Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

Published byPaul Chancellor Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel."— Presentation transcript:

1 1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel

2 2 Bit-Commitment (BC) S,R A two-phase protocol between the sender, S, and the receiver, R. S R Commit-phase – S commits to a bit value, b, without revealing its value to R. SR Reveal-phase – S reveals b to R and proves that this is the value he had committed to (in the commit-phase).

3 3 Bit-Commitment cont. SR Commit-phase b

4 4 Bit-Commitment cont. Reveal-phase b S R

5 5 Bit-Commitment cont. R Hiding – R does not learn the value of b during the commit-phase. S Binding – S cannot prove (in the reveal- phase) that he had committed to a different value than the one he had really committed to.

6 6 Different Types Of Bit- Commitment. R S Computationally-hiding perfectly-binding BC: R does not get (through the commit-phase) any computational-knowledge about b. S cannot (whatsoever) “cheat” in the reveal-phase. R S Statistically-hiding computationally-binding BC: R does not get any noticeable information about b. A computationally-bounded S cannot “cheat” in the reveal-phase. R Perfectly-hiding computationally-binding BC: R does not get any information about b. …

7 7 Different Types Of Bit- Commitment (comparison). In order to break the protocol, R needs to get super-polynomialpowers anytime after the commit-. In order to break the Computationally- hiding perfectly-binding protocol, R needs to get super-polynomial powers anytime after the commit-phase. In order to break the protocol, S needs to get super-polynomial powers before the end of the reveal-. In order to break the Statistically-hiding computationally-binding protocol, S needs to get super-polynomial powers before the end of the reveal-phase.

8 8 The importance of stat. – hiding comp. binding BC Building block in constructions of Statistically Zero-Knowledge arguments. Other cryptographic applications (e.g., Coin-flipping protocols).

9 9 Previous Implementations Number theoretic assumptions* (BKK, BCC). Claw-free permutations* (GK). Collision resistance hash functions (DPP, HM). One-way permutations* (NOVY). * : Perfectly-hiding. What are the minimal general hardness assumptions that yield Statistically-hiding computationally-binding BC? Do one-way functions suffice?

10 10 Our Result Statistically-hiding computationally- binding BC using approximable-size one-way functions. Approx.-size OWF – a OWF f is an approx.- size if we can efficiently approximate the number of pre-images of any y 2 Im(f). Any regular OWF is an approx.- size one. Regular OWF - a OWF f is regular if there exists a constant r s.t. the number of pre- images of any y 2 Im(f) is r.

11 11 The NOVY protocol A BC protocol based on an underlying function f :{0,1} n ! {0,1} n I.If f is a permutation then the protocol is perfectly-hiding. II.If f is a permutation and one-way then the protocol is computationally- binding. Perfectly-hiding computationally-binding BC based on one-way permutations.

12 12 One–Way Functions One–way function (OWF): f :{0,1} n ! {0,1} m is a OWF if for any ppt A, Pr x à {0,1} n [ A ( f (x)) 2 f -1 ( f (x))] = neg( n ) One–way function on range: for any ppt A, Pr y à Image( f ) [ A (y) 2 f -1 ( y )] = neg( n )  Any regular-OWF is also one-way on range.

13 13 ( ,  )-balanced Distribution. {0,1} n Bad | Bad | ·  2 n. Pr y à D [y 2 Bad ] · . For all z  Bad : |Pr y à D [y = z ] - 1/2 n | ·  /2 n. f:{0,1} n ! {0,1} m is ( ,  ) -balanced if f(U n ) is ( ,  ) -balanced. D is ( ,  )-balanced

14 14 {0,1} n D Example… Bad  D is ( 1/4, 1/3 ) - balanced

15 15  -hiding Bit-Commitment R  -hiding BC: A BC is  -hiding if from R ’s point of view, after the commit- phase, the statistical-difference between the cases when b=0 and b=1 is at most .  A statistically-hiding BC is a neg -hiding BC ( neg  is a negligible function of n ).

16 16 The NOVY protocol (restated) A generic scheme of BC protocol based on an underlying function f :{0,1} n ! {0,1} m I.If f is a one-way function on range then the protocol is computationally- binding. II.If f is ( ,  )-balanced then the protocol is (  +  )-hiding. The task: Implementing a balanced one-way function on range using approximable-size OWF.

17 17 Universal-Hashing Let H be a family of functions from {0,1} n ! {0,1} m. H is a k -universal hash family, if the output of a uniformly chosen h 2 H over k distinct elements in {0,1} n, are k independent random variables in {0,1} m.

18 18 Each element in {0,1} m has about the expected number of pre-images w.r.t. h (i.e., | S | ¢ 2 -m ) in S. Where the estimation gets better as k and |S| get bigger and m gets smaller. h à H, where H is k - universal {0,1} n S z h -1 (z) Hashing Lemma {0,1} m h

19 19  3n -universality of H - each z 2 {0,1} m has about the same number of pre-images, w.r.t. h, in Im(f).  r -regularity of f - each z 2 {0,1} m has about the same number of pre-images, w.r.t. g, in {0,1} n.  g is “rather” balanced.. universal constant g is (2 -n,1/2)-balanced one-way on range function. m=n-log(r)–log(cn) If m is too small g is not guaranteed to be one-way. g(h,x) ≡ h(f(x)),h {0,1} m h Balanced One-Way Function On Range From Regular OWF {0,1} n f {0,1} l(n) Im(f) m=? m=? {0,1} m g(U n ) m = n-log(r) (|{0,1} m | = |Im(f)|) m m m Danger! r-regular OWF h à H where H 3n -universal z h -1 (z) g -1 (z) z h -1 (z)

20 20 Claim: g is (2 -n,1/2) -balanced one-way on range function. g is (2 -n,1/2) -balanced. g is one-way – ( by our choice of m) a given output element in {0,1} m does not have “too-many” (up to polynomially many) pre-images, w.r.t. h 2 H, in Im(f). We can reduce the hardness of g to the hardness of f. g is one-way on range- there are about the same number of pre-images per output element. Similar to the regular OWF case.

21 21 Getting Statiscally–Hiding Computationally-Binding BC When using g with the NOVY protocol we achieve 1/2 -hiding computationally-binding BC. The amplification into statistically-hiding computationally-binding BC is done through a standard secret-sharing technique.

22 22 Balanced One-Way Function On Range From Approx.-Size OWF The following construction was given by [Häastad, Impagliazzo, Levin & Luby]. Let f:{0,1} n ! {0,1} m be an approx.-size OWF and let for y 2 {0,1} m, D(y) ≡ log(|f -1 (y)|). f xf(x) h h(x) 1…D(f(x))+2 h 0 (n-D(f(x)-2) g(h,x) ≡ f(x),h(x) 1...D(f(x)),h,0 (n-D(f(x)))

23 23 From Approx.-Size OWF cont. Thm [HILL]: g is “almost” 1-1 one-way function. Hence by plugging g in the construction for regular OWF we get ( 2 -n, 1/2 )-balanced one-way function on range. Using secret-sharing we get statiscally–hiding computationally-binding BC.

24 24 Open Problems Stat-hiding comp.-binding BC from any OWF? R. It suffices to give a construction for semi- honest R. Black-Box separation between Stat- hiding comp.-binding BC and OWF? Efficient round complexity?

Download ppt "1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel."

Similar presentations

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan.

On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan.
On Black-Box Separations in Cryptography

On Black-Box Separations in Cryptography
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.

Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Lecturer: Moni Naor Weizmann Institute of Science

Lecturer: Moni Naor Weizmann Institute of Science
A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.

A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Similar presentations

Ads by Google