leftover-hash lemma

A Unified Approach to Deterministic Encryption

Benjamin Fuller, Adam O’Neill, and Leonid Reyzin.  A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy.  Theory of Cryptography 2012.

Abstract

This paper addresses deterministic public-key encryption schemes (DE), which are designed to provide meaningful security when only source of randomness in the encryption process comes from the message itself. We propose a general construction of DE that unifies prior work and gives novel schemes. Specifically, its instantiations include:

  • The first construction from any trapdoor function that has sufficiently many hardcore bits.
  • The first construction that provides “bounded” multi-message security (assuming lossy trapdoor functions).

The security proofs for these schemes are enabled by three tools that are of broader interest:

  • A weaker and more precise sufficient condition for semantic security on a high-entropy message distribution. Namely, we show that to establish semantic security on a distribution M of messages, it suffices to establish indistinguishability for all conditional distribution M|E, where E is an event of probability at least 1/4. (Prior work required indistinguishability on all distributions of a given entropy.)
  • A result about computational entropy of conditional distributions. Namely, we show that conditioning on an event E of probability p reduces the quality of computational entropy by a factor of p and its quantity by log_2 1/p.
  • A generalization of leftover hash lemma to correlated distributions.

We also extend our result about computational entropy to the average case, which is useful in reasoning about leakage-resilient cryptography: leaking \lambda bits of information reduces the quality of computational entropy by a factor of 2^\lambda and its quantity by \lambda.