Statistical Zero-Knowledge Arguments from One


Inaccessible Entropy
Iftach Haitner (Microsoft Research), Omer Reingold (Weizmann & Microsoft), Hoeteck Wee (Queens College, CUNY), Salil Vadhan (Harvard University)
Outline
• Entropy
• Secrecy & Pseudoentropy
• Unforgeability & Inaccessible Entropy
• Applications
Entropy
Def: The Shannon entropy of a random variable X is
$H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$
• H(X) = "bits of randomness in X (on average)"
• $0 \le H(X) \le \log|\mathrm{Supp}(X)|$; the lower bound is attained when X is concentrated on a single point, the upper bound when X is uniform on Supp(X)
• Conditional entropy: $H(X \mid Y) = \mathbb{E}_{y \leftarrow Y}[H(X \mid Y=y)]$
Worst-Case Entropy Measures
• Min-entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$
• Max-entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$
• $H_\infty(X) \le H(X) \le H_0(X)$
Perfect Secrecy & Entropy
Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if $\forall\, m,m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are identically distributed for a random key K.
Thm [Sh49]: Perfect secrecy $\Rightarrow |K| \ge n$
Perfect Secrecy $\Rightarrow |K| \ge n$
Proof:
• Perfect secrecy
  $\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv (M, \mathrm{Enc}_K(M'))$ for $M, M' \leftarrow \{0,1\}^n$
  $\Rightarrow H(M \mid \mathrm{Enc}_K(M)) = n$
• Decryptability
  $\Rightarrow H(M \mid \mathrm{Enc}_K(M), K) = 0$
  $\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.
• Combining the two: $n = H(M \mid \mathrm{Enc}_K(M)) \le H(K) \le |K|$.
Computational Secrecy
Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if $\forall\, m,m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are computationally indistinguishable.
$\Rightarrow$ can have $|K| \ll n$.
Where Shannon's Proof Breaks
• Computational secrecy
  $\Rightarrow (M, \mathrm{Enc}_K(M)) \approx_c (M, \mathrm{Enc}_K(M'))$ for $M, M' \leftarrow \{0,1\}^n$
  $\Rightarrow$ "$H_{\mathrm{pseudo}}(M \mid \mathrm{Enc}_K(M))$" $= n$
• Decryptability
  $\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.
Key point: can have $H_{\mathrm{pseudo}}(X) \gg H(X)$, e.g. $X = G(U_k)$ for a PRG $G : \{0,1\}^k \to \{0,1\}^n$.
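The three entropy measures, conditional entropy, Shannon's key-length bound and the "H(G(U_k)) is at most k" half of the PRG gap, computed exactly on small explicit distributions. This is an added example, not code from the talk; the toy cipher (message bit i XORed with key bit i mod k) and the toy expanding function (seed followed by its parity) are constructed for illustration only.

```python
from collections import Counter
from itertools import product
from math import log2

# Distributions are dicts {outcome: probability}; outcomes are tuples of bits.

def shannon(p):
    """H(X) = E_{x<-X}[log(1/Pr[X=x])]."""
    return sum(q * log2(1 / q) for q in p.values() if q > 0)

def min_entropy(p):
    """H_inf(X) = min_x log(1/Pr[X=x])."""
    return min(log2(1 / q) for q in p.values() if q > 0)

def max_entropy(p):
    """H_0(X) = log|Supp(X)|."""
    return log2(sum(1 for q in p.values() if q > 0))

def uniform_over(samples):
    """Distribution of a uniformly chosen element of the list `samples`."""
    return {v: c / len(samples) for v, c in Counter(samples).items()}

def cond_entropy(pxy):
    """H(X|Y) = E_{y<-Y}[H(X|Y=y)] for a joint distribution over (x, y) pairs."""
    py = Counter()
    for (_, y), q in pxy.items():
        py[y] += q
    return sum(qy * shannon({x: q / qy for (x, yy), q in pxy.items() if yy == y})
               for y, qy in py.items())

# Constructed toy cipher: message bit i is XORed with key bit (i mod k).
# k = n is the one-time pad; k < n reuses key bits.
def enc(m, key):
    return tuple(mi ^ key[i % len(key)] for i, mi in enumerate(m))

def shannon_bound(n, k):
    """Return (H(M | Enc_K(M)), H(K)) for uniform M in {0,1}^n and K in {0,1}^k.
    Decryptability forces H(M|C) <= H(K) = k; perfect secrecy needs H(M|C) = n."""
    pairs = [(m, enc(m, key)) for m in product((0, 1), repeat=n)
             for key in product((0, 1), repeat=k)]
    return cond_entropy(uniform_over(pairs)), float(k)

# Constructed toy expanding function G: {0,1}^k -> {0,1}^(k+1), seed || parity(seed).
def toy_g(seed):
    return seed + (sum(seed) % 2,)

def output_entropy(g, k):
    """H(G(U_k)): Shannon entropy of g's output on a uniform k-bit seed. It can
    never exceed k, whatever pseudoentropy a real PRG's output may have."""
    return shannon(uniform_over([g(s) for s in product((0, 1), repeat=k)]))
```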
Pseudoentropy
Def [HILL90]: X has pseudoentropy $\ge k$ iff there exists a random variable Y s.t.
1. $Y \approx_c X$
2. $H(Y) \ge k$
Pseudoentropy generator (figure): G on seed $S \leftarrow \{0,1\}^n$ outputs X, with $X \approx_c Y$.
Application of Pseudoentropy
Thm [HILL90]: $\exists$ OWF $\Rightarrow \exists$ PRG
Proof outline:
OWF
  → (hardcore bit [GL89] + hashing) →
X with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
  → (repetitions) →
X with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
  → (hashing) →
PRG
Unforgeability
• Crypto is not just about secrecy.
• Unforgeability: security properties saying that it is hard for an adversary to generate "valid" messages.
  – Unforgeability of MACs, digital signatures
  – Collision-resistance of hash functions
  – Binding of commitment schemes
• Cf. decision problems vs. search/sampling problems.
Ex: Collision-resistant Hashing
$\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$
• Shrinking
• Collision resistance: given $f \leftarrow \mathcal{F}$, an efficient A cannot output $x_1 \ne x_2$ such that $f(x_1) = f(x_2)$
Ex: Collision-resistant Hashing
$\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$
Generator G (figure): receives $F \leftarrow \mathcal{F}$, samples $X \leftarrow \{0,1\}^n$, outputs $Y = F(X)$ and then X.
• Shrinking: $H(X \mid F,Y) \ge k$
• Collision resistance: from (even a cheating) G's point of view, X is determined by (F,Y)
  $\Rightarrow$ X has "accessible" entropy 0
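Why shrinking forces $H(X \mid F,Y) \ge k$, worked out with the symbols of the slide (an added derivation, not part of the original talk; it uses only that $Y = F(X)$ is determined by (X,F), that X is uniform and independent of F, and that Y lives in $\{0,1\}^{n-k}$):

$$
\begin{aligned}
H(X \mid F,Y) &= H(X,Y \mid F) - H(Y \mid F) && \text{(chain rule)}\\
&= H(X \mid F) - H(Y \mid F) && (Y = F(X)\text{, so } H(X,Y \mid F) = H(X \mid F))\\
&= n - H(Y \mid F) && (X \leftarrow \{0,1\}^n \text{ independent of } F)\\
&\ge n - H_0(Y) \;\ge\; n - (n-k) \;=\; k && (Y \in \{0,1\}^{n-k}\text{, so } H(Y \mid F) \le H_0(Y) \le n-k)
\end{aligned}
$$

So the honest generator's last message carries real entropy at least k, while collision resistance leaves an efficient cheating G* with only negligible accessible entropy in it.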
Ex: Collision-resistant Hashing
$\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$
Cheating generator G* (figure): receives $F \leftarrow \mathcal{F}$; using coins $S_1 \leftarrow \{0,1\}^r$ it outputs Y, then using coins $S_2 \leftarrow \{0,1\}^r$ it outputs some $X \in F^{-1}(Y)$.
• Collision resistance: $H(X \mid F,Y,S_1) = \mathrm{neg}(n)$ for every efficient G*.
Measuring Accessible Entropy
Goal: a useful entropy measure that captures the possibility that $H_{\mathrm{acc}}(X) \ll H(X)$
1st attempt: X has accessible entropy at most k if there is a random variable Y s.t.
1. $Y \approx_c X$
2. $H(Y) \le k$
Not useful! Every X is indistinguishable from some Y of entropy polylog(n).
Inaccessible Entropy
Idea: a generator G has inaccessible entropy if
  Real entropy = H(G's outputs from an observer's perspective)
  >
  Accessible entropy = H(G*'s outputs from G*'s perspective)
Real Entropy
Generator G (figure): on input Z and coins $R \leftarrow \{0,1\}^n$, outputs $Y_1, Y_2, \ldots, Y_m$.
Def: The real entropy of G is
$H(Y_1, \ldots, Y_m \mid Z) = \sum_i H(Y_i \mid Z, Y_1, \ldots, Y_{i-1})$
Accessible Entropy
Cheating generator G* (figure): on input Z, uses coins $S_1$ to output $Y_1$, coins $S_2$ to output $Y_2$, ..., coins $S_m$ to output $Y_m$, and finally outputs R s.t. $G(Z,R) = (Y_1, \ldots, Y_m)$.
Def: G has accessible entropy at most k if $\forall$ PPT G*:
$\sum_i H(Y_i \mid Z, S_1, S_2, \ldots, S_{i-1}) \le k$
• Inaccessible entropy = real entropy – accessible entropy
• Unbounded G* can achieve real entropy.
OWF $\Rightarrow$ Inaccessible Entropy
Given a one-way function $f : \{0,1\}^n \to \{0,1\}^n$, define
Generator G (figure): samples $X \leftarrow \{0,1\}^n$ and outputs $f(X)_1, f(X)_2, \ldots, f(X)_n$ one bit at a time, then X.
Claim:
• Real entropy = n
• Accessible entropy < n – log n
[cf. Omer's talk: $G(x) = (f(x), x_1, \ldots, x_n)$ has next-bit pseudoentropy n + log n for OWP f]
OWF $\Rightarrow$ Inaccessible Entropy
Figure: a cheating G* that, given a target $Y' = f(x)$, chooses coins $S_1, S_2, \ldots, S_n, S_{m+1}$ to produce the bits $Y_1, \ldots, Y_n$ and a final output $R = Y_{m+1}$ (here m = n, and R must be a preimage X).
Claim: Accessible entropy < n – log n
• Suppose $\exists$ G* s.t. $\sum_i H(Y_i \mid S_1, \ldots, S_{i-1}) \ge n - \log n$
• Then can invert f on input Y' by sequentially finding $S_1, \ldots, S_n$ s.t. $Y_i = Y'_i$ (via sampling).
• High accessible entropy $\Rightarrow$ success on random $Y = f(X)$ w.p. $1/\mathrm{poly}(n)$.
Commitment Schemes
Figure: sender S holds $m \in \{0,1\}^n$ and interacts with receiver R.
COMMIT STAGE: S and R interact, S using m.
REVEAL STAGE: S sends (m,K); R outputs accept/reject.
Security of Commitments
• Hiding: COMMIT(m) and COMMIT(m') are indistinguishable, even to a cheating R*
  – Statistical
  – Computational
• Binding: even a cheating S* cannot reveal (m,K) and (m',K') with $m \ne m'$ that R both accepts
  – Statistical
  – Computational
Statistical Security?
Statistical hiding together with statistical binding: Impossible!
(Figure: commit stage with $m \in \{0,1\}^t$, reveal stage with (m,K), accept/reject.) If the commit-stage transcript is statistically independent of m, then almost every transcript has valid openings to every m', and an unbounded S* can find them.
Statistical Binding
(Figure: commitment to $m \in \{0,1\}^n$ with statistical binding and computational hiding.)
Thm [HILL90,Naor91]: One-way functions $\Rightarrow$ statistically binding commitments
Statistical Hiding
(Figure: commitment to $m \in \{0,1\}^n$ with statistical hiding and computational binding.)
Thm [HNORV07]: One-way functions $\Rightarrow$ statistically hiding commitments ("Too complicated!")
Our Results I
• Much simpler proof that OWF $\Rightarrow$ statistically hiding commitments, via accessible entropy.
• Conceptually parallels the [HILL90,Naor91] construction of PRGs & statistically binding commitments from OWF.
• "Nonuniform" version achieves optimal round complexity, O(n/log n) [HHRS07]
Our Results II
Thm: Assume one-way functions exist. Then:
NP has constant-round parallelizable ZK proofs with "black-box simulation"
$\Leftrightarrow$
constant-round statistically hiding commitments exist.
($\Leftarrow$ due to [GK96,G01]; the novelty is $\Rightarrow$)
Statistically Hiding Commitments & Inaccessible Entropy
Figure: S commits to $M \leftarrow \{0,1\}^n$; the commit stage produces transcript C, and in the reveal stage S sends (M,K). A cheating S* uses coins $S_1$ in the commit stage and coins $S_2$ in the reveal stage.
Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$
Computational binding: for every PPT S*, $H(M \mid C, S_1) = \mathrm{neg}(n)$
• "inaccessible entropy for protocols"
OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof
OWF
  → (done above) →
G with real entropy $\ge$ accessible entropy + log n
  → (repetitions) →
G with real min-entropy $\ge$ accessible entropy + poly(n)
  → ((interactive) hashing [DHRS07] + UOWHFs [NY89,Rom90]) →
"m-phase" commitment
  → (cut & choose & parallel repetition) →
statistically hiding commitment

Cf. OWF $\Rightarrow$ Statistically Binding Commitment [HILL90,Nao91]
OWF
  → (hardcore bit [GL89] + hashing) →
X with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
  → (repetitions) →
X with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
  → (hashing) →
PRG
  → (expand output & translate) →
Statistically binding commitment
Other Applications
• Simpler/improved universal one-way hash functions from OWF [HRVW09b]
• Inspired simpler/improved pseudorandom generators from OWF [HRV09]
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
• Secrecy: pseudoentropy > real entropy
• Unforgeability: accessible entropy < real entropy
Research Directions
• Formally unify inaccessible entropy and pseudoentropy.
• Complexity-theoretic applications of inaccessible entropy.
• Remove the "parallelizable" condition from the ZK result.
• Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.