Leftover hash lemma explained

The leftover hash lemma is a lemma in cryptography first stated by Russell Impagliazzo, Leonid Levin, and Michael Luby.

Given a secret key that has uniform random bits, of which an adversary was able to learn the values of some bits of that key, the leftover hash lemma states that it is possible to produce a key of about bits, over which the adversary has almost no knowledge, without knowing which are known to the adversary. Since the adversary knows all but bits, this is almost optimal.

More precisely, the leftover hash lemma states that it is possible to extract a length asymptotic to

H_infty(X)

(the min-entropy of) bits from a random variable) that are almost uniformly distributed. In other words, an adversary who has some partial knowledge about, will have almost no knowledge about the extracted value. This is also known as privacy amplification (see privacy amplification section in the article Quantum key distribution).

Randomness extractors achieve the same result, but use (normally) less randomness.

Let be a random variable over

l{X}

and let

m>0

. Let

h\colon \mathcal \times \mathcal \rightarrow \^m

be a 2-universal hash function. If

$m \leq H_\infty(X) - 2 \log\left(\frac\right)$ then for uniform over

l{S}

and independent of, we have:

$\delta\left[(h(S, X), S), (U, S)\right] \leq \varepsilon.$

where is uniform over

\{0,1\}^m

and independent of .

$H_\infty(X) = -\log \max_x \Pr[X=x]$ is the min-entropy of, which measures the amount of randomness has. The min-entropy is always less than or equal to the Shannon entropy. Note that $\max_x \Pr[X=x]$ is the probability of correctly guessing . (The best guess is to guess the most probable value.) Therefore, the min-entropy measures how difficult it is to guess .

$0 \le \delta(X, Y) = \frac \sum_v \left| \Pr[X=v] - \Pr[Y=v] \right| \le 1$ is a statistical distance between and .

Leftover hash lemma explained

See also

References