Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A New Interactive Hashing Theorem Iftach Haitner and Omer Reingold WEIZMANN INSTITUTE OF SCIENCE.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 A New Interactive Hashing Theorem Iftach Haitner and Omer Reingold WEIZMANN INSTITUTE OF SCIENCE."— Presentation transcript:

1 1 A New Interactive Hashing Theorem Iftach Haitner and Omer Reingold WEIZMANN INSTITUTE OF SCIENCE

2 2 Talk Plan What is Interactive Hashing Applications of Interactive Hashing The new theorem Applications of the new theorem About the proof

3 3S Interactive Hashing[NOVY91] f h x à {0,1} n, y=f(x) R hÃHhÃH R Hiding – The only information that R obtains about y is h(y). S Binding- Eff. S cannot find x 1, x 2 such that f(x 1 )  f(x 2 ) and h(f(x 1 )) = h(f(x 2 )) = z. Easy |Easy|=2 ¾n h z = h(y) One-way permutation: eff. computable hard to invert: hard to find f -1 (f(x) ) for x à {0,1} n. h z=h(y) Two-to-one hash function

4 4 Statistically-Hiding Commitment S R Commit-stage y 2 {0,1} n

5 5 Statistically-Hiding Commitment cont. Reveal-stage SR y

6 6 Statistically-Hiding Commitment cont. R Hiding – R does not obtain non- negligible information about y during the commit-stage. S Binding – Eff. S cannot decommit into two different values (with non-neg. probability). R In interactive hashing R only obtains h(y) Same as in interactive hashing

7 7 S (b) S (b 2 {0,1}) IH (NOVY) to Bit-Commitment x à {0,1} n, y=f(x) R hÃHhÃH z = h(y) h Let {y 0,y 1 } = h -1 (z) sorted lexicographically and let  be the index of y (i.e., y= y  ) c = b ©  Commit stage: Reveal stage: (x,b)h(f(x)) = z and c = b © 

8 8S String-Commitment to IH x à {0,1} n, y=f(x) R hÃHhÃH z = h(y) h Com. to y

9 9 Applications of Interactive Hashing Perfectly-hiding cmt. from owp [NOVY98] Statistically-hiding cmt. from regular/ appx.-preimage-size owf [ HHKKMS05 ] Statistical zk argument from any owf [NOV06] Statistically-hiding cmt. from any OWF [HR06] “Information theoretic” ih, applications [ OVY91,CCM98,DHRS04,CS06,NV06,... ]

10 10 The NOVY IH Protocol A “more interactive” version of the naïve (semi-honest) protocol. A particular family of two-to-one hash functions. Assuming that f is a OWP, the protocol satisfies both hiding and binding. h(x) = h 1 (x),...,h n-1 (x), where  h i = 0 i-1 1 {0,1} n-i  h i (x) = 2.

11 11 The NOVY Protocol cont. Observed by [HHKKMS05]: Binding is guaranteed even when f is hard to invert over U n : hard to find an inverse f -1 (y) for a uniformly chosen y 2 {0,1} n. Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U n ) is dense in {0,1} n

12 12 h f Im(f) About the size of Im(f) [HHKKMS05,NOV06] use this observation when f(U n ) is sparse h’ Two-to-one “interactive” hash function Non-interactive hashing

13 13 Interactive Hashing for Sparse Sets h f Im(f) About the size of Im(f) Can interactive hashing be applied directly to sparse sets?

14 14 Our Results Holds w.r.t. sparse sets: –Binding is guaranteed if f is hard w.r.t the uniform distribution over Im(f) –Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U n ) is “close” to the uniform dis. over Im(f) Allows a more general choice of hash functions Improved parameters also w.r.t. the NOVY settings Simpler proof In NOVY- hard to invert over {0,1} n In NOVY- close to {0,1} n

15 15 Applications of The New Theorem to Bit-Commitment Reproving (as an immediate corollary) the result of [HHKKMS05] : Statistical commitment from any regular/ Appx.-preimage-size owf. Might simplify current constructions of statistical zk argument and statistical commitment from any owf.

16 16 L Information-Theoretic IH z = h(y) h S y 2 L R hÃHhÃH R Hiding – The only information that R obtains about y is h(y). S Binding- Unbounded S cannot find (with non-neg probability) y 1  y 2 2 L such that h( y 1 ) = h( y 2 ) = z. h |L| << 2 n/2 ? |L| > 2 n/2 |L Å Consist(h 1,…,h k )| << √| Consist(h 1,…,h k )| h = (h 1,...,h n-1 ) ÃH n-1 z 1 = h 1 (y) h1h1 z n-1 = h n-1 (y) h n-1 Two-to-one hash function Boolean pairwise- independent hash functions | L | << 2 n Consist(h 1,…,h k )= {y: 8 i h i (y)=z i } Consist(h 1 )={y: h 1 (y)=z 1 }

17 17 Our protocol (variant of NOVY) R h = (h 1,...,h k ) ÃH k z 1 = h 1 (y) h1h1 z k = h k (y) hkhk hf Im(f) About the size of Im(f) S x à {0,1} n, y=f(x) Any family of Boolean pairwise-independent hash functions k w log(|Im(f)|)

18 18Hiding R If R is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h RIf R is malicious, it obtains h(y) for an adaptively chosen h RIn many settings (e.g., commitment schemes) we can force R to follow the protocol Same as in NOVY, but there it is less harmful

