Inaccessible Entropy
Iftach Haitner, Microsoft Research
Omer Reingold, Weizmann & Microsoft
Hoeteck Wee, Queens College, CUNY
Salil Vadhan, Harvard University
Outline
– Entropy
– Secrecy & Pseudoentropy
– Unforgeability & Inaccessible Entropy
– Applications
Def: The Shannon entropy of r.v. X is H(X) = E_{x←X}[log(1/Pr[X=x])]
H(X) = “Bits of randomness in X (on avg)”; 0 ≤ H(X) ≤ log |Supp(X)|
Conditional Entropy: H(X|Y) = E_{y←Y}[H(X|Y=y)]
[Figure: H(X) = E_{x←X}[log(1/Pr[X=x])] shown on a scale from 0 (X concentrated on a single point) to log |Supp(X)| (X uniform on Supp(X)).]
Worst-Case Entropy Measures
Min-Entropy: H_∞(X) = min_x log(1/Pr[X=x])
Max-Entropy: H_0(X) = log |Supp(X)|
H_∞(X) ≤ H(X) ≤ H_0(X)
Perfect Secrecy & Entropy
Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if ∀ m,m’ ∈ {0,1}^n,
Enc_K(m) & Enc_K(m’) are identically distributed for a random key K.
Thm [Sh49]: Perfect secrecy ⇒ |K| ≥ n
Perfect Secrecy ⇒ |K| ≥ n
Proof: Perfect secrecy
⇒ (M,Enc_K(M)) ≡ (M,Enc_K(M’)) for M,M’ ← {0,1}^n
⇒ H(M|Enc_K(M)) = n
Decryptability ⇒ H(M|Enc_K(M),K) = 0
⇒ H(M|Enc_K(M)) ≤ H(K).
Computational Secrecy
Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if ∀ m,m’ ∈ {0,1}^n,
Enc_K(m) & Enc_K(m’) are computationally indistinguishable.
⇒ can have |K| ≪ n.
Where Shannon’s Proof Breaks
Computational secrecy ⇒ (M,Enc_K(M)) ≡_c (M,Enc_K(M’)) for M,M’ ← {0,1}^n
⇒ “H_pseudo(M|Enc_K(M))” = n
Decryptability ⇒ H(M|Enc_K(M)) ≤ H(K).
Key point: can have H_pseudo(X) ≫ H(X), e.g. X = G(U_k) for PRG G : {0,1}^k → {0,1}^n
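The following Python is an added worked example (not code from the talk) that makes the definitions of the Entropy section and Shannon's argument concrete: it computes H, H_∞, H_0 and H(X|Y) on small distributions, then evaluates H(M | Enc_K(M)) exactly, by enumeration, for a one-time pad and for a constructed short-key cipher, so the bound H(M|Enc_K(M)) ≤ H(K) can be seen to hold with equality. It also computes the real entropy of G(U_k) for a toy expanding map, which can never exceed H(K) = k; the gap to n that the key point above relies on is pseudoentropy, which only a PRG provides. The message length N = 4, the key-expansion rule k ↦ k‖k and the SKEWED distribution are constructed inputs.

```python
import math
from collections import Counter
from itertools import product


def shannon_entropy(dist):
    """H(X) = E_{x<-X}[log(1/Pr[X=x])] in bits; dist maps each outcome to its probability."""
    return sum(p * math.log2(1 / p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """H_inf(X) = min_x log(1/Pr[X=x]): set by the single most likely outcome."""
    return math.log2(1 / max(dist.values()))


def max_entropy(dist):
    """H_0(X) = log |Supp(X)|: counts outcomes with nonzero probability, nothing else."""
    return math.log2(sum(1 for p in dist.values() if p > 0))


def conditional_entropy(joint):
    """H(X|Y) = E_{y<-Y}[H(X | Y=y)]; joint maps each pair (x, y) to its probability."""
    p_y = Counter()
    for (_, y), p in joint.items():
        p_y[y] += p
    total = 0.0
    for y, q in p_y.items():
        given_y = {x: p / q for (x, yy), p in joint.items() if yy == y}
        total += q * shannon_entropy(given_y)
    return total


def bit_strings(n):
    """{0,1}^n as tuples of 0/1."""
    return list(product((0, 1), repeat=n))


def xor(a, b):
    return tuple(u ^ v for u, v in zip(a, b))


def joint_message_ciphertext(n, keyspace, expand):
    """Joint distribution {(m, c): prob} of (M, Enc_K(M)) for uniform M in {0,1}^n and
    uniform K in keyspace, with the stream-cipher style rule Enc_K(m) = m XOR expand(K)."""
    joint = Counter()
    weight = 1 / (2 ** n * len(keyspace))
    for m in bit_strings(n):
        for k in keyspace:
            joint[(m, xor(m, expand(k)))] += weight
    return joint


def key_entropy(keyspace):
    """H(K) for a uniformly chosen key: log |keyspace|."""
    return math.log2(len(keyspace))


def output_distribution(keyspace, expand):
    """Distribution of G(U_k) = expand(K) for uniform K.  Whatever expand does, the real
    Shannon entropy of its output can never exceed H(K); only pseudoentropy can."""
    dist = Counter()
    for k in keyspace:
        dist[expand(k)] += 1 / len(keyspace)
    return dist


# A constructed skewed distribution: H_inf = 1, H = 1.75, H_0 = 2 bits.
SKEWED = {"a": 0.5, "b": 0.25, "c": 0.125, "d": 0.125}

N = 4                                            # message length for the toy ciphers
# One-time pad: key as long as the message, so Shannon's bound is met with equality.
OTP = joint_message_ciphertext(N, bit_strings(N), lambda k: k)
# A 2-bit key "expanded" by repeating it (constructed toy, not a PRG): the ciphertext now
# leaves only H(K) = 2 bits of uncertainty about a 4-bit message.
SHORT_KEY = joint_message_ciphertext(N, bit_strings(2), lambda k: k + k)

if __name__ == "__main__":
    print("H_inf, H, H_0 of SKEWED:", min_entropy(SKEWED), shannon_entropy(SKEWED), max_entropy(SKEWED))
    print("one-time pad  H(M | Enc_K(M)) =", conditional_entropy(OTP))
    print("short key     H(M | Enc_K(M)) =", conditional_entropy(SHORT_KEY),
          "<= H(K) =", key_entropy(bit_strings(2)))
    print("real entropy of G(U_2) for G(k) = k||k:",
          shannon_entropy(output_distribution(bit_strings(2), lambda k: k + k)))
```

The decryptability step of the proof is what makes the short-key number come out as exactly H(K): given the ciphertext, the message is a function of the key, so at most |K| bits of uncertainty about M can remain.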
Pseudoentropy
Def [HILL90]: X has pseudoentropy ≥ k iff there exists a random variable Y s.t.
1. Y ≡_c X
2. H(Y) ≥ k
Pseudoentropy Generator:
[Figure: G on seed S ← {0,1}^n outputs X, with X ≡_c Y.]
Application of Pseudoentropy
Thm [HILL90]: ∃ OWF ⇒ ∃ PRG
Proof outline:
OWF
→ [hardcore bit [GL89] + hashing] → X with pseudoentropy ≥ H(X) + 1/poly(n)
→ [repetitions] → X with pseudo-min-entropy ≥ H_0(X) + poly(n)
→ [hashing] → PRG
Unforgeability
Crypto is not just about secrecy. Unforgeability: security properties saying
that it is hard for an adversary to generate “valid” messages.
– Unforgeability of MACs, Digital Signatures
– Collision-resistance of hash functions
– Binding of commitment schemes
Cf. decision problems vs. search/sampling problems.
Ex: Collision-resistant Hashing
Shrinking: 𝓕 = { f : {0,1}^n → {0,1}^{n−k} }
Collision Resistance: Given f ← 𝓕, an efficient A cannot output x1 ≠ x2 such that f(x1) = f(x2)
Ex: Collision-resistant Hashing
[Figure: G samples F ← 𝓕 and X ← {0,1}^n, outputs F and Y = F(X), and then outputs X.]
Shrinking: H(X | F,Y) ≥ k
Collision Resistance: From (even a cheating) G’s point of view, X is determined by (F,Y): X has “accessible” entropy 0
Ex: Collision-resistant Hashing
[Figure: a cheating G* with coins S1 ← {0,1}^r outputs F ← 𝓕 and Y, then with coins S2 ← {0,1}^r outputs X ∈ F^{-1}(Y).]
Collision Resistance: H(X | F,Y,S1) = neg(n) for every efficient G*.
Measuring Accessible Entropy
Goal: A useful entropy measure to capture the possibility that H_acc(X) ≪ H(X)
1st attempt: X has accessible entropy at most k if there is a random variable Y s.t.
1. Y ≡_c X
2. H(Y) ≤ k
Not useful! Every X is indistinguishable from some Y of entropy polylog(n).
Inaccessible Entropy
Idea: A generator G has inaccessible entropy if
H(G’s outputs from an observer’s perspective)   [real entropy]
>
H(G*’s outputs from G*’s perspective)   [accessible entropy]
Real Entropy
Def: The real entropy of G is H(Y1,…,Ym | Z) = Σ_i H(Yi | Z,Y1,…,Yi−1)
[Figure: G, on coins R ← {0,1}^n, emits the blocks Y1, Y2, …, Ym; Z is the conditioning variable of the definition.]
Accessible Entropy
Def: G has accessible entropy at most k if ∀ PPT G*:
Σ_i H(Yi | Z,S1,S2,…,Si−1) ≤ k
Inaccessible entropy = real entropy − accessible entropy. Unbounded G* can achieve real entropy.
[Figure: G* chooses coins S1, S2, …, Sm, emitting the blocks Y1, Y2, …, Ym with Z, and finally R s.t. G(Z,R) = (Y1,…,Ym).]
OWF ⇒ Inaccessible Entropy
Given a one-way function f : {0,1}^n → {0,1}^n, define G(X) = (f(X)1, f(X)2, …, f(X)n, X) for X ← {0,1}^n (so m = n and Ym+1 = X).
Claim: Real entropy = n; Accessible entropy < n − log n
[cf. Omer’s talk: G(x) = (f(x),x1,…,xn) has next-bit pseudoentropy n + log n for OWP f]
[Figure: G on X ← {0,1}^n emits the bits f(X)1, f(X)2, …, f(X)n as blocks Y1, …, Yn and then Ym+1 = X.]
OWF ⇒ Inaccessible Entropy
Claim: Accessible entropy < n − log n
Suppose G* s.t. Σ_i H(Yi | S1,…,Si−1) ≥ n − log n. Then can invert f on input Y’ by sequentially
finding S1,…,Sn s.t. Yi = Y’i (via sampling). High accessible entropy ⇒ success on random
Y = f(X) w.p. 1/poly(n).
[Figure: G* with coins S1, S2, …, Sn, Sm+1 emits the bits Y1, …, Yn, which the inverter forces to match the target Y’ = 0 1 0 … one block at a time, and finally R = Ym+1.]
Commitment Schemes
[Figure: sender S and receiver R. COMMIT STAGE: S, holding m ∈ {0,1}^n, sends a commitment to R. REVEAL STAGE: S sends (m,K) and R outputs accept/reject.]
Security of Commitments
[Figure: the same commit and reveal stages, with m ∈ {0,1}^n committed and (m,K) revealed; R outputs accept/reject.]
Hiding (– Statistical – Computational): COMMIT(m) & COMMIT(m’) indistinguishable even to cheating R*
Binding (– Statistical – Computational): Even cheating S* cannot reveal (m,K), (m’,K’) with m ≠ m’
Statistical Security?
Hiding – Statistical, Binding – Statistical: Impossible!
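To make the hiding and binding definitions above, and the reason statistical security on both sides is impossible, concrete, here is an added Python example (not from the talk; the talk builds commitments from one-way functions, whereas this toy uses a discrete-log style commitment C = G^m·H^r in a tiny prime-order group, an assumption of the example). It measures hiding as the statistical distance between COMMIT(m) and COMMIT(m’) over the sender’s coins, which is exactly 0, and then enumerates every opening (m’,K’) the receiver would accept for one commitment, showing that an unbounded S* has q different messages to choose from: binding exists only against computationally bounded senders. The parameters p = 23, q = 11, G = 4, H = 9 are constructed and far too small for any real use.

```python
from collections import Counter
from fractions import Fraction

# Constructed toy parameters (an assumption of this example, not from the talk): p = 23 is a
# safe prime, p = 2q + 1 with q = 11, so the quadratic residues mod 23 form a group of prime
# order q; G = 4 and H = 9 are two generators of it.  In a real scheme nobody may know
# log_G(H) and the numbers are hundreds of bits long; here they are tiny on purpose.
P, Q, G, H = 23, 11, 4, 9


def commit(m, r):
    """COMMIT STAGE: S picks coins r in Z_q and sends C = G^m * H^r mod p for message m in Z_q.
    S keeps K = r as the opening key for the reveal stage."""
    return (pow(G, m, P) * pow(H, r, P)) % P


def verify(c, m, r):
    """REVEAL STAGE: R accepts (m, K = r) iff recomputing the commitment gives c."""
    return commit(m, r) == c


def commitment_distribution(m):
    """Distribution of COMMIT(m) over uniform coins r, as {c: probability}."""
    counts = Counter(commit(m, r) for r in range(Q))
    return {c: Fraction(n, Q) for c, n in counts.items()}


def statistical_distance(d1, d2):
    """Total variation distance (1/2) * sum_c |d1(c) - d2(c)|; 0 means identically distributed."""
    return sum(abs(d1.get(c, 0) - d2.get(c, 0)) for c in set(d1) | set(d2)) / 2


def max_hiding_gap():
    """Hiding, measured: max over m != m' of SD(COMMIT(m), COMMIT(m')).  Statistical hiding
    means this is negligible; here H^r is uniform on the group for every m, so it is exactly 0
    and even an unbounded R* learns nothing about M from C."""
    return max(statistical_distance(commitment_distribution(m), commitment_distribution(m2))
               for m in range(Q) for m2 in range(Q) if m != m2)


def valid_openings(c):
    """Every (m', r') that R would accept for c.  For each m' there is exactly one r' with
    G^m' H^r' = c, so q different messages open the same c: binding cannot be statistical,
    only computational (producing r' for m' != m amounts to computing log_G(H))."""
    return {m2: r2 for m2 in range(Q) for r2 in range(Q) if verify(c, m2, r2)}


if __name__ == "__main__":
    c = commit(3, 5)
    print("honest opening accepted:", verify(c, 3, 5), "| wrong message:", verify(c, 4, 5))
    print("max statistical distance between COMMIT(m), COMMIT(m'):", max_hiding_gap())
    print("number of messages an unbounded S* could open c to:", len(valid_openings(c)))
```

In the entropy language used later in the talk, the zero statistical distance is the statement H(M|C) = H(M): the transcript carries no information about the message, and the binding property has to come from what the bounded sender can actually compute, not from what the transcript determines.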
Statistical Binding
Hiding – Computational, Binding – Statistical
Thm [HILL90,Naor91]: One-way functions ⇒ Statistically Binding Commitments
Statistical Hiding
Hiding – Statistical, Binding – Computational
Thm [HNORV07]: One-way functions ⇒ Statistically Hiding Commitments
Too Complicated!
Our Results I
Much simpler proof that OWF ⇒ Statistically Hiding Commitments, via accessible entropy.
Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF.
“Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]
Our Results II
Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK
proofs with “black-box simulation” ⇔ constant-round statistically hiding commitments exist.
(⇐ due to [GK96,G01], novelty is ⇒)
Statistically Hiding Commitments & Inaccessible Entropy
[Figure: COMMIT STAGE between S and R with M ← {0,1}^n, producing the transcript C and the key K; REVEAL STAGE: S sends M.]
Statistical Hiding: H(M|C) = n − neg(n)
[Figure: the same stages with a cheating S*, using coins S1 in the commit stage and coins S2 in the reveal stage.]
Comp’l Binding: For every PPT S*, H(M|C,S1) = neg(n)
“inaccessible entropy for protocols”
OWF ⇒ Statistically Hiding Commitments: Our Proof
OWF
→ [done] → G with real entropy ≥ accessible entropy + log n
→ [repetitions] → G with real min-entropy ≥ accessible entropy + poly(n)
→ [(interactive) hashing [DHRS07] + UOWHFs [NY89,Rom90]] → “m-phase” commitment
→ [cut & choose & parallel rep] → statistically hiding commitment
Cf. OWF ⇒ Statistically Binding Commitment [HILL90,Nao91]
OWF
→ [hardcore bit [GL89] + hashing] → X with pseudoentropy ≥ H(X) + 1/poly(n)
→ [repetitions] → X with pseudo-min-entropy ≥ H_0(X) + poly(n)
→ [hashing] → PRG
→ [expand output & translate] → Statistically binding commitment
Other Applications
Simpler/improved universal one-way hash functions from OWF [HRVW09b]
Inspired simpler/improved pseudorandom generators from OWF [HRV09]
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
Secrecy: pseudoentropy > real entropy
Unforgeability: accessible entropy < real entropy
Research Directions
Formally unify inaccessible entropy and pseudoentropy.
Complexity-theoretic applications of inaccessible entropy
Remove “parallelizable” condition from ZK result.
Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.