Inaccessible Entropy

This article explores concepts such as entropy, secrecy, pseudoentropy, unforgeability, and inaccessible entropy, and discusses their applications in cryptography.

Presentation Transcript


  1. Inaccessible Entropy. Omer Reingold (Weizmann & Microsoft), Salil Vadhan (Harvard University), Iftach Haitner (Microsoft Research), Hoeteck Wee (Queens College, CUNY)

  2. outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications

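  3. Entropy Def: The Shannon entropy of r.v. $X$ is $H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$ • $H(X)$ = “Bits of randomness in $X$ (on avg)” • $0 \le H(X) \le \log|\mathrm{Supp}(X)|$ (lower bound: $X$ concentrated on single point; upper bound: $X$ uniform on $\mathrm{Supp}(X)$) • Conditional Entropy: $H(X|Y) = \mathbb{E}_{y \leftarrow Y}[H(X|Y=y)]$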

  4. Worst-Case Entropy Measures • Min-Entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$ • Max-Entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$ • $H_\infty(X) \le H(X) \le H_0(X)$

  5. outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications

  6. Perfect Secrecy & Entropy Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if $\forall m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ & $\mathrm{Enc}_K(m')$ are identically distributed for a random key $K$. Thm [Sh49]: Perfect secrecy $\Rightarrow |K| \ge n$

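  7. Perfect Secrecy $\Rightarrow |K| \ge n$ Proof: • Perfect secrecy $\Rightarrow (M,\mathrm{Enc}_K(M)) \equiv (M,\mathrm{Enc}_K(M'))$ for $M,M' \leftarrow \{0,1\}^n$ $\Rightarrow H(M|\mathrm{Enc}_K(M)) = n$ • Decryptability $\Rightarrow H(M|\mathrm{Enc}_K(M),K) = 0$ $\Rightarrow H(M|\mathrm{Enc}_K(M)) \le H(K)$.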

  8. Computational Secrecy Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if $\forall m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ & $\mathrm{Enc}_K(m')$ are computationally indistinguishable. $\Rightarrow$ can have $|K| \ll n$.

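  9. Where Shannon’s Proof Breaks • Computational secrecy $\Rightarrow (M,\mathrm{Enc}_K(M)) \equiv_c (M,\mathrm{Enc}_K(M'))$ for $M,M' \leftarrow \{0,1\}^n$ $\Rightarrow$ “$H_{\mathrm{pseudo}}(M|\mathrm{Enc}_K(M))$” $= n$ • Decryptability $\Rightarrow H(M|\mathrm{Enc}_K(M)) \le H(K)$. Key point: can have $H_{\mathrm{pseudo}}(X) \gg H(X)$, e.g. $X = G(U_k)$ for PRG $G : \{0,1\}^k \to \{0,1\}^n$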

  10. Pseudoentropy Def [HILL90]: $X$ has pseudoentropy $\ge k$ iff there exists a random variable $Y$ s.t. • $Y \equiv_c X$ • $H(Y) \ge k$ Pseudoentropy Generator (diagram): $G$ takes $S \leftarrow \{0,1\}^n$ and outputs $X$, with $X \equiv_c Y$

  11. Application of Pseudoentropy Thm [HILL90]: $\exists$ OWF $\Rightarrow \exists$ PRG Proof outline: OWF → (hardcore bit [GL89] + hashing) → $X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$ → (repetitions) → $X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$ → (hashing) → PRG

  12. outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications

  13. Unforgeability • Crypto is not just about secrecy. • Unforgeability: security properties saying that it is hard for an adversary to generate “valid” messages. • Unforgeability of MACs, Digital Signatures • Collision-resistance of hash functions • Binding of commitment schemes • Cf. decision problems vs. search/sampling problems.

  14. Ex: Collision-resistant Hashing $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$ • Shrinking • Collision Resistance: Given $f \leftarrow \mathcal{F}$, an efficient $A$ cannot output $x_1 \ne x_2$ such that $f(x_1) = f(x_2)$

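  15. Ex: Collision-resistant Hashing $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$ • Shrinking: $H(X | F,Y) \ge k$ • Collision Resistance: From (even a cheating) $G$’s point of view, $X$ is determined by $(F,Y)$ $\Rightarrow$ $X$ has “accessible” entropy 0 (Diagram: $G$ with $F \leftarrow \mathcal{F}$, $X \leftarrow \{0,1\}^n$, outputs $Y = F(X)$ and $X$.)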

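  16. Ex: Collision-resistant Hashing $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$ • Collision Resistance: $H(X | F,Y,S_1) = \mathrm{neg}(n)$ for every efficient $G^*$. (Diagram: $G^*$ with $F \leftarrow \mathcal{F}$, coins $S_1 \leftarrow \{0,1\}^r$, $S_2 \leftarrow \{0,1\}^r$, outputs $Y$ and $X \in F^{-1}(Y)$.)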

  17. Measuring Accessible Entropy Goal: A useful entropy measure to capture possibility that $H_{\mathrm{acc}}(X) \ll H(X)$ 1st attempt: $X$ has accessible entropy at most $k$ if there is a random variable $Y$ s.t. • $Y \equiv_c X$ • $H(Y) \le k$ Not useful! Every $X$ is indistinguishable from some $Y$ of entropy $\mathrm{polylog}(n)$.

  18. Inaccessible Entropy Idea: A generator $G$ has inaccessible entropy if $H$($G$’s outputs from an observer’s perspective) $>$ $H$($G^*$’s outputs from $G^*$’s perspective). (Left-hand side: Real Entropy; right-hand side: Accessible Entropy.)

  19. Real Entropy Def: The real entropy of $G$ is $H(Y_1,\dots,Y_m|Z) = \sum_i H(Y_i | Z,Y_1,\dots,Y_{i-1})$ (Diagram: $G$ with input $Z$, coins $R \leftarrow \{0,1\}^n$, outputs $Y_1, Y_2, \dots, Y_m$.)

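  20. Accessible Entropy Def: $G$ has accessible entropy at most $k$, if $\forall$ PPT $G^*$ • $\sum_i H(Y_i|Z,S_1,S_2,\dots,S_{i-1}) \le k$ • Inaccessible entropy = real − accessible entropy • Unbounded $G^*$ can achieve real entropy. (Diagram: $G^*$ with input $Z$, coins $S_1, S_2, \dots, S_m$, outputs $Y_1, Y_2, \dots, Y_m$, and $R$ s.t. $G(Z,R) = (Y_1,\dots,Y_m)$.)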

  21. OWF $\Rightarrow$ Inaccessible Entropy Given a one-way function $f : \{0,1\}^n \to \{0,1\}^n$, define $G$ (diagram: $X \leftarrow \{0,1\}^n$; outputs $f(X)_1, f(X)_2, \dots, f(X)_n, X$). Claim: • Real entropy $= n$ • Accessible entropy $< n - \log n$ [cf. Omer’s talk: $G(x) = (f(x), x_1, \dots, x_n)$ has next-bit pseudoentropy $\ge n + \log n$ for OWP $f$]

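  22. OWF $\Rightarrow$ Inaccessible Entropy Claim: Accessible entropy $< n - \log n$ • Suppose $\exists\, G^*$ s.t. $\sum_i H(Y_i|S_1,\dots,S_{i-1}) \ge n - \log n$ • Then can invert $f$ on input $Y'$ by sequentially finding $S_1,\dots,S_n$ s.t. $Y_i = Y'_i$ (via sampling). • High accessible entropy $\Rightarrow$ success on random $Y = f(X)$ w.p. $1/\mathrm{poly}(n)$. (Diagram: $G^*$ run against a target $Y'$, with coins $S_1, S_2, \dots, S_n, S_{m+1}$ and outputs $Y_1, Y_2, \dots, Y_n$, $R = Y_{m+1}$.)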

  23. outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications

  24. Commitment Schemes

  25. Commitment Schemes COMMIT STAGE S R m

  26. Commitment Schemes REVEAL STAGE S R m

  27. Commitment Schemes S R COMMIT STAGE $m \in \{0,1\}^n$ REVEAL STAGE $(m,K)$ accept/reject

  28. Security of Commitments • Hiding (Statistical / Computational): COMMIT($m$) & COMMIT($m'$) indistinguishable even to cheating $R^*$ • Binding (Statistical / Computational): Even cheating $S^*$ cannot reveal $(m,K)$, $(m',K')$ with $m \ne m'$ S R COMMIT STAGE $m \in \{0,1\}^n$ REVEAL STAGE $(m,K)$ accept/reject

  29. Statistical Security? • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE $m \in \{0,1\}^t$ REVEAL STAGE $(m,K)$ accept/reject Impossible!

  30. Statistical Binding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE $m \in \{0,1\}^n$ REVEAL STAGE $(m,K)$ accept/reject Thm [HILL90,Naor91]: One-way functions $\Rightarrow$ Statistically Binding Commitments

  31. Statistical Hiding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE $m \in \{0,1\}^n$ REVEAL STAGE $(m,K)$ accept/reject Too Complicated! Thm [HNORV07]: One-way functions $\Rightarrow$ Statistically Hiding Commitments

  32. Our Results I • Much simpler proof that OWF $\Rightarrow$ Statistically Hiding Commitments via accessible entropy. • Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF. • “Nonuniform” version achieves optimal round complexity, $O(n/\log n)$ [HHRS07]

  33. Our Results II Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with “black-box simulation” $\Leftrightarrow$ constant-round statistically hiding commitments exist. ($\Leftarrow$ due to [GK96,G01], novelty is $\Rightarrow$)

  34. Statistically Hiding Commitments & Inaccessible Entropy Statistical Hiding: $H(M|C) = n - \mathrm{neg}(n)$ S R COMMIT STAGE $M \leftarrow \{0,1\}^n$ $C$ REVEAL STAGE $M$ $K$

  35. Statistically Hiding Commitments & Inaccessible Entropy Statistical Hiding: $H(M|C) = n - \mathrm{neg}(n)$ Comp’l Binding: For every PPT $S^*$, $H(M|C,S_1) = \mathrm{neg}(n)$ $\Rightarrow$ “inaccessible entropy for protocols” $S^*$ R COMMIT STAGE coins $S_1$ $C$ REVEAL STAGE coins $S_2$ $M$ $K$

  36. OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof OWF → (done) → $G$ with real entropy $\ge$ accessible entropy $+ \log n$ → (repetitions) → $G$ with real min-entropy $\ge$ accessible entropy $+ \mathrm{poly}(n)$ → ((interactive) hashing [DHRS07] + UOWHFs [NY89,Rom90]) → “m-phase” commitment → (cut & choose & parallel rep) → statistically hiding commitment

  37. Cf. OWF $\Rightarrow$ Statistically Binding Commitment [HILL90,Naor91] OWF → (hardcore bit [GL89] + hashing) → $X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$ → (repetitions) → $X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$ → (hashing) → PRG → (expand output & translate) → Statistically binding commitment

  38. Other Applications • Simpler/improved universal one-way hash functions from OWF [HRVW09b] • Inspired simpler/improved pseudorandom generators from OWF [HRV09]

  39. Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. Secrecy: pseudoentropy > real entropy. Unforgeability: accessible entropy < real entropy.

  40. Research Directions • Formally unify inaccessible entropy and pseudoentropy. • Complexity-theoretic applications of inaccessible entropy • Remove “parallelizable” condition from ZK result. • Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.
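
The entropy argument on slides 6 and 7 (perfect secrecy forces $H(M|\mathrm{Enc}_K(M)) = n$, decryptability forces $H(M|\mathrm{Enc}_K(M),K) = 0$, hence $H(M|\mathrm{Enc}_K(M)) \le H(K)$) can be checked exactly on a toy cipher. The Python below is an added example, not part of the original presentation; the 3-bit message space, the XOR cipher and the truncated 2-bit key are assumptions chosen for illustration.

```python
import math
from collections import Counter

def H(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return sum(p * math.log2(1 / p) for p in dist.values() if p > 0)

def joint(n, keys, enc):
    """Joint distribution of (M, K, C) for uniform n-bit M and uniform K."""
    msgs = range(2 ** n)
    p = 1 / (len(msgs) * len(keys))
    return {(m, k, enc(k, m)): p for m in msgs for k in keys}

def marginal(dist, idx):
    """Marginal distribution over the coordinates listed in idx."""
    out = Counter()
    for outcome, p in dist.items():
        out[tuple(outcome[i] for i in idx)] += p
    return out

def cond_entropy(dist, x, y):
    """H(X|Y) = H(X,Y) - H(Y), with x and y given as coordinate tuples."""
    return H(marginal(dist, x + y)) - H(marginal(dist, y))

def perfectly_secret(n, keys, enc):
    """Slide 6: Enc_K(m) has the same distribution for every message m."""
    dists = [Counter(enc(k, m) for k in keys) for m in range(2 ** n)]
    return all(d == dists[0] for d in dists)

def analyze(n, keys, enc):
    """Entropy quantities from slide 7 for one cipher and key space."""
    d = joint(n, keys, enc)
    M, K, C = (0,), (1,), (2,)
    return {"H(K)": H(marginal(d, K)),
            "H(M|C)": cond_entropy(d, M, C),
            "H(M|C,K)": cond_entropy(d, M, C + K),
            "perfect": perfectly_secret(n, keys, enc)}

N = 3                                   # constructed toy message length
xor = lambda k, m: k ^ m                # constructed toy cipher
OTP = analyze(N, list(range(2 ** N)), xor)          # |K| = n: one-time pad
SHORT = analyze(N, list(range(2 ** (N - 1))), xor)  # |K| = n - 1

if __name__ == "__main__":
    for name, r in (("one-time pad", OTP), ("short key", SHORT)):
        print(name, r)
```

With the full-length key the ciphertext leaves all 3 bits of the message undetermined; with the 2-bit key decryption still works, but $H(M|C)$ drops to $H(K) = 2$ and the ciphertext distributions differ across messages, which is exactly the gap that computational secrecy (slide 8) has to cover.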
