On the (Non)Universality of the One-Time Pad

On the (Non)Universality of the One-Time Pad

On the (non)Universality of the One-Time Pad Yevgeniy Dodis Joel Spencer Department of Computer Science Department of Computer Science New York University New York University Email: [email protected] Email: [email protected] Abstract 1 Imperfect Random Sources Randomization is vital in cryptography: secret keys Randomization has proved to be extremely useful and should be randomly generated and most cryptographic fundamental in many areas of computer science, such as primitives (e.g., encryption) must be probabilistic. As a approximation algorithms, counting problems, distributed common abstraction, it is assumed that there is a source of computing, primality testing, as well as cryptographic pro- truly random bits available to all the participants of the sys- tocols (which is the topic of this paper). The common ab- tem. While convenient, this assumption is often highly un- straction used to introduce randomness into computation realistic, and cryptographic systems have to be built based is that the underlying algorithm has access to a stream of on imperfect sources of randomness. Remarkably, this fun- completely unbiased and independent random bits. This ab- damental problem has received little or no attention so far, straction allows one to use randomness in a clean way, sep- despite the fact that a related question of simulating prob- arating out the issue of actually generating such “strong” abilistic (BPP) algorithms with imperfect random sources random bits. Unfortunately, in reality we do not have has a long and rich history. sources that emit perfectly uniform and independent ran- In this work we initiate the quantitative study concerning dom bits. However, there are many sources whose outputs feasibility of building secure cryptographic primitives us- (which need not be bits) are believed to be “somewhat ran- ing imperfect random sources. Specifically, we concentrate dom”. Such sources are generally called imperfect random on symmetric-key encryption and message authentication, sources. We remark that the “imperfectness” of the source where the shared secret key comes from an imperfect ran- does not only come from the fact that it does not generate dom source instead of being assumed truly random. In each uniform random bits, but also because the exact source dis- case, we compare the class of “cryptographic” sources for tribution is usually unknown; instead, only some property the task at hand with the classes of “extractable” and “sim- the distribution is known (like no string is excessively likely, ulatable” sources, where: (1) “cryptographic” refers to etc.), and our proposed usage of a given source should work sources for which the corresponding symmetric-key prim- for any distribution satisfying this property. Thus, “imper- itive can be build; (2) “extractable” refers to a very narrow fect source” literally means “an unknown source from a class of sources from which one can extract nearly perfect given family of probability distributions”. randomness; and (3) “simulatable” refers to a very general A large amount of research has been devoted to filling class of weak random sources which are known to suffice in the gap between such realistic imperfect sources and the for BPP simulation. For both encryption and authentica- ideal sources of randomness that are actually used in de- tion, we show that the corresponding cryptographic sources signing various algorithms and protocols. As we will argue lie strictly in between extractable and simulatable sources, below, the current body of knowledge nevertheless leaves which implies that “cryptographic usage” of randomness is a large gap in understanding the usefulness of imperfect more demanding than the corresponding “algorithmic us- sources for various cryptographic purposes. Indeed, we age”, but still does not require perfect randomness. Inter- can roughly separate the following two major questions that estingly, cryptographic sources for encryption and authen- have been addressed so far in studying imperfect random tication are also quite different from each other, which sug- sources, none of which directly dealing with cryptography: gests that there might not be an elegant way to describe im- perfect sources sufficient for “general cryptographic use”. ¯ Simulation: can we efficiently simulate a probabilis- We believe that our initial investigation in this new area will tic (BPP) algorithm with a given source? inspire a lot of further research. ¯ Extraction: can we extract almost perfect random- ness from a given source? The first question addresses the problem if a given source fixing sources, and already mentioned weak sources (the lat- is acceptable for universal probabilistic computation of ter being significantly more general than the former two). decision or optimization problems (i.e., problems with a STREAMING SOURCES. Like the ideal source, a stream- unique “correct” output which are potentially solved more ing source produces a stream of bits incrementally over efficiently using