Published by Allyson Borow, modified over 10 years ago.
Slide 1: Inaccessible Entropy
Iftach Haitner (Microsoft Research), Omer Reingold (Weizmann Institute), Hoeteck Wee (Queens College, CUNY), Salil Vadhan (Harvard University)
Slide 2: Outline
– Entropy
– Secrecy & Pseudoentropy
– Unforgeability & Inaccessible Entropy
– Applications
Slide 3: Entropy
Def: The Shannon entropy of a random variable $X$ is $H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$.
$H(X)$ = "bits of randomness in $X$ (on average)".
$0 \le H(X) \le \log|\mathrm{Supp}(X)|$: the lower bound is attained iff $X$ is concentrated on a single point, the upper bound iff $X$ is uniform on $\mathrm{Supp}(X)$.
Slide 4: Conditional Entropy
$H(X \mid Y) = \mathbb{E}_{y \leftarrow Y}[H(X \mid Y=y)]$.
Chain rule: $H(X,Y) = H(Y) + H(X \mid Y)$.
$H(X) - H(Y) \le H(X \mid Y) \le H(X)$.
$H(X \mid Y) = 0$ iff $\exists f$ such that $X = f(Y)$.
Slide 5: Worst-Case Entropy Measures
Min-entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$.
Max-entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$.
$H_\infty(X) \le H(X) \le H_0(X)$.
Slide 6: Outline (section: Secrecy & Pseudoentropy)
Slide 7: Perfect Secrecy & Entropy
Def [Sh49]: An encryption scheme $(\mathrm{Enc}, \mathrm{Dec})$ has perfect secrecy if for all $m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are identically distributed for a random key $K$.
Thm [Sh49]: Perfect secrecy $\Rightarrow |K| \ge n$ (the key must be at least as long as the message).
Slide 8: Perfect Secrecy $\Rightarrow |K| \ge n$
Proof: Perfect secrecy $\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv (U_n, \mathrm{Enc}_K(M))$ for independent $M, U_n \leftarrow \{0,1\}^n$
$\Rightarrow H(M \mid \mathrm{Enc}_K(M)) = n$.
Decryptability $\Rightarrow H(M \mid \mathrm{Enc}_K(M), K) = 0$
$\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$, because conditioning on $K$ removes at most $H(K)$ bits of uncertainty (the inequality $H(X) - H(Y) \le H(X \mid Y)$ of slide 4, applied with everything conditioned on $\mathrm{Enc}_K(M)$).
Combining: $n \le H(K) \le |K|$.
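Worked example (added here; it is not part of the original slides): the entropy measures of slides 3 to 5 and the argument of slides 7 and 8, computed exactly on a toy one-time pad. With a 3-bit key on 3-bit messages the pad is perfectly secret and $H(M \mid C) = n$; with a constructed 2-bit key stretched by repetition it is not perfectly secret, and $H(M \mid C)$ collapses to $H(K) = 2 < n$, which is exactly the bound the proof derives. The key-stretching rule and the tiny parameters are assumptions of the example, not anything the slides define.

```python
import math
from collections import Counter
from itertools import product

# --- Entropy measures (slides 3-5) ---

def shannon(dist):
    """Shannon entropy H(X) in bits; dist maps each outcome to its probability."""
    return sum(p * math.log2(1 / p) for p in dist.values() if p > 0)

def min_entropy(dist):
    """H_inf(X) = min_x log(1/Pr[X=x])."""
    return math.log2(1 / max(dist.values()))

def max_entropy(dist):
    """H_0(X) = log|Supp(X)|."""
    return math.log2(sum(1 for p in dist.values() if p > 0))

def marginal(joint, coords):
    """Marginal of a joint distribution over tuples, keeping the given coordinates."""
    out = Counter()
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in coords)] += p
    return out

def cond_entropy(joint, x_coords, y_coords):
    """H(X|Y) = H(X,Y) - H(Y), i.e. the chain rule of slide 4."""
    return shannon(marginal(joint, x_coords + y_coords)) - shannon(marginal(joint, y_coords))

# --- Shannon's bound (slides 7-8) on a one-time pad with a possibly short key ---

def otp_joint(n, key_bits):
    """Joint distribution of (M, K, C) for a one-time pad on n-bit messages.
    If key_bits < n the key is stretched by repeating it: a constructed,
    deliberately insecure rule, used only to watch Shannon's bound bite."""
    joint = Counter()
    for m in product((0, 1), repeat=n):
        for k in product((0, 1), repeat=key_bits):
            pad = tuple(k[i % key_bits] for i in range(n))
            c = tuple(mi ^ pi for mi, pi in zip(m, pad))
            joint[(m, k, c)] += 1 / (2 ** n * 2 ** key_bits)
    return joint

def perfectly_secret(joint):
    """Shannon's definition: Enc_K(m) is identically distributed for every m."""
    by_m = {}
    for (m, _k, c), p in joint.items():
        by_m.setdefault(m, Counter())[c] += p
    dists = list(by_m.values())
    ref = dists[0]
    return all(math.isclose(d[c], ref[c], abs_tol=1e-12)
               for d in dists for c in set(d) | set(ref))

def shannon_bound(n, key_bits):
    """Return (H(M|C), H(M|C,K), H(K)) for the pad with key_bits-bit keys.
    Perfect secrecy forces H(M|C) = n, decryptability forces H(M|C,K) = 0,
    and in every case H(M|C) <= H(K)."""
    j = otp_joint(n, key_bits)
    M, K, C = 0, 1, 2
    return (cond_entropy(j, (M,), (C,)),
            cond_entropy(j, (M,), (K, C)),
            shannon(marginal(j, (K,))))

if __name__ == "__main__":
    skewed = {"a": 0.5, "b": 0.25, "c": 0.25}
    print(min_entropy(skewed), shannon(skewed), max_entropy(skewed))  # 1.0 <= 1.5 <= log2(3)
    for kb in (3, 2):
        print(kb, perfectly_secret(otp_joint(3, kb)), shannon_bound(3, kb))
```

The 2-bit case is instructive: decryptability still gives $H(M \mid C, K) = 0$, but $H(M \mid C)$ is only 2 bits, so an eavesdropper seeing $C$ has narrowed the 8 possible messages down to 4, and the perfect-secrecy check fails.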
Slide 9: Computational Secrecy
Def [GM82]: $(\mathrm{Enc}, \mathrm{Dec})$ has computational secrecy if for all $m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are computationally indistinguishable.
$\Rightarrow$ can have $|K| \ll n$.
Slide 10: Where Shannon's Proof Breaks
Computational secrecy $\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv_c (U_n, \mathrm{Enc}_K(M))$ for $M, U_n \leftarrow \{0,1\}^n$
$\Rightarrow$ "$H_{\mathrm{pseudo}}(M \mid \mathrm{Enc}_K(M))$" $= n$.
Decryptability $\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.
Key point: the two quantities need not agree, since $H_{\mathrm{pseudo}}(X) \gg H(X)$ is possible, e.g. $X = G(U_k)$ for a PRG $G : \{0,1\}^k \to \{0,1\}^n$ (real entropy at most $k$, pseudoentropy $n$).
Slide 11: Pseudoentropy
Def [HILL90]: $X$ has pseudoentropy $\ge k$ iff there exists a random variable $Y$ such that
1. $Y \equiv_c X$
2. $H(Y) \ge k$
Slide 12: Application of Pseudoentropy
Thm [HILL90]: $\exists$ OWF $\Rightarrow \exists$ PRG.
Proof outline (each arrow is one transformation):
OWF $\xrightarrow{\text{hardcore bit [GL89] + hashing}}$ $X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$ $\xrightarrow{\text{repetitions}}$ $X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$ $\xrightarrow{\text{hashing}}$ PRG.
Slide 13: Outline (section: Unforgeability & Inaccessible Entropy)
Slide 14: Unforgeability
Crypto is not just about secrecy.
Unforgeability: security properties saying that it is hard for an adversary to generate "valid" messages.
– Unforgeability of MACs, digital signatures
– Collision resistance of hash functions
– Binding of commitment schemes
Slide 15: Ex: Collision-resistant Hashing
Collision-resistant hashing viewed as a two-party protocol, with $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$:
B: choose $F \leftarrow \mathcal{F}$, send $F$.
A: choose $X \leftarrow \{0,1\}^n$, send $Y = F(X)$, then send $X$.
Shrinking: $H(X \mid Y, F) \ge k$.
Collision resistance: from A's perspective, $X$ is determined by $Y, F$ $\Rightarrow$ "accessible" entropy 0.
Slide 16: Ex: Collision-resistant Hashing (cheating A*)
Same protocol, but a cheating A* tosses coins $S_1$ before sending $Y$ and coins $S_2$ before sending $X$.
Collision resistance: $\exists$ a function $\pi$ such that $X = \pi(F, Y, S_1)$ except with negligible probability.
Slide 17: Ex: Collision-resistant Hashing (cheating A*, invalid outputs allowed)
Collision resistance: $\exists$ a function $\pi$ such that $X \in \{\pi(F, Y, S_1)\} \cup \overline{F^{-1}(Y)}$, i.e. A* either outputs the single preimage it is committed to or outputs something that is not a preimage of $Y$ at all.
Slide 18: Measuring Accessible Entropy
Goal: a useful entropy measure that captures the possibility that $H_{\mathrm{acc}}(X) \ll H(X)$.
1st attempt: $X$ has accessible entropy at most $k$ if there is a random variable $Y$ such that
1. $Y \equiv_c X$
2. $H(Y) \le k$
Not useful! Every $X$ is indistinguishable from some $Y$ of entropy $\mathrm{polylog}(n)$.
Slide 19: Inaccessible Entropy
Idea: a protocol (A, B) has inaccessible entropy if
H(A's messages from B's point of view) [the real entropy] $>$ H(A*'s messages from A*'s point of view) [the accessible entropy].
Slide 20: Real Entropy
Protocol (A, B) with messages $B_1, A_1, B_2, A_2, \dots, B_m, A_m$ (B speaks first in each round).
Def: The real entropy of (A, B) is $\sum_i H(A_i \mid B_1, A_1, \dots, B_i)$.
Slide 21: Accessible Entropy
Same message pattern, with a cheating A* in place of A. What A* does at each round $i$:
– tosses coins $S_i$
– sends message $A_i$
– privately outputs a justification $W_i$ (e.g. coins of the honest A consistent with the transcript so far)
Slide 22: Accessible Entropy
Def: (A, B) has accessible entropy at most $k$ if for every PPT A*,
$\sum_i H(A_i \mid B_1, S_1, B_2, S_2, \dots, S_{i-1}, B_i) \le k$.
Remarks:
1. Needs adjustment in case A* outputs an invalid justification (here, assume A* never does).
2. An unbounded A* can achieve the real entropy.
Slide 23: Ex: Collision-resistant Hashing (real entropy)
Honest A: $X \leftarrow \{0,1\}^n$, $Y = F(X)$.
Real entropy $= H(Y \mid F) + H(X \mid Y, F) = H(X \mid F) = n$.
Slide 24: Ex: Collision-resistant Hashing (accessible entropy)
Cheating A* with coins $S_1$ (before $Y$) and $S_2$ (before $X$):
Accessible entropy $= H(Y \mid F) + H(X \mid F, S_1) \le (n-k) + \mathrm{neg}(n)$,
since $Y$ has only $n-k$ bits and, by collision resistance, $X$ is determined by $(F, Y, S_1)$ except with negligible probability.
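Worked example (added here; not code from the slides or the paper): the real and accessible entropies of slides 23 and 24 computed exactly for a constructed toy family, the surjective linear maps $F_R : \{0,1\}^6 \to \{0,1\}^4$ in systematic form. The family is shrinking but not collision resistant, and that is exactly what the example exposes: an A* that commits to $X$ up front reaches only $n - k$, while an A* that fixes $Y$ first and chooses which preimage to reveal later reaches the full real entropy $n$. Against a genuinely collision-resistant family the second strategy is infeasible, which is why the $n - k$ bound of slide 24 holds there. The parameters, the family and the two strategies are the example's own assumptions.

```python
import math
from collections import Counter
from itertools import product

N, K = 6, 2                      # F : {0,1}^N -> {0,1}^(N-K): shrinks by K bits
TAIL = (1 << K) - 1

def entropy(counts):
    """Shannon entropy (bits) of an empirical distribution given as a Counter."""
    tot = sum(counts.values())
    return -sum(c / tot * math.log2(c / tot) for c in counts.values())

def cond_entropy(pairs):
    """H(A|B) = H(A,B) - H(B) over a list of equally likely (a, b) outcomes."""
    return entropy(Counter(pairs)) - entropy(Counter(b for _, b in pairs))

# The family F is all linear maps in systematic form, F_R(x) = head(x) XOR R*tail(x),
# with R an (N-K) x K matrix over GF(2) stored as K column vectors (ints).
# Every F_R is 2^K-to-1 (shrinking), but collisions are trivial to find:
# a constructed toy standing in for a collision-resistant family.
FAMILY = list(product(range(1 << (N - K)), repeat=K))

def lin(R, t):
    """R * t over GF(2): XOR of the columns selected by the bits of t."""
    acc = 0
    for j, col in enumerate(R):
        if (t >> j) & 1:
            acc ^= col
    return acc

def F(R, x):
    return (x >> K) ^ lin(R, x & TAIL)

def preimage(R, y, t):
    """The unique preimage of y under F_R whose low K bits equal t."""
    return ((y ^ lin(R, t)) << K) | t

def real_entropy():
    """Honest A: X uniform, sends Y = F(X) then X.  H(Y|F) + H(X|Y,F)."""
    r1 = [(F(R, x), R) for R in FAMILY for x in range(1 << N)]
    r2 = [(x, (F(R, x), R)) for R in FAMILY for x in range(1 << N)]
    return cond_entropy(r1) + cond_entropy(r2)

def accessible_entropy(s1_bits, s2_bits, round1, round2):
    """Cheating A* with coins S1 (before Y) and S2 (before X).
    Accessible entropy = H(Y|F) + H(X|F,S1); every output must be a valid preimage."""
    r1, r2 = [], []
    for R in FAMILY:
        for s1 in range(1 << s1_bits):
            y = round1(R, s1)
            for s2 in range(1 << s2_bits):
                x = round2(R, s1, s2)
                assert F(R, x) == y, "A* produced an invalid justification"
                r1.append((y, R))
                r2.append((x, (R, s1)))
    return cond_entropy(r1) + cond_entropy(r2)

def committed_strategy():
    """A* that derives X from S1 and stays consistent: behaves like the honest A."""
    return accessible_entropy(N, 0, lambda R, s1: F(R, s1), lambda R, s1, s2: s1)

def collision_strategy():
    """A* that picks Y from S1 and only afterwards chooses, using S2, which
    preimage of Y to reveal.  Feasible here only because F_R is trivially invertible."""
    return accessible_entropy(N - K, K, lambda R, s1: s1, preimage)

if __name__ == "__main__":
    print("real entropy        ", real_entropy())        # n = 6
    print("accessible (commit) ", committed_strategy())  # n - k = 4
    print("accessible (collide)", collision_strategy())  # n = 6: no gap without collision resistance
```

The assertion inside `accessible_entropy` enforces the simplifying assumption of slide 22 (A* never outputs an invalid justification); the gap between the two strategies is the quantity that a collision-resistant family makes inaccessible to polynomial-time senders.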
Slide 25: Outline (section: Applications)
Slides 26–29: Commitment Schemes
Two parties, a sender S and a receiver R; S holds a message $m \in \{0,1\}^n$.
COMMIT STAGE: S and R interact; S keeps an opening key $K$.
REVEAL STAGE: S sends $(m, K)$; R outputs accept/reject.
Slide 30: Security of Commitments
Hiding (statistical or computational): COMMIT$(m)$ and COMMIT$(m')$ are indistinguishable, even to a cheating R*.
Binding (statistical or computational): even a cheating S* cannot reveal both $(m, K)$ and $(m', K')$ with $m \ne m'$.
Slide 31: Statistical Security?
Statistical hiding and statistical binding at the same time: impossible!
Slide 32: Statistical Binding
Thm [HILL90, Naor91]: One-way functions $\Rightarrow$ statistically binding commitments.
Slide 33: Statistical Hiding
Thm [HNORV07]: One-way functions $\Rightarrow$ statistically hiding commitments. (The known proof is too complicated!)
Slide 34: Our Results I
– A much simpler proof that OWF $\Rightarrow$ statistically hiding commitments, via accessible entropy.
– Conceptually parallels the [HILL90, Naor91] construction of PRGs and statistically binding commitments from OWF.
– A "nonuniform" version achieves optimal round complexity, $O(n/\log n)$ [HHRS07].
Slide 35: Our Results II
Thm: Assume one-way functions exist. Then
NP has constant-round parallelizable ZK proofs with "black-box simulation" $\Leftrightarrow$ constant-round statistically hiding commitments exist.
($\Leftarrow$ is due to [GK96, G01]; the novelty is $\Rightarrow$.)
Slide 36: Statistically Hiding Commitments & Inaccessible Entropy
S: $M \leftarrow \{0,1\}^n$. The COMMIT STAGE produces a commitment $C$ (S keeps $K$); in the REVEAL STAGE S sends $M$ (with $K$).
Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$.
Slide 37: Statistically Hiding Commitments & Inaccessible Entropy
Cheating S* with coins $S_1$ (commit stage) and $S_2$ (reveal stage).
Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$ (real entropy).
Computational binding: for every PPT S*, $H(M \mid C, S_1) = \mathrm{neg}(n)$ (accessible entropy).
Slide 38: OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof
OWF $\xrightarrow{\text{interactive hashing [NOVY92, HR07]}}$ (A, B) with real entropy $\ge$ accessible entropy $+ \log n$ $\xrightarrow{\text{repetitions}}$ (A, B) with real min-entropy $\ge$ accessible entropy $+ \mathrm{poly}(n)$ $\xrightarrow{\text{cut \& choose (interactive) hashing [DHRS07]}}$ "m-phase" commitment $\xrightarrow{+\ \text{UOWHFs [NY89, Rom90]}}$ statistically hiding commitment.
Slide 39: Cf. OWF $\Rightarrow$ Statistically Binding Commitment [HILL90, Nao91]
OWF $\xrightarrow{\text{hardcore bit [GL89] + hashing}}$ $X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$ $\xrightarrow{\text{repetitions}}$ $X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$ $\xrightarrow{\text{hashing}}$ PRG $\xrightarrow{\text{expand output \& translate}}$ statistically binding commitment.
Slide 40: OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof (the diagram of slide 38, shown again beside slide 39 for comparison)
Slide 41: OWF $\Rightarrow$ Inaccessible Entropy
Let $f : \{0,1\}^n \to \{0,1\}^m$ be a OWF.
A: $X \leftarrow \{0,1\}^n$, $Y = f(X)$.
B: choose linearly independent $B_1, \dots, B_m \leftarrow \{0,1\}^m$.
For $i = 1, \dots, m$: B sends $B_i$; A replies with the inner product $\langle B_i, Y \rangle$.
Finally A sends $X$.
Real entropy $= n$.
Can show: accessible entropy $\le n - \log n$.
Slide 42: Claim: Accessible Entropy $\le n - \log n$
For simplicity, assume $|f^{-1}(y)| = 2^k$ for all $y \in \mathrm{Im}(f)$, and let $t = n - k - 2\log n$.
Accounting for A*'s messages:
– rounds $1, \dots, t$ (the bits $\langle B_1, Y \rangle, \dots, \langle B_t, Y \rangle$): entropy $\le t = n - k - 2\log n$;
– rounds $t+1, \dots, m$: entropy $= \mathrm{neg}(n)$ (this is the claim);
– final message $X$: entropy $\le k$.
Slide 43: Claim: Accessible Entropy $\le n - \log n$
Same setup: $|f^{-1}(y)| = 2^k$ for all $y \in \mathrm{Im}(f)$, $t = n - k - 2\log n$.
Claim: after the first $t$ rounds there is at most one consistent $Y$ for which A* can produce a preimage (except with negligible probability).
Slide 44: Claim: Accessible Entropy $\le n - \log n$
$\mathrm{Im}(f)$ has $2^{n-k}$ elements; after $t = n - k - 2\log n$ rounds only about $2^{n-k}/2^t = n^2 = \mathrm{poly}(n)$ of them remain consistent with the transcript.
Interactive hashing theorems [NOVY92, HR07]: A* can "control" at most one consistent value, i.e. produce a preimage for at most one of the remaining $Y$'s (intuitively, an A* that could produce preimages of two consistent values could be used to invert $f$).
Slide 45: Claim: Accessible Entropy $\le n - \log n$
Summing the three parts: $\le t + \mathrm{neg}(n) + k = n - 2\log n + \mathrm{neg}(n)$.
The analysis holds whenever $|f^{-1}(Y)| \approx 2^k$; the choice of $k$ (one of $n$ possible values) contributes entropy $\le \log n$, which gives the final bound $n - \log n$.
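Worked example (added here; not code from the slides or the paper): the protocol of slide 41 run with a constructed $2^k$-regular stand-in for $f$ that is not one-way and serves only to make the bookkeeping exact and enumerable. It computes the per-round real entropy $\sum_i H(A_i \mid B_1, A_1, \dots, B_i)$ by enumerating every $X$, which is the honest-side accounting used on slides 42 to 45: each inner-product round contributes at most one bit, the $m$ linearly independent rounds together reveal $H(Y) = n - k$ bits, and $X$ contributes the remaining $k$, so the real entropy is $n$. The accessible-entropy bound concerns a cheating A* and is not simulated here. The toy $f$, the parameters and the RNG seed are the example's assumptions.

```python
import math
import random
from collections import Counter

N, K = 6, 2                    # f : {0,1}^N -> {0,1}^M, 2^K-regular
M = N

def f(x):
    """Constructed 2^K-regular stand-in for the one-way function: clear the low K
    bits, so every image has exactly 2^K preimages.  Trivially invertible; it is
    here only so the entropy accounting can be enumerated exactly."""
    return x & ~((1 << K) - 1)

def inner(b, y):
    """<b, y> over GF(2): parity of the bitwise AND."""
    return bin(b & y).count("1") & 1

def entropy(counts):
    tot = sum(counts.values())
    return -sum(c / tot * math.log2(c / tot) for c in counts.values())

def cond_entropy(pairs):
    """H(A|B) = H(A,B) - H(B) over equally likely (a, b) outcomes."""
    return entropy(Counter(pairs)) - entropy(Counter(b for _, b in pairs))

def independent(vectors):
    """Linear independence over GF(2): xor-reduce each vector against the pivots
    collected so far; a vector that reduces to zero is dependent."""
    pivots = {}
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                break
            v ^= pivots[hb]
        else:
            return False
    return True

def receiver_vectors(rng, count):
    """B's side: draw count linearly independent vectors B_1..B_count in {0,1}^M."""
    while True:
        vecs = [rng.getrandbits(M) for _ in range(count)]
        if independent(vecs):
            return vecs

def sender_transcript(x, vectors):
    """A's side: with Y = f(X), answer <B_i, Y> for each B_i, then reveal X."""
    y = f(x)
    return [inner(b, y) for b in vectors] + [x]

def real_entropy_per_round(vectors):
    """[H(A_i | B_1, A_1, ..., B_i)] for each of A's messages, B's vectors fixed,
    X uniform on {0,1}^N (exact: every X is enumerated)."""
    out = []
    for i in range(len(vectors) + 1):
        pairs = [(tr[i], tuple(tr[:i]))
                 for tr in (sender_transcript(x, vectors) for x in range(1 << N))]
        out.append(cond_entropy(pairs))
    return out

def run(seed=2009, count=M):
    """One protocol instance: B's vectors and A's per-round real entropy."""
    rng = random.Random(seed)
    vectors = receiver_vectors(rng, count)
    return vectors, real_entropy_per_round(vectors)

if __name__ == "__main__":
    vectors, rounds = run()
    print("B's vectors:", [format(b, f"0{M}b") for b in vectors])
    print("per-round real entropy:", [round(h, 3) for h in rounds])
    # The M inner-product rounds carry H(Y) = N - K bits in total and X adds K more,
    # so the real entropy sums to N whichever independent vectors B chose.
    print("total:", sum(rounds))
```

Some inner-product rounds come out at exactly 0 bits: once the vectors sent so far already determine $\langle B_i, Y \rangle$ on $\mathrm{Im}(f)$ (here, any $B_i$ whose projection onto the high $n - k$ coordinates is spanned by earlier ones), that round reveals nothing new about $Y$, which is why the per-round bound is "$\le 1$" rather than "$= 1$" on slide 42.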
Slide 46: Conclusion
Complexity-based cryptography is possible because of gaps between real and computational entropy.
– Secrecy: pseudoentropy $>$ real entropy.
– Unforgeability: accessible entropy $<$ real entropy.
What else can we do with inaccessible entropy?
Slide 47: Research Directions
– Remove the "parallelizable" condition from the ZK result.
– Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.
– Formally unify statistical hiding and statistical binding.
Slide 48: Benefit of Statistical Hiding
In most protocols that use commitments:
Binding is only required during protocol execution
– depends on the adversary's current capabilities
– safe to be computational
Hiding may matter long after execution
– the adversary may gain computational resources
– the hardness assumption may be broken
– statistical hiding $\Rightarrow$ "everlasting secrecy"
Slide 49: Example: Zero Knowledge for NP [Goldreich-Micali-Wigderson86]
(Figure: the prover P commits to a 3-coloring of a 6-vertex graph; the verifier V picks an edge, e.g. (1,4), and P opens the commitments on its endpoints.)
Hiding $\Rightarrow$ zero knowledge
– the verifier learns nothing other than $x \in L$
Binding $\Rightarrow$ soundness
– the prover cannot convince the verifier if $x \notin L$
Corollary: One-way functions $\Rightarrow$ statistical zero-knowledge "arguments" for NP.