how to eat your entropy and have it too recovering from
play

How to Eat Your Entropy and Have It Too (Recovering from - PowerPoint PPT Presentation

Nov 03, 2022 •315 likes •1.2k views

How to Eat Your Entropy and Have It Too (Recovering from compromise) Yevgeniy Dodis Adi Shamir Noah Stephens-Davidowitz Daniel Wichs Our Goal Our Goal Our Goal Our Goal How Does TCC Build a PRG? How Does TCC Build a PRG? PRG S 0 S 1 R

  1. How to Eat Your Entropy and Have It Too (Recovering from compromise) Yevgeniy Dodis Adi Shamir Noah Stephens-Davidowitz Daniel Wichs

  2. Our Goal

  3. Our Goal

  4. Our Goal

  5. Our Goal

  6. How Does TCC Build a PRG?

  7. How Does TCC Build a PRG? PRG S 0 S 1 R 0

  8. How Does TCC Build a PRG? PRG PRG S 2 S 0 S 1 R 1 R 0

  9. How Does TCC Build a PRG? PRG PRG PRG S 2 S 3 S 0 S 1 R 1 R 2 R 0

  10. How Does TCC Build a PRG? PRG PRG PRG S 2 S 3 S 0 S 1 R 1 R 2 R 0 Perfect randomness…

  11. Developers Build “RNGs with Input”

  12. Developers Build “RNGs with Input” next S’,R S

  13. Developers Build “RNGs with Input” next S’,R S refresh S,I S’

  14. Developers Build “RNGs with Input” next S’,R S refresh S,I S’ Entropy?

  15. Developers Build “RNGs with Input” next S’,R S refresh S,I S’ Entropy? Accumulated entropy

  16. Developers Build “RNGs with Input” next S’,R S refresh S,I S’ Entropy? Accumulated entropy H(S’) ≈ H(S) + H(I)

  17. (Limited) Formal Analysis [BH05] [DPRVW13]

  18. (Limited) Formal Analysis [BH05] [DPRVW13] First formal model (In 2005!)

  19. (Limited) Formal Analysis [BH05] [DPRVW13] First formal model (In 2005!) Recover only after full-entropy input

  20. (Limited) Formal Analysis [BH05] [DPRVW13] Gathers entropy First formal model as it comes (In 2005!) Recover only after full-entropy input

  21. (Limited) Formal Analysis [BH05] [DPRVW13] Gathers entropy First formal model as it comes (In 2005!) Recover only after But…. full-entropy input

  22. Premature Next RNG with input

  23. Premature Next RNG with input

  24. Premature Next RNG with input I

  25. Premature Next RNG with input I

  26. Premature Next RNG with input I I

  27. Premature Next RNG with input I I

  28. Premature Next I … RNG with input I I

  29. Premature Next I … RNG with input I I

  30. Premature Next I … R RNG with input I I

  31. Premature Next I … R RNG with input I I

  32. Premature Next RNG with input

  33. Premature Next RNG with input

  34. Premature Next RNG with input I

  35. Premature Next RNG with input I R

  36. Premature Next S RNG with input I R

  37. Premature Next S RNG with input I R

  38. How do we deal with this?

  39. Option 1: Don’t Let The Adversary Look RNG with input

  40. Option 1: Don’t Let The Adversary Look RNG with input I

  41. Option 1: Don’t Let The Adversary Look RNG with input I

  42. Option 1: Don’t Let The Adversary Look RNG with input I I

  43. Option 1: Don’t Let The Adversary Look RNG with input I I

  44. Option 1: Don’t Let The Adversary Look I … RNG with input I I

  45. Option 1: Don’t Let The Adversary Look I … RNG with input I I

  46. Option 1: Don’t Let The Adversary Look I … R RNG with input I I

  47. Option 1: Don’t Let The Adversary Look I … R RNG with input I I

  48. Option 2: Estimate Entropy RNG with input

  49. Option 2: Estimate Entropy RNG with input

  50. Option 2: Estimate Entropy RNG with input I

  51. Option 2: Estimate Entropy RNG with input I I

  52. Option 2: Estimate Entropy RNG with input I I

  53. Option 2: Estimate Entropy RNG ? with input I I

  54. Option 2: Estimate Entropy ? RNG ? with input I I

  55. Option 2: Estimate Entropy ? I … RNG ? with input I I

  56. Option 2: Estimate Entropy ? I … RNG RNG ? with input with input I I

  57. Option 2: Estimate Entropy ? R I … RNG RNG ? with input with input I I

  58. Option 2: Estimate Entropy ? R I … RNG RNG ? with input with input I I

  59. Option 2: Estimate Entropy ? R I … RNG RNG ? with input with input I I But we can’t estimate entropy….

  60. Option 3: Prove Impossibility

  61. Option 3: Prove Impossibility But it’s possible….

  62. Option 4: Eat Your Entropy and Have It Too

  63. Option 4: Eat Your Entropy and Have It Too …

  64. Option 4: Eat Your Entropy and Have It Too …

  65. Option 4: Eat Your Entropy and Have It Too …

  66. Option 4: Eat Your Entropy and Have It Too Unknown amount …

  67. Option 4: Eat Your Entropy and Have It Too …

  68. Option 4: Eat Your Entropy and Have It Too …

  69. Option 4: Eat Your Entropy and Have It Too …

  70. Option 4: Eat Your Entropy and Have It Too …

  71. Option 4: Eat Your Entropy and Have It Too …

  72. Option 4: Eat Your Entropy and Have It Too …

  73. Option 4: Eat Your Entropy and Have It Too …

  74. Option 4: Eat Your Entropy and Have It Too …

  75. Option 4: Eat Your Entropy and Have It Too … Adi Shamir

  76. Idea Used in Practice (but not theory…) [KSF99]’s Yarrow [FS03]’s Fortuna

  77. Idea Used in Practice (but not theory…) Only two pools [KSF99]’s Yarrow [FS03]’s Fortuna

  78. Idea Used in Practice (but not theory…) Many pools with clever scheduling Only two pools [KSF99]’s Yarrow [FS03]’s Fortuna

