
A New Interactive Hashing Theorem
Iftach Haitner and Omer Reingold
Weizmann Institute of Science
Talk Plan
• What is Interactive Hashing
• Applications of Interactive Hashing
• The new theorem
• About the proof
• Applications of the new theorem
Interactive Hashing [OVY91,NOVY98]
One-way permutation f:
• eff. computable
• hard to invert: hard to find f^{-1}(f(x)) for x ← {0,1}^n.
S: x ← {0,1}^n, y = f(x)
R: h ← H (two-to-one hash function)
R → S: h
S → R: z = h(y)
[Figure labels: f, h, Easy, |Easy|=2¾n]
Hiding – The only information that R obtains about y is h(y).
Binding – Eff. S cannot find x_1, x_2 such that f(x_1) ≠ f(x_2) and h(f(x_1)) = h(f(x_2)) = z.
Statistically-Hiding String-Commitment
Commit-phase: S (y ∈ {0,1}^n) ↔ R
Statistical Bit-Commitment cont.
Reveal-phase: S → R: y
Statistically-Hiding String-Commitment cont.
Hiding – R does not obtain non-negligible information about y during the commit-phase.
Binding – Eff. S cannot decommit into two different values (with non-neg. probability).
[Callouts: "Same as in Interactive Hashing"; "In Interactive Hashing R only obtains h(y)"]
IH (NOVY) to Bit-Commitment
Commit phase:
S (b ∈ {0,1}): x ← {0,1}^n, y = f(x)
R: h ← H
R → S: h
S → R: z = h(y)
Let {y_0,y_1} = h^{-1}(z) sorted lexicographically and let
 be the index of y (i.e., y= y)
S → R: c = b ⊕
Reveal phase:
S → R: (x,b)
String-Commitment to IH
S: x ← {0,1}^n, y = f(x)
S → R: Com. to y
R: h ← H
R → S: h
S → R: z = h(y)
Applications of Interactive Hashing
• Perfectly-Hiding BC from OWP [NOVY98]
• Statistically-Hiding BC from Regular/Appx.-preimage-size OWF [HHKKMS05]
• Statistical ZK Argument from OWF [NOV06]
• “Information Theoretic” IH, applications [OVY91,CCM98,DHRS04,CS06,NV06,...]
The NOVY IH Protocol
• A “more interactive” version of the naïve (semi-honest) protocol.
• A particular family of two-to-one hash functions: h(x) = h_1(x),...,h_{n-1}(x), where
  – h_i = 0^{i-1} 1 {0,1}^{n-i}
  – h_i(x) = ⟨h_i,x⟩_2.
• Assuming that f is a OWP, the protocol satisfies both hiding and binding.
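The commit and reveal phases from the "IH (NOVY) to Bit-Commitment" slide, run with the NOVY family h_i = 0^{i-1} 1 {0,1}^{n-i}, as an added Python example (not code from the talk). The 8-bit affine map f, the name idx for the index of y, and the brute-force enumeration of the consistent set are assumptions for illustration; the toy f is not one-way, which is exactly why equivocate can open to both bits.

```python
import secrets

N = 8                      # toy parameter (constructed); brute force needs small n
MOD = 1 << N

def f(x):                  # toy permutation standing in for the OWP f; NOT one-way
    return (167 * x + 13) % MOD

def f_inv(y):              # available only because the toy f is easy to invert
    return ((y - 13) * pow(167, -1, MOD)) % MOD

def sample_h(i):           # h_i in 0^{i-1} 1 {0,1}^{N-i}, bits written MSB first
    return (1 << (N - i)) | secrets.randbits(N - i)

def ip2(h, y):             # h_i(y) = <h_i, y> mod 2
    return bin(h & y).count("1") & 1

def consistent(hs, zs):
    """Sorted list of all y in {0,1}^N with h_i(y) = z_i for every i."""
    return sorted(y for y in range(MOD)
                  if all(ip2(h, y) == z for h, z in zip(hs, zs)))

def commit(b, x):
    """Commit phase: N-1 rounds (R sends h_i, S answers z_i), then S sends c."""
    y, hs, zs = f(x), [], []
    for i in range(1, N):
        hs.append(sample_h(i))             # R -> S: h_i
        zs.append(ip2(hs[-1], y))          # S -> R: z_i
    idx = consistent(hs, zs).index(y)      # position of y in sorted {y_0, y_1}
    return hs, zs, b ^ idx                 # c = b XOR idx

def verify(hs, zs, c, x, b):
    """Reveal phase: R recomputes y = f(x), checks consistency and c."""
    cands, y = consistent(hs, zs), f(x)
    return y in cands and c == b ^ cands.index(y)

def equivocate(hs, zs, c):
    """Openings to both bits; needs preimages of y_0 AND y_1, i.e. inverting f."""
    y0, y1 = consistent(hs, zs)
    return (f_inv(y0), c), (f_inv(y1), c ^ 1)

if __name__ == "__main__":
    x = secrets.randbelow(MOD)
    hs, zs, c = commit(1, x)
    print(consistent(hs, zs), verify(hs, zs, c, x, 1), equivocate(hs, zs, c))
```

Because the n-1 vectors have their leading 1 in distinct positions they are linearly independent, so exactly two strings stay consistent with any transcript.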
The NOVY Protocol cont.
Observed by [HHKKMS05]:
• Binding is guaranteed even when f is hard to invert over U_n: hard to find an inverse f^{-1}(y) for a uniformly chosen y ∈ {0,1}^n.
• Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is dense in {0,1}^n
• [HHKKMS05,NOV06] use this observation when f(U_n) is sparse
[Figure labels: f, Im(f), "About the size of Im(f)", "Non-interactive hashing", h, h’, "Two-to-one “interactive” hash function"]
Interactive Hashing for Sparse Sets
• Can Interactive Hashing be applied directly to sparse sets?
[Figure labels: f, Im(f), h, "About the size of Im(f)"]
Our Results
• Holds w.r.t. sparse sets:
  – Binding is guaranteed if f is hard w.r.t the uniform distribution over Im(f)
  – Hiding is useful if h expects collisions w.r.t. Im(f) when f(U_n) is “close” to the uniform dis. over Im(f)
• Allows a more general choice of hash functions
• Improved parameters also w.r.t. the NOVY settings
• Simpler proof
• Applications to statistically-hiding string-commitment ...
[Callouts: "In NOVY - hard to invert over {0,1}^n"; "In NOVY - close to {0,1}^n"]
Information-Theoretic IH
S: y ∈ L, |L| ≪ 2^n
R: h ← H (two-to-one hash function)
R → S: h
S → R: z = h(y)
With Boolean pairwise-independent hash functions: h = (h_1,...,h_{n-1}) ← H^{n-1}, z_1 = h_1(y), ..., z_{n-1} = h_{n-1}(y)
Consist(h_1) = {y: h_1(y) = z_1}
Consist(h_1,…,h_k) = {y: ∀i h_i(y) = z_i}
Hiding – The only information that R obtains about y is h(y).
Binding – Unbounded S cannot find (with non-neg probability) y_1 ≠ y_2 ∈ L such that h(y_1) = h(y_2) = z.
|L| ≪ 2^{n/2}
? |L| > 2^{n/2}
|L ∩ Consist(h_1,…,h_k)| ≪ √|Consist(h_1,…,h_k)|
Our protocol (variant of NOVY)
S: x ← {0,1}^n, y = f(x)
R: h = (h_1,...,h_k) ← H^k, where H is any family of Boolean pairwise-independent hash functions
k ≈ log(|Im(f)|)
R → S: h_1; S → R: z_1 = h_1(y)
...
R → S: h_k; S → R: z_k = h_k(y)
[Figure labels: f, Im(f), h, "About the size of Im(f)"]
Hiding
• If R is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h
• If R is malicious, it obtains h(y) for an adaptively chosen h
• In many settings (e.g., String-Commitment) we can force R to follow the protocol
[Callout: Same as in NOVY, but there it is less harmful]
Binding
Main Theorem: Let A be an alg. that breaks the binding of the protocol with probability  >0. Then there exists an eff. alg. M^A s.t.
Pr_{y←Im(f)}[M^A(y) ∈ f^{-1}(y)] ∈ (2/n8)
Comparing to previous results (Im(f) = {0,1}^n):
• [NOVY98] - (10/poly(n))
• [NOV06] - (3/n6)
* Here - proof for the NOVY settings, i.e., Im(f) = {0,1}^n and the hashing is to {0,1}^{n-1}
Algorithm A
A interacts with R, where h = (h_1,...,h_{n-1}) ← H^{n-1}:
R → A: h_1; A → R: z_1
...
R → A: h_{n-1}; A → R: z_{n-1}
Outputs x_1, x_2
Pr[f(x_1) ≠ f(x_2) ∧ h(f(x_1)) = h(f(x_2)) = z] ≥
* z = (z_1,...,z_{n-1})
M^A(y)
A interacts with R, where h = (h_1,...,h_{n-1}) ← H^{n-1}: rounds h_1 / z_1, ..., h_{n-1} / z_{n-1}; A outputs x_1, x_2
M^A: Choose (h_1,...,h_{n-1}) s.t. y is consistent; returns x_1 or x_2
In order to succeed we need: y = f(x_1) or y = f(x_2)
→ we need ∀i h_i(y) = z_i
Happens with neg. probability
M^A on input y ∈ {0,1}^n:   (ofs ∈ O(log(1/)+ log(n)))
1. (h_1,…,h_{n-ofs}) ← Searcher(y)
2. Return Inverter(h_1,…,h_{n-ofs})
Searcher(y):
1. For i = 1 to n-ofs
   Do the following 2log(n) times:
   • Choose uniformly at random h_i ∈ H
   • If A(h_1,...,h_i) = h_i(y), break the inner loop.
2. Return h_1,…,h_{n-ofs}
Inverter(h_1,…,h_{n-ofs}):
1. Choose h_{n-ofs+1},…,h_{n-1} uniformly in H
2. (x_1, x_2) ← ADec(h_1,…,h_{n-1})
3. Return x_1 or x_2
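The Searcher/Inverter reduction above as an added Python example (not code from the talk), run against a hypothetical binding-breaker A whose answers are a hash of the transcript so that it can be rewound. Assumptions: the toy 8-bit f, ofs = 2, NOVY-style h_i, "2log(n)" read as 2·log2(n), and M checking f(x) = y to pick between x_1 and x_2.

```python
import hashlib, math, secrets

N, OFS = 8, 2          # toy sizes (constructed); OFS plays the role of "ofs"
MOD = 1 << N

def f(x):              # toy stand-in for f; NOT one-way
    return (167 * x + 13) % MOD

def ip2(h, y):         # h(y) = <h, y> mod 2
    return bin(h & y).count("1") & 1

def sample_h(i):       # NOVY-style h_i in 0^{i-1} 1 {0,1}^{N-i}
    return (1 << (N - i)) | secrets.randbits(N - i)

def A(hs):
    """Hypothetical binding-breaker: z_i is a fixed function of h_1..h_i."""
    return hashlib.sha256(bytes(hs)).digest()[0] & 1

def A_dec(hs):
    """A's output x_1, x_2: preimages of both strings consistent with its answers."""
    zs = [A(hs[:i + 1]) for i in range(len(hs))]
    ys = [y for y in range(MOD)
          if all(ip2(h, y) == z for h, z in zip(hs, zs))]
    inv = pow(167, -1, MOD)            # only a toy adversary can invert f like this
    return [((y - 13) * inv) % MOD for y in ys]

def searcher(y):
    """Rewind A in each round until its answer agrees with h_i(y)."""
    hs = []
    for i in range(1, N - OFS + 1):
        for _ in range(2 * int(math.log2(N))):
            h = sample_h(i)
            if A(hs + [h]) == ip2(h, y):
                break
        hs.append(h)                   # kept even if no sampled h_i agreed
    return hs

def inverter(hs):
    """Complete the interaction with uniform h_i and take A's decommitments."""
    return A_dec(hs + [sample_h(i) for i in range(len(hs) + 1, N)])

def M(y):
    """M^A(y): return the x among A's outputs with f(x) = y, or None."""
    return next((x for x in inverter(searcher(y)) if f(x) == y), None)

if __name__ == "__main__":
    ok = sum(M(y) is not None for y in range(MOD))
    print(f"inverted {ok} of {MOD} targets using A as an oracle")
```

M never inverts f itself; every preimage it returns comes out of A's decommitment, which is the point of the reduction.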
Pictorial description of A
{0,1}^n
h_1: ConsistA(h_1) = {y: h_1(y) = A(h_1)}
h_2, h_3, ...
h_k: ConsistA(h_1,...,h_k) = {y: ∀i h_i(y) = A(h_1,...,h_k)}
The evaluation of Searcher
y ∈ {0,1}^n
h_1: y ∈ ConsistA(h_1)
h_2, h_3, ...
h_{n-ofs}: y ∈ ConsistA(h_1,...,h_{n-ofs})
DReal: (h,y)_{y←{0,1}^n, h←Searcher(y)}
If Inverter does well on DReal (i.e., prob. Inverter(h) ∈ f^{-1}(y) is noticeable) then M^A inverts f well
The Ideal dist.
h_1, h_2, h_3, ..., h_{n-ofs}
At random y ← ConsistA(h_1,…,h_{n-ofs})
DIdeal: (h,y)_{h←H^{n-ofs}, y←ConsistA(h)}
Inverter does well on DIdeal
• The distribution on (h_1,…,h_{n-ofs}) is what A expects → A returns element in f^{-1}(ConsistA(h_1,…,h_{n-ofs})) with non-negligible probability
• ConsistA(h_1,…,h_{n-ofs}) is small
Proof of Security
• Inverter does well on DIdeal
• DIdeal and DReal are close.
The statistical diff. between DIdeal and
DReal is larger than the success
probability of Inverter on DIdeal
Refined Proximity Measure
Definition: D_1 (,a)-approximates D_2, if exists Bad ⊆ sup(D_1), s.t.
– D_1(Bad) ≤ .
– For every x ∉ Bad: 1/a ≤ D_1(x)/D_2(x) ≤ a.
Let T be an event s.t. D_1[T] ≥ + non-neg then, D_2[T] ≥ non-neg
Lemma 1
DIdeal (O(2/n3),81)-approximates DReal.
Lemma 2 (informal)
Inverter does well on DIdeal and its success probability does not depend on event of small probability
Proving Lemma 2: similar to the information-theoretic case
Proving Lemma 1
Since our proximity measure is “well behaved”, it suffices to prove that
Claim 1:
(h,y)_{h←H, y←ConsistA(h)} (O(2/n3),1+4/n)-approx. (h,y)_{y←{0,1}^n, h←H | y∈ConsistA(h)}
Proof:
1. For almost any h ∈ H, (about) half of {0,1}^n is consistent with it
2. Almost any y ∈ {0,1}^n is consistent with (about) half of H
Applications of The New Theorem to Bit-Commitment
• Reproving (as an immediate corollary) the result of [HHKKMS05]: Stat.-Hiding BC from any regular/Appx.-preimage-size OWF
• Statistically-hiding BC from “One-sided approximable preimage-size one-way functions”
  – In particular: Stat.-hiding BC from any one-way function with hardness 2(-nloglog(n)/log(n)) *
* Small O(loglog(n)) non-uniform advice
One-sided approximable preimage-size OWF
• Approximable preimage-size OWF: A OWF f, possible to eff. approximate Ďf(y) = log|(f^{-1}(y))|
  [Callout: Allows additive error which depends on the security-parameter of f]
• One-sided approximable preimage-size OWF: A OWF f, exists an eff. algorithm D and a polynomial p:
  – Pr[D(f(x)) ≈ Ďf(f(x))] ≥ 1/p(n)
  – D(f(x)) ≤ Ďf(f(x))
  [Callout: Save for a small probability (smaller than 1/p(n))]
* Or the opposite case
Further issues
• Linear reduction
• Or, lower bound for the security of
the reduction
• Statistically-hiding bit-commitment
from any OWF
Thanks
Lemma 2: Inverter does well on DIdeal and its success prob. does not depend on event of small probability
[Figure labels: ConsistA(h_1,...,h_{n-ofs}); {y: prob. Inverter(h_1,...,h_{n-ofs}) ∈ f^{-1}(y) is noticeable}; L; {y: probability that A breaks the binding with y (conditioned on h_1,...,h_{n-ofs}) is noticeable}]