[Cfrg] On using ROs for analyzing randomness extraction functions
canetti <canetti@watson.ibm.com> Fri, 28 October 2005 20:49 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVbAI-0008IG-Mw; Fri, 28 Oct 2005 16:49:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVbAH-0008IA-OZ for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 16:49:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA18421 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400 (EDT)
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVbNu-0004aI-HF for cfrg@ietf.org; Fri, 28 Oct 2005 17:03:35 -0400
Received: from sp1n293en1.watson.ibm.com (sp1n293en1.watson.ibm.com [129.34.20.41]) by igw2.watson.ibm.com (8.12.11/8.13.1/8.13.1-2005-04-25 igw) with ESMTP id j9SKp8Q1001708 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:51:08 -0400
Received: from sp1n293en1.watson.ibm.com (localhost [127.0.0.1]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_2) with ESMTP id j9SKnFF130400 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:15 -0400
Received: from mgsmtp00.watson.ibm.com (mgsmtp00.watson.ibm.com [9.2.40.58]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_1) with ESMTP id j9SKnE4270742 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:14 -0400
Received: from prf.watson.ibm.com (prf.watson.ibm.com [9.2.16.112]) by mgsmtp00.watson.ibm.com (8.12.11/8.12.11/2005/09/01) with ESMTP id j9SKnDLr023684 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400
Received: from localhost (canetti@localhost) by prf.watson.ibm.com (AIX5.1/8.11.6p2/8.11.0/03-06-2002) with ESMTP id j9SKnDa70538 for <cfrg@ietf.org>; Fri, 28 Oct 2005 16:49:13 -0400
Date: Fri, 28 Oct 2005 16:49:12 -0400
From: canetti <canetti@watson.ibm.com>
To: cfrg@ietf.org
In-Reply-To: <Pine.A41.4.58.0510281538050.38438@prf.watson.ibm.com>
Message-ID: <Pine.A41.4.58.0510281644270.38438@prf.watson.ibm.com>
References: <Pine.A41.4.58.0510281538050.38438@prf.watson.ibm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Subject: [Cfrg] On using ROs for analyzing randomness extraction functions
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
I'd like to share some thoughts regarding the use of the RO modeling in the randomness extraction problem. Beyond the known formal problems with the applicability of analysis in the RO model, such analysis usually leaves me with an uneasy feeling of being "cheated out" of a real proof. One main reason is that the RO, being so powerful, blends within it many different idealizations. And I never know for sure what idealizations were actually used in the proof at hand, and what are unnecessary. (For instance, was the "programmability" used? was the fact that the output is always uniform for any two different inputs used? was the "perfect one wayness" used? was the "hardness to find inputs such that the output has a given property" used?) I would much rather have analysis in the standard model that makes explicit assumptions on the hash functions and the adversary. This way, we'll at least know for sure what I'm assuming away. More concretely, regarding the problem of "deterministic computational randomness extraction" - namely, coming up with a public function H that turns inputs with high computational entropy into pseudorandom values. We know that if the distribution of inputs to H can depend on the definition of H then this task is impossible. One way to get around this impossibility is to model H as a RO. Then ofcourse this problem becomes not only doable but also trivial: almost any way of feeding the input to the RO will be equally as secure as any other way. But, alas, this doesnt change the fact that the task is impossible in reality... in particular, we have learned nothing regarding which constructions are better than others. An alternative way to get around this impossiblity would be to remain in our real world (without ROs) and instead make assumptions on the input distribution of H. (For instance, we can assume that the description of H contains some public and random key k, and that the input distribution is indistinguishable from a distribution that does not depend on k.) This would indeed be a weaker result than what we'd like, but at least it we will have some concrete result in our hands. Ran PS. One more, loosely relate point: As was already pointed out in this thread, randomness extraction is actually possible when the extracting function has some public random input that is independent from the secret input. Many key exchange protocols give such public randomness "for free", eg via the nonces etc., while others dont. This should be a good motivation to (1) prefer the key exchange protocols that give out this "public randomness", and (2) design randomness extraction functions that make used of this public randomness. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] KDF: Randomness extraction vs. key expansi… canetti
- [Cfrg] KDF: Randomness extraction vs. key expansi… David Wagner
- [Cfrg] On using ROs for analyzing randomness extr… canetti
- [Cfrg] Re: [saag] KDF: Randomness extraction vs. … Bill Sommerfeld
- Re: [Cfrg] KDF: Randomness extraction vs. key exp… canetti
- [Cfrg] KDF: Randomness extraction vs. key expansi… David Wagner
- [Cfrg] Re: [saag] KDF: Randomness extraction vs. … canetti
- [Cfrg] Re: [saag] KDF: Randomness extraction vs. … Nicolas Williams
- Re: [Cfrg] KDF: Randomness extraction vs. key exp… D. J. Bernstein
- Re: [saag] Re: [Cfrg] KDF: Randomness extraction … canetti
- Re: [saag] Re: [Cfrg] KDF: Randomness extraction … D. J. Bernstein
- Re: [saag] Re: [Cfrg] KDF: Randomness extraction … canetti