  79. Idea Used in Practice (but not theory…) Many pools with clever scheduling Only two pools [KSF99]’s Yarrow [FS03]’s Fortuna

  80. Idea Used in Practice (but not theory…) Many pools with clever scheduling Only two pools [KSF99]’s Yarrow [FS03]’s Fortuna

  81. Our Work

  82. Our Work • Formal model (very strong security notion)

  83. Our Work • Formal model (very strong security notion) • Provably secure construction in this model • Inspired by Fortuna • Proof in standard model (from OWF)

  84. Our Work • Formal model (very strong security notion) • Provably secure construction in this model • Inspired by Fortuna • Proof in standard model (from OWF) • Attacks on prior constructions

  85. Our Work • Formal model (very strong security notion) • Provably secure construction in this model • Inspired by Fortuna • Proof in standard model (from OWF) • Attacks on prior constructions • Formal analysis of and improvement of Fortuna • Secure in limited setting • Doubled entropy e ffj ciency

  86. Thanks!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J. A. Laeven Dept. of Econometrics and OR Tilburg University, CentER and Eurandom based on joint work with Mitja Stadje August 30, 2011 Entropy

442 views • 40 slides
Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy The Maximum Entropy (MaxEnt) method is a methodology to assign or update probability distributions to describe systems which are not completely

202 views • 17 slides
Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for describing low-level computation on modern CPUs (c) 2009 Entropy Wave Inc Motivation (c) 2009 Entropy Wave Inc Motivation Want maintainable assembly

611 views • 28 slides
1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

Introduction to Information Retrieval Entropy: a basic introduction 1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less compressible High entropy = high randomness/low compressibility Low entropy =

236 views • 19 slides
Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute

Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute

Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute for Atmospheric and Climate Institute for Atmospheric and Climate Science (IACETH), Swiss Federal Institute of Technology Zrich (ETHZ) gy ( )

509 views • 27 slides
1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

Plasma Entropy in the Magnetosphere Joachim Raeder 1 , Kai Germaschewski 1 , LiWei Lin 1 Space Science Center, University of New Hampshire, Durham, NH 03824, USA Congre ASTRONUM, Biarritz, France, July 2, 2013 Basic Structure of the

499 views • 11 slides
MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. "

MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. "

MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. " Building Intelligent Systems: A Guide to Machine Learning Engineering. " Apress, 2018, Chapter 19 (Evaluating Intelligence). Ribeiro, Marco

1.38k views • 111 slides
MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. "

MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. "

MODEL QUALITY MODEL QUALITY Christian Kaestner Required reading: Hulten, Geoff. " Building Intelligent Systems: A Guide to Machine Learning Engineering. " Apress, 2018, Chapter 19 (Evaluating Intelligence). Ribeiro, Marco

1.43k views • 141 slides
RESULTS Hotline! 1 The RESULTS Team Simon Buckingham

RESULTS Hotline! 1 The RESULTS Team Simon Buckingham

Write this Down! RESULTS Hotline! 1 The RESULTS Team Simon Buckingham RESULTS Coach 2 The RESULTS Team Brendan Kelly RESULTS Coach The RESULTS Team Tony Lambrianos RESULTS Coach 3 The RESULTS

1.74k views • 134 slides
Lectures 1 and 2: Operator algebras, etc (basic theory and real positivity) David Blecher

Lectures 1 and 2: Operator algebras, etc (basic theory and real positivity) David Blecher

Lectures 1 and 2: Operator algebras, etc (basic theory and real positivity) David Blecher University of Houston December 2016 Abstract Lecture 1: Operator algebras, etc We briefly survey the existing theory of (possibly nonselfadjoint)

1.32k views • 108 slides
1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization

1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization

1 Tuning MATLAB for Better Performance Tutorial Overview General advice about optimization A typical workflow for performance optimization MATLAB's performance measurement tools Common performance issues in MATLAB and how to solve

656 views • 29 slides
Minimizing MPI Resource Contention in Multithreaded Multicore Environments Dave Goodell , 1 Pavan

Minimizing MPI Resource Contention in Multithreaded Multicore Environments Dave Goodell , 1 Pavan

Minimizing MPI Resource Contention in Multithreaded Multicore Environments Dave Goodell , 1 Pavan Balaji, 1 Darius Buntinas, 1 ozsa, 2 William Gropp, 3 Sameer Kumar, 2 G abor D Bronis R. de Supinski, 4 Rajeev Thakur, 1 goodell@mcs.anl.gov

653 views • 33 slides
Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984)

Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984)

Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984) Arguing-client contests the accuracy, integrity, or expertise of the therapist Interrupting- client breaks in and interrupts the therapist in a

328 views • 13 slides
Program Launch: Action Plan to Project Implementation Webinar 2020 CDBG-DR and CDBG-MIT Webinar

Program Launch: Action Plan to Project Implementation Webinar 2020 CDBG-DR and CDBG-MIT Webinar

Program Launch: Action Plan to Project Implementation Webinar 2020 CDBG-DR and CDBG-MIT Webinar Series Webinar Instructions PowerPoint and webinar recording will be available on the HUD Exchange Participants in listen only mode

582 views • 44 slides

More recommend