1
Finding Collisions in Interactive Protocols:
A Tight Lower Bound on the Round Complexity of
Statistically-Hiding Commitments
Iftach Haitner, Jonathan Hoch, Omer Reingold and
Gil Segev
2
Talk Outline
  • Statistically-hiding commitments
  • Black-box lower bounds
  • Our lower bound on the round complexity of
    statistically-hiding commitments
  • Other lower bounds (Private Information
    Retrieval, Oblivious Transfer, Interactive
    Hashing)

3
Statistically-hiding Commitments
  • The digital analogue of a sealed envelope.
  • Major ingredient in statistical ZKA, secure
    computation, and
  • Two-stage protocol between S and R:
      • Commit-stage: S commits to x without revealing it
        to R.
      • Reveal-stage: S opens the commitment.
  • Security properties:
      • Computationally-binding: an efficient S cannot
        decommit to two different values.
      • Statistically-hiding: an unbounded R does not
        learn x during the commit stage.

4
Applications of SH-Commitments
  • In settings where some commitments are never
    revealed, guarantees everlasting security.
  • Statistical zero-knowledge arguments.
  • Coin-flipping protocols.
  • In some settings, a general transformation for
    protocols with statistical security:
    semi-honest model $\to$ malicious model

5
Known Constructions
  • [NY 89, DPP 93]: Collision-resistant hash
    functions (CRHF), two rounds
  • [NOVY 91]: One-way permutations (OWP),
    $O(n/\log n)$ rounds
  • [NOV 06, HR 06]: One-way functions (OWF),
    poly(n) rounds

CRHF: a family of efficiently computable, compressing
functions that are collision resistant.
OWP: efficiently computable permutations that are hard
to invert.
6
Impossibility Results
  • Are the previous constructions optimal?
  • Usually it is very difficult to come up with
    unconditional impossibility results.
  • Discrete log is hard
    $\Rightarrow$ CRHF exists
    $\Rightarrow$ OWP implies two-round SH-commitment in a
    trivial sense.

7
Black Box Reductions
  • In their seminal work Impagliazzo and Rudich
    presented a paradigm for proving impossibility
    results under a restricted, yet important, class
    of reductions called black-box reductions.
  • Quite a few black-box separation results, e.g.,
    no key-agreement from one-way functions.

8
(Fully) Black-Box Reductions
  • A fully black-box reduction from B to A:
      • Black-box construction.
      • Black-box proof of security.
  • Proof of security: adversary for breaking B
    $\Rightarrow$ adversary for breaking A
  • Fully black-box reductions relativize (hold
    relative to every oracle).

9
Black-Box Reductions (cont.)
  • Most constructions in cryptography are (fully)
    black-box, e.g., pseudorandom generator from OWF.
  • Few non black-box techniques that apply in
    restricted settings (typically using ZK proofs).
  • Black-box separations are (still) very meaningful.

10
Previous results
  • [Fischlin 02]: In any BB-reduction from
    SH-commitment to OWP (or to TDP), the commitment
    has at least two rounds.
  • [Wee 06]: In any BB-reduction from a restricted
    type of SH-commitment to OWP defined over $\{0,1\}^n$,
    the commitment has $\Omega(n/\log n)$ rounds.

11
Our Results
  • In any BB-reduction from SH-commitment to OWP
    defined over $\{0,1\}^n$, the commitment has
    $\Omega(n/\log n)$ rounds and the sender communicates
    $\Omega(n)$ bits.
  • Remarks:
      • Can be generalized.
      • The bounds for the number of rounds are tight, and
        the bounds for the number of bits communicated are
        tight for bit commitments.
      • Assuming that the permutation is s(n)-hard, the
        bounds are $\Omega(n/\log s(n))$ and $\Omega(n)$, resp.
      • Also for trapdoor permutations.
      • Also for honest receiver and for weakly-binding
        commitment schemes.

12
Our Results (cont)
  • Additional lower bounds:
      • Interactive Hashing
      • Statistical oblivious transfer
      • Single-server private information retrieval
  • Additional contributions:
      • A novel extension of the [Gennaro-Trevisan 01]
        short description paradigm
      • A new proof of [Simon 98] (no BB-reduction from
        CRHF to OWP)

13
The Proof
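  • $\exists$ PPT with oracle access to Sam that breaks the
    binding of any $o(n/\log n)$-round SH-commitment.
  • $\forall$ PPT A: $\Pr_{\pi}[A^{\pi,\mathrm{Sam}} \text{ inverts } \pi] = \mathrm{negl}$
  • $\Rightarrow$ No BB-reduction from $o(n/\log n)$-round SH-cmt
    to OWP defined over $\{0,1\}^n$.

[Figure: an imaginary world containing Sam and a random permutation $\pi\colon \{0,1\}^n \to \{0,1\}^n$; label: "Impossible"]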
14
The rest of the talk
  • Define Sam and show how to use it for breaking
    any $o(n/\log n)$-round SH-commitment.
  • Prove that $\pi$ is (still) one-way in the presence
    of Sam.

15
Defining Sam (two rounds cmt.)
[Diagram: two-round commitment between sender $S(b,r)$ and receiver R, with a commit stage and a reveal stage; in the reveal stage R accepts if $S(b,r)$ is consistent with the commit stage. Annotation: $S(b,(r_1,r_2))$, $y = \pi(r_2)$.]

First attempt: $\mathrm{Sam}(q,a)$ returns a random pair $(b,r)$ s.t. $S(b,r,q) = a$.
  • (S,R) is statistically hiding $\Rightarrow$ b is uniformly
    distributed in $\{0,1\}$ $\Rightarrow$ Sam can be used to break
    the binding of (S,R).
  • Problem: Sam can be used to invert $\pi$.
  • Simon, Fischlin: $\mathrm{Sam}(q)$ returns two random
    pairs, $(b,r)$ and $(b',r')$, s.t. $S(b,r,q) = S(b',r',q)$.
  • Sam can still be used to break the binding of (S,R).
  • Not clear how to use Sam to invert a specific y.
16
Defining Sam (general case)
  • Life is not that simple
  • Sam inverts any SH-commitment
  • limit the number of queries Sam answers.
  • Forcing restrictions (Sam is stateless!)
  • the user keeps the state.
  • use signature schemes.
  • 1. Announce $q_1$. 2. $(b_1,r_1) \leftarrow \mathrm{Sam}$ (where $(b_1,r_1)$
    is uniformly dist.). 3. Answer $a_1 = S(b_1,r_1,q_1)$.
  • 1. Announce $q_2$. 2. $(b_2,r_2) \leftarrow \mathrm{Sam}$ (where $(b_2,r_2)$ is
    random s.t. $S(b_2,r_2,q_1) = S(b_1,r_1,q_1)$). 3. Answer
    $a_2 = S(b_2,r_2,q_1,q_2)$.
  • Reveal stage:
  • $(b_{k+1},r_{k+1}) \leftarrow \mathrm{Sam}$. Thus, $\Pr[b_k \neq b_{k+1}] \approx 1/2$.
  • The two-round case oracle: Simon revisited
  • Announce q to Sam
  • $(b,r) \leftarrow \mathrm{Sam}$, where $(b,r)$ is uniformly chosen.
  • $(b',r') \leftarrow \mathrm{Sam}$, where $(b',r')$ is randomly chosen
    s.t. $S(b,r,q) = S(b',r',q)$.

First attempt: $\mathrm{Sam}(q_1,\dots,q_k)$ returns two random
pairs $(b,r)$ and $(b',r')$ s.t. $S(b,r,q_1,\dots,q_k) = S(b',r',q_1,\dots,q_k)$.
Problem: w.h.p., both $(b,r)$ and $(b',r')$ are inconsistent
with $(a_1,\dots,a_k)$.
17
Defining Sam (more formally)
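  • Let $C, C_{\text{next}}\colon \{0,1\}^m \to \{0,1\}^{*}$ be circuits with $\pi$
    gates.
  • $\mathrm{Sam}(C_{\text{next}}, C, w)$:
      • Return $w' \leftarrow \{x \in \{0,1\}^m : C(x) = C(w)\}$ (if $C = \bot$,
        return $w' \leftarrow \{0,1\}^m$).
  • Preventing Sam from inverting $\pi$:
      • Sam answers only if it previously answered
        $(C, C_{\text{prev}}, \cdot)$ with $w$.
      • Limited interaction depth.
      • We enforce the above using signature schemes.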
18
Defining Sam (cont)
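[Figure: tree of Sam queries and answers of depth $d(n)$, where $d \in o(n/\log n)$. Nodes shown:
  $(C_1,\bot,\bot) \to w_1$; $(C_8,\bot,\bot) \to w$; $(C_{56},\bot,\bot) \to w$;
  $(C_2,C_1,w_1) \to w_2$; $(C_3,C_1,w_1) \to w_3$;
  $(C_4,C_2,w_2) \to w_4$; $(C_5,C_3,w_3) \to w_5$;
  $(C_7,C_5,w_5) \to w_7$; $(C_6,C_5,w_5) \to w_6$.]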
19
Defining Sam (last)
  • Let $C_i$ be the circuit naturally defined by S and
    $q_1,\dots,q_i$ ($C_i(b,r)$ outputs $S(b,r,q_1,\dots,q_i)$'s
    answers).
  • For all $i$:
      • $(b_i,r_i) \leftarrow \mathrm{Sam}(C_i, C_{i-1}, b_{i-1}, r_{i-1})$
      • $a_i \leftarrow C_i(b_i,r_i)$
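
The chained use of Sam defined on the slides above, as an added toy example (not code from the talk). Assumptions: the sender `S` is a made-up hash-based function over a 10-bit input, the receiver messages are fixed in advance, Sam is a brute-force sampler, and the signature-based enforcement and depth limit are left out; `circuit`, `break_binding` and `differing_bit_rate` are hypothetical names.

```python
import hashlib
import random

M = 10  # w encodes (b, r): low bit b plus 9 random bits (toy size, constructed)

def S(w, qs):
    """Toy sender: one 2-bit answer per receiver message, on input w = (b, r)."""
    return tuple(hashlib.sha256(f"{w}|{q}".encode()).digest()[0] & 3 for q in qs)

def circuit(qs):
    """C_i from the slides: maps w = (b, r) to the sender's answers to q_1..q_i."""
    return lambda w: S(w, qs)

def sam(c_next, c, w, rng):
    """Sam(C_next, C, w): uniform w' with C(w') = C(w); uniform w' when C is bottom.
    c_next is only carried along: the slides use it for the signature-based checks,
    which this sketch leaves out."""
    if c is None:
        return rng.randrange(2 ** M)
    target = c(w)
    return rng.choice([x for x in range(2 ** M) if c(x) == target])

def break_binding(qs, rng):
    """Play the commit stage with Sam's help, then query once more for a second opening."""
    c_prev, w = None, None
    for i in range(1, len(qs) + 1):
        c_i = circuit(qs[:i])
        w = sam(c_i, c_prev, w, rng)   # (b_i, r_i), consistent with a_1..a_{i-1}
        c_prev = c_i
    transcript = c_prev(w)             # a_1..a_k as seen by the receiver
    w_alt = sam(None, c_prev, w, rng)  # (b_{k+1}, r_{k+1}), same transcript
    return transcript, w, w_alt

def differing_bit_rate(trials=200, seed=7):
    """Fraction of runs in which the two consistent openings carry different bits b."""
    rng, differ = random.Random(seed), 0
    for _ in range(trials):
        qs = [rng.getrandbits(32) for _ in range(3)]
        transcript, w, w_alt = break_binding(qs, rng)
        assert S(w, qs) == transcript == S(w_alt, qs)
        differ += (w & 1) != (w_alt & 1)
    return differ / trials
```

Both openings always match the transcript, and their committed bits differ in roughly half of the runs, which is the binding break the slides describe.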

20
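$\pi$ is Still One-way in the Presence of Sam
Thm: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y)] = \mathrm{negl}$.
$A^{\pi,\mathrm{Sam}}(y)$ hits if it queries $w' \leftarrow \mathrm{Sam}(C_{\text{next}},C,w)$ and $C(w')$ queries $\pi$ on $\pi^{-1}(y)$.
Lemma 1: $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \text{ and does not hit}] = \mathrm{negl}$. Using an extension of [Gennaro-Trevisan 01].
Lemma 2: $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) \text{ hits}] = \mathrm{negl}$. We prove that $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) \text{ hits}] > \mathrm{negl}$ $\Rightarrow$ $\exists A'$ s.t. $\Pr_{\pi,y}[A'^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \text{ and does not hit}] > \mathrm{negl}$.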
21
Gennaro-Trevisan Thm.
  • Theorem [GT 01] (informal): A random permutation
    is hard even for exponential size circuits.
  • Main Lemma: Let A be a circuit making q queries
    to a permutation $\pi\colon \{0,1\}^n \to \{0,1\}^n$ s.t.
    $\Pr_y[A^{\pi}(y) = \pi^{-1}(y)] \geq \varepsilon$; then $\pi$ has a short
    description (of length $K = 2\log\binom{2^n}{a} + \log((2^n - a)!)$,
    where $a = \varepsilon 2^n/(q+1)$).
  • Proving the thm:
      • Let A be a circuit of size $2^{n/5}$
      • $\Rightarrow$ A inverts w.p. $2^{-n/5}$ a tiny fraction of the
        $\pi$'s ($< 2^{-n}$)
22
The proof of GT Lemma - The Short Description of $\pi$
  • Carefully chosen $Y \subseteq \{y : A^{\pi}(y) = \pi^{-1}(y)\}$, $X = \pi^{-1}(Y)$
  • $|Y| = |X| = \varepsilon 2^n/(q+1)$
  • The desc. of $\pi$ is the desc. of X, Y and the
    values of $\pi$ over $\{0,1\}^n \setminus X$ (and thus indeed of
    size K).
  • Reconstruction: go over all $y \in Y$ in lex. order,
    simulate A(y) to get $x = A(y)$ and set $\pi(x) = y$.
  • Y is chosen s.t.
      • all the queries made by $A^{\pi}(y)$ to $\pi$ are already
        defined.
      • Except for the possibility that $A^{\pi}(y)$ queries $\pi$
        on $\pi^{-1}(y)$, but then you have found $\pi^{-1}(y)$.
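
The encoding and reconstruction from the two Gennaro-Trevisan slides above, as an added toy example (not code from the talk). Assumptions: the domain is $\{0,1\}^8$, the inverter `inverter` is a made-up circuit that probes Q points, Y is picked greedily in lexicographic order, and all function names are hypothetical.

```python
import random

N, Q = 256, 16          # toy domain {0,1}^8 and query budget (constructed values)

def inverter(oracle, y):
    """Toy A^pi(y): probe Q points chosen from y, return a preimage if one is hit."""
    for i in range(Q):
        x = (37 * y + i) % N
        if oracle(x) == y:
            return x
    return None

def run(lookup, y):
    """Run A on y against `lookup`, recording every point it queries."""
    seen = []
    def oracle(x):
        seen.append(x)
        return lookup(x)
    return inverter(oracle, y), seen

def encode(pi):
    """Return (Y, pi restricted to the complement of X, number of inverted y)."""
    pool = {y for y in range(N) if run(pi.__getitem__, y)[0] is not None}
    n_good, Y = len(pool), []
    while pool:
        y = min(pool)                       # lexicographic order
        Y.append(y)
        _, seen = run(pi.__getitem__, y)
        pool -= {pi[x] for x in seen}       # answers A saw (y included) never join Y later
    X = {pi.index(y) for y in Y}
    rest = {x: pi[x] for x in range(N) if x not in X}
    return Y, rest, n_good

def decode(Y, rest):
    """Rebuild pi from Y and the explicit values, simulating A for each y in Y."""
    table = dict(rest)
    for y in Y:                             # Y is already in increasing order
        # An undefined query can only be pi^-1(y): all other answers are in
        # `rest` or were rebuilt for an earlier element of Y.
        x, _ = run(lambda q: table.get(q, y), y)
        table[x] = y
    return [table[x] for x in range(N)]

def demo(seed=1):
    pi = list(range(N))
    random.Random(seed).shuffle(pi)         # stand-in for a random permutation
    Y, rest, n_good = encode(pi)
    return pi, Y, rest, n_good
```

The keys of `rest` determine X as their complement, so `decode` needs only Y and the explicit values; each greedy step discards at most Q candidates, which gives the $|Y| \geq (\text{number of inverted } y)/(q+1)$ bound.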

23
Proving Lemma 1
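  • Lemma 1: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \text{ and no hit}] < 2^{-\Omega(n)}$.
  • We show that:
      • $\forall$ fixing of A's and Sam's random coins, $\forall \pi$:
        $\Pr_y[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \text{ and no hit}] > \varepsilon$
        $\Rightarrow$ $\pi$ has a short description.
      • $\Rightarrow$ For any choice of A's and Sam's random coins,
        $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \text{ and no hit}] < 2^{-\Omega(n)}$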
24
Proving Lemma 1 (cont)
$\mathrm{Sam}(C_{\text{next}},C,w)$: Go over $\{0,1\}^m$ in a fixed order,
return the first $w'$ that satisfies $C(w') = C(w)$.
  • Idea: apply GT to $A^{\mathrm{Sam}}$.
  • Problem: $A^{\mathrm{Sam}}$ makes too many queries to $\pi$.
  • Solution: when defining Y, only care that the
    queries in the evaluation of $C(w)$ and $C(w')$ are
    defined.
  • Reconstruction: when simulating Sam(C) (embedded
    in $A^{\pi,\mathrm{Sam}}(y)$), we find the first $w'$ s.t. all the
    calls of $C(w')$ to $\pi$ are already defined and
    $C(w') = C(w)$.
  • Problem: $C(w')$ might query $\pi$ on $\pi^{-1}(y)$.
  • A is non-hitting!
25
From Hitting to Non Hitting (a simple case)
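  • Lemma 2: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}} \text{ hits}] = \mathrm{negl}$
  • Idea: hitting A $\Rightarrow$ non-hitting $A'$ that inverts $\pi$
  • Let $\pi$ be fixed, and assume that A only makes two
    queries $w_1 \leftarrow \mathrm{Sam}(C_1,\bot,\bot)$ and $w_2 \leftarrow \mathrm{Sam}(C_2,C_1,w_1)$.
  • A hits if $C_1(w_2)$ queries y.
  • $w_2$ is uniformly dist. in $\{0,1\}^m$
  • $\Rightarrow$ $\Pr_y[C_1(U_m) \text{ queries } y] = \Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}]$
  • $A'$ acts as A, but queries $C_1(U_m)$ before calling
    Sam.
  • $\Rightarrow$ $\Pr_y[A'^{\pi,\mathrm{Sam}} = \pi^{-1}(y) \text{ and no hit}] \geq \Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}]$
  • $\Rightarrow$ $\Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}] = \mathrm{negl}$

$\mathrm{Sam}(C_{\text{next}},C,w)$: $w' \leftarrow \{x \in \{0,1\}^m : C(x) = C(w)\}$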
26
From Hitting to Non Hitting (general case)
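  • $\Pr_y[A^{\mathrm{Sam},\pi}(y) \text{ hits}] > 1/p(n)$
  • $\mathrm{hit}_i = \Pr[C_{i-1}(w_i) \text{ queries } y]$
  • $A'$ evaluates $C_{i-1}(w_{i-1})$ before it calls
    $\mathrm{Sam}(C_i,C_{i-1},w_{i-1})$,
  • $\mathrm{inv}_i = \Pr[C_{i-1}(w_{i-1}) \text{ queries } y]$
  • Wlog $\mathrm{hit}_2$ is exp. small
  • $d(n) \in o(n/\log n)$
  • $\sum_i \mathrm{hit}_i > 1/p(n)$
  • $\Rightarrow$ $\exists j$ s.t. $\mathrm{hit}_j > \max\{p^2(n) \sum_{i<j} \mathrm{hit}_i,\ t\}$
  • Claim: $\mathrm{hit}_j$ is large $\Rightarrow$ $\mathrm{inv}_j$ is large.
  • $\Rightarrow$ $(\mathrm{inv}_j - \sum_{i<j} \mathrm{hit}_i) > t/2$
  • $\Rightarrow$ $\Pr_y[A'^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \text{ and no hit}] > t/2$

$\mathrm{Sam}(C_i,C_{i-1},w_{i-1})$: $w_i \leftarrow \{x \in \{0,1\}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})\}$
$2^{-n/8}$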
27
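$\mathrm{hit}_j$ is large $\Rightarrow$ $\mathrm{inv}_j$ is large
  • We prove that $\forall i$: $\mathrm{Ex}[\mathrm{hit}_i] = \mathrm{inv}_i$.
  • $\mathrm{inv}_i = \Pr[C_{i-1}(w_{i-1}) \text{ queries } y]$
  • $\mathrm{hit}_i = \Pr[C_{i-1}(w_i) \text{ queries } y]$
  • Sampling $w_{i-1}$:
      • $w_{i-1} \leftarrow \{w : C_{i-2}(w) = C_{i-2}(w_{i-2})\}$
  • Sampling $w_i$:
      • Sample $w_{i-1}$
      • $S = \{w : C_{i-1}(w) = C_{i-1}(w_{i-1})\}$
      • $w_i \leftarrow S$
  • $\mathrm{hit}^S_i = \Pr_{w \leftarrow S}[C_{i-1}(w) \text{ queries } y]$
  • $\mathrm{inv}_i = \sum_S \Pr[S] \cdot \Pr[C_{i-1}(w_{i-1}) \text{ queries } y \mid S]$
    $= \sum_S \Pr[S] \cdot \mathrm{hit}^S_i = \mathrm{Ex}[\mathrm{hit}_i]$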
28
Additional Results
  • Similar proof (same Sam) $\Rightarrow$ in any construction of
    the above, the sender communicates $\Omega(n)$ bits
  • Give a BB-reduction from low-communication PIR to
    SH-commitment, where the sender communicates
    ?(log n) additional bits.
  • $\Rightarrow$ No BB-construction from OWP (and from TDP) to
    low-communication PIR.
29
Concluding Remarks
  • In any BB-reduction from SH-commitment to OWP
    defined over $\{0,1\}^n$, the commitment has
    $\Omega(n/\log n)$ rounds and the sender communicates
    $\Omega(n)$ bits.
  • Sam breaks the binding w.h.p. $\Rightarrow$ no weakly-binding
    commitment.
  • Did not use the fact that the receiver might
    deviate from the protocol.
  • $\Rightarrow$ The bound holds for protocols secure only
    against honest receivers.
  • The extension to TDP is not very hard.
30
Open Questions
  • We showed that in any BB-reduction from OWP
    defined over $\{0,1\}^n$ to statistically-hiding bit
    commitment, the sender communicates $\Omega(n)$ bits.
  • Tighter bounds for commitment of many bits
    imply tighter bounds for PIR.
  • Using our extension to Gennaro-Trevisan to prove
    other black-box separation results.