Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A

outline  Entropy  Secrecy & Pseudoentropy  Unforgeability & Inaccessible Entropy  Applications

Def: The Shannon entropy of r.v. X is H(X) = E x à X [log(1/Pr[X=x)]  H(X) = “Bits of randomness in X (on avg)”  0 · H(X) · log |Supp(X)| Entropy X concentrated on single point X uniform on Supp(X)

Conditional Entropy H(X|Y) = E y à Y [H(X| Y=y )]  Chain Rule: H(X,Y) = H(Y) + H(X|Y)  H(X)-H(Y) · H(X|Y) · H(X)  H(X|Y) = 0 iff 9 f X=f(Y).

Worst-Case Entropy Measures  Min-Entropy: H 1 (X) = min x log(1/Pr[X=x])  Max-Entropy: H 0 (X) = log |Supp(X)| H 1 (X) · H(X) · H 0 (X)

outline  Entropy  Secrecy & Pseudoentropy  Unforgeability & Inaccessible Entropy  Applications

Perfect Secrecy & Entropy Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if 8 m,m’ 2 {0,1} n Enc K (m) & Enc K (m’) are identically distributed for a random key K. Thm [Sh49]: Perfect secrecy ) |K| ¸ n

Perfect Secrecy ) |K| ¸ n Proof:  Perfect secrecy ) (M,Enc K (M)) ´ (U n,Enc K (M)) for M,U n à {0,1} n ) H(M|Enc K (M)) = n  Decryptability ) H(M|Enc K (M),K) = 0 ) H(M|Enc K (M)) · H(K).

Computational Secrecy Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if 8 m,m’ 2 {0,1} n Enc K (m) & Enc K (m’) are computationally indistinguishable. ) can have |K| ¿ n.

Where Shannon’s Proof Breaks  Computational secrecy ) (M,Enc K (M)) ´ c (U n,Enc K (M)) for M,U n à {0,1} n ) “H pseudo (M|Enc K (M))” = n  Decryptability ) H(M|Enc K (M)) · H(K). Key point: can have H pseudo (X) À H(X) e.g. X = G(U k ) for PRG G : {0,1} k ! {0,1} n

Pseudoentropy Def [HILL90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t. 1.Y ´ c X 2.H(Y) ¸ k

Application of Pseudoentropy Thm [HILL90]: 9 OWF ) 9 PRG Proof outline: OWF X with pseudo-min-entropy ¸ H 0 (X)+poly(n) X with pseudoentropy ¸ H(X)+1/poly(n) PRG hardcore bit [GL89]+hashing repetitions hashing

outline  Entropy  Secrecy & Pseudoentropy  Unforgeability & Inaccessible Entropy  Applications

Unforgeability  Crypto is not just about secrecy.  Unforgeability: security properties saying that it has hard for an adversary to generate “valid” messages. –Unforgeability of MACs, Digital Signatures –Collision-resistance of hash functions –Binding of commitment schemes

Ex: Collision-resistant Hashing  Shrinking: H(X|Y,F) ¸ k  Collision Resistance: From A’s perspective, X is determined by Y,F ) “accessible” entropy 0 AB F Ã F F = { f : {0,1} n ! {0,1} n-k } F Y X X Ã {0,1} n Y=F(X)

Ex: Collision-resistant Hashing Collision Resistance: 9 function ¼ s.t. X = ¼ (F,Y,S 1 ) except w/negligible prob. A*A* B F Ã F F = { f : {0,1} n ! {0,1} n-k } F Y X toss coins S 1 toss coins S 2

Ex: Collision-resistant Hashing Collision Resistance: 9 function ¼ s.t. X 2 { ¼ (F,Y,S 1 )} [ f -1 (Y) c A*A* B F Ã F F = { f : {0,1} n ! {0,1} n-k } F Y X toss coins S 1 toss coins S 2

Measuring Accessible Entropy Goal: A useful entropy measure to capture possibility that H acc (X) ¿ H(X) 1st attempt: X has accessible entropy at most k if there is a random variable Y s.t. 1.Y ´ c X 2.H(Y) · k Not useful! every X is indistinguishable from some Y of entropy polylog(n).

