Ronald Cramer,Ivan Damgard,Nico Dottling,Irene Giacomelli,Chaoping Xing

DOI: https://doi.org/10.1007/978-3-319-72089-0_1

2017-01-01

Abstract:Non-malleable codes were introduced by Dziembowski et al. (ICS 2010) as coding schemes that protect a message against tampering attacks. Roughly speaking, a code is non-malleable if decoding an adversarially tampered encoding of a message m produces the original message m or a value m' (possibly perpendicular to) completely unrelated to m. It is known that non-malleability is possible only for restricted classes of tampering functions. Since their introduction, a long line of works has established feasibility results of non-malleable codes against different families of tampering functions. However, for many interesting families the challenge of finding "good" non-malleable codes remains open. In particular, we would like to have explicit constructions of non-malleable codes with high-rate and efficient encoding/decoding algorithms (i.e. low computational complexity). In this work we present two explicit constructions: the first one is a natural generalization of the work of Dziembowski et al. and gives rise to the first constant-rate non-malleable code with linear-time complexity (in a model including bit-wise independent tampering). The second construction is inspired by the recent works about non-malleable codes of Agrawal et al. (TCC 2015) and of Cheraghchi and Guruswami (TCC 2014) and improves our previous result in the bit-wise independent tampering model: it builds the first non-malleable codes with linear-time complexity and optimal-rate (i.e. rate 1 - o(1)).

Mahdi Cheraghchi,Venkatesan Guruswami

DOI: https://doi.org/10.48550/arXiv.1309.0458

2013-09-03

Abstract:Non-malleable codes, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), encode messages $s$ in a manner so that tampering the codeword causes the decoder to either output $s$ or a message that is independent of $s$. While this is an impossible goal to achieve against unrestricted tampering functions, rather surprisingly non-malleable coding becomes possible against every fixed family $F$ of tampering functions that is not too large (for instance, when $|F| \le \exp(2^{\alpha n})$ for some $\alpha \in [0, 1)$ where $n$ is the number of bits in a codeword). In this work, we study the "capacity of non-malleable coding", and establish optimal bounds on the achievable rate as a function of the family size, answering an open problem from Dziembowski et al. (ICS 2010). Specifically, 1. We prove that for every family $F$ with $|F| \le \exp(2^{\alpha n})$, there exist non-malleable codes against $F$ with rate arbitrarily close to $1-\alpha$ (this is achieved w.h.p. by a randomized construction). 2. We show the existence of families of size $\exp(n^{O(1)} 2^{\alpha n})$ against which there is no non-malleable code of rate $1-\alpha$ (in fact this is the case w.h.p for a random family of this size). 3. We also show that $1-\alpha$ is the best achievable rate for the family of functions which are only allowed to tamper the first $\alpha n$ bits of the codeword, which is of special interest. As a corollary, this implies that the capacity of non-malleable coding in the split-state model (where the tampering function acts independently but arbitrarily on the two halves of the codeword) equals 1/2. We also give an efficient Monte Carlo construction of codes of rate close to 1 with polynomial time encoding and decoding that is non-malleable against any fixed $c > 0$ and family $F$ of size $\exp(n^c)$, in particular tampering functions with, say, cubic size circuits.

Information Theory,Computational Complexity,Cryptography and Security

Divesh Aggarwal,Naresh Goud Boddu,Rahul Jain

DOI: https://doi.org/10.3390/e24081038

2023-06-09

Abstract:Non-malleable-codes introduced by Dziembowski, Pietrzak and Wichs [DPW18] encode a classical message $S$ in a manner such that tampering the codeword results in the decoder either outputting the original message $S$ or a message that is unrelated/independent of $S$. Providing such non-malleable security for various tampering function families has received significant attention in recent years. We consider the well-studied (2-part) split-state model, in which the message $S$ is encoded into two parts $X$ and $Y$, and the adversary is allowed to arbitrarily tamper with each $X$ and $Y$ individually. We consider the security of non-malleable-codes in the split-state model when the adversary is allowed to make use of arbitrary entanglement to tamper the parts $X$ and $Y$. We construct explicit quantum secure non-malleable-codes in the split-state model. Our construction of quantum secure non-malleable-codes is based on the recent construction of quantum secure $2$-source non-malleable-extractors by Boddu, Jain and Kapshikar [BJK21].

