Provable Security II - Yu Yuyuyu.hk/files/slide2.pdf · Security definition via...
Transcript of Provable Security II - Yu Yuyuyu.hk/files/slide2.pdf · Security definition via...
Provable Security II
Security definition via indistinguishability experiment
• Encryption scheme: Π=(Gen,Enc,Dec)
• The adversarial indistinguishability experiment: PrivKeav
• Security game between adversary A=(A1,D) and challenger C
• Adversary’s advantage:
Statistical Security
The two definitions about statistical security
• (1) for every A:
• (2) for every D:
The one-time pad (OTP) is perfectly secure
Statistical Distance
Statistical distance: the upper bound of distinguishing advantage
More about statistical distance
Statistical security for one-time pad
Unpredictability and min-entropy
(Conditional) unpredictability and min-entropy
High min-entropy ≠ (Any form of) Security
• Then what?
Using randomness extractor Ext s.t. Ext(K) is statistical random!
Randomness extractors
• First attempt: an (𝑛, 𝑘,𝑚, 𝜀)-randomness extractor is a function Ext: {0,1}𝑛→ {0,1}𝑚 that for every r.v. of length n and min-entropy at least k we have SD(Ext(X),𝑈𝑚)≤ 𝜀
• Unfortunately, deterministic is impossible even for k=n-1, m=1
• Definition: an (𝑛, 𝑘,𝑚, 𝑑, 𝜀)-randomness extractor is a function Ext: {0,1}𝑛× {0,1}𝑑→ {0,1}𝑚 that for every r.v. of length n and min-entropy at least k we have SD( Ext(X,𝑈𝑑), 𝑈𝑑 , 𝑈𝑚+𝑑 )≤ 𝜀
ExtX Almost uniform randomness
X Almost uniform randomnessExt
𝑈𝑑 𝑈𝑑
Seed length: dEntropy loss: k-m
Universal Hash Functions and Leftover Hash Lemma
Universal Hash Functions and Leftover Hash Lemma
Universal Hash Functions and Leftover Hash Lemma (cont’d)
• Informally, universal hash H is an 𝑙, 𝑘, 𝑘 − 𝑑, log 𝐻 , 2−𝑑
2−1 -extractor
Extending the LHL to the conditional case
Privacy Amplification: an application of LHL
Some exercises
more exercises
Advanced readings
• Non-malleable extractors
• Leftover hash lemma, revisited.