Leaky Pseudo-Entropy Functions
نویسندگان
چکیده
Pseudo-random functions (PRFs) introduced by Goldwasser, Goldreich, and Micali (FOCS 1984), are one of the most important building blocks in cryptography. A PRF family is a family of seeded functions {fs}, with the property that no efficient adversary can tell the difference between getting oracle access to a random PRF function fs, and getting oracle access to a truly random function. In this work, we consider the problem of constructing pseudo-random functions that are resilient to leakage. Unfortunately, even if a single bit about the secret seed s ∈ {0, 1}k is leaked, then there is no hope to construct a PRF, since the leakage can simply be the first bit of fs(0), and thus fs(0) is distinguishable from uniform. Therefore, when dealing with leakage, we must relax the definition. We consider the following relaxation: Instead of requiring that for each input x, the value fs(x) looks random, we require that it looks like it has high min-entropy, even given oracle access to fs everywhere except point x. We call such a function family a pseudo-entropy function (PEF) family. In particular, a leakage-resilient PEF family has the property that given leakage L(s) and given oracle access to fs, it is hard to predict fs on any input that was not queried. We construct such a leakage-resilient PEF family under the DDH assumption (or more generally, assuming the existence of lossy functions with the property that the output size is not much larger than the input size). We also show that leakage-resilient PEFs imply leakage-resilient random-input PRFs, where the requirement is that for a random input r, the value fs(r) looks uniform, even given the leakage L(s) and given oracle access to fs anywhere accept at point r (the leakage L(s) is independent of r, but the oracle fs is present even after the pair (r, fs(r)) is given).
منابع مشابه
On classical and quantal Kolmogorov entropies
The construction of a quantal Kolmogorov entropy that tends to the classical Kolmogorov entropy in the limit h -t 0 is discussed. The approach is to use sets of functions rather than disjoint partitions and involves the use of pseudo-differential operators.
متن کاملQualms concerning Tsallis’s condition of Pseudo-Additivity as a Definition of Non-Extensivity
The pseudo-additive relation that the Tsallis entropy satisfies has nothing whatsoever to do with the super-and sub-additivity properties of the entropy. The latter properties, like concavity and convexity, are couched in geometric inequalities and cannot be reduced to equalities. Rather, the pseudo-additivity relation is a functional equation that determines the functional forms of the random ...
متن کاملRobustness of the Learning with Errors Assumption Citation
Starting with the work of Ishai-Sahai-Wagner and Micali-Reyzin, a new goal has been set within the theory of cryptography community, to design cryptographic primitives that are secure against large classes of side-channel attacks. Recently, many works have focused on designing various cryptographic primitives that are robust (retain security) even when the secret key is “leaky”, under various i...
متن کاملRobustness of the Learning with Errors Assumption
Starting with the work of Ishai-Sahai-Wagner and Micali-Reyzin, a new goal has been set within the theory of cryptography community, to design cryptographic primitives that are secure against large classes of side-channel attacks. Recently, many works have focused on designing various cryptographic primitives that are robust (retain security) even when the secret key is “leaky”, under various i...
متن کاملNongeneralizability of Tsallis Entropy by means of Kolmogorov-Nagumo averages under pseudo-additivity
As additivity is a characteristic property of the classical information measure, Shannon entropy, pseudo-additivity of the form x+qy = x+y+(1−q)xy is a characteristic property of Tsallis entropy. Rényi in [1] generalized Shannon entropy by means of Kolmogorov-Nagumo averages, by imposing additivity as a constraint. In this paper we show that there exists no generalization for Tsallis entropy, b...
متن کامل