Cryptography and Security,Quantum Physics

Thiago Bergamaschi,Naresh Goud Boddu

2023-11-28

Abstract:Tamper-detection codes (TDCs) and non-malleable codes (NMCs) are now fundamental objects at the intersection of cryptography and coding theory. Both of these primitives represent natural relaxations of error-correcting codes and offer related security guarantees in adversarial settings where error correction is impossible. While in a TDC, the decoder is tasked with either recovering the original message or rejecting it, in an NMC, the decoder is additionally allowed to output a completely unrelated message. In this work, we study quantum analogs of one of the most well-studied adversarial tampering models: the so-called split-state tampering model. In the $t$-split-state model, the codeword (or code-state) is divided into $t$ shares, and each share is tampered with "locally". Previous research has primarily focused on settings where the adversaries' local quantum operations are assisted by an unbounded amount of pre-shared entanglement, while the code remains unentangled, either classical or separable. We construct quantum TDCs and NMCs in several $\textit{resource-restricted}$ analogs of the split-state model, which are provably impossible using just classical codes. In particular, against split-state adversaries restricted to local (unentangled) operations, local operations and classical communication, as well as a "bounded storage model" where they are limited to a finite amount of pre-shared entanglement. We complement our code constructions in two directions. First, we present applications to designing secret sharing schemes, which inherit similar non-malleable and tamper-detection guarantees. Second, we discuss connections between our codes and quantum encryption schemes, which we leverage to prove singleton-type bounds on the capacity of certain families of quantum NMCs in the split-state model.

Quantum Physics

Aggelos Kiayias,Feng-Hao Liu,Yiannis Tselekounis

DOI: https://doi.org/10.1007/s00145-024-09498-2

2024-04-05

Journal of Cryptology

Abstract:Non-malleable codes were introduced by Dziembowski et al. (in: Yao (ed) ICS2010, Tsinghua University Press, 2010), and its main application is the protection of cryptographic devices against tampering attacks on memory. In this work, we initiate a comprehensive study on non-malleable codes for the class of partial functions, that read/write on an arbitrary subset of codeword bits with specific cardinality. We present two constructions: the first one is in the CRS model and allows the adversary to selectively choose the subset of codeword bits, while the latter is in the standard model and adaptively secure. Our constructions are efficient in terms of information rate, while allowing the attacker to access asymptotically almost the entire codeword. In addition, they satisfy a notion which is stronger than non-malleability, that we call non-malleability with manipulation detection, guaranteeing that any modified codeword decodes to either the original message or to . We show that our primitive implies All-Or-Nothing Transforms (AONTs), and as a result our constructions yield efficient AONTs under standard assumptions (only one-way functions), which, to the best of our knowledge, was an open question until now. Furthermore, we construct a notion of continuous non-malleable codes (CNMC), namely CNMC with light updates, that avoids the full re-encoding process and only uses shuffling and refreshing operations. Finally, we present a number of additional applications of our primitive in tamper resilience.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Naresh Goud Boddu,Vipul Goyal,Rahul Jain,João Ribeiro

2024-02-27

Abstract:Non-malleable codes are fundamental objects at the intersection of cryptography and coding theory. These codes provide security guarantees even in settings where error correction and detection are impossible, and have found applications to several other cryptographic tasks. One of the strongest and most well-studied adversarial tampering models is $2$-split-state tampering. Here, a codeword is split into two parts and the adversary can then independently tamper with each part using arbitrary functions. This model can be naturally extended to the secret sharing setting with several parties by having the adversary independently tamper with each share. Previous works on non-malleable coding and secret sharing in the split-state tampering model only considered the encoding of \emph{classical} messages. Furthermore, until recent work by Aggarwal, Boddu, and Jain (IEEE Trans.\ Inf.\ Theory 2024), adversaries with quantum capabilities and \emph{shared entanglement} had not been considered, and it is a priori not clear whether previous schemes remain secure in this model. In this work, we introduce the notions of split-state non-malleable codes and secret sharing schemes for quantum messages secure against quantum adversaries with shared entanglement. Then, we present explicit constructions of such schemes that achieve low-error non-malleability. More precisely, we construct efficiently encodable and decodable split-state non-malleable codes and secret sharing schemes for quantum messages preserving entanglement with external systems and achieving security against quantum adversaries having shared entanglement with codeword length $n$, any message length at most $n^{\Omega(1)}$, and error $\epsilon=2^{-{n^{\Omega(1)}}}$. In the easier setting of \emph{average-case} non-malleability, we achieve efficient non-malleable coding with rate close to $1/11$.

