On the (non)Universality of the One-Time Pad

Authors

  • Yevgeniy Dodis
  • Joel H. Spencer

Abstract

Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. As a common abstraction, it is assumed that there is a source of truly random bits available to all the participants of the system. While convenient, this assumption is often highly unrealistic, and cryptographic systems have to be built based on imperfect sources of randomness. Remarkably, this fundamental problem has received little or no attention so far, despite the fact that the related question of simulating probabilistic (BPP) algorithms with imperfect random sources has a long and rich history. In this work we initiate the quantitative study of the feasibility of building secure cryptographic primitives using imperfect random sources. Specifically, we concentrate on symmetric-key encryption and message authentication, where the shared secret key comes from an imperfect random source instead of being assumed truly random. In each case, we compare the class of “cryptographic” sources for the task at hand with the classes of “extractable” and “simulatable” sources, where: (1) “cryptographic” refers to sources for which the corresponding symmetric-key primitive can be built; (2) “extractable” refers to a very narrow class of sources from which one can extract nearly perfect randomness; and (3) “simulatable” refers to a very general class of weak random sources which are known to suffice for BPP simulation. For both encryption and authentication, we show that the corresponding cryptographic sources lie strictly in between extractable and simulatable sources, which implies that “cryptographic usage” of randomness is more demanding than the corresponding “algorithmic usage”, but still does not require perfect randomness.
Interestingly, cryptographic sources for encryption and authentication are also quite different from each other, which suggests that there might not be an elegant way to describe imperfect sources sufficient for “general cryptographic use”. We believe that our initial investigation in this new area will inspire a lot of further research.

1 Imperfect Random Sources

Randomization has proved to be extremely useful and fundamental in many areas of computer science, such as approximation algorithms, counting problems, distributed computing, primality testing, as well as cryptographic protocols (which is the topic of this paper). The common abstraction used to introduce randomness into computation is that the underlying algorithm has access to a stream of completely unbiased and independent random bits. This abstraction allows one to use randomness in a clean way, separating out the issue of actually generating such “strong” random bits. Unfortunately, in reality we do not have sources that emit perfectly uniform and independent random bits. However, there are many sources whose outputs (which need not be bits) are believed to be “somewhat random”. Such sources are generally called imperfect random sources. We remark that the “imperfectness” of the source does not only come from the fact that it does not generate uniform random bits, but also because the exact source distribution is usually unknown; instead, only some property of the distribution is known (like no string is excessively likely, etc.), and our proposed usage of a given source should work for any distribution satisfying this property. Thus, “imperfect source” literally means “an unknown source from a given family of probability distributions”. A large amount of research has been devoted to filling in the gap between such realistic imperfect sources and the ideal sources of randomness that are actually used in designing various algorithms and protocols.
As we will argue below, the current body of knowledge nevertheless leaves a large gap in understanding the usefulness of imperfect sources for various cryptographic purposes. Indeed, we can roughly separate the following two major questions that have been addressed so far in studying imperfect random sources, neither of which directly deals with cryptography:

Simulation: can we efficiently simulate a probabilistic (BPP) algorithm with a given source?

Extraction: can we extract almost perfect randomness from a given source?

The first question addresses whether a given source is acceptable for universal probabilistic computation of decision or optimization problems (i.e., problems with a unique “correct” output which are potentially solved more efficiently using randomization). The second question takes a conceptually cleaner approach by trying to provide, when possible, a “compiler” for a given imperfect source. The compiler first extracts almost perfect randomness from the source, which can then be used for any application originally designed to work with ideal random bits. Clearly, extraction from a given source is a very desirable property to have, since it solves a much broader problem than BPP simulation. For example, “extractable” sources can be used in any cryptographic application (like secure encryption), but not every “simulatable” source can [19] (see below). Unfortunately, as shown below, the set of extractable sources is also dramatically smaller than the set of simulatable sources.

SIMULATABLE SOURCES. It turns out that the class of simulatable sources is extremely large. In particular, more and more imperfect (so-called “weak”) random sources have been shown to be simulatable [32, 30, 8, 9, 35, 2], culminating in the use of extremely weak sources [2]. The only thing guaranteed about a weak source is that no particular string has a very high probability of occurring.
This is characterized by a parameter $\ell$ (called the min-entropy of the source) by saying that no string (of some given length) occurs with probability more than $2^{-\ell}$ (for any distribution of the source). The optimal result of [2] then says that BPP simulation is possible for any $N$-bit weak source whose min-entropy is at least an (arbitrarily small) constant fraction of $N$. Interestingly, we will see that weak sources are typically far too general for any randomness extraction (e.g., none of the sources of [32, 30, 8, 9, 35, 2] is extractable). Instead, the works above take advantage of the fact that even though it is impossible to generate almost random bits from the corresponding weak sources, it is possible to generate random strings, a majority of which avoid falling into the negligibly small set of “bad” strings. Running the given algorithm many times on various such pseudorandom strings and computing some statistics, a correct answer is given with high probability. Unfortunately, most of the above methods are not applicable for cryptographic use, where the randomness is needed by the application itself, and not mainly for the purposes of efficiency. Indeed, McInnes and Pinkas [19] have shown that none of the simulatable sources above can be used to securely encrypt even a single bit! (See Section 2.)

EXTRACTION FROM IMPERFECT SOURCES. As we will see, extraction is much harder to achieve than simulation, even for relatively “structured” imperfect random sources. In rough terms, we can separate three types of imperfect random sources considered so far: streaming sources, bit-fixing sources, and the already mentioned weak sources (the latter being significantly more general than the former two).

STREAMING SOURCES. Like the ideal source, a streaming source produces a stream of bits incrementally over time, but these bits are not necessarily unbiased or independent (exact details depend on the streaming source considered).
The first works [34, 12, 5] considered streaming sources which generated highly independent (but possibly biased) random bits. As a result, elegant techniques were developed to extract many ideal random bits from such highly “regular” sources. Unfortunately, once the strong independence requirement was relaxed, many impossibility results were obtained. The first quite striking negative result was obtained by Sántha and Vazirani [23], who demonstrated that not even a single almost random bit can be extracted if every bit of the source can be slightly biased and depend on all the previous bits. Lichtenstein et al. [18] showed a mix of positive and (mainly) negative results when a few bits of the source could be arbitrarily biased while the rest were truly random. Dodis [10] showed even more negative results for the common generalization of the above two sources.

BIT-FIXING SOURCES. A bit-fixing source produces (at once) a string of $N$ bits, some of which (say, $b$) are adversarially fixed, but the other $\ell = N - b$ are truly random. The goal of extraction for such sources is to design a function (called a resilient function) whose output is “close” to random no matter which $b$ input bits are fixed. It turns out that there is a huge difference depending on whether the $b$ “fixed” bits get set before or after the $\ell$ random bits are chosen. In the first scenario (studied by [31, 7, 3, 13, 17, 11]), quite positive and by now nearly optimal results are known for extracting many bits (one perfect bit is trivially extracted by the parity function). In particular, close to $\ell$ nearly perfect bits can be extracted in this setting [11]. In the second scenario ($b$ fixed bits are set after the $\ell$ random bits), even one bit is hard to extract: the optimal $b$ for this task lies somewhere between order $N/\log^2 N$ [1] and $O(N/\log N)$ [16].

WEAK SOURCES. Originated by Chor and Goldreich [8], much subsequent research has been dedicated to various flavors of the so-called weak random sources.
Recall, a fixed distribution has min-entropy $\ell$ if no element can occur with probability more than $2^{-\ell}$. Generally, the min-entropy of a probability distribution is considered the right measure for the amount of “randomness” it contains. An imperfect source has min-entropy $\ell$ if all of its distributions have min-entropy $\ell$, even though not all such distributions might belong to the source. On the other hand, a weak source of min-entropy $\ell$ is a specific source consisting of all distributions of min-entropy $\ell$. In other words, if an application can tolerate a weak source, we are not making any extra assumptions about our distribution except that it contains “enough randomness”. Thus, weak sources are the most general sources one can consider, since they contain all natural imperfect sources as special cases. Remarkably, as we already mentioned, weak sources are still sufficient to simulate BPP algorithms. On the other hand, weak sources are also too general for any kind of randomness extraction (unless we make some relaxations; see below). For example, it is trivial to show (see the formal proof in [8]) that every deterministic bit extraction function from an $N$-bit source can be fixed to a constant by a source of (huge) min-entropy $N - 1$, implying that one cannot even extract a single slightly random bit from such a source! Three kinds of relaxations were recently studied to surpass the strong impossibility result above. First, Trevisan and Vadhan [29] consider the problem of extraction from efficiently samplable distributions with a given min-entropy. Second, we mention a series of other works [23, 31, 8, 29] which extract randomness from several independent imperfect sources (which is a strong assumption). Last, but not least, we mention a large body of work on the so-called randomness extractors [21]. Such extractors are allowed to use a small number of truly random bits in addition to the output of a given imperfect source.
Despite having many applications (see [20, 28, 22] and the references therein), the assumption about the existence of truly random bits is not applicable in many situations. To summarize the above discussion: useful imperfect sources have a reasonably high level of min-entropy, and weak random sources are the most general and realistic such sources. While being simulatable, weak sources (and many other less general imperfect sources) are highly non-extractable.

2 Cryptographic Sources

The main objective of this work is to initiate the study of the class of imperfect random sources applicable for various cryptographic uses, like achieving privacy or authenticity. Let us informally call such sources “cryptographic” (w.r.t. the application at hand). As we already mentioned, the large body of work studying simulatable and extractable sources leaves a significant gap in understanding the usefulness of imperfect sources for cryptographic purposes. We believe that such an understanding will not only tell us to what extent cryptographic applications, where randomness is crucial, can tolerate imperfect randomness, but will also shed further light on the differences between cryptography and algorithms/complexity theory. In particular, the main outcome of this work will show that cryptographic sources seem to lie strictly in between simulatable (i.e., weak) and extractable sources. Moreover, cryptographic sources for different tasks are different from each other. This suggests that different cryptographic applications use randomness differently, and there might not be an elegant way to describe sources sufficient for “general cryptographic use”.

OUR CRYPTOGRAPHIC APPLICATIONS. In this work we concentrate on studying private-key cryptography; namely, the applications of private-key encryption and message authentication. In both applications, Alice wants to send a message $m$ to Bob over an insecure channel, controlled by an adversary Eve.
Alice and Bob originally agree on a shared secret key $K$, and on the publicly known encoding and decoding functions $E$ and $D$. To send the message $m$, Alice uses $K$ to compute the ciphertext $E_K(m)$ and sends it over the channel. Bob gets some ciphertext (possibly different from the one sent) and applies $D_K$ to it, outputting $m'$, which could be either some message or a special symbol $\bot$ (the latter indicates that the received ciphertext was invalid). Clearly, if the received ciphertext equals the one sent, then we require that $m = m'$. For encryption, we also want Eve to obtain “no information” about the message $m$ upon observing the ciphertext. Namely, Alice and Bob want to achieve privacy. For authentication, we do not want Eve to be able to change the ciphertext into another one such that Bob outputs, with “non-trivial” probability, a valid message $m' \notin \{m, \bot\}$. Namely, Alice wants to make sure that Eve cannot meaningfully change the message transmitted (of course, Eve can always block the message, but this is inevitable). Aside from being interesting and important in their own right, there is one more advantage to starting our general investigation from these applications. Specifically, it is well known that both of them can be solved information-theoretically,¹ at least if the participants share a long enough truly random secret key $K$. In our scenario, we investigate what happens if this key instead comes from some imperfect source. Considering that most work on imperfect random sources is information-theoretic as well, studying the above applications seems to be the cleanest starting point for understanding “cryptographic” sources.

PRIVATE-KEY ENCRYPTION. Recall that information-theoretic security of (one-time) private-key encryption states that the encryptions of any two messages look statistically indistinguishable to Eve, who does not know $K$.² The encryption is perfect if these encryptions are identically distributed.
Assuming that the key $K$ is a truly random $N$-bit string, one can easily obtain a perfect encryption of an $N$-bit message $m$ using the one-time pad scheme [33]: $E_K(m) = m \oplus K$, and decryption recovers $m$ by XORing the ciphertext with $K$ again, where $\oplus$ is the “exclusive OR” operator. Notice that the ciphertext is uniformly distributed irrespective of $m$, so this encryption is indeed perfect. (Unfortunately, it can be used to encrypt only one message of length $N$ securely, and Shannon [24] showed that any secure encryption scheme must have $|K| \ge |m|$.) We now study what happens when $K$ is not truly random, but comes from some imperfect source of randomness. The only work so far that has studied this question is that of McInnes and Pinkas [19]. This work shows that one cannot securely encrypt even a single bit with the weak random source (in fact, even with the more restricted source of [23])! More precisely, there is no statistically secure encryption scheme for one-bit messages tolerating a weak $N$-bit source of min-entropy strictly less than $N$ (say, $N - 1$). In fact, for any “encryption” $(E, D)$ of one-bit messages, some source of huge min-entropy $N - 2$ makes the ciphertext completely reveal the encrypted bit (see Appendix A for an alternative proof). Thus, weak sources are not only non-extractable, but also highly non-cryptographic for private-key encryption. On the other hand, the strong negative result of [19] leaves open, and in fact suggests, the possibility that every cryptographic source for encryption is extractable. If true, this would imply that the one-time pad is a universal one-time private-key encryption.³ Interestingly, the conjecture above is true for a single (possibly non-uniform) distribution on the shared key $K$.

¹ This means no unproven computational assumptions, like the existence of one-way functions, are needed.

² Where the statistical difference is negligible in the security parameter.
Indeed, Shannon’s negative result generalizes to this case, saying that the Shannon entropy of the key, $H(K)$, under our fixed distribution has to be at least as large as the message length $N$: $H(K) \ge N$. On the other hand, it is well known that the (expected) number of almost truly random bits one can extract from a single distribution on $K$ is again essentially equal to $H(K)$ (up to an additive 1). This shows that the one-time pad encryption is indeed universal for a single distribution on $K$: whenever it is possible to securely encrypt an $N$-bit message $m$ (i.e., $H(K) \ge N$), one might as well extract from $K$ an almost uniform $H(K)$-bit random string $K'$, and then use $K'$ as the one-time pad for $m$! The main technical contribution of this work is a precise (negative) resolution of this conjecture for general imperfect sources. To state our optimal result quantitatively, recall that the fairness of one random bit $r$ is defined to be $\min[\Pr(r = 0), \Pr(r = 1)]$. Thus, a truly random bit is $\tfrac{1}{2}$-fair, while a constant bit is $0$-fair. We show that

Theorem 1 For any fairness $\varepsilon > 2^{-N/2+1}$, there is an $N$-bit imperfect source $S$ of min-entropy $\ell \ge N - \log(1/\varepsilon) - O(1)$ and a one-bit encryption scheme $(E, D)$ such that:
1. $(E, D)$ is perfectly secure for any distribution in $S$;
2. One cannot extract an $\varepsilon$-fair random bit from $S$.
The lower bound on $\ell$ is optimal up to an additive constant, but $\varepsilon$ can be made $2^{-N/2}$ when no restriction on $\ell$ is made.

As a corollary, for any $\ell \le N - \omega(1)$, there exists a source $S$ of min-entropy $\ell$ which is non-extractable but cryptographic (for one-bit encryption). Moreover, the impossibility of extraction increases exponentially with the “min-entropy loss” $N - \ell$, while the encryption scheme remains perfectly secure.

³ At least for the purposes of encrypting a single bit. Of course, there is a possibility that one can encrypt more bits “directly” rather than by first extracting uniform randomness and applying the one-time pad to it.
The proof of this result and further discussion of encryption are given in Section 3. To summarize, nearly perfect randomness is not inherently needed to generate indistinguishable distributions, while weak (i.e., simulatable) sources are too general for this task (see also Appendix A).

PRIVATE-KEY AUTHENTICATION. We also consider the question of information-theoretic private-key message authentication [14] (see also [25]). Recall, the security of such authentication codes is given by the parameter $\varepsilon$, which is the maximal probability of Eve’s success (i.e., changing the ciphertext for $m$ into a valid ciphertext of some $m' \ne m$). For concreteness, we will restrict our attention to the simplest case of one-bit messages (just like we did for encryption). This will simplify our analysis, without qualitatively changing our conclusions. Indeed, to authenticate long messages one typically uses various types of universal hash functions [6] (see [6, 27, 4, 15] for examples). For one-bit messages, many much more trivial techniques suffice (we will see examples in Section 4). As with encryption, we first address the possibility of basing message authentication on weak sources. Interestingly, the result we obtain is quite different.

Theorem 2 The optimal one-bit authentication code achieves error probability $\varepsilon = \min[2^{N/2 - \ell}, 1]$ against a weak source of min-entropy $\ell$.

In particular, one can nontrivially tolerate weak sources of min-entropy $\ell > N/2 + \omega(1)$, but cannot go beyond this “threshold”. Therefore, when $\ell < N/2$ but $\ell$ is still at least a constant fraction of $N$ (for any constant fraction $> 0$), we see that the weak source can simulate BPP algorithms, but cannot be used even for the most basic 2-message authentication. On the other hand, when $N/2 < \ell < N$, one can at least build secure 2-message authentication codes, but cannot extract even a single non-constant (let alone random) bit. Also, the threshold $N/2$ is quite different from the corresponding threshold $N$ for encryption.
Finally, we show that a strong separation between the possibility of authentication and extraction continues to hold even when $\ell < N/2$. More specifically, we show

Theorem 3 There exists an imperfect $N$-bit source $S$, each of whose distributions has min-entropy at most $\ell$ (i.e., all of them have “low entropy”!), and such that:
1. There exists a one-bit authentication code achieving nearly optimal error probability $\varepsilon = 2^{-\ell/2 + O(1)}$ against any distribution in $S$;
2. Any bit extraction function can be fixed to a constant by some distribution in $S$.

In other words, one can potentially build a secure authentication code even for some “low-entropy” sources, but still completely fail in extracting even a single bit from this source. The proofs of the above results and further discussion of message authentication appear in Section 4.

3 Private-Key Encryption

In this section we discuss our approach for encryption in more detail (in particular, we prove our main Theorem 1). We will find it convenient to slightly change our notation. Let $\mathcal{K}$ denote the universe of shared keys, and let $|\mathcal{K}| = u$ (i.e., $u = 2^N$, but we will not insist on it). Similarly, let $\mathcal{C}$ be the set of ciphertexts and $|\mathcal{C}| = n$. Also, it will be easier to replace the notion of min-entropy $\ell$ by an equivalent notion of uniformity. We will say that a distribution over the universe $\mathcal{K}$ of size $u$ is $\;$-uniform, where $\;\in [0, 1]$, if no element occurs with probability larger than $1/(\;u)$ (for simplicity, we will assume throughout that $\;u$ is an integer). Similarly, an imperfect source is $\;$-uniform if all its distributions are such. Clearly, $\;= 2^{\ell}/u$ where $\ell$ is the corresponding min-entropy, so our change is purely syntactic. We will also call a distribution flat if it is uniform over some subset $T$ of $\mathcal{K}$ (i.e., every element of $T$ comes with probability $1/|T|$).

GRAPH REPRESENTATION. Given any candidate one-bit encryption scheme $(E, D)$, we now give a purely graph-theoretic representation of this scheme. Consider the following directed graph $G = G(E, D)$.
The $n$ vertices of $G$ are the $n$ possible ciphertexts in $\mathcal{C}$. $G$ will also have exactly $u$ directed edges (call this set $\mathcal{E}$), one for each possible shared key $K$. The directed edge $e_K \in \mathcal{E}$, labeled by key $K$, will connect vertices $E_K(0)$ (the head) and $E_K(1)$ (the tail). In this view, to encrypt $0$ Alice will send to Bob the head of $e_K$, and to encrypt $1$ she will send the tail of $e_K$. For a vertex, we let $\mathrm{IN}$ denote the (multi)set of edges incoming to it (i.e., those whose tail is that vertex), and $\mathrm{OUT}$ the (multi)set of outgoing edges. Notice, since Bob should be able to decrypt, $G$ cannot have self-loops (i.e., $E_K(0) \ne E_K(1)$), so the sets $\mathrm{IN}$ and $\mathrm{OUT}$ of a vertex are disjoint. Thus, an encryption scheme $(E, D)$ is equivalent to specifying a directed (multi)graph with $|\mathcal{K}|$ edges, $|\mathcal{C}|$ vertices, and no self-loops. Assume we are given some distribution $p$ on $\mathcal{K}$. This distribution can be viewed as assigning a non-negative weight $p(K)$ to the edge $e_K$. Conversely, any non-zero weight assignment to $\mathcal{K}$ corresponds to some probability distribution $p$ (by rescaling the weights so that they sum to 1). Therefore, we will identify these two concepts. We say that a weight assignment forms a circulation if, for every node of $\mathcal{C}$, the “incoming” weight to the node is equal to the “outgoing” weight from it:
$$w_{\mathrm{in}} \stackrel{\mathrm{def}}{=} \sum_{e_K \in \mathrm{IN}} p(K) \;=\; \sum_{e_K \in \mathrm{OUT}} p(K) \stackrel{\mathrm{def}}{=} w_{\mathrm{out}}.$$

Lemma 1 The encryption $(E, D)$ is perfectly secure against distribution $p$ on $\mathcal{K}$ if and only if the weight assignment above induces a circulation.

Proof: The values $w_{\mathrm{in}}$ and $w_{\mathrm{out}}$ of a vertex are respectively proportional to the conditional probabilities that the encrypted bit was $1$ or $0$ given that the ciphertext was that vertex. The encryption is perfect iff these are always equal.

We remark that the simplest possible circulation corresponds to any simple (uniformly weighted) directed cycle in $G$. Additionally, it is well known that any circulation can be decomposed into a weighted sum of such uniform cycles (the converse is true as well).
Finally, flat circulations decompose into a disjoint union of such cycles.

BIT EXTRACTION. Any deterministic bit extraction function $f : \mathcal{K} \to \{0, 1\}$ can be viewed as a two-coloring $f$ of the edges $\mathcal{E}$ of $G$. Let us call the colors “red” and “blue”. Given a particular distribution $p$ on $\mathcal{K}$, we define its weight on red edges to be $\mathrm{Red}(f, p) = \sum_{K : f(K) = 0} p(K) = \Pr_{K \sim p}(f(K) = 0)$, and similarly for $\mathrm{Blue}(f, p)$. The fairness of $f$ on $p$ is simply the corresponding fairness of the extracted random bit $f(K)$: $F(f, p) \stackrel{\mathrm{def}}{=} \min[\mathrm{Red}(f, p), \mathrm{Blue}(f, p)]$. Given an imperfect source $S$, the quality of extraction given by coloring $f$ is $F_S(f) = \min_{p \in S} F(f, p)$. Namely, we select the distribution $p \in S$ that biases $f(K)$ as much as possible. Finally, the best extraction function $f$ against $S$ defines the quantity $F_S = \max_f F_S(f)$. To summarize, the quality of randomness extraction from $S$ is given as the optimal value $F_S$ of the following zero-sum game: (1) the first player tries to maximize the game value and chooses a two-coloring $f$; (2) the second player tries to minimize the game value and chooses a distribution $p \in S$; (3) the value of this specific outcome is the fairness $F(f, p)$.

BIT EXTRACTION VS. BIT ENCRYPTION. Having developed the terminology above, let us return to the original conjecture posed in Section 2. The question was to separate extractable sources from cryptographic sources for encryption. The approach suggested in Theorem 1 was the following. We want to see if there exists an encryption scheme $(E, D)$ such that for a given min-entropy level $\ell$ one can find an imperfect source $S$ with this min-entropy such that: (1) $(E, D)$ is a secure (in fact, perfect) one-bit encryption for any distribution $p \in S$, but (2) one cannot extract even a single “slightly” random bit from $S$. First, we can simplify this question as follows. Given a candidate scheme $(E, D)$, we can without loss of generality define $S$ to be the family of all (min-entropy $\ell$) distributions against which $(E, D)$ is perfectly secure.
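As an added illustration (not code from the paper) of the graph representation, Lemma 1 and the extraction game, the following Python code builds $G(E,D)$ for a one-bit scheme, checks the circulation condition against a direct perfect-secrecy test, and brute-forces $F_S$ over all flat circulations of $G$. The two schemes it uses are constructed here: a one-bit one-time pad, whose graph is a bipartite 2-cycle, and $E_K(b) = (K + b) \bmod 3$ on three keys, whose graph is a directed triangle.

```python
from fractions import Fraction
from itertools import product
from collections import defaultdict

def build_graph(enc, keys):
    """G(E,D): one vertex per ciphertext, one edge e_K = (E_K(0), E_K(1)) per key.
    E_K(0) is the head (start) and E_K(1) the tail (end) of the edge; Bob can
    decrypt only if no edge is a self-loop."""
    edges = {}
    for k in keys:
        head, tail = enc(k, 0), enc(k, 1)
        if head == tail:
            raise ValueError(f"key {k}: E_K(0) == E_K(1), cannot decrypt")
        edges[k] = (head, tail)
    return edges

def is_circulation(edges, p):
    """Lemma 1: p is a circulation iff incoming weight == outgoing weight at every
    vertex c, where w_in(c) ~ Pr[bit = 1 | c] and w_out(c) ~ Pr[bit = 0 | c]."""
    w_in, w_out = defaultdict(Fraction), defaultdict(Fraction)
    for k, (head, tail) in edges.items():
        w_out[head] += p.get(k, Fraction(0))
        w_in[tail] += p.get(k, Fraction(0))
    return all(w_in[c] == w_out[c] for c in set(w_in) | set(w_out))

def perfectly_secure(enc, p):
    """Direct check: the ciphertext distributions of bit 0 and bit 1 coincide."""
    dist = [defaultdict(Fraction) for _ in range(2)]
    for k, w in p.items():
        for b in (0, 1):
            dist[b][enc(k, b)] += w
    nonzero = [{c: w for c, w in d.items() if w} for d in dist]
    return nonzero[0] == nonzero[1]

def fairness(f, p):
    """F(f, p) = min[Red(f, p), Blue(f, p)] for an extractor/colouring f: K -> {0,1}."""
    red = sum((w for k, w in p.items() if f(k) == 0), Fraction(0))
    return min(red, 1 - red)

def flat_circulations(edges):
    """All flat circulations of G: uniform distributions on an edge subset that
    is balanced at every vertex (a union of edge-disjoint cycles)."""
    keys = sorted(edges)
    for mask in range(1, 2 ** len(keys)):
        subset = [k for i, k in enumerate(keys) if (mask >> i) & 1]
        p = {k: Fraction(1, len(subset)) for k in subset}
        if is_circulation(edges, p):
            yield p

def game_value(enc, keys):
    """F_S = max over colourings f of min over p in S of F(f, p), where S is the
    set of flat circulations, i.e. flat distributions against which (E,D) is perfect."""
    edges = build_graph(enc, keys)
    sources = list(flat_circulations(edges))
    best = Fraction(0)
    for colours in product((0, 1), repeat=len(keys)):
        f = dict(zip(keys, colours)).__getitem__
        best = max(best, min(fairness(f, p) for p in sources))
    return best

# Constructed schemes for this example (not from the paper):
# (a) one-bit one-time pad: G is the 2-cycle 0 -> 1 -> 0, which is bipartite.
otp = lambda k, b: k ^ b
# (b) E_K(b) = (K + b) mod 3 on keys {0,1,2}: G is a directed triangle, not bipartite.
tri = lambda k, b: (k + b) % 3

if __name__ == "__main__":
    print(game_value(otp, [0, 1]))      # 1/2: a perfect bit is extractable
    print(game_value(tri, [0, 1, 2]))   # 1/3: perfect encryption, but no fair bit
```

Running `game_value` on the complete directed graph on three vertices (keys = ordered pairs, `enc = lambda k, b: k[b]`) gives $1/3 = 1/n$, matching Lemma 3 below for $n = 3$.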
Recalling now our graph representation and Lemma 1, we arrive at the following question. Given a candidate directed (multi)graph $G$ with $n$ vertices and $u$ edges, we let $S$ be the family of all circulations on $G$ which are $\;$-uniform (recall, we will work with uniformity in place of min-entropy). Our goal is to determine $F_S$, which is the quality of bit extraction from this $S$. Let us denote this value, now dependent only on $G$ and the uniformity level, by $\mathrm{Val}(G,\;)$. Notice, if $\mathrm{Val}(G,\;)$ is much smaller than $1/2$, the encryption scheme $(E, D)$ is exactly the encryption we are looking for to disprove the conjecture. On the other hand, if $\mathrm{Val}(G,\;)$ is close to $1/2$, the feasibility of perfectly encrypting a bit using $(E, D)$ indeed implies the possibility of bit extraction.

WHEN ENCRYPTION IMPLIES EXTRACTION. Before finding graphs $G$ disproving our conjecture, we address the following curious question. Which graphs $G$ (i.e., encryption schemes) actually support the original conjecture? Specifically, when is $\mathrm{Val}(G, 0) = 1/2$? (A uniformity level of $0$ means not placing any min-entropy restrictions.)

Lemma 2 $\mathrm{Val}(G, 0) = \tfrac{1}{2}$ if and only if $G$ is bipartite.

Proof: Assume $G$ is not bipartite. Then it has some odd-length cycle $C$, which defines a flat circulation. Any two-coloring $f$ will have a different number of red and blue edges in $C$, which means $\mathrm{Val}(G, 0) \le F(f, C) \le \tfrac{1}{2} - \tfrac{1}{2|C|} < \tfrac{1}{2}$. On the other hand, if $G$ is bipartite, then its vertex set can be partitioned into a left set $L$ and a right set $R$, so that all the edges go between $L$ and $R$. Now define $f$ by coloring all the edges from $L$ to $R$ red and those from $R$ to $L$ blue. For any circulation $p$, the amount of outgoing flow from $L$ to $R$ should be equal to the amount of incoming flow from $R$ to $L$, which means that the weight of red edges is the same as the weight of blue edges: $\mathrm{Red}(f, p) = \mathrm{Blue}(f, p)$, but this means that our coloring extracts a perfect coin.

3.1 Proof of Theorem 1

We now come back to our main result.
First, using the notation developed so far, we can restate Theorem 1 in the following (even stronger) form:

Theorem 4 For any universe size $u$ and uniformity level $\;\in (0, \tfrac{1}{16}]$,⁴ define $\;= \max[\;, 1/\sqrt{u}]$. Then there exists a single graph $G$ such that $\mathrm{Val}(G,\;) = O(\;)$. In particular, for any $\;= o(1)$ we have $\mathrm{Val}(G,\;) = o(1)$. For any $G$, $\mathrm{Val}(G,\;)$ is at least of the same order, so the graph $G$ above is nearly optimal.

We remark that the result above can be viewed as a precise calculation of the value of the following game, given by the parameter $u$ and the uniformity level. It is played by a “minimization” player A and a “maximization” player B:
A. Selects the number of vertices $n$ and a directed graph $G$ with $n$ vertices and $u$ edges.
B. Selects a two-coloring $f$ of $G$.
A. Selects a $\;$-uniform circulation $p$ in $G$.
The value of the game is $F(f, p)$. Theorem 4 states that this value is of order $\max[\;, 1/\sqrt{u}]$.

UPPER BOUND. From Lemma 2, the graph $G$ should be highly non-bipartite. So we let $G$ be the complete directed graph on $n$ vertices, i.e., $u = n(n-1) \approx n^2$. We show that this graph is nearly optimal in separating extractable and cryptographic sources for encryption. We start by computing $\mathrm{Val}(G, 0)$, i.e., the optimal discrepancy when no constraints are put on the min-entropy of our circulation.

Lemma 3 $\mathrm{Val}(G, 0) = 1/n \approx 1/\sqrt{u}$.

Proof: For the lower bound, consider the lexicographic coloring $f$ of $G$. Namely, color $(i, j)$ red if $i < j$ and blue otherwise. Any cycle $C$ (say, of length $s \le n$) must have at least one edge of each color, which means that $F(f, C) \ge 1/s \ge 1/n$. On the other hand, any circulation $p$ can be written as a convex combination of simple cycles. By linearity of $\mathrm{Red}(f, \cdot)$ and $\mathrm{Blue}(f, \cdot)$, this implies that the weight of red (resp. blue) edges in $p$ is lower bounded by the corresponding weight in at least one of the cycles in the convex combination, and the latter we know is at least $1/n$.

⁴ The choice of this constant, as well as of some other constants in this section, is arbitrary and is not necessarily optimal.
For the upper bound, take any coloring $f$ of the edges of $G$. If any 2-cycle $i \to j \to i$ in $G$ is monochromatic, we would get $F(f, i \to j \to i) = 0 < 1/n$. Thus, we can assume that among each pair of edges $(i, j)$ and $(j, i)$, exactly one is red and one is blue. But this means that the subgraph of, say, blue edges forms a tournament. However, it is well known (e.g., see [26, p. 175]) that any tournament has a Hamiltonian path (the proof follows by a simple induction on the number of vertices). This means that there exists a length-$(n-1)$ path consisting only of blue edges. Completing this path into a Hamiltonian cycle (by either a red or a blue edge), we get a cycle $C$ with $F(f, C) \le 1/n$, as needed.

Next, we show that the bound $\mathrm{Val}(G,\;) = O(1/n)$ extends to all uniformity levels up to $1/(2n)$, which is of order $1/\sqrt{u}$, as well. Indeed, consider any two-coloring $f$, as before. Let us look at all monochromatic 2-cycles in $f$. If this number is at least $n/2$, this means that there are at least $n/4$ monochromatic 2-cycles of the same color. Taking the union of these 2-cycles gives a flat circulation $p$ with $n/2 > n(n-1) \cdot \tfrac{1}{2n} \ge \;u$ edges having $F(f, p) = 0$. If the number of monochromatic cycles is less than $n/2$, let us remove from $G$ one arbitrary vertex in each of the monochromatic 2-cycles. We get a two-coloring of a complete graph $G'$ on at least $n/2$ vertices, where no 2-cycle is monochromatic. By the previous argument, we can find a Hamiltonian cycle $C$ in $G'$, which has at least $n/2$ edges (again enough for uniformity) and achieves $F(f, C) \le 2/n$. Hence, to prove Theorem 4, i.e., $\mathrm{Val}(G,\;) = O(\max(\;, 1/\sqrt{u})) = O(\max(\;, 1/n))$, it suffices to consider the case when the uniformity level is at least $1/(2n)$ and show $\mathrm{Val}(G,\;) = O(\;)$. As before, take any coloring $f$, and assume w.l.o.g. that it contains at least $n(n-1)/2$ blue edges. Recall, our goal is to find a $\;$-uniform circulation $p$ such that $F(f, p) = O(\;)$. We will in fact produce a flat circulation satisfying this condition. Namely, our circulation will consist of $\;u = \;n(n-1)$ edges with uniform weight on them.
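An added Python example (not code from the paper) implementing the upper-bound argument of Lemma 3: for an arbitrary two-coloring of the complete directed graph on $n$ vertices it returns a monochromatic 2-cycle if one exists, and otherwise threads a Hamiltonian path through the blue tournament by the insertion induction, giving a cycle of fairness at most $1/n$. The lexicographic coloring and the brute-force checker over every coloring for small $n$ are constructed here for the demonstration.

```python
from fractions import Fraction
from itertools import product

def bad_cycle(n, colour):
    """Given any two-colouring colour(i, j) in {'red', 'blue'} of the complete
    directed graph on vertices 0..n-1, return a directed cycle (list of vertices)
    whose flat circulation has fairness at most 1/n, as in the proof of Lemma 3."""
    # A monochromatic 2-cycle i -> j -> i is a flat circulation of fairness 0.
    for i in range(n):
        for j in range(i + 1, n):
            if colour(i, j) == colour(j, i):
                return [i, j]
    # Otherwise exactly one of (i, j), (j, i) is blue, so the blue edges form a
    # tournament, and every tournament has a Hamiltonian path.  Build it by
    # inserting vertices one at a time (the induction the paper refers to).
    path = [0]
    for v in range(1, n):
        pos = 0  # first position whose vertex v beats, i.e. v -> path[pos] is blue
        while pos < len(path) and colour(v, path[pos]) != "blue":
            pos += 1
        # pos == len(path): every path vertex beats v, so v goes last;
        # otherwise path[pos-1] -> v (when pos > 0) and v -> path[pos] are blue.
        path.insert(pos, v)
    # Closing the all-blue path with the edge path[-1] -> path[0] yields a
    # Hamiltonian cycle with at most one red edge, hence fairness <= 1/n.
    return path

def cycle_fairness(cycle, colour):
    """Fairness of the flat circulation on a cycle: min(#red, #blue) / |cycle|."""
    m = len(cycle)
    red = sum(1 for i in range(m) if colour(cycle[i], cycle[(i + 1) % m]) == "red")
    return Fraction(min(red, m - red), m)

def lexicographic(i, j):
    """The colouring from Lemma 3's lower bound: (i, j) is red iff i < j."""
    return "red" if i < j else "blue"

def every_colouring_has_bad_cycle(n):
    """Brute-force check of Lemma 3's upper bound for small n: each of the
    2^(n(n-1)) colourings yields a cycle with fairness <= 1/n."""
    arcs = [(i, j) for i in range(n) for j in range(n) if i != j]
    for bits in product(("red", "blue"), repeat=len(arcs)):
        table = dict(zip(arcs, bits))
        colour = lambda i, j: table[(i, j)]
        if cycle_fairness(bad_cycle(n, colour), colour) > Fraction(1, n):
            return False
    return True

if __name__ == "__main__":
    c = bad_cycle(5, lexicographic)
    print(c, cycle_fairness(c, lexicographic))   # [4, 3, 2, 1, 0] 1/5
    print(every_colouring_has_bad_cycle(4))      # True
```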
Recall, a flat circulation can be decomposed into a disjoint union of cycles, and this is in fact the way we will build our $p$. We will keep adding some carefully chosen cycles $C$ to $p$, each time removing $C$ from our graph $G^*$ (this will ensure that the cycles are disjoint), until we add a total of $\delta n(n-1)$ edges, as required by the min-entropy requirement. Each cycle $C$ will contain at most an $O(\delta)$ fraction of red edges, guaranteeing that $F(\sigma, p) = O(\delta)$, as needed.

PICKING THE CYCLES. We now describe the procedure of choosing our cycles. First, we keep adding cycles which are entirely blue, until no such cycles are left in $G^*$ (remember, we remove the cycle the moment we add it to $p$). If we already have $\delta n(n-1)$ edges in $p$, we stop. Otherwise, at the end we are left with an acyclic "blue" subgraph $G'$ containing at least $n(n-1)(\frac{1}{2} - \delta)$ edges. Let us topologically order the vertices of $G'$ so that all the edges go from left to right. As a combinatorial result of independent interest, we will show that such $G'$ always contains a directed (blue) path of length $\Omega(1/\delta)$ (here we use $\delta = \Omega(1/n)$). It seems that we are done: complete the path above to a cycle $C$ (which has $F(\sigma, C) = O(\delta)$) and add it to $p$. However, we have to ensure that we will never reuse the "back" edge we use to complete the cycle. Thus, we prove an even stronger combinatorial result.

Lemma 4 Let $G'$ be an acyclic directed graph having $n$ vertices and $u' \ge n(n-1)(\frac{1}{2} - \delta)$ edges. Then $G'$ contains at least $\delta n^2$ directed paths of length $\Omega(1/\delta)$, each having a distinct pair of starting and ending vertices.

Postponing the proof of Lemma 4 for a second, we argue that it allows us to complete the argument. Namely, since $p$ always has at most $\delta n^2$ edges (which consequently are not present in $G'$), we can find a length-$\Omega(1/\delta)$ "blue" path in $G'$ such that the "back" edge it needs to become a cycle is still present in $G'$. Therefore, we can keep finding almost-blue cycles until the size of $p$ becomes $\delta n(n-1)$, as needed.
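The procedure used in the proof of Lemma 4 (delete "lonely" vertices until none remain, then walk forward greedily) is concrete enough to execute. The following is an added worked example, not code from the paper: it builds a small acyclic graph $G'$ on $n = 32$ vertices as the complete forward DAG minus a constructed set of 12 missing edges (the complement graph $G''$ of the proof), takes $\delta = 1/32$ so that $d = 8\delta n = 8$ and the proof's condition $1/2n \le \delta \le 1/16$ holds, and then checks the three quantities the proof bounds: at least $3n/4$ surviving vertices, path length at least $(n/4)/d$, and at least $\delta n^2$ distinct (start, end) pairs. The function names and the missing-edge set are this example's own choices; the tie-break "walk to the nearest present neighbour" is one admissible choice for the proof's "pick any point in the immediate neighborhood".

```python
# Added worked example (not code from the paper): lonely-vertex pruning and
# greedy forward paths from the proof of Lemma 4, on a constructed small DAG.
from fractions import Fraction

def make_dag(n, missing):
    """G' on vertices 1..n in topological order: every forward edge (i, j), i < j,
    is present except the constructed set `missing` (the complement graph G'')."""
    return {i: {j for j in range(i + 1, n + 1) if (i, j) not in missing}
            for i in range(1, n + 1)}

def prune_lonely(dag, d):
    """Repeatedly delete a lonely vertex (at most d/2 out-edges into the d vertices
    that follow it) and renumber the rest, as in the proof.  Returns the surviving
    original labels in topological order (the final G_k)."""
    alive = list(dag)                        # position q holds current vertex number q+1
    while True:
        nk = len(alive)
        lonely = None
        for pos in range(nk - d):           # only i in {1..n_k - d} can be lonely
            v = alive[pos]
            out = sum(1 for q in range(pos + 1, pos + d + 1) if alive[q] in dag[v])
            if out <= d // 2:
                lonely = pos
                break
        if lonely is None:
            return alive
        alive.pop(lonely)                   # removal = renaming of the later vertices

def greedy_paths(dag, alive, n, d):
    """From each start i in {1..n/4} walk forward to the nearest present vertex of the
    immediate neighbourhood until the next step would cross n_k - d; every neighbour
    of the last in-range vertex is then a distinct end.  Returns
    {(start_label, end_label): path_as_labels}."""
    nk = len(alive)
    paths = {}
    for start in range(min(n // 4, nk - d)):
        path = [start]
        while True:
            cur = path[-1]                  # cur < nk - d, so it is not lonely
            nbrs = [q for q in range(cur + 1, cur + d + 1) if alive[q] in dag[alive[cur]]]
            nxt = min(nbrs)
            if nxt >= nk - d:               # crossing n_k - d: record one path per end
                for end in nbrs:
                    paths[(alive[start], alive[end])] = [alive[q] for q in path] + [alive[end]]
                break
            path.append(nxt)
    return paths

def lemma4_demo(n=32, delta=Fraction(1, 32), missing=None):
    """Run the construction with the proof's parameters; return what the proof bounds."""
    assert Fraction(1, 2 * n) <= delta <= Fraction(1, 16)
    d = int(8 * delta * n)                  # d = 8*delta*n = 8 here, 4 <= d <= n/2
    if missing is None:                     # constructed G'': 12 edges <= delta*n*(n-1) = 31
        missing = {(3, 4), (3, 5), (3, 6), (3, 7),
                   (10, 11), (10, 12), (10, 13), (10, 14), (10, 15),
                   (1, 20), (2, 30), (5, 6)}
    assert len(missing) <= delta * n * (n - 1)
    dag = make_dag(n, missing)
    alive = prune_lonely(dag, d)
    paths = greedy_paths(dag, alive, n, d)
    return {
        "d": d,
        "missing": missing,
        "survivors": alive,
        "min_survivors": 3 * n // 4,        # proof: at least 3n/4 vertices survive
        "paths": paths,
        "min_path_len": (n // 4) // d,      # proof: length >= (n/4)/d = Omega(1/delta)
        "min_pairs": int(delta * n * n),    # proof: at least delta*n^2 distinct pairs
    }
```

With this constructed input only vertices 3 and 10 are lonely, so 30 of the 32 vertices survive; the greedy walk from each of the $n/4 = 8$ starting vertices reaches vertex 24 and can end at any of its 8 successors, giving 64 distinct (start, end) pairs against the required $\delta n^2 = 32$.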
The proof of Lemma 4 below then completes the first part of Theorem 4.

Proof: Let us denote by $1 \ldots n$ the $n$ vertices of $G'$ listed in their topological order. Let $G''$ denote the "complement" graph containing the at most $\delta n(n-1)$ forward edges that are not present in $G'$. Let $d = 8\delta n$ (notice, $4 \le d \le n/2$ since $1/2n \le \delta \le 1/16$), $G_0 = G'$, $n_0 = n$, $k = 0$, and repeat the following procedure until impossible. Given a vertex $i \in \{1 \ldots (n_k - d)\}$ of $G_k$, we call the vertices $\{i+1, \ldots, i+d\}$ of $G_k$ the immediate neighborhood of $i$. We say that $i$ is lonely if it has at most $d/2$ outgoing edges to its immediate neighborhood (i.e., at most $d/2$ of the edges $(i, i+1), (i, i+2), \ldots, (i, i+d)$ are present in $G_k$). If the graph $G_k$ has at least one lonely vertex $i$, we remove $i$ (and all its adjacent edges) from $G_k$, thus forming a new graph $G_{k+1}$ with $n_{k+1} = n_k - 1$ vertices. In particular, we rename the vertices of $G_{k+1}$ so that they are numbered from $1$ to $n_{k+1} = n_k - 1$. Finally, we increment $k$.

We notice that in each step we removed a vertex which did not have at least $d/2$ forward neighbors, which means that we removed at least $d/2$ new edges of the complement graph $G''$. Since $G''$ only had $\delta n(n-1)$ edges to begin with, the number of times $k$ we could find such a lonely vertex is at most $k \le \delta n^2 / (d/2) = \delta n^2 / (4\delta n) = n/4$. Hence, the final graph $G_k$ has at least $3n/4$ vertices, none of which is lonely. Now, take an arbitrary starting point $i \in \{1 \ldots n/4\}$ in $G_k$, and greedily construct a forward path by iteratively picking any point in the immediate neighborhood of the current point (stopping when we cross $n_k - d$). Since no points below $(n_k - d) \ge n/2$ are lonely, the length of the path is at least $(n/4)/d = \Omega(1/\delta)$. Moreover, we have at least $n/4$ choices for the starting point and $d/2 = 4\delta n$ choices for the ending point. Therefore, the total number of distinct source/destination paths we can construct is at least $\delta n^2$, as claimed.

LOWER BOUND. Take any graph $G$ with $u$ edges and $n$ vertices.
To show that $\mathrm{Val}(G, \delta) = \Omega(\epsilon)$, where $\epsilon = \max[\delta, 1/\sqrt{u}]$, we need to show the existence of a coloring $\sigma$ such that for any $\delta$-uniform circulation $p$ we have $F(\sigma, p) = \Omega(\epsilon)$. We will show that such a $\sigma$ exists by the probabilistic method. We randomly label the vertices of $G$ by numbers from $1$ to $n$, and color edge $(i, j)$ of $G$ red if $i < j$ and blue otherwise. We show that such a coloring satisfies the needed property with non-zero probability, and therefore exists.

First, we prove the bound $\Omega(1/\sqrt{u})$. For that, we show that with high probability $G$ does not contain a blue (resp. red) path of length $\ell \stackrel{\mathrm{def}}{=} 3\sqrt{u}$. Indeed, taking any path of $G$ of length $\ell$, the probability that it gets all red or all blue is exactly $2/\ell! < (e/\ell)^\ell$. Since the overall number of paths of length $\ell$ is certainly less than $\binom{u}{\ell} < (eu/\ell)^\ell$, the expected number of monochromatic length-$\ell$ paths is less than $(e^2 u/\ell^2)^\ell < (9u/\ell^2)^\ell = 1$, since $\ell = 3\sqrt{u}$. Thus, some ordering with the given property exists. Now, fix any such ordering and the corresponding coloring $\sigma$, and take any circulation $p$. Decompose $p$ into cycles. The property of our ordering ensures that in each cycle $C$ at most $\ell$ consecutive edges are monochromatic, so $F(\sigma, C) \ge 1/\ell$. This implies that $F(\sigma, p) = \Omega(1/\sqrt{u})$ as well.

Next, we show the bound $\Omega(\delta)$. For that, call an edge $(i, j)$ short in the resulting ordering if $|i - j| < d$, where $d = \delta(n-1)/4$. Notice, the probability that a given edge of $G$ becomes short is at most $\frac{2dn}{(n-1)n} = \delta/2$, by our choice of $d$. Therefore, the expected number of short edges is at most $\delta u/2$. In particular, some ordering will produce at most $\delta u/2$ short edges. Now, fix any such ordering and the corresponding coloring $\sigma$, and take any $\delta$-uniform circulation $p$. Since the weight of each edge in $p$ is at most $1/\delta u$, the total weight of short edges in $p$ is at most $1/2$, meaning that "long" edges must have weight at least $1/2$ too. Now decompose $p$ into cycles and take any resulting cycle $C$.
We claim that any consecutive sequence of blue edges (the same argument holds for red as well) can contain at most $(n-1)/d = O(1/\delta)$ long blue edges (but can contain more short blue edges). Indeed, since long blue edges go "forward" by at least $d$ steps, one cannot have more than $(n-1)/d$ of them without having at least one "backward" red edge. This implies that the total weight of the red edges in this cycle is at least an $\Omega(\delta)$ fraction of the weight of long blue edges. Since this bound holds for every cycle $C$, it holds for the entire circulation $p$ as well. Thus, the total weight of red edges (call it $r$) in $p$ is at least an $\Omega(\delta)$ fraction of the weight of long blue edges (call it $bl$): $r = \Omega(\delta) \cdot bl$. But since all red and all long blue edges together include all long edges, it means $r + bl \ge 1/2$ (remember, short edges weigh at most $1/2$), which implies that $r = \Omega(\delta)$, completing the proof.

4 Private-Key Authentication

We now address the question of building a one-time message authentication code for one-bit messages. Our results could be viewed as the first step towards basing more general (many-time, larger message spaces) authentication codes on imperfect sources. A lot of our notation will parallel what we used for encryption in Section 3. In particular, we will also use graphs to represent an authentication code $(E, D)$ with key space $\mathcal{K}$ of cardinality $u$ and tagging space⁵ $\mathcal{C}$ of cardinality $n$. However, it will be more natural to use an undirected bipartite (multi)graph for this purpose. Namely, this graph $G$ has a left side $L$ and a right side $R$, both being copies of the tagging space $\mathcal{C}$. As before, there will be $u$ edges $e_K$, corresponding to the different secret keys $K \in \mathcal{K}$. The edge $e_K$ will connect the "left" copy of $E_K(0)$ to the "right" copy of $E_K(1)$ (given $\tau \in \mathcal{C}$, we let $\tau_\ell$ and $\tau_r$ denote the left and right copies of $\tau$ in $G$). Notice, there is no restriction against connecting $\tau_\ell$ to $\tau_r$, and also edges could be duplicated.

FLAT DISTRIBUTIONS.
As before, a probability distribution $p$ on $\mathcal{K}$ can be viewed as assigning weights to the edges of $G$. Given such a distribution $p$ and observing a tag $\tau$ of some bit $b$ (say, $b = 0$), the optimal strategy for producing the tag $\tau'$ of $(1-b) = 1$ involves picking the vertex $\tau'_r \in R$ having the largest weight going from $\tau_\ell$ to $\tau'_r$. Because of that, flat distributions will play a particularly important role in our study. Recall, such distributions assign equal weight to some subset of $\mathcal{K}$. It is well known that every $\delta$-uniform distribution is a convex combination of $\delta$-uniform flat distributions. This implies that among all $\delta$-uniform sources, the best ones for the adversary are exactly the flat distributions having $\delta u$ edges in their support.

⁵ We find it more natural to refer to the output of $E_K(\cdot)$ as a "tag" rather than a "ciphertext" like we did for encryption.

Now, let $p$ be a $\delta$-uniform flat distribution having support on the edge set $E'$ of $u' = \delta u$ edges. Let $\varepsilon_{0 \to 1}(p)$ denote the optimal probability of the adversary to produce a valid tag for $1$ after seeing the tag for $0$, and similarly for $\varepsilon_{1 \to 0}(p)$. The security of the authentication code $(E, D)$ on distribution $p$ is then $\varepsilon(p) = \max[\varepsilon_{0 \to 1}(p), \varepsilon_{1 \to 0}(p)]$. Let $L'$ ($R'$) be the set of left (right) vertices belonging to some edge in $E'$, and let $n_\ell = |L'|$ and $n_r = |R'|$. We will also call our flat distribution $p$ simple if no two edges in $E'$ connect the same pair of vertices (i.e., all the keys are functionally distinct).

Lemma 5 For any flat distribution $p$,
$$\varepsilon_{0 \to 1}(p) \ge \max\Big[\frac{n_\ell}{\delta u}, \frac{1}{n_r}\Big], \qquad \varepsilon_{1 \to 0}(p) \ge \max\Big[\frac{n_r}{\delta u}, \frac{1}{n_\ell}\Big]$$
and, thus, $\varepsilon(p) \ge \frac{1}{\sqrt{\delta u}}$. For simple flat distributions, $\varepsilon_{0 \to 1}(p) = \frac{n_\ell}{\delta u}$, $\varepsilon_{1 \to 0}(p) = \frac{n_r}{\delta u}$, $\varepsilon(p) = \frac{\max[n_\ell, n_r]}{\delta u}$.

Proof: The fact that $\varepsilon_{0 \to 1}(p) \ge 1/n_r$ is obvious since there are only $n_r$ possible tags for $1$. Next, let $d(\tau)$ be the degree of the node $\tau$ in $E'$. Then the probability that $E_K(0) = \tau_\ell$ is equal to $d(\tau_\ell)/\delta u$.
On the other hand, conditioned on $E_K(0) = \tau_\ell$, there are at most $d(\tau_\ell)$ possibilities for $E_K(1)$, implying that the adversary can predict the value $E_K(1)$ with probability at least $1/d(\tau_\ell)$ (the latter becomes an equality for simple flat distributions). Thus, $\varepsilon_{0 \to 1}(p) \ge \sum_{\tau_\ell \in L'} \frac{d(\tau_\ell)}{\delta u} \cdot \frac{1}{d(\tau_\ell)} = \frac{n_\ell}{\delta u}$. A similar proof holds for $\varepsilon_{1 \to 0}(p)$. Finally, $\varepsilon(p) = \max[\varepsilon_{1 \to 0}(p), \varepsilon_{0 \to 1}(p)] \ge \max\big[\frac{n_\ell}{\delta u}, \frac{1}{n_\ell}, \frac{n_r}{\delta u}, \frac{1}{n_r}\big] \ge \frac{1}{\sqrt{\delta u}}$.

PROOF OF THEOREM 2. We can now examine the construction of optimal authentication codes secure against weak sources. In our notation, Theorem 2 states that the optimal authentication code for all $\delta$-uniform distributions achieves error $\min\big[\frac{1}{\delta\sqrt{u}}, 1\big]$. For the upper bound, consider the complete bipartite graph $G^*$ on $n$ nodes (so that $u = n^2$). Recall, it suffices to consider only flat $\delta$-uniform distributions. Notice, each such distribution is necessarily simple. Then, for any such distribution on $\delta u$ edges touching $n_\ell$ left and $n_r$ right nodes of $G^*$, applying Lemma 5 yields that $\varepsilon = \frac{\max[n_\ell, n_r]}{\delta u} \le \frac{n}{\delta u} = \frac{\sqrt{u}}{\delta u} = \frac{1}{\delta\sqrt{u}}$, as needed.

In retrospect, and coming back to our original notation, the above authentication code is extremely simple. One splits an $N$-bit secret key into two equal-length random pads $s_0$ and $s_1$. Then, to authenticate a bit $b$, Alice can use the pad $s_b$. Intuitively, if the min-entropy of the source is above $N/2$, learning $s_b$ still leaves some randomness in $s_{1-b}$, so the latter indeed cannot be predicted well.

We next show that the above graph $G^*$ is indeed optimal for dealing with $\delta$-uniform sources. For any graph $G$ with $u$ edges, we consider two possibilities. First, assume the edges of $G$ touch at least $\sqrt{u}$ left vertices, i.e. $|L| \ge \sqrt{u}$. Take any subgraph of $G$ with $\delta u$ edges which also touches $\sqrt{u}$ left vertices (making $n_\ell$ at least $\sqrt{u}$ for the corresponding flat distribution $p$). By Lemma 5, $\varepsilon(p) \ge n_\ell/\delta u \ge \sqrt{u}/\delta u = 1/\delta\sqrt{u}$. On the other hand, assume the edges of $G$ do not touch $\sqrt{u}$ vertices on the left side, i.e. $|L| \le \sqrt{u}$. Take a $\delta$ fraction of the left vertices having the largest degree in $G$.
They form the set $L'$ of size $\delta|L| \le \delta\sqrt{u}$. Clearly, the vertices of $L'$ have at least $\delta u$ edges of $G$ adjacent to them. We make these edges form our flat distribution $p$. Then, Lemma 5 again implies that $\varepsilon(p) \ge 1/n_\ell \ge 1/\delta\sqrt{u}$.

PROOF OF THEOREM 3. Finally, we show that the separation between extractable and cryptographic sources holds for "low" levels of min-entropy as well. In our notation, Theorem 3 states that there exists a graph $G$ on $u$ edges and a family $S$ of at most $\delta$-uniform distributions on the edges of $G$, so that: (1) $\varepsilon(p) \le O(1/\sqrt{\delta u})$ for all $p \in S$; but (2) for every two-coloring of the edges of $G$, the support set of some $p \in S$ is monochromatic. As earlier, we let $G^*$ be the complete bipartite graph on $n$ vertices (so that $u = n^2$). The family $S$ will consist of the flat distributions corresponding to the following sets of $\delta n^2$ edges. Take any left and right subsets $L' \subseteq L$ and $R' \subseteq R$ of cardinality $\sqrt{2\delta}\, n = \sqrt{2\delta u}$. Then take any subgraph of size $\delta u$ of the complete bipartite subgraph $L' \times R'$. Since all our flat distributions are simple, we get by Lemma 5 that $\varepsilon(p) \le \frac{\sqrt{2\delta u}}{\delta u} = O\big(\frac{1}{\sqrt{\delta u}}\big)$, as desired. Notice, this is nearly the best possible by Lemma 5 too, since for any flat $\delta$-uniform $p$ we have $\varepsilon(p) \ge \frac{1}{\sqrt{\delta u}}$.

It remains to show that no bit extraction is possible from $S$. For that, take any two-coloring of the edges of $G^*$, and assume wlog that at least $n^2/2$ edges are colored blue. Let us look at the subgraph $G'$ formed by these blue edges. We need to show that $G'$ contains at least one distribution in $S$, i.e. that there exist $L'$ and $R'$ of cardinality $\sqrt{2\delta u}$ such that the complete subgraph $L' \times R'$ contains at least $\delta n^2$ blue edges. We show the existence of such $L'$ and $R'$ by the probabilistic method. Namely, pick $L'$ and $R'$ of size $\sqrt{2\delta u}$ completely at random. Each blue edge will get inside $L' \times R'$ with probability $2\delta$, so the expected number of blue edges inside $L' \times R'$ is at least $2\delta \cdot \frac{n^2}{2} = \delta n^2$. This shows that some $L'$ and $R'$ matching the above expectation exist, completing the proof.
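Lemma 5 and the split-pad code from the proof of Theorem 2 can be checked numerically. The following is an added worked example, not code from the paper: it represents a flat key distribution by its edge list (one $(E_K(0), E_K(1))$ pair per key in the support, duplicates allowed so that non-simple distributions are covered), computes the optimal adversary's forgery probabilities $\varepsilon_{0 \to 1}(p)$ and $\varepsilon_{1 \to 0}(p)$ exactly with rationals by the "largest weight" rule of the text, and runs three constructed key sources for the split-pad code $E_K(b) = s_b$ with $N = 8$ (so $u = 256$ keys and $n = 16$ tags): a uniform key, a key whose pad $s_0$ has only 2 bits of entropy ($\delta = 1/4$), and a key whose pad $s_0$ is fixed ($\delta = 1/16$). Tags are modelled as small integers; the function names are this example's own.

```python
# Added worked example (not code from the paper): exact forgery probability of a
# one-bit one-time MAC under a flat key distribution, via the bipartite multigraph
# of Section 4, instantiated with the split-pad code E_K(b) = s_b of Theorem 2.
from collections import Counter, defaultdict
from fractions import Fraction
from itertools import product

def forgery_probabilities(support):
    """support: list of (E_K(0), E_K(1)) pairs, one per key in the support of a flat
    distribution (duplicates allowed, i.e. a multigraph).  Returns the pair
    (eps_{0->1}, eps_{1->0}) for the optimal adversary, who on seeing the tag of bit b
    answers with the most frequent tag of 1-b among the keys consistent with it."""
    u_prime = len(support)
    mult = Counter(support)                         # multiplicity of each (left, right) edge
    by_left, by_right = defaultdict(list), defaultdict(list)
    for (left, right), m in mult.items():
        by_left[left].append(m)
        by_right[right].append(m)
    # Pr[see t_l] * Pr[best guess succeeds | t_l] = d(t_l)/u' * max_mult/d(t_l) = max_mult/u'
    eps01 = sum(Fraction(max(ms), u_prime) for ms in by_left.values())
    eps10 = sum(Fraction(max(ms), u_prime) for ms in by_right.values())
    return eps01, eps10

def lemma5_simple_bound(support, u, delta):
    """n_l/(delta u) and n_r/(delta u): Lemma 5's lower bounds, exact for simple p."""
    n_l = len({left for left, _ in support})
    n_r = len({right for _, right in support})
    return Fraction(n_l) / (delta * u), Fraction(n_r) / (delta * u)

def is_simple(support):
    """Simple = no two keys in the support give the same (tag of 0, tag of 1) pair."""
    return len(set(support)) == len(support)

def split_pad_support(s0_values, s1_values):
    """Split-pad MAC: key K = (s0, s1), E_K(0) = s0, E_K(1) = s1; the flat distribution
    is uniform over the constructed product set of pads."""
    return list(product(s0_values, s1_values))

def split_pad_cases(half_bits=4):
    """Three constructed key sources for an N = 2*half_bits-bit key (u = 2^N, n = 2^half_bits)."""
    n = 2 ** half_bits
    u = n * n
    tags = range(n)
    cases = {
        "uniform key (delta = 1)": (split_pad_support(tags, tags), Fraction(1)),
        "s0 restricted to 2 bits (delta = 1/4)": (split_pad_support(range(4), tags), Fraction(1, 4)),
        "s0 fixed (delta = 1/16)": (split_pad_support([0], tags), Fraction(1, 16)),
    }
    out = {}
    for name, (support, delta) in cases.items():
        assert len(support) == delta * u            # delta-uniform flat: exactly delta*u keys
        eps01, eps10 = forgery_probabilities(support)
        theorem2 = min(1 / (delta * Fraction(n)), Fraction(1))   # 1/(delta sqrt u), sqrt u = n
        out[name] = {"eps": max(eps01, eps10), "eps01": eps01, "eps10": eps10,
                     "lemma5": lemma5_simple_bound(support, u, delta),
                     "theorem2": theorem2, "simple": is_simple(support)}
    return out

def non_simple_example():
    """Two functionally identical keys per edge (u = 4, delta = 1): the adversary
    succeeds with probability 1, while the simple-case formula n_l/(delta u) gives 1/2."""
    support = [(0, 0), (0, 0), (1, 1), (1, 1)]
    eps01, _ = forgery_probabilities(support)
    simple_formula, _ = lemma5_simple_bound(support, 4, Fraction(1))
    return eps01, simple_formula
```

For the uniform key both forgery probabilities are $1/16 = 1/\sqrt{u}$; restricting $s_0$ leaves $\varepsilon_{0 \to 1}$ at $1/16$ but raises $\varepsilon_{1 \to 0}$ to $1/4 = 1/(\delta\sqrt{u})$, and fixing $s_0$ makes the tag of $0$ predictable with certainty, matching $\min[1/(\delta\sqrt{u}), 1]$ from Theorem 2 in all three cases. The last function shows why Lemma 5 is only an inequality for non-simple distributions: with duplicated keys, $n_\ell/(\delta u)$ undercounts the adversary's advantage.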
5 Conclusions and Further Research

In this work we investigated the extent to which conventional cryptographic primitives such as encryption and authentication can be built based on imperfect sources of randomness. In particular, we compared the class of such "cryptographic" sources for the applications above with the well-studied classes of weak (i.e., simulatable) and extractable random sources. Our results illustrate that the set of sources sufficient for various cryptographic applications seems to be quite different from the above well-studied classes, and also strongly depends on the cryptographic task at hand. Thus, cryptographic primitives do not inherently rely on ideal randomness, but cannot tolerate very general weak sources of randomness.

We believe that our initial investigation of the possibility of basing cryptography on imperfect random sources will inspire a lot of further research. In particular, many questions remain open. For example, it is interesting to extend our quantitative results for private-key encryption and especially authentication to larger than one-bit message spaces. It is also interesting to consider other information-theoretic primitives like authenticated encryption and secret sharing schemes. Finally, many new questions appear when we look at computationally secure primitives (like one-way functions or public-key encryption and signature schemes). In particular, we still have to rely on (possibly stronger!) computational assumptions in order to build computational primitives which are secure against various imperfect sources. Investigating which such sources can still be tolerated in this setting is a very interesting research direction.

Acknowledgments: We would like to thank Petar Maymounkov, Amit Sahai, Luca Trevisan and Salil Vadhan for useful discussions.

Publication date: 2002