---
_id: '1179'
abstract:
- lang: eng
text: "Computational notions of entropy have recently found many applications, including
leakage-resilient cryptography, deterministic encryption or memory delegation.
The two main types of results which make computational notions so useful are (1)
Chain rules, which quantify by how much the computational entropy of a variable
decreases if conditioned on some other variable (2) Transformations, which quantify
to which extend one type of entropy implies another.\r\n\r\nSuch chain rules and
transformations typically lose a significant amount in quality of the entropy,
and are the reason why applying these results one gets rather weak quantitative
security bounds. In this paper we for the first time prove lower bounds in this
context, showing that existing results for transformations are, unfortunately,
basically optimal for non-adaptive black-box reductions (and it’s hard to imagine
how non black-box reductions or adaptivity could be useful here.)\r\n\r\nA variable
X has k bits of HILL entropy of quality (ϵ,s)\r\nif there exists a variable Y
with k bits min-entropy which cannot be distinguished from X with advantage ϵ\r\n\r\nby
distinguishing circuits of size s. A weaker notion is Metric entropy, where we
switch quantifiers, and only require that for every distinguisher of size s, such
a Y exists.\r\n\r\nWe first describe our result concerning transformations. By
definition, HILL implies Metric without any loss in quality. Metric entropy often
comes up in applications, but must be transformed to HILL for meaningful security
guarantees. The best known result states that if a variable X has k bits of Metric
entropy of quality (ϵ,s)\r\n, then it has k bits of HILL with quality (2ϵ,s⋅ϵ2).
We show that this loss of a factor Ω(ϵ−2)\r\n\r\nin circuit size is necessary.
In fact, we show the stronger result that this loss is already necessary when
transforming so called deterministic real valued Metric entropy to randomised
boolean Metric (both these variants of Metric entropy are implied by HILL without
loss in quality).\r\n\r\nThe chain rule for HILL entropy states that if X has
k bits of HILL entropy of quality (ϵ,s)\r\n, then for any variable Z of length
m, X conditioned on Z has k−m bits of HILL entropy with quality (ϵ,s⋅ϵ2/2m). We
show that a loss of Ω(2m/ϵ) in circuit size necessary here. Note that this still
leaves a gap of ϵ between the known bound and our lower bound."
acknowledgement: "K. Pietrzak—Supported by the European Research Council consolidator
grant (682815-TOCNeT).\r\nM. Skórski—Supported by the National Science Center, Poland
(2015/17/N/ST6/03564)."
alternative_title:
- LNCS
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Skorski
full_name: Maciej, Skorski
last_name: Maciej
citation:
ama: 'Pietrzak KZ, Maciej S. Pseudoentropy: Lower-bounds for chain rules and transformations.
In: Vol 9985. Springer; 2016:183-203. doi:10.1007/978-3-662-53641-4_8'
apa: 'Pietrzak, K. Z., & Maciej, S. (2016). Pseudoentropy: Lower-bounds for
chain rules and transformations (Vol. 9985, pp. 183–203). Presented at the TCC:
Theory of Cryptography Conference, Beijing, China: Springer. https://doi.org/10.1007/978-3-662-53641-4_8'
chicago: 'Pietrzak, Krzysztof Z, and Skorski Maciej. “Pseudoentropy: Lower-Bounds
for Chain Rules and Transformations,” 9985:183–203. Springer, 2016. https://doi.org/10.1007/978-3-662-53641-4_8.'
ieee: 'K. Z. Pietrzak and S. Maciej, “Pseudoentropy: Lower-bounds for chain rules
and transformations,” presented at the TCC: Theory of Cryptography Conference,
Beijing, China, 2016, vol. 9985, pp. 183–203.'
ista: 'Pietrzak KZ, Maciej S. 2016. Pseudoentropy: Lower-bounds for chain rules
and transformations. TCC: Theory of Cryptography Conference, LNCS, vol. 9985,
183–203.'
mla: 'Pietrzak, Krzysztof Z., and Skorski Maciej. *Pseudoentropy: Lower-Bounds
for Chain Rules and Transformations*. Vol. 9985, Springer, 2016, pp. 183–203,
doi:10.1007/978-3-662-53641-4_8.'
short: K.Z. Pietrzak, S. Maciej, in:, Springer, 2016, pp. 183–203.
conference:
end_date: 2016-11-03
location: Beijing, China
name: 'TCC: Theory of Cryptography Conference'
start_date: 2016-10-31
date_created: 2018-12-11T11:50:34Z
date_published: 2016-10-22T00:00:00Z
date_updated: 2021-01-12T06:48:53Z
day: '22'
department:
- _id: KrPi
doi: 10.1007/978-3-662-53641-4_8
ec_funded: 1
intvolume: ' 9985'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/159
month: '10'
oa: 1
oa_version: Preprint
page: 183 - 203
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6175'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Pseudoentropy: Lower-bounds for chain rules and transformations'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9985
year: '2016'
...