1

A NewA New Interactive Interactive HashingHashing TheoremTheorem

Iftach HaitnerIftach Haitner and Omer Reingoldand Omer Reingold

WEIZMANNINSTITUTEOF SCIENCE

2

Talk PlanTalk Plan• What is Interactive Hashing

• Applications of Interactive Hashing

• The new theorem

• Applications of the new theorem

• About the proof

3

SS

Interactive Hashing[NOVY91]Interactive Hashing[NOVY91]

f h

xÃ{0,1}n, y=f(x)

RRhÃH

Hiding – The only information that R R obtains about y is h(y).

Binding- Eff. S S cannot find x1, x2 such thatf(x1)f(x2) and h(f(x1)) = h(f(x2)) = z.

Easy

|Easy|=2¾n

h

z = h(y)

One-way permutation:• eff. computable• hard to invert: hard to find

f-1(f(x)) for xÃ{0,1}n.h z=h(y)

Two-to-one hash function

4

Statistically-Hiding Statistically-Hiding CommitmentCommitment

S S RRCommit-stage

yy2 {0,1}n

5

Statistically-Hiding Statistically-Hiding Commitment cont.Commitment cont.

Reveal-stageSS RR

yy

6

Statistically-Hiding Statistically-Hiding Commitment cont.Commitment cont.

Hiding – RR does not obtain non-negligible information about y during the commit-stage.

Binding – Eff. SS cannot decommit into two different values (with non-neg. probability).

In interactive hashing RR only obtains h(y)

Same as in interactive hashing

7

S S (b(b2 {0,1}))

IH (NOVY) to Bit-CommitmentIH (NOVY) to Bit-Commitment

xÃ{0,1}n, y=f(x)

RRhÃH

z = h(y)

h

Let {y0,y1} = h-1(z) sorted lexicographically and let be the index of y (i.e., y= y)

c = b©

Commit stage:

Reveal stage:(x,b) h(f(x)) = z

and c = b©

8

SS

String-Commitment to IHString-Commitment to IH

xÃ{0,1}n, y=f(x)

RR

hÃHz = h(y)

h

Com. to y

9

Applications of Interactive Applications of Interactive HashingHashing

• Perfectly-hiding cmt. from owp [NOVY98]

• Statistically-hiding cmt. from regular/ appx.-preimage-size owf [HHKKMS05]

• Statistical zk argument from any owf [NOV06]

• Statistically-hiding cmt. from any OWF [HR06]

• “Information theoretic” ih, applications[OVY91,CCM98,DHRS04,CS06,NV06,...]

10

The NOVY IH ProtocolThe NOVY IH Protocol• A “more interactive” version of the

naïve (semi-honest) protocol.

• A particular family of two-to-one hash functions.

• Assuming that f is a OWP, the protocol satisfies both hiding and binding.

h(x) = h1(x),...,hn-1(x), where hi = 0i-1 1 {0,1}n-i

hi(x) = <hi,x>2.

11

The NOVY Protocol cont.The NOVY Protocol cont.

Observed by [HHKKMS05]:• Binding is guaranteed even when f is hard to

invert over Un:

hard to find an inverse f-1(y) for a uniformly chosen y2{0,1}n.

• Hiding is useful if h expects collisions w.r.t. Im(f) - when f(Un) is dense in {0,1}n

12

hfIm(f)

About the size of Im(f)

• [HHKKMS05,NOV06] use this observation when f(Un) is sparse

h’

Two-to-one “interactive”hash function

Non-interactive hashing

13

Interactive Hashing for Sparse SetsInteractive Hashing for Sparse Sets

hfIm(f)

About the size of Im(f)

• Can interactive hashing be applied directly to sparse sets?

14

Our ResultsOur Results• Holds w.r.t. sparse sets:

– Binding is guaranteed if f is hard w.r.t the uniform distribution over Im(f)

– Hiding is useful if h expects collisions w.r.t. Im(f) - when f(Un) is “close” to the uniform dis. over Im(f)

• Allows a more general choice of hash functions

• Improved parameters also w.r.t. the NOVY settings

• Simpler proof

In NOVY- hard to invert over {0,1}n

In NOVY- close to {0,1}n

15

Applications of The New Applications of The New Theorem to Bit-CommitmentTheorem to Bit-Commitment

• Reproving (as an immediate corollary) the result of [HHKKMS05]: Statistical commitment from any regular/ Appx.-preimage-size owf.

• Might simplify current constructions of statistical zk argument and statistical commitment from any owf.

16

L

Information-Theoretic IHInformation-Theoretic IH

z = h(y)

hSSy2 L

RRhÃH

Hiding – The only information that R R obtains about y is h(y).