Inaccessible Entropy Idea: Protocol (A,B) has inaccessible entropy if H(A’s messages from B’s point of view) > H(A * ’s messages from A * ’s point of view) Real Entropy Accessible Entropy

Real Entropy AB B1B1 A1A1 B2B2 A2A2 BmBm AmAm Def: The real entropy of (A,B) is  i H(A i | B 1,A 1,…,B i )

Accessible Entropy A*A* B B1B1 A1A1 B2B2 A2A2 BmBm AmAm  Tosses coins S i  Sends message A i  Privately outputs justification W i (e.g. consistent coins of honest A) coins S 1 coins S 2 coins S m What A * does at each round W1W1 W2W2 WmWm

Accessible Entropy A*A* B B1B1 A1A1 B2B2 A2A2 BmBm AmAm coins S 1 coins S 2 coins S m W1W1 W2W2 WmWm Def: (A,B) has accessible entropy at most k if for every PPT A *  i H(A i |B 1,S 1,B 2,S 2,…,S i-1,B i ) · k Remarks 1.Needs adjustment in case A * outputs invalid justification. 2.Unbounded A * can achieve real entropy. never Assume

Ex: Collision-resistant Hashing Real Entropy= H(Y|F)+H(X|Y,F) = H(X|F) = n AB F Ã F F = { f : {0,1} n ! {0,1} n-k } F Y X X Ã {0,1} n Y=F(X)

Ex: Collision-resistant Hashing Accessible Entropy= H(Y|F)+H(X|F,S 1 ) · (n-k) + neg(n) A*A* B F Ã F F = { f : {0,1} n ! {0,1} n-k } F Y X toss coins S 1 toss coins S 2

outline  Entropy  Secrecy & Pseudoentropy  Unforgeability & Inaccessible Entropy  Applications

Commitment Schemes

m COMMIT STAGE SR

m R Commitment Schemes S REVEAL STAGE

Commitment Schemes COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K)

Security of Commitments COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K)  Hiding –Statistical –Computational  Binding –Statistical –Computational COMMIT (m) & COMMIT (m’) indistinguishable even to cheating R* Even cheating S * cannot reveal (m,K), (m’,K’) with m  m’

Statistical Security? COMMIT STAGE accept/ reject SR m 2 {0,1} t REVEAL STAGE (m,K)  Hiding –Statistical –Computational  Binding –Statistical –Computational Impossible!

Statistical Binding COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K)  Hiding –Statistical –Computational  Binding –Statistical –Computational Thm [HILL90,Naor91]: One-way functions ) Statistically Binding Commitments

Statistical Hiding COMMIT STAGE accept/ reject SR m 2 {0,1} n REVEAL STAGE (m,K)  Hiding –Statistical –Computational  Binding –Statistical –Computational Thm [HNORV07]: One-way functions ) Statistically Hiding Commitments Too Complicated !

Our Results I  Much simpler proof that OWF ) Statistically Hiding Commitments via accessible entropy.  Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF.  “Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]

Our Results II Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with “black-box simulation” m constant-round statistically hiding commitments exist. ( * due to [GK96,G01], novelty is  )

Statistically Hiding Commitments & Inaccessible Entropy COMMIT STAGE SR M Ã {0,1} n REVEAL STAGE M Statistical Hiding: H(M|C) = n - neg(n) K C

Statistically Hiding Commitments & Inaccessible Entropy COMMIT STAGE S*S* R REVEAL STAGE M Statistical Hiding: H(M|C) = n - neg(n) Comp’l Binding: For every PPT S * H(M|C,S 1 ) = neg(n) K C coins S 1 coins S 2

