Title: Finding Collisions in Interactive Protocols: A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments
Slide 1: Finding Collisions in Interactive Protocols: A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments
Iftach Haitner, Jonathan Hoch, Omer Reingold and Gil Segev
Slide 2: Talk Outline
- Statistically-hiding commitments
- Black-box lower bounds
- Our lower bound on the round complexity of statistically-hiding commitments
- Other lower bounds (Private Information Retrieval, Oblivious Transfer, Interactive Hashing)
Slide 3: Statistically-hiding Commitments
- The digital analogue of a sealed envelope.
- Major ingredient in statistical ZKA, secure computation, and ...
- Two-stage protocol between S and R:
  - Commit stage: S commits to x w/o revealing it to R.
  - Reveal stage: S opens the commitment.
- Security properties:
  - Computationally binding: an efficient S cannot decommit to two different values.
  - Statistically hiding: an unbounded R does not learn x during the commit stage.
Slide 4: Applications of SH-Commitments
- In settings where some commitments are never revealed, guarantees everlasting security:
  - Statistical zero-knowledge arguments.
  - Coin-flipping protocols.
- In some settings: a general transformation for protocols with statistical security from the semi-honest model to the malicious model.
Slide 5: Known Constructions
- [NY 89, DPP 93] Collision-resistant hash functions (CRHF): two rounds.
- [NOVY 91] One-way permutations (OWP): $O(n/\log n)$ rounds.
- [NOV 06, HR 06] One-way functions (OWF): $\mathrm{poly}(n)$ rounds.
CRHF: a family of efficiently computable, compressing functions that are collision resistant.
OWP: efficiently computable permutations that are hard to invert.
Slide 6: Impossibility Results
- Are the previous constructions optimal?
- Usually it is very difficult to come up with unconditional impossibility results:
  - Discrete log is hard
  - $\Rightarrow$ CRHF exists
  - $\Rightarrow$ OWP implies two-round SH-commitment in a trivial sense.
Slide 7: Black-Box Reductions
- In their seminal work, Impagliazzo and Rudich presented a paradigm for proving impossibility results under a restricted, yet important, class of reductions called black-box reductions.
- Quite a few black-box separation results, e.g., no key agreement from one-way functions.
Slide 8: (Fully) Black-Box Reductions
- A fully black-box reduction from B to A:
  - Black-box construction.
  - Black-box proof of security: adversary for breaking B $\Rightarrow$ adversary for breaking A.
- Fully black-box reductions relativize (hold relative to every oracle).
Slide 9: Black-Box Reductions (cont.)
- Most constructions in cryptography are (fully) black-box, e.g., pseudorandom generator from OWF.
- Few non-black-box techniques that apply in restricted settings (typically using ZK proofs).
- Black-box separations are (still) very meaningful.
Slide 10: Previous Results
- [Fischlin 02] In any BB-reduction from SH-commitment to OWP (or to TDP), the commitment has at least two rounds.
- [Wee 06] In any BB-reduction from a restricted type of SH-commitment to OWP defined over $\{0,1\}^n$, the commitment has $\Omega(n/\log n)$ rounds.
Slide 11: Our Results
- In any BB-reduction from SH-commitment to OWP defined over $\{0,1\}^n$, the commitment has $\Omega(n/\log n)$ rounds and the sender communicates $\Omega(n)$ bits.
- Remarks:
  - Can be generalized.
  - The bound on the number of rounds is tight, and the bound on the number of bits communicated is tight for bit commitments.
  - Assuming that the permutation is $s(n)$-hard, the bounds are $\Omega(n/\log s(n))$ and $\Omega(n)$ resp.
  - Also for trapdoor permutations.
  - Also for honest receivers and for weakly-binding commitment schemes.
Slide 12: Our Results (cont.)
- Additional lower bounds:
  - Interactive hashing
  - Statistical oblivious transfer
  - Single-server private information retrieval
- Additional contributions:
  - A novel extension of the [Gennaro-Trevisan 01] short-description paradigm.
  - A new proof of [Simon 98] (no BB-reduction from CRHF to OWP).
Slide 13: The Proof
- $\exists$ PPT with oracle access to Sam that breaks the binding of any $o(n/\log n)$-round SH-commitment.
- $\forall$ PPT A: $\Pr[A^{\pi,\mathrm{Sam}} \text{ inverts } \pi] = \mathrm{negl}$
- $\Rightarrow$ No BB-reduction from $o(n/\log n)$-round SH-commitment to OWP defined over $\{0,1\}^n$.
[Figure: an imaginary world containing the oracle Sam and a random permutation $\pi:\{0,1\}^n \to \{0,1\}^n$; SH-commitment in $o(n/\log n)$ rounds is impossible there, yet $\pi$ stays one-way.]
Slide 14: The Rest of the Talk
- Define Sam and show how to use it for breaking any $o(n/\log n)$-round SH-commitment.
- Prove that $\pi$ is (still) one-way in the presence of Sam.
Slide 15: Defining Sam (two-round commitment)
[Figure: two-round commitment. Commit stage: R sends q, S(b,r) answers a = S(b,r,q); a variant sender S(b,(r1,r2)) whose answer includes y = $\pi$(r2) illustrates the problem below. Reveal stage: R accepts if S(b,r) is consistent with the commit stage.]
- First attempt: Sam(q,a) returns a random pair (b,r) s.t. S(b,r,q) = a.
  - (S,R) is statistically hiding $\Rightarrow$ b is uniformly distributed in $\{0,1\}$ $\Rightarrow$ Sam can be used to break the binding of (S,R).
  - Problem: Sam can be used to invert $\pi$ (ask it for a preimage of a transcript whose answer contains y = $\pi$(r2) and read off r2).
- [Simon, Fischlin] Sam(q) returns two random pairs, (b,r) and (b',r'), s.t. S(b,r,q) = S(b',r',q).
  - Sam can still be used to break the binding of (S,R).
  - Not clear how to use Sam to invert a specific y.
Slide 16: Defining Sam (general case)
- Life is not that simple:
  - Sam inverts any SH-commitment $\Rightarrow$ limit the number of queries Sam answers.
  - Forcing restrictions (Sam is stateless!): the user keeps the state; use signature schemes.
- The two-round case (Simon's oracle revisited):
  - Announce q to Sam.
  - $(b,r) \leftarrow \mathrm{Sam}$, where $(b,r)$ is uniformly chosen.
  - $(b',r') \leftarrow \mathrm{Sam}$, where $(b',r')$ is randomly chosen s.t. $S(b',r',q) = S(b,r,q)$.
- First attempt for k rounds: $\mathrm{Sam}(q_1,\ldots,q_k)$ returns two random pairs $(b,r)$ and $(b',r')$ s.t. $S(b,r,q_1,\ldots,q_k) = S(b',r',q_1,\ldots,q_k)$.
  - Problem: w.h.p. both $(b,r)$ and $(b',r')$ are inconsistent with the answers $(a_1,\ldots,a_k)$ the sender already gave.
- Instead, let Sam choose the sender's coins round by round:
  1. Announce $q_1$. 2. $(b_1,r_1) \leftarrow \mathrm{Sam}$ (where $(b_1,r_1)$ is uniformly distributed). 3. Answer $a_1 = S(b_1,r_1,q_1)$.
  1. Announce $q_2$. 2. $(b_2,r_2) \leftarrow \mathrm{Sam}$ (where $(b_2,r_2)$ is random s.t. $S(b_2,r_2,q_1) = S(b_1,r_1,q_1)$). 3. Answer $a_2 = S(b_2,r_2,q_1,q_2)$.
  ...
  - Reveal stage: $(b_{k+1},r_{k+1}) \leftarrow \mathrm{Sam}$ (random s.t. $S(b_{k+1},r_{k+1},q_1,\ldots,q_k) = S(b_k,r_k,q_1,\ldots,q_k)$). Thus $\Pr[b_k \ne b_{k+1}] \approx 1/2$.
Slide 17: Defining Sam (more formally)
- Let $C, C_{next}: \{0,1\}^m \to \{0,1\}^*$ be circuits with $\pi$ gates.
- $\mathrm{Sam}(C_{next}, C, w)$:
  - Return $w' \leftarrow \{x \in \{0,1\}^m : C(x) = C(w)\}$ (if $C = \bot$, return $w' \leftarrow \{0,1\}^m$).
- Preventing Sam from inverting $\pi$:
  - Sam answers only if it previously answered $(C, C_{prev}, \cdot)$ with $w$.
  - Limited interaction depth.
- We enforce the above using signature schemes.
Slide 18: Defining Sam (cont.)
[Figure: the tree of Sam queries. Roots are fresh queries $(C_1,\bot,\bot) \to w_1$, $(C_8,\bot,\bot) \to w$, $(C_{56},\bot,\bot) \to w$; every other query extends an earlier answer, e.g. $(C_2,C_1,w_1) \to w_2$, $(C_3,C_1,w_1) \to w_3$, $(C_4,C_2,w_2) \to w_4$, $(C_5,C_3,w_3) \to w_5$, $(C_6,C_5,w_5) \to w_6$, $(C_7,C_5,w_5) \to w_7$. The depth of the tree is bounded by $d(n) \in o(n/\log n)$.]
Slide 19: Defining Sam (last)
- Let $C_i$ be the circuit naturally defined by S and $q_1,\ldots,q_i$ ($C_i(b,r)$ outputs the answers $S(b,r,q_1,\ldots,q_i)$).
- For all i:
  - $(b_i,r_i) \leftarrow \mathrm{Sam}(C_i, C_{i-1}, (b_{i-1},r_{i-1}))$
  - $a_i \leftarrow C_i(b_i,r_i)$ (its last answer is the sender's i-th message)
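The chained attack of the last four slides, as an added runnable example that is not code from the paper. Everything concrete in it is an assumption: a toy k-round scheme in which the sender answers the low t bits of $\pi(r_i \oplus q_i \oplus b\cdot 2^{n-1})$, tiny parameters ($n=4$, $k=3$) so that Sam can be brute-forced, circuits $C_i$ identified by the receiver queries $(q_1,\ldots,q_i)$ that define them, and a MAC under Sam's own key standing in for the signature scheme that ties each query to one of Sam's earlier answers and caps the chain depth at d. It runs the commit stage with Sam choosing $(b_i,r_i)$ consistent with the transcript so far, checks that both openings pass the receiver's reveal-stage check, and shows Sam refusing a query whose state it did not issue or whose chain is too deep.

```python
# Toy model of Sam and the chained binding attack: an added illustration, not the
# paper's code.  The scheme, the parameters and the MAC-based enforcement of Sam's
# restrictions are all assumptions made for the demonstration.
import hashlib
import hmac
import random


def random_permutation(n, seed):
    """A random permutation pi on {0,1}^n, standing in for the OWP."""
    rng = random.Random(seed)
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


class ToyCommitment:
    """Constructed k-round scheme: w = (b, r_1..r_k) packed into m = 1 + k*n bits; in
    round i the receiver sends q_i and the sender answers the low t bits of
    pi(r_i ^ q_i ^ b*2^(n-1)).  Hiding is exact (pi is a permutation, r_i is fresh);
    binding only costs a collision in the truncated pi, which is all we need here."""

    def __init__(self, pi, n, k, t):
        self.pi, self.n, self.k, self.t = pi, n, k, t
        self.m = 1 + k * n
        self.rmask, self.amask = (1 << n) - 1, (1 << t) - 1

    def answers(self, w, qs):
        """The circuit C_i: the sender's answers a_1..a_i to q_1..q_i."""
        b, out = w & 1, []
        for i, q in enumerate(qs):
            r_i = (w >> (1 + i * self.n)) & self.rmask
            out.append(self.pi[r_i ^ q ^ (b << (self.n - 1))] & self.amask)
        return tuple(out)


class Sam:
    """Sam(C_next, C, w): a uniform w' with C(w') = C(w), or uniform in {0,1}^m if C is
    None.  C_i is identified by (q_1..q_i).  Sam keeps no state: each answer carries a
    MAC over (depth, C_next, w') that the next query must present, and chains deeper
    than d are refused (the slides use signatures; since Sam both issues and verifies,
    a MAC under its own key is the same check)."""

    def __init__(self, scheme, d, seed):
        self.scheme, self.d = scheme, d
        self.rng = random.Random(seed)
        self.key = hashlib.sha256(b"sam-key-%d" % seed).digest()

    def _tag(self, depth, circ, w):
        return hmac.new(self.key, repr((depth, circ, w)).encode(), hashlib.sha256).digest()

    def query(self, c_next, c=None, w=None, tag=None):
        if c is None:
            w_new = self.rng.randrange(1 << self.scheme.m)
        else:
            depth = len(c)
            if depth >= self.d or tag is None or not hmac.compare_digest(tag, self._tag(depth, c, w)):
                raise PermissionError("Sam: not a continuation of one of my own answers")
            target = self.scheme.answers(w, c)          # brute-force the collision class of w
            same = [x for x in range(1 << self.scheme.m) if self.scheme.answers(x, c) == target]
            w_new = self.rng.choice(same)
        return w_new, self._tag(len(c_next), c_next, w_new)


def receiver_accepts(scheme, qs, transcript, w):
    """Reveal stage: R recomputes the answers from the opening (b, r)."""
    return scheme.answers(w, qs) == transcript


def break_binding(scheme, sam, qs):
    """Cheating sender: Sam picks (b_i, r_i) consistent with the transcript so far in
    every round, then supplies a second opening (b_{k+1}, r_{k+1}) at reveal time."""
    w, tag = sam.query(c_next=qs[:1])                               # (b_1, r_1) uniform
    transcript = [scheme.answers(w, qs[:1])[-1]]
    for i in range(2, scheme.k + 1):
        w, tag = sam.query(c_next=qs[:i], c=qs[:i - 1], w=w, tag=tag)  # C_{i-1}(w_i) = C_{i-1}(w_{i-1})
        transcript.append(scheme.answers(w, qs[:i])[-1])
    w_last, _ = sam.query(c_next=qs, c=qs, w=w, tag=tag)            # collision on the full transcript
    return tuple(transcript), w, w_last


def attack_success_rate(n=4, k=3, t=2, trials=32, seed=1):
    """Fraction of runs whose two accepted openings disagree on b (about 1/2: exactly
    half of the openings of any transcript in this scheme have b = 0)."""
    scheme = ToyCommitment(random_permutation(n, seed), n, k, t)
    rng, distinct = random.Random(seed + 1), 0
    for trial in range(trials):
        sam = Sam(scheme, d=k + 1, seed=seed + 100 + trial)
        qs = tuple(rng.randrange(1 << n) for _ in range(k))         # honest receiver's queries
        transcript, w1, w2 = break_binding(scheme, sam, qs)
        if not (receiver_accepts(scheme, qs, transcript, w1) and receiver_accepts(scheme, qs, transcript, w2)):
            raise AssertionError("an opening was rejected")
        distinct += (w1 & 1) != (w2 & 1)
    return distinct / trials


def sam_enforces_restrictions(n=4, k=3, t=2, seed=1):
    """Returns (forged state rejected, over-deep chain rejected)."""
    scheme = ToyCommitment(random_permutation(n, seed), n, k, t)
    qs, sam = tuple(range(k)), Sam(scheme, d=k, seed=seed)      # d one short of what the attack needs
    w, tag = sam.query(c_next=qs[:1])
    try:
        sam.query(c_next=qs[:2], c=qs[:1], w=w ^ 1, tag=tag)        # tag was issued for w, not w ^ 1
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    try:
        break_binding(scheme, sam, qs)                              # its reveal query is link k+1 > d
        depth_rejected = False
    except PermissionError:
        depth_rejected = True
    return forged_rejected, depth_rejected
```

Because $\pi$ is a permutation and each $r_i$ is fresh, exactly half of the openings consistent with any transcript of this toy scheme carry $b=0$, so the two openings Sam hands back disagree in about half of the runs whatever the receiver asks; for a real scheme the same count is what statistical hiding supplies. Note that Sam never needs $C_{next}$ to sample: it is only bound into the MAC so that the next query must continue the chain it was issued for, which is exactly the restriction the next slides rely on when arguing that $\pi$ stays one-way.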
Slide 20: $\pi$ is Still One-way in the Presence of Sam
- Thm: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y)] = \mathrm{negl}$.
- $A^{\pi,\mathrm{Sam}}(y)$ hits if it queries $w' \leftarrow \mathrm{Sam}(C_{next}, C, w)$ and $C(w')$ queries $\pi$ on $\pi^{-1}(y)$.
- Lemma 1: $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \wedge \text{does not hit}] = \mathrm{negl}$. Proved using an extension of [Gennaro-Trevisan 01].
- Lemma 2: $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) \text{ hits}] = \mathrm{negl}$. We prove that $\Pr_{\pi,y}[A^{\mathrm{Sam},\pi}(y) \text{ hits}] > \mathrm{negl}$ $\Rightarrow$ $\exists A'$ s.t. $\Pr_{\pi,y}[A'^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \wedge \text{does not hit}] > \mathrm{negl}$.
Slide 21: Gennaro-Trevisan Thm.
- Theorem [GT 01] (informal): A random permutation is hard even for exponential-size circuits.
- Main Lemma: Let A be a circuit making q queries to a permutation $\pi:\{0,1\}^n \to \{0,1\}^n$ s.t. $\Pr_y[A^\pi(y) = \pi^{-1}(y)] \ge \varepsilon$; then $\pi$ has a short description, of length $K = 2\log\binom{2^n}{a} + \log((2^n - a)!)$, where $a = \varepsilon 2^n/(q+1)$.
- Proving the thm:
  - Let A be a circuit of size $2^{n/5}$.
  - $\Rightarrow$ A inverts w.p. $2^{-n/5}$ only a tiny fraction ($< 2^{-n}$) of the $\pi$'s.
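The counting step behind the last bullet, written out as an added worked derivation that is not on the slides, with the slide's parameters $q = 2^{n/5}$, $\varepsilon = 2^{-n/5}$ and $N = 2^n$:

$$
\begin{aligned}
\log(N!) - K &= \log\frac{N!}{(N-a)!} - 2\log\binom{N}{a} = \log(a!) - \log\binom{N}{a} \\
&\ge a\log\frac{a}{e} - a\log\frac{eN}{a} = a\log\frac{a^2}{e^2 N},
\end{aligned}
$$

using $a! \ge (a/e)^a$ and $\binom{N}{a} \le (eN/a)^a$. The fixed circuit A together with a description of length $K$ determines $\pi$, so at most $2^K$ of the $N!$ permutations are inverted by A with probability $\varepsilon$, a fraction

$$
\frac{2^K}{N!} \le 2^{-a\log\frac{a^2}{e^2 N}} = \left(\frac{e^2 N}{a^2}\right)^{a}.
$$

With $a = \varepsilon N/(q+1) \approx 2^{3n/5}$ this is $\left(e^2 2^{-n/5}\right)^{2^{3n/5}} = 2^{-2^{3n/5}\,(n/5 - 2\log e)}$, which is far below $2^{-n}$ as soon as $n/5$ exceeds $2\log e \approx 2.9$ by a constant.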
Slide 22: The Proof of the GT Lemma: the Short Description of $\pi$
- Carefully chosen $Y \subseteq \{y : A^\pi(y) = \pi^{-1}(y)\}$, $X = \pi^{-1}(Y)$
  - $|Y| = |X| = \varepsilon 2^n/(q+1)$
- The description of $\pi$ is the description of X, Y and the values of $\pi$ over $\{0,1\}^n \setminus X$ (and thus indeed of size K).
- Reconstruction: go over all $y \in Y$ in lexicographic order, simulate A(y) to get $x = A(y)$ and set $\pi(x) = y$.
- Y is chosen s.t.:
  - all the queries made by $A^\pi(y)$ to $\pi$ are already defined,
  - except for the possibility that $A^\pi(y)$ queries $\pi$ on $\pi^{-1}(y)$, but then you have found $\pi^{-1}(y)$.
Slide 23: Proving Lemma 1
- Lemma 1: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \wedge \text{no hit}] < 2^{-\Omega(n)}$.
- We show that:
  - $\forall$ fixing of A's and Sam's random coins, $\forall \pi$:
  - $\Pr_y[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \wedge \text{no hit}] > \varepsilon$
  - $\Rightarrow \pi$ has a short description.
- $\Rightarrow$ For any choice of A's and Sam's random coins,
  - $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \wedge \text{no hit}] < 2^{-\Omega(n)}$
Slide 24: Proving Lemma 1 (cont.)
- $\mathrm{Sam}(C_{next}, C, w)$ with its coins fixed: go over $\{0,1\}^m$ in a fixed order and return the first $w'$ that satisfies $C(w') = C(w)$.
- Idea: apply GT to $A^{\mathrm{Sam}}$.
- Problem: $A^{\mathrm{Sam}}$ makes too many queries to $\pi$ (Sam's search evaluates C, and hence $\pi$, on many inputs).
- Solution: when defining Y, only care that the queries in the evaluations $C(w)$ and $C(w')$ are defined.
- Reconstruction: when simulating $\mathrm{Sam}(C)$ (embedded in $A^{\pi,\mathrm{Sam}}(y)$), we find the first $w'$ s.t. all the calls of $C(w')$ to $\pi$ are already defined and $C(w') = C(w)$.
- Problem: $C(w')$ might query $\pi$ on $\pi^{-1}(y)$.
  - A is non-hitting!
Slide 25: From Hitting to Non-Hitting (a simple case)
- Lemma 2: $\forall$ PPT A, $\Pr_{\pi,y}[A^{\pi,\mathrm{Sam}} \text{ hits}] = \mathrm{negl}$.
- Idea: hitting A $\Rightarrow$ non-hitting A' that inverts $\pi$.
- Let $\pi$ be fixed, and assume that A only makes two queries, $w_1 \leftarrow \mathrm{Sam}(C_1, \bot, \bot)$ and $w_2 \leftarrow \mathrm{Sam}(C_2, C_1, w_1)$.
  - A hits if $C_1(w_2)$ queries y (i.e. queries $\pi$ on $\pi^{-1}(y)$).
  - $w_2$ is uniformly distributed in $\{0,1\}^m$ ($w_1$ is uniform and $w_2$ is uniform in $w_1$'s collision class).
  - $\Rightarrow \Pr_y[C_1(U_m) \text{ queries } y] = \Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}]$
- A' acts as A, but evaluates $C_1(U_m)$ itself before calling Sam (and outputs $\pi^{-1}(y)$ if that evaluation queries it).
  - $\Rightarrow \Pr_y[A'^{\pi,\mathrm{Sam}}(y) = \pi^{-1}(y) \wedge \text{no hit}] \ge \Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}]$
  - $\Rightarrow \Pr_y[A^{\pi,\mathrm{Sam}} \text{ hits}] = \mathrm{negl}$ (by Lemma 1)
- Recall $\mathrm{Sam}(C_{next}, C, w) = w' \leftarrow \{x \in \{0,1\}^m : C(x) = C(w)\}$.
Slide 26: From Hitting to Non-Hitting (general case)
- $\Pr_y[A^{\mathrm{Sam},\pi}(y) \text{ hits}] > 1/p(n)$
- $\mathrm{hit}_i := \Pr[C_{i-1}(w_i) \text{ queries } y]$
- A' evaluates $C_{i-1}(w_{i-1})$ itself before it calls $\mathrm{Sam}(C_i, C_{i-1}, w_{i-1})$; $\mathrm{inv}_i := \Pr[C_{i-1}(w_{i-1}) \text{ queries } y]$
- Wlog $\mathrm{hit}_2$ is exponentially small.
- $d(n) \in o(n/\log n)$
- $\sum_i \mathrm{hit}_i > 1/p(n)$
- $\Rightarrow \exists j$ s.t. $\mathrm{hit}_j > \max\{p^2(n)\cdot\sum_{i<j}\mathrm{hit}_i,\; t\}$, with $t = 2^{-n/8}$
- Claim: $\mathrm{hit}_j$ is large $\Rightarrow$ $\mathrm{inv}_j$ is large.
- $\Rightarrow (\mathrm{inv}_j - \sum_{i<j}\mathrm{hit}_i) > t/2$
- $\Rightarrow \Pr_y[A'^{\mathrm{Sam},\pi}(y) = \pi^{-1}(y) \wedge \text{no hit}] > t/2$
- Here $\mathrm{Sam}(C_i, C_{i-1}, w_{i-1})$ returns $w_i \leftarrow \{x \in \{0,1\}^m : C_{i-1}(x) = C_{i-1}(w_{i-1})\}$.
Slide 27: $\mathrm{hit}_j$ is large $\Rightarrow$ $\mathrm{inv}_j$ is large
- We prove that $\forall i$: $\mathbb{E}[\mathrm{hit}_i] \le \mathrm{inv}_i$.
- $\mathrm{inv}_i = \Pr[C_{i-1}(w_{i-1}) \text{ queries } y]$
- $\mathrm{hit}_i = \Pr[C_{i-1}(w_i) \text{ queries } y]$
- Sampling $w_{i-1}$:
  - $w_{i-1} \leftarrow \{w : C_{i-2}(w) = C_{i-2}(w_{i-2})\}$
- Sampling $w_i$:
  - Sample $w_{i-1}$
  - $S := \{w : C_{i-1}(w) = C_{i-1}(w_{i-1})\}$
  - $w_i \leftarrow S$
- $\mathrm{hit}^S_i := \Pr_{w \leftarrow S}[C_{i-1}(w) \text{ queries } y]$
- Conditioned on $S$, $w_{i-1}$ is itself uniform in $S$ ($C_{i-1}$ extends $C_{i-2}$, so $S$ is one class of the set $w_{i-1}$ was drawn uniformly from), hence

$$
\mathrm{inv}_i \;\ge\; \sum_S \Pr[S]\cdot \Pr[C_{i-1}(w_{i-1}) \text{ queries } y \mid S] \;\ge\; \sum_S \Pr[S]\cdot \mathrm{hit}^S_i \;=\; \mathbb{E}[\mathrm{hit}_i].
$$
Slide 28: Additional Results
- Similar proof (same Sam) $\Rightarrow$ in any construction of the above, the sender communicates $\Omega(n)$ bits.
- Give a BB-reduction from low-communication PIR to SH-commitment, in which the sender communicates only $O(\log n)$ additional bits.
- $\Rightarrow$ No BB-construction from OWP (and from TDP) to low-communication PIR.
Slide 29: Concluding Remarks
- In any BB-reduction from SH-commitment to OWP defined over $\{0,1\}^n$, the commitment has $\Omega(n/\log n)$ rounds and the sender communicates $\Omega(n)$ bits.
- Sam breaks the binding w.h.p. $\Rightarrow$ no weakly-binding commitment either.
- We did not use the fact that the receiver might deviate from the protocol $\Rightarrow$ the bound holds for protocols secure only against honest receivers.
- The extension to TDP is not very hard.
Slide 30: Open Questions
- We showed that in any BB-reduction from OWP defined over $\{0,1\}^n$ to statistically-hiding bit commitment, the sender communicates $\Omega(n)$ bits. Tighter bounds for commitments to many bits would imply tighter bounds for PIR.
- Using our extension of Gennaro-Trevisan to prove other black-box separation results.