
1 Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev

Slide 2: Talk Outline
- Statistically-hiding commitments
- Black-box lower bounds
- Our lower bound on the round complexity of statistically-hiding commitments
- Other lower bounds (Private Information Retrieval, Oblivious Transfer, Interactive Hashing)

Slide 3: Statistically-hiding Commitments
The digital analogue of a sealed envelope. A major ingredient in statistical ZKA, secure computation, and more.
A two-stage protocol between S and R:
- Commit stage: S commits to x without revealing it to R.
- Reveal stage: S opens the commitment.
Security properties:
- Computationally binding: an efficient S cannot decommit to two different values.
- Statistically hiding: an unbounded R does not learn x during the commit stage.

Slide 4: Applications of SH-Commitments
- In settings where some commitments are never revealed, they guarantee everlasting security.
- Statistical zero-knowledge arguments.
- Coin-flipping protocols.
- In some settings, a general transformation for protocols with statistical security: semi-honest model → malicious model.

Slide 5: Known Constructions
- [NY 89, DPP 93] Collision-resistant hash functions (CRHF): two rounds. (A CRHF is a family of efficiently computable, compressing functions that are collision resistant.)
- [NOVY 91] One-way permutations (OWP): (n/log(n)) rounds (*). (An OWP is an efficiently computable permutation that is hard to invert.)
- [NOV 06] + [HR 06] One-way functions (OWF): poly(n) rounds.
A tradeoff between the hardness assumption and the number of rounds.

Slide 6: Impossibility Results
Are the previous constructions optimal? Usually it is very difficult to come up with unconditional impossibility results: discrete log is hard ⇒ CRHF exists ⇒ OWP implies two-round SH-commitment, in a trivial sense.

Slide 7: Black-Box Reductions
In their seminal work, Impagliazzo and Rudich presented a paradigm for proving impossibility results under a restricted, yet important, class of reductions called black-box reductions. Quite a few black-box separation results exist, e.g., no key agreement from one-way functions.

Slide 8: (Fully) Black-Box Reductions
A fully black-box reduction from B to A consists of:
- a black-box construction;
- a black-box proof of security: an adversary for breaking B ⇒ an adversary for breaking A.
Fully black-box reductions relativize (hold relative to every oracle).
[Figure: B built from A as a black box; the adversary for A runs the adversary for B as a black box.]

Slide 9: Black-Box Reductions (cont.)
1. Most constructions in cryptography are (fully) black-box, e.g., pseudorandom generators from OWF.
2. Few non-black-box techniques exist, and they apply in restricted settings (typically using ZK proofs).
3. Black-box separations are (still) very meaningful.

Slide 10: Previous Results
- [Fischlin 02] In any BB-reduction from SH-commitment to OWP (or to TDP), the commitment has at least two rounds.
- [Wee 06] In any BB-reduction from a restricted type of SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds.

Slide 11: Our Results
In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits.
Remarks:
- Can be generalized.
- The bounds on the number of rounds are tight, and the bounds on the number of bits communicated are tight for bit commitments.
- Assuming the permutation is s(n)-hard, the bounds become (n/log(s(n))) and (n) respectively.
- Also holds for trapdoor permutations.
- Also holds for honest receivers and for weakly-binding commitment schemes.

Slide 12: Our Results (cont.)
Additional lower bounds:
- Interactive Hashing
- Statistical oblivious transfer
- Single-server private information retrieval
Additional contributions:
- A novel extension of the [Gennaro-Trevisan '01] short-description paradigm.
- A new proof of [Simon 98] (no BB-reduction from CRHF to OWP) (*).

Slide 13: The Proof
An imaginary world: an oracle Sam and a random permutation over {0,1}^n → {0,1}^n.
- ∃ PPT Š with oracle access to Sam that breaks the binding of any o(n/log n)-round SH-commitment.
- ∀ PPT A: Pr[A^{Sam} inverts the permutation] = negl.
⇒ No BB-reduction from o(n/log n)-round SH-cmt to OWP defined over {0,1}^n.
[Figure: an adversary for the permutation would have to be built from Š, the Sam-based adversary for o(n/log n)-round SH-cmt; marked "Impossible".]

Slide 14: The Rest of the Talk
1. Define Sam and show how to use it for breaking any o(n/log n)-round SH-commitment.
2. Prove that the permutation is (still) one-way in the presence of Sam.

Slide 15: Defining Sam (two-round commitment)
[Figure: a two-round commitment. Commit stage: R sends q, S sends a = S(b, r, q). Reveal stage: S sends (b, r); R accepts if S(b, r) is consistent with the commit stage.]
First attempt: Sam(q, a) returns a random pair (b', r') s.t. S(b', r', q) = a.
(S, R) is statistically hiding ⇒ b' is uniformly distributed in {0,1} ⇒ Sam can be used to break the binding of (S, R).
Problem: Sam can be used to invert the permutation.
[Figure: a sender S'(b, (r_1, r_2)) whose commitment contains y, the image of r_2 under the permutation; asking Sam for an opening of this commitment recovers the preimage of y.]
[Simon, Fischlin]: Sam(q) returns two random pairs, (b, r) and (b', r'), s.t. S(b, r, q) = S(b', r', q).
Sam can still be used to break the binding of (S, R), but it is not clear how to use Sam to invert a specific y.

Slide 16: Defining Sam (general case)
[Figure: a k-round commitment. Commit stage: R sends q_1, S answers a_1, ..., R sends q_k, S answers a_k. Reveal stage: S sends (b, r); R accepts if S(b, r) is consistent with the commit stage.]
The two-round oracle [Simon] revisited: announce q to Sam; (b, r) ← Sam, where (b, r) is uniformly chosen; (b', r') ← Sam, where (b', r') is randomly chosen s.t. S(b', r', q) = S(b, r, q).
First attempt: Sam(q_1, ..., q_k) returns two random pairs (b, r) and (b', r') s.t. S(b, r, q_1, ..., q_k) = S(b', r', q_1, ..., q_k).
Problem: w.h.p. both (b, r) and (b', r') are inconsistent with (a_1, ..., a_k).
Instead, proceed round by round:
Round 1: 1. Announce q_1. 2. (b_1, r_1) ← Sam (where (b_1, r_1) is uniformly distributed). 3. Answer a_1 = S(b_1, r_1, q_1).
Round 2: 1. Announce q_2. 2. (b_2, r_2) ← Sam (where (b_2, r_2) is random s.t. S(b_2, r_2, q_1) = S(b_1, r_1, q_1)). 3. Answer a_2 = S(b_2, r_2, q_1, q_2).
...
Reveal stage: (b_{k+1}, r_{k+1}) ← Sam. Thus Pr[b_k ≠ b_{k+1}] = ½.
Life is not that simple: as defined, Sam breaks any SH-commitment, whatever its number of rounds ⇒ limit the number of queries Sam answers.
Forcing restrictions (Sam is stateless!): the user keeps the state; use signature schemes.

Slide 17: Defining Sam (more formally)
Let C, C_next : {0,1}^m → {0,1}^* be circuits with oracle gates.
Sam(C_next, C, w): return w' ← {x ∈ {0,1}^m : C(x) = C(w)} (if C = ⊥, return w' ← {0,1}^m).
Preventing Sam from inverting:
- Sam answers only if it previously answered (C, C_prev, ·) with w.
- Limited interaction depth.
We enforce the above using signature schemes.

Slide 18: Defining Sam (cont.)
[Figure: the tree of Sam queries. Root queries (C_1, ⊥, ⊥) = w_1, (C_8, ⊥, ⊥), (C_56, ⊥, ⊥); chained queries (C_2, C_1, w_1) = w_2, (C_3, C_1, w_1) = w_3, (C_4, C_2, w_2) = w_4, (C_5, C_3, w_3) = w_5, (C_7, C_5, w_5) = w_7, (C_6, C_5, w_5) = w_6. The tree has depth d(n), with d ∈ o(n/log(n)).]

Slide 19: Defining Sam (last)
Let C_i be the circuit naturally defined by S and q_1, ..., q_i (C_i(b, r) outputs S's answers S(b, r, q_1, ..., q_i)).
For all i: (b_i, r_i) ← Sam(C_i, C_{i-1}, (b_{i-1}, r_{i-1})); a_i ← C_i(b_i, r_i).
[Figure: the k-round commitment of slide 16, with S's answer in round i computed as C_i(b_i, r_i).]
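The round-by-round strategy of slides 16 to 19, together with the stateless, signature-enforced depth limit of slide 17, as an added runnable toy (written for this page; not code from the talk or its authors). Assumptions not on the slides: the sender's answers are a truncated SHA-256 of (b, r, q_1..q_i) over a 12-bit (b, r) domain, so that Sam's brute-force collision search is instant; a circuit C_i is represented by the query prefix that defines it; the slides' "signature" is an HMAC under a key only Sam holds; the honest receiver's queries are random and non-adaptive; no permutation is modelled, only the collision finder and the commitment it breaks.

```python
import hashlib
import hmac
import random

M = 12        # w = (b, r) is an m-bit string: b = w & 1, r = w >> 1   (constructed toy size)
ANS_BITS = 4  # each sender answer is 4 bits, so C_i is compressing while 4*i < M


def sender_answer(w, queries):
    """Constructed toy S(b, r, q_1..q_i): the sender's i-th answer is a truncated hash."""
    b, r = w & 1, w >> 1
    data = f"{b}|{r}|{'/'.join(map(str, queries))}".encode()
    return hashlib.sha256(data).digest()[0] & ((1 << ANS_BITS) - 1)


class Circuit:
    """C_i, the circuit naturally defined by S and q_1..q_i: C_i(w) = (a_1, ..., a_i)."""

    def __init__(self, queries):
        self.queries = tuple(queries)

    def desc(self):
        return "C" + repr(self.queries)

    def __call__(self, w):
        return tuple(sender_answer(w, self.queries[:i + 1]) for i in range(len(self.queries)))


class Sam:
    """Stateless collision finder: Sam(C_next, C, w) -> w' uniform in {x : C(x) = C(w)}.

    The slides' restrictions (answer only if (C, ., .) = w was an earlier answer; depth at
    most d) are enforced by an HMAC tag (the slides' "signature") that travels with each
    answer, so Sam itself keeps no state: the user stores and presents (w, depth, tag).
    """

    def __init__(self, depth_limit, rng):
        self.d = depth_limit
        self.rng = rng
        self.key = bytes(rng.getrandbits(8) for _ in range(32))   # known only to Sam

    def _tag(self, circuit, w, depth):
        msg = f"{circuit.desc() if circuit else 'bot'}|{w}|{depth}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def query(self, c_next, c=None, w=None, depth=0, tag=None):
        if c is None:                                      # root query (C_next, bot, bot)
            w_new, depth = self.rng.randrange(1 << M), 0
        else:
            if depth >= self.d or tag is None or not hmac.compare_digest(tag, self._tag(c, w, depth)):
                return None                                # forged history or depth limit reached
            target = c(w)
            w_new = self.rng.choice([x for x in range(1 << M) if c(x) == target])
        return w_new, depth + 1, self._tag(c_next, w_new, depth + 1)


def receiver_accepts(queries, answers, w):
    """Honest receiver's reveal-stage check: the opening (b, r) = w must reproduce every answer."""
    return Circuit(queries)(w) == tuple(answers)


def cheating_sender(sam, queries, tries=256):
    """Slide 16 strategy: one chained Sam query per round, then resample openings at the end."""
    c_prev, w, depth, tag = None, None, 0, None
    answers = []
    for i in range(len(queries)):
        c_i = Circuit(queries[:i + 1])
        res = sam.query(c_i, c_prev, w, depth, tag)
        if res is None:
            raise ValueError("depth limit d must be at least rounds + 1")
        w, depth, tag = res
        answers.append(c_i(w)[-1])                         # a_i = S(b_i, r_i, q_1..q_i)
        c_prev = c_i
    openings = {w & 1: w}                                  # bit -> an opening consistent with the transcript
    last = None
    for _ in range(tries):                                 # (b_{k+1}, r_{k+1}) <- Sam, repeated
        res = sam.query(None, c_prev, w, depth, tag)
        if res is None:
            break
        last = res
        openings.setdefault(res[0] & 1, res[0])
        if len(openings) == 2:
            break
    return answers, openings, c_prev, last


def run_demo(rounds=2, depth_limit=3, seed=7):
    rng = random.Random(seed)
    sam = Sam(depth_limit, rng)
    queries = [rng.randrange(256) for _ in range(rounds)]   # honest receiver's (non-adaptive) queries
    answers, openings, c_k, last = cheating_sender(sam, queries)
    both = len(openings) == 2 and all(receiver_accepts(queries, answers, w) for w in openings.values())
    # the reveal answer sits at depth k + 1 = d, so extending the chain from it is refused ...
    refused = last is not None and sam.query(None, c_k, last[0], last[1], last[2]) is None
    # ... as is any query whose history tag was not issued by Sam
    some_w = next(iter(openings.values()))
    forged = sam.query(None, c_k, some_w, rounds, b"\x00" * 32) is None
    return {"both_bits_opened": both, "depth_limit_enforced": refused, "forged_tag_refused": forged}


if __name__ == "__main__":
    print(run_demo())
```

run_demo() plays a 2-round commitment against a Sam of depth 3: the cheating sender ends up with accepted openings for both b = 0 and b = 1, which is the binding break of slide 16. The two refusals show the restrictions of slide 17 doing their work without Sam holding any state: a chain can only be extended from an answer Sam actually gave, and only up to depth d, which is what keeps the permutation one-way in lemmas 1 and 2.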

Slide 20: The Permutation is Still One-way in the Presence of Sam
Thm: ∀ PPT A, Pr_y[A^{Sam}(y) inverts y] = negl.
A^{Sam}(y) hits if it queries w' ← Sam(C_next, C, w) and C(w') queries the permutation on the preimage of y.
Lemma 1: Pr_y[A^{Sam}(y) inverts y and does not hit] = negl. (Using an extension of [Gennaro-Trevisan '01].)
Lemma 2: Pr_y[A^{Sam}(y) hits] = negl. We prove that Pr_y[A^{Sam}(y) hits] > negl ⇒ ∃ Ā s.t. Pr_y[Ā^{Sam}(y) inverts y and does not hit] > negl.

Slide 21: Gennaro-Trevisan Thm.
Theorem [GT '01] (informal): a random permutation is hard even for exponential-size circuits.
Main Lemma: Let A be a circuit making q queries to a permutation over {0,1}^n → {0,1}^n that inverts a random y with probability at least some threshold; then the permutation has a short description (of length K = 2·log(2^n choose a) + log((2^n − a)!), where a is that threshold times 2^n/(q+1)).
Proving the thm: let A be a circuit of size 2^{n/5} ⇒ A inverts w.p. 2^{-n/5} only a tiny fraction of the permutations (< 2^{-n}).

Slide 22: The Proof of the [GT] Lemma: the Short Description of the Permutation
Carefully choose Y ⊆ {y : A(y) inverts y} and let X be the preimage set of Y, with |Y| = |X| = a (the threshold times 2^n/(q+1)).
The description of the permutation is the description of X, Y and the values of the permutation over {0,1}^n \ X (and thus indeed of size K).
Reconstruction: go over all y ∈ Y in lexicographic order, simulate A(y) to get x = A(y), and set the image of x to y.
Y is chosen s.t. all the queries made by A(y) to the permutation are already defined, except for the possibility that A(y) queries the permutation on the preimage of y, but then you have found the preimage of y.

Slide 23: Proving Lemma 1
Lemma 1: ∀ PPT A, Pr_{permutation, y}[A^{Sam}(y) inverts y and no hit] is exponentially small in n.
We show that for every fixing of A's and Sam's random coins and every permutation: Pr_y[A^{Sam}(y) inverts y and no hit] > threshold ⇒ the permutation has a short description.
⇒ For any choice of A's and Sam's random coins, Pr_{permutation, y}[A^{Sam}(y) inverts y and no hit] is exponentially small in n.

Slide 24: Proving Lemma 1 (cont.)
Idea: apply [GT] to A^{Sam}.
Problem: A^{Sam} makes too many queries to the permutation.
Solution: when defining Y, only care that the queries in the evaluations C(w) and C(w') are defined.
Reconstruction: when simulating Sam(C) (embedded in A^{Sam}(y)), we find the first w' s.t. all the calls of C(w') to the permutation are already defined and C(w') = C(w).
Problem: C(w') might query the permutation on the preimage of y. But A is non-hitting!
Sam(C_next, C, w) here: go over {0,1}^m in a fixed order and return the first w' that satisfies C(w') = C(w).

Slide 25: From Hitting to Non-Hitting (a simple case)
Lemma 2: ∀ PPT A, Pr_{permutation, y}[A^{Sam} hits] = negl.
Idea: hitting A ⇒ non-hitting Ā that inverts.
Let the permutation be fixed, and assume that A only makes two queries: w_1 ← Sam(C_1, ⊥, ⊥) and w_2 ← Sam(C_2, C_1, w_1). A hits if C_1(w_2) queries y.
w_2 is uniformly distributed in {0,1}^m ⇒ Pr_y[C_1(U_m) queries y] = Pr_y[A^{Sam} hits].
Ā acts as A, but evaluates C_1(U_m) before calling Sam.
⇒ Pr_y[Ā^{Sam} inverts y and no hit] ≥ Pr_y[A^{Sam} hits] ⇒ Pr_y[A^{Sam} hits] = negl.
(Recall Sam(C_next, C, w): w' ← {x ∈ {0,1}^m : C(x) = C(w)}.)

Slide 26: From Hitting to Non-Hitting (general case)
Suppose Pr_y[A^{Sam}(y) hits] > 1/p(n).
hit_i = Pr[C_{i-1}(w_i) queries y].
Ā: evaluates C_{i-1}(w_{i-1}) before it calls Sam(C_i, C_{i-1}, w_{i-1}); inv_i = Pr[C_{i-1}(w_{i-1}) queries y].
Wlog hit_2 is exponentially small.
d(n) ∈ o(n/log n) and Σ_i hit_i > 1/p(n) ⇒ ∃ j s.t. hit_j > max{ p²(n) · … , 2^{-n/8} }.
(Recall Sam(C_i, C_{i-1}, w_{i-1}): w_i ← {x ∈ {0,1}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})}.)
[Figure: the chain (C_1, ⊥, ⊥) = w_1, (C_2, C_1, w_1) = w_2, ..., (C_{j-1}, C_{j-2}, w_{j-2}) = w_{j-1}, (C_j, C_{j-1}, w_{j-1}) = w_j, ..., (C_d, C_{d-1}, w_{d-1}) = w_d, of depth d(n).]

Slide 27: hit_j is large ⇒ inv_j is large
We prove that ∀ i, Ex[hit_i] = inv_i, where inv_i = Pr[C_{i-1}(w_{i-1}) queries y] and hit_i = Pr[C_{i-1}(w_i) queries y].
Sampling w_{i-1}: w_{i-1} ← {w : C_{i-2}(w) = C_{i-2}(w_{i-2})}.
Sampling w_i: sample w_{i-1}; let S = {w : C_{i-1}(w) = C_{i-1}(w_{i-1})}; w_i ← S.
Let hit_i^S = Pr_{w ← S}[C_{i-1}(w) queries y]. Then
inv_i = Σ_S Pr[S] · Pr[C_{i-1}(w_{i-1}) queries y | S] = Σ_S Pr[S] · hit_i^S = Ex[hit_i].
[Figure: {0,1}^m partitioned into classes S_1, ..., S_5 by the value of C_{i-1}; w_{i-1} lies in one of them.]

Slide 28: Additional Results
- A similar proof (same Sam) ⇒ in any construction as above, the sender communicates (n) bits.
- We give a BB-reduction from low-communication PIR to SH-commitment in which the sender communicates (log n) additional bits.
⇒ No BB-construction from OWP (and from TDP) to low-communication PIR.

Slide 29: Concluding Remarks
In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits.
- Sam breaks the binding w.h.p. ⇒ no weakly-binding commitment either.
- We did not use the fact that the receiver might deviate from the protocol ⇒ the bound holds for protocols secure only against honest receivers.
- The extension to TDP is not very hard.

Slide 30: Open Questions
- We showed that in any BB-reduction from OWP defined over {0,1}^n to statistically-hiding bit commitment, the sender communicates (n) bits. Tighter bounds for commitments of many bits would imply tighter bounds for PIR.
- Using our extension of Gennaro-Trevisan to prove other black-box separation results.

