Security of cryptographic primitives is usually proved by assuming “ideal” probability distributions. We need to replace them with approximated “real” distributions in the real-world systems without losing the security level. We demonstrate that the Hellinger distance is useful for this problem, while the statistical distance is mainly used in the cryptographic literature. First, we show that for preserving $lambda$-bit security of a given security game, the closeness of $2^{-lambda/2}$ to the ideal distribution is sufficient for the Hellinger distance, whereas $2^{-lambda}$ is generally required for the statistical distance. The result can be applied to both search and decision primitives through the bit security framework of Micciancio and Walter (Eurocrypt 2018). We also show that the Hellinger distance gives a tighter evaluation of closeness than the max-log distance when the distance is small. Finally, we show that the leftover hash lemma can be strengthened to the Hellinger distance. Namely, a universal family of hash functions gives a strong randomness extractor with optimal entropy loss for the Hellinger distance. Based on the results, a $lambda$-bit entropy loss in randomness extractors is sufficient for preserving $lambda$-bit security. The current understanding based on the statistical distance is that a $2lambda$-bit entropy loss is necessary.

By admin