Abstract
We introduce hardness in relative entropy, a new notion of hardness for search problems which on the one hand is satisfied by all one-way functions and on the other hand implies both next-block pseudoentropy and inaccessible entropy, two forms of computational entropy used in recent constructions of pseudorandom generators and statistically hiding commitment schemes, respectively. Thus, hardness in relative entropy unifies the latter two notions of computational entropy and sheds light on the apparent “duality” between them. Additionally, it yields a more modular and illuminating proof that one-way functions imply next-block inaccessible entropy, similar in structure to the proof that one-way functions imply next-block pseudoentropy (Vadhan and Zheng, STOC ‘12).
R. Agrawal—Supported by the Department of Defense (DoD) through the National Defense Science & Engineering Graduate Fellowship (NDSEG) Program.
Y.-H. Chen—Supported by NSF grant CCF-1763299.
T. Horel—Supported in part by the National Science Foundation under grants CAREER IIS-1149662, CNS-1237235 and CCF-1763299, by the Office of Naval Research under grants YIP N00014-14-1-0485 and N00014-17-1-2131, and by a Google Research Award.
S. Vadhan—Supported by NSF grant CCF-1763299.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Recall that for random variables A and B with \({{\,\mathrm{Supp}\,}}(A)\subseteq {{\,\mathrm{Supp}\,}}(B)\), the relative entropy is defined by
. - 2.
Relative entropy is also commonly referred to as Kullback–Liebler divergence, which explains the standard \({{\,\mathrm{KL}\,}}\) notation. We prefer to use relative entropy to have more uniformity across the notions discussed in this work.
- 3.
We used the unconventional notation y for the instance (instead of x) because our relations will often be of the form \(\varPi ^f\) for some function f; in this case an instance is some y in the range of f and a witness for y is any preimage \(x\in f^{-1}(y)\).
- 4.
For the theorems in this paper that relate two notions of hardness, the notation \(t'=\varOmega (t)\) means that there exists a constant C depending only on the computational model such that \(t'\ge C\cdot t\).
- 5.
As already mentioned in the introduction, this notion was in fact called “\({{\,\mathrm{KL}\,}}\)-hardness for sampling” in [21] but we rename it here to unify the terminology between the various notions discussed here.
- 6.
We write \(m+1\) the total number of blocks, since in this section we will think of \(Y_{m+1}\) (also written as W) as the witness of distributional search problem and \((Y_1,\dots ,Y_m)\) are the blocks of the instance as in the previous section.
- 7.
For example, the distribution \((Y_{\le m}, Y_{m+1}) = (f(U), U)\) for a function f and uniform input U is always a flat distribution even if f itself is not regular.
.References
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo random bits. In: Proceedings of the 23th Annual Symposium on Foundations of Computer Science (FOCS), pp. 112–117 (1982)
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)
Ding, Y.Z., Harnik, D., Rosen, A., Shaltiel, R.: Constant-round oblivious transfer in the bounded storage model. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 446–472. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_25
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229. ACM Press (1987)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(1), 691–729 (1991)
Haitner, I., Holenstein, T., Reingold, O., Vadhan, S.P., Wee, H.: Universal one-way hash functions via inaccessible entropy. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 616–637. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_31
Haitner, I., Nguyen, M., Ong, S.J., Reingold, O., Vadhan, S.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)
Haitner, I., Reingold, O., Vadhan, S.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Proceedings of the 42nd Annual ACM Symposium on Theory of Computing (STOC), pp. 437–446 (2010)
Haitner, I., Reingold, O., Vadhan, S., Wee, H.: Inaccessible entropy. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC 2009), pp. 611–620, 31 May–2 June 2009
Haitner, I., Reingold, O., Vadhan, S.P.: Eciency improvements in constructing pseudorandom generators from one-way functions. SIAM J. Comput. 42(3), 1405–1430 (2013). https://doi.org/10.1137/100814421
Haitner, I., Reingold, O., Vadhan, S.P., Wee, H.: Inaccessible entropy I: inaccessible entropy generators and statistically hiding commitments from one-way functions (2016). www.cs.tau.ac.il/~iftachh/papers/AccessibleEntropy/IE1.pdf. To appear. Preliminary version, named Inaccessible Entropy, appeared in STOC 2009
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), pp. 230–235 (1989)
Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Perfect zero-knowledge arguments for NP using any one-way permutation. J. Cryptol. 11(2), 87–108 (1998). Preliminary version in CRYPTO 1992
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), pp. 33–43. ACM Press (1989)
Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), pp. 387–394 (1990)
Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 2012, pp. 817–836 (2012). http://doi.acm.org/10.1145/2213977.2214051
Yao, A.C.: Theory and applications of trapdoor functions. In: Proceedings of the 23th Annual Symposium on Foundations of Computer Science (FOCS), pp. 80–91 (1982)
Acknowledgements
We thank Muthuramakrishnan Venkitasubramaniam for an inspiring conversation which sparked this work.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
A Missing Proofs
A Missing Proofs
Lemma A.1
For all \(t \ge 1\), \(f:x\mapsto \frac{x}{1-(1-x)^t}\) is convex over [0, 1].
Proof
We instead show convexity of \(\tilde{f}:x\mapsto f(1-x)\). A straightforward computation gives:
so that it suffices to show the non-negativity of \(g(x) = t(1-x)(x^t+1) - (1+x)(1-x^t)\) over [0, 1]. The function g has second derivative \(t(1-x)(t^2-1)x^{t-2}\), which is non-negative when \(x\in [0, 1]\), and thus the first derivative \(g'\) is non-decreasing. Also, the first derivative at 1 is equal to zero, so that \(g'\) is non-positive over [0, 1] and hence g is non-increasing over this interval. Since \(g(1) = 0\), this implies that g is non-negative over [0, 1] and f is convex as desired.
Theorem A.2
(Theorem 3.11 restated). Let \(\varPi \) be a binary relation and let (Y, W) be pair of random variables supported on \(\varPi \). If \((\varPi , Y)\) is \((t, \varepsilon )\)-hard, then \((\varPi , Y, W)\) is \((t', \varDelta ')\) witness hard in relative entropy and \((t', \varDelta '')\) witness hard in \(\delta \)-min relative entropy for every \(\delta \in [0,1]\) where \(t' = \varOmega (t)\), \(\varDelta ' = \log (1/\varepsilon )\) and \(\varDelta '' = \log (\delta /\varepsilon )\).
Proof
We proceed similarly to the proof of Theorem 3.5. Let 
be a pair of algorithms with \(\mathsf {\widetilde{G}}= (\mathsf {\widetilde{G}}_1, \mathsf {\widetilde{G}}_\mathsf {w})\) a two-block generator supported on \(\varPi \). Define the linear-time oracle algorithm 
. Then
The witness hardness in relative entropy then follows by applying Jensen’s inequality (since \(2^{-x}\) is convex) and the witness hardness in \(\delta \)-min relative entropy follows by Markov’s inequality by considering the event that the sample relative entropy is smaller than \(\varDelta \) (this event has density at least \(\delta \)).
Rights and permissions
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Agrawal, R., Chen, YH., Horel, T., Vadhan, S. (2019). Unifying Computational Entropies via Kullback–Leibler Divergence. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11693. Springer, Cham. https://doi.org/10.1007/978-3-030-26951-7_28
Download citation
DOI: https://doi.org/10.1007/978-3-030-26951-7_28
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26950-0
Online ISBN: 978-3-030-26951-7
eBook Packages: Computer ScienceComputer Science (R0)
