Non-Malleable Extractors with Shorter Seeds and Their Applications

Motivated by the problem of how to communicate over a public channel with an active adversary, Dodis and Wichs (STOC’09) introduced the notion of a non-malleable extractor. A non-malleable extractor nmExt : {0, 1}^n ×{0, 1}^d \rightarrow {0, 1}^m takes two inputs, a weakly random W and a uniformly random seed S, and outputs a string which is nearly uniform, given S as well as nmExt(W,A(S)), for an arbitrary function A with A(S) = S. In this paper, by developing the combination and permutation techniques, we improve the error estimation of the extractor of Raz (STOC’05), which plays an extremely important role in the constraints of the non-malleable extractor parameters including seed length. Then we present improved explicit construction of non-malleable extractors. Though our construction is the same as that given by Cohen, Raz and Segev (CCC’12), the parameters are improved. More precisely, we construct an explicit (1016, 1/2)-non-malleable extractor nmExt : {0, 1}^n ×{0, 1}^d \rightarrow {0, 1} with n = 210 and seed length d = 19, while Cohen et al. showed that the seed length is no less than 46/63 +66. Therefore, our method beats the condition “2.01 · log n \leq d \leq n” proposed by Cohen et al., since d is just 1.9 · log n in our construction. We also improve the parameters of the general explicit construction given by Cohen et al. Finally, we give their applications to privacy amplification

On Bitcoin as a public randomness source

We formalize the use of Bitcoin as a source of publicly-verifiable randomness. As a side-effect of Bitcoin\u27s proof-of-work-based consensus system, random values are broadcast every time new blocks are mined. We can derive strong lower bounds on the computational min-entropy in each block: currently, at least 68 bits of min-entropy are produced every 10 minutes, from which one can derive over 32 near-uniform bits using standard extractor techniques. We show that any attack on this beacon would form an attack on Bitcoin itself and hence have a monetary cost that we can bound, unlike any other construction for a public randomness beacon in the literature. In our simplest construction, we show that a lottery producing a single unbiased bit is manipulation-resistant against an attacker with a stake of less than 50 bitcoins in the output, or about US$12,000 today. Finally, we propose making the beacon output available to smart contracts and demonstrate that this simple tool enables a number of interesting applications

Succinct Predicate and Online-Offline Multi-Input Inner Product Encryptions under Standard Static Assumptions

This paper presents expressive predicate encryption (PE) systems, namely non-zero inner-product-predicate encryption (NIPPE) and attribute-based encryption (ABE) supporting monotone span programs achieving best known parameters among existing similar schemes under well-studied static complexity assumptions. Both the constructions are built in composite order bilinear group setting and involve only 2 group elements in the ciphertexts. More interestingly, our NIPPE scheme, which additionally features only 1 group element in the decryption keys, is the first to attain succinct ciphertexts and decryption keys simultaneously. For proving selective security of these constructions under the Subgroup Decision assumptions, which are the most standard static assumptions in composite order bilinear group setting, we apply the extended version of the elegant D´ej`a Q framework, which was originally proposed as a general technique for reducing the q-type complexity assumptions to their static counter parts. Our work thus demonstrates the power of this framework in overcoming the need of q-type assumptions, which are vulnerable to serious practical attacks, for deriving security of highly expressive PE systems with compact parameters. We further introduce the concept of online-offline multi-input functional encryption (OO-MIFE), which is a crucial advancement towards realizing this highly promising but computationally intensive cryptographic primitive in resource bounded and power constrained devices. We also instantiate our notion of OO-MIFE by constructing such a scheme for the multi-input analog of the inner product functionality, which has a wide range of application in practice. Our OO-MIFE scheme for multiinput inner products is built in asymmetric bilinear groups of prime order and is proven selectively secure under the well-studied k-Linear (k-LIN) assumption

On Resilient and Exposure-Resilient Functions

Resilient and exposure-resilient functions are functions whose output appears random even if some portion of their input is either revealed or fixed. We explore an alternative way of characterizing these objects that ties them explicitly to the theory of randomness extractors and simplifies current proofs of basic results. We also describe the inclusions and separations governing the various classes of resilient and exposure-resilient functions. Using this knowledge, we explore the possibility of improving existing constructions of these functions and prove that one specific method of doing so is impossible

Randomness Extractors and their Many Guises

Since its introduction by Nisan and Zuckerman (STOC ‘93) nearly a decade ago, the notion of a randomness extractor has proven to be a fundamental and powerful one. Extractors and their variants have found widespread application in a variety of areas, including pseudorandomness and derandomization, combinatorics, cryptography, data structures, and computational complexity. Equally striking has been a sequence of discoveries showing that, under different interpretations, extractors are close relatives of a number of other important objects, such as expander graphs, hash functions, error-correcting codes, pseudorandom generators, and sampling algorithms. Through these connections, extractors have unified the study of these objects and have led to new and improved constructions of each. In this tutorial, we give an introduction to the study of extractors. The structure of the tutorial is built around the connections between extractors and the other objects mentioned above. Within the context of these connections, we hope to convey an understanding of the definition of extractors, some intuition for how they are constructed, and a glimpse of their use in applications. 1 The Definition The standard definition views an extractor as a procedure for extracting almost-uniform bits from a source of biased and correlated bits. The min-entropy of a random variable X is defined to be H∞(X) = minx log(1 / Pr [X = x]). X is called a k-source if H∞(X) ≥ k, i.e. for all x, Pr [X = x] ≤ 2 −k. The statistical difference between two random variables X, Y distributed over a universe U is defined to be maxT ⊂U | Pr [X ∈ T]−Pr [Y ∈ T] |. X and Y are ε-close if their statistical difference is at most ε. Un denotes the uniform distribution on {0, 1} n

Maintaining secrecy when information leakage is unavoidable

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2004.Includes bibliographical references (p. 109-115).(cont.) We apply the framework to get new results, creating (a) encryption schemes with very short keys, and (b) hash functions that leak no information about their input, yet-paradoxically-allow testing if a candidate vector is close to the input. One of the technical contributions of this research is to provide new, cryptographic uses of mathematical tools from complexity theory known as randomness extractors.Sharing and maintaining long, random keys is one of the central problems in cryptography. This thesis provides about ensuring the security of a cryptographic key when partial information about it has been, or must be, leaked to an adversary. We consider two basic approaches: 1. Extracting a new, shorter, secret key from one that has been partially compromised. Specifically, we study the use of noisy data, such as biometrics and personal information, as cryptographic keys. Such data can vary drastically from one measurement to the next. We would like to store enough information to handle these variations, without having to rely on any secure storage-in particular, without storing the key itself in the clear. We solve the problem by casting it in terms of key extraction. We give a precise definition of what "security" should mean in this setting, and design practical, general solutions with rigorous analyses. Prior to this work, no solutions were known with satisfactory provable security guarantees. 2. Ensuring that whatever is revealed is not actually useful. This is most relevant when the key itself is sensitive-for example when it is based on a person's iris scan or Social Security Number. This second approach requires the user to have some control over exactly what information is revealed, but this is often the case: for example, if the user must reveal enough information to allow another user to correct errors in a corrupted key. How can the user ensure that whatever information the adversary learns is not useful to her? We answer by developing a theoretical framework for separating leaked information from useful information. Our definition strengthens the notion of entropic security, considered before in a few different contexts.by Adam Davison Smith.Ph.D