1 A New Interactive Hashing Theorem Iftach Haitner and Omer Reingold WEIZMANN INSTITUTE OF SCIENCE

2 Talk Plan What is Interactive Hashing Applications of Interactive Hashing The new theorem Applications of the new theorem About the proof

3S Interactive Hashing[NOVY91] f h x à {0,1} n, y=f(x) R hÃHhÃH R Hiding – The only information that R obtains about y is h(y). S Binding- Eff. S cannot find x 1, x 2 such that f(x 1 )  f(x 2 ) and h(f(x 1 )) = h(f(x 2 )) = z. Easy |Easy|=2 ¾n h z = h(y) One-way permutation: eff. computable hard to invert: hard to find f -1 (f(x) ) for x à {0,1} n. h z=h(y) Two-to-one hash function

4 Statistically-Hiding Commitment S R Commit-stage y 2 {0,1} n

5 Statistically-Hiding Commitment cont. Reveal-stage SR y

6 Statistically-Hiding Commitment cont. R Hiding – R does not obtain non- negligible information about y during the commit-stage. S Binding – Eff. S cannot decommit into two different values (with non-neg. probability). R In interactive hashing R only obtains h(y) Same as in interactive hashing

7 S (b) S (b 2 {0,1}) IH (NOVY) to Bit-Commitment x à {0,1} n, y=f(x) R hÃHhÃH z = h(y) h Let {y 0,y 1 } = h -1 (z) sorted lexicographically and let  be the index of y (i.e., y= y  ) c = b ©  Commit stage: Reveal stage: (x,b)h(f(x)) = z and c = b © 

8S String-Commitment to IH x à {0,1} n, y=f(x) R hÃHhÃH z = h(y) h Com. to y

9 Applications of Interactive Hashing Perfectly-hiding cmt. from owp [NOVY98] Statistically-hiding cmt. from regular/ appx.-preimage-size owf [ HHKKMS05 ] Statistical zk argument from any owf [NOV06] Statistically-hiding cmt. from any OWF [HR06] “Information theoretic” ih, applications [ OVY91,CCM98,DHRS04,CS06,NV06,... ]

10 The NOVY IH Protocol A “more interactive” version of the naïve (semi-honest) protocol. A particular family of two-to-one hash functions. Assuming that f is a OWP, the protocol satisfies both hiding and binding. h(x) = h 1 (x),...,h n-1 (x), where  h i = 0 i-1 1 {0,1} n-i  h i (x) = 2.

11 The NOVY Protocol cont. Observed by [HHKKMS05]: Binding is guaranteed even when f is hard to invert over U n : hard to find an inverse f -1 (y) for a uniformly chosen y 2 {0,1} n. Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U n ) is dense in {0,1} n

12 h f Im(f) About the size of Im(f) [HHKKMS05,NOV06] use this observation when f(U n ) is sparse h’ Two-to-one “interactive” hash function Non-interactive hashing

13 Interactive Hashing for Sparse Sets h f Im(f) About the size of Im(f) Can interactive hashing be applied directly to sparse sets?

14 Our Results Holds w.r.t. sparse sets: –Binding is guaranteed if f is hard w.r.t the uniform distribution over Im(f) –Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U n ) is “close” to the uniform dis. over Im(f) Allows a more general choice of hash functions Improved parameters also w.r.t. the NOVY settings Simpler proof In NOVY- hard to invert over {0,1} n In NOVY- close to {0,1} n

15 Applications of The New Theorem to Bit-Commitment Reproving (as an immediate corollary) the result of [HHKKMS05] : Statistical commitment from any regular/ Appx.-preimage-size owf. Might simplify current constructions of statistical zk argument and statistical commitment from any owf.

16 L Information-Theoretic IH z = h(y) h S y 2 L R hÃHhÃH R Hiding – The only information that R obtains about y is h(y). S Binding- Unbounded S cannot find (with non-neg probability) y 1  y 2 2 L such that h( y 1 ) = h( y 2 ) = z. h |L| << 2 n/2 ? |L| > 2 n/2 |L Å Consist(h 1,…,h k )| << √| Consist(h 1,…,h k )| h = (h 1,...,h n-1 ) ÃH n-1 z 1 = h 1 (y) h1h1 z n-1 = h n-1 (y) h n-1 Two-to-one hash function Boolean pairwise- independent hash functions | L | << 2 n Consist(h 1,…,h k )= {y: 8 i h i (y)=z i } Consist(h 1 )={y: h 1 (y)=z 1 }

17 Our protocol (variant of NOVY) R h = (h 1,...,h k ) ÃH k z 1 = h 1 (y) h1h1 z k = h k (y) hkhk hf Im(f) About the size of Im(f) S x à {0,1} n, y=f(x) Any family of Boolean pairwise-independent hash functions k w log(|Im(f)|)

18Hiding R If R is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h RIf R is malicious, it obtains h(y) for an adaptively chosen h RIn many settings (e.g., commitment schemes) we can force R to follow the protocol Same as in NOVY, but there it is less harmful

