---
_id: '2185'
abstract:
- lang: eng
text: 'We revisit the classical problem of converting an imperfect source of randomness
into a usable cryptographic key. Assume that we have some cryptographic application
P that expects a uniformly random m-bit key R and ensures that the best attack
(in some complexity class) against P(R) has success probability at most δ. Our
goal is to design a key-derivation function (KDF) h that converts any random source
X of min-entropy k into a sufficiently "good" key h(X), guaranteeing
that P(h(X)) has comparable security δ′ which is ''close'' to δ. Seeded randomness
extractors provide a generic way to solve this problem for all applications P,
with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m +
2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k
(called the "RT-bound") is also known to be tight in general. Unfortunately,
in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This
motivates the study KDFs with less entropy waste by placing some restrictions
on the source X or the application P. In this work we obtain the following new
positive and negative results in this regard: - Efficient samplability of the
source X does not help beat the RT-bound for general applications. This resolves
the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative,
and also shows that the existence of computationally-secure extractors beating
the RT-bound implies the existence of one-way functions. - We continue in the
line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic
KDFs which beat the RT-bound for large but restricted classes of applications.
Specifically, we design efficient KDFs that work for all unpredictability applications
P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract
all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)),
or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very
modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results
from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when
k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds
of [BDK+11] hold for a larger class of so-called "square- friendly"
applications (which includes all unpredictability, but also some important indistinguishability,
applications). Unfortunately, we show that these weaker bounds are tight for the
larger class of applications. - We abstract out a clean, information-theoretic
notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced"
security δ′ for any δ-secure unpredictability application P, and characterize
the parameters achievable for such unpredictability extractors. Of independent
interest, we also relate this notion to the previously-known notion of (min-entropy)
condensers, and improve the state-of-the-art parameters for such condensers.'
alternative_title:
- LNCS
author:
- first_name: Yevgeniy
full_name: Dodis, Yevgeniy
last_name: Dodis
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen
P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6'
apa: 'Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without
entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented
at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen,
Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6'
chicago: Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation
without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110.
Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6.
ieee: 'Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,”
presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques,
Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.'
ista: 'Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste.
EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441.
93–110.'
mla: Dodis, Yevgeniy, et al. *Key Derivation without Entropy Waste*. Edited
by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.
short: Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer,
2014, pp. 93–110.
conference:
end_date: 2014-05-15
location: Copenhagen, Denmark
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2014-05-11
date_created: 2018-12-11T11:56:12Z
date_published: 2014-04-01T00:00:00Z
date_updated: 2020-08-11T10:09:40Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-55220-5_6
editor:
- first_name: Phong
full_name: Nguyen, Phong
last_name: Nguyen
- first_name: Elisabeth
full_name: Oswald, Elisabeth
last_name: Oswald
file:
- access_level: open_access
checksum: da1aa01221086083b23c92e547b48ff4
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:08:43Z
date_updated: 2020-07-14T12:45:31Z
file_id: '4705'
file_name: IST-2016-680-v1+1_708.pdf
file_size: 505389
relation: main_file
file_date_updated: 2020-07-14T12:45:31Z
has_accepted_license: '1'
intvolume: ' 8441'
language:
- iso: eng
month: '04'
oa: 1
oa_version: Submitted Version
page: 93 - 110
publication_status: published
publisher: Springer
publist_id: '4795'
pubrep_id: '680'
quality_controlled: '1'
scopus_import: 1
status: public
title: Key derivation without entropy waste
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8441
year: '2014'
...