Does privacy require true randomness?

Carl Bosley, Yevgeniy Dodis

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Most cryptographic primitives require randomness (for example, to generate their secret keys). Usually, one assumes that perfect randomness is available, but, conceivably, such primitives might be built under weaker, more realistic assumptions. This is known to be true for many authentication applications, when entropy alone is typically sufficient. In contrast, all known techniques for achieving privacy seem to fundamentally require (nearly) perfect randomness. We ask the question whether this is just a coincidence, or, perhaps, privacy inherently requires true randomness? We completely resolve this question for the case of (information-theoretic) private-key encryption, where parties wish to encrypt a b-bit value using a shared secret key sampled from some imperfect source of randomness script J sign. Our main result shows that if such n-bit source script J sign allows for a secure encryption of b bits, where b > log n, then one can deterministically extract nearly b almost perfect random bits from script J sign. Further, the restriction that b > log n is nearly tight: there exist sources script J sign allowing one to perfectly encrypt (log n -loglog n) bits, but not to deterministically extract even a single slightly unbiased bit. Hence, to a large extent, true randomness is inherent for encryption: either the key length must be exponential in the message length b, or one can deterministically extract nearly b almost unbiased random bits from the key. In particular, the one-time pad scheme is essentially "universal". Our technique also extends to related computational primitives which are perfectly-binding, such as perfectly-binding commitment and computationally secure private- or public-key encryption, showing the necessity to efficiently extract almost b pseudorandom bits.

Original languageEnglish (US)
Title of host publicationTheory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings
Pages1-20
Number of pages20
Volume4392 LNCS
StatePublished - 2007
Event4th Theory of Cryptography Conference, TCC 2OO7 - Amsterdam, Netherlands
Duration: Feb 21 2007Feb 24 2007

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume4392 LNCS
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other4th Theory of Cryptography Conference, TCC 2OO7
CountryNetherlands
CityAmsterdam
Period2/21/072/24/07

Fingerprint

Privacy
Randomness
Entropy
Encryption
Cryptography
Public Key Encryption
Coincidence
Imperfect
Authentication
Resolve
Sufficient
Restriction

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Bosley, C., & Dodis, Y. (2007). Does privacy require true randomness? In Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings (Vol. 4392 LNCS, pp. 1-20). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4392 LNCS).

Does privacy require true randomness? / Bosley, Carl; Dodis, Yevgeniy.

Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings. Vol. 4392 LNCS 2007. p. 1-20 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4392 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Bosley, C & Dodis, Y 2007, Does privacy require true randomness? in Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings. vol. 4392 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4392 LNCS, pp. 1-20, 4th Theory of Cryptography Conference, TCC 2OO7, Amsterdam, Netherlands, 2/21/07.
Bosley C, Dodis Y. Does privacy require true randomness? In Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings. Vol. 4392 LNCS. 2007. p. 1-20. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
Bosley, Carl ; Dodis, Yevgeniy. / Does privacy require true randomness?. Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings. Vol. 4392 LNCS 2007. pp. 1-20 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{348164c605d64a1a8055d437857ce26e,
title = "Does privacy require true randomness?",
abstract = "Most cryptographic primitives require randomness (for example, to generate their secret keys). Usually, one assumes that perfect randomness is available, but, conceivably, such primitives might be built under weaker, more realistic assumptions. This is known to be true for many authentication applications, when entropy alone is typically sufficient. In contrast, all known techniques for achieving privacy seem to fundamentally require (nearly) perfect randomness. We ask the question whether this is just a coincidence, or, perhaps, privacy inherently requires true randomness? We completely resolve this question for the case of (information-theoretic) private-key encryption, where parties wish to encrypt a b-bit value using a shared secret key sampled from some imperfect source of randomness script J sign. Our main result shows that if such n-bit source script J sign allows for a secure encryption of b bits, where b > log n, then one can deterministically extract nearly b almost perfect random bits from script J sign. Further, the restriction that b > log n is nearly tight: there exist sources script J sign allowing one to perfectly encrypt (log n -loglog n) bits, but not to deterministically extract even a single slightly unbiased bit. Hence, to a large extent, true randomness is inherent for encryption: either the key length must be exponential in the message length b, or one can deterministically extract nearly b almost unbiased random bits from the key. In particular, the one-time pad scheme is essentially {"}universal{"}. Our technique also extends to related computational primitives which are perfectly-binding, such as perfectly-binding commitment and computationally secure private- or public-key encryption, showing the necessity to efficiently extract almost b pseudorandom bits.",
author = "Carl Bosley and Yevgeniy Dodis",
year = "2007",
language = "English (US)",
isbn = "9783540709350",
volume = "4392 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "1--20",
booktitle = "Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings",

