Free-Start Distinguishing: Combining Two Types of Indistinguishability Amplification

The term indistinguishability amplification refers to a setting where a certain construction combines two (or more) cryptographic primitives of the same type to improve their indistinguishability from an ideal primitive. Various constructions achieving this property have been studied, both in the information-theoretic and computational setting. In the former, a result due to Maurer, Pietrzak and Renner describes the amplification achieved by a very general class of constructions called neutralizing. Two types of amplification are observed: a product theorem (bounding the advantage in distinguishing the construction by twice the product of individual advantages) and the amplification of the distinguisher class (the obtained construction is secure against a wider class of distinguishers). In this paper, we combine these two aspects of information-theoretic indistinguishability amplification. We derive a new bound for the general case of a neutralizing construction that keeps the structure of a product theorem, while also capturing the amplification of the distinguisher class. This improves both bounds mentioned above. The new technical notion we introduce, central to our analysis, is the notion of free-start distinguishing of systems. This describes the setting where the distinguisher is allowed to choose any common state for both systems and then it is supposed to distinguish these systems starting from that chosen state.