Inaccessible Entropy

Omer ReingoldWeizmann & Microsoft Salil VadhanHarvard University Iftach Haitner Microsoft Research Hoeteck WeeQueens College, CUNY Inaccessible Entropy TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA

outline • Entropy • Secrecy & Pseudoentropy • Unforgeability & Inaccessible Entropy • Applications

Entropy Def: The Shannon entropyof r.v. X is H(X) = ExÃX[log(1/Pr[X=x)] • H(X) = “Bits of randomness in X (on avg)” • 0 · H(X) · log|Supp(X)| • Conditional Entropy: H(X|Y) = EyÃY[H(X|Y=y)] X uniform onSupp(X) X concentratedon single point

Worst-Case Entropy Measures • Min-Entropy: H1(X) = minx log(1/Pr[X=x]) • Max-Entropy: H0(X) = log |Supp(X)| H1(X) · H(X) · H0(X)

Perfect Secrecy & Entropy Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if 8 m,m’ 2 {0,1}nEncK(m) & EncK(m’) are identically distributed for a random key K. Thm [Sh49]: Perfect secrecy ) |K| ¸ n

Perfect Secrecy ) |K|¸ n Proof: • Perfect secrecy) (M,EncK(M)) ´(M,EncK(M’)) for M,M’Ã{0,1}n) H(M|EncK(M)) = n • Decryptability) H(M|EncK(M),K) = 0) H(M|EncK(M)) · H(K).

Computational Secrecy Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if 8 m,m’ 2 {0,1}nEncK(m) & EncK(m’) are computationally indistinguishable. ) can have |K| ¿ n.

Where Shannon’s Proof Breaks • Computational secrecy) (M,EncK(M)) ´c(M,EncK(M’)) for M,M’Ã{0,1}n)“Hpseudo(M|EncK(M))” = n • Decryptability) H(M|EncK(M)) · H(K). Key point: can have Hpseudo(X) À H(X)e.g. X = G(Uk) for PRG G : {0,1}k! {0,1}n

Pseudoentropy Def [HILL90]: X has pseudoentropy¸ k iff there exists a random variable Y s.t. • Y ´c X • H(Y) ¸ k Pseudoentropy Generator: G X S Ã {0,1}n ´ c Y

Application of Pseudoentropy Thm [HILL90]:9 OWF )9 PRG Proof outline: OWF hardcore bit [GL89]+hashing X with pseudoentropy ¸ H(X)+1/poly(n) repetitions X with pseudo-min-entropy ¸ H0(X)+poly(n) hashing PRG

Unforgeability • Crypto is not just about secrecy. • Unforgeability: security properties saying that it has hard for an adversary to generate “valid” messages. • Unforgeability of MACs, Digital Signatures • Collision-resistance of hash functions • Binding of commitment schemes • Cf. decision problems vs. search/sampling problems.

Ex: Collision-resistant Hashing F = { f : {0,1}n! {0,1}n-k} • Shrinking • Collision Resistance:Given f ÃF , an efficient Acannot output x1x2 such thatf(x1) = f(x2)

Ex: Collision-resistant Hashing F = {f : {0,1}n! {0,1}n-k} • Shrinking: H(X | F,Y) ¸k • Collision Resistance: From (even a cheating) G’s point of view, X is determined by (F,Y)  X has “accessible” entropy 0 G F ÃF X Ã {0,1}n X Y= F(X)

Ex: Collision-resistant Hashing F = {f : {0,1}n! {0,1}n-k} • Collision Resistance:H(X |F,Y,S1) = neg(n) for every efficient G*. G* F ÃF S2Ã{0,1}r S1Ã{0,1}r XF-1(Y) Y

Measuring Accessible Entropy Goal: A useful entropy measure to capture possibility that Hacc(X) ¿ H(X) 1st attempt: X has accessible entropy at most k if there is a random variable Y s.t. • Y ´c X • H(Y) · k Not useful! every X is indistinguishable from some Y of entropy polylog(n).