19 19Binding Main Theorem: Let A be an alg. that breaks the binding of the protocol with probability . Then there exists an eff. alg. M A s.t Pr y à Im(f) [M A (y) 2 f -1 (y) ] 2  (  2 /n 8 ) Comparing to previous results (Im(f)= {0,1} n ): [NOVY98] -  (  10 /poly(n)) [NOV06] -  (  3 /n 6 ) * Here - proof for the NOVY settings, i.e., Im(f) = {0,1} n and the hashing is to {0,1} n-1

20 20 z 1 h1h1 z n-1 h n-1 A Outputs x 1, x 2 R h = (h 1,...,h n-1 ) ÃH n-1 Algorithm A Pr[ f(x 1 )  f(x 2 ) Æ h(f(x 1 )) = h(f(x 2 )) = z ] ¸  * z = (z 1,...,z n-1 )

21 21 z 1 h1h1 z n-1 h n-1 A M A (y) R h = (h 1,...,h n-1 ) ÃH kn-1 Returns x 1 or x 2 In order to success we need: y=f(x 1 ) or y=f(x 2 ) ! we need 8 i h i (y) = z i happens with neg. probability Choose (h 1,...,h n-1 ) s.t. y is consistent Outputs x 1, x 2

22 22 M A on input y 2 {0,1} n : 1.(h 1,…, h n-ofs ) Ã Searcher( y) 2.Return Inverter( h 1,…, h n-ofs ) ofs 2 O(log(1/)+ log(n)) Inverter( h 1,…, h n-ofs ) 1.Choose h n-ofs+1,…,h n-1 uniformly in H 2.( x 1, x 2 ) Ã A Dec (h 1,…, h n-1 ) 3.Return x 1 or x 2 Searcher( y): 1.For i = 1 to n - ofs Do the following 2log(n) times: Choose uniformly at random h i 2H If A (h 1,...,h i ) = h i (y), break the inner loop. 2.Return h 1,…, h n-ofs

23 23... Consist A ( h 1,...,h k ) = {y: 8 i h i (y) = A (h 1,...,h k )} {0,1} n h1h1 h2h2 h3h3 Consist A ( h 1 ) = {y: h 1 (y) = A (h 1 )} Pictorial description of A hkhk

24 24 h1h1 h2h2 h3h3 The evaluation of Searcher y 2 {0,1} n y 2 Consist A ( h 1 ) n-ofs y 2 Consist A ( h 1,...,h n-ofs ) h n-ofs D Real (h,y) y à {0,1} n, h à Searcher( y ) If Inverter does well on D Real (i.e., prob. Inverter( h ) 2 f -1 (y ) is noticeable) then M A inverts f well

25 25 h1h1 h2h2 h3h3 The Ideal dist. n-ofs h n-ofs D Ideal (h,y) h ÃH n- ofs, y à Consist A ( h ) At random Inverter does well on D Ideal The distribution on (h 1,…,h n-fs ) is what A expects ! A returns element in f -1 (Consist A (h 1,…,h n-ofs )) with non-negligible probability Consist A (h 1,…,h n-ofs ) is small y à Consist A (h 1,…,h n-ofs )

26 26 Proof of Security Inverter does well on D Ideal D Ideal and D Real are close. The statistical diff. between D Ideal and D Real is larger than the success probability of Inverter on D Ideal

27 27 Refined Proximity Measure Definition: D 1 (, a )-approximates D 2, if there exists Bad µ sup(D 1 ), s.t. –D 1 ( Bad ) · . –For every x  Bad 1/ a · D 1 (x) /D 2 (x) · a. Let T be an event s.t. D 1 [T] ¸ + non-neg then, D 2 [T] ¸ non-neg

28 28 Lemma 1 D Ideal ( O(  2 /n 3 ),81 )-approximates D Real. Lemma 2 (informal) Inverter does well on D Ideal and its success probability does not depend on event of small probability Proving Lemma 2: similar to the information-theoretic case

29 29 Proving Lemma 1 Since our proximity measure is “well behaved”, it suffices to prove that Claim 1: (h,y) h ÃH,y à Consist A (h) ( O(  2 /n 3 ), 1+4/n ) -approx. (h,y) y à {0,1} n, h ÃH | y 2 Consist A (h) Proof: 1.For almost any h 2 H, (about) half of {0,1} n is consistent with it 2.Almost any y 2 {0,1} n is consistent with (about) half of H

30 30 Further issues Linear reduction, or lower bound for the security of the reduction Give simpler construction for statistical zk and statistical commitment schemes from owf.

31 31 Thanks

32 32 L Consist A ( h 1,...,h n-ofs ) {y: prob. Inverter( h 1,...,h n-ofs ) 2 f -1 (y ) is noticeable} Lemma 2 : Inverter does well on D Ideal and its success prob. does not depend on event of small probability {y: probability that A breaks the binding with y (conditioned on h 1,...,h n-ofs ) is noticeable}

Download ppt "1 A New Interactive Hashing Theorem Iftach Haitner and Omer Reingold WEIZMANN INSTITUTE OF SCIENCE."

Similar presentations

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Approximation Algorithms Chapter 14: Rounding Applied to Set Cover.

Approximation Algorithms Chapter 14: Rounding Applied to Set Cover.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.

A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.

Similar presentations

Ads by Google