Results 1 - 3 of 3
Instantiating Random Oracles via UCEs
2013
Cited by 9 (3 self)
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hardcore functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Key Derivation Without Entropy Waste
2013
Cited by 4 (3 self)
We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently “good” key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is ‘close’ to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log(1/δ) − O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the “RT-bound”) is also known to be tight in general. Unfortunately, in many situations the loss of 2 log(1/δ) bits of entropy is unacceptable. This motivates the study of KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard:
• Efficient samplability of the source X does not help beat the RT-bound for general applications.
Computational Fuzzy Extractors
2013
Cited by 3 (1 self)
Fuzzy extractors derive strong keys from noisy sources. Their security is defined information-theoretically, which limits the length of the derived key, sometimes making it too short to be useful. We ask whether it is possible to obtain longer keys by considering computational security, and show the following.
• Negative Result: Noise tolerance in fuzzy extractors is usually achieved using an information reconciliation component called a “secure sketch.” The security of this component, which directly affects the length of the resulting key, is subject to lower bounds from coding theory. We show that, even when defined computationally, secure sketches are still subject to lower bounds from coding theory. Specifically, we consider two computational relaxations of the information-theoretic security requirement of secure sketches, using conditional HILL entropy and unpredictability entropy. For both cases we show that computational secure sketches cannot outperform the best information-theoretic secure sketches in the case of high-entropy Hamming metric sources.
• Positive Result: We show that the negative result can be overcome by analyzing computational fuzzy extractors directly. Namely, we show how to build a computational fuzzy extractor whose output key length equals the entropy of the source (this is impossible in the information-theoretic setting). Our construction is based on the hardness of the Learning with Errors (LWE) problem, and is secure when the noisy source is uniform or symbol-fixing (that is, each dimension is either uniform or fixed). As part of the security proof, we show a result of independent interest, namely that the decision version of LWE is secure even when a small number of dimensions has no error.