400 likes | 504 Views
Omer Reingold Weizmann & Microsoft. Salil Vadhan Harvard University. Iftach Haitner Microsoft Research. Hoeteck Wee Queens College, CUNY. Inaccessible Entropy. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A. outline. Entropy
E N D
Omer ReingoldWeizmann & Microsoft Salil VadhanHarvard University Iftach Haitner Microsoft Research Hoeteck WeeQueens College, CUNY Inaccessible Entropy TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA
outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications
Entropy Def: The Shannon entropyof r.v. X is H(X) = ExÃX[log(1/Pr[X=x)] • H(X) = “Bits of randomness in X (on avg)” • 0 · H(X) · log|Supp(X)| • Conditional Entropy: H(X|Y) = EyÃY[H(X|Y=y)] X uniform onSupp(X) X concentratedon single point
Worst-Case Entropy Measures • Min-Entropy: H1(X) = minx log(1/Pr[X=x]) • Max-Entropy: H0(X) = log |Supp(X)| H1(X) · H(X) · H0(X)
outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications
Perfect Secrecy & Entropy Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if 8 m,m’ 2 {0,1}nEncK(m) & EncK(m’) are identically distributed for a random key K. Thm [Sh49]: Perfect secrecy ) |K| ¸ n
Perfect Secrecy ) |K|¸ n Proof: • Perfect secrecy) (M,EncK(M)) ´(M,EncK(M’)) for M,M’Ã{0,1}n) H(M|EncK(M)) = n • Decryptability) H(M|EncK(M),K) = 0) H(M|EncK(M)) · H(K).
Computational Secrecy Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if 8 m,m’ 2 {0,1}nEncK(m) & EncK(m’) are computationally indistinguishable. ) can have |K| ¿ n.
Where Shannon’s Proof Breaks • Computational secrecy) (M,EncK(M)) ´c(M,EncK(M’)) for M,M’Ã{0,1}n)“Hpseudo(M|EncK(M))” = n • Decryptability) H(M|EncK(M)) · H(K). Key point: can have Hpseudo(X) À H(X)e.g. X = G(Uk) for PRG G : {0,1}k! {0,1}n
Pseudoentropy Def [HILL90]: X has pseudoentropy¸ k iff there exists a random variable Y s.t. • Y ´c X • H(Y) ¸ k Pseudoentropy Generator: G X S Ã {0,1}n ´ c Y
Application of Pseudoentropy Thm [HILL90]:9 OWF )9 PRG Proof outline: OWF hardcore bit [GL89]+hashing X with pseudoentropy ¸ H(X)+1/poly(n) repetitions X with pseudo-min-entropy ¸ H0(X)+poly(n) hashing PRG
outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications
Unforgeability • Crypto is not just about secrecy. • Unforgeability: security properties saying that it has hard for an adversary to generate “valid” messages. • Unforgeability of MACs, Digital Signatures • Collision-resistance of hash functions • Binding of commitment schemes • Cf. decision problems vs. search/sampling problems.
Ex: Collision-resistant Hashing F = { f : {0,1}n! {0,1}n-k} • Shrinking • Collision Resistance:Given f ÃF , an efficient Acannot output x1x2 such thatf(x1) = f(x2)
Ex: Collision-resistant Hashing F = {f : {0,1}n! {0,1}n-k} • Shrinking: H(X | F,Y) ¸k • Collision Resistance: From (even a cheating) G’s point of view, X is determined by (F,Y) X has “accessible” entropy 0 G F ÃF X Ã {0,1}n X Y= F(X)
Ex: Collision-resistant Hashing F = {f : {0,1}n! {0,1}n-k} • Collision Resistance:H(X |F,Y,S1) = neg(n) for every efficient G*. G* F ÃF S2Ã{0,1}r S1Ã{0,1}r XF-1(Y) Y
Measuring Accessible Entropy Goal: A useful entropy measure to capture possibility that Hacc(X) ¿ H(X) 1st attempt: X has accessible entropy at most k if there is a random variable Y s.t. • Y ´c X • H(Y) · k Not useful! every X is indistinguishable from some Y of entropy polylog(n).