Cryptography and Security,Quantum Physics

Fuchun Lin,San Ling,Reihaneh Safavi-Naini,Huaxiong Wang

DOI: https://doi.org/10.48550/arXiv.1906.11066

2019-07-03

Abstract:Non-malleable codes protect against an adversary who can tamper with the coded message by using a tampering function in a specified function family, guaranteeing that the tampering result will only depend on the chosen function and not the coded message. The codes have been motivated for providing protection against tampering with hardware that stores the secret cryptographic keys, and have found significant attention in cryptography. Traditional Shannon model of communication systems assumes the communication channel is perfectly known to the transmitter and the receiver. Arbitrary Varying Channels (AVCs) remove this assumption and have been used to model adversarially controlled channels. Transmission over these channels has been originally studied with the goal of recovering the sent message, and more recently with the goal of detecting tampering with the sent messages. In this paper we introduce non-malleability as the protection goal of message transmission over these channels, and study binary (discrete memoryless) AVCs where possible tampering is modelled by the set of channel states. Our main result is that non-malleability for these channels is achievable at a rate asymptotically approaching 1. We also consider the setting of an AVC with a special state s*, and the additional requirement that the message must be recoverable if s* is applied to all the transmitted bits. We give the outline of a message encoding scheme that in addition to non-malleability, can provide recovery for all s* channel.

Information Theory

Divesh Aggarwal,Eldon Chung,Maciej Obremski

2023-06-10

Abstract:The known constructions of negligible error (non-malleable) two-source extractors can be broadly classified in three categories: (1) Constructions where one source has min-entropy rate about $1/2$, the other source can have small min-entropy rate, but the extractor doesn't guarantee non-malleability. (2) Constructions where one source is uniform, and the other can have small min-entropy rate, and the extractor guarantees non-malleability when the uniform source is tampered. (3) Constructions where both sources have entropy rate very close to $1$ and the extractor guarantees non-malleability against the tampering of both sources. We introduce a new notion of collision resistant extractors and in using it we obtain a strong two source non-malleable extractor where we require the first source to have $0.8$ entropy rate and the other source can have min-entropy polylogarithmic in the length of the source. We show how the above extractor can be applied to obtain a non-malleable extractor with output rate $\frac 1 2$, which is optimal. We also show how, by using our extractor and extending the known protocol, one can obtain a privacy amplification secure against memory tampering where the size of the secret output is almost optimal.

Information Theory,Cryptography and Security

Xin Li,Yan Zhong

2024-04-26

Abstract:Non-malleable extractors are generalizations and strengthening of standard randomness extractors, that are resilient to adversarial tampering. Such extractors have wide applications in cryptography and explicit construction of extractors. In the well-studied models of two-source and affine non-malleable extractors, the previous best constructions only work for entropy rate $>2/3$ and $1-\gamma$ respectively by Li (FOCS' 23).

Computational Complexity,Combinatorics

Fuchun Lin,Mahdi Cheraghchi,Venkatesan Guruswami,Reihaneh Safavi-Naini,Huaxiong Wang

DOI: https://doi.org/10.48550/arXiv.1902.06195

2019-06-16

Abstract:Non-malleable secret sharing was recently proposed by Goyal and Kumar in independent tampering and joint tampering models for threshold secret sharing (STOC18) and secret sharing with general access structure (CRYPTO18). The idea of making secret sharing non-malleable received great attention and by now has generated many papers exploring new frontiers in this topic, such as multiple-time tampering and adding leakage resiliency to the one-shot tampering model. Non-compartmentalized tampering model was first studied by Agrawal <a class="link-external link-http" href="http://et.al" rel="external noopener nofollow">this http URL</a> (CRYPTO15) for non-malleability against permutation composed with bit-wise independent tampering, and shown useful in constructing non-malleable string commitments. We initiate the study of leakage-resilient secret sharing in the non-compartmentalized model. The leakage adversary can corrupt several players and obtain their shares, as in normal secret sharing. The leakage adversary can apply arbitrary affine functions with bounded total output length to the full share vector and obtain the outputs as leakage. These two processes can be both non-adaptive and do not depend on each other, or both adaptive and depend on each other with arbitrary ordering. We construct such leakage-resilient secret sharing schemes and achieve constant information ratio (the scheme for non-adaptive adversary is near optimal). We then explore making the non-compartmentalized leakage-resilient secret sharing also non-malleable against tampering. We consider a tampering model, where the adversary can use the shares obtained from the corrupted players and the outputs of the global leakage functions to choose a tampering function from a tampering family F. We give two constructions of such leakage-resilient non-malleable secret sharing for the case F is the bit-wise independent tampering and, respectively, for the case F is the affine tampering functions.

