which are designed to provide meaningful security when the only source of randomness in the encryption process comes from the message itself. We propose a general construction of DE that unifies prior work and gives novel schemes. Specifically, its instantiations include:

The first construction from any trapdoor function that has sufficiently many hardcore bits.

The first construction that provides “bounded” multi-message security (assuming lossy trapdoor functions).
The security proofs for these schemes are enabled by three tools that are of broader interest:

A weaker and more precise sufficient condition for semantic security on a high-entropy message distribution. Namely, we show that to establish semantic security on a distribution M of messages, it suffices to establish indistinguishability for all conditional distributions M∣E, where E is an event of probability at least 1/4. (Prior work required indistinguishability on all distributions of a given entropy.)

A result about computational entropy of conditional distributions. Namely, we show that conditioning on an event E of probability p reduces the quality of computational entropy by a factor of p and its quantity by log_2(1/p).

A generalization of the leftover hash lemma to correlated distributions.
We also extend our result about computational entropy to the average case, which is useful in reasoning about leakage-resilient cryptography: leaking λ bits of information reduces the quality of computational entropy by a factor of 2^{λ} and its quantity by λ.
1 Introduction
Public-key cryptosystems require randomness: indeed, if the encryption operation is deterministic, the adversary can simply use the public key to verify that the ciphertext c corresponds to its guess of the plaintext m by encrypting m. However, such an attack requires the adversary to have a reasonably likely guess for m in the first place. Recent results on deterministic public-key encryption (DE) (building on previous work in the one-time, information-theoretic symmetric-key setting [18, 22, 56], and described in more detail below) have studied how to achieve security when the randomness comes only from m itself [4, 6, 11, 12, 35, 44, 50, 63]. DE has a number of practical applications, such as efficient search on encrypted data and securing legacy protocols (cf. [4]). It is also interesting from a foundational standpoint; indeed, its study has proven useful in other contexts: Bellare et al. [5] show how it extends to a notion of “hedged” public-key encryption that reduces dependence on external randomness for probabilistic encryption more generally, Dent et al. [17] adapt its notion of privacy to a notion of confidentiality for digital signatures, and (subsequent to our work) Bellare, Keelveedhi, and Ristenpart [8, 9] and Abadi et al. [1] show how it extends to a notion of “message-locked” encryption that permits deduplication on encrypted storage systems.
However, our current understanding of DE is somewhat lacking. In particular, the constructions of [4, 6, 11, 35], as well as their analysis techniques, are rather disparate. The works of [4, 6] construct DE schemes by “faking” the coins used to encrypt the message in a probabilistic encryption scheme as some deterministic function of the message; for example, [6] uses Goldreich–Levin hardcore bits [31] of an iterated trapdoor permutation applied to the message. On the other hand, [11] (and subsequent works such as [12]) encrypt via special trapdoor functions (called “lossy” [48, 49]). Additionally, while constructions in the random oracle model [4] achieve security for multiple messages, current constructions in the standard model (without random oracles) achieve only “single-message” security (as shown in [4], single-message and multi-message security are inequivalent for DE), and it is unclear to what extent this is inherent to such schemes.^{Footnote 1}
In this work, our main goal is to provide a unified framework for the construction of DE and to help resolve these issues.
1.1 Our Results
A Scheme Based on Trapdoor Functions
We propose (in Sect. 4) a general Encrypt-with-Hardcore (EwHCore) construction of DE from trapdoor functions (TDFs), which generalizes the basic idea behind the schemes of [4, 6] and leads to a unified framework for the construction of DE. Let f be a TDF with a hardcore function hc, and let \(\mathcal{E}\) be any probabilistic public-key encryption algorithm. Our construction EwHCore encrypts an input message x as follows: it computes y=f(x) and then encrypts y using \(\mathcal {E}\) with hc(x) as the coins; that is, the encryption of x is \(\mathcal{E}(f(x);\mathsf{hc}(x))\).
Intuitively, this scheme requires that (1) the output of hc be sufficiently long to provide enough random coins for \(\mathcal{E}\), and (2) that it not reveal any partial information about x (because \(\mathcal{E}\) does not necessarily protect the privacy of its random coins). Requirement 1 can be satisfied, for example, if inverting f is subexponentially hard, if the output of hc is long enough to be used as a seed for some pseudorandom generator, or under specific assumptions, as described below. There are two nontrivial technical steps needed to formalize requirement 2 and realize it. First, we define a condition required of hc (which we call “robustness”) and show that it is sufficient for security of the resulting DE. Second, through a computational entropy argument, we show how to make any sufficiently long hc robust by applying a randomness extractor.
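To make the data flow concrete, here is a minimal runnable sketch of EwHCore. All primitives are hypothetical SHA-256 stand-ins introduced only for illustration; a real instantiation requires an actual trapdoor function f, a robust hardcore function hc with sufficiently long output, and a secure probabilistic encryption algorithm \(\mathcal{E}\).

```python
import hashlib

# Hypothetical stand-ins (illustration only): none of these are real
# instances of the primitives the construction requires.
def f(pk: bytes, x: bytes) -> bytes:
    """Stand-in for a trapdoor function (no actual trapdoor here)."""
    return hashlib.sha256(b"f" + pk + x).digest()

def hc(pk: bytes, x: bytes) -> bytes:
    """Stand-in hardcore function; its output serves as encryption coins."""
    return hashlib.sha256(b"hc" + pk + x).digest()

def E(pk: bytes, m: bytes, r: bytes) -> bytes:
    """Stand-in probabilistic encryption, with the random tape r explicit."""
    pad = hashlib.sha256(b"E" + pk + r).digest()
    return bytes(a ^ b for a, b in zip(m, pad))

def ewhcore_encrypt(pk: bytes, x: bytes) -> bytes:
    """EwHCore: encrypt y = f(x) under E, using hc(x) as the coins."""
    y = f(pk, x)
    return E(pk, y, hc(pk, x))

# The scheme is fully deterministic: the only "randomness" comes from x.
assert ewhcore_encrypt(b"pk", b"msg") == ewhcore_encrypt(b"pk", b"msg")
```

Note that the entire random tape of \(\mathcal{E}\) is derived from the message, which is why hc must not leak partial information about x.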
This general scheme admits a number of instantiations depending on f and hc. For example, when f is any trapdoor function and hc is a random oracle (RO), we obtain the construction of [4].^{Footnote 2} When f is an iterated trapdoor permutation (TDP) and hc is a collection of Goldreich–Levin (GL) [31] bits extracted at each iteration, we obtain the construction of [6]. When f is a lossy trapdoor function (LTDF) [48] and hc is a pairwise-independent hash, we get a variant of the construction of [11] (which is less efficient but has a more straightforward analysis). We also obtain a variant of the construction of Hemenway et al. [35] under the same assumption as they use (see Sect. 5.2 for details). Note that in all but the last of these cases, the hardcore function is already robust (without requiring an extractor), which shows that this notion played an implicit role in prior work. In particular, the GL bits are robust, explaining why [4, 6] specifically use them and not some other hardcore bits.
Moreover, this general scheme not only explains past constructions, but also gives us new ones. Specifically, if f is a trapdoor function with enough hardcore bits, we obtain:

DE that works on the uniform distribution of messages;

DE that works on any distribution of messages whose min-entropy is at most logarithmically smaller than the maximum possible;

assuming sufficient hardness of distinguishing the output of hc from uniform (so in particular of inverting f), DE that works on even lower-entropy message distributions.
Prior results require more specific assumptions on the trapdoor function (such as assuming that it is a permutation or that it is lossy—both of which imply enough hardcore bits). Furthermore, our results yield more efficient schemes in the permutation case, by avoiding iteration (under strong enough assumptions).
Notably, we obtain the first DE scheme without random oracles based on the hardness of syndrome decoding using the Niederreiter trapdoor function [45], which was shown to have linearly many hardcore bits by Freeman et al. [27] (and, moreover, to be secure under correlated products, as defined by Rosen and Segev [55]) but is not known to be lossy. (A scheme in the random oracle model follows from [4].) Additionally, the RSA [54] and Paillier [47] trapdoor permutations have linearly many hardcore bits under certain computational assumptions (the “Small Solutions RSA” [59] and “Bounded Computational Composite Residuosity” [13] assumptions, respectively). Therefore, we can use these TDPs to instantiate our scheme efficiently under the same computational assumptions. Before our work, DE schemes from RSA and Paillier either required many iterations [6] or decisional assumptions that imply lossiness of these TDPs [11, 27, 39].
Security for Multiple Messages: Definition and Construction
An important caveat is that, as in [6, 11], we can prove the above standard-model DE schemes secure only for the encryption of a single high-entropy plaintext or, what was shown equivalent in [11], an unbounded number of messages drawn from a block source [14] (where each subsequent message brings “fresh” entropy). On the other hand, the strongest and most practical security model for DE, introduced by [4], considers the encryption of an unbounded number of plaintexts that have individual high entropy but may not have any conditional entropy. In order for EwHCore to achieve this, the hardcore function hc must also be robust on correlated inputs.^{Footnote 3} In particular, it follows from [4] that a RO hash satisfies such a notion, leading to their multi-message secure scheme. We thus have a large gap between the classes of message sources with (known) secure constructions in the RO model versus in the standard model.
To help bridge this gap, we propose (in Sect. 6) a notion of “q-bounded” security for DE, where up to q high-entropy but arbitrarily correlated messages may be encrypted under the same public key (whose size may depend polynomially on q). Following [11], we also extend our security definition to unbounded multi-message security where messages are drawn from what we call a “q-block source” (essentially, a block source where each “block” consists of q messages that may be arbitrarily correlated but have individual high entropy); Theorem 4.2 of [11] extends to show that q-bounded multi-message security and unbounded multi-message security for q-block sources are equivalent for a given min-entropy. Then, using our EwHCore construction and a generalization of the leftover hash lemma discussed below, we show q-bounded DE schemes (for long enough messages), for any polynomial q, based on LTDFs losing a 1−O(1/q) fraction of the input. It is known how to build such LTDFs from the decisional Diffie–Hellman [48], d-linear [27], and decisional composite residuosity [11, 27] assumptions.
Regarding security for unbounded arbitrarily correlated messages in the standard model, a subsequent result of Wichs [64] shows that it is impossible using black-box reductions to falsifiable assumptions.^{Footnote 4} However, in further subsequent work, Bellare et al. [7] achieve this notion under a particular non-falsifiable assumption. We stress that our result on q-bounded security holds under common, falsifiable assumptions.
1.2 Our Tools
Our results are enabled by three tools that we believe to be of more general applicability (detailed in Sect. 3).
A More Precise Condition for Security of DE
We revisit the definitional equivalences for DE proven by [6] and [11]. At a high level, they showed that the semantic-security-style definition for DE (called PRIV) introduced in the initial work of [4], which asks that a scheme hide all public-key-independent^{Footnote 5} functions of messages drawn from some distribution, is in some sense equivalent to an indistinguishability-based notion for DE (called IND), which asks that it be hard to distinguish ciphertexts of messages drawn from one of two possible distributions. Notice that while PRIV can be meaningfully said to hold for a given message distribution, IND inherently talks of pairs of distributions.^{Footnote 6} The works of [6, 11] compensated for this by giving equivalences in terms of min-entropy levels. That is, they showed that PRIV for all message distributions of min-entropy μ is implied by indistinguishability with respect to all pairs of plaintext distributions of min-entropy slightly less than μ.
We demonstrate a more precise equivalence that, for a fixed distribution \(\bf{M}\), identifies a class of pairs of distributions such that if IND holds on those pairs, then PRIV holds on \(\bf{M}\). By reexamining the equivalence proof of [6], we show that PRIV on \(\bf{M}\) is implied by IND on all pairs of “slightly induced” distributions of \(\bf{M}\), i.e., distributions \(\bf{M}\mid\mathsf{E}\) where E is an arbitrary event of probability at least 1/4. This more precise equivalence makes security easier to reason about. Specifically, it is needed to argue that “robustness” of hc is sufficient for security of EwHCore (essentially, a robust hardcore function is one that remains hardcore on a slightly induced distribution^{Footnote 7}).
We also note that this more precise equivalence may be of independent interest for other primitives whose security holds for specific source distributions.
Conditional Computational Entropy
We investigate how conditioning reduces the computational entropy of a random variable X. We consider notions of computational entropy based on indistinguishability. The standard notion is HILL entropy, which generalizes pseudorandomness to the high-entropy setting [3, 34]. Suppose you have a distribution that has computational entropy (such as the pair f(r),hc(r) for a random r). If you condition that distribution on an event E of probability p, how much computational entropy is left?
To make this question more precise, we should note that notions of computational entropy are parameterized by quality (how distinguishable is X from a variable Z that has true entropy) and quantity (how much true entropy is there in Z).
We prove an intuitively natural result: conditioning on an event of probability p reduces the quality of computational entropy by a factor of p and the quantity of entropy by log_2(1/p) (note that this means that the reduction in quantity and quality is the same, because the quantity of entropy is measured on a logarithmic scale).
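The information-theoretic analogue of this statement is easy to check numerically. The sketch below (with an arbitrarily chosen example distribution) verifies that conditioning on an event of probability p costs at most log_2(1/p) bits of min-entropy:

```python
import math

def min_entropy(dist):
    """H_inf(X) = -log2(max_x P_X(x))."""
    return -math.log2(max(dist.values()))

# Uniform distribution on 8 outcomes: H_inf = 3 bits.
X = {x: 1 / 8 for x in range(8)}

# Condition on the event E = {0, 1}, which has probability p = 1/4.
E = (0, 1)
p = sum(X[x] for x in E)
X_given_E = {x: X[x] / p for x in E}

# The quantity drops by exactly log2(1/p) = 2 bits here: 3 -> 1.
assert abs(min_entropy(X_given_E) - 1.0) < 1e-9
assert min_entropy(X_given_E) >= min_entropy(X) - math.log2(1 / p) - 1e-9
```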
Naturally, the answer becomes so simple only once the correct notion of entropy is in place. Our result holds for a weaker notion of computational entropy called Metric ^{∗} entropy (defined in [3, 25]). This entropy is convertible (with some loss) to HILL entropy using the techniques of [3, 60], which can then be used with randomness extractors to get pseudorandom bits.
Our result improves previous bounds of Dziembowski and Pietrzak [25, Lemma 3], where the loss in the quantity of entropy was related to its original quality. The use of metric entropy simplifies the analogous result of Reingold et al. [51, Theorem 1.3] for HILL entropy. Other recent work [30, Lemma 3.1], [15, Lemma 16] also addresses the question of conditional computational entropy. We compare our bounds with those of [15, 25, 30, 51] in Appendix B.
We use this result to show that randomness extractors can be used to convert a hardcore function into a robust one, through a computational entropy argument for slightly induced distributions. It can also be useful in leakage-resilient cryptography (indeed, leakage-resilient cryptography is the subject of [25]), when instead of an event E one conditions on a random variable leaked to the adversary. For the information-theoretic case, it is known that leakage of a λ-bit-long random variable reduces the average entropy by at most λ (Lemma 2.1). We show essentially the same^{Footnote 8} for the computational case: if a λ-bit-long random variable is leaked, then the amount of computational Metric ^{∗} entropy decreases by at most λ and its quality decreases by at most 2^{λ} (again, this entropy can be converted to HILL entropy and used with randomness extractors [20, 36]).
(Crooked) Leftover Hash lemma for Correlated Distributions
We show that the leftover hash lemma (LHL) [34, Lemma 4.8], as well as its generalized form [20, Lemma 2.4] and the “Crooked” LHL [21], extend in a natural way to “correlated” distributions. That is, suppose we have t random variables (sources) X_1,…,X_t, where each X_i individually has high min-entropy but may be fully determined by the outcome of some other X_j (though we assume X_i≠X_j for all i≠j). We would like to apply a hash function H such that H(X_1),…,H(X_t) is statistically indistinguishable from t independent copies of the uniform distribution on the range of H (also over the choice of the key for H, which is made public). We show that this is the case assuming H is 2t-wise independent. (The standard LHL is thus the case t=1; previously, Kiltz et al. [40] showed this for t=2.) Naturally, this requires the output size of H to be about a 1/t fraction of its input size, so there is enough entropy to extract. Subsequent work of [50, Theorem 4.6] shows another generalization of the (Crooked) LHL, which differs from ours in several respects. The main differences are that the conditions imposed on H by [50] are much more permissive (in particular, only (log t)-wise independence is needed, and the output can be much longer), but the conclusion applies to each H(X_i) only in isolation (but for every i, which can thus be chosen after H is fixed).^{Footnote 9}
1.3 Further Related Work
Work on DE
We note that we focus in this paper on the basic case of passive, “chosen-plaintext” attack on DE. There are a variety of stronger attack models that have been proposed, and we leave it as an interesting future direction to study to what extent our techniques apply against them. These include security against chosen-ciphertext attack [4, 50], auxiliary message-dependent input [12], and “adaptive” message distributions (i.e., that depend in some way on the public key) [50]. We note that a notion of “incremental” DE (where a small change in the message induces a correspondingly small change in its encryption) has also been studied [44] due to its importance in the application of DE to deduplication on encrypted storage systems, and it would be similarly interesting to study to what extent our schemes can be adapted to the incremental setting.
Work on Conditional Computational Entropy
In addition to the work described above, there have been several subsequent works on conditional computational entropy. At the time when the conference version of our work [28] was written, it was not known whether our computational entropy loss result applied when the starting random variable was already conditional (except in special cases [15] or for different definitions [29, 30, 53]). This is known as a “chain” rule for HILL entropy. A counterexample to the chain rule using ideas from deniable encryption was recently shown by Krenn et al. [42]. Skorski [57] provides a general characterization of when the chain rule applies.
The work of Jetchev and Pietrzak [37] provides a constructive way to simulate the value of the condition, which enables the proof of the chain rule for a relaxed definition of HILL entropy. The work of Vadhan and Zheng [60] provides a proof of the conditional entropy loss result via a uniform reduction, making the result constructive in a very strong sense.
2 Preliminaries
2.1 Notation and Background
Unless otherwise indicated, an algorithm may be randomized and must run in probabilistic polynomial time (PPT) in its input size. An adversary is a non-uniform algorithm (or tuple of algorithms). We make the convention that the running-time of an adversary includes its program (i.e., circuit) size and the time to run any overlying experiment. The security parameter is denoted by k, and 1^{k} denotes the string of k ones. We often suppress dependence of variables on k for readability. A function \(f \colon{{\mathbb{N}}}\to[0,1]\) is negligible if f=o(k ^{−c}) for all constants c≥0.
If A is an algorithm then \(x {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\) denotes that x is assigned the output of running A on the elided inputs and a fresh random tape, while x←A(…;r) denotes the same but with the random tape fixed to r. If S is a finite set then \(s {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}S\) denotes that s is assigned a uniformly random element of S. We use the abbreviation \(x_{1}, \ldots, x_{n} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\) for \(x_{1} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\:;\:\ldots\:;\: x_{n} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\).
If A is deterministic then we drop the dollar sign above the arrow. We denote by {0,1}^{∗} the set of all (binary) strings, and by {0,1}^{n} the set of strings of length n. By x_1∥⋯∥x_m we denote an encoding of strings x_1,…,x_m from which x_1,…,x_m are uniquely recoverable. We denote by x⊕y the bitwise exclusive-or (xor) of equal-length strings x,y. For two n-bit strings x,y we denote by 〈x,y〉 the inner product of x and y when interpreted as vectors over GF(2). Vectors are denoted in boldface, for example x. If x is a vector then |x| denotes the number of components of x and x[i] denotes its ith component, for 1≤i≤|x|. For convenience, we extend algorithmic notation to operate on each vector of inputs componentwise. For example, if A is an algorithm and x,y are vectors then \({\mathbf{z}}{\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A({\mathbf {x}},{\mathbf{y}})\) denotes that \({\mathbf{z}}[i] {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A({\mathbf {x}}[i],{\mathbf{y}}[i])\) for all 1≤i≤|x|.
Let X and Y be random variables. For t,ϵ≥0, we say that X and Y are computationally (t,ϵ)-indistinguishable, denoted X≈_{ t,ϵ } Y, if |Pr[D(X)=1]−Pr[D(Y)=1]|≤ϵ for all distinguishers D running in time at most t.
Statistical Notions
Let X be a random variable on a finite set \(\mathcal{X}\). We write P_X for the distribution of random variable X and P_X(x) for the probability that X puts on value \(x \in\mathcal{X}\), i.e., P_X(x)=Pr[X=x]. Denote by |X| the size of the support of X, i.e., |X|=|{x:P_X(x)>0}|. We often identify X with P_X when there is no danger of confusion. By \(x {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}X\) we denote that x is assigned a value drawn according to P_X. When this experiment is PPT we say that X is efficiently sampleable. We write X∣E for the random variable X conditioned on an event E. When X is vector-valued we denote it in boldface, for example \(\bf{X}\). For a function \(f: \mathcal{X}\to\mathbb{R}\), we denote the expectation of f over X by \(\mathop{\mathbb{E}}f(X) \stackrel{\mathrm{def}}{=}\mathop{\mathbb {E}}_{x\in X} f(x) \stackrel{\mathrm{def}}{=}\sum_{x\in\mathcal {X}} P_{X}(x) f(x)\).
The max-entropy of X is H_0(X)=log|X|. The min-entropy of X is H_∞(X)=−log(max_x P_X(x)), the (worst-case) conditional min-entropy of X given Y is H_∞(X∣Y)=−log(max_{x,y} P_{X∣Y=y}(x)), and the average conditional min-entropy of X given Y [20] is \(\tilde{\mathrm {H}}_{\infty}(X\mid Y) = -\log(\mathop{\mathbb{E}}_{y\in Y} \max_{x} P_{X\mid Y=y}(x))\). Following [4, 6], for vector-valued \(\bf{X}\) the min-entropy is the minimum individual min-entropy of the components, i.e., H_∞(X)=−log(max_{x,i} P_{X[i]}(x[i])). The collision probability of X is Col(X)=∑_x P_X(x)^2. The statistical distance between random variables X and Y with the same domain is \(\Delta(X,Y) = \frac{1}{2} \sum_{x} |P_{X}(x) - P_{Y}(x)|\). We write X≈_ϵ Y if Δ(X,Y)≤ϵ, and when ϵ is negligible then we say X and Y are statistically close.
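These definitions can be checked directly on a small example; the joint distribution below is an arbitrary illustration:

```python
import math
from collections import defaultdict

# A small joint distribution P[(a, b)] for a pair (A, B), chosen arbitrarily.
P = {(0, 0): 1/2, (1, 0): 1/4, (0, 1): 1/8, (1, 1): 1/8}

PA = defaultdict(float)                 # marginal distribution of A
for (a, b), pr in P.items():
    PA[a] += pr

H0 = math.log2(len(PA))                 # max-entropy: log of the support size
Hinf = -math.log2(max(PA.values()))     # min-entropy of A

# Average conditional min-entropy of A given B:
#   -log2( E_b [ max_a P[A=a | B=b] ] ) = -log2( sum_b max_a P[(a, b)] ).
Bvals = {b for (_, b) in P}
Havg = -math.log2(sum(max(P[(a, b)] for a in PA) for b in Bvals))
```

Here H0 = 1 and Hinf = Havg = log_2(8/5) ≈ 0.678 (for this particular distribution, learning B happens not to reduce the average min-entropy of A).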
tWise Independent Functions
Let \(F \colon\mathcal{K}\times D \to R\) be a function. We say that F is t-wise independent if for all distinct x_1,…,x_t∈D and all y_1,…,y_t∈R, \(\Pr_{K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}}\bigl[F(K,x_{1})=y_{1} \wedge\cdots\wedge F(K,x_{t})=y_{t}\bigr] = 1/|R|^{t}\).
In other words, for a uniformly random key K, the values F(K,x_1),…,F(K,x_t) are uniformly and independently distributed over R. 2-wise independence is also called pairwise independence.
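For intuition, the classic family F((a,b), x) = ax + b mod p is 2-wise independent; the sketch below verifies the defining condition exhaustively for a small prime (the choice p = 5 is arbitrary):

```python
p = 5  # small prime so we can enumerate all keys exhaustively

def F(key, x):
    a, b = key
    return (a * x + b) % p

keys = [(a, b) for a in range(p) for b in range(p)]

# For every pair of distinct inputs and every pair of target outputs,
# exactly |keys| / p^2 keys map (x1, x2) to (y1, y2): 2-wise independence.
for x1 in range(p):
    for x2 in range(p):
        if x1 == x2:
            continue
        for y1 in range(p):
            for y2 in range(p):
                hits = sum(1 for k in keys
                           if F(k, x1) == y1 and F(k, x2) == y2)
                assert hits == len(keys) // p**2   # == 1 here
```

The count is 1 because the linear system a·x1 + b = y1, a·x2 + b = y2 has a unique solution (a, b) over GF(p) whenever x1 ≠ x2.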
Entropy After Information Leakage
Dodis et al. [20, Lemma 2.2] characterized the effect of auxiliary information on average minentropy:
Lemma 2.1
[20, Lemma 2.2]
Let A,B,C be random variables. Then

1.
For any δ>0, the conditional entropy H_∞(A∣B=b) is at least \(\tilde{\mathrm{H}}_{\infty}(A\mid B)-\log (1/\delta)\) with probability at least 1−δ over the choice of b.

2.
If B has at most 2^{λ} possible values, then \(\tilde{\mathrm{H}}_{\infty}(A\mid(B, C))\geq\tilde{\mathrm{H}}_{\infty}((A, B)\mid C)-\lambda\geq\tilde{\mathrm{H}}_{\infty}(A\mid C)-\lambda\). In particular, \(\tilde{\mathrm{H}}_{\infty}(A\mid B) \geq\mathrm {H}_{\infty}((A, B))-\lambda\geq\mathrm{H}_{\infty}(A)-\lambda\).
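Part 2 of the lemma can be sanity-checked numerically; in the sketch below the joint distribution is random and the parameters are arbitrary:

```python
import math
import random

random.seed(1)
nA, nB = 8, 4                  # B takes at most 2^lam values, with lam = 2
lam = math.log2(nB)

# A random joint distribution over (A, B), normalized to sum to 1.
w = [[random.random() for _ in range(nB)] for _ in range(nA)]
total = sum(map(sum, w))
P = [[wij / total for wij in row] for row in w]

# Min-entropy of A (marginal) and average conditional min-entropy of A | B.
H_A = -math.log2(max(sum(row) for row in P))
Havg = -math.log2(sum(max(P[a][b] for a in range(nA)) for b in range(nB)))

# Lemma 2.1(2): leaking lam bits costs at most lam bits of average entropy.
assert Havg >= H_A - lam - 1e-9
```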
Extractors
Let χ be a finite set. A polynomial-time computable deterministic function ext:χ×{0,1}^{d}→{0,1}^{m}×{0,1}^{d} is a strong (k,ϵ)-extractor [46] if the last d output bits of ext are equal to the last d input bits (these bits are called the seed), and δ(ext(X,U_d),U_m×U_d)≤ϵ for every distribution X on χ with H_∞(X)≥k. The number of extracted bits is m, and the entropy loss is k−m.
Average-case extractors, defined in [20, Sect. 2.5], are extractors extended to work with average-case, rather than unconditional, min-entropy. Vadhan [61, Problem 6.8] shows that any (k,ϵ)-extractor for k≤log_2|χ|−1 is also an (m,3ϵ)-average-case extractor. However, the additional loss is not always necessary. Indeed, the Leftover Hash Lemma generalizes without any loss to the average-case setting, as shown in [20].
Definition 2.2
Let χ_1, χ_2 be finite sets. An extractor ext is a (k,ϵ)-average-case extractor if for all pairs of random variables X,Y over χ_1,χ_2 such that \(\tilde{H}_{\infty}(X\mid Y) \ge k\), we have δ((ext(X,U_d),Y),U_m×U_d×Y)≤ϵ.
PublicKey Encryption
A (probabilistic) public-key encryption scheme with plaintext-space PtSp is a triple of algorithms \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\). The key-generation algorithm \(\mathcal{K}\) takes input 1^{k} to return a public key pk and matching secret key sk. The encryption algorithm \(\mathcal{E}\) takes pk and a plaintext m to return a ciphertext; this algorithm is randomized, using randomness r. The deterministic decryption algorithm \(\mathcal{D}\) takes sk and a ciphertext c to return a plaintext. We require that for all plaintexts m∈PtSp, \(\mathcal{D}(sk,\mathcal{E}(pk,m))=m\) with probability 1, over \((pk,sk) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}(1^{k})\) and the coins of \(\mathcal{E}\).
Next we define security against chosen-plaintext attack [32]. With an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal {D})\), an adversary A=(A_1,A_2), and \(k \in{{\mathbb{N}}}\) we associate the experiment \(\mathbf{Exp}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k)\) that runs as follows: \(b {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\{0,1\}\); \((pk,sk) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}(1^{k})\); \((m_{0},m_{1},\mathit{st}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{1}(pk)\); \(c {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{E}(pk,m_{b})\); \(d {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{2}(pk,c,\mathit{st})\); the experiment outputs 1 if d=b and 0 otherwise. Here we require A_1’s output to satisfy |m_0|=|m_1|. Define the IND-CPA advantage of A against Π as \(\mathbf{Adv}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k) = 2\cdot\Pr\bigl[\mathbf{Exp}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k)=1\bigr]-1\).
We say that Π is IND-CPA secure if \(\mathbf {Adv}^{\mathrm {ind\mbox{-}cpa}}_{\varPi,A}(\cdot)\) is negligible for any PPT adversary A.
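The following toy harness (entirely hypothetical, with an intentionally insecure “scheme” whose constants are arbitrary) runs the IND-CPA experiment against a deterministic scheme. As noted in the Introduction, determinism is fatal here: the adversary re-encrypts a candidate message itself and compares, winning with advantage 1.

```python
import random

# Toy deterministic "scheme" (hypothetical): encryption uses no randomness,
# so it cannot be IND-CPA secure.
def keygen():
    pk = random.randrange(2**32)
    return pk, pk

def enc(pk, m):
    return (m * 2654435761 + pk) % 2**32   # deterministic in (pk, m)

def ind_cpa_experiment(adv1, adv2):
    pk, sk = keygen()
    m0, m1, state = adv1(pk)
    b = random.randrange(2)
    c = enc(pk, m0 if b == 0 else m1)
    return adv2(pk, c, state) == b

# The adversary encrypts m0 under the public key and checks for a match.
adv1 = lambda pk: (0, 1, pk)
adv2 = lambda pk, c, state: 0 if c == enc(state, 0) else 1

wins = sum(ind_cpa_experiment(adv1, adv2) for _ in range(200))
advantage = 2 * wins / 200 - 1             # 1 for this adversary
```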
Lossy Trapdoor Functions
A lossy trapdoor function (LTDF) generator [48] is a pair \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) of algorithms. Algorithm \(\mathcal{F}\) is a usual trapdoor function (TDF) generator, namely on input 1^{k} it outputs (a description of a) function f on {0,1}^{n} for n=n(k) along with (a description of) its inverse f^{−1}, and algorithm \(\mathcal{F}'\) outputs a (description of a) function f′ on {0,1}^{n}. For a distinguisher D, define its LTDF advantage against LTDF as \(\mathbf{Adv}^{\mathrm{ltdf}}_{{\mathsf{LTDF}},D}(k) = \Pr[D(f)=1] - \Pr[D(f')=1]\), where \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) and \(f' {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}'(1^{k})\).
We say that LTDF is secure if \(\mathbf {Adv}^{\mathrm{ltdf}}_{{\mathsf{LTDF}},D}(\cdot)\) is negligible for any PPT D. We say LTDF has residual leakage s if for all f′ output by \(\mathcal{F}'\) we have |Image(f′)|≤2^{s}. The lossiness of LTDF is ℓ=n−s.
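A toy numeric sketch of the image-size accounting (both functions below are hypothetical; a real LTDF additionally requires the two modes to be computationally indistinguishable and a trapdoor for the injective mode):

```python
n, s = 8, 3   # input length n, residual leakage s; lossiness = n - s = 5

def f_injective(x):
    return x ^ 0b10110101          # a permutation of {0,1}^8

def f_lossy(x):
    return x & ((1 << s) - 1)      # keeps only s bits: image size <= 2^s

inputs = range(2**n)
assert len({f_injective(x) for x in inputs}) == 2**n   # injective mode
image = {f_lossy(x) for x in inputs}
assert len(image) <= 2**s          # residual leakage s, lossiness n - s
```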
One-Way and Hardcore Functions on Non-uniform Distributions
We extend the usual notion of one-wayness to vectors of inputs drawn from non-uniform and possibly correlated distributions. Let \(\mathcal{F}\) be a TDF generator and X be a distribution on input vectors. With \(\mathcal{F},{\boldsymbol {X}}\), an inverter I, and \(k \in {{\mathbb{N}}}\) we associate the experiment that samples \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) and \({\boldsymbol {x}} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}{\boldsymbol {X}}\), runs \({\boldsymbol {x}}' {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}I(f,f({\boldsymbol {x}}))\), and outputs 1 if \({\boldsymbol {x}}'={\boldsymbol {x}}\). Define the OWF advantage \(\mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}},I}(k)\) of I against \(\mathcal{F},{\boldsymbol {X}}\) as the probability that this experiment outputs 1.
We say that \(\mathcal{F}\) is one-way on a class of distributions on input vectors \({\boldsymbol {{{\mathbb{X}}}}}\) if for every \({\boldsymbol {X}} \in {\boldsymbol {{{\mathbb{X}}}}}\) and every PPT inverter I, \(\mathbf {Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}}, I}(\cdot)\) is negligible. We extend hardcore functions (HCFs) in a similar way. Namely, with a trapdoor function generator \(\mathcal{F}\), function hc:{0,1}^{k}→{0,1}^{n}, distribution on input vectors X, a distinguisher D, and \(k \in{{\mathbb{N}}}\) we associate the experiment that samples \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) and \({\boldsymbol {x}} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}{\boldsymbol {X}}\). Define the HCF advantage of D against \(\mathcal{F},\mathsf{hc},{\boldsymbol {X}}\) as \(\mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf{hc},{\boldsymbol {X}},D}(k) = \Pr[D(f,f({\boldsymbol {x}}),\mathsf{hc}(f,{\boldsymbol {x}}))=1] - \Pr[D(f,f({\boldsymbol {x}}),{\boldsymbol {r}})=1]\), where \({\boldsymbol {r}}\) is a vector (of the same length as \({\boldsymbol {x}}\)) of independent uniform n-bit strings.
We say that hc is hardcore for \(\mathcal{F}\) on a class of distributions on input vectors \({\boldsymbol {{{\mathbb{X}}}}}\) if for every \({\boldsymbol {X}} \in {\boldsymbol {{{\mathbb{X}}}}}\) and every PPT distinguisher D, \(\mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf{hc},{\boldsymbol {X}}, D}(\cdot)\) is negligible.
Note that we depart somewhat from standard treatments in that we allow a HCF to also depend on the description of the trapdoor function (via the argument f). This allows us to simplify our exposition.
Augmented Trapdoor Functions
It is useful to introduce the notion of an “augmented” version of a TDF, which augments the description of the latter with keying material for a HCF. More formally, let \(\mathcal{F}\) be a trapdoor function generator and let H be a keyed function with keyspace \(\mathcal{K}\). Define the H-augmented version of \(\mathcal{F}\), denoted \(\mathcal {F}[H]\), that on input 1^{k} returns (f,K),(f^{−1},K) where \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) and \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\); evaluation is defined for x∈{0,1}^{k} as f(x) (i.e., evaluation just ignores K) and inversion is defined analogously.
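A minimal sketch of the augmentation, with a toy self-inverse function and a hypothetical 8-bit hash keyspace standing in for \(\mathcal{F}\) and \(\mathcal{K}\):

```python
import random

# F[H]: sample (f, f_inv) from the TDF generator and a key K for H, and
# attach K to both directions; evaluation ignores K entirely.
def augment(tdf_gen, sample_hash_key):
    def augmented_gen():
        f, f_inv = tdf_gen()
        K = sample_hash_key()
        return (f, K), (f_inv, K)
    return augmented_gen

# Toy TDF: xor with a fixed mask (self-inverse); toy keyspace {0..255}.
toy_gen = lambda: ((lambda x: x ^ 0xA5), (lambda y: y ^ 0xA5))
gen = augment(toy_gen, lambda: random.randrange(256))

(f, K), (f_inv, K2) = gen()
assert K == K2 and f_inv(f(7)) == 7   # same key attached; inversion works
```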
Goldreich–Levin Hardcore Function
For \(i \in{{\mathbb{N}}}\) define the length-i Goldreich–Levin (GL) function [31] \(\mathcal{GL}^{i} \colon\{0,1\}^{i\times k} \times\{0,1\}^{k} \to\{0,1\}^{i}\) as GL ^{i}(M,x)=Mx, where Mx is the matrix-vector product of a randomly sampled matrix M and x over GF(2) (it is also possible to choose a random Toeplitz matrix instead of a completely random matrix). If i is small enough (roughly logarithmic in the security of \(\mathcal{F}\)), then GL ^{i} is hardcore for \(\mathcal{F}[\mathcal{GL}^{i}]\). Moreover, this result does not depend on the input distribution of \(\mathcal{F}\); it depends only on the hardness of \(\mathcal{F}\) on that particular distribution.
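The GL function itself is just a GF(2) matrix-vector product, as the following sketch (with arbitrary small parameters) shows:

```python
import random

def gl(M, x_bits):
    """Goldreich-Levin bits: matrix-vector product over GF(2)."""
    return [sum(m & b for m, b in zip(row, x_bits)) % 2 for row in M]

random.seed(0)
i, k = 3, 8
M = [[random.randrange(2) for _ in range(k)] for _ in range(i)]
x = [random.randrange(2) for _ in range(k)]

out = gl(M, x)
assert len(out) == i and all(bit in (0, 1) for bit in out)

# Each output bit is an inner product <row, x> over GF(2); with i = 1 and
# M = [[1, 0, ..., 0]] the output is just the first bit of x.
assert gl([[1] + [0] * (k - 1)], x) == [x[0]]
```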
2.2 Computational Entropy
For computational entropy we define several classes of distinguishers. Let \(\mathcal {D}^{\mathrm {det},\{0,1\}} _{s}\) be the set of all deterministic circuits of size s with binary output in {0,1}, let \(\mathcal {D}^{\mathrm {det},[0,1]} _{s}\) be the set of all deterministic circuits of size s with output in [0,1], and let \(\mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {rand},[0,1]} _{s}\) be the sets of probabilistic circuits with output ranges {0,1} and [0,1], respectively. (We talk of circuit size rather than running-time in the context of computational entropy for consistency with the literature.) Given a circuit D, define the computational distance δ ^{D} between X and Z as \(\delta^{D}(X, Z) = \lvert\mathop{\mathbb{E}}[D(X)] - \mathop{\mathbb{E}}[D(Z)]\rvert\). While min-entropy is measured only by amount, computational min-entropy has two additional parameters: distinguisher size s and quality ϵ. Larger s and smaller ϵ mean “better” entropy.
Definition 2.3
([34])
A distribution X has HILL entropy at least k, denoted \(H^{{\mathtt{HILL}}}_{\epsilon, s}(X)\geq k\) if there exists a distribution Z where H_{∞}(Z)≥k, such that \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \delta^{D}(X, Z)\leq\epsilon\).
An alternative notion called Metric entropy is often used for proofs and is obtained by switching the order of quantifiers. Thus, a different Z can be used for each distinguisher:
Definition 2.4
([3])
A distribution X has Metric entropy at least k, denoted \(H^{{\mathtt{Metric}}}_{\epsilon, s}(X)\geq k\) if \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) there exists a distribution Z _{ D } with H_{∞}(Z _{ D })≥k and δ ^{D}(X,Z _{ D })≤ϵ.
For HILL entropy, drawing D from \(\mathcal {D}^{\mathrm {det},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {det},[0,1]} _{s}, \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {rand},[0,1]} _{s}\) is essentially equivalent, as shown in [25, 29]. For Metric entropy, however, the choice among these four classes can make a difference. In particular, if we change the class of D in Definition 2.4 to \(\mathcal {D}^{\mathrm {det},[0,1]} _{s}\), we get so-called “metric-star” entropy, denoted \(H^{{\mathtt{Metric}^{*}} }_{\epsilon, s}\) (this notion was used in [25, 29]).
Equivalence (with a loss in quality) between Metric ^{∗} and HILL entropy^{Footnote 10} was shown by Barak, Shaltiel, and Wigderson [3, Theorem 5.2]:
Theorem 2.5
([3])
Let X be a discrete distribution over a finite set χ. For every ϵ, ϵ _{ HILL }>0, ϵ′≥ϵ+ϵ _{ HILL }, k, and s, if \(H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\geq k\) then \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt{HILL}}}}(X)\geq k\) where \(s_{{\mathtt{HILL}}} = \varOmega (\epsilon_{{\mathtt{HILL}}}^{2} s /\log|\chi|)\).
The free parameter in the above theorem, ϵ _{ HILL }, provides a tradeoff between distinguisher size and advantage. For simplicity, we can set \(\epsilon_{{\mathtt{HILL}}} = \sqrt[3]{\frac{\log|\chi|}{s}}\) yielding \(s_{{\mathtt{HILL}}} = \varOmega(\sqrt[3]{\frac{s}{\log |\chi| }})\) and \(\epsilon' = \epsilon+\sqrt[3]{\frac{\log|\chi|}{s}}\). For typical parameters (specifically, when ϵ≤(log|χ|/s)^{1/3}), this setting balances the resulting ϵ′ and s _{ HILL }, i.e., gives us ϵ′=O(1/s _{ HILL }).
We prove a slightly stronger version of this theorem as Theorem C.1.
Extractors can be applied to distributions with computational entropy to obtain pseudorandom, rather than random, outputs: that is, outputs that are computationally indistinguishable from, rather than statistically close to, uniformly random strings. This fact is wellknown for HILL entropy. However, we have not seen it proven for Metric entropy and, although the proof is quite straightforward, we provide it here for completeness. (Since HILL entropy implies Metric entropy, this proof also works for HILL entropy.)
Theorem 2.6
Let ext:χ×{0,1}^{d}→{0,1}^{m}×{0,1}^{d} be a (k,ϵ _{ ext })-extractor, computable by circuits of size s _{ ext }. Let X be a distribution over χ with \(H^{{\mathtt{Metric}}}_{\epsilon_{{\mathtt{Metric}}}, s_{{\mathtt{Metric}}}}(X)\geq k\). Then \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s'}\), where s′≈s _{ Metric }−s _{ ext },
$$\delta^{D}\bigl(\mathtt {ext} (X, U_{d}), (U_{m}, U_{d})\bigr) \leq\epsilon_{{\mathtt{Metric}}} + \epsilon_{\mathtt{ext}}.$$
Proof
We proceed by contradiction. Suppose not, that is, \(\exists D\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s'}\) such that
$$\delta^{D}\bigl(\mathtt {ext} (X, U_{d}), (U_{m}, U_{d})\bigr) > \epsilon_{{\mathtt{Metric}}} + \epsilon_{\mathtt{ext}}.$$
We use D to construct a distinguisher D′ to distinguish X from all distributions Z where H_{∞}(Z)≥k, violating the metric entropy of X. We define D′ as follows: upon receiving input α∈χ, D′ samples seed←U _{ d }, runs β←ext(α,seed) and then runs D(β,seed) on the result. Note that \(D' \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) where s≈s′+s _{ ext }=s _{ Metric }. Thus we have the following ∀Z, where H_{∞}(Z)≥k:
$$\delta^{D'}(X, Z) = \delta^{D}\bigl(\mathtt {ext} (X,U_{d}), \mathtt {ext} (Z,U_{d})\bigr) \geq\delta^{D}\bigl(\mathtt {ext} (X,U_{d}), (U_{m},U_{d})\bigr) - \delta^{D}\bigl(\mathtt {ext} (Z,U_{d}), (U_{m},U_{d})\bigr) > (\epsilon_{{\mathtt{Metric}}}+\epsilon_{\mathtt{ext}}) - \epsilon_{\mathtt{ext}} = \epsilon_{{\mathtt{Metric}}},$$
where the last step uses the extractor guarantee \(\delta^{D}(\mathtt {ext} (Z,U_{d}), (U_{m},U_{d}))\leq\epsilon_{\mathtt{ext}}\), which holds because H_{∞}(Z)≥k.
Thus D′ is able to distinguish X from all Z with sufficient minentropy. This is a contradiction. □
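The reduction in this proof is generic: D′ simply pre-composes D with the extractor under a fresh seed. A sketch, with the extractor and the inner distinguisher as abstract callables (the toy instantiations at the bottom are placeholders, not a real (k,ϵ)-extractor):

```python
import secrets

def make_d_prime(ext, d, seed_bits):
    """Build D' from the proof of Theorem 2.6: on input alpha, sample a
    fresh seed, run the extractor, and feed (output, seed) to D."""
    def d_prime(alpha):
        seed = secrets.randbits(seed_bits)
        beta = ext(alpha, seed)      # beta plays the role of ext(alpha, seed)
        return d(beta, seed)
    return d_prime

# Toy instantiations: "extractor" = inner product of input and seed mod 2,
# "distinguisher" = output the extracted bit; both purely illustrative.
toy_ext = lambda alpha, seed: bin(alpha & seed).count("1") % 2
toy_d = lambda beta, seed: beta      # D ignores the seed here
d_prime = make_d_prime(toy_ext, toy_d, seed_bits=8)
verdict = d_prime(0b10110011)        # a single {0,1} verdict
```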
Unfortunately, the theorem does not extend to Metric ^{∗} entropy, because the distinguisher D′ we construct in this proof is randomized. The only way to extract from Metric ^{∗} entropy that we know of is to convert Metric ^{∗} entropy to HILL entropy using Theorem 2.5 (which incurs some loss) and then use Theorem 2.6 (see Fig. 1). Thus, Metric ^{∗} entropy appears to be qualitatively weaker than Metric and HILL entropy.
Conditional entropy has been extended to the computational case by Hsiao, Lu, and Reyzin [36].
Definition 2.7
([36])
Let (X,Y) be a pair of random variables. X has conditional HILL entropy at least k conditioned on Y, denoted \(H^{{\mathtt{HILL}}}_{\epsilon, s}(X\mid Y)\geq k\), if there exists a collection of distributions Z _{ y } for each y∈Y, giving rise to a joint distribution (Z,Y), such that \(\tilde{H}_{\infty}(Z\mid Y)\geq k\) and \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \delta^{D}((X, Y),(Z,Y))\leq\epsilon\).
Again, we can switch the quantifiers of Z and D to obtain the definition of conditional metric entropy.
Definition 2.8
Let (X,Y) be a pair of random variables. X has conditional Metric entropy at least k conditioned on Y, denoted by \(H^{{\mathtt{Metric}}}_{\epsilon, s}(X\mid Y)\geq k\), if \(\forall D\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s} \) there exists a collection of distributions Z _{ y } for each y∈Y, giving rise to a joint distribution (Z,Y), such that \(\tilde{H}_{\infty}(Z\mid Y)\geq k\) and δ ^{D}((X,Y),(Z,Y))≤ϵ.
Conditional Metric ^{∗} can be defined similarly, replacing \(\mathcal {D}^{\mathrm {rand},\{0,1\}} \) with \(\mathcal {D}^{\mathrm {det},[0,1]} \).
Theorem 2.5 can be extended to the conditional case with the same techniques (see [15, 29] for a proof):
Theorem 2.9
Let X be a discrete distribution over a finite set χ _{1} and let Y be a discrete random variable over χ _{2}. For every ϵ,ϵ _{ HILL }>0,ϵ′≥ϵ+ϵ _{ HILL },k and s, if \(H^{{\mathtt{Metric}^{*}}}_{\epsilon , s}(X\mid Y)\geq k\) then \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt{HILL}}}}(X\mid Y)\geq k\) where \(s_{{\mathtt{HILL}}} = \varOmega(\epsilon_{{\mathtt{HILL}}}^{2}s/\log(|\chi_{1}||\chi_{2}|))\).
Again, it is reasonable to set \(\epsilon_{{\mathtt{HILL}}} = \sqrt [3]{\frac {\log(|\chi_{1}||\chi_{2}|)}{s}}\) and get \(s_{{\mathtt{HILL}}} = \varOmega (\sqrt [3]{\frac{s}{\log(|\chi_{1}||\chi_{2}|)}})\) and \(\epsilon' = \epsilon +\sqrt[3]{\frac{\log(|\chi_{1}||\chi_{2}|)}{s}}\).
Similarly to extractors in the case of unconditional entropy, average-case extractors can be used on distributions that have conditional Metric (and therefore also conditional HILL) entropy to produce pseudorandom, rather than random, outputs. The proof is similar to [36, Lemma 5]. However, it is not known how to extract directly from conditional Metric ^{∗} entropy; we first have to convert it to HILL using Theorem 2.9.
2.3 Deterministic Encryption
We say that an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\) is deterministic if \(\mathcal{E}\) is deterministic.
Semantic Security of DE
We recall the semantic-security-style PRIV notion for DE from [4].^{Footnote 11} With encryption scheme \(\varPi= (\mathcal{K}, \mathcal{E},\mathcal {D})\), an adversary A=(A _{0},A _{1},A _{2}), and \(k \in{{\mathbb{N}}}\) we associate
We require that there are functions v=v(k),ℓ=ℓ(k) such that (1) |x|=v, (2) |x[i]|=ℓ for all 1≤i≤v, and (3) the x[i] are all distinct with probability 1 over \(({\mathbf{x}},t) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{1}(\mathit{state})\) for any state output by A _{0}.^{Footnote 12} In particular we say A outputs vectors of size v for v as above. Define the PRIV advantage of A against Π as
Let \({\boldsymbol {{{\mathbb{M}}}}}\) be a class of distributions on message vectors. Define \({{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\) to be the class of adversaries {A=(A _{0},A _{1},A _{2})} such that for each \(A \in {{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\) there is a \({\boldsymbol {M}} \in {\boldsymbol {{{\mathbb{M}}}}}\) for which x has distribution M over \(({\mathbf{x}},t) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{1}(\mathit{state})\) for any state output by A _{0}. We say that Π is PRIV secure for \({\boldsymbol {{{\mathbb{M}}}}}\) if \(\mathbf{Adv}^{\mathrm{priv}}_{\varPi,A}(\cdot)\) is negligible for any PPT \(A \in{{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\). Note that (allowing nonuniform adversaries as usual) we can without loss of generality consider only those A with “empty” A _{0}, since A _{1} can always be hardwired with the “best” state. However, following [6] we explicitly allow state because it greatly facilitates some proofs.
Indistinguishability of DE
Next we recall the indistinguishability-based formulation of security for DE given (independently) by [6, 11] (and which is adapted from [22]). With an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal {D})\), an adversary D=(D _{1},D _{2}), and \(k \in{{\mathbb{N}}}\) we associate
We make the analogous requirements on D _{1} as on A _{1} in the PRIV definition. Define the IND advantage of D against Π as \(\mathbf{Adv}^{\mathrm{ind}}_{\varPi,D}(k) = 2\cdot\Pr[ \mathbf{Exp}^{\mathrm{ind}}_{\varPi,D}(k) = 1 ] - 1\). Let \({\boldsymbol {{{\mathbb{M}}}}}^{*}\) be a class of pairs of distributions on message vectors. Define \({{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\) to be the class of adversaries {D=(D _{1},D _{2})} such that for each \(D \in{{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\), there is a pair of distributions \(({\boldsymbol {M}}_{0}, {\boldsymbol {M}}_{1}) \in {\boldsymbol {{{\mathbb{M}}}}}^{*}\) such that for each b∈{0,1} the distribution of \({\mathbf{x}}{\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}D_{1}(b)\) is M _{ b }. We say that Π is IND secure for \({\boldsymbol {{{\mathbb{M}}}}}^{*}\) if \(\mathbf{Adv}^{\mathrm{ind}}_{\varPi,D}(\cdot)\) is negligible for any PPT \(D \in{{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\).
3 Our Tools
3.1 A Precise Definitional Equivalence for DE
While the PRIV definition is meaningful with respect to a single message distribution M, the IND definition inherently talks of pairs of different message distributions (but see Footnote 6). Thus, in proving an equivalence between the two notions, the best we can hope to show is that PRIV security for a message distribution M is equivalent to IND security for some class of pairs of message distributions (depending on M). However, prior works [6, 11] did not provide such a statement. Instead, they showed that PRIV security on all distributions of a given entropy μ is equivalent to IND security on all pairs of distributions of slightly less entropy.
Induced Distributions
To state our result we first give some definitions relating to a notion of “induced distributions.” Let X,X′ be distributions (or random variables) on the same domain. For \(\alpha\in{{\mathbb{N}}}\), we say that X′ is an αinduced distribution of X if X′ is a conditional distribution X′=X∣E for an event E such that Pr[E]≥2^{−α}. We call E the corresponding event to X′. We require that the joint distribution (X,E) is efficiently samplable (where we view event E as a binary random variable).
Define X[α] to be the class of all αinduced distributions of X. Furthermore, let X _{0},X _{1} be two αinduced distributions of X with corresponding events E _{0},E _{1}, respectively. Define X ^{∗}[α]={(X _{0},X _{1})} to be the class of all pairs (X _{0},X _{1}) for which there is a pair \((X'_{0}, X'_{1})\) of αinduced distributions of X such that X _{0} (resp. X _{1}) is statistically close to \(X'_{0}\) (resp. \(X'_{1}\)).^{Footnote 13}
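Whenever the joint distribution (X,E) is efficiently samplable, an α-induced distribution X∣E can be sampled by rejection, at an expected cost of 1/Pr[E] ≤ 2^{α} draws. A sketch (the uniform-bytes distribution and the event are arbitrary illustrations):

```python
import random

def sample_induced(sample_joint, max_tries=10**6):
    """Sample from the conditional distribution X|E by rejection.

    sample_joint returns a pair (x, e), with e a boolean indicating whether
    the event E occurred; if Pr[E] >= 2^-alpha this succeeds within
    2^alpha draws in expectation.
    """
    for _ in range(max_tries):
        x, e = sample_joint()
        if e:
            return x
    raise RuntimeError("event E never occurred")

# Toy example: X uniform on 8-bit values, E = "low two bits are zero",
# so Pr[E] = 1/4 and X|E is a 2-induced distribution of X.
rng = random.Random(0)
joint = lambda: (lambda v: (v, v % 4 == 0))(rng.randrange(256))
sample = sample_induced(joint)
```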
The Equivalence
We are now ready to state our result. The following theorem captures the “useful” direction that IND implies PRIV.^{Footnote 14}
Theorem 3.1
Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be a deterministic encryption scheme. For any distribution M on message vectors, PRIV security of Π with respect to M is implied by IND security of Π with respect to M ^{∗}[2]. In particular, let \(A \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) be a PRIV adversary against Π. Then there is an IND adversary \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}^{*}[2]}\) such that for all \(k \in{{\mathbb{N}}}\)
Furthermore, the running time of D is at most the time for k executions of A (but only 4 executions in expectation).
The theorem essentially follows from the techniques of [6]. Thus, our contribution here is not in providing any new technical tools used in proving this result but rather in extracting it from the techniques of [6]. For completeness, we give the entire proof (incorporating simplifications due to [17] that lead to better concrete security) in Appendix A.
To establish a definitional equivalence (that is, to also show that PRIV implies IND), we need to further restrict the latter to pairs (that are statistically close to pairs) of complementary 2-induced distributions of M (which we did not do above for conceptual simplicity), where we call X _{0},X _{1} complementary if \(\mathsf{E}_{1} = \overline{\mathsf{E}_{0}}\). (The idea for the proof of this equivalence, which is omitted here, is to have the constructed PRIV adversary sample according to M and let the partial information be whether the corresponding event for the induced complementary distributions of the given IND adversary occurred or not.)
Why Is the More Precise Equivalence Better?
This equivalence result is more precise than prior work, because it requires a weaker condition in order to show PRIV holds on a specific message distribution. Moreover, conceptually, viewing a lower-entropy distribution as a conditional (induced) version of a higher-entropy distribution is helpful in simplifying proofs. In particular, it allows us to use results about entropy of conditional distributions, which we explain next. Looking ahead, it also simplifies proofs for schemes based on one-wayness, because it is easy to argue that one-wayness is preserved on slightly induced distributions (the alternative would require us to go through an argument that distributions of lower entropy are induced by distributions of higher entropy).
3.2 Measuring Computational Entropy of Induced Distributions
We study how conditioning a distribution reduces its computational entropy. This result is used later in the work to show that randomness extractors can convert a hardcore function into a robust one; it is also applicable to leakage-resilient cryptography. Some basic definitions and results concerning computational entropy are reviewed in Sect. 2.2; in particular, we will use Metric ^{∗} computational entropy defined there.
It is easy to see that conditioning on an event E with probability P _{ E } reduces (information-theoretic) min-entropy by at most log(1/P _{ E }); indeed, this is shown in Lemma 5.5. (Note that this statement is quite intuitive: the more surprising a leakage value is, the more it decreases the entropy.) In the following lemma, we show that the same holds for the computational notion of Metric ^{∗} entropy if one considers reduction in both quantity and quality.
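The information-theoretic statement is easy to verify numerically: conditioning on an event of probability p multiplies point probabilities by at most 1/p, hence costs at most log(1/p) bits of min-entropy. A toy check on an arbitrary small example:

```python
from math import log2

def min_entropy(dist):
    """H_inf of a distribution given as {outcome: probability}."""
    return -log2(max(dist.values()))

# X uniform on 8 outcomes, so H_inf(X) = 3 bits.
x_dist = {i: 1 / 8 for i in range(8)}

# Condition on the event E = {0, 1}, which has probability 1/4.
p_e = sum(x_dist[i] for i in (0, 1))
x_given_e = {i: x_dist[i] / p_e for i in (0, 1)}

# The entropy drops from 3 bits to 1 bit: exactly log2(1/Pr[E]) = 2 here,
# and never more than log2(1/Pr[E]) in general.
loss = min_entropy(x_dist) - min_entropy(x_given_e)
```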
We actually need a slightly stronger statement in order to use Lemma 3.2 later, in the proof of Lemma 5.1: namely, we will need to make sure that the support of the indistinguishable distribution with true randomness does not increase after conditioning. We call this additional property support preservation.
Lemma 3.2
Let X,Y be discrete random variables. Then, for every y in the support of Y,
$$H^{{\mathtt{Metric}^{*}}}_{\epsilon/P_{Y}(y),\, s'}(X\mid Y=y) \geq H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X) - \log\frac{1}{P_{Y}(y)},$$
where s′≈s. Furthermore, the reduction is support preserving.^{Footnote 15}
The use of Metric ^{∗} entropy and an improved proof allow for a simpler and tighter formulation than results of [25, Lemma 3] and [51, Theorem 1.3] (see Appendix B for a comparison).
The proof is similar to [51]. The high-level outline of the proof is as follows; let \(\nu= H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\).

1.
Suppose D distinguishes X∣Y=y from any distribution Z of min-entropy ν−Δ with advantage ϵ′. Show that either for all Z with min-entropy ν−Δ, \(\mathop{\mathbb {E}}[D(Z)]\) is lower than \(\mathop{\mathbb{E}}[D(X\mid Y=y)]\) by at least ϵ′, or for all such Z, \(\mathop{\mathbb{E}}[D(Z)]\) is higher than \(\mathop{\mathbb{E}}[D(X\mid Y=y)]\) by at least ϵ′. Assume the former without loss of generality. This initial step allows us to remove absolute values and to find a high-entropy distribution Z ^{+} on which \(\mathop{\mathbb{E}}[D(Z^{+})]\) is the highest.

2.
Show that there exists a distinguisher D′ that also has advantage ϵ′ but, unlike D, outputs only 0 or 1. This is done by finding a cutoff α: if D’s output is above α, D′ will output 1, and otherwise it will output 0.

3.
Show that for every z outside of Z ^{+}, D′ outputs 0, and that Z ^{+} is essentially flat. Use these two facts to show an upper bound on \(\mathop{\mathbb{E}}[D'(W)]\) for any W of minentropy ν.

4.
Show a lower bound on \(\mathop{\mathbb{E}}[D'(X)]\) based on the performance of D′ on X∣Y=y.
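Step 2 of this outline, rounding a [0,1]-valued distinguisher to a {0,1}-valued one by a cutoff, is mechanically simple. In the sketch below the cutoff α comes from the argument in the proof, not from the code, and the toy distinguisher is arbitrary:

```python
def round_distinguisher(d, alpha):
    """Step-2 conversion: D'(x) = 1 iff the [0,1]-valued D exceeds the
    cutoff alpha on x; otherwise 0."""
    return lambda x: 1 if d(x) > alpha else 0

# Toy [0,1]-valued distinguisher: the last decimal digit, scaled to [0,1].
d = lambda x: (x % 10) / 10
d_prime = round_distinguisher(d, alpha=0.5)
```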
We now proceed with the full proof:
Proof
Let χ be the outcome space of X. For notational convenience, for random variables A,B we will say that A⊆B if the support of A is a subset of the support of B. Likewise, we will say a∈A to mean that a is in the support of A. Fix a set ζ⊆χ; it will be used to represent the support of the random variables with min-entropy guarantees. For the reduction to be support preserving, all distributions with min-entropy guarantees should have support contained in ζ.
Assume \(H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\geq\nu\). Fix y∈Y; let ϵ′=ϵ/P _{ Y }(y) and let s′≈s be a value to be precisely determined by the end of the proof. We assume for contradiction that
$$H^{{\mathtt{Metric}^{*}}}_{\epsilon', s'}(X\mid Y=y) \geq\nu- \log\frac{1}{P_{Y}(y)}$$
does not hold. By definition of metric entropy there exists a distinguisher \(D_{y}\in \mathcal {D}^{\mathrm {det},[0,1]} _{s'}\) such that ∀Z⊆ζ with H_{∞}(Z)≥ν−log1/P _{ Y }(y) we have
$$\bigl|\mathop{\mathbb{E}}\bigl[D_{y}(X)\mid Y=y\bigr] - \mathop{\mathbb{E}}\bigl[D_{y}(Z)\bigr]\bigr| > \epsilon'. \quad (1)$$
To contradict the Metric ^{∗} entropy of X, it suffices to show there exists a distinguisher \(D'_{y}\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) such that ∀W⊆ζ with H_{∞}(W)≥ν,
$$\bigl|\mathop{\mathbb{E}}\bigl[D'_{y}(X)\bigr] - \mathop{\mathbb{E}}\bigl[D'_{y}(W)\bigr]\bigr| > \epsilon.$$
Let Z ^{−}⊆ζ and Z ^{+}⊆ζ be distributions of min-entropy ν−log1/P _{ Y }(y) minimizing \(\mathop{\mathbb{E}}[D_{y}(Z^{-})]\) and maximizing \(\mathop {\mathbb{E}}[D_{y}(Z^{+})]\), respectively. Let \(\beta^{-} \overset{\mathrm{def}}{=} \mathop{\mathbb {E}}[D_{y}(Z^{-})]\), \(\beta ^{+}\overset{\mathrm{def}}{=}\mathop{\mathbb{E}}[D_{y}(Z^{+})]\), and \(\beta\overset {\mathrm{def}}{=} \mathop{\mathbb{E}} [D_{y}(X)\mid Y=y]\).
Claim 3.3
Either β ^{−}≤β ^{+}+ϵ′<β or β<β ^{−}−ϵ′≤β ^{+}.
From (1) and the fact that Z ^{+},Z ^{−} have min-entropy at least ν−log1/P _{ Y }(y), it suffices to show that either β ^{−}≤β ^{+}<β or β<β ^{−}≤β ^{+}. Suppose it does not hold. Then β ^{−}≤β≤β ^{+}, and we can define a distribution Z⊆ζ as a convex combination of Z ^{+},Z ^{−} with \(\mathop{\mathbb{E}}[D_{y}(Z)] = \beta \). Furthermore, a distribution formed by taking a convex combination of distributions with min-entropy ν−log1/P _{ Y }(y) has min-entropy ν−log1/P _{ Y }(y) (this is easily seen by considering the maximum-probability event). Likewise, a distribution that is a convex combination of distributions whose support is contained in ζ has support contained in ζ. This contradicts (1).
For the rest of the proof we will assume that the first case, β ^{−}≤β ^{+}+ϵ′<β, holds.
Claim 3.4
There exists a point ρ∈[0,1] such that
$$\Pr\bigl[D_{y}(X)>\rho\mid Y=y\bigr] - \Pr\bigl[D_{y}\bigl(Z^{+}\bigr)>\rho\bigr] > \epsilon'. \quad (2)$$
Proof
One has that
$$\mathop{\mathbb{E}}\bigl[D_{y}(X)\mid Y=y\bigr] - \mathop{\mathbb{E}}\bigl[D_{y}\bigl(Z^{+}\bigr)\bigr] = \int_{0}^{1} \bigl(\Pr\bigl[D_{y}(X)>\rho\mid Y=y\bigr] - \Pr\bigl[D_{y}\bigl(Z^{+}\bigr)>\rho\bigr]\bigr)\,d\rho,$$
since for a random variable A taking values in [0,1], \(\mathop{\mathbb{E}}[A]=\int_{0}^{1}\Pr[A>\rho]\,d\rho\). Suppose no ρ∈[0,1] satisfies (2). This means ∀ρ∈[0,1], Pr[D _{ y }(X)>ρ∣Y=y]−Pr[D _{ y }(Z ^{+})>ρ]≤ϵ′ and thus
$$\beta-\beta^{+} = \int_{0}^{1} \bigl(\Pr\bigl[D_{y}(X)>\rho\mid Y=y\bigr] - \Pr\bigl[D_{y}\bigl(Z^{+}\bigr)>\rho\bigr]\bigr)\,d\rho \leq\epsilon'.$$
This contradicts β−β ^{+}>ϵ′, which holds by Claim 3.3. □
Since D _{ y } is a fixed-size circuit, it outputs values of some bounded precision. Call the ordered set of possible output values Π={p _{1},…,p _{ j }}. Then, let α=max{p _{ i } : p _{ i }≤ρ}. Thus, α is a fixed-precision number such that ∀p _{ i }∈Π, p _{ i }>α implies p _{ i }>ρ. This means that
$$\Pr\bigl[D_{y}(X)>\alpha\mid Y=y\bigr] - \Pr\bigl[D_{y}\bigl(Z^{+}\bigr)>\alpha\bigr] > \epsilon'. \quad (3)$$
We define a distinguisher \(D'_{y}\) as follows: on input x, \(D'_{y}\) outputs 1 if \(D_{y}(x)>\alpha\), and 0 otherwise.
The only difference in the size of \(D'_{y}\) and D _{ y } is the addition of a comparison to α, which takes up size proportional to the number of output bits of D _{ y }. Thus s, the size of \(D'_{y}\), is approximately the same as s′, the size of D _{ y }. We define the quantities
$$\beta_{\alpha} \overset{\mathrm{def}}{=} \Pr\bigl[D_{y}(X)>\alpha\mid Y=y\bigr], \qquad \beta^{+}_{\alpha} \overset{\mathrm{def}}{=} \Pr\bigl[D_{y}\bigl(Z^{+}\bigr)>\alpha\bigr].$$
Let \(\gamma= \min_{z\in Z^{+}} D_{y}(z)\). Since \(\beta_{\alpha} - \beta ^{+}_{\alpha}\geq\epsilon'\), we know that \(\beta^{+}_{\alpha}<1\). This implies that γ<α.
Claim 3.5
For all z∈ζ, if \(\Pr[Z^{+}=z]\neq2^{-\nu+\log1/P_{Y}(y)}\), then D _{ y }(z)≤γ<α and therefore \(D'_{y}(z) = 0\).
Proof
Recall that because H_{∞}(Z ^{+})=ν−log1/P _{ Y }(y), for all z∈ζ we have \(\Pr[Z^{+}= z] \le2^{-\nu+\log1/P_{Y}(y)}\). Thus, suppose, for contradiction, that there exists a z∈ζ such that \(\Pr[Z^{+}=z]<2^{-\nu+\log1/P_{Y}(y)}\) and D _{ y }(z)>γ. Choose a w with Pr[Z ^{+}=w]>0 such that D _{ y }(w)=γ. Create a distribution Z′ by starting with Z ^{+}, increasing the probability of z and decreasing the probability of w by the same amount, while keeping the min-entropy guarantee. Then we have \(\mathop{\mathbb {E}}[D_{y}(Z')]>\mathop{\mathbb{E}} [D_{y}(Z^{+})]\), which contradicts the choice of Z ^{+}. □
Claim 3.5 implies that
$$\bigl|\bigl\{z\in\zeta : D'_{y}(z)=1\bigr\}\bigr| \leq\beta^{+}_{\alpha}\cdot 2^{\nu-\log 1/P_{Y}(y)} = \beta^{+}_{\alpha}P_{Y}(y)2^{\nu},$$
because every z with \(D'_{y}(z)=1\) has probability exactly \(2^{-\nu+\log1/P_{Y}(y)}\) under Z ^{+}, and these probabilities sum to at most \(\beta^{+}_{\alpha}\).
Claim 3.6
For all W⊆ζ where H_{∞}(W)≥ν, \(\mathop{\mathbb{E}}[D'_{y}(W)]\leq\beta^{+}_{\alpha}P_{Y}(y)\) .
Proof
Indeed,
$$\mathop{\mathbb{E}}\bigl[D'_{y}(W)\bigr] = \sum_{z : D'_{y}(z)=1} \Pr[W=z] \leq 2^{-\nu}\cdot\bigl|\bigl\{z\in\zeta : D'_{y}(z)=1\bigr\}\bigr| \leq 2^{-\nu}\cdot\beta^{+}_{\alpha}P_{Y}(y)2^{\nu} = \beta^{+}_{\alpha}P_{Y}(y).$$
□
Claim 3.7
\(\mathop{\mathbb {E}}[D'_{y}(X)]\geq\beta _{\alpha}P_{Y}(y)\).
Proof
One computes
$$\mathop{\mathbb{E}}\bigl[D'_{y}(X)\bigr] \geq \Pr[Y=y]\cdot\mathop{\mathbb{E}}\bigl[D'_{y}(X)\mid Y=y\bigr] = P_{Y}(y)\cdot\Pr\bigl[D_{y}(X)>\alpha\mid Y=y\bigr] = \beta_{\alpha}P_{Y}(y).$$
□
By combining Claim 3.6, Claim 3.7, and (3) we have that for any W⊆ζ with H_{∞}(W)≥ν:
$$\mathop{\mathbb{E}}\bigl[D'_{y}(X)\bigr] - \mathop{\mathbb{E}}\bigl[D'_{y}(W)\bigr] \geq \bigl(\beta_{\alpha}-\beta^{+}_{\alpha}\bigr)P_{Y}(y) > \epsilon'\cdot P_{Y}(y) = \epsilon.$$
Thus, we have successfully distinguished the distribution X from all such W. This is a contradiction. □
If we now consider averaging over all values of Y, we obtain the following simple formulation that expresses how much average entropy is left in X from the point of view of someone who knows Y. (This scenario naturally occurs in leakage-resilient cryptography, as exemplified in [25].)
Theorem 3.8
Let X,Y be discrete random variables. Then
$$\tilde{H}^{{\mathtt{Metric}^{*}}}_{\epsilon\cdot|Y|,\, s'}(X\mid Y) \geq H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X) - \log|Y|,$$
where s′≈s ^{Footnote 16} (recall that |Y| is the size of the support of Y). The reduction is support preserving, in the same sense as in Lemma 3.2.
This statement is similar to the statement for the information-theoretic case (where the reduction is only in quantity, of course) from Lemma 2.1. In Appendix B, we compare this theorem to [15, Lemma 16] and [30, Lemma 3.1].
As discussed in Sect. 2.2, it is not known whether Metric ^{∗} entropy can be directly extracted from. To extract, we must convert the conditional Metric ^{∗} entropy to conditional HILL entropy. Theorem 2.5 provides such a conversion with a substantial loss in quality; thus, it should be applied only when necessary. Here we provide a “HILLtoHILL” formulation of Lemma 3.2.
Corollary 3.9
Let X be a discrete random variable over χ and let Y be a discrete random variable. Then, for every y in the support of Y,
$$H^{{\mathtt{HILL}}}_{\epsilon', s'}(X\mid Y=y) \geq H^{{\mathtt{HILL}}}_{\epsilon, s}(X) - \log\frac{1}{P_{Y}(y)},$$
where \(\epsilon' = \epsilon/P_{Y}(y)+\sqrt[3]{\frac{\log|\chi| }{s}}\), and \(s'= \varOmega(\sqrt[3]{s/\log|\chi|})\). The reduction is support preserving.^{Footnote 17}
The corollary follows by combining Lemma 3.2 and Theorem C.1, which is simply the supportpreserving version of Theorem 2.5, and setting \(\epsilon_{{\mathtt{HILL}}} = \sqrt [3]{\frac{\log\chi}{s}}\). A similar corollary is available for conditioning on averagecase Y (see Corollary B.4).
3.3 A (Crooked) Leftover Hash Lemma for Correlated Distributions
The following generalization of the (Crooked) LHL to correlated input distributions will be very useful to us when considering bounded multimessage security in Sect. 6. Since our generalization of the classical LHL is a special case of our generalization of the Crooked LHL, we just state the latter here.
Lemma 3.10
(CLHL for Correlated Sources)
Let \(\mathcal{H}\colon\mathcal{K}\times D \to R\) be a 2t-wise δ-dependent function for t>0 with range R, and let f:R→S be a function (we assume S contains no more than the image of f, i.e., f maps onto all of S). Let X=(X _{1},…,X _{ t }) where the X _{ i } are random variables over D such that H_{∞}(X _{ i })≥μ for all 1≤i≤t and, moreover, Pr[X _{ i }=X _{ j }]=0 for all 1≤i≠j≤t. Then
where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and U=(U _{1},…,U _{ t }) where the U _{ i } ’s are all uniform and independent over R (recall that functions operate on vectors X and U componentwise).
Note that the lemma implies the corresponding generalization of the classical LHL by taking \(\mathcal{H}\) to have range S and f to be the identity function. The proof of the above lemma, which extends the proof of the Crooked LHL in [11], is in Appendix D.
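One standard way to realize a 2t-wise independent (i.e., δ=0) family is a uniformly random polynomial of degree at most 2t−1 over a finite field; a sketch with a prime field standing in for the domain D (truncating the output down to the range R is omitted):

```python
import random

P = 2**61 - 1  # a Mersenne prime; GF(P) stands in for the domain D

def sample_hash_key(t, rng):
    """Key for a 2t-wise independent family: the 2t coefficients of a
    uniformly random polynomial of degree at most 2t-1 over GF(P)."""
    return [rng.randrange(P) for _ in range(2 * t)]

def hash_eval(key, x):
    """Evaluate the keyed polynomial at x via Horner's rule."""
    acc = 0
    for c in reversed(key):
        acc = (acc * x + c) % P
    return acc

rng = random.Random(0)
key = sample_hash_key(t=2, rng=rng)  # 4-wise independent, as in Remark 3.11
values = [hash_eval(key, x) for x in (1, 2, 3)]
```

Evaluations at any 2t distinct points of a random degree-(2t−1) polynomial are jointly uniform, which is exactly the independence the lemma consumes.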
Remark 3.11
Dodis and Yu [24] recently used four-wise-independent hash functions to construct nonmalleable extractors [23]. Note that when f is the identity function and t=2, then, like nonmalleable extractors, Lemma 3.10 also requires four-wise-independent hashing and gives the adversary two hash values; however, the differences between the settings are numerous.
Remark 3.12
We can further extend Lemma 3.10 to the case of average conditional minentropy using the techniques of [20]. Such a generalization (without considering correlated sources) is similarly useful in the context of randomized encryption from lossy TDFs [48].
Remark 3.13
As pointed out in Sect. 1.2, a different generalization of CLHL was provided by [50, Theorem 4.6] subsequent to our work. The comparison is made difficult by the different notation used in the two results: the result of [50, Theorem 4.6] considers block sources, i.e., sequences of T (in their notation) random variables, where each random variable brings fresh entropy. We do not consider block sources, so there is no equivalent letter in our notation—essentially, for us T=1. Lemma 3.10 can be extended to block sources in a straightforward way, because each block brings fresh entropy (in such an extension, each X _{ i } would be replaced by a sequence of random variables coming from a block source).
The set of random variables \(\mathcal{X}\) in the notation of [50, Theorem 4.6] is the same as the set of random variables {X _{1},…,X _{ t }} in our Lemma 3.10. Our result applies to the joint distribution \(\mathcal{H}(X_{1}), \dots , \mathcal{H}(X_{t})\) simultaneously, while the result of [50, Theorem 4.6] applies to each \(\mathcal{H}(X_{i})\) in isolation. Both results produce roughly the same total number of output bits (close to the minentropy of X _{ i }), which means that each of the individual outputs in our result is considerably shorter (roughly a 1/t fraction). Furthermore, our requirement on the hash function is much more restrictive: we need independence that is linear, rather than logarithmic, in the number of random variables. Intuitively, this more restrictive requirement is needed because our goal is to remove correlations among the random variables, while the goal of [50, Theorem 4.6] is to make sure the hash function is not correlated to each of the random variables.
4 Deterministic Encryption from Robust Hardcore Functions
4.1 Robust Hardcore Functions
We introduce a new notion of robustness for hardcore functions. Intuitively, robust HCFs are those that remain pseudorandom when the input is conditioned on an event that occurs with good probability. We expand on this below.
Definition 4.1
Let \(\mathcal{F}\) be a TDF generator and let hc be an HCF such that hc is hardcore for \(\mathcal{F}\) with respect to a distribution X on input vectors. For α=α(k), we say hc is αrobust for \(\mathcal{F}\) on X if hc is also hardcore for \(\mathcal{F}\) with respect to the class X[α] of αinduced distributions of X.
Discussion
Robustness is interesting even for the classical definition of hardcore bits, where hc is boolean and a single uniform input x is generated in the security experiment. Here robustness means that hc remains hardcore even when x is conditioned on an event that occurs with good probability. It is clear that not every hardcore bit in the classical sense is robust—note, for example, that while every bit of the input to RSA is well known to be hardcore assuming RSA is one-way [2], these bits are not even 1-robust, since we may condition on a particular bit of the input being a fixed value. It may also be interesting to explore robustness in contexts other than DE, such as leakage resilience [43] and computational randomness extraction (or key derivation) [41].
4.2 The EncryptwithHardcore Scheme
The Scheme
Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be a probabilistic encryption scheme, \(\mathcal{F}\) be a TDF generator, and hc be an HCF. Assume that hc outputs binary strings of the same length as the random string r needed by \(\mathcal{E}\). Define the associated “Encrypt-with-Hardcore” deterministic encryption scheme \({\mathsf{EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}] =(\mathcal {DK},\mathcal{DE},\mathcal{DD})\) with plaintext space PtSp={0,1}^{k} via
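As a concreteness aid, here is a minimal executable sketch of one reading of the construction: the message is passed through the trapdoor function and the result is encrypted under Π using hc(x) as the coins, which matches decryption via the trapdoor. All three components are toy placeholders (string reversal for f, hash-derived values for hc and for Π's cipher) chosen only so the code runs; they are not secure instantiations:

```python
import hashlib

def de_encrypt(pk, x):
    """EwHCore sketch: deterministically encrypt x by applying the trapdoor
    function f and encrypting the result under Pi with coins hc(x)."""
    f, pk_pi = pk
    return encrypt_pi(pk_pi, f(x), coins=hc(x))

# --- toy placeholder components (illustration only, NOT secure) ---
def hc(x):
    # stands in for a hardcore function; here just a hash of the message
    return hashlib.sha256(b"hc" + x).digest()

def encrypt_pi(pk_pi, y, coins):
    # stands in for a randomized scheme Pi: deterministic once coins are fixed
    pad = hashlib.sha256(pk_pi + coins).digest()[: len(y)]
    return bytes(a ^ b for a, b in zip(y, pad))

def toy_f(x):
    # stands in for a trapdoor function (string reversal, trivially invertible)
    return x[::-1]

pk = (toy_f, b"public-key")
c1 = de_encrypt(pk, b"attack at dawn")
c2 = de_encrypt(pk, b"attack at dawn")  # same message, same ciphertext
```

The only randomness in the encryption path is hc(x), so encryption is deterministic, as the PRIV/IND definitions require.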
Security Analysis
To gain some intuition, suppose hc is hardcore for \(\mathcal{F}\) on some distribution X on input vectors. One might think that PRIV security of \({\mathsf{EwHCore}}= {\mathsf {EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}]\) on X then follows by IND-CPA security of Π. However, this is not true. To see this, suppose hc is a “natural” hardcore function (i.e., outputs some bits of the input). Define \(\varPi' = (\mathcal{K},\mathcal{E}',\mathcal{D}')\) to be like \(\varPi= (\mathcal{K},\mathcal{E},\mathcal{D})\) except that the coins consumed by \(\mathcal{E}'\) are extended by one bit, which \(\mathcal {E}'\) outputs in the clear and \(\mathcal{D}'\) ignores. That is, define \(\mathcal{E}'(\mathit{pk},x;r\|b) = \mathcal{E}(\mathit{pk},x;r)\,\|\,b\) and \(\mathcal{D}'(\mathit{sk},y\|b) = \mathcal{D}(\mathit{sk},y)\). Then IND-CPA security of Π′ follows from that of Π, but a straightforward attack shows \({\mathsf{EwHCore}}[\varPi',\mathcal{F},\mathsf{hc}]\) is not PRIV on X: the last coin bit comes from the output of hc, so it is a bit of the input, and it appears in the ciphertext in the clear. This is how our notion of robustness comes into play.
Theorem 4.2
Suppose Π is IND-CPA secure and hc is 2-robust for \(\mathcal{F}\) on a distribution M on input vectors. Then \({\mathsf{EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}]\) is PRIV-secure on M.
The theorem follows from combining Theorem 3.1 with the following lemma, which shows that what does follow if hc is hardcore (but not necessarily robust) is the IND security of EwHCore.
Lemma 4.3
Suppose Π is IND-CPA secure and hc is hardcore for \(\mathcal {F}\) on a distribution M on input vectors. Then \({\mathsf{EwHCore}}= {\mathsf{EwHCore}}[\varPi ,\mathcal{F},\mathsf{hc}]\) is IND secure on M. In particular, let \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}}\) be an IND adversary against EwHCore. Then there is an IND-CPA adversary A against Π and an adversary B against hc on M such that for all \(k\in{{\mathbb{N}}}\)
Furthermore, the running times of A and B are approximately the time to run D.
Proof
Let Game G _{1} correspond to the IND experiment with D against EwHCore, and let Game G _{2} be like G _{1} except that the coins used to encrypt the challenge plaintext vector are truly random. For i∈{0,1} let \(B^{i} = (B^{i}_{1},B^{i}_{2})\) be the HCF adversary against hc for \(\mathcal{F}\) defined via
Then
where we take B to be whichever of B ^{0},B ^{1} has the larger advantage. Now define IND-CPA adversary A against Π via
Then (8) follows from taking into account the definition of the advantages of D,A. □
A subtle point worth mentioning is where in the proof we use the fact that Lemma 4.3 considers IND security of EwHCore rather than PRIV (which, as we have said, does not follow). It is in the step that uses security of the hardcore function. If we considered PRIV security, in this step the constructed HCF adversaries against \(\mathcal{F}\) would need to test whether the output of the PRIV adversary against EwHCore is equal to a “target value” representing partial information on the input to \(\mathcal {F}\), which these adversaries are not given. Indeed, this is exactly what caused complications in the original analysis of the scheme of [6], which used the PRIV notion directly.
5 SingleMessage Instantiations of EncryptwithHardcore
5.1 Getting Robust Hardcore Functions
Making any Large Hardcore Function Robust
We show that by applying a randomness extractor in a natural way, one can convert any large hardcore function in the standard sense to one that is robust (with some loss in parameters). However, while the conversion procedure is natural, proving that it works turns out to be nontrivial.
For a random variable A with support \(\mathcal{A}\), define the entropy discrepancy of A as \(\mathsf{disc}(A) = \log|\mathcal {A}| - \mathrm{H}_{\infty}(A) = \mathrm{H}_{0}(A)-\mathrm{H}_{\infty}(A)\). Let \(\mathcal{F}\) be a TDF generator. Let disc _{ k }(f) be the entropy discrepancy of the public key f, viewed as a random variable produced by \(\mathcal{F}(1^{k})\). Let X be an input distribution for f and hc:{0,1}^{k}→{0,1}^{ℓ} be an HCF for f on X. Let ext:{0,1}^{ℓ}×{0,1}^{d}→{0,1}^{m}×{0,1}^{d} be a strong average-case (ℓ−α−disc(f)−disc(X),ϵ _{ ext })-extractor for \(\alpha\in{{\mathbb{N}}}\) that takes time t _{ ext } to compute. Define a new “extractor-augmented” HCF hc[ext] for \(\mathcal{F}[ \mathtt {ext} ]\) as follows: hc[ext]_{ s }(x)=ext(hc(x),s) for all x∈{0,1}^{k} and s∈{0,1}^{d}. (Here we view ext as a keyed function with the second argument as the key.) The following characterizes the α-robustness of hc[ext].
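The conversion itself is a one-liner: sample a public seed s and post-compose hc with the seeded extractor. A sketch with toy stand-ins for hc and ext (a real instantiation needs a strong average-case extractor with the parameters above):

```python
import secrets

def make_hc_ext(hc, ext, seed_bits):
    """Extractor-augmented hardcore function hc[ext]_s(x) = ext(hc(x), s).
    The seed s is sampled once and published with the function key."""
    seed = secrets.randbits(seed_bits)
    return (lambda x: ext(hc(x), seed)), seed

# Toy stand-ins: hc squeezes its input to 16 bits; ext outputs a single
# inner-product bit (a real extractor outputs m bits alongside the seed).
toy_hc = lambda x: (x * 0x9E3779B1) & 0xFFFF
toy_ext = lambda v, s: bin(v & s).count("1") % 2
hc_ext, seed = make_hc_ext(toy_hc, toy_ext, seed_bits=16)
bit = hc_ext(12345)
```

Note that once the seed is fixed, hc[ext] is deterministic, as required of an HCF used inside a deterministic encryption scheme.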
Lemma 5.1
If hc is a sufficiently long hardcore function for \(\mathcal{F}\) on an input distribution X, then hc[ext] is a hardcore function for any input distribution X′∈X[α]. More precisely, if
where in both equations f is distributed according to \(\mathcal{F}(1^{k})\), and \(\epsilon' = \epsilon\cdot2^{\alpha}+\sqrt[3]{(k + \log|\mathcal{F}| + \ell)/t}\) and \(t'= \varOmega(\sqrt[3]{t/(k + \log|\mathcal{F}| +\ell)})\).
We note that in order to apply this lemma, (ℓ−α−disc(f)−disc(X)) must be large enough to allow for a useful extractor. Thus, the “entropy loss” is not only α (which is expected, because it is the entropy deficiency of X′), but also disc(f)+disc(X). Therefore, we need the starting hardcore function output length ℓ to be sufficiently large compared to the entropy discrepancies of both f and X. Fortunately, for typical trapdoor functions such as RSA, disc(f) is 0 because the distribution of public keys produced by the key generation method is flat. Moreover, a sufficiently long ℓ can always be achieved if the starting hardcore function output is long enough to be used as a seed for a pseudorandom generator, since then it can be expanded to any polynomial length (here we are referring to running the hardcore function output through a pseudorandom generator before applying the extractor, thus changing hc to have longer output ℓ).
Also note that when α=O(log k), the security loss in the reduction is polynomial (in our application we just need α=2). We note that the conversion procedure also works when hc is hardcore on a distribution X on input vectors, but we omit this since we do not know any examples of “natural” hardcore functions that are secure on correlated inputs. (Looking ahead, in Sect. 6 we give a direct construction of such a hardcore function without needing the conversion procedure of Lemma 5.1.)
Proof
Let f be distributed according to the distribution of public keys produced by \(\mathcal{F}(1^{k})\). Slightly abusing notation, we will also denote the support of this distribution by \(\mathcal{F}\). Assume that for t,ϵ>0
By definition of HILL entropy,
(using the fact that f is injective). Let ζ denote the set of all triples (f,y,r) such that \(f\in\mathcal{F}\), and y=f(x) for some x∈X. Let E be such that X′=X∣E; note that Pr[E]=2^{−α}. Applying the “HILLtoHILL” Corollary 3.9, we know that
where \(\epsilon' = \epsilon\cdot2^{\alpha}+\sqrt[3]{(k + \log|\mathcal{F}| + \ell)/t}\), and \(t'= \varOmega(\sqrt[3]{t/(k + \log|\mathcal{F}|+\ell)})\). By Definition 2.3 of HILL entropy and the fact that Corollary 3.9 is support preserving, this implies that there exist random variables (A,B,C)⊆ζ such that
and furthermore H_{∞}((A,B,C))≥H_{∞}(f)+H_{∞}(X)+ℓ−α. Because an independent random string does not help the distinguisher,
Because applying a deterministic function to the distributions can help the distinguisher by at most the time it takes to compute the function,
We now claim that
Indeed,
where the first inequality uses Lemma 2.1, the second inequality follows from \(A\subseteq\mathcal{F}\) and B⊆f(X), and the final inequality follows from the definition of (A,B,C), the definition of disc, and the fact that f is injective. Thus, (12) follows by security of ext. Note that (10) implies that (f,f(X))∣E≈_{ t′,ϵ′}(A,B), which implies
Combining (11), (12), (13) via the triangle inequality we have
Recalling that f is distributed independently of E and X′=X∣E, we get the statement of the lemma. □
Remark 5.2
The conclusion of the lemma actually holds under a weaker hypothesis on the starting hardcore function. Namely, its output need not be indistinguishable from uniform; it suffices that it have high computational (HILL) entropy.
The above conversion procedure notwithstanding, we give specific examples of hardcore functions that are already robust, without requiring the conversion. This is especially useful for viewing the constructions from one-wayness as in [6] and from lossiness as in [11] in a unified way: both constructions stem from the fact that “one-way hardness” and min-entropy, respectively, are preserved on slightly induced distributions.
Robust Goldreich–Levin Bits for Any TDF
First, we show that the Goldreich–Levin [31] hardcore function as considered in [6] is robust. Indeed, robustness of Goldreich–Levin follows from the following simple lemma, which describes how “one-way hardness” on an input distribution is preserved on induced distributions.
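For concreteness, the GL bit of an input x with respect to a random string r is the inner product of x and r over GF(2); a minimal sketch (integer bit-vectors are an illustrative encoding choice):

```python
def gl_bit(x: int, r: int) -> int:
    """Goldreich-Levin hardcore bit: <x, r> mod 2 (inner product over GF(2))."""
    return bin(x & r).count("1") % 2

# The augmented TDF F[GL] publishes r alongside the public key and outputs
# f(x); predicting gl_bit(x, r) from f(x) and r is as hard as inverting f.
```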
Lemma 5.3
Let \(\mathcal{F}\) be a TDF generator. Let X be an input distribution and fix X′∈X[α] for \(\alpha\in{{\mathbb{N}}}\). Then for any inverter I′ against \(\mathcal{F}\) on X′ there is an inverter I against \(\mathcal{F}\) on X such that for all \(k \in{{\mathbb{N}}}\)
Furthermore, the running time of I is the time to run I′.
Proof
Let I be the inverter that simply runs I′ on its input, and let E be the event corresponding to X′. Let G be the event that \(\mathbf{Exp}^{\mathrm{owf}}_{\mathcal {F},{\boldsymbol {X'}},I'}(k) = 1\). Then
from which (15) follows by rearranging terms. □
Note that when α=O(log k), the reduction incurs a polynomial loss in advantage (again, in our applications we just need α=2). As mentioned, the security of \(\mathcal{GL}^{i}\) for an input distribution X depends only on the hardness of \(\mathcal{F}\) on X. By Lemma 5.3, the hardness of \(\mathcal{F}\) on all X′∈X[α] is polynomially related to the hardness of \(\mathcal{F}\) on X. Thus, if \(\mathcal{GL}^{i}\) is hardcore for \(\mathcal {F}[\mathcal{GL}^{i}]\) on X, it is hardcore for \(\mathcal{F}[\mathcal {GL}^{i}]\) on all X′∈X[α]. This yields the following proposition.
Proposition 5.4
Let \(\mathcal{F}[\mathcal{GL}^{i}]\) be as defined above and suppose \(\mathcal{GL}^{i}\) is hardcore for \(\mathcal{F}[\mathcal{GL}^{i}]\) on a single-input distribution X. Then \(\mathcal{GL}^{i}\) is O(log k)-robust for \(\mathcal{F}[\mathcal{GL}^{i}]\) on X.
Robust Bits for Any LTDF
Peikert and Waters [48] showed that LTDFs admit a simple, large hardcore function, namely a pairwise-independent hash function (the same argument applies also to universal hash functions or, more generally, randomness extractors). We show robustness of the latter based on the following simple lemma, which says that the min-entropy of a given input distribution is preserved on subdistributions induced by an event that occurs with good probability.
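A standard pairwise-independent family can be sketched as h_{a,b}(x) = ((ax + b) mod p) mod 2^r; this is only an illustration of the kind of hash the Peikert–Waters argument uses, and the field size and output length below are arbitrary choices, not parameters from the paper.

```python
P = (1 << 61) - 1  # a Mersenne prime; must exceed the size of the input domain

def pw_hash(a: int, b: int, x: int, r: int) -> int:
    """Pairwise-independent hash h_{a,b}(x) = ((a*x + b) mod p) mod 2^r."""
    assert 1 <= a < P and 0 <= b < P
    return ((a * x + b) % P) % (1 << r)

# The key (a, b) is chosen at random and published with the public key;
# the r-bit output serves as the hardcore function value on input x.
```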
Lemma 5.5
Let X be a random variable with H_{∞}(X)≥μ, and let X′ be a random variable where P_{X′} is an α-induced subdistribution of P_{X}. Then H_{∞}(X′)≥μ−α.
Proof of Lemma 5.5
Suppose not, and let E be the event corresponding to X′. Then there exists an x′ such that P_{X′}(x′)>2^{−μ+α}. But then
a contradiction. □
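A small numeric check of the lemma, with illustrative numbers of our own choosing: conditioning a uniform 3-bit distribution on an event of probability 2^{−2} costs at most 2 bits of min-entropy.

```python
from math import log2

def min_entropy(dist):
    """H_inf(X) = -log2(max_x Pr[X = x])."""
    return -log2(max(dist.values()))

X = {x: 1 / 8 for x in range(8)}      # uniform on 8 points: H_inf(X) = 3
E = {0, 1}                            # event of probability 1/4, so alpha = 2
pE = sum(X[x] for x in E)
X_cond = {x: X[x] / pE for x in E}    # the 2-induced subdistribution X|E

alpha = -log2(pE)
# Lemma 5.5: H_inf(X|E) >= H_inf(X) - alpha (here 1 >= 3 - 2, with equality)
assert min_entropy(X_cond) >= min_entropy(X) - alpha - 1e-9
```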
By combining the Generalized Leftover Hash Lemma of [20] (i.e., for the case of average min-entropy) with the “chain rule” for average conditional min-entropy (Lemma 2.1), it follows that if \(\mathcal {F}\) is a lossy trapdoor function generator with residual leakage s, then a pairwise-independent hash function \(\mathcal{H}\colon\mathcal {K}\times\{0,1\}^{k} \to\{0,1\}^{r}\) is hardcore for \(\mathcal {F}[\mathcal{H}]\) on any single-input distribution X with min-entropy s+r+2 log(1/ϵ) for negligible ϵ (as compared to [48, Lemma 3.4], we simply observe that the argument does not require the input to be uniform). Then, using Lemma 5.5, we have the following.
Proposition 5.6
Let \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) be an LTDF generator with residual leakage s, and let \(\mathcal{H}\colon \mathcal{K}\times\{0,1\}^{k} \to\{0,1\}^{r}\) be a pairwise-independent hash function. Then \(\mathcal{H}\) is an O(log k)-robust hardcore function for \(\mathcal{F}[\mathcal{H}]\) on any single-input distribution X with min-entropy s+r+2 log(1/ϵ) for negligible ϵ.
5.2 Putting It Together
Equipped with the above results, we describe instantiations of the Encrypt-with-Hardcore scheme that both explain prior constructions and produce novel ones.
Using an Iterated Trapdoor Permutation
The prior trapdoor-permutation-based DE scheme of Bellare et al. [6] readily provides an instantiation of EwHCore by using an iterated trapdoor permutation as the TDF. Let \(\mathcal{F}\) be a TDP and hc be a hardcore bit for \(\mathcal{F}\). For \(i \in{{\mathbb{N}}}\) denote by \(\mathcal {F}^{i}\) the TDP that iterates \(\mathcal{F}\) i times. Define the Blum–Micali–Yao (BMY) [10, 65] hardcore function for \(\mathcal{F}^{i}\) via \(\mathcal{BMY}^{i}[\mathsf{hc}](f,x) = \mathsf{hc}(x) \,\|\, \mathsf {hc}(f(x)) \,\|\, \ldots\,\|\, \mathsf{hc}(f^{i-1}(x))\). Bellare et al. [6] used the specific choice \(\mathsf {hc}= \mathcal{GL}\) (the GL bit) in their scheme, which is explained by the fact that the latter is robust as per Proposition 5.4 and one can show that BMY iteration expands one robust hardcore bit to many (on a non-uniform distribution, the bit should be hardcore on all “permutation distributions” of the former).
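The BMY iteration can be sketched as follows; the permutation and hardcore bit below are toy stand-ins of our own (a shift on Z_8 and the least significant bit), not an actual TDP or a proven hardcore bit.

```python
def bmy(f, hc, x, i):
    """BMY hardcore bits for f^i: hc(x) || hc(f(x)) || ... || hc(f^{i-1}(x))."""
    bits = []
    for _ in range(i):
        bits.append(hc(x))
        x = f(x)
    return bits

# Toy instantiation (illustrative only): f a permutation of Z_8, hc the LSB.
toy_f = lambda x: (x + 3) % 8
toy_hc = lambda x: x & 1
```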
However, due to our augmentation procedure to make any large hardcore function robust, we are no longer bound to any specific choice of hc. For example, we may choose hc to be a natural bit of the input in the case that the latter is hardcore. In fact, it may often be the case that \(\mathcal{F}\) has many simultaneously hardcore natural bits, and therefore our construction will require fewer iterations of the TDP than the construction of [6].
Using a Lossy TDF
Applying Proposition 5.6, we get an instantiation of the Encrypt-with-Hardcore scheme from lossy TDFs that is an alternative to the prior scheme of Boldyreva et al. [11] and the concurrent work of Wee [63]. Our scheme requires an LTDF with residual leakage s≤H_{∞}(X)−2 log(1/ϵ)−r, where r is the number of random bits needed in \(\mathcal{E}\) (or the length of a seed to a pseudorandom generator that can be used to obtain those bits). Thus the LTDF should lose a constant fraction of its input. To compare, the prior scheme of [11] encrypts under (an augmented version of) the LTDF directly and does not use the “outer” encryption scheme at all. Its analysis requires the “Crooked” LHL of Dodis and Smith [21] rather than the standard LHL, but it gets rid of r in the above bound, leading to a milder requirement on lossiness or input entropy.
Using 2-Correlated Product TDFs
Hemenway et al. [35] show a construction of DE from a decisional 2-correlated product TDF, namely one where \(\mathcal{F}\) has the property that f_{1}(x),f_{2}(x) is indistinguishable from f_{1}(x_{1}),f_{2}(x_{2}) where x_{1},x_{2} are sampled independently (in both cases for two independent public instances f_{1},f_{2} of \(\mathcal{F}\)). (This property is a strengthening of the notion of security under correlated products introduced in [55].) They show such a trapdoor function is a secure DE scheme for uniform messages. To obtain an instantiation of EwHCore under the same assumption, we can use \(\mathcal{F}\) as the TDF, and an independent instance of the TDF as hc. When a randomness extractor is applied to the latter, robustness follows from Lemma 5.1, taking into account Remark 5.2.
Using any TDF with a Large HCF
Our most novel instantiations in the single-message case come from considering TDFs that have a sufficiently large HCF but are not necessarily lossy or an iterated TDP. Let us first consider instantiations on the uniform message distribution (an important special case as highlighted in [6]). It was recently shown by Freeman et al. [27] that the Niederreiter TDF [45] has linearly many (simultaneous) hardcore bits under the “Syndrome Decoding Assumption (SDA)” and “Indistinguishability Assumption (IA)” as defined in [27, Sect. 7.2], which are already needed to show the TDF is one-way. Furthermore, the RSA [54] and Paillier [47] TDPs have linearly many hardcore bits under certain computational assumptions, namely the “Small Solutions RSA (SS-RSA) Assumption” [59] and the “Bounded Computational Composite Residuosity (BCCR) Assumption” [13], respectively. Because these hardcore functions are sufficiently long, they can be made robust via Lemma 5.1 and give us a linear number of robust hardcore bits—enough to use as randomness for \(\mathcal{E}\) (expanded by a pseudorandom generator if necessary). (Here the “outer” encryption scheme can be instantiated under the same assumptions.) Thus, by Theorem 4.2, we obtain:
Corollary 5.7
Under SDA+IA for the Niederreiter TDF, DE for the uniform message distribution exists. Similarly, under SS-RSA for the RSA TDP or BCCR for the Paillier TDP, respectively, DE for the uniform message distribution exists.
In particular, the first statement provides the first DE scheme without random oracles based on the hardness of syndrome decoding. (A scheme in the random oracle model follows from [4].) Moreover, the schemes provided by the second statement are nearly as efficient as the ones obtained from lossy TDFs (since they do not use iteration), and the latter typically requires decisional assumptions (in contrast to the computational assumptions used here).
If we do not wish to rely on specific assumptions, we can also get DE from strong but general assumptions. Specifically, for general \(\mathcal{F}\), we can obtain a large enough HCF by using enough GL bits and assuming the TDF is sufficiently hard to invert.^{Footnote 18} If \(\mathcal{F}\) is s-hard on X then, by [31], it has an HCF on X with almost log s bits of output. Note we can trade hardness of the TDF for greater hardness of an underlying PRG used to expand the HCF, which can be built from a one-way function without a trapdoor. For example, we can assume a TDF \(\mathcal{F}\) that is quasi-polynomially hard to invert, which yields a GL HCF with polylogarithmic output length, and expand it via a PRG with subexponential hardness (which could be built assuming a subexponentially hard one-way function).
To obtain instantiations on message distributions of less than maximal entropy, we can use a technical lemma [26, Lemma 4] saying that every distribution with min-entropy α less than maximal can be viewed as an α-induced distribution of the uniform distribution, and take into account Remark 5.2. By Corollary 3.9, we know the HILL entropy of a HCF on such a distribution degrades in quantity by α and in quality polynomially in 2^{α}. Thus, assuming the HCF is sufficiently long and sufficiently hard to distinguish from uniform, it can still be turned into a robust HCF using Remark 5.2. For example, if α=O(log(k)), a standard hardness assumption suffices. We thus obtain the analog of Corollary 5.7 for distributions whose min-entropy is logarithmically away from maximal under the same assumptions.
For any α=o(k), we can obtain DE for distributions of min-entropy α away from maximal by assuming subexponential hardness of simultaneous hardcore bits. That is, the analog of Corollary 5.7 holds under subexponential hardness of the assumptions.
6 Bounded Multi-Message Security and Its Instantiations
6.1 The New Notion and Variations
The New Notion
The notion of q-bounded multi-message security (or just q-bounded security) for DE is quite natural, and parallels the treatment of “bounded” security in other contexts (e.g., [16]). In a nutshell, it asks for security on up to q arbitrarily correlated but high-entropy messages (where we allow the public-key size to depend on q). More formally, fix an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\). For q=q(k) and μ=μ(k), let \({{\mathbb{M}}}^{q,\mu}\) be the class of distributions on message vectors \(M^{\mu ,q} = (M^{\mu,q}_{1}, \ldots, M^{\mu,q}_{q})\) where \(\mathrm{H}_{\infty}(M^{\mu,q}_{i}) \geq\mu\) for all 1≤i≤q, and \(M^{\mu,q}_{1}, \ldots, M^{\mu,q}_{q}\) are distinct with probability 1. We say that Π is q-bounded multi-message PRIV (resp. IND) secure for μ-sources if it is PRIV (resp. IND) secure for \({{\mathbb{M}}}^{q,\mu}\). We note that Theorem 3.1 (combined with Lemma 5.5) tells us that PRIV on \({{\mathbb{M}}}^{q,\mu}\) is equivalent to IND on \({{\mathbb{M}}}^{q,\mu-2}\).
Unbounded Multi-Message Security for q-Block Sources
We also consider unbounded multi-message security for what we call a q-block source, a generalization of a block-source [14] in which every qth message introduces some “fresh” entropy. More formally, fix an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\). For q=q(k), n=n(k), and μ=μ(k), let \({{\mathbb{M}}}^{q,n,\mu}\) be the class of distributions on message vectors \(M^{q,n,\mu} = (M^{q,n,\mu}_{1}, \ldots, M^{q,n,\mu}_{qn})\) such that H_{∞}(X_{qi+j}∣X_{1}=x_{1},…,X_{qi−1}=x_{qi−1})≥μ for all 1≤i≤n, all 0≤j≤q−1, and all outcomes x_{1},…,x_{qi−1} of X_{1},…,X_{qi−1}. We say that Π is unbounded multi-message PRIV (resp. IND) secure for (μ,n)-block-sources if Π is PRIV (resp. IND) secure on \({{\mathbb{M}}}^{q,n,\mu}\). Using a similar argument to [11, Theorem 4.2], one can show equivalence of PRIV on \({{\mathbb{M}}}^{q,n,\mu}\) to IND on \({{\mathbb{M}}}^{q,n,\mu}\).
6.2 Our Basic Scheme
Note that we cannot trivially achieve q-bounded security by running, say, q copies of a scheme secure for one message in parallel (and encrypting the ith message under the ith public key), since this approach would lead to a stateful scheme. The main technical tool we use to achieve the notion is Lemma 3.10. Combined with Lemma 2.1, it tells us that a 2q-wise independent hash function is robust on correlated input distributions of sufficient min-entropy:
Proposition 6.1
For any q, let \({\mathsf{LTDF}}= (\mathcal{F},\mathcal{F}')\) be an LTDF generator with input length n and residual leakage s, and let \(\mathcal{H}\colon\mathcal{K}\times D \to R\), where r=log|R|, be a 2q-wise independent hash function. Then \(\mathcal{H}\) is a 2-robust hardcore function for \(\mathcal{F}\) on any input distribution X=(X_{1},…,X_{q}) such that H_{∞}(X)≥q(s+r)+2 log q+2 log(1/ϵ)−2 for negligible ϵ.
Thus, by Theorem 4.2 we obtain a q-bounded multi-message secure DE scheme based on lossy trapdoor functions. Note that since we require
(where r is the number of random bits needed in \(\mathcal{E}\), or the length of a seed to a pseudorandom generator that can be used to obtain those bits) the lossy trapdoor function must lose a 1−O(1/q) fraction of its input. The DDH-based construction of Peikert and Waters [48], the Paillier-based one of [11, 27], and the one from d-linear of [27] can all satisfy this requirement for any polynomial q.
6.3 Our Optimized Scheme
We show that by extending some ideas of [11], we obtain a more efficient DE scheme meeting q-bounded security with better parameters.
Intuition and Preliminaries
Intuitively, for the optimized scheme we modify the scheme of [11] to first preprocess the input message using a 2q-wise independent permutation (instead of pairwise-independent as in [11]). However, there are two issues to deal with here. First, for q>1 such a permutation is not known to exist (in an explicit and efficiently computable sense). Second, Lemma 3.10 applies to t-wise independent functions rather than permutations. (In the case t=2 considered in [11] the difference turns out to be immaterial.)
To solve the first problem, we turn to 2q-wise “δ-dependent” permutations (as constructed in, e.g., [38]). Namely, say that a collection of permutations over D keyed by \(\mathcal{K}\), \(H \colon\mathcal{K}\times D \to D\), is t-wise δ-dependent if for all distinct x_{1},…,x_{t}∈D
where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and P_{1},…,P_{t} are defined iteratively by taking P_{1} to be uniform on D and, for all 2≤i≤t, taking P_{i} to be uniform on D∖{p_{1},…,p_{i−1}}, where p_{1},…,p_{i−1} are the outcomes of P_{1},…,P_{i−1}, respectively.
To solve the second problem, we use the following lemma, which says that a t-wise δ-dependent permutation is a t-wise δ′-dependent function where δ′ is slightly larger than δ.
Lemma 6.2
Suppose \(H \colon\mathcal{K}\times D \to D\) is a t-wise δ-dependent permutation for some t≥1. Then H is a t-wise δ′-dependent function for δ′=δ+t^{2}/|D|.
The proof uses the fact that the distribution of (P_{1},…,P_{t}) equals the distribution of (U_{1},…,U_{t})∣DIST, where DIST is the event that U_{1},…,U_{t} are all distinct, and then applies a union bound. It will be useful to restate Lemma 3.10 in terms of δ-dependent permutations; the following lemma follows by combining Lemma 3.10 and Lemma 6.2, and observing that 1/|D|≤2^{−μ}.
Lemma 6.3
(CLHL for Correlated Sources with Permutations)
Let \(\mathcal{H}\colon\mathcal{K}\times D \to D\) be a 2t-wise δ-dependent permutation for some t>0 with range R, where δ=t^{2}2^{−μ}. Let f:R→S be a function (we assume S contains no more than the image of f, i.e., f maps onto all of S). Let X=(X_{1},…,X_{t}) where the X_{i} are random variables over D such that H_{∞}(X_{i})≥μ for all 1≤i≤t and, moreover, Pr[X_{i}=X_{j}]=0 for all 1≤i≠j≤t. Then
where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and U=(U _{1},…,U _{ t }) where the U _{ i } are all uniform and independent over D (recall that functions operate on vectors componentwise).
It is interesting to note here that the bound in Equation (16) is essentially as good as the one in Equation (7) with δ=0 (just a factor of 4 worse). At first one might not expect this to be the case. Indeed, when the classical LHL is extended to “imperfect” hash functions [19, 58], the error probability must be taken much smaller than 1/|R|, where R is the range of the hash function. But in Lemma 3.10 we have δ=t^{2}2^{−μ}≥t^{2}/|D|, which is large compared to 1/|D| (where D is the range of the hash function in our case, as it is a permutation). The reason we can tolerate this is that it is enough for t^{2}/|D| to be much smaller than 1/|S| (where S is the image of f), which is indeed the case in applications. In other words, the Crooked LHL turns out to be more tolerant than the classical one in this respect.
The Construction
We now detail our construction. Let \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) be an LTDF and let \(\mathcal{P}\colon\mathcal{K}\times\{0,1\}^{k} \to\{0,1\}^{k}\) be an efficiently invertible family of permutations on k bits. Define the associated deterministic encryption scheme \(\varPi[{\mathsf{LTDF}},\mathcal{P}] = (\mathcal{DK}, \mathcal {DE},\mathcal{DD})\) with plaintext-space PtSp={0,1}^{k} via
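The shape of the scheme can be sketched as: encrypt x deterministically as f(P_K(x)), and decrypt by inverting both steps with the trapdoor. The sketch below uses toy stand-ins of our own (a shift permutation and a small cube map modulo a prime), not an actual lossy TDF or a 2q-wise δ-dependent permutation.

```python
# Toy sketch of the construction's shape: DE(pk=(f, K), x) = f(P_K(x)),
# DD(sk=(f^{-1}, K), c) = P_K^{-1}(f^{-1}(c)). All primitives are illustrative.
P_MOD = 65537   # prime; cubing permutes Z_65537 since gcd(3, 65536) = 1
D_INV = 43691   # inverse of 3 modulo 65536, so x -> x^3 is invertible

def perm(key: int, x: int) -> int:        # toy keyed permutation of Z_65536
    return (x + key) % 65536

def perm_inv(key: int, y: int) -> int:
    return (y - key) % 65536

def f(x: int) -> int:                     # toy "trapdoor" permutation
    return pow(x, 3, P_MOD)

def f_inv(c: int) -> int:                 # inversion using the "trapdoor" D_INV
    return pow(c, D_INV, P_MOD)

def de_encrypt(key: int, x: int) -> int:
    return f(perm(key, x))

def de_decrypt(key: int, c: int) -> int:
    return perm_inv(key, f_inv(c))
```

The point of the permutation step is exactly the preprocessing discussed above: it spreads the correlated messages out before the lossy function is applied.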
We have the following result.
Theorem 6.4
Suppose LTDF is a lossy trapdoor function on {0,1}^{n} with residual leakage s, and let q,ϵ>0. Suppose \(\mathcal {P}\) is a 2q-wise δ-dependent permutation on {0,1}^{n} for δ=q^{2}/2^{n}. Then for any q-message IND adversary \(B \in {{\mathbb{D}}}_{{{\mathbb{M}}}^{q,\mu}}\) with min-entropy μ≥qs+2 log q+2 log(1/ϵ)+2, there is an LTDF distinguisher D such that for all \(k \in{{\mathbb{N}}}\),
Furthermore, the running time of D is the time to run B.
Proof
The first step in the proof is to switch the HCF experiment to execute not \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) but \(f' \gets\mathcal {F}'(1^{k})\). We then conclude by applying Lemma 6.3 with t=q and \(\mathcal{H}= \mathcal{P}\). □
An efficiently invertible 2q-wise δ-dependent permutation on {0,1}^{n} for δ=t^{2}/2^{n} can be obtained from [38] using key length nt+log(1/δ)=n(t+1)−2 log t.
Now, combining Theorem 6.4 with Theorem 3.1 and Lemma 5.5 (extended to message vectors rather than single-input distributions) gives us bounded multi-message PRIV (rather than IND) security for any distribution on message vectors of size q with sufficient entropy. We make this explicit in the following corollary.
Corollary 6.5
Suppose LTDF is a lossy trapdoor function on {0,1}^{n} with residual leakage s. Then we obtain a q-bounded multi-message PRIV secure DE scheme for the class of distributions on {0,1}^{n} with min-entropy μ≥qs+2 log q+2 log(1/ϵ)+4 for negligible ϵ.
Comparing to Proposition 6.1, we see that we have dropped the r in the entropy bound (indeed, there is no hardcore function here). This translates to savings in the input entropy or lossiness requirement on the trapdoor function. Namely, while we still need to lose a 1−O(1/q) fraction of the input, we get rid of the factor 2 on q. We also note that we can prove directly that the optimized scheme meets our notion of unbounded multi-message PRIV security on q-block sources of the same entropy by using our precise definitional equivalence, as follows. First, its IND security on q-block sources follows by extending Lemma 3.10 to q-block sources via a hybrid argument as in the case of the original LHL [66]. Then, its PRIV security on q-block sources (of 2 bits greater entropy) follows by Theorem 3.1 after extending Lemma 5.5 to show that a 2-induced distribution of a q-block source with min-entropy μ is a q-block source with min-entropy μ−2.
Notes
Technically, this construction does not even need a TDF because of the random oracle model; however, it may be prudent to use a TDF because then it seems more likely that the instantiation of the random oracle will be secure as it may be hardcore for the TDF.
A general study of correlated-input security for the case of hash functions rather than hardcore functions was concurrently initiated in [33].
The result of Wichs holds when the entropy of each message is logarithmically less than uniform. Whether deterministic encryption is possible when messages are arbitrarily correlated but individually have full entropy is an interesting open question.
Subsequent work [50] has defined a “real-or-random” (RoR) style IND definition for a single message distribution (where the other message distribution in the pair is fixed to be uniform). However, this definition is overly restrictive in our context and is really only helpful when security is defined with respect to min-entropy levels; indeed, our result shows that for PRIV to hold on a given message distribution, the RoR IND notion need not.
One could alternatively define robustness as remaining hardcore on inputs of slightly lower entropy; however, in our proofs of robustness we would then need an additional argument that distributions of lower entropy are induced by distributions of higher entropy.
In the case of randomized leakage, the information-theoretic result of [20, Lemma 2.2(b)] gives better bounds.
We note that the result of [50] is phrased in terms of block sources, which we have ignored here for ease of comparison (our result also extends to what we call “q-block” sources); see Remark 3.13 for further details.
Metric^{∗} entropy is weaker than HILL entropy in two ways: the distinguisher is deterministic, and the distribution Z can depend on the distinguisher.
More specifically, it is a “comparison-based” semantic-security-style notion; this was shown equivalent to a “simulation-based” formulation in [6].
In this work we only consider the definition relative to deterministic Π, so requirement (3) is without loss of generality.
We need to allow a negligible statistical distance for technical reasons; cf. Proposition A.3. (This relaxation is reminiscent of the notion of smooth entropy [52] by Renner and Wolf.) Since we will be interested in indistinguishability of functions of these distributions, this will not make any appreciable difference, and hence we mostly ignore this issue in the remainder of the paper.
Indeed, IND is much easier to work with than PRIV, so it is preferable to use in security proofs. As explained below, if one wants to establish a definitional equivalence some additional technical restrictions are required.
“Support preserving” here means the following. The definition of Metric^{∗} entropy of X calls for, for every distinguisher \(D\in \mathcal {D}^{\mathrm {det},[0,1]} _{s}\), a distribution Z_{D} with true entropy that is indistinguishable from X. Let ζ_{X} be the union of the supports of all Z_{D}. Similarly, define ζ_{X∣Y=y} to be the union of the supports of the Z_{D} that cannot be distinguished by \(D\in \mathcal {D}^{\mathrm {det},[0,1]} _{s'}\) from X∣Y=y. Support-preserving means ζ_{X∣Y=y}⊆ζ_{X}.
The difference between the size of the two distinguishers is a comparison circuit that converts the Metric^{∗} distinguisher, which has a range of outputs, to a binary distinguisher. This involves comparison with a number in [0,1] whose size is at most the number of output wires of the Metric^{∗} distinguisher.
“Support preserving” for HILL entropy is similar to the same notion for Metric^{∗} entropy explained in Lemma 3.2. It simply means that the distribution Z_{X∣Y=y}, which is indistinguishable from X∣Y=y according to the definition of HILL entropy, has no greater support than the distribution Z_{X}, which is indistinguishable from X.
For very long messages, on the uniform distribution we can actually apply any TDF blockwise to collect a large hardcore function from individual GL bits, but this does not extend to lower entropy messages.
Note that as compared to [6] our approach avoids having to analyze the minentropy of D, which is more involved.
“Support preserving” here means the following. The definition of Metric^{∗} entropy of X calls for, for every distinguisher \(D\in \mathcal {D}^{\mathrm {det},[0,1]} _{s}\), a distribution Z_{D} with true entropy that is indistinguishable from X. The definition of HILL entropy of X calls for a single distribution Z that is indistinguishable from X. Support-preserving means that the support of Z is no greater than the union of the supports of the Z_{D}.
References
M. Abadi, D. Boneh, I. Mironov, A. Raghunathan, G. Segev, Message-locked encryption for lock-dependent messages, in CRYPTO (2013)
W. Alexi, B. Chor, O. Goldreich, C.P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole. SIAM J. Comput. 17(2) (1988)
B. Barak, R. Shaltiel, A. Wigderson, Computational analogues of entropy, in 11th International Conference on Random Structures and Algorithms (2003), pp. 200–215
M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in CRYPTO (2007), pp. 535–552
M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, S. Yilek, Hedged public-key encryption: how to protect against bad randomness, in ASIACRYPT (2009), pp. 232–249
M. Bellare, M. Fischlin, A. O’Neill, T. Ristenpart, Deterministic encryption: definitional equivalences and constructions without random oracles, in CRYPTO (2008), pp. 360–378
M. Bellare, V. Tung Hoang, S. Keelveedhi, Instantiating random oracles via UCEs, in Advances in Cryptology–CRYPTO 2013 (Springer, Berlin, 2013), pp. 398–415
M. Bellare, S. Keelveedhi, T. Ristenpart, DupLESS: server-aided encryption for deduplicated storage, in USENIX Security (2013)
M. Bellare, S. Keelveedhi, T. Ristenpart, Message-locked encryption and secure deduplication, in EUROCRYPT (2013), pp. 296–312
M. Blum, S. Micali, How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput. 13(4), 850–864 (1984)
A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in CRYPTO (2008), pp. 335–359
Z. Brakerski, G. Segev, Better security for deterministic public-key encryption: the auxiliary-input setting, in CRYPTO (2011), pp. 543–560
D. Catalano, R. Gennaro, N. HowgraveGraham, Paillier’s trapdoor function hides up to O(n) bits. J. Cryptol. 15(4), 251–269 (2002)
B. Chor, O. Goldreich, Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2) (1988)
K.M. Chung, Y. Tauman Kalai, F.H. Liu, R. Raz, Memory delegation, in CRYPTO (2011), pp. 151–168
R. Cramer, G. Hanaoka, D. Hofheinz, H. Imai, E. Kiltz, R. Pass, A. Shelat, V. Vaikuntanathan, Bounded CCA2-secure encryption, in ASIACRYPT (2007), pp. 502–518
A.W. Dent, M. Fischlin, M. Manulis, M. Stam, D. Schröder, Confidential signatures and deterministic signcryption, in Public Key Cryptography (2010), pp. 462–479
S.P. Desrosiers, Entropic security in quantum cryptography. Quantum Inf. Process. 8(4), 331–345 (2009)
Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, T. Rabin, Randomness extraction and key derivation using the CBC, cascade and HMAC modes, in CRYPTO (2004), pp. 494–510
Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Y. Dodis, A. Smith, Correcting errors without leaking partial information, in STOC (2005), pp. 654–663
Y. Dodis, A. Smith, Entropic security and the encryption of high entropy messages, in TCC (2005), pp. 556–577
Y. Dodis, D. Wichs, Non-malleable extractors and symmetric key cryptography from weak secrets, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (ACM, New York, 2009), pp. 601–610
Y. Dodis, Y. Yu, Overcoming weak expectations, in Theory of Cryptography (Springer, Berlin, 2013), pp. 1–22
S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in FOCS (2008), pp. 293–302
S. Faust, E. Kiltz, K. Pietrzak, G.N. Rothblum, Leakage-resilient signatures, in TCC (2010), pp. 343–360
D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions, in Public Key Cryptography (2010), pp. 279–295
B. Fuller, A. O’Neill, L. Reyzin, A unified approach to deterministic encryption: new constructions and a connection to computational entropy, in TCC, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 7194 (Springer, Berlin, 2012), pp. 582–599
B. Fuller, L. Reyzin, Computational entropy and information leakage. Technical report, IACR Cryptology ePrint Archive (2012). http://eprint.iacr.org/2012/466.pdf
C. Gentry, D. Wichs, Separating succinct non-interactive arguments from all falsifiable assumptions, in STOC (ACM, New York, 2011), pp. 99–108
O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions, in STOC (1989), pp. 25–32
S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
V. Goyal, A. O’Neill, V. Rao, Correlated-input secure hash functions, in TCC (2011)
J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
B. Hemenway, S. Lu, R. Ostrovsky, Correlated product security from any one-way function, in Public Key Cryptography (2012), pp. 558–575
C.Y. Hsiao, C.J. Lu, L. Reyzin, Conditional computational entropy, or toward separating pseudoentropy from compressibility, in EUROCRYPT (2007), pp. 169–186
D. Jetchev, K. Pietrzak, How to fake auxiliary input (2013). Unpublished manuscript
E. Kaplan, M. Naor, O. Reingold, Derandomized constructions of k-wise (almost) independent permutations. Algorithmica 55(1), 113–133 (2009)
E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack. IACR Cryptology ePrint Archive, 2011:559 (2011)
E. Kiltz, K. Pietrzak, M. Stam, M. Yung, A new randomness extraction paradigm for hybrid encryption, in EUROCRYPT (2009), pp. 590–609
H. Krawczyk, Cryptographic extraction and key derivation: the HKDF scheme, in CRYPTO (2010), pp. 631–648
S. Krenn, K. Pietrzak, A. Wadia, A counterexample to the chain rule for conditional HILL entropy, in Theory of Cryptography (Springer, Berlin, 2013), pp. 23–39
S. Micali, L. Reyzin, Physically observable cryptography (extended abstract), in TCC (2004), pp. 278–296
I. Mironov, O. Pandey, O. Reingold, G. Segev, Incremental deterministic public-key encryption, in Advances in Cryptology–EUROCRYPT 2012 (Springer, Berlin, 2012), pp. 628–644
H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15, 367–391 (1986)
N. Nisan, D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci., 43–52 (1993)
P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT (1999), pp. 223–238
C. Peikert, B. Waters, Lossy trapdoor functions and their applications, in STOC (2008), pp. 187–196
C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)
A. Raghunathan, G. Segev, S. Vadhan, Deterministic public-key encryption for adaptively chosen plaintext distributions, in Advances in Cryptology–EUROCRYPT 2013 (Springer, Berlin, 2013), pp. 93–110
O. Reingold, L. Trevisan, M. Tulsiani, S. Vadhan, Dense subsets of pseudorandom sets, in 2008 49th Annual IEEE Symposium on Foundations of Computer Science (IEEE, New York, 2008), pp. 76–85
R. Renner, S. Wolf, Smooth Rényi entropy and applications, in IEEE International Symposium on Information Theory—ISIT 2004 (IEEE, New York, 2004), p. 233
L. Reyzin, Some notions of entropy for cryptography—(invited talk), in ICITS, ed. by S. Fehr. Lecture Notes in Computer Science, vol. 6673 (Springer, Berlin, 2011), pp. 138–142
R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and publickey cryptosystems. Commun. ACM 21(2), 120–126 (1978)
A. Rosen, G. Segev, Chosen-ciphertext security via correlated products. SIAM J. Comput. 39(7), 3058–3088 (2010)
A. Russell, H. Wang, How to fool an unbounded adversary with a short key. IEEE Trans. Inf. Theory 52(3), 1130–1140 (2006)
M. Skorski, Modulus computational entropy, in The 7th International Conference on Information Theoretic Security, ICITS, ed. by C. Padro (2013)
A. Srinivasan, D. Zuckerman, Computing with very weak random sources, in FOCS (1994), pp. 264–275
R. Steinfeld, J. Pieprzyk, H. Wang, On the provable security of an efficient RSAbased pseudorandom generator, in ASIACRYPT (2006), pp. 194–209
S. Vadhan, C.J. Zheng, A uniform min-max theorem with applications in cryptography, in Advances in Cryptology–CRYPTO 2013 (Springer, Berlin, 2013), pp. 93–110
S.P. Vadhan, Pseudorandomness. Foundations and Trends in Theoretical Computer Science (Now Publishers, Hanover, 2012). To appear; available at: http://people.seas.harvard.edu/~salil/pseudorandomness/
J. Von Neumann, Zur theorie der gesellschaftsspiele. Math. Ann. 100(1), 295–320 (1928)
H. Wee, Dual projective hashing and its applications—lossy trapdoor functions and more, in Eurocrypt (2012)
D. Wichs, Barriers in cryptography with weak, correlated and leaky sources, in Proceedings of the 4th Conference on Innovations in Theoretical Computer Science (ACM, New York, 2013), pp. 111–126
A.C.C. Yao, Theory and applications of trapdoor functions (extended abstract), in FOCS (1982), pp. 80–91
D. Zuckerman, Simulating BPP using a general weak random source. Algorithmica 16(4/5), 367–391 (1996)
Acknowledgements
The authors thank the anonymous reviewers for their many helpful comments and insights. The authors are grateful to Mihir Bellare, Alexandra Boldyreva, Kai-Min Chung, Sebastian Faust, Marc Fischlin, Serge Fehr, Péter Gács, Bhavana Kanukurthi, Fenghao Liu, Payman Mohassel, Krzysztof Pietrzak, Gil Segev, Adam Smith, Ramarathnam Venkatesan, Hoeteck Wee, and Daniel Wichs for helpful discussions, improvements to our analysis, and useful references. The work was supported, in part, by National Science Foundation awards 0546614, 0831281, 1012910, and 1012798. The work of A.O. was additionally supported by NSF CNS-0915361, CNS-0952692, NSF CAREER award 0545659, and NSF Cyber Trust award 0831184. The work of B.F. was additionally sponsored by the United States Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
Communicated by Phillip Rogaway
A short version of this work appeared at the Ninth IACR Theory of Cryptography Conference, March 2012.
Work of A.O’N. was done in part while the author was at Boston University, Georgia Institute of Technology, and University of Texas at Austin.
Appendices
Appendix A. Proof of Theorem 3.1
Following [6], the high-level intuition for the proof is as follows. For the given distribution M on message vectors, we first show that it suffices to consider PRIV adversaries for which A _{2} outputs (x,t) where t is boolean. Now, we would like to use the fact that if t is easy to guess from the encryption of x, then the distributions of the encryption of x conditioned on (1) the output (x,t) of A _{2} being such that t=1, and (2) the output (x,t) of A _{2} being such that t=0, are easy to distinguish; indeed, these are induced distributions of M (viewing the binary t as the random variable indicating the event E). However, one of these distributions may be hard to sample from and have low entropy. Therefore, we show that it additionally suffices to consider PRIV adversaries on M for which t is not just boolean but also balanced, meaning the probability that it is 0 or 1 is about the same. Then, we can easily sample from the above-mentioned distributions by repeatedly running A. In this section, we assume PRIV adversaries have an empty A _{0} and accept 1^{k} as input (the “best” state is hardwired), though we describe the A _{0}’s of some adversaries for clarity.
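The entropy cost of conditioning on the event E is small when E is not too unlikely: conditioning on an event of probability p loses at most log(1/p) bits of min-entropy, i.e., at most 2 bits when p ≥ 1/4. A small exhaustive check of this fact (the toy distribution and event below are chosen only for illustration, not taken from the paper):

```python
from fractions import Fraction
from math import log2

def min_entropy(dist):
    """H_inf(X) = -log2 of the probability of the most likely outcome."""
    return -log2(max(dist.values()))

def condition(dist, event):
    """Distribution of X conditioned on the event (a set of outcomes)."""
    p_e = sum(p for x, p in dist.items() if x in event)
    return {x: p / p_e for x, p in dist.items() if x in event}, p_e

# A toy message distribution M, uniform over 3-bit messages.
M = {x: Fraction(1, 8) for x in range(8)}

# An event E of probability exactly 1/4 (say, "t = 1" on two of the messages).
E = {0, 5}
M_E, p = condition(M, E)

# Conditioning on E costs at most log2(1/Pr[E]) bits of min-entropy.
assert float(p) == 0.25
assert min_entropy(M_E) >= min_entropy(M) - log2(1 / float(p))
```

Here the loss is exactly log2(1/p) = 2 bits (from 3 bits to 1), matching the worst case.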
Reduction to the Boolean Case
Call a PRIV adversary A boolean if it outputs test strings of length 1. We first show that it suffices to consider boolean PRIV adversaries (this was previously shown in both [6] and [11]).
Proposition A.1
Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be an encryption scheme and \(A \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) be a PRIV adversary that outputs test strings of length ℓ. Then there is a boolean PRIV adversary \(B \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) such that
Furthermore, the running-time of B is the time to run A plus O(ℓ).
Proof
The proof is identical to an argument in [18] for the information-theoretic setting. Adversary B works as follows:
For d∈{0,1}, let \(\mathsf{E}^{A}_{d}\) denote the event \(\mathbf {Exp}^{\mathrm{priv\mbox{-}d}}_{\varPi,A}(k) = 1\) and similarly let \(\mathsf{E}^{B}_{d}\) denote \(\mathbf{Exp}^{\mathrm{priv\mbox{-}d}}_{\varPi ,B}(k) = 1\). Then
where in the second step we use that if t≠g then 〈t,r〉=〈g,r〉 with probability 1/2 over the choice of r. The claimed running-time of B is easy to verify. □
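The second step rests on the standard fact that two distinct strings agree with a random string under the GF(2) inner product exactly half the time. A small exhaustive check (the length ℓ=4 and the string t are chosen only for illustration):

```python
from itertools import product

def ip(a, b):
    """Inner product over GF(2)."""
    return sum(x & y for x, y in zip(a, b)) % 2

ell = 4
vectors = list(product([0, 1], repeat=ell))   # all of {0,1}^ell
t = (1, 0, 1, 1)

for g in vectors:
    if g == t:
        continue
    matches = sum(ip(t, r) == ip(g, r) for r in vectors)
    # For t != g, <t,r> = <g,r> for exactly half of all r in {0,1}^ell,
    # since <t,r> = <g,r> iff r lies in the kernel of the nonzero form t XOR g.
    assert matches == len(vectors) // 2
```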
Reduction to the Balanced Boolean Case
As in [6], the next step is to show that it in fact suffices to consider boolean PRIV adversaries that are balanced, meaning the probability that the partial information is 1 or 0 is approximately 1/2. Namely, call a boolean PRIV adversary A=(A _{0},A _{1},A _{2}) δ-balanced [6] if for all b∈{0,1}
for all state output by A _{0} on input 1^{k}.
Proposition A.2
Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be an encryption scheme and \(B \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) be a boolean PRIV adversary. Then for any 0≤δ<1/2 there is a δ-balanced boolean PRIV adversary \(C\in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) such that
Furthermore, the running-time of C is the time to run B plus O(1/δ).
Proof
As compared to [6], we give a simplified proof due to [17] (which also leads to better concrete security), where for simplicity we assume that 1/δ is an integer. Adversary C works as follows:
Note that C is δ-balanced, since for all b∈{0,1}
As before, for d∈{0,1}, let B _{ d } denote the event \(\mathbf {Exp}^{\mathrm{priv\mbox{-}d}}_{\varPi,B}(k) = 1\) and similarly C _{ d } denote \(\mathbf{Exp}^{\mathrm{priv\mbox{-}d}}_{\varPi,C}(k) = 1\). We define E to be the event that i=j=2/δ+1. Then
As before, the claimed running-time of C is easy to verify. □
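As a back-of-the-envelope illustration of the balancing idea only (a hypothetical mixing transform, not the construction of C used in the proof above), one can compute exactly how replacing a biased bit by a fresh fair coin with some probability trades bias against advantage:

```python
from fractions import Fraction

# Pr[t = 1] for a biased boolean output, and a mixing weight q: with
# probability q, replace t by a fresh fair coin. (Hypothetical transform,
# chosen only to illustrate the bias/advantage trade-off.)
p = Fraction(9, 10)      # heavily unbalanced: bias 2/5 away from 1/2
q = Fraction(3, 4)

p_mixed = p * (1 - q) + Fraction(1, 2) * q

# The bias |Pr[t=1] - 1/2| shrinks by exactly the factor (1 - q) ...
assert abs(p_mixed - Fraction(1, 2)) == (1 - q) * abs(p - Fraction(1, 2))
# ... and any distinguishing advantage carried by t shrinks by the same
# factor, since the fresh coin is independent of everything else.
```

The construction in the proof is more careful (it preserves a quantitative relation between the advantages of B and C), but the exact computation above shows why balancing and advantage loss are in tension.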
Reduction to Distribution Hiding
Similarly to [6], the final component of the proof is as follows.
Proposition A.3
Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be an encryption scheme and \(C \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) be a δ-balanced boolean PRIV adversary. Then there is an IND adversary \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}^{*}[\log(1/(1/2 - \delta))]}\) such that
In particular, D samples from message distributions that are statistically 2^{−Ω(k)}-close to complementary log(1/(1/2−δ))-induced message distributions of C. Furthermore, the running-time of D is the time for at most k executions of C.
Proof
Adversary D works as follows:
For the analysis, let BAD denote the event that the final return statement is executed. Let CORRECT _{ D } be the event that b=d when D is executed in the PRIV experiment with Π and similarly let CORRECT _{ B } denote the event that t=g when B is executed in the PRIV experiment with Π. Then
where the second-to-last line uses that B is δ-balanced. The claimed running-time of D is easy to verify. It remains to argue that \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}^{*}[\log(1/(1/2 - \delta))]}\). Let M _{ D,i } be the message distribution sampled by D _{1} on input b=i for i∈{0,1}, and similarly let M _{ C,i } be the message distribution sampled by C _{1} when t=i in its output for i∈{0,1}. Observe that M _{ C,0} and M _{ C,1} are complementary log(1/(1/2−δ))-induced distributions of the message distribution of C, with corresponding events t=0 and t=1, respectively. Furthermore, we have \({\boldsymbol {M}}_{D,i}\mid\overline{{\mathsf{BAD}}} = {\boldsymbol {M}}_{C,i}\) for i∈{0,1}. Since Pr[BAD]≤(1/2+δ)^{k}, it follows that \({\boldsymbol {M}}_{D,i}\) is statistically 2^{−Ω(k)}-close to M _{ C,i } for i∈{0,1}, which concludes the proof.^{Footnote 19} □
Theorem 3.1 follows by combining Propositions A.1, A.2, and A.3 with δ=1/4. □
Appendix B. Comparison to Other Computational Entropy Leakage Lemmas
Previous works have considered the question of measuring conditional computational entropy in a wide array of applications and settings. Dziembowski and Pietrzak [25] show that the output of a pseudorandom generator still has entropy conditioned on functions of the seed:
Lemma B.1
[25, Lemma 3]
Let prg:{0,1}^{n}→{0,1}^{ν} and f:{0,1}^{n}→{0,1}^{λ} (where 1≤λ<n<ν) be any functions. If prg is an (ϵ _{ prg },s)-secure pseudorandom generator, then for any ϵ _{1},ϵ _{2},Δ>0 satisfying ϵ _{ prg }≤ϵ _{1} ϵ _{2}/2^{λ}−2^{−Δ}, we have with X∼U _{ n },
where s′≈s.
Our results improve the parameters and simplify the exposition. Our result considers any random variables X,Y (not just pseudorandom X) and gives simpler statements, such as Theorem 3.8. To make the quantitative comparison, we present the following alternative formulation of our result, in the style of [25, Lemma 3]:
Lemma B.2
Let X,Y be discrete random variables with |Y|≤2^{λ} and \(H^{{\mathtt{Metric}^{*}}}_{\epsilon_{\mathrm{ent}}, s} (X)\geq\nu\). Then for any ϵ _{1},ϵ _{2},Δ>0 satisfying ϵ _{ent}≤ϵ _{1} ϵ _{2}/2^{λ} and 2^{−Δ}≤ϵ _{2}/2^{λ},
where s′≈s.
To compare the bounds, observe that we have removed ϵ _{1} from the bound on 2^{−Δ}, because the constraint ϵ _{ prg }≤ϵ _{1} ϵ _{2}/2^{λ}−2^{−Δ} implies both that ϵ _{ prg }≤ϵ _{1} ϵ _{2}/2^{λ} and that ϵ _{1} ϵ _{2}/2^{λ}≥2^{−Δ}.
The question has also been considered by [51] in the language of the dense model theorem. Their main result, restated in our language, is:
Lemma B.3
[51, Theorem 1.3]
Let X,Y be discrete random variables. Then
where ϵ′=Ω(ϵ/P _{ Y }(y)), and s′=s/poly(P _{ Y }(y)/ϵ,log1/P _{ Y }(y)).
Note that the quantity loss is the same as in Lemma 3.2; however, the losses in circuit size and distinguishing advantage are different, because Lemma 3.2 separates the conditioning step from the conversion back to HILL entropy. This separation allows us to set the conversion parameters separately (which is needed when ϵ is smaller than 1/s). It also allows paying for the conversion step only once in the case of repeated leakage, enabling the proof of a limited chain rule for repeated conditioning (see [29, Theorem 3.6]).
Recent work concurrent with ours [15, 30] has shown results on information leakage when the starting distribution is already conditional. This is significantly harder, as the auxiliary information may shape the original distribution or its condition. Both works achieve this “chain rule” but must introduce significant restrictions. Since both works use average-case formulations, we first present an average-case formulation of Corollary 3.9:
Corollary B.4
Let X,Y be discrete random variables over χ _{1},χ _{2}, respectively. Then
where \(\epsilon' = \epsilon|Y| + \sqrt[3]{\frac{\log|\chi_{1}|}{s}},\ s' = \varOmega( \sqrt[3]{\frac{s}{\log|\chi_{1}|}})\).
This corollary follows from Theorem 3.8 and Theorem 2.9, setting \(\epsilon _{{\mathtt{HILL}} }=\sqrt[3]{\frac{\log|\chi_{1}|}{s}}\).
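To get a feel for the parameters in Corollary B.4, the following sketch plugs in sample values (all numbers are hypothetical, chosen only for illustration):

```python
# Corollary B.4 parameters: eps' = eps*|Y| + (log|chi_1|/s)^(1/3),
# s' = Theta((s/log|chi_1|)^(1/3)). Sample (hypothetical) values:
eps = 2.0 ** -40           # starting indistinguishability
abs_Y = 2.0 ** 10          # lambda = 10 bits of leakage, so |Y| = 2^10
log_chi1 = 256.0           # messages drawn from {0,1}^256
s = 2.0 ** 60              # starting circuit size

eps_prime = eps * abs_Y + (log_chi1 / s) ** (1 / 3)
s_prime = (s / log_chi1) ** (1 / 3)

# The additive conversion term (log|chi_1|/s)^(1/3) = 2^(-52/3) dominates
# the leakage term eps*|Y| = 2^-30 here:
assert eps * abs_Y == 2.0 ** -30
assert eps_prime < 2.0 ** -17
assert s_prime > 2.0 ** 17
```

The computation shows the qualitative message of the corollary: the multiplicative 2^λ loss in advantage is mild for short leakage, while the cube-root conversion loss governs both the final advantage and the final circuit size.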
Gentry and Wichs consider indistinguishability with auxiliary information in their work on succinct argument systems [30, Lemma 3.1]. Their result, restated in our language, is as follows:
Lemma B.5
[30, Lemma 3.1]
Let X,Y,Z be discrete random variables with H_{∞}(Z)≥k and Y ranging over {0,1}^{λ}. If \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\), δ ^{D}(X,Z)≤ϵ, then ∃Y′ such that \(\forall \tilde{D} \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s'}\), \(\delta^{\tilde{D}}((X, Y), (Z, Y'))\leq\epsilon'\), where ϵ′=2ϵ and s′=s⋅poly(ϵ/|Y|).
This lemma is related to entropy as follows: X has HILL entropy k, and since (X,Y) is indistinguishable from (Z,Y′), the computational entropy of X∣Y is at least \(\tilde {\mathrm{H}}_{\infty}(Z\mid Y')\), which is at least k−λ by Lemma 2.1. Note, however, that this lemma requires a different definition of entropy from ours, in which the condition itself may also be replaced. The implications of this change, and whether it is better or worse than conditional HILL entropy, are unclear. The advantage of this lemma is that it handles the case when X is already a conditional distribution (we can only handle this when the conditional distribution decomposes “nicely” into distributions for each value of the condition [29, Theorem 3.6]). The disadvantage, however, is that the lemma inherently talks about the average-case Y and not a single event y. For our application in the current paper, we need to condition on a particular event y and not on the distribution of events.
Chung et al., in their work on memory delegation, need indistinguishability in the presence of a short string of auxiliary information. They formulate the problem in the asymptotic setting:
Lemma B.6
[15, Lemma 16]
Let k be a security parameter and n,l,t be any parameters such that n≤poly(k), l=O(logk), and t=ω(logk). Let (X,C) be a joint distribution over {0,1}^{∗}×{0,1}^{∗} of poly(k) length. If H ^{HILL}(X∣C)≥n w.r.t. samplable distributions, then for any distribution B=B(X,C) over {0,1}^{l}, we have
It is important to note that in this lemma, the “conditional HILL entropy” is different from our notion: it means indistinguishability against distributions of worst-case conditional min-entropy, whereas here we define conditional HILL entropy as indistinguishability against distributions of average min-entropy (see the precise definitions in Sect. 2). In addition, this lemma imposes a samplability condition that we do not.
Appendix C. Support Preserving Extension to Theorem 2.5
Theorem C.1
Let X be a discrete distribution over a finite set χ. For every ϵ, ϵ _{ HILL }>0, ϵ′≥ϵ+ϵ _{ HILL }, k, and s, if \(H^{{\mathtt {Metric}^{*}}}_{\epsilon, s}(X)\geq k\) then \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt {HILL}}}}(X)\geq k\), where \(s_{{\mathtt{HILL}}}=\varOmega(\epsilon_{{\mathtt{HILL}}}^{2} s /\log |\chi|)\). The reduction is support preserving.^{Footnote 20}
Proof
This proof closely follows the proof of [3, Theorem 5.2]. For a set X (such as a set of distinguishers or of distributions with a certain property), we will use \(\hat{X}\) to represent the set of distributions over that set. A game is simply a function from finite sets A,B to an outcome space R, that is, g:A×B→R. We similarly define \(\hat{g} : \hat{A}\times\hat{B}\rightarrow R\) as a function taking distributions \(a\leftarrow\hat{A}, b\leftarrow\hat{B}\) to the outcome space R.
We let ζ be the support of a random variable Z that is indistinguishable from X. The proof proceeds similarly to the case where ζ=χ [3, Theorem 5.2]. We will assume that \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt {HILL}}}}(X)< k\) and seek to show that \(H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)< k\). So assume that \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt{HILL}}}}(X)<k\); that is, ∀Z″⊂ζ with H_{∞}(Z″)≥k there exists \(D\in \mathcal {D}^{\mathrm {det},\{0,1\}} _{s_{{\mathtt{HILL}}}}\) such that δ ^{D}(X,Z″)≥ϵ′. Recall that the definition of H ^{HILL} is for randomized {0,1} distinguishers; however, as noted after Definition 2.3, drawing from deterministic {0,1} distinguishers is essentially equivalent (by selecting the “best” randomness). We begin by showing a change of quantifiers similar to [3, Lemma 5.3]:
Claim C.2
Let X be a distribution over χ. Let \(\mathcal{C}\) be a class that is closed under complement. If for every Z″⊂ζ with H_{∞}(Z″)≥k there exists a \(D\in\mathcal{C}\) such that δ ^{D}(X,Z″)≥ϵ′, then there is a distribution \(\hat{D}\) over \(\mathcal{C}\) such that for every Z′⊂ζ with H_{∞}(Z′)≥k
Proof
We use the minimax theorem of [62]:
Theorem C.3
([62])
For every game g there is a value v such that
We will use the minimax theorem to change the order of quantifiers. We define our game as follows: let \(A \overset{\mathrm{def}}{=} \mathcal{C}\), let \(B\overset{\mathrm{def}}{=}\{Z'' : \mathrm{H}_{\infty}(Z'')\geq k, Z''\subseteq \zeta\}\), and let \(g(D,Z)\overset{\mathrm{def}}{=} D(X)-D(Z)\). The convex combination of distributions with min-entropy k has min-entropy at least k (this is easily seen by considering the maximum probability event); thus \(\forall\hat{b}\in\hat{B}, \mathrm {H}_{\infty}(\hat{b})\geq k\). Thus, both B and \(\hat{B}\) are the sets of all distributions with min-entropy at least k. Then by assumption, \(\forall Z''\in\hat{B}, \exists D\in A\) such that |D(X)−D(Z″)|≥ϵ′. Because \(\mathcal{C}\) is closed under complement, there must also ∃D∈A such that D(X)−D(Z″)≥ϵ′. Now we know that \(\min_{\hat{b}\in\hat{B}}\max_{a\in A} \hat {g}(a,\hat{b})=\min_{Z''\in B}\max_{D\in\mathcal {C}}(D(X)-D(Z''))\geq\epsilon'\). Then by Theorem C.3: \(\max_{\hat{a}\in\hat {A}}\min_{b\in B} \hat{g}(\hat{a},b)\geq\epsilon'\). That is, there is a distribution \(\hat{D}\) over the class of distinguishers \(\mathcal{C}\) such that for every Z″∈B, \(\mathop {\mathbb{E}} _{D\leftarrow\hat{D}} [D(X)-D(Z'')]\geq\epsilon'\). This completes the proof of the claim. □
Our remaining task is to approximate the distribution of distinguishers \(\hat{D}\) by several distinguishers in its support such that the resulting distinguisher still has advantage at least ϵ. Define n=log|χ| and choose \(t=8n/\epsilon_{{\mathtt{HILL}}}^{2}\) samples D _{1},…,D _{ t } from \(\hat{D}\) and define
Then by Chernoff’s inequality
Claim C.4
There exists D _{1},…,D _{ t } such that
Proof
Suppose not, that is
For particular D _{1},…,D _{ t }, we denote x′ by \(x'_{D_{1},\ldots,D_{t}}\). This implies that
However, this implies that ∃x∈χ such that
(since there are 2^{n} possible x). This is a contradiction of Equation (C.1). □
Fix one such D _{1},…,D _{ t }. Because the bound holds for every x, it also holds for all distributions, and thus for the distribution X, \({\vert { D'_{D_{1},\ldots,D_{t}}(X)-\mathop{\mathbb{E}}_{D\leftarrow \hat {D}}D(X)} \vert }\leq \epsilon_{{\mathtt{HILL}}}/2\), and for every distribution Z′⊂ζ, \({ \vert { D'_{D_{1},\ldots,D_{t}}(Z')-\mathop{\mathbb {E}}_{D\leftarrow \hat{D}}D(Z')} \vert } \leq\epsilon_{{\mathtt{HILL}}}/2\). Therefore, subtracting these inequalities from the inequality of Claim C.2, and recalling that \(|a| \geq |a+b+c| - |b| - |c|\), we get
Lastly, \(D'_{D_{1},\ldots,D_{t}}\) is of size
This completes the proof. □
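The sampling step above can be checked numerically: with t = 8n/ε² samples, a Hoeffding-style tail bound combined with a union bound over all 2^n inputs leaves failure probability below 1, so a good tuple D_1,…,D_t exists. The exact tail-bound constant below is an assumption of this sketch (it is conservative relative to standard Hoeffding forms), and the parameter values are chosen only for illustration:

```python
from math import ceil, exp

n = 8                       # n = log|chi|
eps = 0.25                  # eps_HILL

t = ceil(8 * n / eps ** 2)  # number of sampled distinguishers

# Pr[some x deviates by more than eps/2] <= 2^(n+1) * exp(-t * eps^2 / 8),
# by a per-x Chernoff/Hoeffding bound and a union bound over 2^n inputs.
failure = 2.0 ** (n + 1) * exp(-t * eps ** 2 / 8)

assert t == 1024
assert failure < 1          # so a good choice of D_1, ..., D_t exists
```

With these numbers the bound evaluates to 512·e⁻⁸ ≈ 0.17, comfortably below 1; the probabilistic argument is nonconstructive but only needs existence.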
Appendix D. Proof of Lemma 3.10
For random variables X and Y, we define D(X,Y)=∑_{ x }(P _{ X }(x)−P _{ Y }(x))^{2}. Then, writing \(\mathop{\mathbb{E}}_{k}\) for the expectation over the choice of k according to the distribution of K, it follows that
where the first inequality is by Cauchy–Schwarz and the second inequality is due to Jensen’s inequality. We will show that
which completes the proof (after rearranging and plugging in δ=t ^{2}/D). Write \({\mathbf{Y}}= \mathcal{H}(k,{\mathbf{X}})\) for an arbitrary but fixed k. Then
For a set Z⊆R ^{t} (here exponentiation denotes Cartesian product), define δ _{ r,Z } to be 1 if r∈Z and 0 otherwise. For s∈S ^{t} we can write \(P_{f({\mathbf{Y}})}({\mathbf{s}}) = \sum_{{\mathbf{x}}} P_{{\mathbf{X}}}({\mathbf{x}}) \delta_{\mathcal{H}(k,{\mathbf {x}}),f^{-1}({\mathbf{s}})}\) and thus
so that
where the first term is by a union bound over all 1≤i,j≤t, and for the remaining terms we use the 2t-wise δ-dependence of \(\mathcal{H}\) and note that
Similarly,
so that
using δ-almost t-wise independence of \(\mathcal{H}\). By combining the above, it follows that
which was to be shown. □
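The Cauchy–Schwarz step at the start of the proof, relating statistical distance to the squared-difference quantity D(X,Y), can be sanity-checked on a toy pair of distributions (chosen only for illustration):

```python
from math import sqrt

def stat_dist(P, Q, support):
    """Statistical distance (1/2) * sum_x |P(x) - Q(x)|."""
    return sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in support) / 2

def sq_dist(P, Q, support):
    """D(X,Y) = sum_x (P_X(x) - P_Y(x))^2, as defined in Appendix D."""
    return sum((P.get(x, 0.0) - Q.get(x, 0.0)) ** 2 for x in support)

support = list(range(4))
P = {0: 0.5, 1: 0.25, 2: 0.125, 3: 0.125}
Q = {0: 0.25, 1: 0.25, 2: 0.25, 3: 0.25}

# Cauchy-Schwarz step from the proof: SD(X,Y) <= (1/2) * sqrt(|supp| * D(X,Y)).
assert stat_dist(P, Q, support) <= 0.5 * sqrt(len(support) * sq_dist(P, Q, support))
```

Here SD = 0.25 while the bound evaluates to about 0.306, so the inequality holds with room to spare, as expected for distributions far from the equality case of Cauchy–Schwarz.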
Fuller, B., O’Neill, A. & Reyzin, L. A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy. J Cryptol 28, 671–717 (2015). https://doi.org/10.1007/s0014501391745