Theory of Cryptography pp 23-39
A Counterexample to the Chain Rule for Conditional HILL Entropy
- Cite this paper as:
- Krenn S., Pietrzak K., Wadia A. (2013) A Counterexample to the Chain Rule for Conditional HILL Entropy. In: Sahai A. (eds) Theory of Cryptography. Lecture Notes in Computer Science, vol 7785. Springer, Berlin, Heidelberg
A chain rule for an entropy notion H(·) states that the entropy H(X) of a variable X decreases by at most ℓ if conditioned on an ℓ-bit string A, i.e., H(X|A) ≥ H(X) − ℓ. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A) ≥ H(X|Y) − ℓ.
All natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by ℓ, but also the quality of the entropy decreases exponentially in ℓ. However, for the standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far.
In this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions X,Y,A, where A is a distribution over a single bit, but HHILL(X|Y)≫ HHILL(X|Y,A), even if we simultaneously allow for a massive degradation in the quality of the entropy.
The idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption.