A Counterexample to the Chain Rule for Conditional HILL Entropy

And What Deniable Encryption Has to Do with It
  • Stephan Krenn
  • Krzysztof Pietrzak
  • Akshay Wadia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7785)


A chain rule for an entropy notion H(·) states that the entropy H(X) of a variable X decreases by at most ℓ if conditioned on an ℓ-bit string A, i.e., H(X|A) ≥ H(X) − ℓ. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A) ≥ H(X|Y) − ℓ.

All natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by ℓ, but also the quality of the entropy decreases exponentially in ℓ. However, for the standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far.

In this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions X,Y,A, where A is a distribution over a single bit, but HHILL(X|Y)≫ HHILL(X|Y,A), even if we simultaneously allow for a massive degradation in the quality of the entropy.

The idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption.


Computational entropy HILL entropy Conditional chain rule 


  1. 1.
    Barak, B., Shaltiel, R., Wigderson, A.: Computational Analogues of Entropy. In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003)Google Scholar
  2. 2.
    Bendlin, R., Nielsen, J.B., Nordholt, P.S., Orlandi, C.: Lower and Upper Bounds for Deniable Public-Key Encryption. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 125–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable Encryption. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  4. 4.
    Chung, K.-M., Kalai, Y.T., Liu, F.-H., Raz, R.: Memory Delegation. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 151–168. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. SIAM Journal on Computing 38(1), 97–139 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Dürmuth, M., Freeman, D.M.: Deniable Encryption with Negligible Detection Probability: An Interactive Construction. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 610–626. Springer, Heidelberg (2011), Full version including a description of the flaw available at Scholar
  7. 7.
    Dziembowski, S., Pietrzak, K.: Leakage-Resilient Cryptography. In: FOCS 2008, pp. 293–302. IEEE Computer Society (2008)Google Scholar
  8. 8.
    Fuller, B., O’Neill, A., Reyzin, L.: A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Fuller, B., Reyzin, L.: Computational Entropy and Information Leakage. Cryptology ePrint Archive, Report 2012/466 (2012),
  10. 10.
    Gentry, C., Wichs, D.: Separating Succinct Non-Interactive Arguments from All Falsifiable Assumptions. In: STOC 2011, pp. 99–108 (2011)Google Scholar
  11. 11.
    Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, New York (2000)zbMATHGoogle Scholar
  12. 12.
    Goldreich, O., Levin, L.A.: A Hard-Core Predicate for all One-Way Functions. In: Johnson, D.S. (ed.) STOC 1989, pp. 25–32. ACM (1989)Google Scholar
  13. 13.
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing 28(4), 1364–1396 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Reingold, O., Trevisan, L., Tulsiani, M., Vadhan, S.P.: Dense Subsets of Pseudorandom Sets. In: FOCS 2008, pp. 76–85. IEEE Computer Society (2008)Google Scholar
  16. 16.
    Reyzin, L.: Some Notions of Entropy for Cryptography. In: Fehr, S. (ed.) ICITS 2011. LNCS, vol. 6673, pp. 138–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge Press (2009)Google Scholar
  18. 18.
    Trevisan, L.: Cryptography. Lecture Notes from CS 276 (2009)Google Scholar
  19. 19.
    Wee, H.M.: One-Way Permutations, Interactive Hashing and Statistically Hiding Commitments. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 419–433. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Yao, A.C.: Theory and Applications of Trapdoor Functions (Extended Abstract). In: FOCS 1982, pp. 80–91. IEEE Computer Society (1982)Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Stephan Krenn
    • 1
  • Krzysztof Pietrzak
    • 2
  • Akshay Wadia
    • 3
  1. 1.IBM Research - ZurichRüschlikonSwitzerland
  2. 2.Institute of Science and Technology AustriaAustria
  3. 3.University of CaliforniaLos AngelesUSA

Personalised recommendations