Cryptography and Security

Naresh Goud Boddu,Upendra S. Kapshikar

DOI: https://doi.org/10.22331/q-2023-11-08-1178

2023-11-06

Abstract:Security of a storage device against a tampering adversary has been a well-studied topic in classical cryptography. Such models give black-box access to an adversary, and the aim is to protect the stored message or abort the protocol if there is any tampering. In this work, we extend the scope of the theory of tamper detection codes against an adversary with quantum capabilities. We consider encoding and decoding schemes that are used to encode a $k$-qubit quantum message $\vert m\rangle$ to obtain an $n$-qubit quantum codeword $\vert {\psi_m} \rangle$. A quantum codeword $\vert {\psi_m} \rangle$ can be adversarially tampered via a unitary $U$ from some known tampering unitary family $\mathcal{U}_{\mathsf{Adv}}$ (acting on $\mathbb{C}^{2^n}$). Firstly, we initiate the general study of \emph{quantum tamper detection codes}, which detect if there is any tampering caused by the action of a unitary operator. In case there was no tampering, we would like to output the original message. We show that quantum tamper detection codes exist for any family of unitary operators $\mathcal{U}_{\mathsf{Adv}}$, such that $\vert\mathcal{U}_{\mathsf{Adv}} \vert < 2^{2^{\alpha n}}$ for some constant $\alpha \in (0,1/6)$; provided that unitary operators are not too close to the identity operator. Quantum tamper detection codes that we construct can be considered to be quantum variants of \emph{classical tamper detection codes} studied by Jafargholi and Wichs~['15], which are also known to exist under similar restrictions. Additionally, we show that when the message set $\mathcal{M}$ is classical, such a construction can be realized as a \emph{non-malleable code} against any $\mathcal{U}_{\mathsf{Adv}}$ of size up to $2^{2^{\alpha n}}$.

Cryptography and Security,Information Theory,Quantum Physics

Naresh Goud Boddu,Rahul Jain,Upendra Kapshikar

2024-09-14

Abstract:We construct several explicit quantum secure non-malleable-extractors. All the quantum secure non-malleable-extractors we construct are based on the constructions by Chattopadhyay, Goyal and Li [2015] and Cohen [2015]. 1) We construct the first explicit quantum secure non-malleable-extractor for (source) min-entropy $k \geq \textsf{poly}\left(\log \left( \frac{n}{\epsilon} \right)\right)$ ($n$ is the length of the source and $\epsilon$ is the error parameter). Previously Aggarwal, Chung, Lin, and Vidick [2019] have shown that the inner-product based non-malleable-extractor proposed by Li [2012] is quantum secure, however it required linear (in $n$) min-entropy and seed length. Using the connection between non-malleable-extractors and privacy amplification (established first in the quantum setting by Cohen and Vidick [2017]), we get a $2$-round privacy amplification protocol that is secure against active quantum adversaries with communication $\textsf{poly}\left(\log \left( \frac{n}{\epsilon} \right)\right)$, exponentially improving upon the linear communication required by the protocol due to [2019]. 2) We construct an explicit quantum secure $2$-source non-malleable-extractor for min-entropy $k \geq n- n^{\Omega(1)}$, with an output of size $n^{\Omega(1)}$ and error $2^{- n^{\Omega(1)}}$. 3) We also study their natural extensions when the tampering of the inputs is performed $t$-times. We construct explicit quantum secure $t$-non-malleable-extractors for both seeded ($t=d^{\Omega(1)}$) as well as $2$-source case ($t=n^{\Omega(1)}$).

