Pseudoentropy: Lower-Bounds for Chain Rules and Transformations

  • Krzysztof PietrzakEmail author
  • Maciej Skórski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9985)


Computational notions of entropy have recently found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The two main types of results which make computational notions so useful are (1) Chain rules, which quantify by how much the computational entropy of a variable decreases if conditioned on some other variable (2) Transformations, which quantify to which extend one type of entropy implies another.

Such chain rules and transformations typically lose a significant amount in quality of the entropy, and are the reason why applying these results one gets rather weak quantitative security bounds. In this paper we for the first time prove lower bounds in this context, showing that existing results for transformations are, unfortunately, basically optimal for non-adaptive black-box reductions (and it’s hard to imagine how non black-box reductions or adaptivity could be useful here.)

A variable X has k bits of HILL entropy of quality \((\epsilon ,s)\) if there exists a variable Y with k bits min-entropy which cannot be distinguished from X with advantage \(\epsilon \) by distinguishing circuits of size s. A weaker notion is Metric entropy, where we switch quantifiers, and only require that for every distinguisher of size s, such a Y exists.

We first describe our result concerning transformations. By definition, HILL implies Metric without any loss in quality. Metric entropy often comes up in applications, but must be transformed to HILL for meaningful security guarantees. The best known result states that if a variable X has k bits of Metric entropy of quality \((\epsilon ,s)\), then it has k bits of HILL with quality \((2\epsilon ,s\cdot \epsilon ^2)\). We show that this loss of a factor \({\varOmega }(\epsilon ^{-2})\) in circuit size is necessary. In fact, we show the stronger result that this loss is already necessary when transforming so called deterministic real valued Metric entropy to randomised boolean Metric (both these variants of Metric entropy are implied by HILL without loss in quality).

The chain rule for HILL entropy states that if X has k bits of HILL entropy of quality \((\epsilon ,s)\), then for any variable Z of length m, X conditioned on Z has \(k-m\) bits of HILL entropy with quality \((\epsilon ,s\cdot \epsilon ^2/ 2^{m})\). We show that a loss of \({\varOmega }(2^m/\epsilon )\) in circuit size necessary here. Note that this still leaves a gap of \(\epsilon \) between the known bound and our lower bound.


Chain Rule Differential Privacy Auxiliary Input Circuit Size Oracle Query 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Baker, T., Gill, J., Solovay, R.: Relativizations of the p=?np question. SIAM J. Comput. 4(4), 431–442 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001Google Scholar
  3. 3.
    Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: 11th International Conference on Random Structures and Algorithms, pp. 200–215 (2003)Google Scholar
  4. 4.
    Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: 49th FOCS, pp. 293–302. IEEE Computer Society Press, October 2008Google Scholar
  7. 7.
    Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Fuller, B., Reyzin, L.: Computational entropy and information leakage. Cryptology ePrint Archive, report 2012/466 (2012).
  9. 9.
    Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press, June 2011Google Scholar
  10. 10.
    Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Schulman, L.J. (ed.) 42nd ACM STOC, pp. 437–446. ACM Press, June 2010Google Scholar
  12. 12.
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Holenstein, T.: Pseudorandom generators from one-way functions: a simple construction for any hardness. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 443–461. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Holenstein, T., Sinha, M.: Constructing a pseudorandom generator requires an almost linear number of calls. In: 53rd FOCS, pp. 698–707. IEEE Computer Society Press, October 2012Google Scholar
  15. 15.
    Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)Google Scholar
  17. 17.
    Jetchev, D., Pietrzak, K.: How to fake auxiliary input. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 566–590. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  18. 18.
    Krenn, S., Pietrzak, K., Wadia, A.: A counterexample to the chain rule for conditional HILL entropy. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 23–39. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  19. 19.
    Lu, C.-J., Tsai, S.-C., Wu, H.-L.: On the complexity of hard-core set constructions. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 183–194. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Pietrzak, K., Skórski, M.: The chain rule for HILL pseudoentropy, revisited. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LatinCrypt 2015. LNCS, vol. 9230, pp. 81–98. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  22. 22.
    Reingold, O., Trevisan, L., Tulsiani, M., Vadhan, S.P.: Dense subsets of pseudorandom sets. In: 49th FOCS, pp. 76–85. IEEE Computer Society Press, October 2008Google Scholar
  23. 23.
    Reyzin, L.: Some notions of entropy for cryptography. In: Fehr, S. (ed.) ICITS 2011. LNCS, vol. 6673, pp. 138–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Simon, D.R.: Findings collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  25. 25.
    Skorski, M.: Metric pseudoentropy: characterizations, transformations and applications. In: Lehmann, A., Wolf, S. (eds.) Information Theoretic Security. LNCS, vol. 9063, pp. 105–122. Springer, Heidelberg (2015)Google Scholar
  26. 26.
    Skorski, M.: A better chain rule for hill pseudoentropy - beyond bounded leakage. In: Information Theoretic Security - 9th International Conference, ICITS 2016 (2016)Google Scholar
  27. 27.
    Skorski, M.: Simulating auxiliary information, revisited. In: TCC 2016-B (2016)Google Scholar
  28. 28.
    Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 817–836. ACM Press, May 2012Google Scholar
  29. 29.
    Vadhan, S., Zheng, C.J.: A uniform min-max theorem with applications in cryptography. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 93–110. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  30. 30.
    Watson, T.: Advice lower bounds for the dense model theorem. TOCT 7(1), 1 (2014)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Zhang, J.: On the query complexity for showing dense model. Electron. Colloquium Comput. Complexity (ECCC) 18, 38 (2011)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.IST AustriaKlosterneuburgAustria
  2. 2.University of WarsawWarsawPoland

Personalised recommendations