{"_id":"2185","author":[{"full_name":"Dodis, Yevgeniy","last_name":"Dodis","first_name":"Yevgeniy"},{"orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","first_name":"Krzysztof Z"},{"first_name":"Daniel","last_name":"Wichs","full_name":"Wichs, Daniel"}],"file_date_updated":"2020-07-14T12:45:31Z","intvolume":" 8441","quality_controlled":"1","publication_status":"published","alternative_title":["LNCS"],"department":[{"_id":"KrPi"}],"doi":"10.1007/978-3-642-55220-5_6","page":"93 - 110","title":"Key derivation without entropy waste","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","month":"04","date_created":"2018-12-11T11:56:12Z","oa":1,"editor":[{"first_name":"Phong","last_name":"Nguyen","full_name":"Nguyen, Phong"},{"last_name":"Oswald","full_name":"Oswald, Elisabeth","first_name":"Elisabeth"}],"language":[{"iso":"eng"}],"type":"conference","abstract":[{"lang":"eng","text":"We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is 'close' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called "square- friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced" security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers."}],"publist_id":"4795","citation":{"apa":"Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6","chicago":"Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6.","ista":"Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110.","ieee":"Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.","ama":"Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6","mla":"Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.","short":"Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer, 2014, pp. 93–110."},"oa_version":"Submitted Version","date_published":"2014-04-01T00:00:00Z","file":[{"date_updated":"2020-07-14T12:45:31Z","creator":"system","access_level":"open_access","file_name":"IST-2016-680-v1+1_708.pdf","checksum":"da1aa01221086083b23c92e547b48ff4","content_type":"application/pdf","file_size":505389,"relation":"main_file","file_id":"4705","date_created":"2018-12-12T10:08:43Z"}],"pubrep_id":"680","ddc":["000","004"],"volume":8441,"year":"2014","day":"01","status":"public","publisher":"Springer","date_updated":"2021-01-12T06:55:51Z","conference":{"end_date":"2014-05-15","start_date":"2014-05-11","location":"Copenhagen, Denmark","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"has_accepted_license":"1","scopus_import":1}