A note on the chi-square method: A tool for proving cryptographic security

Abstract

Very recently (in CRYPTO 2017) Dai, Hoang, and Tessaro have introduced the Chi-square method (χ² method) which can be applied to obtain an upper bound on the statistical distance between two joint probability distributions. The authors have applied this method to prove the pseudorandom function security (PRF-security) of sum of two random permutations. In this work, we revisit their proof and find a non-trivial gap in the proof. We plug this gap for two specific cases and state the general case as an assumption whose proof is essential for the completeness of the proof by Dai et al.. A complete, correct, and transparent proof of the full security of the sum of two random permutations construction is much desirable, especially due to its importance and two decades old legacy. The proposed χ² method seems to have potential for application to similar problems, where a similar gap may creep into a proof. These considerations motivate us to communicate our observation in a formal way. On the positive side, we provide a very simple proof of the PRF-security of the truncated random permutation construction (a method to construct PRF from a random permutation) using the χ² method. We note that a proof of the PRF-security due to Stam is already known for this construction in a purely statistical context. However, the use of the χ² method makes the proof much simpler.

Appendix A: Proof of the χ 2 method

In this section we provide proof of Theorem 1, which is the heart of the χ² method. The proof is based on Lemma 1, Lemma 2, and Theorem 6. Along the way we also briefly mention some (relevant) facts of KL divergence and χ² distance.

Kullback-Leibler Divergence. Kullback-Leibler divergence (KL divergence) or relative entropy between P ₀ to P ₁ is defined as

$${\displaystyle d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}})= \sum\limits_{X \in \mathrm{\Omega}}\mathbf{P}_{\mathbf{0}}(X) \log {\frac{\mathbf{P}_{\mathbf{0}}(X)}{\mathbf{P}_{\mathbf{1}}(X)}}.}$$

Note that the KL divergence is defined only if P ₀ ≪P ₁ (with the convention that \(0 \log {0\over 0}= 0\)). It was first defined by Kullback and Leibler in 1951 [16] as a generalization of the entropy notion of Shannon (see [6]).

It can be shown that the KL divergence between any two distributions is always non-negative (known as Gibbs’ inequality, see [6]). However, it is not symmetric (i.e., d_KL(P ₀ ,P ₁ )≠d_KL(P ₀ ,P ₁ ) in general) and does not satisfy the triangle inequality. Thus, KL divergence is not a metric.

Though not a metric, KL divergence has some useful properties. For example, the KL divergence between any two product distributions is additive over the corresponding marginals (see [6, 23]). The KL divergence between two joint distribution can be obtained as the sum of the KL divergences of corresponding conditional distributions. This is known as the chain rule of KL divergence. It is one of the crucial parts of the χ² method. We elaborate it in more detail below.

Chain rule of KL divergence. Let \( \mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}\) and \(\mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}}\) be two probability distributions over Ω^q. We denote \(\mathbf {P}_{\mathbf {0}}^{ {i}}\) and \(\mathbf {P}_{\mathbf {1}}^{ {i}}\) to represent the marginal probability distributions for first i coordinates of \(\mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}\) and \(\mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}}\) respectively, 1 ≤ i ≤ q. In other words, if X := (X₁,…,X _q ) and Y := (Y₁,…,Y _q ) are two joint random variables following the probability distributions \(\mathbf {P}_{\mathbf {0}}^{q}\) and \(\mathbf {P}_{\mathbf {1}}^{q}\) then \(\textbf {P}^{i}_{0}\) and \(\textbf {P}^{i}_{1}\) represent the probability distributions of Xⁱ and Yⁱ respectively. We recall that P ₀ (x _i ) denotes the conditional distribution \(\textbf {P}(\mathsf {X}_{i} = x_{i}|\mathsf {X}^{i-1} = x^{i-1})\) and similarly \(\mathbf {P}_{\mathbf {1}|x^{i-1}}(x_{i})\). Moreover, \(\text {KL}(x^{i-1}) = d_{\text {KL}}(\mathbf {P}_{\mathbf {0}|x^{i-1}}, \mathbf {P}_{\mathbf {1}|x^{i-1}})\). Now we state chain rule of KL divergence.

