{"editor":[{"full_name":"Nguyen, Phong","last_name":"Nguyen","first_name":"Phong"},{"first_name":"Elisabeth","last_name":"Oswald","full_name":"Oswald, Elisabeth"}],"file":[{"file_id":"4705","relation":"main_file","date_created":"2018-12-12T10:08:43Z","file_name":"IST-2016-680-v1+1_708.pdf","date_updated":"2020-07-14T12:45:31Z","creator":"system","content_type":"application/pdf","file_size":505389,"checksum":"da1aa01221086083b23c92e547b48ff4","access_level":"open_access"}],"intvolume":" 8441","page":"93 - 110","date_updated":"2021-01-12T06:55:51Z","date_created":"2018-12-11T11:56:12Z","scopus_import":1,"citation":{"mla":"Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.","short":"Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer, 2014, pp. 93–110.","ieee":"Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.","chicago":"Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6.","ista":"Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110.","apa":"Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6","ama":"Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6"},"conference":{"name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques","start_date":"2014-05-11","location":"Copenhagen, Denmark","end_date":"2014-05-15"},"publication_status":"published","status":"public","abstract":[{"lang":"eng","text":"We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is 'close' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called "square- friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced" security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers."}],"doi":"10.1007/978-3-642-55220-5_6","oa_version":"Submitted Version","year":"2014","author":[{"full_name":"Dodis, Yevgeniy","first_name":"Yevgeniy","last_name":"Dodis"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z"},{"full_name":"Wichs, Daniel","first_name":"Daniel","last_name":"Wichs"}],"has_accepted_license":"1","file_date_updated":"2020-07-14T12:45:31Z","oa":1,"quality_controlled":"1","publist_id":"4795","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","_id":"2185","publisher":"Springer","language":[{"iso":"eng"}],"type":"conference","pubrep_id":"680","department":[{"_id":"KrPi"}],"ddc":["000","004"],"month":"04","date_published":"2014-04-01T00:00:00Z","day":"01","alternative_title":["LNCS"],"title":"Key derivation without entropy waste","volume":8441}