Cryptography and Security,Quantum Physics

Yujie Gu,Ilya Vorobyev,Ying Miao

DOI: https://doi.org/10.48550/arXiv.2302.02414

2023-02-05

Abstract:In this paper we consider combinatorial secure codes in traitor tracing for protecting copyright of multimedia content. First, we introduce a new notion of secure codes with list decoding (SCLDs) for collusion-resistant multimedia fingerprinting, which includes many existing types of fingerprinting codes as special cases. Next, we build efficient identifying algorithms for SCLDs with complete traceability and establish bounds on its largest possible code rate. In comparison with the existing fingerprinting codes, it is shown that SCLDs have not only much more efficient traceability than separable codes but also a much larger code rate than frameproof codes. As a byproduct, new bounds on the largest code rate of binary separable codes are established as well. Furthermore, a two-stage dynamic traitor tracing framework is proposed for multimedia fingerprinting in the dynamic scenario, which could not only efficiently achieve the complete traceability but also provide a much larger capacity than the static scenario.

Information Theory,Cryptography and Security,Discrete Mathematics,Combinatorics

Behzad Ahmadi,Osvaldo Simeone

DOI: https://doi.org/10.48550/arXiv.1109.6665

2013-02-08

Abstract:Source coding with a side information "vending machine" is a recently proposed framework in which the statistical relationship between the side information and the source, instead of being given and fixed as in the classical Wyner-Ziv problem, can be controlled by the decoder. This control action is selected by the decoder based on the message encoded by the source node. Unlike conventional settings, the message can thus carry not only information about the source to be reproduced at the decoder, but also control information aimed at improving the quality of the side information. In this paper, the analysis of the trade-offs between rate, distortion and cost associated with the control actions is extended from the previously studied point-to-point set-up to two basic multiterminal models. First, a distributed source coding model is studied, in which two encoders communicate over rate-limited links to a decoder, whose side information can be controlled. The control actions are selected by the decoder based on the messages encoded by both source nodes. For this set-up, inner bounds are derived on the rate-distortion-cost region for both cases in which the side information is available causally and non-causally at the decoder. These bounds are shown to be tight under specific assumptions, including the scenario in which the sequence observed by one of the nodes is a function of the source observed by the other and the side information is available causally at the decoder. Then, a cascade scenario in which three nodes are connected in a cascade and the last node has controllable side information, is also investigated. For this model, the rate-distortion-cost region is derived for general distortion requirements and under the assumption of causal availability of side information at the last node.

Information Theory

K. V. Rashmi,Nihar B. Shah,Kannan Ramchandran,P. Vijay Kumar

DOI: https://doi.org/10.1109/tit.2017.2769101

IF: 2.5

2018-03-01

IEEE Transactions on Information Theory

Abstract:Repair operations in erasure-coded distributed storage systems involve a lot of data movement. This can potentially expose data to malicious acts of passive eavesdroppers or active adversaries, putting security of the system at risk. This paper presents coding schemes and repair algorithms that ensure security of the data in the presence of passive eavesdroppers and active adversaries while maintaining high availability, reliability, and resource efficiency in the system. The proposed codes are optimal in that they meet previously proposed lower bounds on storage and network-bandwidth requirements for a wide range of system parameters. The results thus establish the secure storage capacity of such systems. The proposed codes are based on an optimal class of codes called product-matrix codes. The constructions presented for security from active adversaries provide an additional appealing feature of “on-demand security,” where the desired level of security can be chosen separately for each instance of repair, and the proposed algorithms remain optimal simultaneously for all possible security levels. This paper also provides necessary and sufficient conditions governing the transformation of any (non-secure) code into one providing on-demand security.