Lemma 1 (Chain rule of KL divergence (see [6], Theorem 2.5.3))

Following the above notations,

$$d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}^{\textbf{q}}, \mathbf{P}_{\mathbf{1}}^{\textbf{q}}) = d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}^{\mathbf{1}}, \mathbf{P}_{\mathbf{1}}^{\mathbf{q}}) + \sum\limits_{i = 2}^{q} \mathbf{Ex}[\text{KL}(\mathsf{X}^{i-1})].$$

Proof

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}, \mathbf{P}_{\mathbf{1}}^{\textit{\textbf{q}}}) & = \sum\limits_{x^{q}\in\mathrm{\Omega}^{q}} \mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}(x^{q}) \log \left( {\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}(x^{q}) \over \mathbf{P}_{\mathbf{1}}^{\textit{\textbf{q}}}(x^{q})} \right)\\ &= \sum\limits_{x^{q}\in\mathrm{\Omega}^{q}} \mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}(x^{q})\log \left( {\prod_{i = 1}^{q}\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \prod_{i = 1}^{q}\mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{x^{q}\in\mathrm{\Omega}^{q}} \mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}(x^{q})\sum\limits_{i = 1}^{q}\log \left( {\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{i = 1}^{q}\sum\limits_{x^{q}\in\mathrm{\Omega}^{q}}\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}(x^{q})\log \left( {\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{i = 1}^{q}\sum\limits_{x^{i}\in\mathrm{\Omega}^{i}}\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{i}}}(x^{i})\log \left( {\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{i = 1}^{q}\sum\limits_{x^{i}\in\mathrm{\Omega}^{i}}\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{i-}}1}(x^{\textit{\textbf{i-}}1})\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i})\log \left( {\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{i = 1}^{q}\sum\limits_{x^{i-1}\in\mathrm{\Omega}^{i-1}}\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{i-}}1}(x^{\textit{\textbf{i-}}1})\sum\limits_{X_{i}}\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i})\log \left( {\mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i} ) \over \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i} )} \right)\\ &= \sum\limits_{i = 1}^{q}\sum\limits_{x^{i-1}\in\mathrm{\Omega}^{i-1}}\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{i-}}1}(x^{i-1})\text{KL}(x^{i-1})\\ &=\sum\limits_{i = 1}^{q} \mathbf{Ex}[\text{KL}(\mathsf{X}^{i-1})] \end{array} \end{array} $$

The next inequality due to Pinsker (see [6]) gives an upper bound on the total variation distance between two distributions in terms of their KL divergence.

Theorem 6 (Pinsker’s Inequality)

For every probability functionsP ₀ ,P ₁ ,

$$d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) \leq \sqrt{\frac{1}{2} d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}})}.$$

Proof

We follow the steps of [24]. Let Ω^′ = {x ∈Ω|P ₀ (x) ≥P ₁ (x)}.Also, let \(p_{i} = \sum _{x \in {\mathrm {\Omega }^{\prime }}} \mathbf {\textit {P}}_{\mathbf {\textit {i}}}(x)\)for i ∈{0, 1}. So,d_TV(P ₀ ,P ₁ ) = p₀ − p₁. Also, by logsuminequality⁶,we have \(d_{\text {KL}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \geq p_{0} \log {p_{0} \over p_{1}}+ (1-p_{0}) \log {(1-p_{0}) \over (1-p_{1})}\).Therefore,

$$\begin{array}{@{}rcl@{}} d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) & \geq& p_{0} \log{p_{0} \over p_{1}}+ (1-p_{0}) \log {(1-p_{0}) \over (1-p_{1})}\\ &=& \int_{p_{1}}^{p_{0}}\left( {p_{0} \over x} - {(1-p_{0}) \over (1-x)}\right) dx\\ &=& \int_{p_{1}}^{p_{0}}{p_{0}-x \over x(1-x)} dx\\ &\geq& 2(p_{0} - p_{1})^{2} = 2d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}})^{2}, \left( \text{since} \ x(1-x) \leq {1 \over 4}\right). \end{array} $$

