Provable Security II

Security definition via indistinguishability experiment

• Encryption scheme: Π=(Gen,Enc,Dec)

• The adversarial indistinguishability experiment: PrivKeav

• Security game between adversary A=(A1,D) and challenger C

• Adversary’s advantage:

Statistical Security

The two definitions about statistical security

• (1) for every A:

• (2) for every D:

The one-time pad (OTP) is perfectly secure

Statistical Distance

Statistical distance: the upper bound of distinguishing advantage

More about statistical distance

Statistical security for one-time pad

Unpredictability and min-entropy

(Conditional) unpredictability and min-entropy

High min-entropy ≠ (Any form of) Security

• Then what?

Using randomness extractor Ext s.t. Ext(K) is statistical random!

Randomness extractors

• First attempt: an (𝑛, 𝑘,𝑚, 𝜀)-randomness extractor is a function Ext: {0,1}𝑛→ {0,1}𝑚 that for every r.v. of length n and min-entropy at least k we have SD(Ext(X),𝑈𝑚)≤ 𝜀

• Unfortunately, deterministic is impossible even for k=n-1, m=1

• Definition: an (𝑛, 𝑘,𝑚, 𝑑, 𝜀)-randomness extractor is a function Ext: {0,1}𝑛× {0,1}𝑑→ {0,1}𝑚 that for every r.v. of length n and min-entropy at least k we have SD( Ext(X,𝑈𝑑), 𝑈𝑑 , 𝑈𝑚+𝑑 )≤ 𝜀

ExtX Almost uniform randomness

X Almost uniform randomnessExt

𝑈𝑑 𝑈𝑑

Seed length: dEntropy loss: k-m

Universal Hash Functions and Leftover Hash Lemma

Universal Hash Functions and Leftover Hash Lemma

Universal Hash Functions and Leftover Hash Lemma (cont’d)

• Informally, universal hash H is an 𝑙, 𝑘, 𝑘 − 𝑑, log 𝐻 , 2−𝑑

2−1 -extractor

Extending the LHL to the conditional case

Privacy Amplification: an application of LHL

Some exercises

more exercises

Advanced readings

• Non-malleable extractors

• Leftover hash lemma, revisited.