Privacy amplification by public discussion
SIAM Journal on Computing - Special issue on cryptography
A hard-core predicate for all one-way functions
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Limits on the provable consequences of one-way permutations
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Universal hashing and authentication codes
Designs, Codes and Cryptography
Journal of Computer and System Sciences
A Pseudorandom Generator from any One-way Function
SIAM Journal on Computing
Bounds for Dispersers, Extractors, and Depth-Two Superconcentrators
SIAM Journal on Discrete Mathematics
Privacy Amplification Secure Against Active Adversaries
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Number-theoretic constructions of efficient pseudo-random functions
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
A personal view of average-case complexity
SCT '95 Proceedings of the 10th Annual Structure in Complexity Theory Conference (SCT'95)
Nearly One-Sided Tests and the Goldreich–Levin Predicate
Journal of Cryptology
Key agreement from weak bit agreement
Proceedings of the thirty-seventh annual ACM symposium on Theory of computing
A model and architecture for pseudo-random generation with applications to /dev/random
Proceedings of the 12th ACM conference on Computer and communications security
On the randomness complexity of efficient sampling
Proceedings of the thirty-eighth annual ACM symposium on Theory of computing
Why simple hash functions work: exploiting the entropy in a data stream
Proceedings of the nineteenth annual ACM-SIAM symposium on Discrete algorithms
Cryptography with constant computational overhead
STOC '08 Proceedings of the fortieth annual ACM symposium on Theory of computing
Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data
SIAM Journal on Computing
Weak Pseudorandom Functions in Minicrypt
ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Optimal Randomness Extraction from a Diffie-Hellman Element
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Unbalanced expanders and randomness extractors from Parvaresh--Vardy codes
Journal of the ACM (JACM)
Public-Key Cryptosystems Resilient to Key Leakage
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Software performance of universal hash functions
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Exposure-resilient functions and all-or-nothing transforms
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Cryptographic extraction and key derivation: the HKDF scheme
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Secure remote authentication using biometric data
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Robust fuzzy extractors and authenticated key agreement from close secrets
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Composition implies adaptive security in minicrypt
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Computational extractors and pseudorandomness
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Randomness condensers for efficiently samplable, seed-dependent sources
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Practical leakage-resilient pseudorandom objects with minimum public randomness
CT-RSA'13 Proceedings of the 13th international conference on Topics in Cryptology
TCC'13 Proceedings of the 10th theory of cryptography conference on Theory of Cryptography
Weak leakage-resilient client-side deduplication of encrypted data in cloud storage
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Hi-index | 0.00 |
The famous Leftover Hash Lemma (LHL) states that (almost) universal hash functions are good randomness extractors. Despite its numerous applications, LHL-based extractors suffer from the following two limitations: - Large Entropy Loss: to extract v bits from distribution X of minentropy m which are ε-close to uniform, one must set v ≤ m - 2 log (1/ε), meaning that the entropy loss L = m - v ≥ 2 log (1/ε). For many applications, such entropy loss is too large. - Large Seed Length: the seed length n of (almost) universal hash function required by the LHL must be at least n ≥ min(u - v, v + 2 log (1/ε) - O(1), where u is the length of the source, and must grow with the number of extracted bits. Quite surprisingly, we show that both limitations of the LHL - large entropy loss and large seed - can be overcome (or, at least, mitigated) in various important scenarios. First, we show that entropy loss could be reduced to L = log(1/ε) for the setting of deriving secret keys for a wide range of cryptographic applications. Specifically, the security of these schemes with an LHL-derived key gracefully degrades from ε to at most ε + √ε2-L. (Notice that, unlike standard LHL, this bound is meaningful even when one extracts more bits than the min-entropy we have!) Based on these results we build a general computational extractor that enjoys low entropy loss and can be used to instantiate a generic key derivation function for any cryptographic application. Second, we study the soundness of the natural expand-then-extract approach, where one uses a pseudorandom generator (PRG) to expand a short "input seed" S into a longer "output seed" S', and then use the resulting S' as the seed required by the LHL (or, more generally, by any randomness extractor). We show that, in general, the expandthen-extract approach is not sound if the Decisional Diffie-Hellman assumption is true. Despite that, we show that it is sound either: (1) when extracting a "small" (logarithmic in the security of the PRG) number of bits; or (2) in minicrypt. Implication (2) suggests that the expandthen-extract approach is likely secure when used with "practical" PRGs, despite lacking a reductionist proof of security!