TRANSCRIPT
Finding Collisions in Interactive Protocols
A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments
Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev
Talk Outline
• Statistically-hiding commitments
• Black-box lower bounds
• Our lower bound on the round complexity of statistically-hiding commitments
• Other lower bounds (Private Information Retrieval, Oblivious Transfer, Interactive Hashing)

Statistically-hiding Commitments
• The digital analogue of a sealed envelope.
• Major ingredient in statistical ZKA, secure computation, and …
• Two-stage protocol between S and R:
  Commit-stage: S commits to x w/o revealing it to R.
  Reveal-stage: S opens the commitment.
• Security properties:
  Computationally-binding: an efficient S cannot decommit to two different values.
  Statistically-hiding: an unbounded R does not learn x during the commit stage.

Applications of SH-Commitments
• In settings where some commitments are never revealed, guarantees everlasting security.
• Statistical zero-knowledge arguments.
• Coin-flipping protocols.
• In some settings - a general transformation for protocols with “statistical security”, from the semi-honest model to the malicious model.

Known Constructions
[NY ‘89, DPP ‘93] Collision-resistant hash functions (CRHF) - two rounds
[NOVY ‘91] One-way permutations (OWP) - O(n/log(n)) rounds *
[NOV ‘06] + [HR ‘06] One-way functions (OWF) - poly(n) rounds
CRHF: a family of efficiently computable, compressing functions that are collision resistant.
OWP: efficiently computable permutations that are hard to invert.
Tradeoff between the hardness assumption and the number of rounds.

Impossibility Results
Are the previous constructions optimal? Usually it is very difficult to come up with unconditional impossibility results.
Discrete log is hard ⇒ CRHF exists
⇒ OWP implies two-round SH-commitment in a trivial sense.

Black Box Reductions
In their seminal work Impagliazzo and Rudich presented a paradigm for proving impossibility results under a restricted, yet important, class of reductions called black-box reductions.
Quite a few black-box separation results: e.g., no key-agreement from one-way functions.

(Fully) Black-Box Reductions
A fully black-box reduction from B to A:
• Black-box construction.
• Black-box proof of security: adversary for breaking B ⇒ adversary for breaking A.
Fully black-box reductions relativize (hold relative to every oracle).
[Figure: boxes labelled A, B, “Adversary for A” and “Adversary for B”; the construction of B uses A as a black box, and the proof of security turns the adversary for B into the adversary for A.]

Black-Box Reductions (cont.)
1. Most constructions in cryptography are (fully) black-box, e.g., pseudorandom generator from OWF.
2. Few “non black-box” techniques that apply in restricted settings (typically using ZK proofs).
3. Black-box separations are (still) very meaningful.

Previous results
[Fischlin ‘02] In any BB-reduction from SH-commitment to OWP (or to TDP), the commitment has at least two rounds.
[Wee ‘06] In any BB-reduction from a restricted type of SH-commitment to OWP defined over {0,1}^n, the commitment has Ω(n/log n) rounds.

Our Results
In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has Ω(n/log n) rounds and the sender communicates Ω(n) bits.
Remarks:
• Can be generalized. The bounds for the number of rounds are tight, and the bounds for the number of bits communicated are tight for bit commitments.
• Assuming that the permutation is s(n)-hard, the bounds are Ω(n/log(s(n))) and Ω(n) resp.
• Also for trapdoor permutations. Also for honest receiver and for weakly-binding commitment schemes.

Our Results (cont)
Additional lower bounds:
• Interactive Hashing
• Statistical oblivious transfer
• Single server private information retrieval
Additional contributions:
• A novel extension of the [Gennaro-Trevisan ‘01] “short description” paradigm
• A new proof of [Simon ‘98] (no BB-reduction from CRHF to OWP) *

The Proof - An imaginary world
[Figure: a random permutation π: {0,1}^n → {0,1}^n, the oracle Sam, an adversary Š^Sam for any o(n/log n)-round SH-cmt, and a box marked “Impossible” for an adversary that uses Sam to invert π.]
∃ PPT Š with oracle access to Sam that breaks the binding of any o(n/log n) rounds SH-commitment.
∀ PPT A: Pr[A^{π,Sam} inverts π] = negl
⇒ No BB-reduction from o(n/log n) rounds SH-cmt to OWP defined over {0,1}^n.
The rest of the talk:
1. Define Sam and show how to use it for breaking any o(n/log n) rounds SH-commitment.
2. Prove that π is (still) one-way in the presence of Sam.

Defining Sam (two rounds cmt.)
[Figure: S(b,r) and R. Commit stage: R sends q, S answers a. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage.]
First attempt: Sam(q,a) returns a random pair (b’,r’) s.t. S(b’,r’,q) = a.
(S,R) is statistically hiding ⇒ b’ is uni. dist. in {0,1}
⇒ Sam can be used to break the binding of (S,R).
Problem - Sam can be used to invert π (e.g., a sender S(b,(r1,r2)) whose answer includes y = π(r2)).
[Simon, Fischlin]: Sam(q) returns two random pairs, (b,r) and (b’,r’), s.t. S(b,r,q) = S(b’,r’,q).
Sam can still be used to break the binding of (S,R). Not clear how to use Sam to invert a specific y.

Defining Sam (general case)
[Figure: S(b,r) and R. Commit stage: R sends q1, S answers a1, ..., R sends qk, S answers ak. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage.]
The two-round case oracle [Simon] revisited:
• Announce q to Sam
• (b,r) ← Sam, where (b,r) is uniformly chosen.
• (b’,r’) ← Sam, where (b’,r’) is randomly chosen s.t. S(b’,r’,q) = S(b,r,q)
First attempt: Sam(q1,...,qk) returns two random pairs (b,r) and (b’,r’) s.t. S(b,r,q1,...,qk) = S(b’,r’,q1,...,qk)
Problem – w.h.p., both (b,r) and (b’,r’) are inconsistent with (a1,...,ak)
Solution - query Sam round by round:
• 1. Announce q1  2. (b1,r1) ← Sam (where (b1,r1) is uniformly dist.)  3. answer a1 = S(b1,r1,q1)
• 1. Announce q2  2. (b2,r2) ← Sam (where (b2,r2) is random s.t. S(b2,r2,q1) = S(b1,r1,q1))  3. answer a2 = S(b2,r2,q1,q2)
Reveal stage: (bk+1,rk+1) ← Sam. Thus, Pr[bk ≠ bk+1] = ½

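To make the round-by-round use of Sam concrete, here is an added toy simulation (constructed for this transcript, not code from the talk or the paper): a tiny bit commitment whose sender S uses a random permutation PI on 8 bits as the OWP, a brute-force sam that ignores the depth/signature bookkeeping, and the cheating sender of the slide above. The commitment scheme, the names S, sam, cheating_sender, run_once and binding_break_rate, and the seed are all assumptions of the example.

```python
import random

M = 8                       # bits of sender randomness r; Sam brute-forces all 2^M values (toy size)
rng = random.Random(2024)   # fixed seed so the run is reproducible

# Constructed stand-in for the OWP pi: a random permutation of {0,1}^M.
PI = list(range(2 ** M))
rng.shuffle(PI)

def S(b, r, qs):
    """Toy sender: the i-th answer is lsb(pi(r xor q_i)) xor b.  Each answer is one
    bit, so for k < M rounds both b = 0 and b = 1 stay consistent with R's view."""
    return tuple((PI[r ^ q] & 1) ^ b for q in qs)

def sam(c, w):
    """Sam(Cnext, C, w) of the talk minus the depth/signature bookkeeping: a uniform
    w' with C(w') = C(w); if C is None (the slide's C = bottom), a uniform w."""
    domain = [(b, r) for b in (0, 1) for r in range(2 ** M)]   # w = (b, r)
    if c is None:
        return rng.choice(domain)
    target = c(w)
    return rng.choice([x for x in domain if c(x) == target])

def cheating_sender(qs):
    """Commit stage against challenges qs = [q_1..q_k] as on the 'Defining Sam (general
    case)' slide, then one more Sam query for the reveal stage."""
    w, answers, c_prev = None, [], None
    for i in range(len(qs)):
        c_i = lambda x, n=i + 1: S(x[0], x[1], qs[:n])   # C_i(b,r) = S(b,r,q_1..q_i)
        w = sam(c_prev, w)          # (b_i, r_i) agrees with (b_{i-1}, r_{i-1}) on a_1..a_{i-1}
        answers.append(c_i(w)[i])   # a_i = last answer of S(b_i, r_i, q_1..q_i)
        c_prev = c_i
    return answers, w, sam(c_prev, w)   # (b_k, r_k) and (b_{k+1}, r_{k+1}): same transcript

def receiver_accepts(qs, answers, w):
    """Reveal stage: R recomputes S(b, r, q_1..q_k) and compares with the transcript."""
    return S(w[0], w[1], qs) == tuple(answers)

def run_once(k):
    """One run with k random challenges: (both openings accepted, openings differ in b)."""
    qs = [rng.randrange(2 ** M) for _ in range(k)]
    answers, w, w2 = cheating_sender(qs)
    ok = receiver_accepts(qs, answers, w) and receiver_accepts(qs, answers, w2)
    return ok, w[0] != w2[0]

def binding_break_rate(trials, k):
    """Fraction of runs in which Sam hands the sender valid openings to both 0 and 1."""
    results = [run_once(k) for _ in range(trials)]
    return sum(d for ok, d in results if ok) / trials
```

Both openings are always accepted by construction, and because each consistent set contains roughly as many pairs with b = 0 as with b = 1, the two openings disagree on the bit in about half of the runs, which is the Pr[bk ≠ bk+1] = ½ of the slide.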
Defining Sam (more formally)
Life is not that simple: Sam inverts any SH-commitment - limit the number of queries Sam answers.
Forcing restrictions (Sam is stateless!): the user keeps the state; use signature schemes.
Let C, Cnext: {0,1}^m → {0,1}^* be circuits with π-gates.
Sam(Cnext, C, w): return w’ ← {x ∈ {0,1}^m : C(x) = C(w)} (if C = ⊥, return w’ ← {0,1}^m)
Preventing Sam from inverting π:
• Sam answers only if it previously answered (C, Cprev, ·) with w.
• Limited interaction depth.
We enforce the above using signature schemes.

Defining Sam (cont)
[Figure: the tree of Sam queries. Roots: (C1,⊥,⊥) = w1, (C8,⊥,⊥) = w’, (C56,⊥,⊥) = w’’. Below w1: (C2,C1,w1) = w2 and (C3,C1,w1) = w3; then (C4,C2,w2) = w4, (C5,C3,w3) = w5, (C6,C5,w5) = w6, (C7,C5,w5) = w7. The depth of the tree is d(n), with d ∈ o(n/log(n)).]

Defining Sam (last)
Let Ci be the circuit naturally defined by S and q1,...,qi (Ci(b,r) outputs S(b,r,q1,...,qi)’s answers).
For all i:
• (bi,ri) ← Sam(Ci, Ci-1, (bi-1,ri-1))
• ai ← Ci(bi,ri)
[Figure: S(b,r) and R. Commit stage: R sends q1, S answers a1, ..., R sends qk, S answers ak. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage.]

π is Still One-way in the Presence of Sam
Thm: ∀ PPT A, Pr_y[A^{Sam,π}(y) = π^{-1}(y)] = negl
A^{π,Sam}(y) hits if it queries w’ ← Sam(Cnext,C,w) and C(w’) queries π on π^{-1}(y).
Lemma 1: Pr_y[A^{Sam,π}(y) = π^{-1}(y) and does not hit] = negl
  Using our extension of [Gennaro-Trevisan ‘01].
Lemma 2: Pr_y[A^{Sam,π}(y) hits] = negl
  We prove that Pr_y[A^{Sam,π}(y) hits] > negl ⇒ ∃ Ā s.t. Pr_y[Ā^{Sam,π}(y) = π^{-1}(y) and does not hit] > negl

The proof of [GT] Lemma - The Short Description of π
Theorem [GT ‘01] (informal): A random permutation is hard even for exponential size circuits.
Main Lemma: Let A be a circuit making q queries to a permutation π: {0,1}^n → {0,1}^n s.t. Pr_y[A^π(y) = π^{-1}(y)] ≥ ε; then π has a short description (of length K = 2·log(2^n choose a) + log((2^n - a)!), where a = ε·2^n/(q+1)).
Proving the thm: Let A be a circuit of size 2^{n/5} ⇒ (Gennaro-Trevisan Thm.) A inverts π w.p. 2^{-n/5} on a tiny fraction of the π’s (< 2^{-n}).
Carefully chosen Y ⊆ {y : A^π(y) = π^{-1}(y)}, X = π^{-1}(Y), |Y| = |X| = ε·2^n/(q+1). The desc. of π is the desc. of X, Y and the values of π over {0,1}^n \ X (and thus indeed of size K).
Reconstruction: go over all y ∈ Y in lex. order, simulate A^π(y) to get x = A^π(y) and set π(x) = y. Y is chosen s.t. all the queries made by A^π(y) to π are already defined.
Except for the possibility that A^π(y) queries π on π^{-1}(y), but then you have found π^{-1}(y).

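As an added illustration that is not on the slides, here is the count showing why the description length K above is “short”: compare K with the log₂((2^n)!) bits that a random permutation needs, with the slide’s parameters q = 2^{n/5} and ε = 2^{-n/5}. The inequalities C(N,a) ≤ (eN/a)^a and a ≤ 2^{n-1} are the assumptions used.

$$
\begin{aligned}
\log_2 (2^n)! - K
 &= \log_2 \frac{(2^n)!}{(2^n-a)!} \;-\; 2\log_2 \binom{2^n}{a} \\
 &\ge a(n-1) \;-\; 2a\bigl(n - \log_2 a + \log_2 e\bigr)
 \qquad \text{using } \tfrac{(2^n)!}{(2^n-a)!} \ge (2^n-a)^a \ge 2^{a(n-1)},\;\;
 \binom{2^n}{a} \le \Bigl(\tfrac{e\,2^n}{a}\Bigr)^{a} \\
 &= a\,\bigl(2\log_2 a - n - 1 - 2\log_2 e\bigr).
\end{aligned}
$$

With $q = 2^{n/5}$ and $\varepsilon = 2^{-n/5}$ we get $a = \varepsilon\,2^n/(q+1) \approx 2^{3n/5}$, so $\log_2 a \approx 3n/5$ and the gap is about $a\,(n/5 - 3.9) = 2^{\Omega(n)}$ bits. At most a $2^{1-t}$ fraction of the $(2^n)!$ permutations can have a description $t$ bits shorter than $\log_2 (2^n)!$, so the fraction of permutations that such an $A$ inverts with probability $\varepsilon$ is $2^{-2^{\Omega(n)}} < 2^{-n}$, the “tiny fraction” claimed on the slide.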
Proving Lemma 1
Lemma 1: ∀ PPT A, Pr_{π,y}[A^{π,Sam}(y) = π^{-1}(y) and no hit] < 2^{-Ω(n)}.
We show that: ∀ fixing of A and Sam’s random coins, ∀ π: Pr_y[A^{π,Sam}(y) = π^{-1}(y) and no hit] > ε ⇒ π has a short description.
⇒ For any choice of A and Sam’s random coins, Pr_{π,y}[A^{π,Sam}(y) = π^{-1}(y) and no hit] < 2^{-Ω(n)}

Proving Lemma 1 (cont)
Idea: apply [GT] to A^Sam.
Problem: A^Sam makes too many queries to π.
Solution: when defining Y, only care that the queries in the evaluations C(w) and C(w’) are defined.
Sam(Cnext,C,w): go over {0,1}^m in a fixed order, return the first w’ that satisfies C(w’) = C(w)
Reconstruction: when simulating Sam(C) (embedded in A^{π,Sam}(y)), we find the first w’ s.t. all the calls of C(w’) to π are already defined and C(w’) = C(w).
Problem: C(w’) might query π on π^{-1}(y). A is non-hitting!

From Hitting to Non Hitting (a simple case)
Lemma 2: ∀ PPT A, Pr_{π,y}[A^{π,Sam} hits] = negl
Idea: hitting A ⇒ non-hitting Ā that inverts π
Let π be fixed, and assume that A only makes two queries: w1 ← Sam(C1,⊥,⊥) and w2 ← Sam(C2,C1,w1).
A hits if C1(w2) queries y.
w2 is uniformly dist. in {0,1}^m
⇒ Pr_y[C1(U_m) queries y] = Pr_y[A^{π,Sam} hits]
Ā – acts as A, but queries C1(U_m) before calling Sam.
⇒ Pr_y[Ā^{π,Sam} = π^{-1}(y) and no hit] ≥ Pr_y[A^{π,Sam} hits]
⇒ Pr_y[A^{π,Sam} hits] = negl

From Hitting to Non Hitting (general case)
Sam(Cnext,C,w): w’ ← {x ∈ {0,1}^m : C(x) = C(w)}
Pr_y[A^{Sam,π}(y) hits] > 1/p(n)
hit_i = Pr[C_{i-1}(w_i) queries y]
inv_i = Pr[C_{i-1}(w_{i-1}) queries y]
Ā: evaluates C_{i-1}(w_{i-1}) before it calls Sam(C_i, C_{i-1}, w_{i-1}).
Wlog hit_2 is exp. small; d(n) ∈ o(n/log n); Σ_i hit_i > 1/p(n)
⇒ ∃ j s.t. hit_j > max{ p^2(n) · Σ_{i<j} hit_i, t }
Claim: hit_j is large ⇒ inv_j is large.
⇒ (inv_j - Σ_{i<j} hit_i) > t’/2
⇒ Pr_y[Ā^{Sam,π}(y) = π^{-1}(y) and no hit] > t’/2

hit_j is large ⇒ inv_j is large
Sam(C_i, C_{i-1}, w_{i-1}): w_i ← {x ∈ {0,1}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})}
[Figure: the chain of queries (C1,⊥,⊥) = w1, (C2,C1,w1) = w2, ..., (C_{j-1},C_{j-2},w_{j-2}) = w_{j-1}, (C_j,C_{j-1},w_{j-1}) = w_j, ..., (C_d,C_{d-1},w_{d-1}) = w_d, of depth d(n); the levels are labelled s1,...,s5 and the diagram is annotated with 2^{-n/8}.]
We prove that ∀i: Ex[hit_i] = inv_i.
inv_i = Pr[C_{i-1}(w_{i-1}) queries y]
• hit_i = Pr[C_{i-1}(w_i) queries y]
• Sampling w_{i-1}: w_{i-1} ← {w : C_{i-2}(w) = C_{i-2}(w_{i-2})}
• Sampling w_i: sample w_{i-1}; let S = {w : C_{i-1}(w) = C_{i-1}(w_{i-1})}; w_i ← S
hit^S_i = Pr_{w←S}[C_{i-1}(w) queries y]
inv_i = Σ_S Pr[S] · Pr[C_{i-1}(w_{i-1}) queries y | S] = Σ_S Pr[S] · hit^S_i = Ex[hit_i]

Additional Results
Similar proof (same Sam) ⇒ in any construction as above, the sender communicates Ω(n) bits.
Give a BB-reduction from low-communication PIR to SH-commitment, where the sender communicates O(log n) additional bits.
⇒ No BB-construction from OWP (and from TDP) to low-communication PIR.

Concluding Remarks
In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has Ω(n/log n) rounds and the sender communicates Ω(n) bits.
Sam breaks the binding w.h.p. ⇒ no weakly-binding commitment.
Did not use the fact that the receiver might deviate from the protocol.
⇒ The bound holds for protocols secure only against honest receivers.
The extension to TDP is not very hard.

Open Questions
We showed that in any BB-reduction from OWP defined over {0,1}^n to statistically-hiding bit commitment, the sender communicates Ω(n) bits.
Tighter bounds for commitment of many bits imply tighter bounds for PIR.
Using our extension to Gennaro-Trevisan to prove other black-box separation results.