
A New Interactive Hashing Theorem


1 A New Interactive Hashing Theorem
Iftach Haitner and Omer Reingold, Weizmann Institute of Science

2 Talk Plan
What is Interactive Hashing; Applications of Interactive Hashing; The new theorem; About the proof; Applications of the new theorem

3 Interactive Hashing[OVY91,NOVY98]
|Easy|=2¾n f h Easy R S h z=h(y)
One-way permutation: efficiently computable and hard to invert, i.e. hard to find f^-1(f(x)) for x ← {0,1}^n. Two-to-one hash function h. h ← H; x ← {0,1}^n, y = f(x); z = h(y).
We call a protocol IH as long as it satisfies the hiding and binding properties. The hiding is evident. Moreover, if S follows the protocol the binding also holds (assuming that the hash functions are pairwise independent). If the sender is semi-honest. Otherwise, we cannot without hardness assumptions about h, in particular we need to assume that
Hiding – The only information that R obtains about y is h(y).
Binding – Efficient S cannot find x1, x2 such that f(x1) ≠ f(x2) and h(f(x1)) = h(f(x2)) = z.

4 Statistically-Hiding String-Commitment.
Commit-phase: S, R, y ∈ {0,1}^n. The main motivation for IH is Fundamental in many crypto protocols, e.g., fair coin-flipping protocols, etc.

5 Statistical Bit-Commitment cont.
Reveal-phase S R y

6 Statistically-Hiding String-Commitment cont.
Same as in Interactive Hashing. Hiding – R does not obtain non-negligible information about y during the commit-phase. Binding – Efficient S cannot decommit into two different values (with non-negligible probability). In Interactive Hashing R only obtains h(y).

7 IH (NOVY) to Bit-Commitment
Commit phase: R, S (b ∈ {0,1}). h ← H; x ← {0,1}^n, y = f(x); z = h(y). Let {y0,y1} = h^-1(z) sorted lexicographically and let  be the index of y (i.e., y= y) c = b ⊕ Reveal phase: (x,b)

8 String-Commitment to IH
x ← {0,1}^n, y = f(x); commit to y; h ← H; z = h(y). The reverse direction is also essentially true: the sender cannot break the binding, since it is committed to y.

9 Applications of Interactive Hashing
Perfectly-Hiding BC from OWP [NOVY98]; Statistically-Hiding BC from Regular / Approximable-preimage-size OWF [HHKKMS05]; Statistical ZK Argument from OWF [NOV06]; “Information Theoretic” IH, applications [OVY91,CCM98,DHRS04,CS06,NV06,...].
[NOVY98]: Naor, Ostrovsky, Venkatesan and Yung. [HHKKMS05]: Haitner, Horvitz, Katz, Koo, Morselli and Shaltiel. [NOV06]: Nguyen, Ong and Vadhan.

10 The NOVY IH Protocol
A “more interactive” version of the naïve (semi-honest) protocol. A particular family of two-to-one hash functions. Assuming that f is a OWP, the protocol satisfies both hiding and binding. h(x) = h1(x),...,h_{n-1}(x), where h_i = 0^{i-1} 1 {0,1}^{n-i} and h_i(x) = <h_i,x>_2.
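An added example (not from the slides): a toy Python run of the bit-commitment built from interactive hashing on slide 7, using the NOVY hash family described above. The permutation toy_f is a stand-in that is not one-way, the name sigma for the index of y is chosen here, and the receiver is assumed honest, so its queries are sampled up front rather than one round at a time.

```python
import secrets
from itertools import product

def toy_f(x):
    """Stand-in permutation on {0,1}^n (a rotation); NOT one-way, illustration only."""
    return x[1:] + x[:1]

def sample_hashes(n):
    """Receiver's n-1 queries h_i = 0^(i-1) 1 {0,1}^(n-i), as bit tuples."""
    return [(0,) * i + (1,) + tuple(secrets.randbelow(2) for _ in range(n - i - 1))
            for i in range(n - 1)]

def inner(h, y):
    """<h, y> over GF(2)."""
    return sum(a & b for a, b in zip(h, y)) % 2

def preimages(n, hs, zs):
    """h^-1(z): every y with <h_i, y> = z_i for all i, sorted lexicographically.
    Brute force over {0,1}^n, so small n only."""
    return sorted(y for y in product((0, 1), repeat=n)
                  if all(inner(h, y) == z for h, z in zip(hs, zs)))

def commit(b, x, hs):
    """Sender: answer each query with z_i = h_i(y), then mask b with the index of y."""
    y = toy_f(x)
    zs = [inner(h, y) for h in hs]
    sigma = preimages(len(x), hs, zs).index(y)  # sigma: name assumed for this example
    return zs, b ^ sigma

def verify(x, b, hs, zs, c):
    """Receiver at reveal: f(x) must lie in h^-1(z) and c must equal b XOR sigma."""
    pair = preimages(len(x), hs, zs)
    y = toy_f(x)
    return y in pair and c == b ^ pair.index(y)

def demo(n=8, b=1):
    """Returns (|h^-1(z)|, honest opening accepted, opening to the other bit accepted)."""
    x = tuple(secrets.randbelow(2) for _ in range(n))
    hs = sample_hashes(n)
    zs, c = commit(b, x, hs)
    return len(preimages(n, hs, zs)), verify(x, b, hs, zs, c), verify(x, 1 - b, hs, zs, c)

if __name__ == "__main__":
    print(demo())
```

The n-1 queries are in echelon form, hence linearly independent over GF(2), which is why exactly two values of y stay consistent with the transcript.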

11 The NOVY Protocol cont. Observed by [HHKKMS05]:
Binding is guaranteed even when f is hard to invert over U_n: hard to find an inverse f^-1(y) for a uniformly chosen y ∈ {0,1}^n. Hiding is useful if h expects collisions w.r.t. Im(f) - when f(U_n) is dense in {0,1}^n.

12 [HHKKMS05,NOV06] use this observation when f(U_n) is sparse
About the size of Im(f). Im(f) h’ f h. Recall that the NOVY protocol is two-to-one over {0,1}^n, and therefore we expect no collision w.r.t. Im(f) and the hiding property would be meaningless. This additional hashing adds complications, first to the protocol and to the proof. Two-to-one “interactive” hash function. Non-interactive hashing.

13 Interactive Hashing for Sparse Sets
Can Interactive Hashing be applied directly to sparse sets? f h Im(f) About the size of Im(f)

14 Our Results
Holds w.r.t. sparse sets: Binding is guaranteed if f is hard w.r.t. the uniform distribution over Im(f) (in NOVY: hard to invert over {0,1}^n). Hiding is useful if h expects collisions w.r.t. Im(f), when f(U_n) is “close” to the uniform distribution over Im(f) (in NOVY: close to {0,1}^n). Allows a more general choice of hash functions. Improved parameters also w.r.t. the NOVY settings. Simpler proof. Applications to statistically-hiding string-commitment ...

15 Information-Theoretic IH
S holds y ∈ L, |L| << 2^n. R: h = (h1,...,h_{n-1}) ← H^{n-1}, Boolean pairwise-independent hash functions. Rounds: h1, z1 = h1(y); ...; h_{n-1}, z_{n-1} = h_{n-1}(y). Two-to-one hash function h, z = h(y). Consist(h1) = {y: h1(y) = z1}; Consist(h1,…,hk) = {y: ∀i h_i(y) = z_i}.
Hiding – The only information that R obtains about y is h(y).
Binding – Unbounded S cannot find (with non-negligible probability) y1 ≠ y2 ∈ L such that h(y1) = h(y2) = z.
First give motivation for the protocol. |L| << 2^(n/2); |L| > 2^(n/2); |L ∩ Consist(h1,…,hk)| << √|Consist(h1,…,hk)|.

16 Our protocol (variant of NOVY)
Im(f), f, h. Any family of Boolean pairwise-independent hash functions. S: x ← {0,1}^n, y = f(x). R: h = (h1,...,hk) ← H^k. Rounds: h1, z1 = h1(y); ...; hk, zk = hk(y). k ≈ log(|Im(f)|), about the size of Im(f).

17 Hiding
If R is semi-honest (follows the protocol), it obtains h(y) for a uniformly chosen h. If R is malicious, it obtains h(y) for an adaptively chosen h. In many settings (e.g., String-Commitment) we can force R to follow the protocol. Same as in NOVY, but there it is less harmful.

18 Binding
Main Theorem: Let A be an algorithm that breaks the binding of the protocol with probability >0. Then there exists an efficient algorithm M^A s.t. Pr_{y←Im(f)}[M^A(y) ∈ f^-1(y)] ∈ (2/n8). Comparing to previous results (Im(f) = {0,1}^n): [NOVY98] - (10/poly(n)); [NOV06] - (3/n6) *. Here - proof for the NOVY settings, i.e., Im(f) = {0,1}^n and the hashing is to {0,1}^{n-1}. Recall that these results were stated w.r.t…., we have [NOV] independent of our work

19 Algorithm A
R: h = (h1,...,h_{n-1}) ← H^{n-1}. A: z1 for h1, ..., z_{n-1} for h_{n-1}; outputs x1, x2. Pr[f(x1) ≠ f(x2) ∧ h(f(x1)) = h(f(x2)) = z] ≥  * z = (z1,...,z_{n-1})

20 M^A(y)
In order to succeed we need: y = f(x1) or y = f(x2) ⇒ we need ∀i h_i(y) = z_i; happens with negligible probability. M^A(y) as R: h = (h1,...,h_{n-1}) ← H^{n-1}; choose (h1,...,h_{n-1}) s.t. y is consistent. A: z1 for h1, ..., z_{n-1} for h_{n-1}; outputs x1, x2. Returns x1 or x2.

21 M^A on input y ∈ {0,1}^n
M^A on input y ∈ {0,1}^n:
  (h1,…,h_{n-ofs}) ← Searcher(y)
  Return Inverter(h1,…,h_{n-ofs})
  ofs ∈ O(log(1/)+ log(n))
Searcher(y):
  For i = 1 to n-ofs
    Do the following 2log(n) times:
      Choose uniformly at random h_i ∈ H
      If A(h1,...,h_i) = h_i(y), break the inner loop.
  Return h1,…,h_{n-ofs}
Inverter(h1,…,h_{n-ofs}):
  Choose h_{n-ofs+1},…,h_{n-1} uniformly in H
  (x1, x2) ← A_Dec(h1,…,h_{n-1})
  Return x1 or x2
For pedagogical reasons. We do not select all the hash functions in this way, but only of them, where we select the last hash function at random. Compare to NOVY.

22 Pictorial description of A
Consist_A(h1) = {y: h1(y) = A(h1)}. h1, h2, h3, ..., hk. Consist_A(h1,...,hk) = {y: ∀i h_i(y) = A(h1,...,hk)}

23 The evaluation of Searcher
y ∈ {0,1}^n; h1: y ∈ Consist_A(h1); h2, h3, ..., h_{n-ofs}: y ∈ Consist_A(h1,...,h_{n-ofs}). D_Real: (h,y) for y ← {0,1}^n, h ← Searcher(y). If Inverter does well on D_Real (i.e., the probability that Inverter(h) ∈ f^-1(y) is noticeable), then M^A inverts f well. Note that Searcher might fail; however, since it happens with small probability, we ignore it.

24 The Ideal dist.
D_Ideal: (h,y) for h ← H^{n-ofs}, y ← Consist_A(h). Inverter does well on D_Ideal: the distribution on (h1,…,h_{n-ofs}) is what A expects ⇒ A returns an element in f^-1(Consist_A(h1,…,h_{n-ofs})) with non-negligible probability; Consist_A(h1,…,h_{n-ofs}) is small. h1, h2, h3, ..., h_{n-ofs}; at random y ← Consist_A(h1,…,h_{n-ofs}).

25 Proof of Security
Inverter does well on D_Ideal. D_Ideal and D_Real are close. The statistical difference between D_Ideal and D_Real is larger than the success probability of Inverter on D_Ideal.

26 Refined Proximity Measure
Definition: D1 (,a)-approximates D2 if there exists Bad ⊆ sup(D1) s.t. D1(Bad) ≤ . For every x ∉ Bad, 1/a ≤ D1(x)/D2(x) ≤ a. Let T be an event s.t. D1[T] ≥ + non-negligible; then D2[T] ≥ non-negligible.

27 Proving Lemma 2: similar to the information-theoretic case
Lemma 1: D_Ideal (O(2/n3),81)-approximates D_Real. Lemma 2 (informal): Inverter does well on D_Ideal and its success probability does not depend on events of small probability. Proving Lemma 2: similar to the information-theoretic case.

28 Proving Lemma 1
Since our proximity measure is “well behaved”, it suffices to prove that Claim 1: (h,y) for h ← H, y ← Consist_A(h) (O(2/n3),1+4/n)-approximates (h,y) for y ← {0,1}^n, h ← H | y ∈ Consist_A(h). Proof: For almost any h ∈ H, (about) half of {0,1}^n is consistent with it. Almost any y ∈ {0,1}^n is consistent with (about) half of H.

29 Applications of The New Theorem to Bit-Commitment
Reproving (as an immediate corollary) the result of [HHKKMS05]: statistically-hiding BC from any regular / approximable-preimage-size OWF. Statistically-hiding BC from “One-sided approximable preimage-size one-way functions”. In particular: statistically-hiding BC from any one-way function with hardness 2(-nloglog(n)/log(n)) *. * Small O(loglog(n)) non-uniform advice.

30 One-sided approximable preimage-size OWF
Approximable preimage-size OWF: a OWF f for which it is possible to efficiently approximate Ď_f(y) = log|(f^-1(y))|. One-sided approximable preimage-size OWF: a OWF f for which there exist an efficient algorithm D and a polynomial p such that Pr[D(f(x)) ≈ Ď_f(f(x))] ≥ 1/p(n) (allows additive error which depends on the security parameter of f) and D(f(x)) ≤ Ď_f(f(x)) * (save for a small probability, smaller than 1/p(n)). * Or the opposite case.

31 Further issues
Linear reduction, or lower bound for the security of the reduction. Statistically-hiding bit-commitment from any OWF.

32 Thanks

33 Lemma 2
Lemma 2: Inverter does well on D_Ideal and its success probability does not depend on events of small probability. Consist_A(h1,...,h_{n-ofs}); L; {y: the probability that Inverter(h1,...,h_{n-ofs}) ∈ f^-1(y) is noticeable}; {y: the probability that A breaks the binding with y (conditioned on h1,...,h_{n-ofs}) is noticeable}.

