Inaccessible Entropy
Iftach Haitner (Microsoft Research), Omer Reingold (Weizmann & Microsoft), Hoeteck Wee (Queens College, CUNY), Salil Vadhan (Harvard University)
January 2010
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications
Entropy
Def: The Shannon entropy of a random variable X is $H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$.
H(X) = "bits of randomness in X (on average)": $0 \le H(X) \le \log|\mathrm{Supp}(X)|$, with $H(X) = 0$ when X is concentrated on a single point and $H(X) = \log|\mathrm{Supp}(X)|$ when X is uniform on Supp(X).
Conditional entropy: $H(X \mid Y) = \mathbb{E}_{y \leftarrow Y}[H(X \mid Y=y)]$.
Perfect Secrecy & Entropy
Def [Shannon '49]: Encryption scheme (Enc, Dec) has perfect secrecy if for all $m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are identically distributed for a random key K.
Thm [Shannon '49]: Perfect secrecy ⇒ $|K| \ge H(K) \ge n$.
*Also holds for statistical secrecy.
Computational Secrecy
Def [Goldwasser-Micali '82]: Encryption scheme (Enc, Dec) has computational secrecy if for all $m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are computationally indistinguishable.
⇒ can have $|K| \ll n$.
Idea: derive K' from K, with a lot of "pseudoentropy".
Pseudoentropy
Def [Håstad, Impagliazzo, Levin and Luby '90]: X has pseudoentropy $\ge k$ iff there exists a random variable Y s.t. 1. $Y \approx_c X$ 2. $H(Y) \ge k$.
Pseudoentropy generator (figure): G on seed $S \leftarrow \{0,1\}^n$ outputs X, with $X \approx_c Y$ for some Y of entropy $\ge k$.
Application of Pseudoentropy
Thm [HILL '90]: ∃ OWF ⇒ ∃ PRG.
Proof outline:
OWF
--[hardcore bit [GL89] + hashing]--> X with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
--[repetitions]--> X with pseudo-min-entropy $\ge H(X) + \mathrm{poly}(n)$
--[hashing]--> PRG
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications
Unforgeability
Crypto is not just about secrecy. Unforgeability: security properties saying that it is hard for an adversary to generate "valid" messages.
–Unforgeability of MACs, digital signatures
–Collision resistance of hash functions
–Binding of commitment schemes
Cf. decision problems vs. search/sampling problems.
Ex: Collision-resistant Hashing
$\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$
Shrinking. Collision resistance: given $f \leftarrow \mathcal{F}$, an efficient algorithm A cannot output $x_1 \ne x_2$ such that $f(x_1) = f(x_2)$.
As a two-phase generator (figure): G samples $X \leftarrow \{0,1\}^n$, receives $F \leftarrow \mathcal{F}$, sends $Y = F(X)$, and later reveals X.
Shrinking: $H(X \mid F, Y) \ge k$.
Collision resistance: from (even a cheating) G's point of view, X is determined by (F, Y), i.e. X has "accessible" entropy 0.
Formally (figure): a cheating G* uses coins $S_1 \leftarrow \{0,1\}^r$ to produce Y after seeing $F \leftarrow \mathcal{F}$, then coins $S_2 \leftarrow \{0,1\}^r$ to produce some $X \in F^{-1}(Y)$. Collision resistance ⇒ $H(X \mid F, Y, S_1) = \mathrm{neg}(n)$ for every efficient G*.
Measuring Accessible Entropy
Goal: a useful entropy measure to capture the possibility that $H_{\mathrm{acc}}(X) \ll H(X)$.
1st attempt: X has accessible entropy at most k if there is a random variable Y s.t. 1. $Y \approx_c X$ 2. $H(Y) \le k$.
Not useful! Every X is indistinguishable from some Y of entropy polylog(n).
Inaccessible Entropy
Idea: a generator G has inaccessible entropy if
H(G's outputs from an observer's perspective) ("real entropy")
> H(G*'s outputs from G*'s own perspective) ("accessible entropy").
Real Entropy
Def: G on public input Z and coins $R \leftarrow \{0,1\}^n$ outputs blocks $Y_1, \ldots, Y_m$. The real entropy of G is $H(Y_1, \ldots, Y_m \mid Z) = \sum_i H(Y_i \mid Z, Y_1, \ldots, Y_{i-1})$.
Accessible Entropy
Def: A cheating G* outputs $Y_1, \ldots, Y_m$ using fresh coins $S_1, \ldots, S_m$ (one block of coins per round) and must stay G-consistent: it also outputs R s.t. $G(Z, R) = (Y_1, \ldots, Y_m)$.
G has accessible entropy at most k if for all PPT G*: $\sum_i H(Y_i \mid Z, S_1, S_2, \ldots, S_{i-1}) \le k$.
Inaccessible entropy = real entropy − accessible entropy.
An unbounded G* can achieve the real entropy.
OWF ⇒ Inaccessible Entropy
Given a one-way function $f : \{0,1\}^n \to \{0,1\}^n$, define the block generator G: on $X \leftarrow \{0,1\}^n$, output the blocks $Y_1 = f(X)_1, Y_2 = f(X)_2, \ldots, Y_n = f(X)_n$ (the bits of f(X)), and finally $Y_{n+1} = X$.
Claim: Real entropy = n. Accessible entropy < n − log n.
Proof sketch: Suppose a PPT G* has $\sum_i H(Y_i \mid S_1, \ldots, S_{i-1}) \ge n - \log n$. Then f can be inverted on input Y': sequentially find coins $S_1, \ldots, S_n$ (via sampling) such that $Y_i = Y'_i$ for each i, and read a preimage off G*'s last block $Y_{n+1} = X$ (figure: target $Y' = 0\,1\,0\ldots$, matched bit by bit). High accessible entropy ⇒ this succeeds on a random $Y' = f(X)$ w.p. 1/poly(n), contradicting one-wayness.
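As an added worked example (not code from the authors or from the slides), the entropy definitions of the first section and the block-generator argument of this slide are computed exactly on a toy instance. Assumptions are constructed: N = 4, f is a fixed 4-bit permutation table standing in for the one-way function (at this size it is trivially invertible, which is exactly what the "unbounded" G* below exploits), the generator is G(X) = (f(X)_1, …, f(X)_N, X) as on the slide, and the names F_TABLE, HonestGstar, CheatGstar and the inverter are this example's own. The block computes the real entropy by the chain rule, the accessible entropy $\sum_i H(Y_i \mid S_1, \ldots, S_{i-1})$ of two generators G* by enumerating their coins, and runs the proof-sketch inverter against both.

```python
"""Real vs. accessible entropy of the OWF block generator, exact on a toy instance.

Added example for these slides (not the authors' code). Constructed assumptions:
N = 4 and f is a fixed permutation table standing in for a one-way function; at
this size f is trivially invertible, which the "unbounded" G* below exploits.
"""
import itertools
import math
import random
from collections import Counter

N = 4  # generator: N bit-blocks of f(X), then X as the last block

# Constructed stand-in for the one-way function: a permutation of {0,1}^4.
F_TABLE = (7, 2, 13, 0, 9, 4, 15, 11, 1, 14, 6, 10, 3, 8, 12, 5)
F_INV = {y: x for x, y in enumerate(F_TABLE)}


def f(x):
    return F_TABLE[x]


def bit(y, i):
    """i-th bit of the N-bit value y, most significant bit first."""
    return (y >> (N - 1 - i)) & 1


def G(x):
    """Honest block generator from the slide: Y_1..Y_N = bits of f(X), Y_{N+1} = X."""
    return tuple(bit(f(x), i) for i in range(N)) + (x,)


def cond_entropy(pairs):
    """H(A | B) in bits for the uniform distribution over a list of (b, a) pairs."""
    joint, marg, n = Counter(pairs), Counter(b for b, _ in pairs), len(pairs)
    return sum(c / n * math.log2(marg[b] / c) for (b, _), c in joint.items())


def real_entropy():
    """Real entropy H(Y_1..Y_{N+1}) = sum_i H(Y_i | Y_1..Y_{i-1}) over X uniform."""
    outs = [G(x) for x in range(1 << N)]
    return sum(cond_entropy([(y[:i], y[i]) for y in outs]) for i in range(N + 1))


class HonestGstar:
    """G* that draws X = S_1 in its first block and is deterministic afterwards."""
    coin_lens = [N] + [0] * N  # bit lengths of the coin blocks S_1..S_{N+1}

    def block(self, i, coins):
        return G(coins[0])[i]


class CheatGstar:
    """Unbounded G*: a fresh coin per bit-block, then inverts f with the table.
    An efficient G* cannot do this when f is one-way; this one only shows that
    the real entropy is reachable without computational limits."""
    coin_lens = [1] * N + [0]

    def block(self, i, coins):
        if i < N:
            return coins[i]
        y = int("".join(str(b) for b in coins[:N]), 2)
        return F_INV[y]


def accessible_entropy(gstar):
    """sum_i H(Y_i | S_1..S_{i-1}), exact by enumerating all coin tuples (Z is empty)."""
    total = 0.0
    for i in range(len(gstar.coin_lens)):
        ranges = [range(1 << r) for r in gstar.coin_lens[: i + 1]]
        pairs = [(coins[:i], gstar.block(i, coins)) for coins in itertools.product(*ranges)]
        total += cond_entropy(pairs)
    return total


def invert_via_gstar(gstar, y_target, rng, tries=64):
    """Inverter from the proof sketch: resample G*'s coins block by block until
    Y_i matches the target bit, then read X off the last block."""
    coins = ()
    for i in range(N):
        r = gstar.coin_lens[i]
        cands = [0] if r == 0 else [rng.randrange(1 << r) for _ in range(tries)]
        hit = next((s for s in cands if gstar.block(i, coins + (s,)) == bit(y_target, i)), None)
        if hit is None:
            return None  # stuck: this G* has no entropy left to spend on block i
        coins += (hit,)
    x = gstar.block(N, coins + (rng.randrange(1 << gstar.coin_lens[N]),))
    return x if f(x) == y_target else None


def success_rate(gstar, trials=200, seed=0):
    """Fraction of random targets Y = f(X) for which the inverter finds a preimage."""
    rng = random.Random(seed)
    hits = sum(invert_via_gstar(gstar, f(rng.randrange(1 << N)), rng) is not None
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("real entropy          :", real_entropy())
    print("accessible (honest G*):", accessible_entropy(HonestGstar()))
    print("accessible (cheat G*) :", accessible_entropy(CheatGstar()))
    print("inverter vs honest G* :", success_rate(HonestGstar()))
    print("inverter vs cheat G*  :", success_rate(CheatGstar()))
```

The honest G* has accessible entropy 1 = H(Y_1): once S_1 = X is fixed, every later block is determined, so nothing can be "spent" in later rounds. The cheating G* reaches the real entropy 4 only because it inverts f with the table; the inverter then recovers X from every target, whereas against the honest G* it gets stuck about 7 times in 8 (each of the three deterministic blocks agrees with the target bit with probability 1/2). For a genuinely one-way f this is the contradiction of the proof sketch: any efficient G* with accessible entropy close to n would hand the inverter a preimage.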
outline Secrecy & Pseudoentropy Unforgeability & Inaccessible Entropy Applications
Our Results I
Much simpler proof that OWF ⇒ Statistically Hiding Commitments, via accessible entropy.
Conceptually parallels the [HILL '90, Naor '91] construction of PRGs & Statistically Binding Commitments from OWF.
The "nonuniform" version achieves optimal round complexity, O(n/log n) [Haitner-Hoch-Reingold-Segev '07].
Commitment Schemes (figure)
Sender S holds $m \in \{0,1\}^n$; receiver R.
Commit stage: S and R interact.
Reveal stage: S sends (m, K); R outputs accept/reject.
Security of Commitments
Hiding (statistical / computational): COMMIT(m) & COMMIT(m') are indistinguishable, even to a cheating R*.
Binding (statistical / computational): even a cheating S* cannot reveal (m, K), (m', K') with $m \ne m'$.
Statistical Security?
Both statistical hiding and statistical binding: impossible!
Statistical Binding (computational hiding)
Thm [HILL90, Naor91]: One-way functions ⇒ Statistically Binding Commitments.
Statistical Hiding (computational binding)
Thm [HNORV '07]: One-way functions ⇒ Statistically Hiding Commitments. Too complicated!
Benefit of Statistical Hiding
In most protocols that use commitments:
Binding is only required during protocol execution
–Depends on the adversary's current capabilities
–Safe to be computational
Hiding may matter long after execution
–Adversary may gain computational resources
–Hardness assumption may be broken
–Statistical hiding ⇒ "everlasting secrecy"
Example: Zero Knowledge for NP [Goldreich-Micali-Wigderson86] (figure: prover P, verifier V)
Hiding ⇒ Zero Knowledge
–Verifier learns nothing other than $x \in L$
Binding ⇒ Soundness
–Prover cannot convince verifier if $x \notin L$
Corollary: One-Way Functions ⇒ Statistical Zero Knowledge "Arguments" for NP.
Statistically Hiding Commitments & Inaccessible Entropy
Sender S commits to $M \leftarrow \{0,1\}^n$; C denotes the commit-stage transcript and K the decommitment key sent with M in the reveal stage.
Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$.
Computational binding: for every PPT S* with commit-stage coins $S_1$ (and reveal-stage coins $S_2$), $H(M \mid C, S_1) = \mathrm{neg}(n)$: "inaccessible entropy for protocols".
OWF ⇒ Statistically Hiding Commitments: Our Proof
OWF
--[done: the block generator above]--> G with real entropy ≥ accessible entropy + log n
--[repetitions]--> G with real min-entropy ≥ accessible entropy + poly(n)
--[(interactive) hashing [DHRS07] + UOWHFs [NY89, Rom90]]--> "m-phase" commitment
--[parallel repetitions*]--> statistically hiding commitment
Entropy Gap to Commitment
Theorem: Assume there exists an m(n)-block generator with accessible entropy < real min-entropy − (mn). Then there exists an m(n)-round statistically hiding commitment.
Interactive hashing [DHRS '07]: $S_H$ sends some random information about $y_i$ to $R_H$.
Figure: $G(U_n) = (y_1, y_2, \ldots)$; for each block the parties run $(S_H(y_i), R_H)$, committing to a bit $b \in \{0,1\}$. Possible messages: many elements. Accessible messages: single element.
"Hiding": after $(S_H(y_i), R_H)$, the entropy of $y_i$ from R's point of view is still high.
"Weakly binding": ∃ i s.t. after $(S_H(c), R_H)$ there is only a single accessible $y_i$ (even for a cheating S*).
* Problem: S* can decide where to have low accessible entropy after seeing which round is used for the commitment.
Universal One-way Hash Functions
Def [Naor-Yung '89] (UOWHF): $\mathcal{F} = \{ f : \{0,1\}^l \to \{0,1\}^{l-k} \}$ is a family of universal one-way hash functions if
–Shrinking
–Weak collision resistance: the following is negligible for any efficient A*: first A* outputs x; then, on $f \leftarrow \mathcal{F}$, A* outputs $x' \ne x$ s.t. $f(x) = f(x')$.
Thm [Rompel '90, HRVW '09]: If OWFs exist, then UOWHFs exist for every (polynomially related) l and k.
Two-step commitment to a block y (figure: $y_1, y_2$ with $(S_H(y_1), R_H)$, $(S_H(y_2), R_H)$, bit $b \in \{0,1\}$; possible messages: many elements, accessible messages: single element):
1. Interactive hashing $(S_H(y), R_H)$.
2. $S_H$ sends f(y) to $R_H$, for a random $f \in \mathcal{F}$ (chosen by $R_H$).
Missing Details
Accessible entropy ⇒ accessible set of valid messages.
We assume that for all $i \in [m]$ we know $H(y_i \mid y_1, \ldots, y_{i-1})$.
1. Constant-round protocols: a) try "all" values, b) combine the resulting commitments.
2. Many-round protocols: "equalize" the real entropy via sequential repetition.
Cf. OWF ⇒ Statistically Binding Commitment [HILL '90, Naor '91]
OWF
--[hardcore bit [GL89] + hashing]--> X with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
--[repetitions]--> X with pseudo-min-entropy $\ge H(X) + \mathrm{poly}(n)$
--[hashing]--> PRG
--[expand output & translate]--> statistically binding commitment
Our Results II
Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with "black-box simulation" ⟺ constant-round statistically hiding commitments exist.
(⇐ is due to [GK96, G01]; the novelty is ⇒.)
Other Applications Simpler/improved universal one-way hash functions from OWF [HRVW09b] Inspired simpler/improved pseudorandom generators from OWF [HRV09]
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
Secrecy: pseudoentropy > real entropy.
Unforgeability: accessible entropy < real entropy.
Research Directions
–Complexity-theoretic applications of inaccessible entropy.
–Remove the "parallelizable" condition from the ZK result.
–Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.