randomization). The second question goes time, but these bits are not necessarily unbiased or inde- for a conceptually cleaner approach in trying to provide — pendent (exact details depend on the streaming source con- when possible – a “compiler” for a given imperfect source. sidered). The first works [34, 12, 5] considered stream- The complier first extracts almost perfect randomness from ing sources which generated highly independent (but pos- the source, which can then be used for any application orig- sibly biased) random bits. As a result, elegant techniques inally designed to work with ideal random bits. Clearly, were developed to extract many ideal random bits from extraction from a given source is a very desirable prop- such highly “regular” sources. Unfortunately, once the erty to have, since it solves a much broader problem that strong independence requirement was relaxed, many im- BPP simulation. For example, “extractable” sources can be possibility results were obtained. The first quite striking used in any cryptographic application (like secure encryp- negative result was obtained by S´antha and Vazirani [23], tion), but not every “simulatable” source can [19] (see be- who demonstrated that not even a single almost random bit low). Unfortunately, as shown below, the set of extractable can be extracted if every bit of the source can be slightly sources is also dramatically smaller than the set of simulat- biased and depend on all the previous bits. Lichtenstein et able sources. al. [18] showed a mix of positive and (mainly) negative re- SIMULATABLE SOURCES. It turns out that the class of sults when few bits of the source could be arbitrarily biased simulatable sources is extremely large. In particular, more while the rest were truly random. Dodis [10] showed even and more imperfect (so called “weak”) random sources have more negative results for the common generalization of the been shown to be simulatable [32, 30, 8, 9, 35, 2], cul- above two sources. minating in using extremely weak sources [2]. The only thing guaranteed about a weak source is that no particular BIT-FIXING SOURCES. A bit-fixing source produces (at string has a very high probability of occurring. This is char- once) a string of Æ bits, some of which (say, ) are adver- ´Æ µ sarially fixed, but the other are truly random. acterized by a parameter (called the min-entropy of the source) by saying that no string (of some given length) oc- The goal of extraction for such sources is to design a func- tion (called a resilient function) whose output is “close” to curs with probability more than ¾ (for any distribution of the source). The optimal result of [2] then says that BPP random no matter which input bits are fixed. It turns out that there is a huge difference depending on whether the simulation is possible for any Æ -bit weak source of min- ­ “fixed” bits get set before or after the random bits are cho- ­ ¼ entropy at least Æ , for some (arbitrarily small) . Interestingly, we will see that weak sources are typically sen. In the first scenario (studied by [31, 7, 3, 13, 17, 11]), far too general for any randomness extraction (e.g., none of quite positive and by now nearly optimal results are known the sources [32, 30, 8, 9, 35, 2] is extractable). Instead, the for extracting many bits (one perfect bit is trivially ex- works above take advantage of the fact that even though it tracted by the parity function). In particular, close to is impossible to generate almost random bits from the cor- nearly perfect bits can be extracted in this setting [11]. In responding weak sources, it is possible to generate random the second scenario ( fixed bits are set after the ran- strings, a majority of which avoid falling into the negligi- dom bits), even one bit is hard to extract: the optimal ¾ Æ ÐÓ Æ µ bly small set of “bad” strings. Running the given algorithm for this task lies somewhere between ª´ [1] and ´Æ ÐÓ Æ µ many times on varioussuch pseudorandomstrings and com- Ç [16]. puting some statistics, a correct answer is given with high WEAK SOURCES. Originated by Chor and Goldreich [8], probability. much subsequent research has been dedicated to various Unfortunately, most of the above methods are not ap- flavors of the so called weak random sources. Recall, a plicable for cryptographic use, where the randomness is fixed distribution has min-entropy if no element can occur needed by the application itself, and not mainly for the pur- with probability more that ¾ . Generally, a min-entropy poses of efficiency. Indeed, McInnes and Pinkas [19] have of a probability distribution is considered the right measure shown that none of the simulatable sources above can be for the amount of “randomness” it contains. An imperfect used to securely encrypt even a single bit! (See Section 2). source has min-entropy if all of its distributions have min- EXTRACTION FROM IMPERFECT SOURCES. As we will entropy , even though not all such distributions might be- see, extraction is much harder to achieve than simulation, longto the source.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us