OWF ) Statistically Hiding Commitments: Our Proof OWF (A,B) with real min-entropy ¸ accessible entropy+poly(n) (A,B) with real entropy ¸ accessible entropy+log n statistically hiding commitment interactive hashing [NOVY92,HR07] repetitions cut & choose (interactive) hashing [DHRS07] +UOWHFs [NY89,Rom90] “m-phase” commitment

Cf. OWF ) Statistically Binding Commitment [HILL90,Nao91] OWF X with pseudo-min-entropy ¸ H 0 (X)+poly(n) X with pseudoentropy ¸ H(X)+1/poly(n) PRG hardcore bit [GL89]+hashing repetitions hashing Statistically binding commitment expand output & translate

OWF ) Statistically Hiding Commitments: Our Proof OWF (A,B) with real min-entropy ¸ accessible entropy+poly(n) (A,B) with real entropy ¸ accessible entropy+log n statistically hiding commitment interactive hashing [NOVY92,HR07] repetitions cut & choose (interactive) hashing [DHRS07] +UOWHFs [NY89,Rom90] “m-phase” commitment

OWF ) Inaccessible Entropy AB Choose linearly indep. B 1,…,B m à {0,1} m f : {0,1} n ! {0,1} m OWF B1B1 h B 1,Y i X à {0,1} n Y=f(X)  Real Entropy = n  Can show: Accessible Entropy · n-log n BmBm h B m,Y i X

Claim: Accessible Entropy · n-log n A*A* B f : {0,1} n ! {0,1} m OWF. B1B1 h B 1,Y i BmBm h B m,Y i X BtBt h B t,Y i For simplicity, assume |f -1 (y)| = 2 k 8 y 2 Im(f) entropy · k entropy · t = n-k-2log n Claim: entropy = neg(n)

Claim: Accessible Entropy · n-log n A*A* B f : {0,1} n ! {0,1} m OWF. B1B1 h B 1,Y i BtBt h B t,Y i For simplicity, assume |f -1 (y)| = 2 k 8 y 2 Im(f). t=n-k-2log n Claim: 9 at most one consistent Y s.t. A * can produce a preimage (except w/neg prob,)

Claim: Accessible Entropy · n-log n A*A* B f : {0,1} n ! {0,1} m OWF. B1B1 h B 1,Y i BtBt h B t,Y i For simplicity, assume |f -1 (y)| = 2 k 8 y 2 Im(f). t=n-k-2log n Claim: 9 at most one consistent Y s.t. A * can produce a preimage (except w/neg prob,) Im(f) poly(n) Interactive Hashing Thms [NOVY92,HR07]: A * can “control” at most 1 consistent value

Claim: Accessible Entropy · n-log n A*A* B f : {0,1} n ! {0,1} m OWF. B1B1 h B 1,Y i BmBm h B m,Y i X BtBt h B t,Y i For simplicity, assume |f -1 (y)| = 2 k 8 y 2 Im(f) entropy · k entropy · t = n-k-2log n entropy = neg(n) Analysis holds whenever |f -1 (Y)| ¼ 2 k Choice of k contributes entropy · log n

Conclusion Complexity-based cryptography is possible because of gaps between real & computational entropy. Secrecy pseudoentropy > real entropy Unforgeability accessible entropy < real entropy What else can we do with inaccessible entropy?

Research Directions  Remove “parallelizable” condition from ZK result.  Use inaccessible entropy for new understanding/constructions of MACS and digital signatures.  Formally unify statistical hiding & statistical binding.

Benefit of Statistical Hiding In most protocols that use commitments:  Binding only required during protocol execution –Depends on adversary’s current capabilities –Safe to be computational  Hiding may matter long after execution –Adversary may gain computational resources –Hardness assumption may be broken –Statistical hiding ) “everlasting secrecy”

Example: Zero Knowledge for NP [Goldreich-Micali-Wigderson86] Hiding ) Zero Knowledge –Verifier learns nothing other than x 2 L Binding ) Soundness –Prover cannot convince verifier if x  L (1,4) PV Corollary: One-Way Functions ) Statistical Zero Knowledge “Arguments” for NP.