Binding- Unbounded S S cannot find (with non-neg probability) y1y22 L such that h(y1) = h(y2) = z.

h

|L| << 2n/2 ? |L| > 2n/2

|LÅConsist(h1,…,hk)| << √|Consist(h1,…,hk)|

h = (h1,...,hn-1 ) ÃH n-1

z1 = h1(y)

h1

zn-1 = hn-1(y)

hn-1

Two-to-one hash function

Boolean pairwise-independent hash

functions

|L| << 2n

Consist(h1,…,hk)={y: 8i hi(y)=zi}

Consist(h1)={y: h1(y)=z1}

17

Our protocol (variant of NOVY)Our protocol (variant of NOVY)

RRh = (h1,...,hk ) ÃH

kz1 = h1(y)

h1

zk = hk(y)

hk

hfIm(f)

About the size of Im(f)

SSxÃ{0,1}n,

y=f(x)

Any family of Booleanpairwise-independent

hash functions

kw log(|Im(f)|)

18

HidingHiding

• If RR is semi-honest (follows the protocol) it obtains h(y) for a uniformly chosen h

• If RR is malicious, it obtains h(y) for an adaptively chosen h

• In many settings (e.g., commitment schemes) we can force RR to follow the protocolSame as in NOVY, but

there it is less harmful

19

BindingBindingMain Theorem: Let A be an alg. that breaks

the binding of the protocol with probability . Then there exists an eff. alg. MA s.t PryÃIm(f)[MA(y)2 f-1(y)]2 (2/n8)

Comparing to previous results (Im(f)= {0,1}n):• [NOVY98] - (10/poly(n))• [NOV06] - (3/n6)

* Here - proof for the NOVY settings, i.e., Im(f) = {0,1}n and the hashing is to {0,1}n-1

20

z1

h1

zn-1

hn-1

A

Outputs x1, x2

RRh = (h1,...,hn-1 ) ÃH

n-1

Algorithm Algorithm AA

Pr[f(x1)f(x2) Æ h(f(x1)) = h(f(x2)) = z] ¸

* z = (z1,...,zn-1 )

21

z1

h1

zn-1

hn-1

A

MA(y)

RRh = (h1,...,hn-1 ) ÃH

kn-

1

Returns x1 or x2

In order to success we need:y=f(x1) or y=f(x2)

! we need 8i hi(y) = zi happens with neg. probability

Choose (h1,...,hn-1 ) s.t. y is consistent

Outputs x1, x2

22

MA on input y2 {0,1}n:1. (h1,…, hn-ofs) Ã Searcher(y)

2. Return Inverter(h1,…, hn-ofs)

ofs2O(log(1/)+ log(n))

Inverter(h1,…, hn-ofs)1. Choose hn-ofs+1,…,hn-1 uniformly in H

2. (x1, x2) Ã ADec(h1,…, hn-1)

3. Return x1 or x2

Searcher(y):1. For i = 1 to n-ofs Do the following 2log(n) times:

• Choose uniformly at random hi2H

• If A(h1,...,hi) = hi(y), break the inner loop.

2. Return h1,…, hn-ofs

23

...

ConsistA(h1,...,hk) = {y: 8i hi(y) =A(h1,...,hk)}

{0,1}n

h1h2

h3

ConsistA(h1) = {y: h1(y) = A(h1)}

Pictorial description of Pictorial description of AA

hk

24

h1h2

h3

The evaluation of The evaluation of SearcherSearchery2{0,1}n

y2ConsistA(h1)

n-ofs

y2ConsistA(h1,...,hn-ofs)

hn-ofs DReal

(h,y)yÃ{0,1}n,hÃSearcher(y)

If Inverter does well on DReal (i.e., prob. Inverter(h)2f-1(y) is noticeable) then MA

inverts f well

25

h1h2

h3

The Ideal dist.The Ideal dist.

n-ofs hn-ofs DIdeal

(h,y)hÃHn-ofs

,yÃConsistA

(h)

At random

Inverter does well on DIdeal

• The distribution on (h1,…,hn-fs) is what A expects

! A returns element in f-1(ConsistA(h1,…,hn-ofs)) with non-negligible probability

• ConsistA(h1,…,hn-ofs) is small

yÃConsistA(h1,…,hn-ofs)

26

Proof of SecurityProof of Security

• Inverter does well on DIdeal

• DIdeal and DReal are close.

The statistical diff. between DIdeal and DReal

is larger than the success probability of Inverter on DIdeal

27

Refined Proximity MeasureRefined Proximity Measure

Definition: D1 (,a)-approximates D2, if there exists Bad µ sup(D1), s.t.

– D1(Bad) · .

– For every x Bad 1/a · D1(x)/D2(x) · a.

Let T be an event s.t. D1[T] ¸ + non-neg then, D2[T] ¸ non-neg

28

Lemma 1 DIdeal (O(2/n3),81)-approximates DReal.

Lemma 2 (informal)Inverter does well on DIdeal and its success probability does not depend on event of small probability

Proving Lemma 2: similar to the information-theoretic case

29

ProvingProving Lemma 1Lemma 1Since our proximity measure is “well

behaved”, it suffices to prove thatClaim 1: (h,y)hÃH,yÃConsist

A(h) (O(2/n3),1+4/n)-approx.

(h,y)yÃ{0,1}n,h ÃH | y2Consist

A(h)

Proof:

1. For almost any h2H, (about) half of {0,1}n is consistent with it

2. Almost any y2{0,1}n is consistent with (about) half of H

30

Further issuesFurther issues

• Linear reduction, or lower bound for the security of the reduction

• Give simpler construction for statistical zk and statistical commitment schemes from owf.

31

Thanks

32

L

ConsistA(h1,...,hn-ofs)

{y: prob. Inverter(h1,...,hn-ofs)2f-1(y) is noticeable}

Lemma 2 : Inverter does well on DIdeal and its success prob. does not depend on event of small probability

{y: probability that A breaks the binding with y (conditioned on

h1,...,hn-ofs) is noticeable}