
A New Interactive Hashing Theorem

WEIZMANN INSTITUTE OF SCIENCE. A New Interactive Hashing Theorem. Iftach Haitner and Omer Reingold. Talk Plan: What is Interactive Hashing; Applications of Interactive Hashing; The new theorem; About the proof; Applications of the new theorem.



  1. WEIZMANN INSTITUTE OF SCIENCE. A New Interactive Hashing Theorem. Iftach Haitner and Omer Reingold

  2. Talk Plan
     • What is Interactive Hashing
     • Applications of Interactive Hashing
     • The new theorem
     • About the proof
     • Applications of the new theorem

  3. Interactive Hashing [OVY91, NOVY98]
     [Diagram labels: S with x ← {0,1}^n, y = f(x); R with h ← H; messages h and z = h(y); f; h; Easy; |Easy|=2¾n]
     • One-way permutation:
       • eff. computable
       • hard to invert: hard to find f^-1(f(x)) for x ← {0,1}^n.
     • Two-to-one hash function
     Hiding – The only information that R obtains about y is h(y).
     Binding – Eff. S cannot find x1, x2 such that f(x1) ≠ f(x2) and h(f(x1)) = h(f(x2)) = z.

  4. Statistically-Hiding String-Commitment. Commit-phase
     [Diagram labels: S; R; y ∈ {0,1}^n]

  5. Statistical Bit-Commitment cont. Reveal-phase
     [Diagram labels: S; R; y]

  6. Statistically-Hiding String-Commitment cont.
     Hiding – R does not obtain non-negligible information about y during the commit-phase.
     Binding – Eff. S cannot decommit into two different values (with non-neg. probability).
     Callouts: "Same as in Interactive Hashing"; "In Interactive Hashing R only obtains h(y)"

  7. IH (NOVY) to Bit-Commitment
     [Diagram labels: S (b ∈ {0,1}) with x ← {0,1}^n, y = f(x); R with h ← H; messages h, z = h(y), c = b ⊕ , (x,b)]
     Commit phase: Let {y0,y1} = h^-1(z) sorted lexicographically and let  be the index of y (i.e., y= y)
     Reveal phase:

  8. String-Commitment to IH
     [Diagram labels: S with x ← {0,1}^n, y = f(x); R with h ← H; messages h, Com. to y, z = h(y)]

  9. Applications of Interactive Hashing
     • Perfectly-Hiding BC from OWP [NOVY98]
     • Statistically-Hiding BC from Regular/Appx.-preimage-size OWF [HHKKMS05]
     • Statistical ZK Argument from OWF [NOV06]
     • “Information Theoretic” IH, applications [OVY91, CCM98, DHRS04, CS06, NV06, ...]

  10. The NOVY IH Protocol
      • A “more interactive” version of the naïve (semi-honest) protocol.
      • A particular family of two-to-one hash functions.
      • Assuming that f is a OWP, the protocol satisfies both hiding and binding.
      • h(x) = h_1(x),...,h_(n-1)(x), where
        • h_i = 0^(i-1) 1 {0,1}^(n-i)
        • h_i(x) = <h_i,x>_2.
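
The commit and reveal flow of slide 7 run on the hash family of slide 10, as an added Python example that is not part of the original talk. The affine map standing in for f is a toy permutation (not one-way), N = 16 is a toy size, and all function names are hypothetical.

```python
import secrets

N = 16  # toy bit length (assumption; real security parameters are far larger)

def f(x):
    # Toy stand-in for the one-way permutation f: an affine bijection on N-bit
    # values. It is NOT one-way and only keeps the example self-contained.
    return (x * 0x6487 + 0x1D3B) % (1 << N)

def ip2(h, y):
    # <h, y>_2: inner product over GF(2)
    return bin(h & y).count("1") & 1

def novy_hash(i):
    # h_i = 0^(i-1) 1 {0,1}^(n-i): i-1 leading zeros, a forced 1, random tail
    return (1 << (N - i)) | secrets.randbelow(1 << (N - i))

def interactive_hash(y):
    # Round i: R sends h_i, S replies z_i = h_i(y); n-1 rounds in total.
    hs = [novy_hash(i) for i in range(1, N)]
    return hs, [ip2(h, y) for h in hs]

def preimages(hs, zs):
    # The h_i are in echelon form, so fixing the free last bit and
    # back-substituting from h_(n-1) up to h_1 yields exactly two solutions.
    sols = []
    for y in (0, 1):
        for i in range(N - 1, 0, -1):
            tail = hs[i - 1] & ((1 << (N - i)) - 1)
            y |= (zs[i - 1] ^ ip2(tail, y)) << (N - i)
        sols.append(y)
    return sorted(sols)  # {y0, y1} in lexicographic order

def commit(b):
    x = secrets.randbelow(1 << N)
    y = f(x)
    hs, zs = interactive_hash(y)
    c = b ^ preimages(hs, zs).index(y)   # mask b with the index of y
    return (hs, zs, c), (x, b)           # (what R sees, S's opening)

def verify(transcript, opening):
    (hs, zs, c), (x, b) = transcript, opening
    pair, y = preimages(hs, zs), f(x)
    return y in pair and c == b ^ pair.index(y)
```

R's view (hs, zs, c) is equally consistent with both preimages, so it fixes b only for someone who knows which of y0, y1 the sender can invert.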

  11. The NOVY Protocol cont.
      Observed by [HHKKMS05]:
      • Binding is guaranteed even when f is hard to invert over U_n: hard to find an inverse f^-1(y) for a uniformly chosen y ∈ {0,1}^n.
      • Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is dense in {0,1}^n

  12. • [HHKKMS05, NOV06] use this observation when f(U_n) is sparse
      [Diagram labels: f; Im(f); h’; h; "About the size of Im(f)"; "Two-to-one “interactive” hash function"; "Non-interactive hashing"]

  13. Interactive Hashing for Sparse Sets
      • Can Interactive Hashing be applied directly to sparse sets?
      [Diagram labels: f; Im(f); h; "About the size of Im(f)"]

  14. Our Results
      • Holds w.r.t. sparse sets:
        • Binding is guaranteed if f is hard w.r.t. the uniform distribution over Im(f) (callout: In NOVY - hard to invert over {0,1}^n)
        • Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is “close” to the uniform dist. over Im(f) (callout: In NOVY - close to {0,1}^n)
      • Allows a more general choice of hash functions
      • Improved parameters also w.r.t. the NOVY settings
      • Simpler proof
      • Applications to statistically-hiding string-commitment ...

  15. Information-Theoretic IH
      [Diagram labels: S with y ∈ L, |L| << 2^n; R with h ← H, then h = (h_1,...,h_(n-1)) ← H^(n-1); messages h_1, z_1 = h_1(y), ..., h_(n-1), z_(n-1) = h_(n-1)(y); z = h(y); "Two-to-one hash function"; "Boolean pairwise-independent hash functions"]
      Consist(h_1) = {y: h_1(y) = z_1}
      Consist(h_1,…,h_k) = {y: ∀i h_i(y) = z_i}
      Hiding – The only information that R obtains about y is h(y).
      Binding – Unbounded S cannot find (with non-neg probability) y1 ≠ y2 ∈ L such that h(y1) = h(y2) = z.
      • |L| << 2^(n/2)
      • |L| > 2^(n/2)
      |L ∩ Consist(h_1,…,h_k)| << √|Consist(h_1,…,h_k)|

  16. Our protocol (variant of NOVY)
      [Diagram labels: S with x ← {0,1}^n, y = f(x); R with h = (h_1,...,h_k) ← H^k; messages h_1, z_1 = h_1(y), ..., h_k, z_k = h_k(y); f; Im(f); h]
      Any family of Boolean pairwise-independent hash functions
      About the size of Im(f): k ≈ log(|Im(f)|)

  17. Hiding
      • If R is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h
      • If R is malicious, it obtains h(y) for an adaptively chosen h
      • In many settings (e.g., String-Commitment) we can force R to follow the protocol
      Callout: Same as in NOVY, but there it is less harmful

  18. Binding
      Main Theorem: Let A be an alg. that breaks the binding of the protocol with probability >0. Then there exists an eff. alg. M^A s.t.
      Pr_{y←Im(f)}[M^A(y) ∈ f^-1(y)] ∈ (2/n8)
      Comparing to previous results (Im(f) = {0,1}^n):
      • [NOVY98] - (10/poly(n))
      • [NOV06] - (3/n6)
      * Here - proof for the NOVY settings, i.e., Im(f) = {0,1}^n and the hashing is to {0,1}^(n-1)

  19. Algorithm A
      [Diagram labels: R with h = (h_1,...,h_(n-1)) ← Hkn-1; A; messages h_1, z_1, ..., h_(n-1), z_(n-1); z = (z_1,...,z_(n-1)); A outputs x1, x2]
      Pr[f(x1) ≠ f(x2) ∧ h(f(x1)) = h(f(x2)) = z] ≥ *

  20. M^A(y)
      [Diagram labels: R with h = (h_1,...,h_(n-1)) ← Hkn-1; A; messages h_1, z_1, ..., h_(n-1), z_(n-1); A outputs x1, x2; M^A(y) returns x1 or x2]
      • Choose (h_1,...,h_(n-1)) s.t. y is consistent
      • In order to succeed we need: y = f(x1) or y = f(x2) → we need ∀i h_i(y) = z_i
      Callout: happens with neg. probability

  21. M^A on input y ∈ {0,1}^n:
      • (h_1,…,h_(n-ofs)) ← Searcher(y)
      • Return Inverter(h_1,…,h_(n-ofs))
      ofs ∈ O(log(1/)+ log(n))
      Searcher(y):
      • For i = 1 to n-ofs
        Do the following 2log(n) times:
        • Choose uniformly at random h_i ∈ H
        • If A(h_1,...,h_i) = h_i(y), break the inner loop.
      • Return h_1,…,h_(n-ofs)
      Inverter(h_1,…,h_(n-ofs)):
      • Choose h_(n-ofs+1),…,h_(n-1) uniformly in H
      • (x1,x2) ← A_Dec(h_1,…,h_(n-1))
      • Return x1 or x2
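
A runnable version of M^A from slide 21, added here and not taken from the talk or the paper. The adversary A (its replies and its brute-force A_dec), the toy permutation f, and the sizes N and OFS are constructed assumptions; the inverter is also handed y so it can return whichever of x1, x2 maps to it.

```python
import math, random

N, OFS = 10, 3                 # toy sizes (assumptions)
rng = random.Random(2024)      # seeded so the run is reproducible

def f(x):                      # toy permutation standing in for f; NOT one-way
    return (x * 0x2B5 + 0x11F) % (1 << N)

def ip2(h, y):                 # <h, y>_2
    return bin(h & y).count("1") & 1

def sample_h(i):               # NOVY-form h_i = 0^(i-1) 1 {0,1}^(n-i)
    return (1 << (N - i)) | rng.randrange(1 << (N - i))

INV = {f(x): x for x in range(1 << N)}   # the unbounded adversary's table

def A(hs):
    # Constructed adversary: reply z_i to the prefix h_1..h_i. Deterministic
    # in the prefix, so M^A can rewind it and retry a different h_i.
    return bin(hs[-1]).count("1") & 1

def A_dec(hs):
    # Brute-force the two y consistent with A's replies, then invert f.
    zs = [A(hs[:k + 1]) for k in range(len(hs))]
    ys = [y for y in range(1 << N)
          if all(ip2(h, y) == z for h, z in zip(hs, zs))]
    return INV[ys[0]], INV[ys[1]]

def searcher(y):
    hs = []
    for i in range(1, N - OFS + 1):
        for _ in range(2 * math.ceil(math.log2(N))):
            h = sample_h(i)
            if A(hs + [h]) == ip2(h, y):   # A's reply keeps y consistent
                break
        hs.append(h)
    return hs

def inverter(hs, y):
    hs = hs + [sample_h(i) for i in range(N - OFS + 1, N)]
    x1, x2 = A_dec(hs)
    return x1 if f(x1) == y else x2        # "Return x1 or x2"

def M(y):
    return inverter(searcher(y), y)

def success_rate(trials=300):
    xs = [rng.randrange(1 << N) for _ in range(trials)]
    return sum(M(f(x)) == x for x in xs) / trials
```

Searcher steers A's consistent set toward y for the first n-ofs rounds, so the final pair contains y far more often than the 2^-N chance of a blind guess.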

  22. Pictorial description of A
      [Diagram labels: {0,1}^n; h_1, h_2, h_3, ..., h_k]
      Consist_A(h_1) = {y: h_1(y) = A(h_1)}
      Consist_A(h_1,...,h_k) = {y: ∀i h_i(y) = A(h_1,...,h_k)}

  23. The evaluation of Searcher
      [Diagram labels: h_1, h_2, h_3, ..., h_(n-ofs); n-ofs; y ∈ {0,1}^n; y ∈ Consist_A(h_1); y ∈ Consist_A(h_1,...,h_(n-ofs))]
      D_Real: (h,y)_{y←{0,1}^n, h←Searcher(y)}
      If Inverter does well on D_Real (i.e., prob. Inverter(h) ∈ f^-1(y) is noticeable) then M^A inverts f well

  24. The Ideal dist.
      [Diagram labels: h_1, h_2, h_3, ..., h_(n-ofs); n-ofs; at random y ← Consist_A(h_1,…,h_(n-ofs))]
      D_Ideal: (h,y)_{h←H^(n-ofs), y←Consist_A(h)}
      Inverter does well on D_Ideal
      • The distribution on (h_1,…,h_(n-ofs)) is what A expects → A returns element in f^-1(Consist_A(h_1,…,h_(n-ofs))) with non-negligible probability
      • Consist_A(h_1,…,h_(n-ofs)) is small

  25. Proof of Security
      • Inverter does well on D_Ideal
      • D_Ideal and D_Real are close.
      The statistical diff. between D_Ideal and D_Real is larger than the success probability of Inverter on D_Ideal

  26. Refined Proximity Measure
      Definition: D1 (,a)-approximates D2, if exists Bad ⊆ sup(D1), s.t.
      • D1(Bad) ≤ .
      • For every x ∉ Bad: 1/a ≤ D1(x)/D2(x) ≤ a.
      Let T be an event s.t. D1[T] ≥ + non-neg then, D2[T] ≥ non-neg

  27. Lemma 1: D_Ideal (O(2/n3),81)-approximates D_Real.
      Lemma 2 (informal): Inverter does well on D_Ideal and its success probability does not depend on event of small probability
      Proving Lemma 2: similar to the information-theoretic case

  28. Proving Lemma 1
      Since our proximity measure is “well behaved”, it suffices to prove that
      Claim 1: (h,y)_{h←H, y←Consist_A(h)} (O(2/n3),1+4/n)-approx. (h,y)_{y←{0,1}^n, h←H | y ∈ Consist_A(h)}
      Proof:
      • For almost any h ∈ H, (about) half of {0,1}^n is consistent with it
      • Almost any y ∈ {0,1}^n is consistent with (about) half of H

  29. Applications of The New Theorem to Bit-Commitment
      • Reproving (as an immediate corollary) the result of [HHKKMS05]: Stat.-Hiding BC from any regular/Appx.-preimage-size OWF
      • Statistically-hiding BC from “One-sided approximable preimage-size one-way functions”
      • In particular: Stat.-hiding BC from any one-way function with hardness 2(-nloglog(n)/log(n)) *
      * Small O(loglog(n)) non-uniform advice

  30. One-sided approximable preimage-size OWF
      • Approximable preimage-size OWF: A OWF f, possible to eff. approximate Ď_f(y) = log|(f^-1(y))|
      • One-sided approximable preimage-size OWF: A OWF f, exists an eff. algorithm D and a polynomial p:
        • Pr[D(f(x)) ≈ Ď_f(f(x))] ≥ 1/p(n)
        • D(f(x)) ≤ Ď_f(f(x)) *
      * Or the opposite case
      Callouts: Allows additive error which depends on the security-parameter of f; Save for a small probability (smaller than 1/p(n))

  31. Further issues
      • Linear reduction
        • Or, lower bound for the security of the reduction
      • Statistically-hiding bit-commitment from any OWF

  32. Thanks

  33. Lemma 2: Inverter does well on D_Ideal and its success prob. does not depend on event of small probability
      [Diagram labels: L; Consist_A(h_1,...,h_(n-ofs)); {y: prob. Inverter(h_1,...,h_(n-ofs)) ∈ f^-1(y) is noticeable}; {y: probability that A breaks the binding with y (conditioned on h_1,...,h_(n-ofs)) is noticeable}]
