IETF Logo Mail Archive

[Cfrg] On using ROs for analyzing randomness extraction functions

canetti <canetti@watson.ibm.com> Fri, 28 October 2005 20:49 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVbAI-0008IG-Mw; Fri, 28 Oct 2005 16:49:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVbAH-0008IA-OZ for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 16:49:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA18421 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400 (EDT)
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVbNu-0004aI-HF for cfrg@ietf.org; Fri, 28 Oct 2005 17:03:35 -0400
Received: from sp1n293en1.watson.ibm.com (sp1n293en1.watson.ibm.com [129.34.20.41]) by igw2.watson.ibm.com (8.12.11/8.13.1/8.13.1-2005-04-25 igw) with ESMTP id j9SKp8Q1001708 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:51:08 -0400
Received: from sp1n293en1.watson.ibm.com (localhost [127.0.0.1]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_2) with ESMTP id j9SKnFF130400 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:15 -0400
Received: from mgsmtp00.watson.ibm.com (mgsmtp00.watson.ibm.com [9.2.40.58]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_1) with ESMTP id j9SKnE4270742 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:14 -0400
Received: from prf.watson.ibm.com (prf.watson.ibm.com [9.2.16.112]) by mgsmtp00.watson.ibm.com (8.12.11/8.12.11/2005/09/01) with ESMTP id j9SKnDLr023684 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400
Received: from localhost (canetti@localhost) by prf.watson.ibm.com (AIX5.1/8.11.6p2/8.11.0/03-06-2002) with ESMTP id j9SKnDa70538 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400
Date: Fri, 28 Oct 2005 16:49:12 -0400
From: canetti <canetti@watson.ibm.com>
To: cfrg@ietf.org
In-Reply-To: <Pine.A41.4.58.0510281538050.38438@prf.watson.ibm.com>
Message-ID: <Pine.A41.4.58.0510281644270.38438@prf.watson.ibm.com>
References: <Pine.A41.4.58.0510281538050.38438@prf.watson.ibm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Subject: [Cfrg] On using ROs for analyzing randomness extraction functions
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org


I'd like to share some thoughts regarding the use of the RO modeling in
the randomness extraction problem.

Beyond the known formal problems with the
applicability of analysis in the RO model, such analysis usually leaves me
with an uneasy feeling of being "cheated out" of a real proof. One main
reason is that the RO, being so powerful, blends within it many different
idealizations. And I never know for sure what idealizations were actually
used in the proof at hand, and what are unnecessary.  (For instance, was the
"programmability" used? was the fact that the output is always uniform for
any two different inputs used? was the "perfect one wayness" used? was the
"hardness to find inputs such that the output has a given property" used?)
I would much rather have analysis in the standard model that makes explicit
assumptions on the hash functions and the adversary. This way, we'll at
least know for sure what I'm assuming away.

More concretely, regarding the problem of "deterministic computational
randomness extraction" - namely, coming up with a public function H that
turns inputs with high computational entropy into pseudorandom values. We
know that if the distribution of inputs to H can depend on the definition
of H then this task is impossible.

One way to get around this impossibility is to model H as a RO. Then
ofcourse this problem becomes not only doable but also trivial: almost any
way of feeding the input to the RO will be equally as secure as any other
way. But, alas, this doesnt change the fact that the task is impossible
in reality... in particular, we have learned nothing regarding which
constructions are better than others.

An alternative way to get around this impossiblity would be to remain in
our real world (without ROs) and instead make assumptions on the input
distribution of H. (For instance,  we can assume that the description of H
contains some public and random key k, and that the input distribution is
indistinguishable from a distribution that does not depend on k.)
This would indeed be a weaker result than what we'd like, but at least it
we will have some concrete result in our hands.


Ran


PS. One more, loosely relate point: As was already pointed out in this
thread, randomness extraction is actually possible when the extracting
function has some public random input that is independent from the secret
input. Many key exchange protocols give such public randomness "for free",
eg via the nonces etc., while others dont. This should be a good
motivation to (1) prefer the key exchange protocols that give out this
"public randomness", and (2) design randomness extraction functions that
make used of this public randomness.




_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email