Dodis, Yevgeniy; Pietrzak, Krzysztof ZIST Austria ; Wichs, Daniel
Nguyen, Phong; Oswald, Elisabeth
We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is 'close' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called "square- friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced" security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers.
93 - 110
EUROCRYPT: Theory and Applications of Cryptographic Techniques
2014-05-11 – 2014-05-15
Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6
Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6
Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6.
Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.
Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110.
Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.