Entropic security and the encryption of high entropy messages

Yevgeniy Dodis, Adam Smith

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study entropic security, an information-theoretic notion of security introduced by Russell and Wang [24] in the context of encryption and by Canetti et al. [5, 6] in the context of hash functions. Informally, a probabilistic map Y = ε(X) (e.g., an encryption scheme or a hash function) is entropically secure if knowledge of Y does not help predicting any predicate of X, whenever X has high min-entropy from the adversary's point of view. On one hand, we strengthen the formulation of [5, 6, 24] and show that entropic security in fact implies that Y does not help predicting any function of X (as opposed to a predicate), bringing this notion closer to the conventional notion of semantic security [10]. On the other hand, we also show that entropic security is equivalent to indistinguishability on pairs of input distributions of sufficiently high entropy, which is in turn related to randomness extraction from non-uniform distributions. We then use the equivalence above, and the connection to randomness extraction, to prove several new results on entropically-secure encryption. First, we give two general frameworks for constructing entropically secure encryption schemes: one based on expander graphs and the other on XOR-universal hash functions. These schemes generalize the schemes of Russell and Wang, yielding simpler constructions and proofs, as well as improved parameters. To encrypt an n-bit message of min-entropy t while allowing at most ε-advantage to the adversary, our best schemes use a shared secret key of length k = n - t + 2 log (1/ε). Second, we obtain lower bounds on the key length k for entropic security and indistinguishability. In particular, we show near tightness of our constructions: k > n - t. For a large class of schemes - including all the schemes we study - the bound can be strengthened to k ≥ n - t + log (1/ε) - O(1).

Original language: English (US)
Title of host publication: Lecture Notes in Computer Science
Editors: J. Kilian
Pages: 556-577
Number of pages: 22
Volume: 3378
State: Published - 2005
Event: Second Theory of Cryptography Conference, TCC 2005 - Cambridge, MA, United States
Duration: Feb 10 2005 → Feb 12 2005

Other

Other: Second Theory of Cryptography Conference, TCC 2005
Country: United States
City: Cambridge, MA
Period: 2/10/05 → 2/12/05

Fingerprint

Cryptography
Hash functions
Entropy
Semantics

ASJC Scopus subject areas

  • Computer Science (miscellaneous)

Cite this

Dodis, Y., & Smith, A. (2005). Entropic security and the encryption of high entropy messages. In J. Kilian (Ed.), Lecture Notes in Computer Science (Vol. 3378, pp. 556-577)

Entropic security and the encryption of high entropy messages. / Dodis, Yevgeniy; Smith, Adam.

Lecture Notes in Computer Science. ed. / J. Kilian. Vol. 3378 2005. p. 556-577.

Dodis, Y & Smith, A 2005, Entropic security and the encryption of high entropy messages. in J Kilian (ed.), Lecture Notes in Computer Science. vol. 3378, pp. 556-577, Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, United States, 2/10/05.
Dodis Y, Smith A. Entropic security and the encryption of high entropy messages. In Kilian J, editor, Lecture Notes in Computer Science. Vol. 3378. 2005. p. 556-577
Dodis, Yevgeniy ; Smith, Adam. / Entropic security and the encryption of high entropy messages. Lecture Notes in Computer Science. editor / J. Kilian. Vol. 3378 2005. pp. 556-577
@inproceedings{9caa8a277a4043bbb77f7046c921a46f,
title = "Entropic security and the encryption of high entropy messages",
abstract = "We study entropic security, an information-theoretic notion of security introduced by Russell and Wang [24] in the context of encryption and by Canetti et al. [5, 6] in the context of hash functions. Informally, a probabilistic map Y = ε(X) (e.g., an encryption scheme or a hash function) is entropically secure if knowledge of Y does not help predicting any predicate of X, whenever X has high min-entropy from the adversary's point of view. On one hand, we strengthen the formulation of [5, 6, 24] and show that entropic security in fact implies that Y does not help predicting any function of X (as opposed to a predicate), bringing this notion closer to the conventional notion of semantic security [10]. On the other hand, we also show that entropic security is equivalent to indistinguishability on pairs of input distributions of sufficiently high entropy, which is in turn related to randomness extraction from non-uniform distributions. We then use the equivalence above, and the connection to randomness extraction, to prove several new results on entropically-secure encryption. First, we give two general frameworks for constructing entropically secure encryption schemes: one based on expander graphs and the other on XOR-universal hash functions. These schemes generalize the schemes of Russell and Wang, yielding simpler constructions and proofs, as well as improved parameters. To encrypt an n-bit message of min-entropy t while allowing at most ε-advantage to the adversary, our best schemes use a shared secret key of length k = n - t + 2 log (1/ε). Second, we obtain lower bounds on the key length k for entropic security and indistinguishability. In particular, we show near tightness of our constructions: k > n - t. For a large class of schemes - including all the schemes we study - the bound can be strengthened to k ≥ n - t + log (1/ε) - O(1).",
author = "Yevgeniy Dodis and Adam Smith",
year = "2005",
language = "English (US)",
volume = "3378",
pages = "556--577",
editor = "J. Kilian",
booktitle = "Lecture Notes in Computer Science",

}

TY - GEN

T1 - Entropic security and the encryption of high entropy messages

AU - Dodis, Yevgeniy

AU - Smith, Adam

PY - 2005

Y1 - 2005

N2 - We study entropic security, an information-theoretic notion of security introduced by Russell and Wang [24] in the context of encryption and by Canetti et al. [5, 6] in the context of hash functions. Informally, a probabilistic map Y = ε(X) (e.g., an encryption scheme or a hash function) is entropically secure if knowledge of Y does not help predicting any predicate of X, whenever X has high min-entropy from the adversary's point of view. On one hand, we strengthen the formulation of [5, 6, 24] and show that entropic security in fact implies that Y does not help predicting any function of X (as opposed to a predicate), bringing this notion closer to the conventional notion of semantic security [10]. On the other hand, we also show that entropic security is equivalent to indistinguishability on pairs of input distributions of sufficiently high entropy, which is in turn related to randomness extraction from non-uniform distributions. We then use the equivalence above, and the connection to randomness extraction, to prove several new results on entropically-secure encryption. First, we give two general frameworks for constructing entropically secure encryption schemes: one based on expander graphs and the other on XOR-universal hash functions. These schemes generalize the schemes of Russell and Wang, yielding simpler constructions and proofs, as well as improved parameters. To encrypt an n-bit message of min-entropy t while allowing at most ε-advantage to the adversary, our best schemes use a shared secret key of length k = n - t + 2 log (1/ε). Second, we obtain lower bounds on the key length k for entropic security and indistinguishability. In particular, we show near tightness of our constructions: k > n - t. For a large class of schemes - including all the schemes we study - the bound can be strengthened to k ≥ n - t + log (1/ε) - O(1).

UR - http://www.scopus.com/inward/record.url?scp=24144460521&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=24144460521&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:24144460521

VL - 3378

SP - 556

EP - 577

BT - Lecture Notes in Computer Science

A2 - Kilian, J.

ER -