Download presentation

Presentation is loading. Please wait.

Published byCristian Hallet Modified about 1 year ago

1
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A January, 2010

2
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications

3
Def: The Shannon entropy of r.v. X is H(X) = E x Ã X [log(1/Pr[X=x)] H(X) = “Bits of randomness in X (on avg)” 0 · H(X) · log |Supp(X)| Conditional Entropy: H(X|Y) = E y Ã Y [H(X| Y=y )] Entropy X concentrated on single point X uniform on Supp(X)

4
Perfect Secrecy & Entropy Def [Shannon ‘49]: Encryption scheme (Enc,Dec) has perfect secrecy if 8 m,m’ 2 {0,1} n Enc K (m) & Enc K (m’) are identically distributed for a random key K. Thm [Shannon ‘49]: Perfect secrecy ) |K| ¸ H(K) ¸ n *Also hold for statistical secrecy

5
Computational Secrecy Def [Goldwasser-Micali ‘82]: Encryption scheme (Enc,Dec) has computational secrecy if 8 m,m’ 2 {0,1} n Enc K (m) & Enc K (m’) are computationally indistinguishable. ) can have |K| ¿ n. Idea - Derive K’ from K, with a lot of “pseudoentropy”

6
Pseudoentropy Def [Håstad, Imagliazzo, Levin and Luby ‘90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t. 1.Y ´ c X 2.H(Y) ¸ k Pseudoentropy Generator: G S Ã {0,1} n X Y ´ c

7
Application of Pseudoentropy Thm [HILL ‘90]: 9 OWF ) 9 PRG Proof outline: OWF X with pseudo-min-entropy ¸ H(X)+poly(n) X with pseudoentropy ¸ H(X)+1/poly(n) PRG hardcore bit [GL89]+hashing repetitions hashing

8
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications

9
Unforgeability Crypto is not just about secrecy. Unforgeability: security properties saying that it has hard for an adversary to generate “valid” messages. –Unforgeability of MACs, Digital Signatures –Collision-resistance of hash functions –Binding of commitment schemes Cf. decision problems vs. search/sampling problems.

10
Ex: Collision-resistant Hashing Shrinking Collision Resistance: Given f ÃF, an efficient algorithm A cannot output x 1 x 2 such that f(x 1 ) = f(x 2 ) F = { f : {0,1} n ! {0,1} n-k }

11
Ex: Collision-resistant Hashing Shrinking: H(X | F,Y) ¸ k Collision Resistance: From (even a cheating) G’s point of view, X is determined by (F,Y) X has “accessible” entropy 0 F = {f : {0,1} n ! {0,1} n-k } G X Ã {0,1} n Y= F(X) F ÃF X

12
Ex: Collision-resistant Hashing Collision Resistance: H(X |F,Y,S 1 ) = neg(n) for every efficient G *. F = {f : {0,1} n ! {0,1} n-k } G * S 1 Ã {0,1} r Y F ÃF X F -1 (Y) S 2 Ã {0,1} r

13
Measuring Accessible Entropy Goal: A useful entropy measure to capture possibility that H acc (X) ¿ H(X) 1st attempt: X has accessible entropy at most k if there is a random variable Y s.t. 1.Y ´ c X 2.H(Y) · k Not useful! every X is indistinguishable from some Y of entropy polylog(n).

14
Inaccessible Entropy Idea: A generator G has inaccessible entropy if H(G’s outputs from an observer’s perspective) > H(G * ’s outputs from G * ’s perspective) Real Entropy Accessible Entropy

15
Real Entropy Def: The real entropy of G is H(Y 1,….,Y m |Z) i H(Y i | Z,Y 1,…,Y i-1 ) G R Ã {0,1} n Y1Y1 Z Y2Y2 YmYm

16
Accessible Entropy Def: G has accessible entropy at most k, if 8 PPT G * i H(Y i |Z,S 1,S 2,…,S i-1 ) · k Inaccessible entropy = real – accessible entropy Unbounded G * can achieve real entropy. G* Y1Y1 Z Y2Y2 YmYm S1S1 S2S2 SmSm R s.t. G(Z,R)=(Y 1,….,Y m )

17
OWF Inaccessible Entropy Claim: Real entropy = n Accessible entropy < n-log n G X Ã {0,1} n f(X) 1 f(X) 2 f(X) n Given a one-way function f : {0,1} n {0,1} n, define X

18
Y m+1 XYnYn 10Y2Y2 1 OWF Inaccessible Entropy Claim: Accessible entropy < n-log n Suppose G * s.t. i H(Y i |S 1,…,S i-1 ) n-log n Then can invert f on input Y’ by sequentially finding S 1,..,S n s.t. Y i =Y’ i (via sampling). High accessible entropy success on random Y=f(X) w.p. 1/poly(n). G* Y1Y1 S1S1 S2S2 SnSn S m+1 10 R=Y m+1 Y’ = 0 1 0

19
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications

20
Our Results I Much simpler proof that OWF ) Statistically Hiding Commitments via accessible entropy. Conceptually parallels [HILL ‘90,Naor ‘91] construction of PRGs & Statistically Binding Commitments from OWF. “Nonuniform” version achieves optimal round complexity, O(n/log n) [Haitner-Hoch-Reingold-Segev‘07]

21
Commitment Schemes

22
Commit stage Reveal stage m m S mm

23
Commitment Schemes COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K)

24
Security of Commitments COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K) Hiding –Statistical –Computational Binding –Statistical –Computational COMMIT (m) & COMMIT (m’) indistinguishable even to cheating R* Even cheating S * cannot reveal (m,K), (m’,K’) with m m’

25
Statistical Security? COMMIT STAGE accept/ reject SR m 2 {0,1} t REVEAL STAGE (m,K) Hiding –Statistical –Computational Binding –Statistical –Computational Impossible!