computer science, information systems,engineering, electrical & electronic

Harikrishnan K.,J. Harshan,Anwitaman Datta

2024-10-03

Abstract:Coded blockchains have acquired prominence as a promising solution to reduce storage costs and facilitate scalability. Within this class, Luby Transform (LT) coded blockchains are an appealing choice for scalability owing to the availability of a wide range of low-complexity decoders. In the first part of this work, we identify that traditional LT decoders like Belief Propagation and On-the-Fly Gaussian Elimination may not be optimal for heterogeneous networks with nodes that have varying computational and download capabilities. To address this, we introduce a family of hybrid decoders for LT codes and propose optimal operating regimes for them to recover the blockchain at the lowest decoding cost. While LT coded blockchain architecture has been studied from the aspects of storage savings and scalability, not much is known in terms of its security vulnerabilities. Pointing at this research gap, in the second part, we present novel denial-of-service threats on LT coded blockchains that target nodes with specific decoding capabilities, preventing them from joining the network. Our proposed threats are non-oblivious in nature, wherein adversaries gain access to the archived blocks, and choose to execute their attack on a subset of them based on underlying coding scheme. We show that our optimized threats can achieve the same level of damage as that of blind attacks, however, with limited amount of resources. Overall, this is the first work of its kind that opens up new questions on designing coded blockchains to jointly provide storage savings, scalability and also resilience to optimized threats.

Information Theory

Kagan Akcay

2024-05-10

Abstract:This paper investigates the relation between the second-order coding rate, where the second-order turns out to be strictly larger than $\sqrt{n}$, and the mutual information as the leaked information for a fixed error probability by using wiretap codes constructed by universal$_2$ hash functions. We first generalize the upper bound on $\epsilon$-smooth max information in \cite{tyagi} and use it in our analysis where we adopt the method in \cite{hayashi-tan}, which uses universal hashing for compressing a source and making it secure from another correlated source, and apply it to the wiretap channel. We prove first- and second-order achievability results by assuming that the conjecture we state holds true.

Information Theory

Hassan ZivariFard,Remi A. Chou

2024-07-30

Abstract:Consider a source and multiple users who observe the independent and identically distributed (i.i.d.) copies of correlated Gaussian random variables. The source wishes to compress its observations and store the result in a public database such that (i) authorized sets of users are able to reconstruct the source with a certain distortion level, and (ii) information leakage to non-authorized sets of colluding users is minimized. In other words, the recovery of the source is restricted to a predefined access structure. The main result of this paper is a closed-form characterization of the fundamental trade-off between the source coding rate and the information leakage rate. As an example, threshold access structures are studied, i.e., the case where any set of at least $t$ users is able to reconstruct the source with some predefined distortion level and the information leakage at any set of users with a size smaller than $t$ is minimized.

Information Theory

Esther Hänggi,Iyán Méndez Veiga,Ligong Wang

2024-04-02

Abstract:We consider the wiretap channel, where the individual channel uses have memory or are influenced by an adversary. We analyze the explicit and computationally efficient construction of information-theoretically secure coding schemes which use the inverse of an extractor and an error-correcting code. These schemes are known to achieve secrecy capacity on a large class of memoryless wiretap channels. We show that this also holds for certain channel types with memory. In particular, they can achieve secrecy capacity on channels where an adversary can pick a sequence of ``states'' governing the channel's behavior, as long as, given every possible state, the channel is strongly symmetric.

Cryptography and Security,Information Theory

Hanzaleh Akbari Nodehi,Viveck R. Cadambe,Mohammad Ali Maddah-Ali

2024-05-29

Abstract:Coding theory revolves around the incorporation of redundancy into transmitted symbols, computation tasks, and stored data to guard against adversarial manipulation. However, error correction in coding theory is contingent upon a strict trust assumption. In the context of computation and storage, it is required that honest nodes outnumber adversarial ones by a certain margin. However, in several emerging real-world cases, particularly, in decentralized blockchain-oriented applications, such assumptions are often unrealistic. Consequently, despite the important role of coding in addressing significant challenges within decentralized systems, its applications become constrained. Still, in decentralized platforms, a distinctive characteristic emerges, offering new avenues for secure coding beyond the constraints of conventional methods. In these scenarios, the adversary benefits when the legitimate decoder recovers the data, and preferably with a high estimation error. This incentive motivates them to act rationally, trying to maximize their gains. In this paper, we propose a game theoretic formulation for coding, called the game of coding, that captures this unique dynamic where each of the adversary and the data collector (decoder) have a utility function to optimize. The utility functions reflect the fact that both the data collector and the adversary are interested in increasing the chance of data being recoverable by the data collector. Moreover, the utility functions express the interest of the data collector to estimate the input with lower estimation error, but the opposite interest of the adversary. As a first, still highly non-trivial step, we characterize the equilibrium of the game for the repetition code with a repetition factor of 2, for a wide class of utility functions with minimal assumptions.

Information Theory