Page 1: Inaccessible Entropy

Inaccessible Entropy

Iftach Haitner, Microsoft Research

Omer Reingold, Weizmann Institute

Hoeteck Wee, Queens College, CUNY

Salil Vadhan, Harvard University

Page 2: Inaccessible Entropy

Outline

Entropy

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Page 3: Inaccessible Entropy

Entropy

Def: The Shannon entropy of r.v. $X$ is

$H(X) = \mathbb{E}_{x \leftarrow X}[\log(1/\Pr[X=x])]$

$H(X)$ = "bits of randomness in $X$ (on average)"

$0 \le H(X) \le \log|\mathrm{Supp}(X)|$

$H(X) = 0$ iff $X$ is concentrated on a single point; $H(X) = \log|\mathrm{Supp}(X)|$ iff $X$ is uniform on $\mathrm{Supp}(X)$.

Page 4: Inaccessible Entropy

Conditional Entropy

$H(X \mid Y) = \mathbb{E}_{y \leftarrow Y}[H(X \mid Y=y)]$

Chain Rule: $H(X,Y) = H(Y) + H(X \mid Y)$

$H(X) - H(Y) \le H(X \mid Y) \le H(X)$

$H(X \mid Y) = 0$ iff $\exists f$ such that $X = f(Y)$.

Page 5: Inaccessible Entropy

Worst-Case Entropy Measures

Min-Entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$

Max-Entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$

$H_\infty(X) \le H(X) \le H_0(X)$

Page 6: Inaccessible Entropy

Outline

Entropy

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Page 7: Inaccessible Entropy

Perfect Secrecy & Entropy

Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if $\forall\, m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are identically distributed for a random key $K$.

Thm [Sh49]: Perfect secrecy $\Rightarrow |K| \ge n$

Page 8: Inaccessible Entropy

Perfect Secrecy $\Rightarrow |K| \ge n$

Proof:

Perfect secrecy $\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv (U_n, \mathrm{Enc}_K(M))$ for $M, U_n \leftarrow \{0,1\}^n$

$\Rightarrow H(M \mid \mathrm{Enc}_K(M)) = n$

Decryptability $\Rightarrow H(M \mid \mathrm{Enc}_K(M), K) = 0 \Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.

Hence $n \le H(K) \le |K|$.

Page 9: Inaccessible Entropy

Computational Secrecy

Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if $\forall\, m, m' \in \{0,1\}^n$, $\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are computationally indistinguishable.

$\Rightarrow$ can have $|K| \ll n$.

Page 10: Inaccessible Entropy

Where Shannon’s Proof Breaks

Computational secrecy $\Rightarrow (M, \mathrm{Enc}_K(M)) \approx_c (U_n, \mathrm{Enc}_K(M))$ for $M, U_n \leftarrow \{0,1\}^n$

$\Rightarrow$ "$H_{\mathrm{pseudo}}(M \mid \mathrm{Enc}_K(M))$" $= n$

Decryptability $\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.

Key point: can have $H_{\mathrm{pseudo}}(X) \gg H(X)$, e.g. $X = G(U_k)$ for a PRG $G : \{0,1\}^k \to \{0,1\}^n$.

Page 11: Inaccessible Entropy

Pseudoentropy

Def [HILL90]: $X$ has pseudoentropy $\ge k$ iff there exists a random variable $Y$ s.t.

1. $Y \approx_c X$

2. $H(Y) \ge k$

Page 12: Inaccessible Entropy

Application of Pseudoentropy

Thm [HILL90]: $\exists$ OWF $\Rightarrow \exists$ PRG

Proof outline:

OWF
  ↓ hardcore bit [GL89] + hashing
$X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
  ↓ repetitions
$X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
  ↓ hashing
PRG

Page 13: Inaccessible Entropy

Outline

Entropy

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Page 14: Inaccessible Entropy

Unforgeability

Crypto is not just about secrecy.

Unforgeability: security properties saying that it is hard for an adversary to generate "valid" messages.

– Unforgeability of MACs, digital signatures

– Collision-resistance of hash functions

– Binding of commitment schemes

Page 15: Inaccessible Entropy

Ex: Collision-resistant Hashing

Protocol: B picks $F \leftarrow \mathcal{F}$, where $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$, and sends $F$; A picks $X \leftarrow \{0,1\}^n$ and sends $Y = F(X)$; finally A sends $X$.

Shrinking: $H(X \mid Y, F) \ge k$

Collision Resistance: From A's perspective, $X$ is determined by $Y, F$ $\Rightarrow$ "accessible" entropy 0

Page 16: Inaccessible Entropy

Ex: Collision-resistant Hashing

Same protocol with a cheating A*: A* tosses coins $S_1$ before sending $Y$ and coins $S_2$ before sending $X$.

Collision Resistance: $\exists$ function $\pi$ s.t. $X = \pi(F, Y, S_1)$ except w/ negligible prob.

Page 17: Inaccessible Entropy

Ex: Collision-resistant Hashing

Same protocol with a cheating A* (coins $S_1$ before $Y$, coins $S_2$ before $X$).

Collision Resistance: $\exists$ function $\pi$ s.t. $X \in \{\pi(F, Y, S_1)\} \cup f^{-1}(Y)^c$, i.e. either $X$ is the single preimage fixed by $S_1$ or $X$ is not a valid preimage of $Y$ at all.

Page 18: Inaccessible Entropy

Measuring Accessible Entropy

Goal: A useful entropy measure to capture the possibility that $H_{\mathrm{acc}}(X) \ll H(X)$

1st attempt: $X$ has accessible entropy at most $k$ if there is a random variable $Y$ s.t.

1. $Y \approx_c X$

2. $H(Y) \le k$

Not useful! Every $X$ is indistinguishable from some $Y$ of entropy $\mathrm{polylog}(n)$.

Page 19: Inaccessible Entropy

Inaccessible Entropy

Idea: Protocol (A,B) has inaccessible entropy if

H(A's messages from B's point of view)   [Real Entropy]

>

H(A*'s messages from A*'s point of view)   [Accessible Entropy]

Page 20: Inaccessible Entropy

Real Entropy

Protocol (A,B) with $m$ rounds: B sends $B_1$, A replies $A_1$, B sends $B_2$, A replies $A_2$, …, B sends $B_m$, A replies $A_m$.

Def: The real entropy of (A,B) is

$\sum_i H(A_i \mid B_1, A_1, \ldots, B_i)$

Page 21: Inaccessible Entropy

Accessible Entropy

Same $m$-round protocol, now with a cheating A*. What A* does at each round $i$:

– Tosses coins $S_i$

– Sends message $A_i$

– Privately outputs justification $W_i$ (e.g. consistent coins of honest A)

Page 22: Inaccessible Entropy

Accessible Entropy

(A* tosses coins $S_1, \ldots, S_m$ and outputs justifications $W_1, \ldots, W_m$ as above.)

Def: (A,B) has accessible entropy at most $k$ if for every PPT A*

$\sum_i H(A_i \mid B_1, S_1, B_2, S_2, \ldots, S_{i-1}, B_i) \le k$

Remarks

1. Needs adjustment in case A* outputs an invalid justification (assume for now that it never does).

2. Unbounded A* can achieve real entropy.

Page 23: Inaccessible Entropy

Ex: Collision-resistant Hashing

(Protocol as before: B sends $F \leftarrow \mathcal{F}$, $\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$; A picks $X \leftarrow \{0,1\}^n$, sends $Y = F(X)$, then sends $X$.)

Real Entropy $= H(Y \mid F) + H(X \mid Y, F)$

$= H(X \mid F)$

$= n$

Page 24: Inaccessible Entropy

Ex: Collision-resistant Hashing

(Cheating A* tosses coins $S_1$ before $Y$ and $S_2$ before $X$.)

Accessible Entropy $= H(Y \mid F) + H(X \mid F, S_1)$

$\le (n-k) + \mathrm{neg}(n)$
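As an added worked example (not from the talk), the entropy measures of pages 3 to 5 computed exactly and applied to the collision-resistant hashing protocol of pages 15, 23 and 24. The hash family is a constructed toy (all GF(2)-linear maps for n = 4, k = 2, which is of course not collision resistant) and the function names are this example's own; the cheating A* modelled is the one whose coins S1 already fix X, so H(X|F,S1) = 0 and its accessible entropy is just H(Y|F) ≤ n − k, while the honest sender's real entropy comes out as exactly n.

```python
from collections import defaultdict
from itertools import product
from math import log2

def shannon_entropy(dist):
    """H(X) = E_x[log(1/Pr[X=x])]; dist maps value -> probability."""
    return sum(p * log2(1 / p) for p in dist.values() if p > 0)

def min_entropy(dist):
    """H_inf(X) = min_x log(1/Pr[X=x])."""
    return log2(1 / max(dist.values()))

def max_entropy(dist):
    """H_0(X) = log |Supp(X)|."""
    return log2(sum(1 for p in dist.values() if p > 0))

def conditional_entropy(joint):
    """H(X|Y) = E_y[H(X|Y=y)]; joint maps (x, y) -> probability."""
    by_y = defaultdict(dict)
    for (x, y), p in joint.items():
        by_y[y][x] = p
    total = 0.0
    for xs in by_y.values():
        q = sum(xs.values())  # Pr[Y = y]
        total += q * shannon_entropy({x: p / q for x, p in xs.items()})
    return total

# Toy hash family (constructed, NOT collision resistant): every GF(2)-linear
# map {0,1}^N -> {0,1}^(N-K), enumerated exactly rather than sampled.
N, K = 4, 2

def apply_linear(matrix, x):
    """y_i = <row_i, x> mod 2."""
    return tuple(sum(a & b for a, b in zip(row, x)) % 2 for row in matrix)

def hashing_entropies():
    """Return (real entropy of honest A, accessible entropy of the A* whose coins S1 fix X)."""
    rows = list(product((0, 1), repeat=N))      # X uniform on {0,1}^N
    family = list(product(rows, repeat=N - K))  # F uniform over the family
    p = 1.0 / (len(family) * len(rows))
    y_f, x_yf, x_fs = defaultdict(float), defaultdict(float), defaultdict(float)
    for f in family:
        for x in rows:
            y = apply_linear(f, x)
            y_f[(y, f)] += p          # (Y | F): at most N-K bits, since F shrinks
            x_yf[(x, (y, f))] += p    # (X | Y, F): the >= K bits F cannot pin down
            x_fs[(x, (f, x))] += p    # (X | F, S1) with S1 = X: zero bits
    real = conditional_entropy(y_f) + conditional_entropy(x_yf)
    accessible = conditional_entropy(y_f) + conditional_entropy(x_fs)
    return real, accessible
```

For this family H(Y|F) is the average GF(2) rank of a 2x4 bit matrix, 465/256 ≈ 1.82 bits, so the gap between real and accessible entropy is about 2.18 bits here; for a genuinely collision-resistant family the bound holds for every PPT A*, not just this one.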

Page 25: Inaccessible Entropy

Outline

Entropy

Secrecy & Pseudoentropy

Unforgeability & Inaccessible Entropy

Applications

Page 26: Inaccessible Entropy

Commitment Schemes

Page 27: Inaccessible Entropy

Commitment Schemes

COMMIT STAGE: sender S, holding $m$, interacts with receiver R.

Page 28: Inaccessible Entropy

Commitment Schemes

REVEAL STAGE: S reveals $m$ to R.

Page 29: Inaccessible Entropy

Commitment Schemes

COMMIT STAGE: S, holding $m \in \{0,1\}^n$, interacts with R.

REVEAL STAGE: S sends $(m, K)$ to R, who outputs accept/reject.

Page 30: Inaccessible Entropy

Security of Commitments

(COMMIT STAGE: S, holding $m \in \{0,1\}^n$, interacts with R. REVEAL STAGE: S sends $(m, K)$; R outputs accept/reject.)

Hiding (statistical or computational): COMMIT($m$) and COMMIT($m'$) are indistinguishable even to a cheating R*.

Binding (statistical or computational): even a cheating S* cannot reveal $(m, K)$, $(m', K')$ with $m \neq m'$.

Page 31: Inaccessible Entropy

Statistical Security?

(Same commit/reveal stages, $m \in \{0,1\}^t$.)

Statistical hiding and statistical binding at the same time: Impossible!

Page 32: Inaccessible Entropy

Statistical Binding

(Same commit/reveal stages, $m \in \{0,1\}^n$; hiding computational, binding statistical.)

Thm [HILL90,Naor91]: One-way functions $\Rightarrow$ Statistically Binding Commitments

Page 33: Inaccessible Entropy

Statistical Hiding

(Same commit/reveal stages, $m \in \{0,1\}^n$; hiding statistical, binding computational.)

Thm [HNORV07]: One-way functions $\Rightarrow$ Statistically Hiding Commitments

Too Complicated!

Page 34: Inaccessible Entropy

Our Results I

Much simpler proof that OWF $\Rightarrow$ Statistically Hiding Commitments, via accessible entropy.

Conceptually parallels the [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF.

"Nonuniform" version achieves optimal round complexity, $O(n/\log n)$ [HHRS07].

Page 35: Inaccessible Entropy

Our Results II

Thm: Assume one-way functions exist. Then:

NP has constant-round parallelizable ZK proofs with "black-box simulation"

$\Leftrightarrow$

constant-round statistically hiding commitments exist.

($\Leftarrow$ is due to [GK96,G01]; the novelty is $\Rightarrow$)

Page 36: Inaccessible Entropy

Statistically Hiding Commitments & Inaccessible Entropy

COMMIT STAGE: S picks $M \leftarrow \{0,1\}^n$ and interacts with R, producing transcript $C$ (S keeps opening $K$). REVEAL STAGE: S sends $M$.

Statistical Hiding:

$H(M \mid C) = n - \mathrm{neg}(n)$

Page 37: Inaccessible Entropy

Statistically Hiding Commitments & Inaccessible Entropy

(Cheating S* tosses coins $S_1$ in the commit stage and $S_2$ in the reveal stage; transcript $C$, opening $K$.)

Statistical Hiding:

$H(M \mid C) = n - \mathrm{neg}(n)$

Comp'l Binding:

For every PPT S*

$H(M \mid C, S_1) = \mathrm{neg}(n)$

Page 38: Inaccessible Entropy

OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof

OWF
  ↓ interactive hashing [NOVY92,HR07]
(A,B) with real entropy $\ge$ accessible entropy $+ \log n$
  ↓ repetitions
(A,B) with real min-entropy $\ge$ accessible entropy $+ \mathrm{poly}(n)$
  ↓ cut & choose; (interactive) hashing [DHRS07] + UOWHFs [NY89,Rom90]; "m-phase" commitment
statistically hiding commitment

Page 39: Inaccessible Entropy

Cf. OWF $\Rightarrow$ Statistically Binding Commitment [HILL90,Nao91]

OWF
  ↓ hardcore bit [GL89] + hashing
$X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
  ↓ repetitions
$X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
  ↓ hashing
PRG
  ↓ expand output & translate
Statistically binding commitment

Page 40: Inaccessible Entropy

OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof (same diagram as page 38)

Page 41: Inaccessible Entropy

OWF $\Rightarrow$ Inaccessible Entropy

Let $f : \{0,1\}^n \to \{0,1\}^m$ be a OWF. Protocol: A picks $X \leftarrow \{0,1\}^n$ and sets $Y = f(X)$; B chooses linearly independent $B_1, \ldots, B_m \leftarrow \{0,1\}^m$. For $i = 1, \ldots, m$: B sends $B_i$, A replies $\langle B_i, Y \rangle$. Finally A sends $X$.

Real Entropy $= n$

Can show: Accessible Entropy $\le n - \log n$

Page 42: Inaccessible Entropy

Claim: Accessible Entropy $\le n - \log n$

(Protocol of page 41 run with a cheating A*; $f : \{0,1\}^n \to \{0,1\}^m$ OWF.)

For simplicity, assume $|f^{-1}(y)| = 2^k$ $\forall\, y \in \mathrm{Im}(f)$.

Rounds $1, \ldots, t$ (answers $\langle B_1, Y \rangle, \ldots, \langle B_t, Y \rangle$), $t = n - k - 2\log n$: entropy $\le t$

Rounds $t+1, \ldots, m$: Claim: entropy $= \mathrm{neg}(n)$

Final message $X$: entropy $\le k$

Page 43: Inaccessible Entropy

Claim: Accessible Entropy $\le n - \log n$

(Rounds $1, \ldots, t$ of the protocol: B sends $B_i$, A* answers $\langle B_i, Y \rangle$; $f : \{0,1\}^n \to \{0,1\}^m$ OWF.)

For simplicity, assume $|f^{-1}(y)| = 2^k$ $\forall\, y \in \mathrm{Im}(f)$.

$t = n - k - 2\log n$

Claim: $\exists$ at most one consistent $Y$ s.t. A* can produce a preimage (except w/ neg prob).

Page 44: Inaccessible Entropy

Claim: Accessible Entropy $\le n - \log n$

(Rounds $1, \ldots, t$ of the protocol: B sends $B_i$, A* answers $\langle B_i, Y \rangle$; $f : \{0,1\}^n \to \{0,1\}^m$ OWF.)

For simplicity, assume $|f^{-1}(y)| = 2^k$ $\forall\, y \in \mathrm{Im}(f)$.

$t = n - k - 2\log n$

Claim: $\exists$ at most one consistent $Y$ s.t. A* can produce a preimage (except w/ neg prob).

(Picture: of the values in $\mathrm{Im}(f)$, only $\mathrm{poly}(n)$ remain consistent with the first $t$ answers.)

Interactive Hashing Thms [NOVY92,HR07]: A* can "control" at most 1 consistent value.

Page 45: Inaccessible Entropy

Claim: Accessible Entropy $\le n - \log n$

(Full protocol with a cheating A*; $f : \{0,1\}^n \to \{0,1\}^m$ OWF.)

For simplicity, assume $|f^{-1}(y)| = 2^k$ $\forall\, y \in \mathrm{Im}(f)$.

Rounds $1, \ldots, t$, $t = n - k - 2\log n$: entropy $\le t$

Rounds $t+1, \ldots, m$: entropy $= \mathrm{neg}(n)$

Final message $X$: entropy $\le k$

Analysis holds whenever $|f^{-1}(Y)| \approx 2^k$.

Choice of $k$ contributes entropy $\le \log n$.

Summing: $t + k + \log n = n - \log n$, up to negligible terms.

Page 46: Inaccessible Entropy

Conclusion

Complexity-based cryptography is possible because of gaps between real & computational entropy.

Secrecy: pseudoentropy > real entropy

Unforgeability: accessible entropy < real entropy

What else can we do with inaccessible entropy?

Page 47: Inaccessible Entropy

Research Directions

Remove “parallelizable” condition from ZK result.

Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.

Formally unify statistical hiding & statistical binding.