Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev

Upload: noelle-machin

Post on 28-Mar-2015

Finding Collisions in Interactive Protocols

A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments

Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev

Page 2

Talk Outline

• Statistically-hiding commitments
• Black-box lower bounds
• Our lower bound on the round complexity of statistically-hiding commitments
• Other lower bounds (Private Information Retrieval, Oblivious Transfer, Interactive Hashing)

Page 3

Statistically-hiding Commitments

The digital analogue of a sealed envelope.

Major ingredient in statistical ZKA, secure computation, and

Two-stage protocol between S and R:
• Commit stage: S commits to x w/o revealing it to R.
• Reveal stage: S opens the commitment.

Security properties:
• Computationally-binding: an efficient S cannot decommit to two different values.
• Statistically-hiding: an unbounded R does not learn x during the commit stage.

Page 4

Applications of SH-Commitments

• In settings where some commitments are never revealed, guarantees everlasting security.

• Statistical zero-knowledge arguments.

• Coin-flipping protocols.

• In some settings, a general transformation for protocols with “statistical security”: semi-honest model to malicious model.

Page 5

Known Constructions

• [NY '89, DPP '93] Collision-resistant hash functions (CRHF) - two rounds
• [NOVY '91] One-way permutations (OWP) - (n/log(n)) rounds *
• [NOV '06] + [HR '06] One-way functions (OWF) - poly(n) rounds

CRHF: a family of efficiently computable, compressing functions that are collision resistant.

OWP: efficiently computable permutations that are hard to invert.

Tradeoff between the hardness assumption and the number of rounds.

Page 6

Impossibility Results

Are the previous constructions optimal?

Usually it is very difficult to come up with unconditional impossibility results.

Discrete log is hard ⇒ CRHF exists

⇒ OWP implies two-round SH-commitment in a trivial sense.

Page 7

Black Box Reductions

In their seminal work, Impagliazzo and Rudich presented a paradigm for proving impossibility results under a restricted, yet important, class of reductions called black-box reductions.

Quite a few black-box separation results: e.g., no key-agreement from one-way functions.

Page 8

(Fully) Black-Box Reductions

A fully black-box reduction from B to A:
• Black-box construction.
• Black-box proof of security.

Proof of security: adversary for breaking B ⇒ adversary for breaking A.

Fully black-box reductions relativize (hold relative to every oracle).

[Diagram labels: Adversary for B; Adversary for A; A; B]

Page 9

Black-Box Reductions (cont.)

1. Most constructions in cryptography are (fully) black-box, e.g., pseudorandom generator from OWF.

2. Few “non black-box” techniques that apply in restricted settings (typically using ZK proofs).

3. Black-box separations are (still) very meaningful.

Page 10

Previous results

[Fischlin '02] In any BB-reduction from SH-commitment to OWP (or to TDP), the commitment has at least two rounds.

[Wee '06] In any BB-reduction from a restricted type of SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds.

Page 11

Our Results

In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits.

Remarks:
• Can be generalized.
• The bounds for the number of rounds are tight, and the bounds for the number of bits communicated are tight for bit commitments.
• Assuming that the permutation is s(n)-hard, the bounds are (n/log(s(n))) and (n) resp.
• Also for trapdoor permutations.
• Also for honest receiver and for weakly-binding commitment schemes.

Page 12

Our Results (cont)

Additional lower bounds:
• Interactive Hashing
• Statistical oblivious transfer
• Single server private information retrieval

Additional contributions:
• A novel extension of [Gennaro-Trevisan '01] “short description” paradigm
• A new proof of [Simon '98] (no BB-reduction from CRHF to OWP) *

Page 13

The Proof

An imaginary world: Sam and a random permutation {0,1}^n → {0,1}^n.

∃ PPT Š with oracle access to Sam that breaks the binding of any o(n/log n)-round SH-commitment.

∀ PPT A, Pr[A^{,Sam} inverts ] = negl

⇒ No BB-reduction from o(n/log n)-round SH-cmt to OWP defined over {0,1}^n.

[Diagram labels: Sam; Random permutation {0,1}^n → {0,1}^n; Adversary for o(n/log n) rounds SH-cmt (Š^Sam); Adversary for ; Impossible]

Page 14

The rest of the talk

1. Define Sam and show how to use it for breaking any o(n/log n)-round SH-commitment.

2. Prove that is (still) one-way in the presence of Sam.

Page 15

Defining Sam (two rounds cmt.)

[Protocol diagram: S(b,r) and R. Commit stage: R sends q, S answers a. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage. Callout: S(b,(r_1,r_2)), y = r_2)]

First attempt: Sam(q,a) returns a random pair (b',r') s.t. S(b',r',q) = a.

(S,R) is statistically hiding ⇒ b' is uni. dist. in {0,1}

⇒ Sam can be used to break the binding of (S,R)

Problem - Sam can be used to invert

[Simon, Fischlin]: Sam(q) returns two random pairs, (b,r) and (b',r'), s.t. S(b,r,q) = S(b',r',q)

• Sam can still be used to break the binding of (S,R).
• Not clear how to use Sam to invert a specific y.

Page 16

Defining Sam (general case)

[Protocol diagram: S(b,r) and R. Commit stage: R sends q_1, S answers a_1, ..., R sends q_k, S answers a_k. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage.]

The two-round case oracle [Simon] revisited:

• Announce q to Sam

• (b,r) ← Sam, where (b,r) is uniformly chosen.

• (b',r') ← Sam, where (b',r') is randomly chosen s.t. S(b',r',q) = S(b,r,q)

First attempt: Sam(q_1,...,q_k) returns two random pairs (b,r) and (b',r') s.t. S(b,r,q_1,...,q_k) = S(b',r',q_1,...,q_k)

Problem – w.h.p., both (b,r) and (b',r') are inconsistent with (a_1,...,a_k)

• 1. Announce q_1  2. (b_1,r_1) ← Sam (where (b_1,r_1) is uniformly dist.)  3. Answer a_1 = S(b_1,r_1,q_1)

• 1. Announce q_2  2. (b_2,r_2) ← Sam (where (b_2,r_2) is random s.t. S(b_2,r_2,q_1) = S(b_1,r_1,q_1))  3. Answer a_2 = S(b_2,r_2,q_1,q_2)

Reveal stage: (b_{k+1},r_{k+1}) ← Sam. Thus, Pr[b_k b_{k+1}] = ½

Life is not that simple: Sam inverts any SH-commitment - limit the number of queries Sam answers.

Forcing restrictions (Sam is stateless!): the user keeps the state; use signature schemes.

Page 17

Defining Sam (more formally)

Let C, C_next: {0,1}^m → {0,1}^* be circuits with gates.

Sam(C_next,C,w):

Return w' ← {x ∈ {0,1}^m : C(x) = C(w)} (if C = ⊥, return w' ← {0,1}^m)

Preventing Sam from inverting :
• Sam answers only if previously answered (C,C_prev,·) with w.
• Limited interaction depth.

We enforce the above using signature schemes.

Page 18

Defining Sam (cont)

[Diagram: tree of Sam queries and answers, of depth d(n), d ∈ o(n/log(n))]

(C_1,⊥,⊥) = w_1      (C_8,⊥,⊥) = w'      (C_56,⊥,⊥) = w''

(C_2,C_1,w_1) = w_2      (C_3,C_1,w_1) = w_3

(C_4,C_2,w_2) = w_4      (C_5,C_3,w_3) = w_5

(C_6,C_5,w_5) = w_6      (C_7,C_5,w_5) = w_7

Page 19

Defining Sam (last)

Let C_i be the circuit naturally defined by S and q_1,...,q_i

(C_i(b,r) outputs S(b,r,q_1,...,q_i)'s answers)

For all i:
• (b_i,r_i) ← Sam(C_i,C_{i-1},b_{i-1},r_{i-1})
• a_i ← C_i(b_i,r_i)

[Protocol diagram: S(b,r) and R. Commit stage: R sends q_1, S answers a_1, ..., R sends q_k, S answers a_k. Reveal stage: S sends (b,r); R accepts if S(b,r) is consistent with the commit stage.]
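Added example (not from the talk): a toy Python run of the round-by-round use of Sam described on this slide and on the "Defining Sam (general case)" slide, showing that both Sam samples open the same commit-stage transcript and carry different bits about half the time. The sender whose answers are GF(2) inner products, the 8-bit input length, the random receiver queries and all function names are assumptions of this example; Sam is a brute-force search over {0,1}^m and the signature-based restrictions are left out.

```python
import itertools
import random

M = 8  # toy length of w = (b, r); b is w[0] (assumption of this example)
SPACE = list(itertools.product((0, 1), repeat=M))

def sender_answers(w, qs):
    """C_i(w): honest sender's answers to q_1..q_i. Toy sender (assumed):
    each answer is the GF(2) inner product <q_j, w>."""
    return tuple(sum(x & y for x, y in zip(q, w)) % 2 for q in qs)

def sam(c, w, rng):
    """Sam(C_next, C, w) without the signature checks: uniform w' with
    C(w') = C(w), or uniform over {0,1}^m when C is absent."""
    if c is None:
        return rng.choice(SPACE)
    target = c(w)
    return rng.choice([x for x in SPACE if c(x) == target])

def cheating_sender(queries, rng):
    """Answer every round with a fresh Sam sample, then ask Sam once more
    at the reveal stage. Returns (a_1..a_k, opening, second opening)."""
    w, c_prev, answers = None, None, []
    for i in range(1, len(queries) + 1):
        c_i = lambda x, qs=tuple(queries[:i]): sender_answers(x, qs)
        w = sam(c_prev, w, rng)        # (b_i, r_i) <- Sam(C_i, C_{i-1}, b_{i-1}, r_{i-1})
        answers.append(c_i(w)[-1])     # a_i: the round-i answer of C_i(b_i, r_i)
        c_prev = c_i
    w_alt = sam(c_prev, w, rng)        # (b_{k+1}, r_{k+1}) <- Sam(., C_k, b_k, r_k)
    return tuple(answers), w, w_alt

def equivocation_rate(trials=400, rounds=3, seed=1):
    """Fraction of runs in which the two valid openings carry different bits."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        queries = [tuple(rng.randrange(2) for _ in range(M)) for _ in range(rounds)]
        answers, w, w_alt = cheating_sender(queries, rng)
        # Both openings must reproduce the whole commit-stage transcript.
        assert sender_answers(w, queries) == answers == sender_answers(w_alt, queries)
        wins += w[0] != w_alt[0]
    return wins / trials

if __name__ == "__main__":
    print(equivocation_rate())
```

The rate falls slightly below 1/2 because a few random query sets happen to pin down the first bit, in which case this toy sender is not hiding.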

Page 20

is Still One-way in the Presence of Sam

Thm: ∀ PPT A, Pr_y[A^{Sam,}(y) = ^-1(y)] = negl

A^{,Sam}(y) hits if it queries w' ← Sam(C_next,C,w) and C(w') queries on ^-1(y).

Lemma 1: Pr_y[A^{Sam,}(y) = ^-1(y) and does not hit] = negl

Using extension of [Gennaro-Trevisan '01]

Lemma 2: Pr_y[A^{Sam,}(y) hits] = negl

We prove that Pr_y[A^{Sam,}(y) hits] > negl

⇒ ∃ Ā s.t. Pr_y[Ā^{Sam,}(y) = ^-1(y) and does not hit] > negl

Page 21

Gennaro-Trevisan Thm.

Theorem [GT '01] (informal): A random permutation is hard even for exponential size circuits.

Main Lemma: Let A be a circuit making q queries to a permutation : {0,1}^n → {0,1}^n s.t. Pr_y[A(y) = ^-1(y)] ≥ , then has a short description (of length K = 2·log(2^n choose a) + log((2^n - a)!), where a = ·2^n/(q+1)).

Proving the thm:

Let A be a circuit of size 2^{n/5}

⇒ A inverts w.p. 2^{-n/5} a tiny fraction of the 's (< 2^{-n})

Page 22

The proof of [GT] Lemma - The Short Description of

Carefully chosen Y ⊆ {y: A(y) = ^-1(y)}, X = ^-1(Y)

|Y| = |X| = ·2^n/(q+1)

The desc. of is the desc. of X, Y and the values of over {0,1}^n \ X (and thus indeed of size K).

Reconstruction: go over all y ∈ Y in lex. order, simulate A(y) to get x = A(y) and set (x) = y.

Y is chosen s.t.:
• all the queries made by A(y) to are already defined.
• Except for the possibility that A(y) queries on ^-1(y), but then you have found ^-1(y).

Page 23

Proving Lemma 1

Lemma 1: ∀ PPT A, Pr_{,y}[A^{,Sam}(y) = ^-1(y) and no hit] < 2^{-(n)}.

We show that: ∀ fixing of A and Sam's random coins, ∀ : Pr_y[A^{,Sam}(y) = ^-1(y) and no hit] > ⇒ has a short description.

⇒ For any choice of A and Sam's random coins, Pr_{,y}[A^{,Sam}(y) = ^-1(y) and no hit] < 2^{-(n)}

Page 24

Proving Lemma 1 (cont)

Idea: apply [GT] to A^Sam.

Problem: A^Sam makes too many queries to .

Solution: when defining Y, only care that the queries in the evaluation C(w) and C(w') are defined.

Reconstruction: when simulating Sam(C) (embedded in A^{,Sam}(y)), we find the first w' s.t. all the calls of C(w') to are already defined and C(w') = C(w).

Problem: C(w') might query on ^-1(y).

A is non-hitting!

Sam(C_next,C,w): Go over {0,1}^m in a fixed order, return the first that satisfies C(w') = C(w)

Page 25

From Hitting to Non Hitting (a simple case)

Sam(C_next,C,w): w' ← {x ∈ {0,1}^m : C(x) = C(w)}

Lemma 2: ∀ PPT A, Pr_{,y}[A^{,Sam} hits] = negl

Idea: hitting A ⇒ non-hitting Ā that inverts

Let be fixed, and assume that A only makes two queries: w_1 ← Sam(C_1,⊥,⊥) and w_2 ← Sam(C_2,C_1,w_1).

A hits if C_1(w_2) queries y.

w_2 is uniformly dist. in {0,1}^m

⇒ Pr_y[C_1(U_m) queries y] = Pr_y[A^{,Sam} hits]

Ā – acts as A, but queries C_1(U_m) before calling Sam.

⇒ Pr_y[Ā^{,Sam} = ^-1(y) and no hit] ≥ Pr_y[A^{,Sam} hits]

⇒ Pr_y[A^{,Sam} hits] = negl

Page 26

From Hitting to Non Hitting (general case)

Sam(C_i,C_{i-1},w_{i-1}): w_i ← {x ∈ {0,1}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})}

Pr_y[A^{Sam,}(y) hits] > 1/p(n)

hit_i = Pr[C_{i-1}(w_i) queries y]

Ā: evaluates C_{i-1}(w_{i-1}) before it calls Sam(C_i,C_{i-1},w_{i-1}),

inv_i = Pr[C_{i-1}(w_{i-1}) queries y]

Wlog hit_2 is exp. small; d(n) ∈ o(n/log n); hit_i > 1/p(n)

⇒ ∃ j s.t. hit_j > max{ p^2(n)· i<j hit_i, t }

Claim: hit_j is large ⇒ inv_j is large.

⇒ (inv_j - i<j hit_i) > t'/2

⇒ Pr_y[Ā^{Sam,}(y) = ^-1(y) and no hit] > t'/2

[Diagram: chain of Sam queries of depth d(n): (C_1,⊥,⊥) = w_1; (C_2,C_1,w_1) = w_2; ...; (C_{j-1},C_{j-2},w_{j-2}) = w_{j-1}; (C_j,C_{j-1},w_{j-1}) = w_j; ...; (C_d,C_{d-1},w_{d-1}) = w_d. Label: 2^{-n/8}]

Page 27

hit_j is large ⇒ inv_j is large

We prove that ∀i Ex[hit_i] = inv_i.

inv_i = Pr[C_{i-1}(w_{i-1}) queries y]

• hit_i = Pr[C_{i-1}(w_i) queries y]

• Sampling w_{i-1}: w_{i-1} ← {w: C_{i-2}(w) = C_{i-2}(w_{i-2})}

• Sampling w_i:
  • Sample w_{i-1}
  • S = {w: C_{i-1}(w) = C_{i-1}(w_{i-1})}
  • w_i ← S

hit^S_i = Pr_{w←S}[C_{i-1}(w) queries y]

inv_i = Pr[S] · Pr[C_{i-1}(w_{i-1}) queries y | S] = Pr[S] · hit^S_i = Ex[hit_i]

[Diagram labels: s1; s2; s3; s4; s5; w_{i-1}]

Page 28

Additional Results

Similar proof (same Sam) ⇒ in any construction of the above, the sender communicates (n) bits

Give a BB-reduction from low-communication PIR to SH-commitment, where the sender communicates (log n) additional bits.

⇒ No BB-construction from OWP (and from TDP) to low-communication PIR.

Page 29

Concluding Remarks

In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits.

Sam breaks the binding w.h.p. ⇒ no weakly-binding commitment.

Did not use the fact that the receiver might deviate from the protocol.

⇒ The bound holds for protocols secure only against honest receivers.

The extension to TDP is not very hard.

Page 30

Open Questions

We showed that in any BB-reduction from OWP defined over {0,1}^n to statistically-hiding bit commitment, the sender communicates (n) bits.

Tighter bounds for commitment of many bits imply tighter bounds for PIR.

Using our extension to Gennaro-Trevisan to prove other black-box separation results.