Quantum-security of commitment schemes and hash functions


1 Quantum-security of commitment schemes and hash functions
Dominique Unruh, University of Tartu

2 Surprises with hash functions
Consider a hash function and a horse race.
[Diagram labels: Player, Bookie; H("spicy spirit", ); “Spicy Spirit” wins…; 231632; $$$]
Commitments and hashes

3 Surprises with hash functions (II)
Consider a cheating player.
[Diagram labels: Player, Bookie; Some fake h; H("spicy spirit", ); “Walloping Waldo” wins…; r with H(wallop, r) = h; $$$]

4 Surprises with hash functions (III)
[Diagram labels: Player, Bookie]
- Classical crypto: H is collision-resistant (infeasible to find x, x′ with H(x) = H(x′))
- Consequence: Can open h to one horse only.
- Surprise: Does not hold for quantum adv (H might be coll.-res., and attack still works)

5 Surprises with hash functions (IV)
[Diagram labels: Player, Bookie; Some fake h; r with H(wallop, r) = h; |Ψ⟩; |Ψ⟩ used up!]
“Commitment”: A protocol that does not allow the player to change their mind. → This talk.

6 Commitments: scope of this talk
- Hiding and binding
- Hiding seems well understood
- Statistically vs. computationally binding
- Weaker assms, everlasting security
- Interactive vs. non-interactive
- For simplicity
- Secure against quantum attacks
- Classical protocols

7 Classical definitions
[Diagram labels: Commit: S, R, c; Open: m, u]
Computationally binding (classical-style): Hard to find c and m ≠ m′ and u, u′ s.t.:
- u opens c as m
- u′ opens c as m′
⟹ Adv. cannot change his mind

8 New definitions needed
- Classical def of computationally binding: “Walloping Waldo” attack still possible!
- Collision-resistance: Weaker than expected
- Stronger def? (NIST post-quantum competition?)
- Our proposal: “Collapse-binding” commitments
- Our proposal: “Collapsing” hash functions

9 Existing defs (binding)
Various prior def’s: Brassard, Crépeau, Damgård, Dumais, Fehr, Jozsa, Langlois, Lunemann, Mayers, Salvail, Schaffner
Various problems:
- Need trapdoors (or even UC)
- Rewinding proofs difficult
- No parallel composition
- Do not imply knowledge of message

10 Collapse-binding commitments
Adv. A outputs commitment c (classically), and valid openings m, u (in superposition)
Def: Collapse-binding = A cannot distinguish
[Diagram: two circuits separated by “or”, with labels A, |m⟩, |u⟩, c; one of them includes “measure”]

11 Why this def?
Intuition:
- Adversary cannot produce several openings in superposition
- If he could, he’d notice measurement
Formally:
- Weaker than “non-existence of two openings” (perfect)
- Stronger than “hard to find two openings” (class.-style), kind of…
[Diagram labels: A, |m⟩, |u⟩, c; “or”; measure]

12 Properties
- Perfect binding ⟹ collapse-binding ⟹ classical-style binding ✔
- Avoids “change of mind” ✔
- Composes in parallel ✔
- Rewinding friendly: gives ZK arguments of knowledge ✔
- Simple constructions from “collapsing” hashes ✔

13 Collapsing hash functions
Strengthening of “collision-resistance” for quantum setting
Adv. A outputs hash h (classically), and preimages m (in superposition)
Def: Collapsing = A cannot distinguish
[Diagram: two circuits separated by “or”, each with A and |m⟩; one labelled “Measure H(m)”, the other “Measure m”]
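The collapsing game from this slide, worked through as an exact state-vector calculation on a toy 3-qubit register. This is an added example, not part of the talk: `drop_top_bit`, `identity` and the Hadamard-based distinguisher are constructed for illustration. It shows an adversary telling "measure H(m)" from "measure m" with advantage 1/2 for a 2-to-1 function, and with advantage 0 for an injective one.

```python
import math

N_BITS = 3  # toy message space {0..7}; everything below is constructed for illustration

def drop_top_bit(m):
    """2-to-1 toy 'hash' (assumption): m and m+4 collide, so it is not collapsing."""
    return m & 0b011

def identity(m):
    """Injective toy function (assumption): measuring H(m) already fixes m."""
    return m

def preimage_superposition(H, h):
    """Adversary's register: uniform superposition over all m with H(m) = h."""
    pre = [m for m in range(2 ** N_BITS) if H(m) == h]
    amp = 1 / math.sqrt(len(pre))
    return [amp if m in pre else 0.0 for m in range(2 ** N_BITS)]

def hadamard_top_bit(state):
    """Apply a Hadamard gate to the most significant qubit of the register."""
    half, s = len(state) // 2, 1 / math.sqrt(2)
    out = [0.0] * len(state)
    for x in range(half):
        a0, a1 = state[x], state[x + half]
        out[x], out[x + half] = s * (a0 + a1), s * (a0 - a1)
    return out

def p_guess_measured(state):
    """Adversary's test: Hadamard the top bit, say 'm was measured' if it reads 1."""
    after = hadamard_top_bit(state)
    return sum(a * a for a in after[len(after) // 2:])

def distinguishing_advantage(H, h):
    """|Pr[guess | challenger measured m] - Pr[guess | challenger measured H(m)]|."""
    state = preimage_superposition(H, h)
    # Game "measure H(m)": the register only holds preimages of h,
    # so the outcome is h with certainty and the state is unchanged.
    p_hash = p_guess_measured(state)
    # Game "measure m": the state collapses to |m> with probability |a_m|^2;
    # average the adversary's output over those outcomes.
    p_full = 0.0
    for m, a in enumerate(state):
        basis = [1.0 if i == m else 0.0 for i in range(len(state))]
        p_full += a * a * p_guess_measured(basis)
    return abs(p_full - p_hash)

if __name__ == "__main__":
    print("drop_top_bit:", round(distinguishing_advantage(drop_top_bit, 0b10), 6))
    print("identity:    ", round(distinguishing_advantage(identity, 0b110), 6))
```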

14 Collapsing hash functions (ctd.)
- Simple “collapse-binding” commitments
- Statistically hiding
- Using collapsing hashes in existing constructions
- Drop in replacement for “collision-resistance”?
- Random oracle is a collapsing hash
- Suggestion: “Collapsing” required property for hashes
- e.g., NIST post-quantum crypto competition

15 Collapsing hash funs – constructions?
Lossy function (LF): Indistinguishable whether injective, or highly non-injective (“lossy”)
[Diagram labels: message … long … hash; LF; universal hash func; looks injective ⇒ is collapsing; injective on im(LF)]

16 Hashing long messages?
- Prior construction: Fixed compression factor (e.g., 2)
- For long messages: Merkle-Damgård
[Diagram labels: init vec; H, H, H, H; hash; msg 1, msg 2, msg 3, padding]

17 Summary
- Classical definitions for commitments & hashes: insufficient!
- New definitions: collapse-binding / collapsing
- Constructions from lossy functions / lattice-assumptions
- Question: Collapsing hashes from OWF / coll.-resistance?

18 I thank you for your attention
This research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

