Lower bounds on $q$-wise independence tails and applications to min-entropy condensers

TL;DR

This paper establishes tight lower bounds on the independence level needed for $q$-wise hashing to effectively condense min-entropy, with implications for cryptographic key derivation and explicit bounds using combinatorial methods.

Contribution

It provides the first tight lower bounds on the independence level for min-entropy condensers, matching known upper bounds asymptotically and introducing novel combinatorial techniques.

Findings

Lower bounds on $q$-wise independence necessary for effective min-entropy condensation.

Explicit bounds involving Bell numbers and Stirling numbers.

Almost matching the known upper bounds for the independence level $q$.

Abstract

We present novel and sharp lower bounds for higher load moments in the classical problem of mapping $M$ balls into $N$ bins by $q$-universal hashing, specialized to the case when $M=N$. As a corollary we prove a tight counterpart for the result about min-entropy condensers due to Dodis, Pietrzak and Wichs (CRYPTO'14), which has found important applications in key derivation. It states that condensing $k$ bits of min-entropy into a $k$-bit string $\epsilon$-close to almost full min-entropy (precisely $ k-\log\log(1/\epsilon)$ bits of entropy) can be achieved by the use of $q$-independent hashing with $q= \log(1/\epsilon)$. We prove that when given a source of min-entropy $k$ and aiming at entropy loss $\ell = \log\log (1/\epsilon) - 3$, the independence level $q=(1-o(1))\log(1/\epsilon)$ is necessary (for small values of $\epsilon$), which almost matches the positive result. Besides these asymptotic bounds, we provide clear hard bounds in terms of Bell numbers and some numerical examples. Our technique is based on an explicit representation of the load moments in terms of Stirling numbers, some asymptotic estimates on Stirling numbers and a tricky application of the Paley-Zygmund inequality. \keywords{ min-entropy condensers, key derivation, balls and bins hashing, anti-concentration inequalities }