- Leftover hash-lemma
Imagine that you have a secret key that has uniform random bits, and you would like to use this secret key to encrypt a message. Unfortunately, you were a bit careless with the key, and know that an adversary was able to learn about bits of that key, but you do not know which. Can you still use your key, or do you have to throw it away and choose a new key? The leftover hash-lemma tells us that we can produce a key of almost bits, over which the adversary has almost no knowledge. Since the adversary knows all but bits, this is almost optimal.
More precisely, leftover hash-lemma tells us that we can extract about (the
min-entropy of ) bits from a random variable that are almost uniformly distributed.In other words, an adversary who has some partial knowledge about , will have almostno knowledge about the extracted value. That is why this is also called privacy amplification (see privacy amplification section in Quantum Crytography).Extractor s achieve the same result, but use (normally) less randomness.The leftover hash-lemma was first stated by
Russell Impagliazzo ,Leonid Levin andMichael Luby and is a very useful tool incryptography .Fact|date=January 2008Leftover hash-lemma
Let be a random variable over and let . Let be a 2-universal hash function. If:then for uniform over and independent of , we have:where is uniform over and independent of .
is the
Min-entropy of , which measures the amount of randomness has. The min-entropy is always less than or equal to theShannon entropy . Note that is the probability of correctly guessing . (The best guess is to guess the most probable value.) Therefore, the min-entropymeasures how difficult it is to guess .is the
statistical distance between and .ee also
*
Extractor
*Universal hashing
*Min-entropy ,R%C3%A9nyi entropy
*Information theoretic security References
* [http://portal.acm.org/citation.cfm?coll=GUIDE&dl=GUIDE&id=45477 C. H. Bennett, G. Brassard, and J. M. Robert. "Privacy amplification by public discussion". SIAM Journal on Computing, 17(2):210-229, 1988.]
* [http://portal.acm.org/citation.cfm?coll=GUIDE&dl=GUIDE&id=73009 R. Impagliazzo, L. A. Levin, and M. Luby. "Pseudo-random generation from one-way functions". In Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC '89), pages 12-24. ACM Press, 1989.]
* [http://ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=10153&arnumber=476316&type=ref C. Bennett, G. Brassard, C. Crepeau, and U. Maurer. "Generalized privacy amplification". IEEE Transactions on Information Theory, 41, 1995.]
* [http://portal.acm.org/citation.cfm?coll=GUIDE&dl=GUIDE&id=312213 J. Håstad, R. Impagliazzo, L. A. Levin and M. Luby. "A Pseudorandom Generator from any One-way Function". SIAM Journal on Computing, v28 n4, pp. 1364-1396, 1999.]
Wikimedia Foundation. 2010.