Inaccessible Entropy Idea:A generator G has inaccessible entropy if H(G’s outputs from an observer’s perspective) > H(G*’s outputs from G*’s perspective) Real Entropy Accessible Entropy
Real Entropy G Def: The real entropy of G is H(Y1,….,Ym|Z) = i H(Yi | Z,Y1,…,Yi-1) Z RÃ{0,1}n Ym Y1 Y2
Accessible Entropy G* Def:G has accessible entropy at most k, if 8 PPT G* • iH(Yi|Z,S1,S2,…,Si-1) ·k • Inaccessible entropy = real – accessible entropy • Unbounded G* can achieve real entropy. Z R Sm S1 S2 s.t. G(Z,R)=(Y1,….,Ym) Ym Y1 Y2
OWF Inaccessible Entropy Given a one-way function f : {0,1}n{0,1}n, define Claim: • Real entropy = n • Accessible entropy < n-log n [cf. Omer’s talk: G(x)=(f(x),x1,…,xn) next-bit pseudoentropyn+log n for OWP f] G XÃ{0,1}n X f(X)n f(X)1 f(X)2
OWF Inaccessible Entropy G* Claim: Accessible entropy < n-log n • Suppose G*s.t. iH(Yi|S1,…,Si-1) n-log n • Then can invert f on input Y’by sequentially finding S1,..,Sns.t. Yi=Y’i (via sampling). • High accessible entropy success on random Y=f(X) w.p. 1/poly(n). R=Ym+1 Sn Sm+1 S1 S2 Yn 1 X 0 Ym+1 Y1 Y2 1 1 0 0 Y’ = 0 1
outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications
Commitment Schemes COMMIT STAGE S R m
Commitment Schemes REVEAL STAGE S R m
Commitment Schemes S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject
Security of Commitments COMMIT(m) & COMMIT(m’) indistinguishableeven to cheating R* • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n Even cheating S*cannot reveal(m,K), (m’,K’) with mm’ REVEAL STAGE (m,K) accept/reject
Statistical Security? • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}t REVEAL STAGE (m,K) accept/reject Impossible!
Statistical Binding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject Thm [HILL90,Naor91]: One-way functions ) Statistically Binding Commitments
Statistical Hiding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject Too Complicated! Thm [HNORV07]: One-way functions ) Statistically Hiding Commitments
Our Results I • Much simpler proof that OWF) Statistically Hiding Commitmentsvia accessible entropy. • Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF. • “Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]
Our Results II Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with “black-box simulation” m constant-round statistically hiding commitments exist. ( * due to [GK96,G01], novelty is )
Statistically Hiding Commitments& Inaccessible Entropy Statistical Hiding: H(M|C) = n - neg(n) S R COMMIT STAGE MÃ{0,1}n C REVEAL STAGE M K
Statistically Hiding Commitments& Inaccessible Entropy Statistical Hiding: H(M|C) = n - neg(n) Comp’l Binding: For every PPT S* H(M|C,S1) = neg(n) “inaccessible entropy for protocols” S* R COMMIT STAGE coins S1 C REVEAL STAGE coins S2 M K
OWF ) Statistically Hiding Commitments: Our Proof OWF • done G with real entropy ¸ accessible entropy+log n repetitions G with real min-entropy ¸ accessible entropy+poly(n) (interactive) hashing [DHRS07]+UOWHFs [NY89,Rom90] “m-phase” commitment cut & choose & parallel rep statistically hiding commitment
Cf. OWF ) Statistically Binding Commitment [HILL90,Nao91] OWF hardcore bit [GL89]+hashing X with pseudoentropy ¸ H(X)+1/poly(n) repetitions X with pseudo-min-entropy ¸ H0(X)+poly(n) hashing PRG expand output & translate Statistically binding commitment
Other Applications • Simpler/improved universal one-way hash functions from OWF [HRVW09b] • Inspired simpler/improved pseudorandom generators from OWF [HRV09]
Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. Secrecypseudoentropy > real entropy Unforgeabilityaccessible entropy < real entropy
Research Directions • Formally unify inaccessible entropy and pseudoentropy. • Complexity-theoretic applications of inaccessible entropy • Remove “parallelizable” condition from ZK result. • Use inaccessible entropy for new understanding/constructions of MACS and digital signatures.