
Finding Collisions in Interactive Protocols: A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments

Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev


Presentation Transcript


  1. Finding Collisions in Interactive Protocols: A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments. Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev

  2. Talk Outline • Statistically-hiding commitments • Black-box lower bounds • Our lower bound on the round complexity of statistically-hiding commitments • Other lower bounds (Private Information Retrieval, Oblivious Transfer, Interactive Hashing)

  3. Statistically-hiding Commitments • The digital analogue of a sealed envelope. • Major ingredient in statistical ZKA, secure computation, and … Two-stage protocol between S and R: • Commit stage: S commits to x w/o revealing it to R. • Reveal stage: S opens the commitment. Security properties: • Computationally-binding: an efficient S cannot decommit to two different values. • Statistically-hiding: an unbounded R does not learn x during the commit stage.

  4. Applications of SH-Commitments • In settings where some commitments are never revealed, guarantees everlasting security. • Statistical zero-knowledge arguments. • Coin-flipping protocols. • In some settings, a general transformation for protocols with “statistical security”: semi-honest model → malicious model

  5. Known Constructions • [NY ‘89, DPP ‘93] Collision-resistant hash functions (CRHF): two rounds • [NOVY ‘91] One-way permutations (OWP): O(n/log(n)) rounds * • [NOV ‘06] + [HR ‘06] One-way functions (OWF): poly(n) rounds • Tradeoff between the hardness assumption and the number of rounds. • CRHF: a family of efficiently computable, compressing functions that are collision resistant. • OWP: efficiently computable permutations that are hard to invert.

  6. Impossibility Results Are the previous constructions optimal? Usually it is very difficult to come up with unconditional impossibility results. Discrete log is hard ⇒ CRHF exists ⇒ OWP implies two-round SH-commitment in a trivial sense.

  7. Black Box Reductions In their seminal work, Impagliazzo and Rudich presented a paradigm for proving impossibility results under a restricted, yet important, class of reductions called black-box reductions. Quite a few black-box separation results: e.g., no key-agreement from one-way functions.

  8. (Fully) Black-Box Reductions A fully black-box reduction from B to A: • Black-box construction. • Black-box proof of security. Proof of security: adversary for breaking B ⇒ adversary for breaking A. Fully black-box reductions relativize (hold relative to every oracle). [Diagram: B built from A; adversary for A built from adversary for B]

  9. Black-Box Reductions (cont.) • Most constructions in cryptography are (fully) black-box, e.g., pseudorandom generator from OWF. • Few “non black-box” techniques that apply in restricted settings (typically using ZK proofs). • Black-box separations are (still) very meaningful.

  10. Previous results • [Fischlin 02’] In any BB-reduction from SH-commitment to OWP (or to TDP), the commitment has at least two rounds. • [Wee 06’] In any BB-reduction from a restricted type of SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds.

  11. Our Results In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits. Remarks: • Can be generalized. • The bounds for the number of rounds are tight, and the bounds for the number of bits communicated are tight for bit commitments. • Assuming that the permutation is s(n)-hard, then the bounds are (n/log(s(n))) and (n) resp. • Also for trapdoor permutations. • Also for honest receiver and for weakly-binding commitment schemes.

  12. Our Results (cont) Additional lower bounds: • Interactive Hashing • Statistical oblivious transfer • Single server private information retrieval Additional contributions: • A novel extension of the [Gennaro-Trevisan `01] “short description” paradigm • A new proof of [Simon 98’] (no BB-reduction from CRHF to OWP) *

  13. The Proof An imaginary world: Sam and a random permutation π: {0,1}^n → {0,1}^n. • ∃ PPT Š with oracle access to Sam that breaks the binding of any o(n/log n)-round SH-commitment. • ∀ PPT A, Pr[A^{π,Sam} inverts π] = negl. ⇒ No BB-reduction from o(n/log n)-round SH-cmt to OWP defined over {0,1}^n. [Diagram: adversary Š^{Sam} for o(n/log n)-round SH-cmt; adversary for π; impossible]

  14. The rest of the talk • Define Sam and show how to use it for breaking any o(n/log n)-round SH-commitment. • Prove that π is (still) one-way in the presence of Sam.

  15. Defining Sam (two-round cmt.) [Diagram: commit stage: S(b,r) and R exchange q and a; reveal stage: S sends (b,r), R accepts if S(b,r) is consistent with the commit stage. Annotation: S(b,(r1,r2)), y = P(r2)] First attempt: Sam(q,a) returns a random pair (b’,r’) s.t. S(b’,r’,q) = a. (S,R) is statistically hiding ⇒ b’ is uni. dist. in {0,1} ⇒ Sam can be used to break the binding of (S,R). Problem: Sam can be used to invert π. [Simon, Fischlin]: Sam(q) returns two random pairs, (b,r) and (b’,r’), s.t. S(b,r,q) = S(b’,r’,q). • Sam can still be used to break the binding of (S,R). • Not clear how to use Sam to invert a specific y.

  16. Defining Sam (general case) [Diagram: commit stage: S(b,r), R and π, with messages q_1, a_1, q_k, a_k; reveal stage: S sends (b,r), R accepts if S(b,r) is consistent with the commit stage] Life is not that simple • Sam inverts any SH-commitment • limit the number of queries Sam answers. • Forcing restrictions (Sam is stateless!) • the user keeps the state. • use signature schemes. • 1. Announce q_1 2. (b_1,r_1) ← Sam (where (b_1,r_1) is uniformly dist.) 3. answer a_1 = S(b_1,r_1,q_1) • 1. Announce q_2 2. (b_2,r_2) ← Sam (where (b_2,r_2) is random s.t. S(b_2,r_2,q_1) = S(b_1,r_1,q_1)) 3. answer a_2 = S(b_2,r_2,q_1,q_2) Reveal stage: (b_{k+1},r_{k+1}) ← Sam. Thus, Pr[b_k ≠ b_{k+1}] = ½ • The two-round case oracle [Simon] revisited: • Announce q to Sam • (b,r) ← Sam, where (b,r) is uniformly chosen. • (b’,r’) ← Sam, where (b’,r’) is randomly chosen s.t. S(b’,r’,q) = S(b,r,q) First attempt: Sam(q_1,...,q_k) returns two random pairs (b,r) and (b’,r’) s.t. S(b,r,q_1,...,q_k) = S(b’,r’,q_1,...,q_k) Problem: w.h.p., both (b,r) and (b’,r’) are inconsistent with (a_1,...,a_k)

  17. Defining Sam (more formally) Let C, C_next: {0,1}^m → {0,1}* be circuits with π gates. Sam(C_next, C, w): return w’ ← {x ∈ {0,1}^m : C(x) = C(w)} (if C = ⊥, return w’ ← {0,1}^m). Preventing Sam from inverting π: • Sam answers only if it previously answered (C, C_prev, ·) with w. • Limited interaction depth. We enforce the above using signature schemes.

  18. Defining Sam (cont) • d ∈ o(n/log(n)) [Diagram: tree of Sam queries of depth d(n): (C_1,⊥,⊥) = w_1; (C_8,⊥,⊥) = w’; (C_56,⊥,⊥) = w’’; (C_2,C_1,w_1) = w_2; (C_3,C_1,w_1) = w_3; (C_4,C_2,w_2) = w_4; (C_5,C_3,w_3) = w_5; (C_6,C_5,w_5) = w_6; (C_7,C_5,w_5) = w_7]

  19. Defining Sam (last) [Diagram: commit stage: S(b,r), R and π, with messages q_1, a_1, q_k, a_k; reveal stage: S sends (b,r), R accepts if S(b,r) is consistent with the commit stage] Let C_i be the circuit naturally defined by S and q_1,...,q_i (C_i(b,r) outputs S(b,r,q_1,...,q_i)’s answers). For all i: • (b_i,r_i) ← Sam(C_i, C_{i-1}, b_{i-1}, r_{i-1}) • a_i ← C_i(b_i,r_i)

  20. π is Still One-way in the Presence of Sam Thm: ∀ PPT A, Pr_{π,y}[A^{Sam,π}(y) = π^{-1}(y)] = negl. A^{π,Sam}(y) hits if it queries w’ ← Sam(C_next, C, w) and C(w’) queries π on π^{-1}(y). Lemma 1: Pr_{π,y}[A^{Sam,π}(y) = π^{-1}(y) and does not hit] = negl. Using an extension of [Gennaro-Trevisan `01]. Lemma 2: Pr_{π,y}[A^{Sam,π}(y) hits] = negl. We prove that Pr_{π,y}[A^{Sam,π}(y) hits] > negl ⇒ ∃ Ā s.t. Pr_{π,y}[Ā^{Sam,π}(y) = π^{-1}(y) and does not hit] > negl.

  21. Gennaro-Trevisan Thm. Theorem [GT `01] (informal): A random permutation is hard even for exponential size circuits. Main Lemma: Let A be a circuit making q queries to a permutation π: {0,1}^n → {0,1}^n s.t. Pr_y[A^π(y) = π^{-1}(y)] ≥ ε; then π has a short description (of length K = 2·log(2^n choose a) + log((2^n − a)!), where a = ε·2^n/(q+1)). Proving the thm: Let A be a circuit of size 2^{n/5} ⇒ A inverts w.p. 2^{-n/5} a tiny fraction of the π’s (< 2^{-n}).

  22. The proof of [GT] Lemma: The Short Description of π • Carefully chosen Y ⊆ {y: A^π(y) = π^{-1}(y)}, X = π^{-1}(Y). • |Y| = |X| = ε·2^n/(q+1). • The desc. of π is the desc. of X, Y and the values of π over {0,1}^n \ X (and thus indeed of size K). • Reconstruction: go over all y ∈ Y in lex. order, simulate A^π(y) to get x = A^π(y) and set π(x) = y. Y is chosen s.t.: • All the queries made by A^π(y) to π are already defined. • Except for the possibility that A^π(y) queries π on π^{-1}(y), but then you have found π^{-1}(y).

  23. Proving Lemma 1 Lemma 1: ∀ PPT A, Pr_{π,y}[A^{π,Sam}(y) = π^{-1}(y) and no hit] < 2^{-(n)}. We show that: ∀ fixing of A and Sam’s random coins, ∀ π, Pr_y[A^{π,Sam}(y) = π^{-1}(y) and no hit] > ε ⇒ π has a short description. ⇒ For any choice of A and Sam’s random coins, Pr_{π,y}[A^{π,Sam}(y) = π^{-1}(y) and no hit] < 2^{-(n)}.

  24. Proving Lemma 1 (cont) Sam(C_next, C, w): go over {0,1}^m in a fixed order, return the first w’ that satisfies C(w’) = C(w). Idea: apply [GT] to A^{Sam}. Problem: A^{Sam} makes too many queries to π. Solution: when defining Y, only care that the queries in the evaluation of C(w) and C(w’) are defined. Reconstruction: when simulating Sam(C) (embedded in A^{π,Sam}(y)), we find the first w’ s.t. all the calls of C(w’) to π are already defined and C(w’) = C(w). Problem: C(w’) might query π on π^{-1}(y). A is non-hitting!

  25. From Hitting to Non Hitting (a simple case) Sam(C_next, C, w): w’ ← {x ∈ {0,1}^m : C(x) = C(w)}. Lemma 2: ∀ PPT A, Pr_{π,y}[A^{π,Sam} hits] = negl. Idea: hitting A ⇒ non-hitting Ā that inverts π. Let π be fixed, and assume that A only makes two queries: w_1 ← Sam(C_1,⊥,⊥) and w_2 ← Sam(C_2,C_1,w_1). A hits if C_1(w_2) queries y. • w_2 is uniformly dist. in {0,1}^m ⇒ Pr_y[C_1(U_m) queries y] = Pr_y[A^{π,Sam} hits]. • Ā acts as A, but queries C_1(U_m) before calling Sam. ⇒ Pr_y[Ā^{π,Sam} = π^{-1}(y) and no hit] ≥ Pr_y[A^{π,Sam} hits] ⇒ Pr_y[A^{π,Sam} hits] = negl.

  26. From Hitting to Non Hitting (general case) [Diagram: chain of Sam queries of depth d(n): (C_1,⊥,⊥) = w_1; (C_2,C_1,w_1) = w_2; …; (C_{j-1},C_{j-2},w_{j-2}) = w_{j-1}; (C_j,C_{j-1},w_{j-1}) = w_j; …; (C_d,C_{d-1},w_{d-1}) = w_d] Sam(C_i,C_{i-1},w_{i-1}): w_i ← {x ∈ {0,1}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})}. Pr_y[A^{Sam,π}(y) hits] > 1/p(n). • hit_i = Pr[C_{i-1}(w_i) queries y] • Ā: evaluates C_{i-1}(w_{i-1}) before it calls Sam(C_i,C_{i-1},w_{i-1}) • inv_i = Pr[C_{i-1}(w_{i-1}) queries y] • Wlog hit_2 is exp. small • d(n) ∈ o(n/log n) • Σ hit_i > 1/p(n) ⇒ ∃ j s.t. hit_j > max{p2(n)·Σ_{i<j} hit_i, t} Claim: hit_j is large ⇒ inv_j is large. ⇒ (inv_j − Σ_{i<j} hit_i) > t’/2 ⇒ Pr_y[Ā^{Sam,π}(y) = π^{-1}(y) and no hit] > t’/2 • 2^{-n/8}

  27. hit_j is large ⇒ inv_j is large [Diagram: sets s1, s2, s3, s4, s5 and w_{i-1}] We prove that ∀ i, Ex[hit_i] = inv_i. • inv_i = Pr[C_{i-1}(w_{i-1}) queries y] • hit_i = Pr[C_{i-1}(w_i) queries y] • Sampling w_{i-1}: w_{i-1} ← {w: C_{i-2}(w) = C_{i-2}(w_{i-2})} • Sampling w_i: • Sample w_{i-1} • S = {w: C_{i-1}(w) = C_{i-1}(w_{i-1})} • w_i ← S. hit_i^S = Pr_{w←S}[C_{i-1}(w) queries y]. inv_i = Σ Pr[S]·Pr[C_{i-1}(w_{i-1}) queries y | S] = Σ Pr[S]·hit_i^S = Ex[hit_i].

  28. Additional Results • Similar proof (same Sam) ⇒ in any construction of the above, the sender communicates (n) bits. • Give a BB-reduction from low-communication PIR to SH-commitment, where the sender communicates (log n) additional bits. ⇒ No BB-construction from OWP (and from TDP) to low-communication PIR.

  29. Concluding Remarks • In any BB-reduction from SH-commitment to OWP defined over {0,1}^n, the commitment has (n/log n) rounds and the sender communicates (n) bits. • Sam breaks the binding w.h.p. ⇒ no weakly-binding commitment. • Did not use the fact that the receiver might deviate from the protocol. ⇒ The bound holds for protocols secure only against honest receivers. • The extension to TDP is not very hard.

  30. Open Questions • We showed that in any BB-reduction from OWP defined over {0,1}^n to statistically-hiding bit commitment, the sender communicates (n) bits. Tighter bounds for commitment of many bits imply tighter bounds for PIR. • Using our extension to Gennaro-Trevisan to prove other black-box separation results.
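
The first-attempt Sam of slide 15 and the uniformity step of slide 25, worked exactly on a toy instance; this is an added example, not code from the talk or its authors. The Pedersen-style sender, the group parameters (23, 2, 11), the `touches` predicate and all function names are assumptions made for illustration, and only the simple case (uniform w, one resampling step) is covered.

```python
from fractions import Fraction
from itertools import product

P, G, ORDER = 23, 2, 11   # constructed toy group: 2 has order 11 modulo 23

def sender(b, r, q):
    """Hypothetical two-round sender S(b, r, q): Pedersen-style answer g^r * h^b, h = g^q."""
    return (pow(G, r, P) * pow(pow(G, q, P), b, P)) % P

def collision_set(circuit, domain, w):
    """{x in domain : C(x) = C(w)}, the set Sam samples from."""
    target = circuit(w)
    return [x for x in domain if circuit(x) == target]

def resampled_distribution(circuit, domain):
    """Exact law of w' when w is uniform and w' <- Sam(C, w) is uniform on the collision set."""
    dist = {x: Fraction(0) for x in domain}
    for w in domain:
        s = collision_set(circuit, domain, w)
        for x in s:
            dist[x] += Fraction(1, len(domain) * len(s))
    return dist

def binding_break_probability(q):
    """Pr[b' != b] for uniform (b, r) and (b', r') <- Sam(q, a) with a = S(b, r, q)."""
    domain = list(product((0, 1), range(ORDER)))
    circuit = lambda w: sender(w[0], w[1], q)
    total = Fraction(0)
    for w in domain:
        s = collision_set(circuit, domain, w)
        flips = sum(1 for x in s if x[0] != w[0])   # openings to the other bit
        total += Fraction(flips, len(s) * len(domain))
    return total

def hit_and_inv(circuit, domain, touches):
    """(hit, inv): chance that the resampled w', resp. the uniform w, satisfies `touches`."""
    dist = resampled_distribution(circuit, domain)
    hit = sum((p for x, p in dist.items() if touches(x)), Fraction(0))
    inv = Fraction(sum(1 for x in domain if touches(x)), len(domain))
    return hit, inv

if __name__ == "__main__":
    print("Pr[b' != b] =", binding_break_probability(q=7))
    # Unbalanced toy circuit; `touches` stands in for "C(x) queries the oracle on y".
    print(hit_and_inv(lambda x: (x * x) % 7, range(16), lambda x: x % 5 == 0))
```

Because the toy sender is perfectly hiding, every transcript has exactly one opening per bit, so the resampled bit differs from the committed one with probability exactly 1/2; the second function shows that resampling inside the collision set leaves a uniform input uniform, which is why the hit and inv probabilities coincide.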