}

TY - GEN

T1 - Does privacy require true randomness?

AU - Bosley, Carl

AU - Dodis, Yevgeniy

PY - 2007

Y1 - 2007

N2 - Most cryptographic primitives require randomness (for example, to generate their secret keys). Usually, one assumes that perfect randomness is available, but, conceivably, such primitives might be built under weaker, more realistic assumptions. This is known to be true for many authentication applications, when entropy alone is typically sufficient. In contrast, all known techniques for achieving privacy seem to fundamentally require (nearly) perfect randomness. We ask the question whether this is just a coincidence, or, perhaps, privacy inherently requires true randomness? We completely resolve this question for the case of (information-theoretic) private-key encryption, where parties wish to encrypt a b-bit value using a shared secret key sampled from some imperfect source of randomness script J sign. Our main result shows that if such n-bit source script J sign allows for a secure encryption of b bits, where b > log n, then one can deterministically extract nearly b almost perfect random bits from script J sign. Further, the restriction that b > log n is nearly tight: there exist sources script J sign allowing one to perfectly encrypt (log n -loglog n) bits, but not to deterministically extract even a single slightly unbiased bit. Hence, to a large extent, true randomness is inherent for encryption: either the key length must be exponential in the message length b, or one can deterministically extract nearly b almost unbiased random bits from the key. In particular, the one-time pad scheme is essentially "universal". Our technique also extends to related computational primitives which are perfectly-binding, such as perfectly-binding commitment and computationally secure private- or public-key encryption, showing the necessity to efficiently extract almost b pseudorandom bits.

AB - Most cryptographic primitives require randomness (for example, to generate their secret keys). Usually, one assumes that perfect randomness is available, but, conceivably, such primitives might be built under weaker, more realistic assumptions. This is known to be true for many authentication applications, when entropy alone is typically sufficient. In contrast, all known techniques for achieving privacy seem to fundamentally require (nearly) perfect randomness. We ask the question whether this is just a coincidence, or, perhaps, privacy inherently requires true randomness? We completely resolve this question for the case of (information-theoretic) private-key encryption, where parties wish to encrypt a b-bit value using a shared secret key sampled from some imperfect source of randomness script J sign. Our main result shows that if such n-bit source script J sign allows for a secure encryption of b bits, where b > log n, then one can deterministically extract nearly b almost perfect random bits from script J sign. Further, the restriction that b > log n is nearly tight: there exist sources script J sign allowing one to perfectly encrypt (log n -loglog n) bits, but not to deterministically extract even a single slightly unbiased bit. Hence, to a large extent, true randomness is inherent for encryption: either the key length must be exponential in the message length b, or one can deterministically extract nearly b almost unbiased random bits from the key. In particular, the one-time pad scheme is essentially "universal". Our technique also extends to related computational primitives which are perfectly-binding, such as perfectly-binding commitment and computationally secure private- or public-key encryption, showing the necessity to efficiently extract almost b pseudorandom bits.

UR - http://www.scopus.com/inward/record.url?scp=38049035373&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=38049035373&partnerID=8YFLogxK

M3 - Conference contribution

SN - 9783540709350

VL - 4392 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 20

BT - Theory of Cryptography - 4th Theory of Cryptography Conference, TCC 2007, Proceedings

ER -