A New Interactive Hashing Theorem: Iftach Haitner and Omer Reingold, Weizmann Institute of Science
Post on 22-Dec-2015
1
A New Interactive Hashing Theorem
Iftach Haitner and Omer Reingold
Weizmann Institute of Science
2
Talk Plan
• What is Interactive Hashing
• Applications of Interactive Hashing
• The new theorem
• Applications of the new theorem
• About the proof
3
Interactive Hashing [NOVY91]
S: x ← {0,1}^n, y = f(x)
R: h ← H
R → S: h
S → R: z = h(y)
f: One-way permutation:
• eff. computable
• hard to invert: hard to find f^{-1}(f(x)) for x ← {0,1}^n.
h: Two-to-one hash function
Hiding – The only information that R obtains about y is h(y).
Binding – Eff. S cannot find x_1, x_2 such that f(x_1) ≠ f(x_2) and h(f(x_1)) = h(f(x_2)) = z.
Easy
|Easy|=2¾n
4
Statistically-Hiding Commitment
Commit-stage: S, R
y ∈ {0,1}^n
5
Statistically-Hiding Commitment cont.
Reveal-stage: S, R
y
6
Statistically-Hiding Commitment cont.
Hiding – R does not obtain non-negligible information about y during the commit-stage.
(In interactive hashing R only obtains h(y))
Binding – Eff. S cannot decommit into two different values (with non-neg. probability).
(Same as in interactive hashing)
7
IH (NOVY) to Bit-Commitment
S (b ∈ {0,1}): x ← {0,1}^n, y = f(x)
R: h ← H
Commit stage:
R → S: h
S → R: z = h(y)
Let {y_0,y_1} = h^{-1}(z) sorted lexicographically and let be the index of y (i.e., y= y)
S → R: c = b ⊕
Reveal stage:
S → R: (x,b)
h(f(x)) = z and c = b ⊕
8
String-Commitment to IH
S: x ← {0,1}^n, y = f(x)
R: h ← H
S → R: Com. to y
R → S: h
S → R: z = h(y)
9
Applications of Interactive Hashing
• Perfectly-hiding cmt. from owp [NOVY98]
• Statistically-hiding cmt. from regular/appx.-preimage-size owf [HHKKMS05]
• Statistical zk argument from any owf [NOV06]
• Statistically-hiding cmt. from any OWF [HR06]
• “Information theoretic” ih, applications [OVY91,CCM98,DHRS04,CS06,NV06,...]
10
The NOVY IH Protocol
• A “more interactive” version of the naïve (semi-honest) protocol.
• A particular family of two-to-one hash functions.
• Assuming that f is a OWP, the protocol satisfies both hiding and binding.
h(x) = h_1(x),...,h_{n-1}(x), where h_i = 0^{i-1} 1 {0,1}^{n-i}
h_i(x) = <h_i,x>_2.
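The hash family on this slide combined with the commit and reveal stages of the earlier "IH (NOVY) to Bit-Commitment" slide, as an added Python example that is not from the talk. Assumptions: n = 8, f is a toy permutation that is not one-way, the receiver is honest, and the name d for the index of y is chosen here.

```python
import secrets

N = 8  # toy length so {0,1}^N can be enumerated (assumption)

def f(x):
    # Stand-in permutation of {0,1}^N (odd multiplier mod 2^N); NOT one-way.
    return (37 * x + 11) % (1 << N)

def sample_h(i):
    # Random vector of the form 0^(i-1) 1 {0,1}^(N-i), leftmost bit most significant.
    lead = 1 << (N - i)
    return lead | secrets.randbelow(lead)

def ip2(h, y):
    # h_i(y) = <h_i, y> mod 2
    return bin(h & y).count("1") & 1

def interactive_hash(y):
    hs, zs = [], []
    for i in range(1, N):              # round i: R sends h_i, S answers z_i
        hs.append(sample_h(i))         # honest R: h_i ignores earlier answers
        zs.append(ip2(hs[-1], y))
    return hs, zs

def consistent(hs, zs):
    # Consist(h_1..h_k) = {y : h_i(y) = z_i for all i}, in lexicographic order
    return [y for y in range(1 << N)
            if all(ip2(h, y) == z for h, z in zip(hs, zs))]

def commit(b):
    x = secrets.randbelow(1 << N)
    y = f(x)
    hs, zs = interactive_hash(y)
    d = consistent(hs, zs).index(y)    # d: name chosen here for the index of y in sorted h^-1(z)
    return (hs, zs, b ^ d), (x, b)     # (public transcript, S's opening)

def verify(transcript, opening):
    (hs, zs, c), (x, b) = transcript, opening
    y = f(x)
    if [ip2(h, y) for h in hs] != zs:  # reveal check h(f(x)) = z
        return False
    return c == b ^ consistent(hs, zs).index(y)

def open_other_bit(transcript, opening):
    # Brute-force inversion of the toy f on the other element of h^-1(z); only feasible because N is tiny.
    (hs, zs, _), (x, b) = transcript, opening
    other = next(y for y in consistent(hs, zs) if y != f(x))
    return next(x2 for x2 in range(1 << N) if f(x2) == other), b ^ 1
```

open_other_bit succeeds here only because f is trivially invertible at this size; with a one-way permutation that step is the inversion the binding argument rules out.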
11
The NOVY Protocol cont.
Observed by [HHKKMS05]:
• Binding is guaranteed even when f is hard to invert over U_n: hard to find an inverse f^{-1}(y) for a uniformly chosen y ∈ {0,1}^n.
• Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is dense in {0,1}^n
12
Diagram labels: h, f, Im(f), h’
About the size of Im(f)
• [HHKKMS05,NOV06] use this observation when f(U_n) is sparse
Two-to-one “interactive” hash function
Non-interactive hashing
13
Interactive Hashing for Sparse Sets
Diagram labels: h, f, Im(f)
About the size of Im(f)
• Can interactive hashing be applied directly to sparse sets?
14
Our Results
• Holds w.r.t. sparse sets:
– Binding is guaranteed if f is hard w.r.t the uniform distribution over Im(f) (In NOVY - hard to invert over {0,1}^n)
– Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is “close” to the uniform dis. over Im(f) (In NOVY - close to {0,1}^n)
• Allows a more general choice of hash functions
• Improved parameters also w.r.t. the NOVY settings
• Simpler proof
15
Applications of The New Theorem to Bit-Commitment
• Reproving (as an immediate corollary) the result of [HHKKMS05]: Statistical commitment from any regular/ Appx.-preimage-size owf.
• Might simplify current constructions of statistical zk argument and statistical commitment from any owf.
16
Information-Theoretic IH
S: y ∈ L
R: h ← H
R → S: h
S → R: z = h(y)
h: Two-to-one hash function
Hiding – The only information that R obtains about y is h(y).
Binding – Unbounded S cannot find (with non-neg probability) y_1 ≠ y_2 ∈ L such that h(y_1) = h(y_2) = z.
|L| << 2^n
|L| << 2n/2 ? |L| > 2n/2
R: h = (h_1,...,h_{n-1}) ← H^{n-1}
H: Boolean pairwise-independent hash functions
R → S: h_1
S → R: z_1 = h_1(y)
...
R → S: h_{n-1}
S → R: z_{n-1} = h_{n-1}(y)
Consist(h_1) = {y: h_1(y) = z_1}
Consist(h_1,…,h_k) = {y: ∀i h_i(y) = z_i}
|L ∩ Consist(h_1,…,h_k)| << √|Consist(h_1,…,h_k)|
17
Our protocol (variant of NOVY)
S: x ← {0,1}^n, y = f(x)
R: h = (h_1,...,h_k) ← H^k
H: Any family of Boolean pairwise-independent hash functions
R → S: h_1
S → R: z_1 = h_1(y)
...
R → S: h_k
S → R: z_k = h_k(y)
Diagram labels: h, f, Im(f)
kw log(|Im(f)|)
About the size of Im(f)
18
Hiding
• If R is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h
• If R is malicious, it obtains h(y) for an adaptively chosen h
• In many settings (e.g., commitment schemes) we can force R to follow the protocol
Same as in NOVY, but there it is less harmful
19
Binding
Main Theorem: Let A be an alg. that breaks the binding of the protocol with probability . Then there exists an eff. alg. M^A s.t. Pr_{y←Im(f)}[M^A(y) ∈ f^{-1}(y)] ∈ (2/n8)
Comparing to previous results (Im(f) = {0,1}^n):
• [NOVY98] - (10/poly(n))
• [NOV06] - (3/n6)
* Here - proof for the NOVY settings, i.e., Im(f) = {0,1}^n and the hashing is to {0,1}^{n-1}
20
Algorithm A
R: h = (h_1,...,h_{n-1}) ← H^{n-1}
R → A: h_1
A → R: z_1
...
R → A: h_{n-1}
A → R: z_{n-1}
A outputs x_1, x_2
Pr[f(x_1) ≠ f(x_2) ∧ h(f(x_1)) = h(f(x_2)) = z] ≥
* z = (z_1,...,z_{n-1})
21
M^A(y)
R: h = (h_1,...,h_{n-1}) ← H^{n-1}
R → A: h_1
A → R: z_1
...
R → A: h_{n-1}
A → R: z_{n-1}
A outputs x_1, x_2
Returns x_1 or x_2
In order to succeed we need: y = f(x_1) or y = f(x_2)
→ we need ∀i h_i(y) = z_i
happens with neg. probability
Choose (h_1,...,h_{n-1}) s.t. y is consistent
22
M^A on input y ∈ {0,1}^n:
1. (h_1,…,h_{n-ofs}) ← Searcher(y)
2. Return Inverter(h_1,…,h_{n-ofs})
ofs ∈ O(log(1/) + log(n))

Searcher(y):
1. For i = 1 to n-ofs Do the following 2log(n) times:
   • Choose uniformly at random h_i ∈ H
   • If A(h_1,...,h_i) = h_i(y), break the inner loop.
2. Return h_1,…,h_{n-ofs}

Inverter(h_1,…,h_{n-ofs}):
1. Choose h_{n-ofs+1},…,h_{n-1} uniformly in H
2. (x_1, x_2) ← ADec(h_1,…,h_{n-1})
3. Return x_1 or x_2
23
Pictorial description of A
Diagram labels: {0,1}^n, h_1, h_2, h_3, ..., h_k
Consist_A(h_1) = {y: h_1(y) = A(h_1)}
Consist_A(h_1,...,h_k) = {y: ∀i h_i(y) = A(h_1,...,h_k)}
24
The evaluation of Searcher
Diagram labels: h_1, h_2, h_3, ..., h_{n-ofs}; n-ofs
y ∈ {0,1}^n
y ∈ Consist_A(h_1)
y ∈ Consist_A(h_1,...,h_{n-ofs})
D_Real = (h,y)_{y←{0,1}^n, h←Searcher(y)}
If Inverter does well on D_Real (i.e., prob. Inverter(h) ∈ f^{-1}(y) is noticeable) then M^A inverts f well
25
The Ideal dist.
Diagram labels: h_1, h_2, h_3, ..., h_{n-ofs}; n-ofs
D_Ideal = (h,y)_{h←H^{n-ofs}, y←Consist_A(h)}
h: At random
y ← Consist_A(h_1,…,h_{n-ofs})
Inverter does well on D_Ideal
• The distribution on (h_1,…,h_{n-ofs}) is what A expects
→ A returns element in f^{-1}(Consist_A(h_1,…,h_{n-ofs})) with non-negligible probability
• Consist_A(h_1,…,h_{n-ofs}) is small
26
Proof of Security
• Inverter does well on D_Ideal
• D_Ideal and D_Real are close.
The statistical diff. between D_Ideal and D_Real is larger than the success probability of Inverter on D_Ideal
27
Refined Proximity Measure
Definition: D_1 (,a)-approximates D_2, if there exists Bad ⊆ sup(D_1), s.t.
– D_1(Bad) ≤ .
– For every x Bad 1/a ≤ D_1(x)/D_2(x) ≤ a.
Let T be an event s.t. D_1[T] ≥ + non-neg then, D_2[T] ≥ non-neg
28
Lemma 1: D_Ideal (O(2/n3),81)-approximates D_Real.
Lemma 2 (informal): Inverter does well on D_Ideal and its success probability does not depend on event of small probability
Proving Lemma 2: similar to the information-theoretic case
29
Proving Lemma 1
Since our proximity measure is “well behaved”, it suffices to prove that
Claim 1: (h,y)_{h←H, y←Consist_A(h)} (O(2/n3),1+4/n)-approx. (h,y)_{y←{0,1}^n, h←H | y ∈ Consist_A(h)}
Proof:
1. For almost any h ∈ H, (about) half of {0,1}^n is consistent with it
2. Almost any y ∈ {0,1}^n is consistent with (about) half of H
30
Further issues
• Linear reduction, or lower bound for the security of the reduction
• Give simpler construction for statistical zk and statistical commitment schemes from owf.
31
Thanks
32
Lemma 2: Inverter does well on D_Ideal and its success prob. does not depend on event of small probability
Diagram labels: L, Consist_A(h_1,...,h_{n-ofs})
{y: prob. Inverter(h_1,...,h_{n-ofs}) ∈ f^{-1}(y) is noticeable}
{y: probability that A breaks the binding with y (conditioned on h_1,...,h_{n-ofs}) is noticeable}