26
Statistical Binding COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K) Hiding –Statistical –Computational Binding –Statistical –Computational Thm [HILL90,Naor91]: One-way functions ) Statistically Binding Commitments

27
Statistical Hiding COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K) Hiding –Statistical –Computational Binding –Statistical –Computational Thm [HNORV ’07]: One-way functions ) Statistically Hiding Commitments Too Complicated!

28
Benefit of Statistical Hiding In most protocols that use commitments: Binding only required during protocol execution –Depends on adversary’s current capabilities –Safe to be computational Hiding may matter long after execution –Adversary may gain computational resources –Hardness assumption may be broken –Statistical hiding ) “everlasting secrecy”

29
Example: Zero Knowledge for NP [Goldreich-Micali-Wigderson86] Hiding ) Zero Knowledge –Verifier learns nothing other than x 2 L Binding ) Soundness –Prover cannot convince verifier if x L (1,4) PV Corollary: One-Way Functions ) Statistical Zero Knowledge “Arguments” for NP.

30
Statistically Hiding Commitments & Inaccessible Entropy COMMIT STAGE SR M Ã {0,1} n REVEAL STAGE M Statistical Hiding: H(M|C) = n - neg(n) K C

31
Statistically Hiding Commitments & Inaccessible Entropy COMMIT STAGE S*S* R REVEAL STAGE M Statistical Hiding: H(M|C) = n - neg(n) Comp’l Binding: For every PPT S * H(M|C,S 1 ) = neg(n) “inaccessible entropy for protocols” K C coins S 1 coins S 2

32
OWF ) Statistically Hiding Commitments: Our Proof OWF G with real min-entropy ¸ accessible entropy+poly(n) G with real entropy ¸ accessible entropy+log n statistically hiding commitment done repetitions parallel repetitions* (interactive) hashing [DHRS07] +UOWHFs [NY89,Rom90] “m-phase” commitment

33
Entropy Gap to Commitment Theorem: Assume exists m(n)-block generator with accessible entropy < real min-entropy – (mn). Then there exists m(n)-round statistically hiding commitment. Skip

34
(b 2 {0,1}) G(U n ) y1y1 y2y2 … y1y1 y2y2 (S H (y 1 ),R H ) (S H (y 2 ),R H ) Interactive hashing [DHRS ‘07]: S H send some random information about y i to R H Or Accessible messages Single element Possible messages Many elements * Problem – S * can decide where to have low accessible entropy, after seeing which round is used for the commitment “Hiding” – after (S H (y i ),R H ), the entropy of y i from R’s point of view is still high * “Weakly binding” - 9 i s.t. after (S H (c),R H ) there is only single accessible y i (even for a cheating S * )

35
Def: [Naor-Yung ’89] (UOWHF) F = {f : {0,1} l {0,1} l-k } is a family of universal one-way hash functions if –Shrinking A –Weak collision resistance: The following is negligible for any efficient A*: First A * outputs x, and on f ÃF, A* outputs x≠x' s.t f(x)= f(x’) Thm. [Rompel ’90, HRVW ‘09]: If OWFs exist, then there exists UOWHF for every (poly. related) l and t. Universal One-way hash function

36
(b 2 {0,1}) y1y1 y2y2 (S H (y 1 ),R H ) (S H (y 2 ),R H ) 1. 2.S H sends f(y) to R H, for a random f 2F (chosen by R H ) Or Possible messages Accessible messages Single element Many elements (S H (y),R H )

37
Missing Details Accessible entropy ) Accessible set of valid messages We assume that for all i 2 [m] we know H(y i |y 1,…,y i-1 ) 1.Constant-round protocols: a)try “all” values b)combine the resulting commitments. 2.Many-round protocols: “equalize” the real entropy via sequential repetition

38
Cf. OWF ) Statistically Binding Commitment - [HILL ’90, Naor ’91] OWF X with pseudo-min-entropy ¸ H(X)+poly(n) X with pseudoentropy ¸ H(X)+1/poly(n) PRG hardcore bit [GL89]+hashing repetitions hashing Statistically binding commitment expand output & translate

39
Our Results II Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with “black-box simulation” m constant-round statistically hiding commitments exist. ( * due to [GK96,G01], novelty is )

40
Other Applications Simpler/improved universal one-way hash functions from OWF [HRVW09b] Inspired simpler/improved pseudorandom generators from OWF [HRV09]

41
Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. Secrecy pseudoentropy > real entropy Unforgeability accessible entropy < real entropy

42
Research Directions Complexity-theoretic applications of inaccessible entropy Remove “parallelizable” condition from ZK result. Use inaccessible entropy for new understanding/constructions of MACS and digital signatures.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google