
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University January, 2010

Upload: cristian-hallet

Post on 13-Dec-2015


Inaccessible Entropy

Iftach Haitner, Microsoft Research

Omer Reingold, Weizmann & Microsoft

Hoeteck Wee, Queens College, CUNY

Salil Vadhan, Harvard University

January, 2010

Outline

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Def: The Shannon entropy of r.v. X is

$H(X) = \mathbb{E}_{x \leftarrow X}\left[\log \frac{1}{\Pr[X=x]}\right]$

H(X) = “bits of randomness in X (on avg)”

$0 \le H(X) \le \log |\mathrm{Supp}(X)|$

Conditional Entropy: $H(X \mid Y) = \mathbb{E}_{y \leftarrow Y}[H(X \mid Y=y)]$

Entropy

$H(X) = \mathbb{E}_{x \leftarrow X}\left[\log \frac{1}{\Pr[X=x]}\right]$

(Figure: a scale of H(X) from 0, when X is concentrated on a single point, up to log |Supp(X)|, when X is uniform on Supp(X).)
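The two definitions above computed on small constructed distributions, as an added example that is not part of the slides: `shannon_entropy` implements H(X), `conditional_entropy` implements H(X|Y) as the expectation over y of H(X|Y=y), and `chain_rule_gap` checks H(X,Y) = H(Y) + H(X|Y), the block-by-block decomposition the deck later uses for the real entropy of a generator. All distributions and names in the block are my own.

```python
import math
from collections import defaultdict


def shannon_entropy(dist):
    """H(X) = E_{x<-X}[log2(1/Pr[X=x])] for dist = {outcome: probability}."""
    return sum(p * math.log2(1.0 / p) for p in dist.values() if p > 0)


def marginal(joint, which):
    """Marginal of coordinate `which` (0 for X, 1 for Y) of a joint {(x, y): p}."""
    out = defaultdict(float)
    for pair, p in joint.items():
        out[pair[which]] += p
    return dict(out)


def conditional_entropy(joint):
    """H(X|Y) = E_{y<-Y}[H(X|Y=y)] for a joint distribution {(x, y): p}."""
    total = 0.0
    for y, py in marginal(joint, 1).items():
        cond = {x: p / py for (x, yy), p in joint.items() if yy == y}
        total += py * shannon_entropy(cond)
    return total


def chain_rule_gap(joint):
    """H(X,Y) - (H(Y) + H(X|Y)); identically zero, by the chain rule."""
    return shannon_entropy(joint) - (
        shannon_entropy(marginal(joint, 1)) + conditional_entropy(joint)
    )


def within_bounds(dist):
    """The bound on the slide: 0 <= H(X) <= log2 |Supp(X)|."""
    h = shannon_entropy(dist)
    support = sum(1 for p in dist.values() if p > 0)
    return -1e-12 <= h <= math.log2(support) + 1e-12


# Constructed distributions (not from the slides):
POINT = {"a": 1.0}                                       # concentrated: H = 0
UNIFORM4 = {s: 0.25 for s in "abcd"}                     # uniform on 4 points: H = 2
SKEWED = {"a": 0.5, "b": 0.25, "c": 0.125, "d": 0.125}   # H = 1.75 < log2 4

# Joint (X, Y): X a uniform 2-bit string, Y = parity of X.
# H(X) = 2, H(Y) = 1, H(X|Y) = 1: the parity leaves exactly one bit of X unknown.
PARITY = {(x, x.count("1") % 2): 0.25 for x in ("00", "01", "10", "11")}
```

The conditional entropy is computed literally as the definition states it (an average of per-`y` entropies), so the same function also gives the per-block terms H(Y_i | Z, Y_1, …, Y_{i-1}) once the joint is over (Y_i, prefix).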

Perfect Secrecy & Entropy

Def [Shannon ‘49]: Encryption scheme (Enc,Dec) has perfect secrecy if ∀ m,m’ ∈ {0,1}^n

Enc_K(m) & Enc_K(m’) are identically distributed for a random key K.

Thm [Shannon ‘49]: Perfect secrecy ⇒ |K| ≥ H(K) ≥ n

*Also holds for statistical secrecy
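The inequality chain behind the theorem, written out as an added derivation (it is not on the slide). Let M be uniform on {0,1}^n, K the key, C = Enc_K(M) the ciphertext, and |K| the key length in bits:

$$
n = H(M) \overset{(1)}{=} H(M \mid C) \le H(M, K \mid C) = H(K \mid C) + \underbrace{H(M \mid K, C)}_{(2)\;=\;0} = H(K \mid C) \le H(K) \le \log|\mathrm{Supp}(K)| \le |K|
$$

Step (1) is perfect secrecy: C is distributed identically for every message, so C is independent of M and conditioning on it does not reduce H(M). Step (2) holds because M = Dec_K(C) is determined by (K, C). The remaining steps are the bound $0 \le H(X) \le \log|\mathrm{Supp}(X)|$ from the entropy slide and the fact that a key of |K| bits has at most $2^{|K|}$ values. Under statistical secrecy step (1) becomes an approximate equality and the same chain gives |K| ≥ n − o(n).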

Computational Secrecy

Def [Goldwasser-Micali ‘82]: Encryption scheme (Enc,Dec) has computational secrecy if ∀ m,m’ ∈ {0,1}^n

Enc_K(m) & Enc_K(m’) are computationally indistinguishable.

⇒ can have |K| ≪ n.

Idea: Derive K’ from K, with a lot of “pseudoentropy”

Pseudoentropy

Def [Håstad, Impagliazzo, Levin and Luby ‘90]: X has pseudoentropy ≥ k iff there exists a random variable Y s.t.

1. Y ≡_c X

2. H(Y) ≥ k

Pseudoentropy Generator G

(Figure: G on seed S ← {0,1}^n outputs X; X ≡_c Y for some Y with H(Y) ≥ k.)

Application of Pseudoentropy

Thm [HILL ‘90]: ∃ OWF ⇒ ∃ PRG

Proof outline:

1. OWF

2. → (hardcore bit [GL89] + hashing) → X with pseudoentropy ≥ H(X) + 1/poly(n)

3. → (repetitions) → X with pseudo-min-entropy ≥ H(X) + poly(n)

4. → (hashing) → PRG

Outline

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Unforgeability

Crypto is not just about secrecy.

Unforgeability: security properties saying that it is hard for an adversary to generate “valid” messages.

– Unforgeability of MACs, Digital Signatures

– Collision-resistance of hash functions

– Binding of commitment schemes

Cf. decision problems vs. search/sampling problems.

Ex: Collision-resistant Hashing

Shrinking

Collision Resistance: Given f ← F, an efficient algorithm A cannot output x_1 ≠ x_2 such that f(x_1) = f(x_2)

F = { f : {0,1}^n → {0,1}^{n−k} }

Ex: Collision-resistant Hashing

Shrinking: H(X | F,Y) ≥ k

Collision Resistance: From (even a cheating) G’s point of view, X is determined by (F,Y): X has “accessible” entropy 0

F = { f : {0,1}^n → {0,1}^{n−k} }

(Figure: generator G samples X ← {0,1}^n, receives F ← F, outputs Y = F(X), and finally outputs X.)

Ex: Collision-resistant Hashing

Collision Resistance: H(X | F,Y,S_1) = neg(n) for every efficient G*.

F = { f : {0,1}^n → {0,1}^{n−k} }

(Figure: cheating G* with coins S_1 ← {0,1}^r outputs Y, receives F ← F, then with coins S_2 ← {0,1}^r outputs X ∈ F^{−1}(Y).)

Measuring Accessible Entropy

Goal: A useful entropy measure to capture the possibility that H_acc(X) ≪ H(X)

1st attempt: X has accessible entropy at most k if there is a random variable Y s.t.

1. Y ≡_c X

2. H(Y) ≤ k

Not useful! Every X is indistinguishable from some Y of entropy polylog(n).

Inaccessible Entropy

Idea: A generator G has inaccessible entropy if

H(G’s outputs from an observer’s perspective)   [Real Entropy]

>

H(G*’s outputs from G*’s perspective)   [Accessible Entropy]

Real Entropy

Def: The real entropy of G is

$H(Y_1, \dots, Y_m \mid Z) = \sum_i H(Y_i \mid Z, Y_1, \dots, Y_{i-1})$

(Figure: G on public input Z and coins R ← {0,1}^n emits blocks Y_1, Y_2, …, Y_m.)

Accessible Entropy

Def: G has accessible entropy at most k, if ∀ PPT G*

$\sum_i H(Y_i \mid Z, S_1, S_2, \dots, S_{i-1}) \le k$

Inaccessible entropy = real − accessible entropy. An unbounded G* can achieve the real entropy.

(Figure: G* on input Z uses coins S_1, S_2, …, S_m to emit blocks Y_1, Y_2, …, Y_m, and finally outputs R s.t. G(Z,R) = (Y_1, …, Y_m).)

OWF ⇒ Inaccessible Entropy

Given a one-way function f : {0,1}^n → {0,1}^n, define the (n+1)-block generator G on X ← {0,1}^n by

G(X) = (f(X)_1, f(X)_2, …, f(X)_n, X),

i.e. Y_i = f(X)_i for i ≤ n and Y_{n+1} = X.

Claim:

Real entropy = n

Accessible entropy < n − log n

(Figure: G on X ← {0,1}^n emits the bits f(X)_1, f(X)_2, …, f(X)_n one per block, then X as the last block.)

OWF ⇒ Inaccessible Entropy

Claim: Accessible entropy < n − log n

Suppose G* s.t. $\sum_i H(Y_i \mid S_1, \dots, S_{i-1}) \ge n - \log n$.

Then can invert f on input Y’ by sequentially finding S_1, …, S_n s.t. Y_i = Y’_i (via sampling); the last coins S_{n+1} give R = Y_{n+1}, the candidate preimage.

High accessible entropy ⇒ success on random Y’ = f(X) w.p. 1/poly(n).

(Figure: G* run on coins S_1, S_2, …, S_n, S_{n+1}; its blocks Y_1, Y_2, … are matched against the target bits Y’ = 0 1 0 …, and its last block R = Y_{n+1} is the candidate preimage.)
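The two claims on these slides run on a toy instance, as an added example that is not from the paper: the bit-by-bit generator G(X) = (f(X)_1, …, f(X)_n, X), the sum Σ_i H(Y_i | S_1..S_{i-1}) for two cheating generators, and the sequential-sampling inverter. Everything here is constructed by me: `n = 8`, a random table standing in for f (it has no one-wayness at this size; it only supplies the combinatorics), an `HonestGStar` whose first coin fixes X, and an `UnboundedGStar` that brute-forces the set of consistent preimages, the "unbounded G*" of the accessible-entropy slide. Coins are floats in [0,1), so a coin picks uniformly from the generator's current state.

```python
import copy
import math
import random

n = 8                       # toy block length, the slides' n
rng = random.Random(2024)   # constructed, seeded for reproducibility

# Constructed stand-in for f: {0,1}^n -> {0,1}^n (random table, not one-way).
F_TABLE = [rng.randrange(1 << n) for _ in range(1 << n)]


def f(x):
    return F_TABLE[x]


def bit(y, i):
    """i-th output bit of y, most significant first (block Y_{i+1} on the slide)."""
    return (y >> (n - 1 - i)) & 1


def G(x):
    """Honest generator: blocks f(X)_1, ..., f(X)_n, then X itself."""
    return [bit(f(x), i) for i in range(n)] + [x]


def H2(p):
    """Binary entropy of a bit that is 1 with probability p."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


class HonestGStar:
    """G* that just runs G: coin S_1 picks X and every later block is then fixed."""
    def __init__(self):
        self.x, self.i = None, 0

    def step(self, coin):
        if self.i == 0:
            self.x = int(coin * (1 << n))
        out = bit(f(self.x), self.i) if self.i < n else self.x
        self.i += 1
        return out


class UnboundedGStar:
    """Brute-force G*: keeps every x consistent with the bits emitted so far and
    lets coin S_i pick one of them, so each block keeps its real entropy."""
    def __init__(self):
        self.consistent, self.i = list(range(1 << n)), 0

    def step(self, coin):
        x = self.consistent[int(coin * len(self.consistent))]
        if self.i < n:
            out = bit(f(x), self.i)
            self.consistent = [z for z in self.consistent if bit(f(z), self.i) == out]
        else:
            out = x            # last block: the preimage itself
        self.i += 1
        return out


def accessible_entropy_unbounded():
    """Sum_i H(Y_i | S_1..S_{i-1}) for UnboundedGStar, exactly: its state after the
    first i-1 coins is the set of x whose f(x) starts with the emitted prefix."""
    N, total = 1 << n, 0.0
    for i in range(n + 1):
        groups = {}
        for x in range(N):
            groups.setdefault(f(x) >> (n - i), []).append(x)    # top i bits of f(x)
        for xs in groups.values():
            weight = len(xs) / N
            if i < n:
                total += weight * H2(sum(bit(f(x), i) for x in xs) / len(xs))
            else:
                total += weight * math.log2(len(xs))     # X uniform over the preimage set
    return total


def accessible_entropy_honest():
    """Same sum for HonestGStar: only Y_1 is random, S_1 = X fixes every later block."""
    N = 1 << n
    return H2(sum(bit(f(x), 0) for x in range(N)) / N)


def invert_via_gstar(make_gstar, y_target, tries=200):
    """The reduction on the slide: choose S_1, ..., S_n in turn by resampling each coin
    until Y_i = Y'_i, then take the last block as the candidate preimage."""
    gstar = make_gstar()
    for i in range(n):
        for _ in range(tries):
            trial = copy.deepcopy(gstar)
            if trial.step(rng.random()) == bit(y_target, i):
                gstar = trial
                break
        else:
            return None
    x = gstar.step(rng.random())
    return x if f(x) == y_target else None


def inversion_rate(make_gstar, samples=64):
    """Fraction of random targets Y' = f(X) that the reduction inverts."""
    hits = sum(invert_via_gstar(make_gstar, f(rng.randrange(1 << n))) is not None
               for _ in range(samples))
    return hits / samples
```

For the unbounded generator the sum comes out to exactly n (it equals H(f(X)) + H(X | f(X)) = H(X) by the chain rule), and the inverter succeeds on essentially every target; for the honest generator the sum is at most 1 < n − log n and the inverter only succeeds when its very first coin happens to hit a preimage, which is the gap the claim is about.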

Outline

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Our Results I

Much simpler proof that OWF ⇒ Statistically Hiding Commitments, via accessible entropy.

Conceptually parallels [HILL ‘90, Naor ‘91] construction of PRGs & Statistically Binding Commitments from OWF.

“Nonuniform” version achieves optimal round complexity, O(n/log n) [Haitner-Hoch-Reingold-Segev ‘07]

Commitment Schemes

Commitment Schemes

(Figure: sender S, holding message m, and receiver R interact in a commit stage; in the reveal stage S sends m to R.)

Commitment Schemes

COMMIT STAGE: S, holding m ∈ {0,1}^n, interacts with R.

REVEAL STAGE: S sends (m,K); R outputs accept/reject.

Security of Commitments

COMMIT STAGE: S, holding m ∈ {0,1}^n, interacts with R.

REVEAL STAGE: S sends (m,K); R outputs accept/reject.

Hiding (statistical or computational): COMMIT(m) & COMMIT(m’) indistinguishable even to a cheating R*

Binding (statistical or computational): even a cheating S* cannot reveal (m,K), (m’,K’) with m ≠ m’

Statistical Security?

COMMIT STAGE: S, holding m ∈ {0,1}^t, interacts with R.

REVEAL STAGE: S sends (m,K); R outputs accept/reject.

Hiding – Statistical – Computational

Binding – Statistical – Computational

Statistical hiding and statistical binding together: Impossible!

Statistical Binding

COMMIT STAGE: S, holding m ∈ {0,1}^n, interacts with R.

REVEAL STAGE: S sends (m,K); R outputs accept/reject.

Hiding – Statistical – Computational

Binding – Statistical – Computational

Thm [HILL90, Naor91]: One-way functions ⇒ Statistically Binding Commitments

Statistical Hiding

COMMIT STAGE: S, holding m ∈ {0,1}^n, interacts with R.

REVEAL STAGE: S sends (m,K); R outputs accept/reject.

Hiding – Statistical – Computational

Binding – Statistical – Computational

Thm [HNORV ’07]: One-way functions ⇒ Statistically Hiding Commitments

Too Complicated!

Benefit of Statistical Hiding

In most protocols that use commitments: Binding only required during protocol execution

– Depends on adversary’s current capabilities

– Safe to be computational

Hiding may matter long after execution

– Adversary may gain computational resources

– Hardness assumption may be broken

– Statistical hiding ⇒ “everlasting secrecy”

Example: Zero Knowledge for NP [Goldreich-Micali-Wigderson 86]

Hiding ⇒ Zero Knowledge

– Verifier learns nothing other than x ∈ L

Binding ⇒ Soundness

– Prover cannot convince verifier if x ∉ L

(Figure: prover P and verifier V on a graph with vertices 1–6; V challenges the edge (1,4).)

Corollary: One-Way Functions ⇒ Statistical Zero Knowledge “Arguments” for NP.

Statistically Hiding Commitments& Inaccessible Entropy

COMMIT STAGE: S, holding M ← {0,1}^n, interacts with R; the transcript is C.

REVEAL STAGE: S sends M (with K).

Statistical Hiding:

H(M | C) = n − neg(n)

Statistically Hiding Commitments& Inaccessible Entropy

COMMIT STAGE: cheating S*, using coins S_1, interacts with R; the transcript is C.

REVEAL STAGE: S*, using coins S_2, sends M (with K).

Statistical Hiding:

H(M | C) = n − neg(n)

Comp’l Binding:

For every PPT S*

H(M | C, S_1) = neg(n)

“inaccessible entropy for protocols”

OWF ⇒ Statistically Hiding Commitments: Our Proof

1. OWF

2. → (done: the generator construction above) → G with real entropy ≥ accessible entropy + log n

3. → (repetitions) → G with real min-entropy ≥ accessible entropy + poly(n)

4. → ((interactive) hashing [DHRS07] + UOWHFs [NY89, Rom90]) → “m-phase” commitment

5. → (parallel repetitions*) → statistically hiding commitment

Entropy Gap to Commitment

Theorem: Assume there exists an m(n)-block generator with accessible entropy < real min-entropy – (mn). Then there exists an m(n)-round statistically hiding commitment.

Use y_i for “masking” b (for a random i ∈ [m])

– S sends (⟨r, y_i⟩ ⊕ b, r) to R

High real entropy of y_i ⇒ hiding

Low accessible entropy of y_i ⇒ binding

First, we need to make y_i unique

(Figure: S, holding b ∈ {0,1}, runs G(U_n) to obtain y_1, y_2, …; for each y_i, S and R run interactive hashing (S_H(y_i), R_H).)

Interactive hashing [DHRS ‘07]: S_H sends some random information about y_i to R_H

(Figure: the set of possible messages has many elements, while the set of accessible messages has a single element.)

Problem – S* can decide where to have low accessible entropy, after seeing which round is used for the commitment

“Hiding” – after (S_H(y_i), R_H), the entropy of y_i from R’s point of view is still high

“Weakly binding” – ∃ i s.t. after (S_H(c), R_H) there is only a single accessible y_i (even for a cheating S*)

Def: [Naor-Yung ’89] (UOWHF)

F = { f : {0,1}^l → {0,1}^{l−k} } is a family of universal one-way hash functions if

– Shrinking

– Weak collision resistance: The following is negligible for any efficient A*: first A* outputs x, and then on f ← F, A* outputs x’ ≠ x s.t. f(x) = f(x’)

Thm [Rompel ’90, HRVW ‘09]: If OWFs exist, then there exists a UOWHF for every (poly. related) l and t.

Universal One-way hash function

(Figure: S, holding b ∈ {0,1}, and R; for each block y_1, y_2, … they run (S_H(y_i), R_H).)

1. (S_H(y), R_H)

2. S_H sends f(y) to R_H, for a random f ∈ F (chosen by R_H)

(Figure: the set of possible messages has many elements, while the set of accessible messages has a single element.)
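A simplified, added illustration of the masking step on the last few slides (my code, not the paper's protocol): the interactive-hashing phase is replaced by the sender sending f(y) for a shrinking f chosen by the receiver, as in the UOWHF variant, and the bit b is committed as ⟨r, y⟩ ⊕ b. The generator, the hash family (a random table), `N_BITS`, `HASH_BITS` and the sample values are all constructed stand-ins. `mask_entropy` measures hiding as H(⟨r,y⟩ | f(y), r): close to 1 when y has high real entropy, and collapsing when y comes from a two-element support. `openings` brute-forces (toy sizes only) which values could open a commitment, showing that opening to the other bit requires a y' colliding with y under f, which is exactly what low accessible entropy of y denies an efficient S*.

```python
import math
import random

N_BITS = 8        # length of the generator block y (toy size, constructed)
HASH_BITS = 4     # f : {0,1}^8 -> {0,1}^4, shrinking
rng = random.Random(11)


def sample_hash():
    """Constructed stand-in for f <- F: a random shrinking table (no one-wayness here)."""
    table = [rng.randrange(1 << HASH_BITS) for _ in range(1 << N_BITS)]
    return lambda y: table[y]


def inner_product(r, y):
    """<r, y> over GF(2), strings encoded as ints."""
    return bin(r & y).count("1") & 1


def commit(b, y, f, r):
    """Sender's commit-stage messages: f(y) to pin y down, then <r,y> XOR b."""
    return (f(y), inner_product(r, y) ^ b)


def verify_reveal(commitment, f, r, y, b):
    """Receiver's reveal-stage check on the opening (y, b)."""
    hashed, masked = commitment
    return f(y) == hashed and (inner_product(r, y) ^ b) == masked


def openings(commitment, f, r, b):
    """Every y' that opens the commitment as b (brute force, toy sizes only).
    An opening as the other bit needs f(y') = f(y) with <r,y'> != <r,y>."""
    return [y2 for y2 in range(1 << N_BITS) if verify_reveal(commitment, f, r, y2, b)]


def mask_entropy(f, support):
    """H(<r,y> | f(y), r) for y uniform on `support` and r uniform on {0,1}^N_BITS:
    the entropy that hides b after the receiver has seen f(y) and r."""
    total = 0.0
    for r in range(1 << N_BITS):
        groups = {}
        for y in support:
            groups.setdefault(f(y), []).append(inner_product(r, y))
        for bits in groups.values():
            p = sum(bits) / len(bits)
            h = 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)
            total += (len(bits) / len(support)) * h / (1 << N_BITS)
    return total


FULL = list(range(1 << N_BITS))   # y with 8 bits of real entropy
LOW = [3, 200]                    # constructed low-entropy generator: y from two values
```

Because f is only 4 bits wide here, every f(y) has several preimages and the brute force in `openings` finds them; the point of the construction is that a polynomial-time S* whose y comes from a generator with low accessible entropy cannot, while the real entropy of y keeps ⟨r,y⟩ nearly uniform for the receiver.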

Missing Details

Accessible entropy ⇒ Accessible set of valid messages

• We assume that for all i ∈ [m] we know H(y_i | y_1, …, y_{i−1})

1. Constant-round protocols: a) try “all” values, b) combine the resulting commitments.

2. Many-round protocols: “equalize” the real entropy via sequential repetition

Cf. OWF ⇒ Statistically Binding Commitment – [HILL ’90, Naor ’91]

1. OWF

2. → (hardcore bit [GL89] + hashing) → X with pseudoentropy ≥ H(X) + 1/poly(n)

3. → (repetitions) → X with pseudo-min-entropy ≥ H(X) + poly(n)

4. → (hashing) → PRG

5. → (expand output & translate) → Statistically binding commitment

Our Results II

Thm: Assume one-way functions exist. Then:

NP has constant-round parallelizable ZK proofs with “black-box simulation”

⇔

constant-round statistically hiding commitments exist.

(One direction, marked *, is due to [GK96, G01]; the other direction is the novelty.)

Other Applications

Simpler/improved universal one-way hash functions from OWF [HRVW09b]

Inspired simpler/improved pseudorandom generators from OWF [HRV09]

Conclusion

Complexity-based cryptography is possible because of gaps between real & computational entropy.

Secrecy: pseudoentropy > real entropy

Unforgeability: accessible entropy < real entropy

Research Directions

Complexity-theoretic applications of inaccessible entropy

Remove “parallelizable” condition from ZK result.

Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.