19Binding Main Theorem: Let A be an alg. that breaks the binding of the protocol with probability . Then there exists an eff. alg. M A s.t Pr y à Im(f) [M A (y) 2 f -1 (y) ] 2  (  2 /n 8 ) Comparing to previous results (Im(f)= {0,1} n ): [NOVY98] -  (  10 /poly(n)) [NOV06] -  (  3 /n 6 ) * Here - proof for the NOVY settings, i.e., Im(f) = {0,1} n and the hashing is to {0,1} n-1

20 z 1 h1h1 z n-1 h n-1 A Outputs x 1, x 2 R h = (h 1,...,h n-1 ) ÃH n-1 Algorithm A Pr[ f(x 1 )  f(x 2 ) Æ h(f(x 1 )) = h(f(x 2 )) = z ] ¸  * z = (z 1,...,z n-1 )

21 z 1 h1h1 z n-1 h n-1 A M A (y) R h = (h 1,...,h n-1 ) ÃH kn-1 Returns x 1 or x 2 In order to success we need: y=f(x 1 ) or y=f(x 2 ) ! we need 8 i h i (y) = z i happens with neg. probability Choose (h 1,...,h n-1 ) s.t. y is consistent Outputs x 1, x 2

22 M A on input y 2 {0,1} n : 1.(h 1,…, h n-ofs ) Ã Searcher( y) 2.Return Inverter( h 1,…, h n-ofs ) ofs 2 O(log(1/)+ log(n)) Inverter( h 1,…, h n-ofs ) 1.Choose h n-ofs+1,…,h n-1 uniformly in H 2.( x 1, x 2 ) Ã A Dec (h 1,…, h n-1 ) 3.Return x 1 or x 2 Searcher( y): 1.For i = 1 to n - ofs Do the following 2log(n) times: Choose uniformly at random h i 2H If A (h 1,...,h i ) = h i (y), break the inner loop. 2.Return h 1,…, h n-ofs

23... Consist A ( h 1,...,h k ) = {y: 8 i h i (y) = A (h 1,...,h k )} {0,1} n h1h1 h2h2 h3h3 Consist A ( h 1 ) = {y: h 1 (y) = A (h 1 )} Pictorial description of A hkhk

24 h1h1 h2h2 h3h3 The evaluation of Searcher y 2 {0,1} n y 2 Consist A ( h 1 ) n-ofs y 2 Consist A ( h 1,...,h n-ofs ) h n-ofs D Real (h,y) y à {0,1} n, h à Searcher( y ) If Inverter does well on D Real (i.e., prob. Inverter( h ) 2 f -1 (y ) is noticeable) then M A inverts f well

25 h1h1 h2h2 h3h3 The Ideal dist. n-ofs h n-ofs D Ideal (h,y) h ÃH n- ofs, y à Consist A ( h ) At random Inverter does well on D Ideal The distribution on (h 1,…,h n-fs ) is what A expects ! A returns element in f -1 (Consist A (h 1,…,h n-ofs )) with non-negligible probability Consist A (h 1,…,h n-ofs ) is small y à Consist A (h 1,…,h n-ofs )

26 Proof of Security Inverter does well on D Ideal D Ideal and D Real are close. The statistical diff. between D Ideal and D Real is larger than the success probability of Inverter on D Ideal

27 Refined Proximity Measure Definition: D 1 (, a )-approximates D 2, if there exists Bad µ sup(D 1 ), s.t. –D 1 ( Bad ) · . –For every x  Bad 1/ a · D 1 (x) /D 2 (x) · a. Let T be an event s.t. D 1 [T] ¸ + non-neg then, D 2 [T] ¸ non-neg

28 Lemma 1 D Ideal ( O(  2 /n 3 ),81 )-approximates D Real. Lemma 2 (informal) Inverter does well on D Ideal and its success probability does not depend on event of small probability Proving Lemma 2: similar to the information-theoretic case

29 Proving Lemma 1 Since our proximity measure is “well behaved”, it suffices to prove that Claim 1: (h,y) h ÃH,y à Consist A (h) ( O(  2 /n 3 ), 1+4/n ) -approx. (h,y) y à {0,1} n, h ÃH | y 2 Consist A (h) Proof: 1.For almost any h 2 H, (about) half of {0,1} n is consistent with it 2.Almost any y 2 {0,1} n is consistent with (about) half of H

30 Further issues Linear reduction, or lower bound for the security of the reduction Give simpler construction for statistical zk and statistical commitment schemes from owf.

31 Thanks

32 L Consist A ( h 1,...,h n-ofs ) {y: prob. Inverter( h 1,...,h n-ofs ) 2 f -1 (y ) is noticeable} Lemma 2 : Inverter does well on D Ideal and its success prob. does not depend on event of small probability {y: probability that A breaks the binding with y (conditioned on h 1,...,h n-ofs ) is noticeable}