The leftover hash lemma is a lemma in

cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...

first stated by

Russell Impagliazzo Russell Graham Impagliazzo is a professor of computer science at the University of California, San Diego specializing in computational complexity theory, having joined the faculty of UCSD in 1989. He received a BA in mathematics from Wesleyan U ...

Leonid Levin Leonid Anatolievich Levin ( ; russian: Леони́д Анато́льевич Ле́вин; uk, Леоні́д Анато́лійович Ле́він; born November 2, 1948) is a Soviet-American mathematician and computer scientist. He is kn ...

, and

Michael Luby Michael George Luby is a mathematician and computer scientist, CEO of BitRipple, Senior Research Scientist at the International Computer Science Institute (ICSI), former VP Technology at Qualcomm, co-founder and former Chief Technology Offic ...

. Imagine that you have a secret

key Key or The Key may refer to: Common meanings * Key (cryptography), a piece of information that controls the operation of a cryptography algorithm * Key (lock), device used to control access to places or facilities restricted by a lock * Key (ma ...

that has uniform random

bit The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represented a ...

s, and you would like to use this secret key to encrypt a message. Unfortunately, you were a bit careless with the key, and know that an

adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fr ...

was able to learn the values of some bits of that key, but you do not know which bits. Can you still use your key, or do you have to throw it away and choose a new key? The leftover hash lemma tells us that we can produce a key of about bits, over which the adversary has almost no knowledge. Since the adversary knows all but bits, this is almost optimal. More precisely, the leftover hash lemma tells us that we can extract a length asymptotic to

H_\infty(X)

(the min-entropy of ) bits from a

random variable A random variable (also called random quantity, aleatory variable, or stochastic variable) is a mathematical formalization of a quantity or object which depends on random events. It is a mapping or a function from possible outcomes (e.g., the p ...

that are almost uniformly distributed. In other words, an adversary who has some partial knowledge about , will have almost no knowledge about the extracted value. That is why this is also called privacy amplification (see privacy amplification section in the article

Quantum key distribution Quantum key distribution (QKD) is a secure communication method which implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which can then ...

Randomness extractor A randomness extractor, often simply called an "extractor", is a function, which being applied to output from a weakly random entropy source, together with a short, uniformly random seed, generates a highly random output that appears independent fro ...

s achieve the same result, but use (normally) less randomness. Let be a random variable over

\mathcal

and let

m > 0

. Let

h\colon \mathcal \times \mathcal \rightarrow \^m

be a 2-universal

hash function A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually ...

. If :

m \leq H_\infty(X) - 2 \log\left(\frac\right)

then for uniform over

\mathcal

and independent of , we have: :

\leq \varepsilon.

where is uniform over

\^m

and independent of .

H_\infty(X) = -\log \max_x \Pr =x /math> is the min-entropy of , which measures the amount of randomness  has. The min-entropy is always less than or equal to the

Shannon entropy Shannon may refer to: People * Shannon (given name) * Shannon (surname) * Shannon (American singer), stage name of singer Shannon Brenda Greene (born 1958) * Shannon (South Korean singer), British-South Korean singer and actress Shannon Arrum Will ...

. Note that

\max_x \Pr =x /math> is the probability of correctly guessing . (The best guess is to guess the most probable value.) Therefore, the min-entropy measures how difficult it is to guess . 0 \le \delta(X, Y) = \frac \sum_v \left,  \Pr =v - \Pr =v \ \le 1 is a

statistical distance In statistics, probability theory, and information theory, a statistical distance quantifies the distance between two statistical objects, which can be two random variables, or two probability distributions or samples, or the distance can be b ...

between and .

References

{{Reflist
C. H. Bennett, G. Brassard, and J. M. Robert. ''Privacy amplification by public discussion''. SIAM Journal on Computing, 17(2):210-229, 1988.C. Bennett, G. Brassard, C. Crepeau, and U. Maurer. ''Generalized privacy amplification''. IEEE Transactions on Information Theory, 41, 1995.J. Håstad, R. Impagliazzo, L. A. Levin and M. Luby. ''A Pseudorandom Generator from any One-way Function''. SIAM Journal on Computing, v28 n4, pp. 1364-1396, 1999.
Theory of cryptography Probability theorems

See also

References