This article needs editing for compliance with Wikipedia's Manual of Style. In particular, it has problems with use of second person; see MOS:YOU. (February 2023) (Learn how and when to remove this template message) |
The leftover hash lemma is a lemma in cryptography first stated by Russell Impagliazzo, Leonid Levin, and Michael Luby.[1]
Imagine that you have a secret key X that has n uniform random bits, and you would like to use this secret key to encrypt a message. Unfortunately, you were a bit careless with the key, and know that an adversary was able to learn the values of some t < n bits of that key, but you do not know which t bits. Can you still use your key, or do you have to throw it away and choose a new key? The leftover hash lemma tells us that we can produce a key of about n − t bits, over which the adversary has almost no knowledge. Since the adversary knows all but n − t bits, this is almost optimal.
More precisely, the leftover hash lemma tells us that we can extract a length asymptotic to [math]\displaystyle{ H_\infty(X) }[/math] (the min-entropy of X) bits from a random variable X that are almost uniformly distributed. In other words, an adversary who has some partial knowledge about X, will have almost no knowledge about the extracted value. That is why this is also called privacy amplification (see privacy amplification section in the article Quantum key distribution).
Randomness extractors achieve the same result, but use (normally) less randomness.
Let X be a random variable over [math]\displaystyle{ \mathcal{X} }[/math] and let [math]\displaystyle{ m \gt 0 }[/math]. Let [math]\displaystyle{ h\colon \mathcal{S} \times \mathcal{X} \rightarrow \{0,\, 1\}^m }[/math] be a 2-universal hash function. If
then for S uniform over [math]\displaystyle{ \mathcal{S} }[/math] and independent of X, we have:
where U is uniform over [math]\displaystyle{ \{0, 1\}^m }[/math] and independent of S.[2]
[math]\displaystyle{ H_\infty(X) = -\log \max_x \Pr[X=x] }[/math] is the min-entropy of X, which measures the amount of randomness X has. The min-entropy is always less than or equal to the Shannon entropy. Note that [math]\displaystyle{ \max_x \Pr[X=x] }[/math] is the probability of correctly guessing X. (The best guess is to guess the most probable value.) Therefore, the min-entropy measures how difficult it is to guess X.
[math]\displaystyle{ 0 \le \delta(X, Y) = \frac{1}{2} \sum_v \left| \Pr[X=v] - \Pr[Y=v] \right| \le 1 }[/math] is a statistical distance between X and Y.
Original source: https://en.wikipedia.org/wiki/Leftover hash lemma.
Read more |