χ²distance. χ² distance has its origin in mathematical statistics dating back to Pearson (see [18] for some history). The χ² distance between P ₀ and P ₁ , with P ₀ ≪P ₁ , is defined as

$$d_{\chi^{2}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) := \sum\limits_{x \in \Omega} \frac{(\mathbf{P}_{\mathbf{0}}(x) - \mathbf{P}_{\mathbf{1}}(x))^{2}}{\mathbf{P}_{\mathbf{1}}(x)}.$$

It can be seen that χ² distance is not symmetric. Therefore, it is not a metric. However, like KL-divergence, χ² distance between product distributions can be bounded in terms of the χ² distances between their marginals (see [23]). The following lemma shows that KL-divergence between two distributions can be upper bounded by their χ² distance. The first inequality can also be found in earlier works (see [12] for this and many other relations among various distances used in Statistics).

Lemma 2

\(d_{\text {KL}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \leq \log (1 + d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}})) \leq d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}})\) .

Proof

By the definition of χ²distance we have

$$\begin{array}{@{}rcl@{}} \log (1 + d_{\chi^{2}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}})) & =& \log \left( \sum\limits_{x \in \mathrm{\Omega}} \mathbf{P}_{\mathbf{0}}(x) {\mathbf{P}_{\mathbf{0}}(x) \over \mathbf{P}_{\mathbf{1}}(x)}\right)\\ & =& \log \left( {\mathbf{Ex}}\left[{\mathbf{P}_{\mathbf{0}}(x) \over \mathbf{P}_{\mathbf{1}}(x)}\right]\right)\\ & \geq& \mathbf{Ex}\left[\log \left( {\mathbf{P}_{\mathbf{0}}(x) \over \mathbf{P}_{\mathbf{1}}(x)}\right) \right] \text{by Jensen's inequality}\\ & =& \sum\limits_{x \in \mathrm{\Omega}} \mathbf{P}_{\mathbf{0}}(x) \log \left( {\mathbf{P}_{\mathbf{0}}(x) \over \mathbf{P}_{\mathbf{1}}(x)}\right)\\ & =& d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) \end{array} $$

The last inequality follows by observing that \(d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}})) \geq 0\)and log(1 + t) ≤ t fort ≥ 0.

1.1 A.1 Proof of Theorem 1

We are now ready to show the upper bound on \(d_{\text {TV}}(\mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}, \mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}})\) in terms of expected value of χ² distance between the conditional distributions P ₀ and P ₁ . We state and prove the χ² method, i.e. Theorem 1.

Proof

of Theorem 1 The proof follows directly from Pinsker’s inequality (Theorem 6), chain rule of KLdivergence (Lemma 1), and Lemma 2. More precisely, we have

$$\begin{array}{@{}rcl@{}} d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}, \mathbf{P}_{\mathbf{1}}^{\textit{\textbf{q}}}) &\leq& \left( {d_{\text{KL}}(\mathbf{P}_{\mathbf{0}}^{\textit{\textbf{q}}}, \mathbf{P}_{\mathbf{1}}^{\textit{\textbf{q}}}) \over 2}\right)^{1\over 2} \text{by Theorem 6}\\ &=& \left( {1\over 2}\sum\limits_{i = 1}^{q} \mathbf{Ex}[\text{KL}(\mathsf{X}^{i-1})]\right)^{1\over 2} \text{by Lemma 1} \\ &\leq& \left( {1\over 2}\sum\limits_{i = 1}^{q} \mathbf{Ex}[\chi^{2}(\mathsf{X}^{i-1})]\right)^{1\over 2} \text{by Lemma 2} \end{array} $$