Inaccessible Entropy Idea:A generator G has inaccessible entropy if H(G’s outputs from an observer’s perspective) > H(G*’s outputs from G*’s perspective) Real Entropy Accessible Entropy

Real Entropy G Def: The real entropy of G is H(Y1,….,Ym|Z) = i H(Yi | Z,Y1,…,Yi-1) Z RÃ{0,1}n Ym Y1 Y2

Accessible Entropy G* Def:G has accessible entropy at most k, if 8 PPT G* • iH(Yi|Z,S1,S2,…,Si-1) ·k • Inaccessible entropy = real – accessible entropy • Unbounded G* can achieve real entropy. Z R Sm S1 S2 s.t. G(Z,R)=(Y1,….,Ym) Ym Y1 Y2

OWF  Inaccessible Entropy Given a one-way function f : {0,1}n{0,1}n, define Claim: • Real entropy = n • Accessible entropy < n-log n [cf. Omer’s talk: G(x)=(f(x),x1,…,xn) next-bit pseudoentropyn+log n for OWP f] G XÃ{0,1}n X f(X)n f(X)1 f(X)2

OWF  Inaccessible Entropy G* Claim: Accessible entropy < n-log n • Suppose  G*s.t. iH(Yi|S1,…,Si-1)  n-log n • Then can invert f on input Y’by sequentially finding S1,..,Sns.t. Yi=Y’i (via sampling). • High accessible entropy  success on random Y=f(X) w.p. 1/poly(n). R=Ym+1 Sn Sm+1 S1 S2 Yn 1 X 0 Ym+1 Y1 Y2 1 1 0 0 Y’ = 0 1

Commitment Schemes

Commitment Schemes COMMIT STAGE S R m

Commitment Schemes REVEAL STAGE S R m

Commitment Schemes S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject

Security of Commitments COMMIT(m) & COMMIT(m’) indistinguishableeven to cheating R* • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n Even cheating S*cannot reveal(m,K), (m’,K’) with mm’ REVEAL STAGE (m,K) accept/reject

Statistical Security? • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}t REVEAL STAGE (m,K) accept/reject Impossible!

Statistical Binding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject Thm [HILL90,Naor91]: One-way functions ) Statistically Binding Commitments

Statistical Hiding • Hiding • Statistical • Computational • Binding • Statistical • Computational S R COMMIT STAGE m2{0,1}n REVEAL STAGE (m,K) accept/reject Too Complicated! Thm [HNORV07]: One-way functions ) Statistically Hiding Commitments

Our Results I • Much simpler proof that OWF) Statistically Hiding Commitmentsvia accessible entropy. • Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF. • “Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]

Our Results II Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with “black-box simulation” m constant-round statistically hiding commitments exist. ( * due to [GK96,G01], novelty is )

Statistically Hiding Commitments& Inaccessible Entropy Statistical Hiding: H(M|C) = n - neg(n) S R COMMIT STAGE MÃ{0,1}n C REVEAL STAGE M K

Statistically Hiding Commitments& Inaccessible Entropy Statistical Hiding: H(M|C) = n - neg(n) Comp’l Binding: For every PPT S* H(M|C,S1) = neg(n)  “inaccessible entropy for protocols” S* R COMMIT STAGE coins S1 C REVEAL STAGE coins S2 M K

OWF ) Statistically Hiding Commitments: Our Proof OWF • done G with real entropy ¸ accessible entropy+log n repetitions G with real min-entropy ¸ accessible entropy+poly(n) (interactive) hashing [DHRS07]+UOWHFs [NY89,Rom90] “m-phase” commitment cut & choose & parallel rep statistically hiding commitment

Cf. OWF ) Statistically Binding Commitment [HILL90,Nao91] OWF hardcore bit [GL89]+hashing X with pseudoentropy ¸ H(X)+1/poly(n) repetitions X with pseudo-min-entropy ¸ H0(X)+poly(n) hashing PRG expand output & translate Statistically binding commitment

Other Applications • Simpler/improved universal one-way hash functions from OWF [HRVW09b] • Inspired simpler/improved pseudorandom generators from OWF [HRV09]

Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. Secrecypseudoentropy > real entropy Unforgeabilityaccessible entropy < real entropy

Research Directions • Formally unify inaccessible entropy and pseudoentropy. • Complexity-theoretic applications of inaccessible entropy • Remove “parallelizable” condition from ZK result. • Use inaccessible entropy for new understanding/constructions of MACS and digital signatures.

Inaccessible Entropy

Inaccessible Entropy

Presentation Transcript

Entropy

Entropy

Inaccessible Entropy

ENTROPY

Entropy

Entropy

Entropy

Entropy

Entropy

OBIGGS Utilization In Inaccessible Areas

Entropy

Entropy

Entropy

ENTROPY

Entropy (?)

Entropy

Entropy

Entropy

Entropy

Entropy

Entropy