Overcoming Weak Expectations via the R\(\acute{e}\)nyi Entropy and the Expanded Computational Entropy

Abstract

In the ideal world, cryptographic models take for granted that the secret sources (e.g. secret keys and other secret randomness) are derived from uniform distribution. However, in reality, we may only obtain some ‘weak’ random sources guaranteed with high unpredictability (e.g. biometric data, physical sources, and secrets with partial leakage). Formally, the security of cryptographic models is measured by the expectation of some function, called ‘perfect’ expectation in the ideal model and ‘weak’ expectation in the real model respectively. We propose some elementary inequalities which show that the ‘weak’ expectation is not much worse than the ‘perfect’ expectation. Instead of discussing the results based on the min-entropy and collision entropy by Dodis and Yu [TCC 2013], we present how to overcome weak expectations dependent on the R\(\acute{e}\)nyi entropy and the expanded computational entropy. We achieve these results via employing the discrete form of the H\(\ddot{o}\)lder inequality. We also use some techniques to guarantee that the expanded computational entropy is useful in the security model. Thus our results are more general, and we also obtain some results from a computational perspective. The results apply to all ‘unpredictability’ applications and some indistinguishability applications including CPA-secure symmetric-key encryption schemes, weak Pseudorandom Functions and Weaker Computational Extractors.

Appendices

A Definitions

Definition 1

(see [13]) We say that an indistinguishability application \(P\) is \(((T', T, \gamma )\)-simulatable, if for any secret key \(r\) and any legal, \(T\)-bounded attacker \(\mathsf A \), there exists a (possibly illegal!) \(T'-\)bounded attacker \(\mathsf B \) (for some \(T' \ge T\)) such that:

1. (1)

    The execution between \(\mathsf B \) and ‘real’ \(\mathsf C (r)\) defines two independent executions between a copy \(\mathsf A _i\) of \(\mathsf A \) and a ‘simulated’ challenger \(\mathsf C _i(r)\) , for \(i = 1, 2\). In particular, except reusing the same \(r\), \(\mathsf A _1\), \(\mathsf C _1(r)\), \(\mathsf A _2\), \(\mathsf C _2(r)\) use fresh and independent randomness, including independent challenge bits \(b_1\) and \(b_2\).

2. (2)

    The challenge \(b\) used by ‘real’ \(\mathsf C (r)\) is equal to the challenge \(b_2\) used by ‘simulated’ \(\mathsf C _2\).

3. (3)

    Before making its guess \(b'\) of the challenge bit \(b\), \(B\) learns the values \(b_1\), \(b'_1\) and \(b'_2\).

4. (4)

    The probability of \(\mathsf B \) violating the failure predicate \(F\) is at most \(\gamma \).

Definition 2

We say that an indistinguishability application \(P\) is \(((T', s'), (T, s), \gamma )-\)simulatable, if for any secret key \(r\) and any legal, \(T\)-bounded attacker \(\mathsf A \) with the advantage circuit size \(s\), there exists a (possibly illegal!) \(T'-\)bounded attacker \(\mathsf B \) (for some \(T' \ge T\)) with the advantage circuit size \(s'\) such that it satisfies items (1)-(4) of Definition 1.

Remark

The definition here is essentially equivalent to Definition 1, as the definition here is obtained via adding the parameters \(s\) and \(s'\) to Definition 1.

B Proof

Proof

Since \(1 < \beta < 2\), we have \(\frac{2}{\beta } > 1\). From the H\(\ddot{o}\)lder inequality, we have

$$\begin{aligned} \sum \limits _{r \in \{0, 1\}^m}[|f(r)^\beta | \cdot 1]&\le [\sum \limits _{r \in \{0, 1\}^m} |f(r)^\beta |^{\frac{2}{\beta }}]^{\frac{\beta }{2}} \cdot (\sum \limits _{r \in \{0, 1\}^m}1)^{1-\frac{\beta }{2}}\\&=[\sum \limits _{r \in \{0, 1\}^m}|f(r)|^2]^{\frac{\beta }{2}} \cdot 2^{m \cdot (1-\frac{\beta }{2})}.\\ \end{aligned}$$

Therefore,

$$\begin{aligned}&\mathbb {E}[|f(U_m)|^\beta ] = \frac{1}{2^m} \sum \limits _{r \in \{0, 1\}^m}|f(r)^\beta | \\&\le (2^m)^{\frac{\beta }{2}} \cdot [\frac{1}{2^m} \cdot \sum \limits _{r \in \{0, 1\}^m}|f(r)|^2]^{\frac{\beta }{2}} \cdot 2^{m \cdot (-\frac{\beta }{2})}\\&= \{ \mathbb {E}[|f(U_m)|^2]\}^{\frac{\beta }{2}}. \\ \end{aligned}$$