The Leakage-Resilience Limit of a Computational Problem Is Equal to Its Unpredictability Entropy

  • Divesh Aggarwal
  • Ueli Maurer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


A cryptographic assumption is the (unproven) mathematical statement that a certain computational problem (e.g. factoring integers) is computationally hard. The leakage-resilience limit of a cryptographic assumption, and hence of a computational search problem, is the maximal number of bits of information that can be leaked (adaptively) about an instance without making the problem easy to solve. This implies security of the underlying scheme against arbitrary side-channel attacks by a computationally unbounded adversary, as long as the number of leaked bits of information is less than the leakage-resilience limit.

The hardness of a computational problem is typically characterized by the running time of the fastest (known) algorithm for solving it. We propose to consider, as another natural complexity-theoretic quantity, the success probability of the best polynomial-time algorithm (which can be exponentially small). We refer to its negative logarithm as the unpredictability entropy of the problem (which is defined up to an additive logarithmic term).

A main result of the paper is that the leakage-resilience limit and the unpredictability entropy are equal. This demonstrates, for the first time, the practical relevance of studying polynomial-time algorithms even for problems believed to be hard, and even if the success probability is too small to be of practical interest. With this view, we look at the best probabilistic polynomial-time algorithms for the learning-with-errors and lattice problems that have in recent years gained relevance in cryptography.

We also introduce the concept of witness compression for computational problems, namely the reduction of a problem to another problem for which the witnesses are shorter. The length of the smallest achievable witness for a problem also corresponds to the non-adaptive leakage-resilience limit, and it is also shown to be equal to the unpredictability entropy of the problem. The witness compression concept is also of independent theoretical interest. An example of an implication of our result is that 3-SAT for n variables can be witness compressed from n bits (the variable assignments) to 0.41 n bits.
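As an added illustration that is not part of the abstract, the 3-SAT figure can be read directly off the definition of unpredictability entropy. The best known probabilistic polynomial-time procedure for 3-SAT, Schöning's random-walk algorithm, finds a satisfying assignment of a satisfiable 3-CNF formula over $n$ variables with probability at least $(3/4)^n$ up to polynomial factors (that this is the algorithm behind the stated constant is an assumption; the abstract itself does not say which algorithm it uses). Taking the negative logarithm of that success probability gives

$$
H_{\mathrm{unp}}(\text{3-SAT}_n) \;\le\; -\log_2\!\big((3/4)^n\big) + O(\log n)
\;=\; n\log_2\!\tfrac{4}{3} + O(\log n)
\;\approx\; 0.415\,n ,
$$

and since the unpredictability entropy equals the non-adaptive leakage-resilience limit and the length of the shortest achievable witness, a witness of about $0.41\,n$ bits suffices in place of the $n$-bit assignment. The same computation, $-\log_2 p$ for the success probability $p$ of the best polynomial-time algorithm, gives the bound for any search problem; the additive $O(\log n)$ term is the "logarithmic term" mentioned in the definition.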





Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Divesh Aggarwal (1)
  • Ueli Maurer (1)
  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland
