1 Introduction

Public-key cryptosystems require randomness: indeed, if the encryption operation is deterministic, the adversary can simply use the public key to verify that the ciphertext c corresponds to its guess of the plaintext m by encrypting m. However, such an attack requires the adversary to have a reasonably likely guess for m in the first place. Recent results on deterministic public-key encryption (DE) (building on previous work in the one-time, information-theoretic symmetric-key setting [18, 22, 56], and described in more detail below) have studied how to achieve security when the randomness comes only from m itself [4, 6, 11, 12, 35, 44, 50, 63]. DE has a number of practical applications, such as efficient search on encrypted data and securing legacy protocols (cf. [4]). It is also interesting from a foundational standpoint; indeed, its study has proven useful in other contexts: Bellare et al. [5] show how it extends to a notion of “hedged” public-key encryption that reduces dependence on external randomness for probabilistic encryption more generally, Dent et al. [17] adapt its notion of privacy to a notion of confidentiality for digital signatures, and (subsequent to our work) Bellare, Keelveedhi, and Ristenpart [8, 9] and Abadi et al. [1] show how it extends to a notion of “message-locked” encryption that permits deduplication on encrypted storage systems.

However, our current understanding of DE is somewhat lacking. In particular, the constructions of [4, 6, 11, 35], as well as their analysis techniques, are rather disparate. The works of [4, 6] construct DE schemes by “faking” the coins used to encrypt the message in a probabilistic encryption scheme as some deterministic function of the message; for example, [6] uses Goldreich–Levin hardcore bits [31] of an iterated trapdoor permutation applied to the message. On the other hand, [11] (and subsequent works such as [12]) encrypt via special trapdoor functions (called “lossy” [48, 49]). Additionally, while constructions in the random oracle model [4] achieve security for multiple messages, current constructions in the standard model (without random oracles) achieve only “single message” security. (As shown in [4], single-message and multi-message security are inequivalent for DE.) It is unclear to what extent this limitation is inherent to such schemes.

In this work, our main goal is to provide a unified framework for the construction of DE and to help resolve these issues.

1.1 Our Results

A Scheme Based on Trapdoor Functions

We propose (in Sect. 4) a general Encrypt-with-Hardcore (EwHCore) construction of DE from trapdoor functions (TDFs), which generalizes the basic idea behind the schemes of [4, 6] and leads to a unified framework for the construction of DE. Let f be a TDF with a hardcore function hc, and let \(\mathcal{E}\) be any probabilistic public-key encryption algorithm. Our construction EwHCore encrypts an input message x as follows: it computes y=f(x) and then encrypts y using \(\mathcal {E}\) with hc(x) as the coins; that is, the encryption of x is \(\mathcal{E}(f(x);\mathsf{hc}(x))\).

Intuitively, this scheme requires that (1) the output of hc be sufficiently long to provide enough random coins for \(\mathcal{E}\), and (2) that it not reveal any partial information about x (because \(\mathcal{E}\) does not necessarily protect the privacy of its random coins). Requirement 1 can be satisfied, for example, if inverting f is sub-exponentially hard, if the output of hc is long enough to be used as a seed for some pseudorandom generator, or under specific assumptions, as described below. There are two nontrivial technical steps needed to formalize requirement 2 and realize it. First, we define a condition required of hc (which we call “robustness”) and show that it is sufficient for security of the resulting DE. Second, through a computational entropy argument, we show how to make any sufficiently long hc robust by applying a randomness extractor.

This general scheme admits a number of instantiations depending on f and hc. For example, when f is any trapdoor function and hc is a random oracle (RO), we obtain the construction of [4]. When f is an iterated trapdoor permutation (TDP) and hc is a collection of Goldreich–Levin (GL) [31] bits extracted at each iteration, we obtain the construction of [6]. When f is a lossy trapdoor function (LTDF) [48] and hc is a pairwise-independent hash, we get a variant of the construction of [11] (which is less efficient but has a more straightforward analysis). We also obtain a variant of the construction of Hemenway et al. [35] under the same assumption as they use (see Sect. 5.2 for details). Note that in all but the last of these cases, the hardcore function is already robust (without requiring an extractor), which shows that in prior work this notion played an implicit role. In particular, the GL bits are robust, explaining why [4, 6] specifically use them and not some other hardcore bits.
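The construction and its GL instantiation described above, as an added runnable example (not code from the paper): a toy RSA permutation stands in for the TDF f, a random GF(2) matrix gives the GL^i bits as hc, and textbook ElGamal plays the probabilistic scheme E, whose coins are taken from hc(x). All parameters are constructed toy values, the mapping of the hardcore bits to an ElGamal exponent and the re-encryption check in decryption are this example's own choices, and nothing here is secure. The point is to see Enc(x) = E(f(x); hc(x)) be deterministic, correct, and verifiable by anyone holding only the public key, which is exactly the guess-checking attack the introduction starts from.

```python
import random
from typing import List, Optional, Tuple

# Toy RSA trapdoor permutation f(x) = x^e mod N on Z_N with trapdoor d.
# Constructed textbook parameters (N = 61 * 53); insecure, for illustration only.
N, RSA_E, RSA_D = 3233, 17, 2753
K_BITS = N.bit_length()  # inputs are k-bit strings, here k = 12


def tdp_eval(x: int) -> int:
    return pow(x, RSA_E, N)


def tdp_invert(y: int) -> int:
    return pow(y, RSA_D, N)


# Goldreich-Levin hardcore function GL^i(M, x) = M x over GF(2).
# M is an i x k matrix; row j is stored as a k-bit integer mask.
def gl_keygen(i: int, rng: random.Random) -> List[int]:
    return [rng.getrandbits(K_BITS) for _ in range(i)]


def gl_eval(M: List[int], x: int) -> int:
    out = 0
    for j, row in enumerate(M):
        # output bit j is the inner product <row, x> over GF(2): the parity of row & x
        out |= (bin(row & x).count("1") & 1) << j
    return out


# Toy ElGamal in Z_7919^* with base 2 plays the probabilistic scheme E(pk, y; r).
# Constructed group; plaintexts y = f(x) < N < P_EG fit as group elements.
P_EG, G_EG = 7919, 2


def eg_keygen(rng: random.Random) -> Tuple[int, int]:
    a = rng.randrange(1, P_EG - 1)
    return pow(G_EG, a, P_EG), a  # (public h, secret a)


def eg_encrypt(h: int, msg: int, r: int) -> Tuple[int, int]:
    # the coins r are an explicit argument so that EwHCore can supply them
    return pow(G_EG, r, P_EG), (msg * pow(h, r, P_EG)) % P_EG


def eg_decrypt(a: int, c: Tuple[int, int]) -> int:
    c1, c2 = c
    return (c2 * pow(c1, P_EG - 1 - a, P_EG)) % P_EG  # multiply by c1^(-a) via Fermat


# EwHCore: Enc(x) = E(f(x); hc(x)). Public key = (GL matrix M, ElGamal public h).
def ewh_keygen(i: int, seed: int = 0):
    rng = random.Random(seed)
    M = gl_keygen(i, rng)
    h, a = eg_keygen(rng)
    return (M, h), (M, h, a)


def coins_from_hardcore(M: List[int], x: int) -> int:
    # hc(x) must supply all of E's randomness; here the i hardcore bits are mapped to
    # an ElGamal exponent in [1, P_EG - 2] (a choice of this toy example, not of the paper).
    return 1 + gl_eval(M, x) % (P_EG - 2)


def ewh_encrypt(pk, x: int) -> Tuple[int, int]:
    M, h = pk
    assert 0 <= x < N
    y = tdp_eval(x)
    return eg_encrypt(h, y, coins_from_hardcore(M, x))


def ewh_decrypt(sk, c: Tuple[int, int]) -> Optional[int]:
    M, h, a = sk
    x = tdp_invert(eg_decrypt(a, c))
    # Re-encrypt and compare: a consistency check added in this example; it rejects
    # ciphertexts that were not produced by ewh_encrypt under this public key.
    return x if ewh_encrypt((M, h), x) == c else None


def confirms_guess(pk, c: Tuple[int, int], guess: int) -> bool:
    # The attack from the introduction: with pk alone, anyone can test a plaintext guess.
    return ewh_encrypt(pk, guess) == c


if __name__ == "__main__":
    pk, sk = ewh_keygen(i=12, seed=7)
    c = ewh_encrypt(pk, 42)
    print("deterministic:", c == ewh_encrypt(pk, 42))
    print("decrypts to 42:", ewh_decrypt(sk, c) == 42)
    print("guess 42 confirmed without sk:", confirms_guess(pk, c, 42))
```

Two things worth noticing when running it. First, the scheme is deterministic only because the coins are a function of x; replacing `coins_from_hardcore` with fresh randomness gives back ordinary ElGamal of f(x). Second, taking i = 12 hardcore bits from a 12-bit permutation is far beyond the “logarithmically many” bits that the GL theorem guarantees, so requirement (1) is met here only syntactically; the paper's point is that long hardcore outputs need stronger assumptions on f.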

Moreover, this general scheme not only explains past constructions, but also gives us new ones. Specifically, if f is a trapdoor function with enough hardcore bits, we obtain:

  • DE that works on the uniform distribution of messages;

  • DE that works on any distribution of messages whose min-entropy is at most logarithmically smaller than the maximum possible;

  • assuming sufficient hardness distinguishing the output of hc from uniform (so in particular of inverting f), DE that works on even-lower entropy message distributions.

Prior results require more specific assumptions on the trapdoor function (such as assuming that it is a permutation or that it is lossy—both of which imply enough hardcore bits). Furthermore, our results yield more efficient schemes in the permutation case, by avoiding iteration (under strong enough assumptions).

Notably, we obtain the first DE scheme without random oracles based on the hardness of syndrome decoding using the Niederreiter trapdoor function [45], which was shown to have linearly many hardcore bits by Freeman et al. [27] (and, moreover, to be secure under correlated products, as defined by Rosen and Segev [55]) but is not known to be lossy. (A scheme in the random oracle model follows from [4].) Additionally, the RSA [54] and Paillier [47] trapdoor permutations have linearly many hardcore bits under certain computational assumptions (the “Small Solutions RSA” [59] and “Bounded Computational Composite Residuosity” [13] assumptions, respectively). Therefore, we can use these TDPs to instantiate our scheme efficiently under the same computational assumptions. Before our work, DE schemes from RSA and Paillier either required many iterations [6] or decisional assumptions that imply lossiness of these TDPs [11, 27, 39].

Security for Multiple Messages: Definition and Construction

An important caveat is that, as in [6, 11], we can prove the above standard-model DE schemes secure only for the encryption of a single high-entropy plaintext, or, what was shown equivalent in [11], an unbounded number of messages drawn from a block source [14] (where each subsequent message brings “fresh” entropy). On the other hand, the strongest and most practical security model for DE introduced by [4] considers the encryption of an unbounded number of plaintexts that have individual high entropy but may not have any conditional entropy. In order for EwHCore to achieve this, the hardcore function hc must also be robust on correlated inputs. In particular, it follows from [4] that a RO hash satisfies such a notion, leading to their multi-message secure scheme. We thus have a large gap between the classes of message sources with (known) secure constructions in the RO model versus in the standard model.

To help bridge this gap, we propose (in Sect. 6) a notion of “q-bounded” security for DE, where up to q high-entropy but arbitrarily correlated messages may be encrypted under the same public key (whose size may depend polynomially on q). Following [11], we also extend our security definition to unbounded multi-message security where messages are drawn from what we call a “q-block source” (essentially, a block source where each “block” consists of q messages which may be arbitrarily correlated but have individual high entropy); Theorem 4.2 of [11] extends to show that q-bounded multi-message security and unbounded multi-message security for q-block sources are equivalent for a given min-entropy. Then, using our EwHCore construction and a generalization of the leftover hash lemma discussed below, we show q-bounded DE schemes (for long enough messages), for any polynomial q, based on LTDFs losing a 1−O(1/q) fraction of the input. It is known how to build such LTDFs from the decisional Diffie–Hellman [48], d-linear [27], and decisional composite residuosity [11, 27] assumptions.

Regarding security for unbounded arbitrarily correlated messages in the standard model, a subsequent result of Wichs [64] shows that it is impossible using black-box reductions to falsifiable assumptions. However, in further subsequent work, Bellare et al. [7] achieve this notion under a particular non-falsifiable assumption. We stress that our result on q-bounded security holds under common, falsifiable assumptions.

1.2 Our Tools

Our results are enabled by three tools that we believe to be of more general applicability (detailed in Sect. 3).

A More Precise Condition for Security of DE

We revisit the definitional equivalences for DE proven by [6] and [11]. At a high level, they showed that the semantic-security-style definition for DE (called PRIV) introduced in the initial work of [4], which asks that a scheme hide all public-key-independent functions of messages drawn from some distribution, is in some sense equivalent to an indistinguishability-based notion for DE (called IND), which asks that it be hard to distinguish ciphertexts of messages drawn from one of two possible distributions. Notice that while PRIV can be meaningfully said to hold for a given message distribution, IND inherently talks of pairs of distributions. The works of [6, 11] compensated for this by giving equivalences in terms of min-entropy levels. That is, they showed that PRIV for all message distributions of min-entropy μ is implied by indistinguishability with respect to all pairs of plaintext distributions of min-entropy slightly less than μ.

We demonstrate a more precise equivalence that, for a fixed distribution \(\bf{M}\), identifies a class of pairs of distributions such that if IND holds on those pairs, then PRIV holds on \(\bf{M}\). By reexamining the equivalence proof of [6], we show that PRIV on \(\bf{M}\) is implied by IND on all pairs of “slightly induced” distributions \(\bf{M}\mid\mathsf{E}\), where E is an arbitrary event of probability at least 1/4. This more precise equivalence makes security easier to reason about. Specifically, it is needed to argue that “robustness” of hc is sufficient for the security of EwHCore (essentially, a robust hardcore function is one that remains hardcore on a slightly induced distribution).

We also note that this more precise equivalence may be of independent interest for other primitives whose security holds for specific source distributions.

Conditional Computational Entropy

We investigate how conditioning reduces computational entropy of a random variable X. We consider notions of computational entropy based on indistinguishability. The standard notion is HILL entropy which generalizes pseudorandomness to the high entropy setting [3, 34]. Suppose you have a distribution that has computational entropy (such as the pair f(r),hc(r) for a random r). If you condition that distribution on an event E of probability p, how much computational entropy is left?

To make this question more precise, we should note that notions of computational entropy are parameterized by quality (how distinguishable is X from a variable Z that has true entropy) and quantity (how much true entropy is there in Z).

We prove an intuitively natural result: conditioning on an event of probability p reduces the quality of computational entropy by a factor of p and the quantity of entropy by \(\log_{2}(1/p)\) (note that this means that the reduction in quantity and quality is the same, because the quantity of entropy is measured on a logarithmic scale).

Naturally, the answer becomes so simple only once the correct notion of entropy is in place. Our result holds for a weaker notion of computational entropy called Metric entropy (defined in [3, 25]). This entropy is convertible (with some loss) to HILL entropy using the techniques of [3, 60], which can then be used with randomness extractors to get pseudorandom bits.

Our result improves previous bounds of Dziembowski and Pietrzak [25, Lemma 3], where the loss in the quantity of entropy was related to its original quality. The use of metric entropy simplifies the analogous result of Reingold et al. [51, Theorem 1.3] for HILL entropy. Other recent work [30, Lemma 3.1], [15, Lemma 16] also addresses the question of conditional computational entropy. We compare our bounds with those of [15, 25, 30, 51] in Appendix B.

We use this result to show that randomness extractors can be used to convert a hardcore function into a robust one, through a computational entropy argument for slightly induced distributions. It can also be useful in leakage-resilient cryptography (indeed, leakage-resilient cryptography is the subject of [25]), when instead of an event E one conditions on a random variable leaked to the adversary. For the information-theoretic case, it is known that leakage of a λ-bit-long random variable reduces the average entropy by at most λ (Lemma 2.1). We show essentially the same for the computational case: if a λ-bit-long random variable is leaked, then the amount of computational Metric entropy decreases by at most λ and its quality decreases by a factor of at most \(2^{\lambda}\) (again, this entropy can be converted to HILL entropy and be used in randomness extractors [20, 36]).

(Crooked) Leftover Hash lemma for Correlated Distributions

We show that the leftover hash lemma (LHL) [34, Lemma 4.8], as well as its generalized form [20, Lemma 2.4] and the “Crooked” LHL [21], extend in a natural way to “correlated” distributions. That is, suppose we have t random variables (sources) \(X_{1},\ldots,X_{t}\), where each \(X_{i}\) individually has high min-entropy but may be fully determined by the outcome of some other \(X_{j}\) (though we assume \(X_{i}\neq X_{j}\) for all \(i\neq j\)). We would like to apply a hash function H such that \(H(X_{1}),\ldots,H(X_{t})\) is statistically indistinguishable from t independent copies of the uniform distribution on the range of H (also over the choice of the key for H, which is made public). We show that this is the case assuming H is 2t-wise independent. (The standard LHL is thus the case t=1; previously, Kiltz et al. [40] showed this for t=2.) Naturally, this requires the output size of H to be about a 1/t fraction of its input size, so there is enough entropy to extract. Subsequent work of [50, Theorem 4.6] shows another generalization of the (Crooked) LHL, which differs from ours in several respects. The main differences are that the conditions imposed on H by [50] are much more permissive (in particular, only (log t)-wise independence is needed, and the output can be much longer), but the conclusion applies to each \(H(X_{i})\) only in isolation (though for every i, which can thus be chosen after H is fixed).

1.3 Further Related Work

Work on DE

We note that we focus on the basic case of passive, “chosen plaintext” attack on DE in this paper. There are a variety of stronger attack models that have been proposed, and we leave it as an interesting future direction to study to what extent our techniques apply against them. These include security against chosen-ciphertext attack [4, 50], auxiliary message-dependent input [12], and “adaptive” message distributions (i.e., that depend in some way on the public key) [50]. We note that a notion of “incremental” DE (where a small change in the message induces a correspondingly small change in its encryption) has also been studied [44] due to its importance in the application of DE to deduplication on encrypted storage systems, and it would be similarly interesting to study to what extent our schemes can be adapted to the incremental setting.

Work on Conditional Computational Entropy

In addition to the work described above, there have been several subsequent works on conditional computational entropy. At the time when the conference version of our work [28] was written, it was not known whether our computational entropy loss result applied when the starting random variable was already conditional (except in special cases [15] or for different definitions [29, 30, 53]). This is known as a “chain” rule for HILL entropy. A counterexample to the chain rule using ideas from deniable encryption was recently shown by Krenn et al. [42]. Skorski [57] provides a general characterization of when the chain rule applies.

The work of Jetchev and Pietrzak [37] provides a constructive way to simulate the value of the condition, which enables the proof of the chain rule for a relaxed definition of HILL entropy. The work of Vadhan and Zheng [60] provides a proof of the conditional entropy loss result via a uniform reduction, making the result constructive in a very strong sense.

2 Preliminaries

2.1 Notation and Background

Unless otherwise indicated, an algorithm may be randomized and must run in probabilistic polynomial-time (PPT) in its input size. An adversary is a non-uniform algorithm (or tuple of algorithms). We make the convention that the running-time of an adversary includes its program (i.e., circuit) size and the time to run any overlying experiment. The security parameter is denoted by k, and \(1^{k}\) denotes the string of k ones. We often suppress dependence of variables on k for readability. A function \(f \colon{{\mathbb{N}}}\to[0,1]\) is negligible if \(f(k)=o(k^{-c})\) for all constants c≥0.

If A is an algorithm then \(x {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\) denotes that x is assigned the output of running A on the elided inputs and a fresh random tape, while \(x \leftarrow A(\ldots;r)\) denotes the same but with the random tape fixed to r. If S is a finite set then \(s {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}S\) denotes that s is assigned a uniformly random element of S. We use the abbreviation \(x_{1}, \ldots, x_{n} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\) for \(x_{1} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\:;\:\ldots\:;\: x_{n} {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A(\ldots)\).

If A is deterministic then we drop the dollar sign above the arrow. We denote by \(\{0,1\}^{*}\) the set of all (binary) strings, and by \(\{0,1\}^{n}\) the set of strings of length n. By \(x_{1}\|\cdots\|x_{m}\) we denote an encoding of strings \(x_{1},\ldots,x_{m}\) from which \(x_{1},\ldots,x_{m}\) are uniquely recoverable. We denote by \(x\oplus y\) the bitwise exclusive-or (xor) of equal-length strings x,y. For two n-bit strings x,y we denote by 〈x,y〉 the inner product of x and y when interpreted as vectors over GF(2). Vectors are denoted in boldface, for example \(\mathbf{x}\). If \(\mathbf{x}\) is a vector then \(|\mathbf{x}|\) denotes the number of components of \(\mathbf{x}\) and \(\mathbf{x}[i]\) denotes its ith component, for \(1\leq i\leq|\mathbf{x}|\). For convenience, we extend algorithmic notation to operate on each vector of inputs component-wise. For example, if A is an algorithm and \(\mathbf{x},\mathbf{y}\) are vectors then \({\mathbf{z}}{\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A({\mathbf {x}},{\mathbf{y}})\) denotes that \({\mathbf{z}}[i] {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A({\mathbf {x}}[i],{\mathbf{y}}[i])\) for all \(1\leq i\leq|\mathbf{x}|\).

Let X and Y be random variables. For t,ϵ≥0, we say that X and Y are computationally (t,ϵ)-indistinguishable, denoted \(X \approx_{t,\epsilon} Y\), if |Pr[D(X)=1]−Pr[D(Y)=1]|≤ϵ for all distinguishers D running in time at most t.

Statistical Notions

Let X be a random variable on a finite set \(\mathcal{X}\). We write \(P_{X}\) for the distribution of random variable X and \(P_{X}(x)\) for the probability that X puts on value \(x \in\mathcal{X}\), i.e., \(P_{X}(x)=\Pr[X=x]\). Denote by |X| the size of the support of X, i.e., \(|X|=|\{x : P_{X}(x)>0\}|\). We often identify X with \(P_{X}\) when there is no danger of confusion. By \(x {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}X\) we denote that x is assigned a value drawn according to \(P_{X}\). When this experiment is PPT we say that X is efficiently sampleable. We write \(X|E\) for the random variable X conditioned on an event E. When X is vector-valued we denote it in boldface, for example \(\bf{X}\). For a function \(f: \mathcal{X}\to\mathbb{R}\), we denote the expectation of f over X by \(\mathop{\mathbb{E}}f(X) \stackrel{\mathrm{def}}{=}\mathop{\mathbb {E}}_{x\in X} f(x) \stackrel{\mathrm{def}}{=}\sum_{x\in\mathcal {X}} P_{X}(x) f(x)\).

The max-entropy of X is \(\mathrm{H}_{0}(X)=\log|X|\). The min-entropy of X is \(\mathrm{H}_{\infty}(X)=-\log(\max_{x} P_{X}(x))\), the (worst-case) conditional min-entropy of X given Y is \(\mathrm{H}_{\infty}(X|Y)=-\log(\max_{x,y} P_{X|Y=y}(x))\), and the average conditional min-entropy of X given Y [20] is \(\tilde{\mathrm {H}}_{\infty}(X|Y) = -\log(\mathop{\mathbb{E}}_{y\in Y} \max_{x} P_{X|Y=y}(x))\). Following [4, 6], for vector-valued \(\bf{X}\) the min-entropy is the minimum individual min-entropy of the components, i.e., \(\mathrm{H}_{\infty}(\mathbf{X})=-\log(\max_{x,i} P_{\mathbf{X}[i]}(x))\). The collision probability of X is \(\mathrm{Col}(X)=\sum_{x} P_{X}(x)^{2}\). The statistical distance between random variables X and Y with the same domain is \(\Delta(X,Y) = \frac{1}{2} \sum_{x} |P_{X}(x) - P_{Y}(x)|\). We write \(X \approx_{\epsilon} Y\) if Δ(X,Y)≤ϵ, and when ϵ is negligible we say X and Y are statistically close.

t-Wise Independent Functions

Let \(F \colon\mathcal{K}\times D \to R\) be a function. We say that F is t-wise independent if for all distinct \(x_{1},\ldots,x_{t}\in D\) and all \(y_{1},\ldots,y_{t}\in R\)

$$\begin{aligned} \Pr \bigl[ F(K, x_1) = y_1 \wedge\cdots\wedge F(K, x_t) = y_t \: : \: K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K} \bigr] = \frac{1}{|R|^t} . \end{aligned}$$

In other words, \(F(K,x_{1}),\ldots,F(K,x_{t})\) are all uniformly and independently random over R. 2-wise independence is also called pairwise independence.
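The definition above checked exhaustively, as an added example that is not part of the paper: the family is polynomial hashing over a small prime field, \(F(K,x)=\sum_{j} K_{j}x^{j} \bmod p\) with the key K being the coefficient vector, which is the standard construction of a t-wise independent family (a degree-(t−1) polynomial is t-wise independent because Lagrange interpolation makes \(K\mapsto(F(K,x_{1}),\ldots,F(K,x_{t}))\) a bijection). The field GF(7) and all degrees are constructed toy parameters. The check counts, over every key, how often each output tuple occurs for each set of t distinct inputs, and so also shows the negative case: a degree-1 family is pairwise but not 3-wise independent, and the 2t-wise independence that the correlated LHL of Sect. 1.2 asks for with t=2 needs degree 3.

```python
from itertools import combinations, product
from typing import Dict, Sequence, Tuple

P = 7  # constructed toy prime; the hash maps D = R = GF(7) to itself


def poly_hash(key: Sequence[int], x: int, p: int = P) -> int:
    """F(K, x) = K[0] + K[1] x + ... + K[deg] x^deg over GF(p), evaluated by Horner's rule.
    The key K is the coefficient vector of a polynomial of degree len(K) - 1."""
    acc = 0
    for coeff in reversed(key):
        acc = (acc * x + coeff) % p
    return acc


def is_t_wise_independent(degree: int, t: int, p: int = P) -> bool:
    """Exhaustive check of t-wise independence for {poly_hash(K, .) : K in GF(p)^(degree+1)}:
    for every set of t distinct inputs, every output tuple in R^t must be produced by exactly
    |K| / |R|^t keys, i.e. Pr_K[F(K,x_1) = y_1 and ... and F(K,x_t) = y_t] = 1 / |R|^t."""
    keys = list(product(range(p), repeat=degree + 1))
    if len(keys) % p ** t:
        return False  # |K| is not a multiple of |R|^t, so exact uniformity is impossible
    expected = len(keys) // p ** t
    for xs in combinations(range(p), t):  # all sets of t distinct inputs
        counts: Dict[Tuple[int, ...], int] = {}
        for key in keys:
            ys = tuple(poly_hash(key, x, p) for x in xs)
            counts[ys] = counts.get(ys, 0) + 1
        if len(counts) != p ** t or any(c != expected for c in counts.values()):
            return False
    return True


def min_degree_for(t: int) -> int:
    """Smallest polynomial degree giving t-wise independence: t - 1 (Lagrange interpolation)."""
    return t - 1


if __name__ == "__main__":
    print("degree 1, pairwise:", is_t_wise_independent(1, 2))  # True
    print("degree 1, 3-wise:  ", is_t_wise_independent(1, 3))  # False: 49 keys cannot cover 343 triples
    print("degree 3, 4-wise:  ", is_t_wise_independent(3, 4))  # True: 2t-wise independence for t = 2
```

The counting argument is what the LHL-style proofs use: the collision probability of (F(K,x_1),…,F(K,x_t)) over the key is exactly that of t independent uniform values, which is why the output length of H must shrink as t grows (there is only one key's worth of randomness, and the inputs may be correlated).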

Entropy After Information Leakage

Dodis et al. [20, Lemma 2.2] characterized the effect of auxiliary information on average min-entropy:

Lemma 2.1

[20, Lemma 2.2]

Let A,B,C be random variables. Then

  1. For any δ>0, the conditional entropy \(\mathrm{H}_{\infty}(A|B=b)\) is at least \(\tilde{\mathrm{H}}_{\infty}(A|B)-\log (1/\delta)\) with probability at least 1−δ over the choice of b.

  2. If B has at most \(2^{\lambda}\) possible values, then \(\tilde{\mathrm{H}}_{\infty}(A|(B, C))\geq\tilde{\mathrm{H}}_{\infty}((A, B)|C)-\lambda\geq\tilde{\mathrm{H}}_{\infty}(A|C)-\lambda\). In particular, \(\tilde{\mathrm{H}}_{\infty}(A|B) \geq\mathrm {H}_{\infty}((A, B))-\lambda\geq\mathrm{H}_{\infty}(A)-\lambda\).
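The three entropy notions defined above and both parts of Lemma 2.1, computed exactly on small constructed distributions (an added example, not from the paper): A is uniform on 3 bits and B is a leak about A. The three leaks (the parity bit, the parity bit flipped with probability 1/4, and a skewed leak that reveals A completely whenever A∈{0,1}) are this example's own choices. They show the average-case bound being tight for deterministic leaks of a uniform variable, strict for a noisy leak, and the worst-case conditional min-entropy collapsing to 0 while the average stays at 3−log₂3, which is exactly the gap that part (1) of the lemma bounds.

```python
from fractions import Fraction
from math import log2
from typing import Callable, Dict, Hashable, Tuple

# P[A = a, B = b] as exact rationals, keyed by (a, b)
Joint = Dict[Tuple[Hashable, Hashable], Fraction]


def marginal(joint: Joint, index: int) -> Dict[Hashable, Fraction]:
    """Marginal distribution of coordinate 0 (A) or 1 (B)."""
    out: Dict[Hashable, Fraction] = {}
    for ab, pr in joint.items():
        out[ab[index]] = out.get(ab[index], Fraction(0)) + pr
    return out


def max_posterior(joint: Joint, b: Hashable) -> Fraction:
    """max_a P[A = a | B = b]: the best guessing probability after seeing b."""
    pb = marginal(joint, 1)[b]
    return max(pr for (_, bb), pr in joint.items() if bb == b) / pb


def min_entropy_a(joint: Joint) -> float:
    """H_inf(A) = -log max_a P[A = a]."""
    return -log2(float(max(marginal(joint, 0).values())))


def avg_cond_min_entropy(joint: Joint) -> float:
    """Average conditional min-entropy [20]: H~_inf(A|B) = -log E_b max_a P[A = a | B = b]."""
    pb = marginal(joint, 1)
    return -log2(float(sum(pr * max_posterior(joint, b) for b, pr in pb.items())))


def worst_cond_min_entropy(joint: Joint) -> float:
    """Worst-case conditional min-entropy: H_inf(A|B) = -log max_{a,b} P[A = a | B = b]."""
    return -log2(float(max(max_posterior(joint, b) for b in marginal(joint, 1))))


def leakage_bound_holds(joint: Joint) -> bool:
    """Lemma 2.1(2) with C empty: H~_inf(A|B) >= H_inf(A) - lambda, where 2^lambda = |supp(B)|."""
    lam = log2(len(marginal(joint, 1)))
    return avg_cond_min_entropy(joint) >= min_entropy_a(joint) - lam - 1e-9


def prob_bad_b(joint: Joint, delta: float) -> Fraction:
    """Probability mass of b with H_inf(A|B=b) < H~_inf(A|B) - log(1/delta).
    Lemma 2.1(1) states this mass is at most delta."""
    threshold = avg_cond_min_entropy(joint) - log2(1 / delta)
    total = Fraction(0)
    for b, pr in marginal(joint, 1).items():
        if -log2(float(max_posterior(joint, b))) < threshold:
            total += pr
    return total


def uniform_a_with_leak(n_a: int, channel: Callable[[int], Dict[Hashable, Fraction]]) -> Joint:
    """A uniform on {0, ..., n_a - 1}; channel(a) is the distribution P[B = . | A = a]."""
    return {(a, b): Fraction(1, n_a) * pr for a in range(n_a) for b, pr in channel(a).items()}


# Constructed example leaks on a uniform 3-bit A (so H_inf(A) = 3):
LEAK_PARITY = uniform_a_with_leak(8, lambda a: {a & 1: Fraction(1)})            # 1 bit, exact
LEAK_NOISY = uniform_a_with_leak(8, lambda a: {a & 1: Fraction(3, 4),           # 1 bit, flipped w.p. 1/4
                                               1 - (a & 1): Fraction(1, 4)})
LEAK_SKEWED = uniform_a_with_leak(8, lambda a: {(a if a < 2 else 2): Fraction(1)})  # 3 values, lambda = log2(3)

if __name__ == "__main__":
    for name, j in (("parity", LEAK_PARITY), ("noisy", LEAK_NOISY), ("skewed", LEAK_SKEWED)):
        print(name, "avg:", round(avg_cond_min_entropy(j), 3),
              "worst:", round(worst_cond_min_entropy(j), 3),
              "bound holds:", leakage_bound_holds(j))
```

For a deterministic leak B=g(A) of a uniform A the bound in part (2) is an equality: each b has \(\max_{a}P_{A|B=b}(a)=1/|g^{-1}(b)|\), so the expectation collapses to (number of values of B)/|A| and \(\tilde{\mathrm{H}}_{\infty}(A|B)=\mathrm{H}_{\infty}(A)-\log_{2}|\mathrm{supp}(B)|\). The noisy leak shows why the average notion is the right one for extractors: the adversary's best guess after seeing b is 3/16, not the 1/4 a deterministic bit would give, and the average entropy credits the difference.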

Extractors

Let χ be a finite set. A polynomial-time computable deterministic function \(\mathtt{ext}\colon\chi\times\{0,1\}^{d}\to\{0,1\}^{m}\times\{0,1\}^{d}\) is a strong (k,ϵ)-extractor [46] if the last d output bits of ext are equal to the last d input bits (these bits are called the seed), and \(\Delta(\mathtt{ext}(X,U_{d}),U_{m}\times U_{d})\leq\epsilon\) for every distribution X on χ with \(\mathrm{H}_{\infty}(X)\geq k\). The number of extracted bits is m, and the entropy loss is k−m.

Average-case extractors, defined in [20, Sect. 2.5], are extractors extended to work with average-case, rather than unconditional, min-entropy. Vadhan [61, Problem 6.8] shows that any (k,ϵ)-extractor for \(k\leq\log_{2}|\chi|-1\) is also a (k,3ϵ)-average-case extractor. However, the additional loss is not always necessary. Indeed, the Leftover Hash Lemma generalizes without any loss to the average-case setting, as shown in [20].

Definition 2.2

Let \(\chi_{1},\chi_{2}\) be finite sets. An extractor ext is a (k,ϵ)-average-case extractor if for all pairs of random variables X,Y over \(\chi_{1},\chi_{2}\) such that \(\tilde{\mathrm{H}}_{\infty}(X|Y) \ge k\), we have \(\Delta((\mathtt{ext}(X,U_{d}),Y),U_{m}\times U_{d}\times Y)\leq\epsilon\).

Public-Key Encryption

A (probabilistic) public-key encryption scheme with plaintext-space PtSp is a triple of algorithms \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\). The key-generation algorithm \(\mathcal{K}\) takes input \(1^{k}\) to return a public key pk and matching secret key sk. The encryption algorithm \(\mathcal{E}\) takes pk and a plaintext m to return a ciphertext; this algorithm is randomized, using randomness r. The deterministic decryption algorithm \(\mathcal{D}\) takes sk and a ciphertext c to return a plaintext. We require that for all plaintexts m∈PtSp

Next we define security against chosen-plaintext attack [32]. With an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal {D})\), an adversary \(A=(A_{1},A_{2})\), and \(k \in{{\mathbb{N}}}\) we associate the experiment \(\mathbf{Exp}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k)\) (given as a figure in the original; not reproduced here), where we require \(A_{1}\)’s output to satisfy \(|m_{0}|=|m_{1}|\). Define the IND-CPA advantage of A against Π as

$$\begin{aligned} \mathbf{Adv}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k) = 2\cdot\Pr \bigl[ \mathbf{Exp}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k) = 1 \bigr] - 1. \end{aligned}$$

We say that Π is IND-CPA secure if \(\mathbf {Adv}^{\mathrm {ind\mbox{-}cpa}}_{\varPi,A}(\cdot)\) is negligible for any PPT adversary A.

Lossy Trapdoor Functions

A lossy trapdoor function (LTDF) generator [48] is a pair \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) of algorithms. Algorithm \(\mathcal{F}\) is a usual trapdoor function (TDF) generator, namely on input \(1^{k}\) it outputs (a description of a) function f on \(\{0,1\}^{n}\) for n=n(k) along with (a description of) its inverse \(f^{-1}\), and algorithm \(\mathcal{F}'\) outputs a (description of a) function f′ on \(\{0,1\}^{n}\). For a distinguisher D, define its LTDF advantage against LTDF as

$$\begin{aligned} \mathbf{Adv}^{\mathrm{ltdf}}_{{\mathsf{LTDF}},D}(k) = \Pr \bigl[ D(f) = 1 \: : \: \bigl(f, f^{-1} \bigr) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F} \bigl(1^k \bigr) \bigr] - \Pr \bigl[ D \bigl(f' \bigr) = 1 \: : \: f' {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}' \bigl(1^k \bigr) \bigr] . \end{aligned}$$

We say that LTDF is secure if \(\mathbf {Adv}^{\mathrm{ltdf}}_{{\mathsf{LTDF}},D}(\cdot)\) is negligible for any PPT D. We say LTDF has residual leakage s if for all f′ output by \(\mathcal{F}'\) we have \(|\mathrm{Image}(f')|\leq 2^{s}\). The lossiness of LTDF is \(\ell = n - s\).

One-Way and Hardcore Functions on Non-uniform Distributions

We extend the usual notion of one-wayness to vectors of inputs drawn from non-uniform and possibly correlated distributions. Let \(\mathcal{F}\) be a TDF generator and \({\boldsymbol {X}}\) be a distribution on input vectors. With \(\mathcal{F},{\boldsymbol {X}}\), an inverter I, and \(k \in {{\mathbb{N}}}\) we associate the experiment \(\mathbf{Exp}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}},I}(k)\) (given as a figure in the original; not reproduced here).

Define the OWF advantage of I against F,X as

$$\begin{aligned} \mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}}, I}(k) = \Pr \bigl[ \mathbf{Exp}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}},I}(k) = 1 \bigr] . \end{aligned}$$

We say that \(\mathcal{F}\) is one-way on a class of distributions on input vectors \({\boldsymbol {{{\mathbb{X}}}}}\) if for every \({\boldsymbol {X}} \in {\boldsymbol {{{\mathbb{X}}}}}\) and every PPT inverter I, \(\mathbf {Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}}, I}(\cdot)\) is negligible. We extend hardcore functions (HCFs) in a similar way. Namely, with a trapdoor function generator \(\mathcal{F}\), function \(\mathsf{hc}\colon\{0,1\}^{k}\to\{0,1\}^{n}\), distribution on input vectors \({\boldsymbol {X}}\), a distinguisher D, and \(k \in{{\mathbb{N}}}\) we associate the experiment \(\mathbf{Exp}^{\mathrm{hcf}}_{\mathcal {F},\mathsf{hc}, {\boldsymbol {X}},D}(k)\) (given as a figure in the original; not reproduced here).

Define the HCF advantage of D against F,hc,X as

$$\begin{aligned} \mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf{hc}, {\boldsymbol {X}},D}(k) = 2 \cdot\Pr \bigl[ \mathbf{Exp}^{\mathrm{hcf}}_{\mathcal {F},\mathsf{hc}, {\boldsymbol {X}},D}(k) = 1 \bigr] - 1. \end{aligned}$$

We say that hc is hardcore for \(\mathcal{F}\) on a class of distributions on input vectors \({\boldsymbol {{{\mathbb{X}}}}}\) if for every \({\boldsymbol {X}} \in {\boldsymbol {{{\mathbb{X}}}}}\) and every PPT distinguisher D, \(\mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf{hc},{\boldsymbol {X}}, D}(\cdot)\) is negligible.

Note that we depart somewhat from standard treatments in that we allow a HCF to also depend on the description of the trapdoor function (via the argument f). This allows us to simplify our exposition.

Augmented Trapdoor Functions

It is useful to introduce the notion of an “augmented” version of a TDF, which augments the description of the latter with keying material for a HCF. More formally, let \(\mathcal{F}\) be a trapdoor function generator and let H be a keyed function with keyspace \(\mathcal{K}\). Define the H-augmented version of \(\mathcal{F}\), denoted \(\mathcal {F}[H]\), that on input \(1^{k}\) returns \((f,K),(f^{-1},K)\) where \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) and \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\); evaluation is defined for \(x\in\{0,1\}^{k}\) as f(x) (i.e., evaluation just ignores K) and inversion is defined analogously.

Goldreich–Levin Hardcore Function

For \(i \in{{\mathbb{N}}}\) define the length-i Goldreich–Levin (GL) function [31] \(\mathcal{GL}^{i} \colon\{0,1\}^{i\times k} \times\{0,1\}^{k} \to\{0,1\}^{i}\) as \(\mathcal{GL}^{i}(M,x)=Mx\), where Mx is the matrix-vector product of the randomly sampled matrix M and x over GF(2) (it is also possible to choose a random Toeplitz matrix instead of a completely random matrix). If i is small enough (roughly logarithmic in the security of \(\mathcal{F}\)), then \(\mathcal{GL}^{i}\) is hardcore for \(\mathcal{F}[\mathcal{GL}^{i}]\). Moreover, this result does not depend on the input distribution of \(\mathcal{F}\); it depends only on the hardness of \(\mathcal{F}\) on that particular distribution.

2.2 Computational Entropy

For computational entropy we define several classes of distinguishers. Let \(\mathcal {D}^{\mathrm {det},\{0,1\}} _{s}\) be the set of all deterministic circuits of size s with binary output in {0,1}, let \(\mathcal {D}^{\mathrm {det},[0,1]} _{s}\) be the set of all deterministic circuits of size s with output in [0,1], and let \(\mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {rand},[0,1]} _{s}\) be the sets of probabilistic circuits with output ranges {0,1} and [0,1], respectively. (We talk of circuit size rather than running-time in the context of computational entropy for consistency with the literature.) Given a circuit D, define the computational distance δ D between X and Z as \(\delta^{D}(X, Z) = |\mathop{\mathbb{E}}[D(X)] - \mathop{\mathbb{E}}[D(Z)]|\). While min-entropy is measured only by amount, computational min-entropy has two additional parameters: distinguisher size s and quality ϵ. Larger s and smaller ϵ mean “better” entropy.

Definition 2.3

([34])

A distribution X has HILL entropy at least k, denoted \(H^{{\mathtt{HILL}}}_{\epsilon, s}(X)\geq k\), if there exists a distribution Z with \(\mathrm{H}_{\infty}(Z)\geq k\) such that \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \delta^{D}(X, Z)\leq\epsilon\).

An alternative notion called Metric entropy is often used for proofs and is obtained by switching in the order of quantifiers. Thus, a different Z can be used for each distinguisher:

Definition 2.4

([3])

A distribution X has Metric entropy at least k, denoted \(H^{{\mathtt{Metric}}}_{\epsilon, s}(X)\geq k\), if \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) there exists a distribution \(Z_{D}\) with \(\mathrm{H}_{\infty}(Z_{D})\geq k\) and \(\delta^{D}(X,Z_{D})\leq\epsilon\).

For HILL entropy, drawing D from \(\mathcal {D}^{\mathrm {det},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {det},[0,1]} _{s}, \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \mathcal {D}^{\mathrm {rand},[0,1]} _{s}\) is essentially equivalent, as shown in [25, 29]. For Metric entropy, however, the choice among these four classes can make a difference. In particular, if we change the class of D in Definition 2.4 to \(\mathcal {D}^{\mathrm {det},[0,1]} _{s}\), we get so-called “metric-star” entropy, denoted \(H^{{\mathtt{Metric}^{*}} }_{\epsilon, s}\) (this notion was used in [25, 29]).

Equivalence (with a loss in quality) between Metric and HILL entropy was shown by Barak, Shaltiel, and Wigderson [3, Theorem 5.2]:

Theorem 2.5 ([3])

Let X be a discrete distribution over a finite set χ. For every \(\epsilon, \epsilon_{\mathtt{HILL}} > 0\), \(\epsilon' \geq \epsilon + \epsilon_{\mathtt{HILL}}\), k, and s, if \(H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\geq k\) then \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt{HILL}}}}(X)\geq k\) where \(s_{{\mathtt{HILL}}} = \varOmega (\epsilon_{{\mathtt{HILL}}}^{2} s /\log|\chi|)\).

The free parameter in the above theorem, \(\epsilon_{\mathtt{HILL}}\), provides a tradeoff between distinguisher size and advantage. For simplicity, we can set \(\epsilon_{{\mathtt{HILL}}} = \sqrt[3]{\frac{\log|\chi|}{s}}\) yielding \(s_{{\mathtt{HILL}}} = \varOmega(\sqrt[3]{\frac{s}{\log |\chi |}})\) and \(\epsilon' = \epsilon+\sqrt[3]{\frac{\log|\chi|}{s}}\). For typical parameters (specifically, when \(\epsilon \leq (\log|\chi|/s)^{1/3}\)), this setting balances the resulting ϵ′ and \(s_{\mathtt{HILL}}\), i.e., gives us \(\epsilon' = O(1/s_{\mathtt{HILL}})\).

We show the proof of a slightly stronger version of this theorem in Theorem C.1.

Extractors can be applied to distributions with computational entropy to obtain pseudorandom, rather than random, outputs: that is, outputs that are computationally indistinguishable from, rather than statistically close to, uniformly random strings. This fact is well-known for HILL entropy. However, we have not seen it proven for Metric entropy and, although the proof is quite straightforward, we provide it here for completeness. (Since HILL entropy implies Metric entropy, this proof also works for HILL entropy.)

Theorem 2.6

Let \(\mathtt{ext}\colon \chi \times \{0,1\}^d \to \{0,1\}^m \times \{0,1\}^d\) be a \((k, \epsilon_{\mathtt{ext}})\)-extractor, computable by circuits of size \(s_{\mathtt{ext}}\). Let X be a distribution over χ with \(H^{{\mathtt{Metric}}}_{\epsilon_{{\mathtt{Metric}}}, s}(X)\geq k\), where we write \(s_{\mathtt{Metric}}\) for this circuit size s. Then \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s'}\), where \(s' \approx s_{\mathtt{Metric}} - s_{\mathtt{ext}}\),

$$\begin{aligned} \delta^D \bigl( \mathtt {ext} (X, U_d), U_m\times U_d \bigr)\leq\epsilon_{ \mathtt {ext} } + \epsilon_{{\mathtt{Metric}}}. \end{aligned}$$

Proof

We proceed by contradiction. Suppose not, that is, \(\exists D\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s'}\) such that

$$\begin{aligned} \delta^D \bigl( \mathtt {ext} (X, U_d), U_m\times U_d \bigr)> \epsilon_{ \mathtt {ext} } + \epsilon_{{\mathtt{Metric}}}. \end{aligned}$$

We use D to construct a distinguisher D′ that distinguishes X from all distributions Z with \(H_\infty(Z)\geq k\), violating the Metric entropy of X. We define D′ as follows: upon receiving input \(\alpha \in \chi\), D′ samples \(\mathit{seed} \leftarrow U_d\), computes \(\beta \leftarrow \mathtt{ext}(\alpha, \mathit{seed})\), and then runs \(D(\beta, \mathit{seed})\) on the result. Note that \(D' \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) where \(s \approx s' + s_{\mathtt{ext}} = s_{\mathtt{Metric}}\). Thus we have the following \(\forall Z\) with \(H_\infty(Z)\geq k\):

$$\begin{aligned} \delta^{D'}(X, Z) &= \delta^D \bigl( \mathtt {ext} (X, U_d), \mathtt {ext} (Z, U_d) \bigr) \\ &\geq\delta^D \bigl( \mathtt {ext} (X, U_d), U_m\times U_d \bigr)- \delta^D\bigl( \mathtt {ext} (Z, U_d), U_m\times U_d \bigr) \\ &> \epsilon_{ \mathtt {ext} }+\epsilon_{{\mathtt{Metric}}} - \epsilon_{ \mathtt {ext} } = \epsilon_{{\mathtt{Metric}}}. \end{aligned}$$

Thus D′ is able to distinguish X from all Z with sufficient min-entropy. This is a contradiction. □

Unfortunately, the theorem does not extend to \(\mathtt{Metric}^*\) entropy, because the distinguisher D′ we construct in this proof is randomized. The only way to extract from \(\mathtt{Metric}^*\) entropy that we know of is to convert it to HILL entropy using Theorem 2.5 (which incurs some loss) and then use Theorem 2.6 (see Fig. 1). Thus, \(\mathtt{Metric}^*\) entropy appears to be qualitatively weaker than Metric and HILL entropy.

Fig. 1. Known state of equivalence for HILL and Metric entropy. It is known how to extract from HILL and Metric entropy but not from \(\mathtt{Metric}^*\) entropy. (The figure itself is not reproduced in this extraction.)

Conditional entropy has been extended to the computational case by Hsiao, Lu, and Reyzin [36].

Definition 2.7 ([36])

Let (X,Y) be a pair of random variables. X has conditional HILL entropy at least k conditioned on Y, denoted \(H^{{\mathtt{HILL}}}_{\epsilon, s}(X|Y)\geq k\), if there exists a collection of distributions \(Z_y\) for each \(y \in Y\), giving rise to a joint distribution (Z,Y), such that \(\tilde{H}_{\infty}(Z|Y)\geq k\) and \(\forall D \in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}, \delta^{D}((X, Y),(Z,Y))\leq\epsilon\).

Again, we can switch the quantifiers of Z and D to obtain the definition of conditional metric entropy.

Definition 2.8

Let (X,Y) be a pair of random variables. X has conditional Metric entropy at least k conditioned on Y, denoted by \(H^{{\mathtt{Metric}}}_{\epsilon, s}(X|Y)\geq k\), if \(\forall D\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s} \) there exists a collection of distributions \(Z_y\) for each \(y \in Y\), giving rise to a joint distribution (Z,Y), such that \(\tilde{H}_{\infty}(Z|Y)\geq k\) and \(\delta^{D}((X,Y),(Z,Y))\leq\epsilon\).

Conditional \(\mathtt{Metric}^*\) entropy can be defined similarly, replacing \(\mathcal {D}^{\mathrm {rand},\{0,1\}}_{s} \) with \(\mathcal {D}^{\mathrm {det},[0,1]}_{s} \).

Theorem 2.5 can be extended to the conditional case with the same techniques (see [15, 29] for a proof):

Theorem 2.9

Let X be a discrete distribution over a finite set \(\chi_1\) and let Y be a discrete random variable over \(\chi_2\). For every \(\epsilon, \epsilon_{\mathtt{HILL}} > 0\), \(\epsilon' \geq \epsilon + \epsilon_{\mathtt{HILL}}\), k, and s, if \(H^{{\mathtt{Metric}^{*}}}_{\epsilon , s}(X|Y)\geq k\) then \(H^{{\mathtt{HILL}}}_{\epsilon', s_{{\mathtt{HILL}}}}(X|Y)\geq k\) where \(s_{{\mathtt{HILL}}} = \varOmega(\epsilon_{{\mathtt{HILL}}}^{2}s/\log|\chi_{1}||\chi_{2}|)\).

Again, it is reasonable to set \(\epsilon_{{\mathtt{HILL}}} = \sqrt [3]{\frac {\log|\chi_{1}||\chi_{2}|}{s}}\) and get \(s_{{\mathtt{HILL}}} = \varOmega (\sqrt [3]{\frac{s}{\log|\chi_{1}||\chi_{2}|}})\) and \(\epsilon' = \epsilon +\sqrt[3]{\frac{\log|\chi_{1}||\chi_{2}|}{s}}\).

Similarly to extractors in the case of unconditional entropy, average-case extractors can be used on distributions that have conditional Metric (and therefore also on distributions that have conditional HILL) entropy to produce pseudorandom, rather than random, outputs. The proof is similar to [36, Lemma 5]. However, it is not known how to extract directly from conditional \(\mathtt{Metric}^*\) entropy; we first have to convert it to conditional HILL entropy using Theorem 2.9.

2.3 Deterministic Encryption

We say that an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\) is deterministic if \(\mathcal{E}\) is deterministic.

Semantic Security of DE

We recall the semantic-security style PRIV notion for DE from [4]. With encryption scheme \(\varPi= (\mathcal{K}, \mathcal{E},\mathcal {D})\), an adversary \(A = (A_0, A_1, A_2)\), and \(k \in{{\mathbb{N}}}\) we associate

(Experiments \(\mathbf{Exp}^{\mathrm{priv}\mbox{-}b}_{\varPi,A}(k)\) for \(b \in \{0,1\}\); the figure defining them is not reproduced in this extraction.)

We require that there are functions \(v = v(k)\), \(\ell = \ell(k)\) such that (1) \(|{\mathbf{x}}| = v\), (2) \(|{\mathbf{x}}[i]| = \ell\) for all \(1 \leq i \leq v\), and (3) the \({\mathbf{x}}[i]\) are all distinct with probability 1 over \(({\mathbf{x}},t) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{1}(\mathit{state})\) for any state output by \(A_0\). In particular we say A outputs vectors of size v for v as above. Define the PRIV advantage of A against Π as

$$\begin{aligned} \mathbf{Adv}^{\mathrm{priv}}_{\varPi,A}(k) = \Pr \bigl[ \mathbf {Exp}^{\mathrm{priv}\mbox{-}\mathrm{1}}_{\varPi,A}(k) = 1 \bigr] - \Pr \bigl[ \mathbf{Exp}^{\mathrm{priv}\mbox{-}\mathrm{0}}_{\varPi ,A}(k) = 1 \bigr]. \end{aligned}$$

Let \({\boldsymbol {{{\mathbb{M}}}}}\) be a class of distributions on message vectors. Define \({{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\) to be the class of adversaries \(\{A = (A_0, A_1, A_2)\}\) such that for each \(A \in {{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\) there is a \({\boldsymbol {M}} \in {\boldsymbol {{{\mathbb{M}}}}}\) for which \({\mathbf{x}}\) has distribution \({\boldsymbol {M}}\) over \(({\mathbf{x}},t) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}A_{1}(\mathit{state})\) for any state output by \(A_0\). We say that Π is PRIV secure for \({\boldsymbol {{{\mathbb{M}}}}}\) if \(\mathbf{Adv}^{\mathrm{priv}}_{\varPi,A}(\cdot)\) is negligible for any PPT \(A \in{{\mathbb{A}}}_{{\boldsymbol {{{\mathbb{M}}}}}}\). Note that (allowing non-uniform adversaries as usual) we can without loss of generality consider only those A with “empty” \(A_0\), since \(A_1\) can always be hardwired with the “best” state. However, following [6] we explicitly allow state because it greatly facilitates some proofs.

Indistinguishability of DE

Next we recall the indistinguishability-based formulation of security for DE given (independently) by [6, 11] (and which is adapted from [22]). With an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal {D})\), an adversary \(D = (D_1, D_2)\), and \(k \in{{\mathbb{N}}}\) we associate

(Experiment \(\mathbf{Exp}^{\mathrm{ind}}_{\varPi,D}(k)\); the figure defining it is not reproduced in this extraction.)

We make the analogous requirements on \(D_1\) as on \(A_1\) in the PRIV definition. Define the IND advantage of D against Π as \(\mathbf{Adv}^{\mathrm{ind}}_{\varPi,D}(k) = 2\cdot\Pr[ \mathbf{Exp}^{\mathrm{ind}}_{\varPi,D}(k) = 1 ] - 1\). Let \({\boldsymbol {{{\mathbb{M}}}}}^{*}\) be a class of pairs of distributions on message vectors. Define \({{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\) to be the class of adversaries \(\{D = (D_1, D_2)\}\) such that for each \(D \in{{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\), there is a pair of distributions \(({\boldsymbol {M}}_{0}, {\boldsymbol {M}}_{1}) \in {\boldsymbol {{{\mathbb{M}}}}}^{*}\) such that for each \(b\in\{0,1\}\) the distribution of \({\mathbf{x}}{\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}D_{1}(b)\) is \({\boldsymbol {M}}_b\). We say that Π is IND secure for \({\boldsymbol {{{\mathbb{M}}}}}^{*}\) if \(\mathbf{Adv}^{\mathrm{ind}}_{\varPi,D}(\cdot)\) is negligible for any PPT \(D \in{{\mathbb{D}}}_{{\boldsymbol {{{\mathbb{M}}}}}^{*}}\).

3 Our Tools

3.1 A Precise Definitional Equivalence for DE

While the PRIV definition is meaningful with respect to a single message distribution \({\boldsymbol {M}}\), the IND definition inherently talks of pairs of different message distributions (but see Footnote 6). Thus, in proving an equivalence between the two notions, the best we can hope to show is that PRIV security for a message distribution \({\boldsymbol {M}}\) is equivalent to IND security for some class of pairs of message distributions (depending on \({\boldsymbol {M}}\)). However, prior works [6, 11] did not provide such a statement. Instead, they showed that PRIV security on all distributions of a given entropy μ is equivalent to IND security on all pairs of distributions of slightly less entropy.

Induced Distributions

To state our result we first give some definitions relating to a notion of “induced distributions.” Let X, X′ be distributions (or random variables) on the same domain. For \(\alpha\in{{\mathbb{N}}}\), we say that X′ is an α-induced distribution of X if X′ is a conditional distribution \(X' = X|E\) for an event E such that \(\Pr[E] \geq 2^{-\alpha}\). We call E the corresponding event to X′. We require that the joint distribution (X, E) be efficiently samplable (where we view the event E as a binary random variable).

Define \(X[\alpha]\) to be the class of all α-induced distributions of X. Furthermore, let \(X_0, X_1\) be two α-induced distributions of X with corresponding events \(E_0, E_1\), respectively. Define \(X^*[\alpha] = \{(X_0, X_1)\}\) to be the class of all pairs \((X_0, X_1)\) for which there is a pair \((X'_{0}, X'_{1})\) of α-induced distributions of X such that \(X_0\) (resp. \(X_1\)) is statistically close to \(X'_{0}\) (resp. \(X'_{1}\)).

The Equivalence

We are now ready to state our result. The following theorem captures the “useful” direction that IND implies PRIV.

Theorem 3.1

Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be a deterministic encryption scheme. For any distribution \({\boldsymbol {M}}\) on message vectors, PRIV security of Π with respect to \({\boldsymbol {M}}\) is implied by IND security of Π with respect to \({\boldsymbol {M}}^*[2]\). In particular, let \(A \in{{\mathbb{A}}}_{{\boldsymbol {M}}}\) be a PRIV adversary against Π. Then there is an IND adversary \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}^{*}[2]}\) such that for all \(k \in{{\mathbb{N}}}\)

$$\begin{aligned} \mathbf{Adv}^{\mathrm{priv}}_{\varPi,A}(k) \leq& 162 \cdot \mathbf{Adv}^{\mathrm{ind}}_{\varPi,D}(k) + \biggl( \frac{3}{4} \biggr)^{k} . \end{aligned}$$

Furthermore, the running time of D is at most that of k executions of A (but only 4 executions in expectation).

The theorem essentially follows from the techniques of [6]. Thus, our contribution here is not in providing any new technical tools used in proving this result but rather in extracting it from the techniques of [6]. For completeness, we give the entire proof (incorporating simplifications due to [17] that lead to better concrete security) in Appendix A.

To establish a definitional equivalence, that is, to also show that PRIV implies IND, we need to further restrict the latter to pairs (that are statistically close to pairs) of complementary 2-induced distributions of \({\boldsymbol {M}}\) (which we did not do above for conceptual simplicity), where we call \(X_0, X_1\) complementary if \(\mathsf{E}_{1} = \overline{\mathsf{E}_{0}}\). (The idea for the proof of this equivalence, which is omitted here, is to have the constructed PRIV adversary sample according to \({\boldsymbol {M}}\) and let the partial information be whether the corresponding event for the induced complementary distributions of the given IND adversary occurred or not.)

Why Is the More Precise Equivalence Better?

This equivalence result is more precise than prior work, because it requires a weaker condition in order to show PRIV holds on a specific message distribution. Moreover, conceptually, viewing a lower-entropy distribution as a conditional (induced) version of a higher-entropy distribution is helpful in simplifying proofs. In particular, it allows us to use results about entropy of conditional distributions, which we explain next. Looking ahead, it also simplifies proofs for schemes based on one-wayness, because it is easy to argue that one-wayness is preserved on slightly induced distributions (the alternative would require us to go through an argument that distributions of lower entropy are induced by distributions of higher entropy).

3.2 Measuring Computational Entropy of Induced Distributions

We study how conditioning a distribution reduces its computational entropy. This result is used later in the work to show that randomness extractors can convert a hardcore function into a robust one; it is also applicable to leakage-resilient cryptography. Some basic definitions and results concerning computational entropy are reviewed in Sect. 2.2; in particular, we will use Metric computational entropy defined there.

It is easy to see that conditioning on an event E with probability \(P_E\) reduces (information-theoretic) min-entropy by at most \(\log 1/P_E\); indeed, this is shown in Lemma 5.5. (Note that this statement is quite intuitive: the more surprising a leakage value is, the more it decreases the entropy.) In the following lemma, we show that the same holds for the computational notion of \(\mathtt{Metric}^*\) entropy if one considers the reduction in both quantity and quality.

We actually need a slightly stronger statement in order to use Lemma 3.2 later, in the proof of Lemma 5.1: namely, we will need to make sure that the support of the indistinguishable distribution with true randomness does not increase after conditioning. We call this additional property support preservation.

Lemma 3.2

Let X,Y be discrete random variables. Then

$$\begin{aligned} H^{{\mathtt{Metric}^*}}_{\epsilon/P_Y(y), s'}(X|Y=y)\geq H^{{\mathtt {Metric}^*} }_{\epsilon, s}(X)- \log1/P_Y(y) \end{aligned}$$

where \(s' \approx s\). Furthermore, the reduction is support preserving.

The use of \(\mathtt{Metric}^*\) entropy and an improved proof allow for a simpler and tighter formulation than the results of [25, Lemma 3] and [51, Theorem 1.3] (see Appendix B for a comparison).

The proof is similar to [51]. The high level outline of the proof is: Let \(\nu= H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\).

  1. Suppose D distinguishes X|Y=y from any distribution Z of min-entropy ν−Δ with advantage ϵ′. Show that either for all Z with min-entropy ν−Δ, \(\mathop{\mathbb {E}}[D(Z)]\) is lower than \(\mathop{\mathbb{E}}[D(X|Y=y)]\) by at least ϵ′, or for all such Z, \(\mathop{\mathbb{E}}[D(Z)]\) is higher than \(\mathop{\mathbb{E}}[D(X|Y=y)]\) by at least ϵ′. Assume the former without loss of generality. This initial step allows us to remove absolute values and to find a high-entropy distribution \(Z^+\) on which \(\mathop{\mathbb{E}}[D(Z^{+})]\) is the highest.

  2. Show that there exists a distinguisher D′ that also has advantage ϵ′ but, unlike D, outputs only 0 or 1. This is done by finding a cutoff α: if D's output is above α, D′ outputs 1, and otherwise it outputs 0.

  3. Show that for every z outside the support of \(Z^+\), D′ outputs 0, and that \(Z^+\) is essentially flat. Use these two facts to show an upper bound on \(\mathop{\mathbb{E}}[D'(W)]\) for any W of min-entropy ν.

  4. Show a lower bound on \(\mathop{\mathbb{E}}[D'(X)]\) based on the performance of D′ on X|Y=y.

We now proceed with the full proof:

Proof

Let χ be the outcome space of X. For notational convenience, for random variables A, B we will write \(A \subseteq B\) if the support of A is a subset of the support of B. Likewise, we will write \(a \in A\) to say that a is in the support of A. Fix a set \(\zeta \subseteq \chi\); ζ will be used to represent the support of random variables with min-entropy. For the reduction to be support preserving, all distributions with min-entropy should have support contained in ζ.

Assume \(H^{{\mathtt{Metric}^{*}}}_{\epsilon, s}(X)\geq\nu\). Fix \(y \in Y\); let \(\epsilon' = \epsilon/P_Y(y)\) and \(s' \approx s\) be some value to be precisely determined by the end of the proof. We assume for contradiction that

$$\begin{aligned} H^{{\mathtt{Metric}^*}}_{\epsilon', s'} (X | Y =y) \geq\nu- \log1/P_Y(y) \end{aligned}$$

does not hold. By definition of \(\mathtt{Metric}^*\) entropy there exists a distinguisher \(D_{y}\in \mathcal {D}^{\mathrm {det},[0,1]} _{s'}\) such that \(\forall Z \subseteq \zeta\) with \(H_\infty(Z) \geq \nu - \log 1/P_Y(y)\) we have

$$\begin{aligned} \bigl\vert \mathop{\mathbb{E}} \bigl[D_y(X)\bigm|Y=y \bigr]-\mathop{ \mathbb{E}} \bigl[D_y(Z) \bigr] \bigr\vert > \epsilon'. \end{aligned}$$
(1)

To contradict the \(\mathtt{Metric}^*\) entropy of X, it suffices to show there exists a distinguisher \(D'_{y}\in \mathcal {D}^{\mathrm {rand},\{0,1\}} _{s}\) such that \(\forall W \subseteq \zeta\) with \(H_\infty(W) \geq \nu\),

$$\begin{aligned} \mathop{\mathbb{E}} \bigl[D'_y(X) \bigr]-\mathop{ \mathbb{E}} \bigl[D'_y(W) \bigr]=\epsilon. \end{aligned}$$

Let \(Z^- \subseteq \zeta\) and \(Z^+ \subseteq \zeta\) be distributions of min-entropy \(\nu - \log 1/P_Y(y)\) with support contained in ζ minimizing \(\mathop{\mathbb{E}}[D_{y}(Z^{-})]\) and maximizing \(\mathop {\mathbb{E}}[D_{y}(Z^{+})]\), respectively. Let \(\beta^{-} \overset{\mathrm{def}}{=} \mathop{\mathbb {E}}[D_{y}(Z^{-})], \beta ^{+}\overset{\mathrm{def}}{=}\mathop{\mathbb{E}}[D_{y}(Z^{+})]\) and \(\beta\overset{\mathrm{def}}{=} \mathop{\mathbb{E}} [D_{y}(X)|Y=y]\).

Claim 3.3

Either \(\beta^- \leq \beta^+ + \epsilon' < \beta\) or \(\beta < \beta^- - \epsilon' \leq \beta^+\).

From (1) and the fact that \(Z^+, Z^-\) have min-entropy at least \(\nu - \log 1/P_Y(y)\), it suffices to show that either \(\beta^- \leq \beta^+ < \beta\) or \(\beta < \beta^- \leq \beta^+\). Suppose this does not hold. Then \(\beta^- < \beta < \beta^+\). Then we can define a distribution \(Z \subseteq \zeta\) as a convex combination of \(Z^+, Z^-\) with \(\mathop{\mathbb{E}}[D_{y}(Z)] = \beta \). Furthermore, a distribution formed by taking a convex combination of distributions with min-entropy \(\nu - \log 1/P_Y(y)\) has min-entropy \(\nu - \log 1/P_Y(y)\) (this is easily seen by considering the maximum-probability event). Furthermore, a distribution that is a convex combination of distributions whose support is contained in ζ has support contained in ζ. This contradicts (1).

For the rest of the proof we will assume that the first case \(\beta^- \leq \beta^+ + \epsilon' < \beta\) holds.

Claim 3.4

There exists a point ρ∈[0,1] such that

$$\begin{aligned} \Pr \bigl[D_y(X|Y=y)> \rho \bigr] - \Pr \bigl[D_y \bigl(Z^+ \bigr)> \rho \bigr]> \epsilon'. \end{aligned}$$
(2)

Proof

One has that

$$\begin{aligned} \epsilon' &< \mathop{\mathbb{E}} \bigl[D_y(X|Y=y) \bigr]-\mathop{\mathbb{E}} \bigl[D_y \bigl(Z^+ \bigr) \bigr] \\ &=\int_0^1\Pr_{x\in X|Y=y} \bigl[D_y(x)>\rho \bigr]d\rho- \int_0^1 \Pr_{z\in Z^+} \bigl[D_y(z)>\rho \bigr]d\rho \\ &=\int_0^1 \Bigl(\Pr_{x\in X|Y=y} \bigl[D_y(x)>\rho \bigr] - \Pr_{z\in Z^+} \bigl[D_y(z)> \rho \bigr] \Bigr)d\rho. \end{aligned}$$

Suppose no ρ∈[0,1] satisfies (2). This means \(\forall \rho \in [0,1]\), \(\Pr[D_y(X) > \rho \mid Y=y] - \Pr[D_y(Z^+) > \rho] \leq \epsilon'\) and thus

$$\begin{aligned} \int_0^1 \Bigl(\Pr_{x\in X|Y=y} \bigl[D_y(x)>\rho \bigr] - \Pr_{z\in Z^+} \bigl[D_y(z)> \rho \bigr] \Bigr)d\rho\leq\epsilon'. \end{aligned}$$

This is a contradiction. □

Since \(D_y\) is a fixed-size circuit, it outputs values of some bounded precision. Call the ordered set of possible output values \(\Pi = \{p_1, \dots, p_j\}\). Then, let \(\alpha = \max\{p_i \mid p_i \leq \rho\}\). Thus, α is a fixed-precision number such that \(\forall p_i \in \Pi\), \(p_i > \alpha\) implies \(p_i > \rho\). This means that

$$\begin{aligned} \Pr \bigl[D_y(X|Y=y)> \alpha \bigr] - \Pr \bigl[D_y \bigl(Z^+ \bigr)> \alpha \bigr]> \epsilon'. \end{aligned}$$
(3)

We define a distinguisher \(D'_{y}\) as follows:

$$\begin{aligned} D_y'(z)= \begin{cases} 0 &D_y(z)\leq\alpha\\ 1 &D_y(z)>\alpha. \end{cases} \end{aligned}$$
(4)

The only difference in the size of \(D'_{y}\) and D y is the addition of a comparison to α, which takes up size proportional to the number of output bits of D y . Thus s, the size of \(D'_{y}\), is approximately the same as s′, the size of D y . We define the quantities

$$\begin{aligned} \beta_\alpha \overset{\mathrm{def}}{=} & \Pr \bigl[D_y(X|Y=y)>\alpha \bigr] = \mathop{\mathbb{E}} \bigl[D'_y(X |Y=y) \bigr] \\ \beta^+_\alpha \overset{\mathrm{def}}{=}& \Pr \bigl[D_y \bigl(Z^+ \bigr)>\alpha \bigr] = \mathop{\mathbb{E}} \bigl[D'_y \bigl(Z^+ \bigr) \bigr]. \end{aligned}$$

Let \(\gamma= \min_{z\in Z^{+}} D_{y}(z)\). Since \(\beta_{\alpha}- \beta ^{+}_{\alpha}\geq\epsilon'\), we know that \(\beta^{+}_{\alpha}<1\). This implies that γ<α.
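The cutoff step of Claim 3.4 and (4), carried out on concrete numbers as an added example (illustrative code written for this page, not code from the paper): a constructed four-point outcome space, a [0,1]-valued distinguisher D standing in for \(D_y\), and two distributions P and Q standing in for X|Y=y and \(Z^+\). The code evaluates the layer-cake identity \(\mathop{\mathbb{E}}[D] = \int_0^1 \Pr[D > \rho]\,d\rho\) exactly, tries the finitely many output values of D as the cutoff α (the same observation that justifies \(\alpha = \max\{p_i \mid p_i \leq \rho\}\)), and checks that the 0/1 distinguisher D′ of (4) keeps at least D's advantage. All names and data are assumptions made for this example.

```python
from fractions import Fraction as F


def expectation(dist, D):
    """E[D(X)] for X ~ dist; dist maps outcomes to probabilities, D maps outcomes to [0,1]."""
    return sum(p * D[x] for x, p in dist.items())


def tail(dist, D, rho):
    """Pr[D(X) > rho] for X ~ dist."""
    return sum(p for x, p in dist.items() if D[x] > rho)


def layer_cake(dist, D):
    """E[D(X)] = integral_0^1 Pr[D(X) > rho] d rho, evaluated exactly: the integrand is
    constant between consecutive output values of D, so the integral is a finite sum."""
    points = sorted(set(D.values()) | {F(0), F(1)})
    return sum((hi - lo) * tail(dist, D, lo) for lo, hi in zip(points, points[1:]))


def best_cutoff(P, Q, D):
    """Return (alpha, adv) with adv = Pr[D(P) > alpha] - Pr[D(Q) > alpha] maximal.
    D takes finitely many values p_1 < ... < p_j, and every rho in [p_i, p_{i+1}) gives the
    same tails as rho = p_i, so only the output values (and 0) need to be tried."""
    candidates = sorted(set(D.values()) | {F(0)})
    adv, alpha = max((tail(P, D, a) - tail(Q, D, a), a) for a in candidates)
    return alpha, adv


def threshold_distinguisher(D, alpha):
    """Eq. (4): D'(z) = 1 if D(z) > alpha, else 0; its expectation is exactly a tail probability."""
    return {z: F(1 if v > alpha else 0) for z, v in D.items()}


def demo():
    # Constructed toy data (not from the paper).
    D = {"a": F(9, 10), "b": F(6, 10), "c": F(3, 10), "d": F(0)}   # the [0,1]-valued D_y
    P = {"a": F(1, 2), "b": F(1, 4), "c": F(1, 8), "d": F(1, 8)}   # plays X|Y=y
    Q = {"a": F(1, 8), "b": F(1, 8), "c": F(1, 4), "d": F(1, 2)}   # plays Z^+
    real_adv = expectation(P, D) - expectation(Q, D)               # the eps' of Claim 3.4
    alpha, bool_adv = best_cutoff(P, Q, D)
    Dp = threshold_distinguisher(D, alpha)
    assert expectation(P, Dp) - expectation(Q, Dp) == bool_adv    # D' realises the tail gap
    assert layer_cake(P, D) == expectation(P, D)                  # identity used in the proof
    return real_adv, alpha, bool_adv


if __name__ == "__main__":
    eps, alpha, adv = demo()
    print(f"gap of D: {eps}, cutoff alpha = {alpha}, gap of thresholded D': {adv}")
```

On this data D's expectation gap is 3/8, while the cutoff α = 3/10 gives the boolean D′ a gap of 1/2; the proof of Claim 3.4 guarantees only that some cutoff does at least as well as D, and the search over output values finds the best one.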

Claim 3.5

For all \(z \in \zeta\), if \(\Pr[Z^{+}=z]\neq2^{-\nu+\log1/P_{Y}(y)}\), then \(D_y(z) \leq \gamma < \alpha\) and therefore \(D'_{y}(z) = 0\).

Proof

Recall that because \(H_\infty(Z^+) = \nu - \log 1/P_Y(y)\), for all \(z \in \zeta\) we have \(\Pr[Z^{+}= z] \le2^{-\nu+\log1/P_{Y}(y)}\). Thus, suppose, for contradiction, that there exists a \(z \in \zeta\) such that \(\Pr[Z^{+}=z]<2^{-\nu+\log1/P_{Y}(y)}\) and \(D_y(z) > \gamma\). Choose a w with \(\Pr[Z^+ = w] > 0\) such that \(D_y(w) = \gamma\). Create a distribution Z′ by starting with \(Z^+\), increasing the probability of z and decreasing the probability of w by the same amount, while keeping the min-entropy guarantee. Then we have \(\mathop{\mathbb {E}}[D_{y}(Z')]>\mathop{\mathbb{E}} [D_{y}(Z^{+})]\), which contradicts how \(Z^+\) was chosen. □

Claim 3.5 implies that

$$\begin{aligned} \beta^+_\alpha= \sum_{z\in\chi} \Pr \bigl[Z^+=z \bigr] D'_y(z) = \sum_{z\in Z^+} 2^{-\nu+ \log1/P_Y(y)} D'_y(z) = \frac{1}{P_Y(y)} 2^{-\nu} \sum_{z\in Z^+} D'_y(z). \end{aligned}$$

Claim 3.6

For all \(W \subseteq \zeta\) where \(H_\infty(W) \geq \nu\), \(\mathop{\mathbb{E}}[D'_{y}(W)]\leq\beta^{+}_{\alpha}P_{Y}(y)\).

Proof

Indeed,

$$\begin{aligned} \mathop{\mathbb{E}} \bigl[D'_y(W) \bigr] =& \sum _{z\in\zeta}\Pr[W=z] D'_y(z) \le \sum_{z\in \zeta} 2^{-\nu} D'_y(z)\\ =& 2^{-\nu}\sum_{z\in Z^+} D'_y(z) = P_Y(y)\mathop{\mathbb{E}} \bigl[D'_y \bigl(Z^+ \bigr) \bigr]. \end{aligned}$$

 □

Claim 3.7

\(\mathop{\mathbb {E}}[D'_{y}(X)]\geq\beta _{\alpha}P_{Y}(y)\).

Proof

One computes

$$\begin{aligned} \mathop{\mathbb{E}} \bigl[D_y'(X) \bigr]&= \mathop{ \mathbb{E}} \bigl[D_y'(X)|Y=y \bigr]\Pr[Y=y] + \mathop{ \mathbb{E}} \bigl[D_y'(X)|Y\neq y \bigr]\Pr[Y\neq y] \\ &\geq\mathop{\mathbb{E}} \bigl[D_y'(X)|Y=y \bigr] \Pr[Y=y] \\ &= \beta_\alpha P_Y(y). \end{aligned}$$

 □

By combining Claim 3.6, Claim 3.7, and (3) we have, for any \(Z \subseteq \zeta\) with \(H_\infty(Z) \geq \nu\):

$$\begin{aligned} \mathop{\mathbb{E}} \bigl[D'_y(X) \bigr] - \mathop{ \mathbb{E}} \bigl[D'_y(Z) \bigr] > \beta_\alpha P_Y(y) - \beta^+_\alpha P_Y(y) = \epsilon' P_Y(y) = \epsilon. \end{aligned}$$
(5)

Thus, we have successfully distinguished the distribution X from Z. This is a contradiction.  □

If we now consider averaging over all values of Y, we obtain the following simple formulation that expresses how much average entropy is left in X from the point of view of someone who knows Y. (This scenario naturally occurs in leakage-resilient cryptography, as exemplified in [25]).

Theorem 3.8

Let X,Y be discrete random variables. Then

$$\begin{aligned} H^{{\mathtt{Metric}^*}}_{\epsilon|Y|, s'}(X|Y)\geq H^{{\mathtt {Metric}^*}}_{\epsilon , s}(X) - \log|Y| \end{aligned}$$

where \(s' \approx s\) (recall that |Y| is the size of the support of Y). The reduction is support preserving, in the same sense as in Lemma 3.2.

This statement is similar to the statement for the information-theoretic case (where the reduction is only in quantity, of course) from Lemma 2.1. In Appendix B, we compare this theorem to [15, Lemma 16] and [30, Lemma 3.1].
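As an added example (not code from the paper), the information-theoretic versions of Lemma 3.2 and Theorem 3.8, together with the α-induced distributions of Sect. 3.1, checked exactly on a constructed 16-point source X with leakage Y equal to the top two bits of X: conditioning on Y = y costs at most \(\log 1/P_Y(y)\) bits of min-entropy, an event of probability at least \(2^{-1}\) costs at most one bit, and the average-case min-entropy \(\tilde H_\infty(X|Y)\) drops by at most \(\log|Y|\). The distribution, the leakage function and all function names are assumptions made for this example.

```python
import math
from fractions import Fraction as F


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps outcomes to probabilities."""
    return -math.log2(max(dist.values()))


def condition(dist, event):
    """X|E for the event E = {x : event(x)}; returns (X|E, Pr[E])."""
    p_e = sum(p for x, p in dist.items() if event(x))
    return {x: p / p_e for x, p in dist.items() if event(x)}, p_e


def avg_min_entropy(dist, leak):
    """Average-case min-entropy of X given Y = leak(X):
    H~_inf(X|Y) = -log2 sum_y max_x Pr[X = x, Y = y]."""
    best = {}
    for x, p in dist.items():
        y = leak(x)
        best[y] = max(best.get(y, 0), p)
    return -math.log2(sum(best.values()))


def conditioning_loss_ok(dist, event):
    """Exact check of H_inf(X|E) >= H_inf(X) - log2(1/Pr[E]), written without logarithms as
    max_x Pr[X = x | E] <= max_x Pr[X = x] / Pr[E] (information-theoretic form of Lemma 3.2)."""
    cond, p_e = condition(dist, event)
    return max(cond.values()) <= max(dist.values()) / p_e


def demo():
    # Constructed source (not from the paper): 16 outcomes with weights 1, 2, 4 so that
    # H_inf(X) = 3, and leakage Y = the top two bits of x, i.e. four possible values.
    weights = {x: (1 if x < 8 else 2 if x < 12 else 4) for x in range(16)}
    total = sum(weights.values())
    X = {x: F(w, total) for x, w in weights.items()}
    leak = lambda x: x >> 2
    support_Y = {leak(x) for x in X}
    results = {"H(X)": min_entropy(X)}
    for y in sorted(support_Y):
        ev = lambda x, y=y: leak(x) == y
        Xy, p_y = condition(X, ev)
        assert conditioning_loss_ok(X, ev)                   # Lemma 3.2, information-theoretic form
        results[f"H(X|Y={y})"] = min_entropy(Xy)
        results[f"bound(y={y})"] = min_entropy(X) - math.log2(1 / p_y)
    # A 1-induced distribution of X (Sect. 3.1): an event of probability >= 2^-1 costs <= 1 bit.
    induced = lambda x: x >= 8
    assert condition(X, induced)[1] >= F(1, 2) and conditioning_loss_ok(X, induced)
    # Theorem 3.8, information-theoretic form: H~_inf(X|Y) >= H_inf(X) - log2|Y|.
    results["H~(X|Y)"] = avg_min_entropy(X, leak)
    results["bound(avg)"] = min_entropy(X) - math.log2(len(support_Y))
    assert results["H~(X|Y)"] >= results["bound(avg)"] - 1e-9
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} = {value:.3f}")
```

For the heaviest leakage value y = 3 (probability 1/2) the bound is tight: the conditional min-entropy is exactly \(3 - \log_2 2 = 2\) bits, while for the rare values y = 0 and y = 1 (probability 1/8 each) the bound of 0 bits is loose and 2 bits remain.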

As discussed in Sect. 2.2, it is not known whether \(\mathtt{Metric}^*\) entropy can be extracted from directly. To extract, we must convert the conditional \(\mathtt{Metric}^*\) entropy to conditional HILL entropy. Theorem 2.5 provides such a conversion with a substantial loss in quality; thus, it should be applied only when necessary. Here we provide a “HILL-to-HILL” formulation of Lemma 3.2.

Corollary 3.9

Let X be a discrete random variable over χ and let Y be a discrete random variable. Then,

$$\begin{aligned} H^{{\mathtt{HILL}}}_{\epsilon', s'} (X | Y =y) \geq H^{{\mathtt {HILL}}}_{\epsilon, s}(X) - \log1/P_Y(y) \end{aligned}$$
(6)

where \(\epsilon' = \epsilon/P_{Y}(y)+\sqrt[3]{\frac{\log|\chi |}{s}}\), and \(s'= \varOmega(\sqrt[3]{s/\log|\chi|})\). The reduction is support preserving.

The corollary follows by combining Lemma 3.2 and Theorem C.1, which is simply the support-preserving version of Theorem 2.5, and setting \(\epsilon_{{\mathtt{HILL}}} = \sqrt [3]{\frac{\log|\chi|}{s}}\). A similar corollary is available for conditioning on average-case Y (see Corollary B.4).

3.3 A (Crooked) Leftover Hash Lemma for Correlated Distributions

The following generalization of the (Crooked) LHL to correlated input distributions will be very useful to us when considering bounded multi-message security in Sect. 6. Since our generalization of the classical LHL is a special case of our generalization of the Crooked LHL, we just state the latter here.

Lemma 3.10 (CLHL for Correlated Sources)

Let \(\mathcal{H}\colon\mathcal{K}\times D \to R\) be a 2t-wise δ-dependent function for t>0 with range R, and let \(f\colon R \to S\) be a function (we assume S contains no more than the image of f, i.e., f maps onto all of S). Let \({\mathbf{X}} = (X_1, \dots, X_t)\) where the \(X_i\) are random variables over D such that \(H_\infty(X_i) \geq \mu\) for all \(1 \leq i \leq t\) and, moreover, \(\Pr[X_i = X_j] = 0\) for all \(1 \leq i \neq j \leq t\). Then

$$\begin{aligned} \Delta \bigl( \bigl(K,f \bigl(\mathcal{H}(K,{\mathbf{X}}) \bigr) \bigr), \bigl(K,f({ \mathbf{U}}) \bigr) \bigr) \leq\frac{1}{2} \sqrt{|S|^t \bigl(t^2 2^{-\mu} + 3 \delta \bigr)} \end{aligned}$$
(7)

where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and \({\mathbf{U}} = (U_1, \dots, U_t)\) where the \(U_i\) are all uniform and independent over R (recall that functions operate on vectors \({\mathbf{X}}\) and \({\mathbf{U}}\) component-wise).

Note that the lemma implies the corresponding generalization of the classical LHL by taking \(\mathcal{H}\) to have range S and f to be the identity function. The proof of the above lemma, which extends the proof of the Crooked LHL in [11], is in Appendix D.
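An added example, not from the paper or its appendix, instantiating Lemma 3.10 at a toy scale so that both sides of (7) can be computed exactly: \(\mathcal{H}\) is the family of polynomials of degree below 4 over \(\mathbb{Z}_{13}\) (4-wise independent, hence 2t-wise independent for t = 2 with δ = 0, which the code verifies by exhaustion over all keys), the correlated source is \({\mathbf{X}} = (X_1, X_1 + 1 \bmod 13)\) with \(X_1\) uniform (so \(H_\infty(X_i) = \log_2 13\) and \(\Pr[X_1 = X_2] = 0\)), and the crooked map f is the parity of the hash value, so S = {0,1} and f(U) is not uniform. The statistical distance on the left of (7) is computed by averaging over all \(13^4\) keys and compared with the right-hand side. The prime, the hash family, the source and f are all choices made for this example.

```python
import math
from collections import Counter
from fractions import Fraction
from itertools import product

P = 13                                     # field size for D = R = Z_13 (constructed parameter)
KEYS = list(product(range(P), repeat=4))   # all 13^4 keys (a0, a1, a2, a3)


def poly_hash(key, x):
    """H(key, x) = a0 + a1*x + a2*x^2 + a3*x^3 mod P (Horner form).
    A uniformly random polynomial of degree < 4 over Z_P is a 4-wise independent family."""
    a0, a1, a2, a3 = key
    return (((a3 * x + a2) * x + a1) * x + a0) % P


def is_4wise_independent(points):
    """Exhaustive check that (H(K,p1), ..., H(K,p4)) is uniform on Z_P^4 over a uniform key K:
    every output 4-tuple must arise from exactly one key (delta = 0 in the lemma's terms)."""
    counts = Counter(tuple(poly_hash(k, x) for x in points) for k in KEYS)
    return len(counts) == P ** 4 and set(counts.values()) == {1}


def f(r):
    """The crooked post-processing f: R -> S = {0,1}; parity of r (a constructed choice)."""
    return r & 1


def correlated_source():
    """X = (X1, X2) with X1 uniform on Z_P and X2 = X1 + 1: each coordinate has min-entropy
    log2(P), the two are maximally correlated, and Pr[X1 = X2] = 0 as the lemma requires."""
    return [(x, (x + 1) % P) for x in range(P)]


def clhl_gap():
    """Left-hand side of (7) for t = 2, computed exactly as a Fraction:
    Delta((K, f(H(K,X1)), f(H(K,X2))), (K, f(U1), f(U2)))
      = average over keys k of Delta((f(H(k,X1)), f(H(k,X2))), (f(U1), f(U2)))."""
    c = Counter(f(r) for r in range(P))                        # c[s] = |{r : f(r) = s}|
    target = {(s1, s2): c[s1] * c[s2] for s1 in c for s2 in c}  # P^2 * Pr[(f(U1), f(U2)) = (s1, s2)]
    src = correlated_source()
    numer = 0                                                  # accumulates 2 * P^2 * sum_k Delta_k
    for k in KEYS:
        out = Counter((f(poly_hash(k, x1)), f(poly_hash(k, x2))) for x1, x2 in src)
        numer += sum(abs(out.get(s, 0) * P - target[s]) for s in target)   # |P*n_s - c_s1*c_s2|
    return Fraction(numer, 2 * P * P * len(KEYS))


def clhl_bound(t=2, size_S=2, mu=math.log2(P), delta=0.0):
    """Right-hand side of (7): (1/2) sqrt(|S|^t (t^2 2^-mu + 3 delta))."""
    return 0.5 * math.sqrt(size_S ** t * (t * t * 2 ** (-mu) + 3 * delta))


if __name__ == "__main__":
    print("4-wise independent on (0,1,2,3):", is_4wise_independent((0, 1, 2, 3)))
    gap, bound = clhl_gap(), clhl_bound()
    print(f"statistical distance = {float(gap):.4f}, bound = {bound:.4f}, holds: {gap <= bound}")
```

Two things the numbers make visible: the check with a repeated point, such as (0, 0, 1, 2), fails, since independence is only promised on distinct inputs (the reason the lemma demands \(\Pr[X_i = X_j] = 0\)); and the bound is only meaningful because f shrinks the range, since with f the identity the right-hand side of (7) exceeds 1 at this scale, matching Remark 3.13's point that each individual output must be short.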

Remark 3.11

Dodis and Yu [24] recently used fourwise-independent hash functions to construct nonmalleable extractors [23]. Note that when f is the identity function and t=2, then, like nonmalleable extractors, Lemma 3.10 also requires fourwise-independent hashing and gives the adversary two hash values; however, the differences between the settings are numerous.

Remark 3.12

We can further extend Lemma 3.10 to the case of average conditional min-entropy using the techniques of [20]. Such a generalization (without considering correlated sources) is similarly useful in the context of randomized encryption from lossy TDFs [48].

Remark 3.13

As pointed out in Sect. 1.2, a different generalization of CLHL was provided by [50, Theorem 4.6] subsequent to our work. The comparison is made difficult by the different notation used in the two results: the result of [50, Theorem 4.6] considers block sources, i.e., sequences of T (in their notation) random variables, where each random variable brings fresh entropy. We do not consider block sources, so there is no equivalent letter in our notation—essentially, for us T=1. Lemma 3.10 can be extended to block sources in a straightforward way, because each block brings fresh entropy (in such an extension, each \(X_i\) would be replaced by a sequence of random variables coming from a block source).

The set of random variables \(\mathcal{X}\) in the notation of [50, Theorem 4.6] is the same as the set of random variables \(\{X_1, \dots, X_t\}\) in our Lemma 3.10. Our result applies to the joint distribution \(\mathcal{H}(X_{1}), \dots , \mathcal{H}(X_{t})\) simultaneously, while the result of [50, Theorem 4.6] applies to each \(\mathcal{H}(X_{i})\) in isolation. Both results produce roughly the same total number of output bits (close to the min-entropy of \(X_i\)), which means that each of the individual outputs in our result is considerably shorter (roughly a 1/t fraction). Furthermore, our requirement on the hash function is much more restrictive: we need independence that is linear, rather than logarithmic, in the number of random variables. Intuitively, this more restrictive requirement is needed because our goal is to remove correlations among the random variables, while the goal of [50, Theorem 4.6] is to make sure the hash function is not correlated to each of the random variables.

4 Deterministic Encryption from Robust Hardcore Functions

4.1 Robust Hardcore Functions

We introduce a new notion of robustness for hardcore functions. Intuitively, robust HCFs are those that remain pseudorandom when the input is conditioned on an event that occurs with good probability. We expand on this below.

Definition 4.1

Let \(\mathcal{F}\) be a TDF generator and let hc be an HCF such that hc is hardcore for \(\mathcal{F}\) with respect to a distribution X on input vectors. For α=α(k), we say hc is α-robust for \(\mathcal{F}\) on X if hc is also hardcore for \(\mathcal{F}\) with respect to the class X[α] of α-induced distributions of X.

Discussion

Robustness is interesting even for the classical definition of hardcore bits, where hc is boolean and a single uniform input x is generated in the security experiment. Here robustness means that hc remains hardcore even when x is conditioned on an event that occurs with good probability. It is clear that not every hardcore bit in the classical sense is robust—note, for example, that while every bit of the input to RSA is well-known to be hardcore assuming RSA is one-way [2], they are not even 1-robust since we may condition on a particular bit of the input being a fixed value. It may also be interesting to explore robustness in contexts other than DE, such as leakage resilience [43] and computational randomness extraction (or key derivation) [41].

4.2 The Encrypt-with-Hardcore Scheme

The Scheme

Let \(\varPi= (\mathcal{K}, \mathcal{E}, \mathcal{D})\) be a probabilistic encryption scheme, \(\mathcal{F}\) be a TDF generator, and hc be an HCF for \(\mathcal{F}\). Assume that hc outputs binary strings of the same length as the random string r needed by \(\mathcal{E}\). Define the associated “Encrypt-with-Hardcore” deterministic encryption scheme \({\mathsf{EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}] =(\mathcal {DK},\mathcal{DE},\mathcal{DD})\) with plaintext-space PtSp={0,1}k via

(Algorithms \(\mathcal{DK}\), \(\mathcal{DE}\), \(\mathcal{DD}\) of EwHCore; the figure defining them is not reproduced in this extraction.)

Security Analysis

To gain some intuition, suppose hc is hardcore for \(\mathcal{F}\) on some distribution X on input vectors. One might think that PRIV security of \({\mathsf{EwHCore}}= {\mathsf {EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}]\) on X then follows by IND-CPA security of Π. However, this is not true. To see this, suppose hc is a “natural” hardcore function (i.e., outputs some bits of the input). Define \(\varPi' = (\mathcal{K},\mathcal{E}',\mathcal{D}')\) to be like \(\varPi= (\mathcal{K},\mathcal{E},\mathcal{D})\) except that the coins consumed by \(\mathcal{E}'\) are extended by one bit, which \(\mathcal {E}'\) outputs in the clear and \(\mathcal{D}'\) ignores. That is, define \(\mathcal{E}'(\mathit{pk},x;r\|b) = \mathcal{E}(\mathit{pk},x;r) \| b\) and \(\mathcal{D}'(\mathit{sk},y\| b) = \mathcal{D}(\mathit{sk},y)\). Then IND-CPA security of Π′ follows from that of Π, but a straightforward attack shows EwHCore is not PRIV on X. This is how our notion of robustness comes into play.

Theorem 4.2

Suppose Π is IND-CPA secure, hc is 2-robust for \(\mathcal{F}\) on a distribution M on input vectors. Then \({\mathsf{EwHCore}}[\varPi,\mathcal{F},\mathsf{hc}]\) is PRIV-secure on M.

The theorem follows from combining Theorem 3.1 with the following lemma, which shows that what does follow if hc is hardcore (but not necessarily robust) is the IND security of EwHCore.

Lemma 4.3

Suppose Π is IND-CPA, hc is hardcore for \(\mathcal {F}\) on a distribution M on input vectors, and that g is pseudorandom. Then \({\mathsf{EwHCore}}= {\mathsf{EwHCore}}[\varPi ,\mathcal{F},\mathsf{hc}]\) is IND secure on M. In particular, let \(D \in{{\mathbb{D}}}_{{\boldsymbol {M}}}\) be an IND adversary against EwHCore. Then there is an IND-CPA adversary A against Π and an adversary B against hc on M such that for all \(k\in{{\mathbb{N}}}\)

$$\begin{aligned} \mathbf{Adv}^{\mathrm{ind}}_{{\mathsf{EwHCore}},D}(k) \leq& \mathbf{Adv}^{\mathrm{ind\mbox{-}cpa}}_{\varPi,A}(k) + 2 \cdot\mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf{hc},{\boldsymbol {M}},B}(k) . \end{aligned}$$
(8)

Furthermore, the running-times of A,B are the time to run D.

Proof

Let Game \(G_1\) correspond to the IND experiment with D against EwHCore, and let Game \(G_2\) be like \(G_1\) except that the coins used to encrypt the challenge plaintext vector are truly random. For i∈{0,1} let \(B^{i} = (B^{i}_{1},B^{i}_{2})\) be the HCF adversary against hc for \(\mathcal{F}\) defined via

[Figure g (the HCF adversaries \(B^{i}\)) is not reproduced in this text.]

Then

$$\begin{aligned} \Pr \bigl[ G_1^{D} = b \bigr] =& {\Pr }\bigl[ G_1^{D} = b\bigm| b = 1 \bigr] + {\Pr }\bigl[ G_1^{D} = b\bigm| b = 0 \bigr] \\ =& {\Pr }\bigl[ G_2^{D} = b\bigm| b = 1 \bigr] + \mathbf{Adv}^{\mathrm {hcf}}_{\mathcal{F},\mathsf{hc},B^1}(k) \\ &+ \: {\Pr }\bigl[ G_2^{D} = b\bigm| b = 0 \bigr] + \mathbf{Adv}^{\mathrm {hcf}}_{\mathcal{F},\mathsf{hc},B^0}(k) \\ \leq& \Pr \bigl[ G_2^{D} = b \bigr] + 2 \cdot \mathbf{Adv}^{\mathrm{hcf}}_{\mathcal{F},\mathsf {hc},B}(k) \end{aligned}$$

where we take B to be whichever of \(B^{0},B^{1}\) has the larger advantage. Now define IND-CPA adversary A against Π via

[Figure h (the IND-CPA adversary A) is not reproduced in this text.]

Then (8) follows from taking into account the definition of the advantages of D,A. □

A subtle point worth mentioning is where in the proof we use the fact that Lemma 4.3 considers IND security of EwHCore rather than PRIV (which, as we have said, does not follow). It is in the step that uses security of the hardcore function. If we considered PRIV security, in this step the constructed HCF adversaries against \(\mathcal{F}\) would need to test whether the output of the PRIV adversary against EwHCore is equal to a “target value” representing partial information on the input to \(\mathcal {F}\), which these adversaries are not given. Indeed, this is exactly what caused complications in the original analysis of the scheme of [6], which used the PRIV notion directly.

5 Single-Message Instantiations of Encrypt-with-Hardcore

5.1 Getting Robust Hardcore Functions

Making any Large Hardcore Function Robust

We show that by applying a randomness extractor in a natural way, one can convert any large hardcore function in the standard sense to one that is robust (with some loss in parameters). However, while the conversion procedure is natural, proving that it works turns out to be nontrivial.

For a random variable A with support \(\mathcal{A}\), define the entropy discrepancy of A as \(\mathsf{disc}(A) = \log|\mathcal {A}| - \mathrm{H}_{\infty}(A) = \mathrm{H}_{0}(A)-\mathrm{H}_{\infty}(A)\). Let \(\mathcal{F}\) be a TDF generator. Let \(\mathsf{disc}_{k}(f)\) be the entropy discrepancy of the public key f, viewed as a random variable produced by \(\mathcal{F}(1^{k})\). Let X be an input distribution for f and \(\mathsf{hc}\colon\{0,1\}^{k}\to\{0,1\}^{\ell}\) be an HCF for f on X. Let \(\mathtt{ext}\colon\{0,1\}^{\ell}\times\{0,1\}^{d}\to\{0,1\}^{m}\times\{0,1\}^{d}\) be a strong average-case \((\ell-\alpha-\mathsf{disc}(f)-\mathsf{disc}(X),\epsilon_{\mathtt{ext}})\)-extractor for \(\alpha\in{{\mathbb{N}}}\) that takes time \(t_{\mathtt{ext}}\) to compute. Define a new “extractor-augmented” HCF \(\mathsf{hc}[\mathtt{ext}]\) for \(\mathcal{F}[ \mathtt {ext} ]\) as follows: \(\mathsf{hc}[\mathtt{ext}]_{s}(x)=\mathtt{ext}(\mathsf{hc}(x),s)\) for all \(x\in\{0,1\}^{k}\) and \(s\in\{0,1\}^{d}\). (Here we view ext as a keyed function with the second argument as the key.) The following characterizes the α-robustness of hc[ext].

Lemma 5.1

If hc is a sufficiently long hardcore function for \(\mathcal{F}\) on an input distribution X, then hc[ext] is a hardcore function for any input distribution X′∈X[α]. More precisely, if

$$\begin{gathered} \bigl(f, f(X),\mathsf{hc}(X) \bigr) \approx_{t,\epsilon} \bigl(f, f(X),U_\ell \bigr), \quad \textit{then} \\ \bigl(f, f \bigl(X' \bigr), \mathtt {ext} \bigl(\mathsf{hc} \bigl(X' \bigr),U_d \bigr),U_d \bigr) \approx_{t'- t_ \mathtt {ext} , 2 \epsilon' + \epsilon_ \mathtt {ext} } \bigl(f, f \bigl(X' \bigr),U_m,U_d \bigr) , \end{gathered}$$

where in both equations f is distributed according to \(\mathcal{F}(1^{k})\), and \(\epsilon' = \epsilon\cdot2^{\alpha}+\sqrt[3]{(k + \log |\mathcal{F}| + \ell)/t}\) and \(t'= \varOmega(\sqrt[3]{t/(k + \log |\mathcal{F}| +\ell)})\).

We note that in order to apply this lemma, \(\ell-\alpha-\mathsf{disc}(f)-\mathsf{disc}(X)\) must be large enough to allow for a useful extractor. Thus, the “entropy loss” is not only α (which is expected, because it is the entropy deficiency of X′), but also disc(f)+disc(X). Therefore, we need the starting hardcore function output length to be sufficiently large compared to the entropy discrepancies of both f and X. Fortunately, for typical trapdoor functions such as RSA, disc(f) is 0 because the distribution of public keys produced by the key generation method is flat. Moreover, “sufficiently long” can always be achieved if the starting hardcore function output is long enough to be used as a seed for a pseudorandom generator, since then it can be expanded to any polynomial length (here we are referring to running the hardcore function through a pseudorandom generator before applying the extractor, thus changing hc to have longer output).

Also note that when α=log(k), the security loss in the reduction is polynomial (in our application we just need α=2). We note that the conversion procedure also works when hc is hardcore on a distribution X on input vectors, but we omit this since we do not know any examples of “natural” hardcore functions that are secure on correlated inputs. (Looking ahead, in Sect. 6 we give a direct construction of such a hardcore function without needing the conversion procedure of Lemma 5.1.)

Proof

Let f be distributed according to the distribution of public keys produced by \(\mathcal{F}(1^{k})\). Slightly abusing notation, we will also denote the support of this distribution by \(\mathcal{F}\). Assume that for t,ϵ>0

$$\begin{aligned} \bigl(f, f(X),\mathsf{hc}(X) \bigr) \approx_{t,\epsilon} \bigl(f, f(X),U_\ell \bigr) . \end{aligned}$$
(9)

By definition of HILL entropy,

$$\begin{aligned} H^{{\mathtt {HILL}}}_{\epsilon, t}\bigl(f,f(X), \mathsf{hc}(X)\bigr) \ge \mathrm{H}_\infty\bigl(f,f(X), U_\ell\bigr) = \mathrm {H}_\infty(f) + \mathrm{H}_\infty(X)+\ell \end{aligned}$$

(using the fact that f is injective). Let ζ denote the set of all triples (f,y,r) such that \(f\in\mathcal{F}\), and y=f(x) for some x in the support of X. Let E be such that X′=X|E; note that \(\Pr[\mathsf{E}]=2^{-\alpha}\). Applying the “HILL-to-HILL” Corollary 3.9, we know that

$$\begin{aligned} H^{{\mathtt{HILL}}}_{\epsilon', t'} \bigl(f, f(X), \mathsf {hc}(X)\mid\mathsf{E} \bigr) \geq& H^{{\mathtt{HILL}}}_{\epsilon, t} \bigl(f, f(X), \mathsf {hc}(X) \bigr) - \alpha\\ \ge&\mathrm{H}_\infty(f) + \mathrm{H}_\infty(X)+\ell- \alpha, \end{aligned}$$

where \(\epsilon' = \epsilon\cdot2^{\alpha}+\sqrt[3]{(k + \log |\mathcal{F}| + \ell)/t}\), and \(t'= \varOmega(\sqrt[3]{t/(k + \log |\mathcal{F}|+\ell)})\). By Definition 2.3 of HILL entropy and the fact that Corollary 3.9 is support preserving, this implies that there exist random variables (A,B,C)⊆ζ such that

$$\begin{aligned} \bigl(f,f(X),\mathsf{hc}(X) \bigr)\mid\mathsf{E} \approx _{t',\epsilon'} (A,B,C) , \end{aligned}$$
(10)

and furthermore \(\mathrm{H}_\infty(A,B,C)\geq\mathrm{H}_\infty(f)+\mathrm{H}_\infty(X)+\ell-\alpha\). Because an independent random string does not help the distinguisher,

$$\begin{aligned} \bigl(f, f(X),\mathsf{hc}(X),U_d \bigr)\mid\mathsf{E} \approx_{t',\epsilon'} (A,B,C,U_d) . \end{aligned}$$

Because applying a deterministic function to the distributions can help the distinguisher by at most the time it takes to compute the function,

$$ \bigl(f, f(X), \mathtt {ext} \bigl(\mathsf{hc}(X),U_d \bigr),U_d \bigr)\mid\mathsf{E} \approx_{t' - t_ \mathtt {ext} ,\epsilon'} \bigl(A,B, \mathtt {ext} (C, U_d), U_d \bigr) . $$
(11)

We now claim that

$$ \bigl(A,B, \mathtt {ext} (C, U_d), U_d \bigr)\approx_{\epsilon_ \mathtt {ext} } (A,B,U_\ell, U_d) . $$
(12)

Indeed,

$$\begin{aligned} \tilde{\mathrm{H}}_\infty \bigl(C\mid(A,B) \bigr) \geq& \mathrm{H}_\infty(A,B,C) - \log|A| - \log|B| \\ \geq& \mathrm{H}_\infty(A,B,C) - \log|\mathcal{F}| - \log\bigl|f(X)\bigr| \\ \geq& \ell- \alpha- \mathsf{disc}(f) - \mathsf{disc}(X), \end{aligned}$$

where the first inequality uses Lemma 2.1, the second inequality follows from \(A\subseteq\mathcal{F}\) and \(B\subseteq f(X)\), and the final inequality follows from the definition of (A,B,C), the definition of disc, and the fact that f is injective. Thus, (12) follows by security of ext. Note that (10) implies that \((f,f(X))\mid\mathsf{E}\approx_{t',\epsilon'}(A,B)\), which implies

$$ (A,B,U_\ell,U_d) \approx_{t', \epsilon'} \bigl(f,f(X),U_\ell,U_d \bigr) \mid\mathsf{E} . $$
(13)

Combining (11), (12), (13) via the triangle inequality we have

$$ \bigl(f,f(X), \mathtt {ext} \bigl(\mathsf{hc}(X),U_d \bigr),U_d \bigr)\mid\mathsf{E}\approx_{t' - t_ \mathtt {ext} ,2\epsilon' + \epsilon_ \mathtt {ext} } \bigl(f,f(X),U_\ell,U_d \bigr)\mid\mathsf{E} . $$
(14)

Recalling that f is distributed independently of E and X′=X|E, we get the statement of the lemma. □

Remark 5.2

The conclusion of the lemma actually holds given a weaker hypothesis on the starting hardcore function. Namely, its output need not be indistinguishable from uniform but rather have high computational (HILL) entropy.

The above conversion procedure notwithstanding, we give specific examples of hardcore functions that are already robust without requiring the former. This is especially useful to view constructions from both one-wayness as in [6] and from lossiness as in [11] in a unified way: these constructions emanate from the fact that both “one-way hardness” and min-entropy are preserved on slightly induced distributions.

Robust Goldreich–Levin Bits for Any TDF

First, we show that the Goldreich–Levin [31] hardcore function as considered in [6] is robust. Indeed, robustness of Goldreich–Levin follows from the following simple lemma, which describes how “one-way hardness” on an input distribution is preserved on induced distributions.

Lemma 5.3

Let \(\mathcal{F}\) be a TDF generator. Let X be an input distribution and fix X′∈X[α] for \(\alpha\in{{\mathbb{N}}}\). Then for any inverter I′ against \(\mathcal{F}\) on X′ there is an inverter I against \(\mathcal{F}\) on X such that for all \(k \in{{\mathbb{N}}}\)

$$\begin{aligned} \mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},X',I'}(k) \leq& 2^{\alpha } \cdot \mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},X,I}(k) . \end{aligned}$$
(15)

Furthermore, the running-time of I is the time to run I′.

Proof

Let I′ be the inverter that simply runs I on its input, and let E be the corresponding event to X′. Let G be the event that \(\mathbf{Exp}^{\mathrm{owf}}_{\mathcal {F},{\boldsymbol {X'}},I'}(k) = 1\). Then

$$\begin{aligned} \mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}}',I'}(k) =& {\Pr }\bigl[ G\bigm| \mathsf{E} \bigr] \cdot\Pr[ \mathsf{E} ] + {\Pr }\bigl[ G\bigm| \overline{\mathsf{E}} \bigr] \cdot\Pr[ \overline{ \mathsf{E}} ] \\ \geq& {\Pr }\bigl[ G\bigm| \mathsf{E} \bigr] \cdot\Pr[ \mathsf{E} ] \\ = & \mathbf{Adv}^{\mathrm{owf}}_{\mathcal{F},{\boldsymbol {X}},I}(k) \cdot 1/2^{-\alpha} , \end{aligned}$$

from which (15) follows by rearranging terms. □

Note that when α=O(logk), the reduction incurs a polynomial loss in advantage (again, in our applications we just need α=2). As mentioned, the security of \(\mathcal{GL}^{i}\) for an input distribution X depends only on the hardness of \(\mathcal{F}\) on X. By Lemma 5.3, the hardness of \(\mathcal{F}\) on all X′∈X[α] is polynomially related to the hardness of \(\mathcal{F}\) on X. Thus, if \(\mathcal{GL}^{i}\) is hardcore for \(\mathcal {F}[\mathcal{GL}^{i}]\) on X, it is hardcore for \(\mathcal{F}[\mathcal {GL}^{i}]\) on all X′∈X[α]. This yields the following proposition.

Proposition 5.4

Let \(\mathcal{F}[\mathcal{GL}^{i}]\) be as defined above and suppose \(\mathcal{GL}^{i}\) is hardcore for \(\mathcal{F}[\mathcal{GL}^{i}]\) on single-input distribution X. Then \(\mathcal{GL}^{i}\) is O(logk)-robust for \(\mathcal{F}[\mathcal{GL}^{i}]\) on X.

Robust Bits for Any LTDF

Peikert and Waters [48] showed that LTDFs admit a simple, large hardcore function, namely a pairwise-independent hash function (the same argument applies also to universal hash functions or, more generally, randomness extractors). We show robustness of the latter based on the following simple lemma, which says that min-entropy of a given input distribution is preserved on sub-distributions induced by an event that occurs with good probability.

Lemma 5.5

Let X be a random variable with \(\mathrm{H}_\infty(X)\geq\mu\), and let X′ be a random variable where \(P_{X'}\) is an α-induced sub-distribution of \(P_{X}\). Then \(\mathrm{H}_\infty(X')\geq\mu-\alpha\).

Proof of Lemma 5.5

Suppose not, and let E be the corresponding event to X′. Then there exists an x′ such that \(P_{X'}(x')>2^{-\mu+\alpha}\). But then

$$\begin{aligned} P_X \bigl(x' \bigr) \geq& {\Pr }\bigl[ X = x'\bigm| \mathsf{E} \bigr] \cdot\Pr[ \mathsf{E} ] + {\Pr }\bigl[ X = x'\bigm| \overline{\mathsf{E}} \bigr] \cdot\Pr[ \overline{\mathsf{E}} ] \\ \geq& {\Pr }\bigl[ X = x'\bigm| \mathsf{E} \bigr] \cdot\Pr[ \mathsf{E} ] \\ \:>\: & 2^{-\mu+ \alpha} \cdot2^{-\alpha} \\ =& 2^{-\mu} \end{aligned}$$

a contradiction. □
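Lemma 5.5 and the entropy discrepancy of Sect. 5.1 checked numerically, as an added example that is not part of the paper. The distributions are constructed for the demo; conditioning on an event E with \(\Pr[\mathsf{E}]\geq 2^{-\alpha}\) gives the α-induced sub-distribution, and the exhaustive search over events shows that the bound \(\mathrm{H}_\infty(X')\geq\mathrm{H}_\infty(X)-\alpha\) is met with equality exactly when E contains a most likely outcome.

```python
"""Added example (not the paper's code): min-entropy, entropy discrepancy, and
Lemma 5.5 on small constructed distributions (dicts outcome -> probability)."""
from itertools import combinations
from math import log2


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -log2(max(dist.values()))


def max_entropy(dist):
    """H_0(X) = log2 of the support size."""
    return log2(sum(1 for p in dist.values() if p > 0))


def disc(dist):
    """Entropy discrepancy disc(X) = H_0(X) - H_inf(X); zero for flat distributions."""
    return max_entropy(dist) - min_entropy(dist)


def condition(dist, event):
    """Induced sub-distribution X' = X | E.  Returns (X', alpha) with alpha = -log2 Pr[E],
    so that X' is an alpha-induced sub-distribution of X in the lemma's sense."""
    pr_e = sum(p for x, p in dist.items() if x in event)
    if pr_e == 0:
        raise ValueError("event has probability zero")
    return {x: p / pr_e for x, p in dist.items() if x in event}, -log2(pr_e)


def lemma_5_5_holds(dist, event):
    """Check H_inf(X') >= H_inf(X) - alpha for the given event (with float tolerance)."""
    sub, alpha = condition(dist, event)
    return min_entropy(sub) >= min_entropy(dist) - alpha - 1e-9


def min_slack(dist):
    """Smallest value of H_inf(X') - (H_inf(X) - alpha) over every nonempty event E.
    Exhaustive, so only for tiny supports.  The slack equals log2(max_x P(x) / max_{x in E} P(x)),
    hence it is 0 whenever E contains a most likely outcome: the lemma is tight."""
    xs = list(dist)
    best = None
    for size in range(1, len(xs) + 1):
        for ev in combinations(xs, size):
            sub, alpha = condition(dist, set(ev))
            slack = min_entropy(sub) - (min_entropy(dist) - alpha)
            best = slack if best is None else min(best, slack)
    return best


# constructed sample distributions
UNIFORM_16 = {i: 1 / 16 for i in range(16)}                       # flat: disc = 0, H_inf = 4
SKEWED = {"a": 1 / 2, "b": 1 / 4, "c": 1 / 8, "d": 1 / 8}         # H_inf = 1, H_0 = 2, disc = 1

if __name__ == "__main__":
    sub, alpha = condition(UNIFORM_16, set(range(4)))             # Pr[E] = 1/4, alpha = 2
    print(min_entropy(UNIFORM_16), alpha, min_entropy(sub))       # 4.0 2.0 2.0 (tight)
    print(disc(SKEWED), min_slack(SKEWED))                        # 1.0 0.0
```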

By combining the Generalized Leftover Hash Lemma of [20] (i.e., for the case of average min-entropy) with the “chain rule” for average conditional min-entropy (Lemma 2.1), it follows that if \(\mathcal {F}\) is a lossy trapdoor function generator with residual leakage s, then a pairwise-independent hash function \(\mathcal{H}\colon\mathcal {K}\times\{0,1\}^{k} \to\{0,1\}^{r}\) is hardcore for \(\mathcal {F}[\mathcal{H}]\) on any single-input distribution X with min-entropy \(s+r+2\log(1/\epsilon)\) for negligible ϵ (as compared to [48, Lemma 3.4], we simply observe that the argument does not require the input to be uniform). Then, using Lemma 5.5 we have the following.

Proposition 5.6

Let \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) be an LTDF generator with residual leakage s, and let \(\mathcal{H}\colon \mathcal{K}\times\{0,1\}^{k} \to\{0,1\}^{r}\) be a pairwise-independent hash function. Then \(\mathcal{H}\) is an O(logk)-robust hardcore function for \(\mathcal{F}[\mathcal{H}]\) on any single-input distribution X with min-entropy \(s+r+2\log(1/\epsilon)\) for negligible ϵ.

5.2 Putting It Together

Equipped with the above results, we describe instantiations of the Encrypt-with-Hardcore scheme that both explain prior constructions and produce novel ones.

Using an Iterated Trapdoor Permutation

The prior trapdoor-permutation-based DE scheme of Bellare et al. [6] readily provides an instantiation of EwHCore by using an iterated trapdoor permutation as the TDF. Let \(\mathcal{F}\) be a TDP and hc be a hardcore bit for \(\mathcal{F}\). For \(i \in{{\mathbb{N}}}\) denote by \(\mathcal {F}^{i}\) the TDP that iterates \(\mathcal{F}\) i times. Define the Blum–Micali–Yao (BMY) [10, 65] hardcore function for \(\mathcal{F}^{i}\) via \(\mathcal{BMY}^{i}[\mathsf{hc}](f,x) = \mathsf{hc}(x) \| \mathsf {hc}(f(x)) \| \ldots\| \mathsf{hc}(f^{i-1}(x))\). Bellare et al. [6] used the specific choice of \(\mathsf {hc}= \mathcal{GL}\) (the GL bit) in their scheme, which is explained by the fact that the latter is robust as per Proposition 5.4 and one can show that BMY iteration expands one robust hardcore bit to many (on a non-uniform distribution, the bit should be hardcore on all “permutation distributions” of the former).

However, due to our augmentation procedure to make any large hardcore function robust, we are no longer bound to any specific choice of hc. For example, we may choose hc to be a natural bit of the input in the case that the latter is hardcore. In fact, it may often be the case that \(\mathcal{F}\) has many simultaneously hardcore natural bits, and therefore our construction will require fewer iterations of the TDP than the construction of [6].

Using a Lossy TDF

Applying Proposition 5.6, we get an instantiation of the Encrypt-with-Hardcore scheme from lossy TDFs that is an alternative to the prior scheme of Boldyreva et al. [11] and the concurrent work of Wee [63]. Our scheme requires an LTDF with residual leakage \(s\leq\mathrm{H}_\infty(X)-2\log(1/\epsilon)-r\), where r is the number of random bits needed in \(\mathcal{E}\) (or the length of a seed to a pseudorandom generator that can be used to obtain those bits). Thus the LTDF should lose a constant fraction of its input. To compare, the prior scheme of [11] encrypts under (an augmented version of) the LTDF directly and does not use the “outer” encryption scheme at all. Its analysis requires the “Crooked” LHL of Dodis and Smith [21] rather than the standard LHL but gets rid of r in the above bound, leading to a better requirement on lossiness or input entropy.

Using 2-Correlated Product TDFs

Hemenway et al. [35] show a construction of DE from a decisional 2-correlated product TDF, namely where \(\mathcal{F}\) has the property that \(f_{1}(x),f_{2}(x)\) is indistinguishable from \(f_{1}(x_{1}),f_{2}(x_{2})\) where \(x_{1},x_{2}\) are sampled independently (in both cases for two independent public instances \(f_{1},f_{2}\) of \(\mathcal{F}\)). (This property is a strengthening of the notion of security under correlated products introduced in [55].) They show such a trapdoor function is a secure DE scheme for uniform messages. To obtain an instantiation of EwHCore under the same assumption, we can use \(\mathcal{F}\) as the TDF, and an independent instance of the TDF as hc. When a randomness extractor is applied to the latter, robustness follows from Lemma 5.1, taking into account Remark 5.2.

Using any TDF with a Large HCF

Our most novel instantiations in the single-message case come from considering TDFs that have a sufficiently large HCF but are not necessarily lossy or an iterated TDP. Let us first consider instantiations on the uniform message distribution (an important special case as highlighted in [6]). It was recently shown by Freeman et al. [27] that the Niederreiter TDF [45] has linearly many (simultaneous) hardcore bits under the “Syndrome Decoding Assumption (SDA)” and “Indistinguishability Assumption (IA)” as defined in [27, Sect. 7.2], which are already needed to show the TDF is one-way. Furthermore, the RSA [54] and Paillier [47] TDPs have linearly many hardcore bits under certain computational assumptions, namely the “Small Solutions RSA (SS-RSA) Assumption” [59] and the “Bounded Computational Composite Residuosity (BCCR) Assumption” [13], respectively. Because these hardcore functions are sufficiently long, they can be made robust via Lemma 5.1 and give us a linear number of robust hardcore bits—enough to use as randomness for \(\mathcal{E}\) (expanded by a pseudorandom generator if necessary). (Here the “outer” encryption scheme can be instantiated under the same assumptions.) Thus, by Theorem 4.2, we obtain:

Corollary 5.7

Under SDA+IA for the Niederreiter TDF, DE for the uniform message distribution exists. Similarly, under SS-RSA for the RSA TDP or BCCR for the Paillier TDP, respectively, DE for the uniform message distribution exists.

In particular, the first statement provides the first DE scheme without random oracles based on the hardness of syndrome decoding. (A scheme in the random oracle model follows from [4].) Moreover, the schemes provided by the second statement are nearly as efficient as the ones obtained from lossy TDFs (since they do not use iteration), and the latter typically requires decisional assumptions (in contrast to the computational assumptions used here).

If we do not wish to rely on specific assumptions, we can also get DE from strong but general assumptions. Specifically, for general \(\mathcal{F}\), we can obtain a large enough HCF by using enough GL bits and assuming the TDF is sufficiently hard to invert (see footnote 18). If \(\mathcal{F}\) is s-hard on X then, by [31], it has an HCF on X with almost \(\log s\) bits of output. Note we can trade hardness of the TDF for greater hardness of an underlying PRG used to expand the HCF, which can be built from a one-way function without a trapdoor. For example, we can assume a TDF \(\mathcal{F}\) that is quasi-polynomially hard to invert, which yields a GL HCF with poly-logarithmic output length, and expand it via a PRG with sub-exponential hardness (which could be built assuming a sub-exponentially hard one-way function).

To obtain instantiations on message distributions of less than maximal entropy, we can use a technical lemma [26, Lemma 4] saying that every distribution with min-entropy α less than maximal can be viewed as an α-induced distribution of the uniform distribution, and take into account Remark 5.2. By Corollary 3.9, we know the HILL entropy of a HCF on such a distribution degrades in quantity by α and in quality polynomially in \(2^{\alpha}\). Thus, assuming the HCF is sufficiently long and sufficiently hard to distinguish from uniform, it can still be turned into a robust HCF using Remark 5.2. For example, if α=O(log(k)), a standard hardness assumption suffices. We thus obtain the analog of Corollary 5.7 for distributions whose min-entropy is logarithmically away from maximal under the same assumptions.

For any α=o(k), we can obtain DE for distributions of min-entropy α away from maximal by assuming sub-exponential hardness of simultaneous hardcore bits. That is, the analog of Corollary 5.7 holds under sub-exponential hardness of the assumptions.

6 Bounded Multi-message Security and Its Instantiations

6.1 The New Notion and Variations

The New Notion

The notion of q-bounded multi-message security (or just q-bounded security) for DE is quite natural, and parallels the treatment of “bounded” security in other contexts (e.g. [16]). In a nutshell, it asks for security on up to q arbitrarily correlated but high-entropy messages (where we allow the public-key size to depend on q). More formally, fix an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\). For q=q(k) and μ=μ(k), let \({{\mathbb{M}}}^{q,\mu}\) be the class of distributions on message vectors \(M^{\mu ,q} = (M^{\mu,q}_{1}, \ldots, M^{\mu,q}_{q})\) where \(\mathrm{H}_{\infty}(M^{\mu,q}_{i}) \geq\mu\) for all \(1\leq i\leq q\) and \(M^{\mu,q}_{1}, \ldots, M^{\mu,q}_{q}\) are distinct with probability 1. We say that Π is q-bounded multi-message PRIV (resp. IND) secure for μ-sources if it is PRIV (resp. IND) secure for \({{\mathbb{M}}}^{q,\mu}\). We note that Theorem 3.1 (combined with Lemma 5.5) tells us that PRIV on \({{\mathbb{M}}}^{q,\mu}\) is equivalent to IND on \({{\mathbb{M}}}^{q,\mu-2}\).

Unbounded Multi-message Security for q-Block Sources

We also consider unbounded multi-message security for what we call a q-block source, a generalization of a block-source [14] where every qth message introduces some “fresh” entropy. More formally, fix an encryption scheme \(\varPi= (\mathcal{K}, \mathcal {E},\mathcal{D})\). For q=q(k), n=n(k), and μ=μ(k), let \({{\mathbb{M}}}^{q,n,\mu}\) be the class of distributions on message vectors \(M^{q,n,\mu} = (M^{q,n,\mu}_{1}, \ldots, M^{q,n,\mu}_{qn})\) such that \(\mathrm{H}_\infty(X_{qi+j}\mid X_{1}=x_{1},\ldots,X_{qi-1}=x_{qi-1})\geq\mu\) for all \(1\leq i\leq n\), all \(0\leq j\leq q-1\), and all outcomes \(x_{1},\ldots,x_{qi-1}\) of \(X_{1},\ldots,X_{qi-1}\). We say that Π is q-bounded multi-message PRIV (resp. IND) secure for (μ,n)-block-sources if Π is PRIV (resp. IND) secure on \({{\mathbb{M}}}^{q,n,\mu}\). Using a similar argument to [11, Theorem 4.2], one can show equivalence of PRIV on \({{\mathbb{M}}}^{q,n,\mu}\) to IND on \({{\mathbb{M}}}^{q,n,\mu}\).

6.2 Our Basic Scheme

Note that we cannot trivially achieve q-bounded security by running, say, q copies of a scheme secure for one message in parallel (and encrypting the ith message under the ith public key), since this approach would lead to a stateful scheme. The main technical tool we use to achieve the notion is Lemma 3.10. Combined with Lemma 2.1, this tells us that a 2q-wise independent hash function is robust on correlated input distributions of sufficient min-entropy:

Proposition 6.1

For any q, let \({\mathsf{LTDF}}= (\mathcal{F},\mathcal{F}')\) be an LTDF generator with input length n and residual leakage s, and let \(\mathcal{H}\colon\mathcal{K}\times D \to R\) where r=log|R| be a 2q-wise independent hash function. Then \(\mathcal{H}\) is a 2-robust hardcore function for \(\mathcal{F}\) on any input distribution \(\mathbf{X}=(X_{1},\ldots,X_{q})\) such that \(\mathrm{H}_\infty(\mathbf{X})\geq q(s+r)+2\log q+2\log(1/\epsilon)-2\) for negligible ϵ.

Thus, by Theorem 4.2 we obtain a q-bounded multi-message secure DE scheme based on lossy trapdoor functions. Note that since we require

$$\begin{aligned} \bigl(\mathrm{H}_\infty(X) - 2 \log q - \log (1/\epsilon)\bigr)/q - r \geq s \end{aligned}$$

(where r is the number of random bits needed in \(\mathcal{E}\), or the length of a seed to a pseudorandom generator that can be used to obtain those bits) the lossy trapdoor function must lose a 1−O(1/q) fraction of its input. The DDH-based construction of Peikert and Waters [48], the Paillier-based one of [11, 27], and the one from d-linear of [27] can all satisfy this requirement for any polynomial q.

6.3 Our Optimized Scheme

We show that by extending some ideas of [11], we obtain a more efficient DE scheme meeting q-bounded security that achieves better parameters.

Intuition and Preliminaries

Intuitively, for the optimized scheme we modify the scheme of [11] to first pre-process an input message using a 2q-wise independent permutation (instead of pairwise as in [11]). However, there are two issues to deal with here. First, for q>1 such a permutation is not known to exist (in an explicit and efficiently computable sense). Second, Lemma 3.10 applies to t-wise independent functions rather than permutations. (In the case t=2 as considered in [11] the difference turns out to be immaterial.)

To solve the first problem, we turn to 2q-wise “δ-dependent” permutations (as constructed in e.g. [38]). Namely, say that a collection of permutations over D keyed by \(\mathcal{K}\), \(H \colon\mathcal{K}\times D \to D\), is t-wise δ-dependent if for all distinct \(x_{1},\ldots,x_{t}\in D\)

$$\begin{aligned} \Delta \bigl( \bigl(H(K, x_1),\ldots, H(K, x_t) \bigr), (P_1,\ldots, P_t) \bigr) \leq\delta, \end{aligned}$$

where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and \(P_{1},\ldots,P_{t}\) are defined iteratively by taking \(P_{1}\) to be uniform on D and, for all \(2\leq i\leq t\), taking \(P_{i}\) to be uniform on \(R\setminus\{p_{1},\ldots,p_{i-1}\}\) where \(p_{1},\ldots,p_{i-1}\) are the outcomes of \(P_{1},\ldots,P_{i-1}\), respectively.

To solve the second problem, we use the following lemma, which says that a t-wise δ-dependent permutation is a t-wise δ′-dependent function where δ′ is a bit bigger than δ.

Lemma 6.2

Suppose \(H \colon\mathcal{K}\times D \to D\) is a t-wise δ-dependent permutation for some t≥1. Then \(\mathcal{H}\) is a t-wise δ′-dependent function for \(\delta'=\delta+t^{2}/|D|\).

The proof uses the fact that the distribution of \((P_{1},\ldots,P_{t})\) equals the distribution of \((U_{1},\ldots,U_{t})\mid\mathsf{DIST}\) where DIST is the event that \(U_{1},\ldots,U_{t}\) are all distinct, and then applies a union bound. It will be useful to now restate Lemma 3.10 in terms of δ-dependent permutations, which follows by combining Lemma 3.10 and Lemma 6.2, and observing that \(1/|D|\leq 2^{-\mu}\).

Lemma 6.3

(CLHL for Correlated Sources with Permutations)

Let \(\mathcal{H}\colon\mathcal{K}\times D \to D\) be a δ-dependent 2t-wise permutation for some t>0 with range R, where \(\delta=t^{2}2^{-\mu}\). Let \(f\colon R\to S\) be a function (we assume S contains no more than the image of f, i.e., f maps onto all of S). Let \(\mathbf{X}=(X_{1},\ldots,X_{t})\) where the \(X_{i}\) are random variables over D such that \(\mathrm{H}_\infty(X_{i})\geq\mu\) for all \(1\leq i\leq n\) and, moreover, \(\Pr[X_{i}=X_{j}]=0\) for all \(1\leq i\neq j\leq t\). Then

$$\begin{aligned} \Delta \bigl( \bigl(K,f \bigl(\mathcal{H}(K,{\mathbf{X}}) \bigr) \bigr), \bigl(K,f({ \mathbf{U}}) \bigr) \bigr) \leq2 \sqrt{ |S|^t t^2 2^{-\mu}} \end{aligned}$$
(16)

where \(K {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{K}\) and \(\mathbf{U}=(U_{1},\ldots,U_{t})\) where the \(U_{i}\) are all uniform and independent over D (recall that functions operate on vectors component-wise).

It is interesting to note here that the bound in Equation (16) is essentially as good as the one in Equation (7) with δ=0 (just a factor of 4 worse). At first one might not expect this to be the case. Indeed, when the classical LHL is extended to “imperfect” hash functions [19, 58], the error probability must be taken much smaller than 1/|R|, where R is the range of the hash function. But in Lemma 3.10 we have \(\delta=t^{2}/2^{\mu}\geq t^{2}/|D|\), which is large compared to 1/|D| (where D is the range of the hash function in our case, as it is a permutation). The reason we can tolerate this is that it is enough for \(t^{2}/|D|\) to be much smaller than 1/|S| (where S is the image of f), which is indeed the case in applications. In other words, the Crooked LHL turns out to be more tolerant than the classical one in this respect.

The Construction

We now detail our construction. Let \({\mathsf{LTDF}}= (\mathcal{F}, \mathcal{F}')\) be an LTDF and let \(\mathcal{P}\colon\mathcal{K}\times\{0,1\}^{k} \to\{0,1\}^{k}\) be an efficiently invertible family of permutations on k bits. Define the associated deterministic encryption scheme \(\varPi[{\mathsf{LTDF}},\mathcal{P}] = (\mathcal{DK}, \mathcal {DE},\mathcal{DD})\) with plaintext-space \(\mathsf{PtSp}=\{0,1\}^{k}\) via

[Figure i (the algorithms \(\mathcal{DK}\), \(\mathcal{DE}\), \(\mathcal{DD}\) of \(\varPi[{\mathsf{LTDF}},\mathcal{P}]\)) is not reproduced in this text.]

We have the following result.

Theorem 6.4

Suppose LTDF is a lossy trapdoor function on \(\{0,1\}^{n}\) with residual leakage s, and let q,ϵ>0. Suppose \(\mathcal {P}\) is a 2q-wise δ-dependent permutation on \(\{0,1\}^{n}\) for \(\delta=q^{2}/2^{n}\). Then for any q-message IND adversary \(B \in {{\mathbb{D}}}_{{{\mathbb{M}}}^{q,\mu}}\) with min-entropy \(\mu\geq qs+2\log q+2\log(1/\epsilon)+2\), there is an LTDF distinguisher D such that for all \(k \in{{\mathbb{N}}}\),

$$\begin{aligned} \mathbf{Adv}^{\mathrm{ind}}_{\varPi[{\mathsf{LTDF}},\mathcal {P}],B}(k) \leq& \mathbf{Adv}^{\mathrm{ltdf}}_{{\mathsf{LTDF}},D}(k) + \epsilon. \end{aligned}$$

Furthermore, the running-time of D is the time to run B.

Proof

The first step in the proof is to switch the HCF experiment to execute not \((f,f^{-1}) {\:\stackrel {\scriptscriptstyle \hspace {0.2em}\$}{\leftarrow }\:}\mathcal{F}(1^{k})\) but \(f' \gets\mathcal {F}'(1^{k})\). We can conclude by applying Lemma 6.3 with t=q and \(\mathcal{H}= \mathcal{P}\). □

An efficiently invertible 2q-wise δ-dependent permutation on \(\{0,1\}^{n}\) for \(\delta=t^{2}/2^{n}\) can be obtained from [38] using key length \(nt+\log(1/\delta)=n(t+1)-2\log t\).

Now, combining Theorem 6.4 with Theorem 3.1 and Lemma 5.5 (extended to message vectors rather than single-input distributions) gives us bounded multi-message PRIV (rather than IND) security for any distribution on message vectors of size q with sufficient entropy. We make explicit the following corollary.

Corollary 6.5

Suppose LTDF is a lossy trapdoor function on \(\{0,1\}^{n}\) with residual leakage s. Then we obtain a q-bounded multi-message PRIV secure DE scheme for the class of distributions on \(\{0,1\}^{n}\) with min-entropy \(\mu\geq qs+2\log q+2\log(1/\epsilon)+4\) for negligible ϵ.

Comparing to Proposition 6.1, we see that we have dropped the r in the entropy bound (indeed, there is no hardcore function here). This translates to savings on the input entropy or lossiness requirement on the trapdoor function. Namely, while we still need to lose a 1−O(1/q) fraction of the input, we get rid of the factor 2 on q. We also note that we can prove that the optimized scheme meets our notion of unbounded multi-message PRIV security on q-block sources of the same entropy directly by using our precise definitional equivalence, as follows. First, its IND security on q-block sources follows by extending Lemma 3.10 to q-block sources by a hybrid argument as in the case of the original LHL [66]. Then, its PRIV security on q-block sources (of 2 bits greater entropy) follows by Theorem 3.1 after extending Lemma 5.5 to show that a 2-induced distribution of a q-block source with min-entropy μ is a q-block source with min-entropy μ−2.