Inaccessible Entropy
Iftach HaitnerMicrosoft Research
Omer Reingold Weizmann Institute
Hoeteck WeeQueens College, CUNY
Salil Vadhan Harvard University
outline
Entropy
Secrecy & Pseudoentropy
Unforgeability & Inaccessible Entropy
Applications
Def: The Shannon entropy of r.v. X is
H(X) = ExÃX[log(1/Pr[X=x)]
H(X) = “Bits of randomness in X (on avg)”
0 · H(X) · log |Supp(X)|
Entropy
H(X ) = Exà X [log(1=Pr[X = x])]HHH(X ) =
X concentratedon single point
X uniform onSupp(X)
Conditional Entropy
H(X|Y) = EyÃY[H(X|Y=y)]
Chain Rule: H(X,Y) = H(Y) + H(X|Y)
H(X)-H(Y) · H(X|Y) · H(X)
H(X|Y) = 0 iff 9 f X=f(Y).
Worst-Case Entropy Measures
Min-Entropy: H1(X) = minx log(1/Pr[X=x])
Max-Entropy: H0(X) = log |Supp(X)|
H1(X) · H(X) · H0(X)
outline
Entropy
Secrecy & Pseudoentropy
Unforgeability & Inaccessible Entropy
Applications
Perfect Secrecy & Entropy
Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if 8 m,m’ 2 {0,1}n
EncK(m) & EncK(m’) are identically distributed for a random key K.
Thm [Sh49]: Perfect secrecy ) |K| ¸ n
Perfect Secrecy ) |K|¸ n
Proof:
Perfect secrecy) (M,EncK(M)) ´ (Un,EncK(M))
for M,Un à {0,1}n
) H(M|EncK(M)) = n
Decryptability) H(M|EncK(M),K) = 0) H(M|EncK(M)) · H(K).
Computational Secrecy
Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if 8 m,m’ 2 {0,1}n
EncK(m) & EncK(m’) are computationally indistinguishable.
) can have |K| ¿ n.
Where Shannon’s Proof Breaks
Computational secrecy) (M,EncK(M)) ´c (Un,EncK(M))
for M,Un à {0,1}n
) “Hpseudo(M|EncK(M))” = n
Decryptability) H(M|EncK(M)) · H(K).
Key point: can have Hpseudo(X) À H(X)e.g. X = G(Uk) for PRG G : {0,1}k! {0,1}n
Pseudoentropy
Def [HILL90]: X has pseudoentropy ¸ k iff there exists a random variable Y s.t.1. Y ´c X2. H(Y) ¸ k
Application of Pseudoentropy
Thm [HILL90]: 9 OWF ) 9 PRG
Proof outline:
OWF
X with pseudo-min-entropy ¸ H0(X)+poly(n)
X with pseudoentropy ¸ H(X)+1/poly(n)
PRG
hardcore bit [GL89]+hashing
repetitions
hashing
outline
Entropy
Secrecy & Pseudoentropy
Unforgeability & Inaccessible Entropy
Applications
Unforgeability
Crypto is not just about secrecy.
Unforgeability: security properties saying that it has hard for an adversary to generate “valid” messages.– Unforgeability of MACs, Digital Signatures– Collision-resistance of hash functions– Binding of commitment schemes
Ex: Collision-resistant Hashing
Shrinking: H(X|Y,F) ¸ k
Collision Resistance: From A’s perspective, X is determined by Y,F ) “accessible” entropy 0
A BF Ã F
F = { f : {0,1}n ! {0,1}n-k}
F
Y
X
XÃ {0,1}n
Y=F(X)
Ex: Collision-resistant Hashing
Collision Resistance: 9 function ¼s.t. X = ¼(F,Y,S1) except w/negligible prob.
A* BF Ã F
F = { f : {0,1}n ! {0,1}n-k}
F
Y
X
toss coins S1
toss coins S2
Ex: Collision-resistant Hashing
Collision Resistance: 9 function ¼s.t. X 2 {¼(F,Y,S1)} [ f-1(Y)c
A* BF Ã F
F = { f : {0,1}n ! {0,1}n-k}
F
Y
X
toss coins S1
toss coins S2
Measuring Accessible Entropy
Goal: A useful entropy measure to capture possibility that Hacc(X) ¿ H(X)
1st attempt: X has accessible entropy at most k if there is a random variable Y s.t.
1. Y ´c X2. H(Y) · k
Not useful! every X is indistinguishable from some Y of entropy polylog(n).
Inaccessible Entropy
Idea: Protocol (A,B) has inaccessible entropy if
H(A’s messages from B’s point of view) >
H(A*’s messages from A*’s point of view)
Real Entropy
Accessible Entropy
Real Entropy
A BB1
A1
B2
A2
Bm
Am
Def: The real entropy of (A,B) is
i H(Ai | B1,A1,…,Bi)
Accessible Entropy
A* BB1
A1
B2
A2
Bm
Am
Tosses coins Si
Sends message Ai
Privately outputs justification Wi (e.g. consistent coins of honest A)
coins S1
coins S2
coins Sm
What A* does at each round
W1
W2
Wm
Accessible Entropy
A* BB1
A1
B2
A2
Bm
Am
coins S1
coins S2
coins Sm
W1
W2
Wm
Def: (A,B) has accessible entropy at most k if for every PPT A*
i H(Ai|B1,S1,B2,S2,…,Si-1,Bi) · k
Remarks1. Needs
adjustmentin case A*
outputs invalidjustification.
2. Unbounded A* can achieve real entropy.
neverAssume
Ex: Collision-resistant Hashing
Real Entropy = H(Y|F)+H(X|Y,F)
= H(X|F)
= n
A BF Ã F
F = { f : {0,1}n ! {0,1}n-k}
F
Y
X
XÃ {0,1}n
Y=F(X)
Ex: Collision-resistant Hashing
Accessible Entropy = H(Y|F)+H(X|F,S1)
· (n-k) + neg(n)
A* BF Ã F
F = { f : {0,1}n ! {0,1}n-k}
F
Y
X
toss coins S1
toss coins S2
outline
Entropy
Secrecy & Pseudoentropy
Unforgeability & Inaccessible Entropy
Applications
Commitment Schemes
m
Commitment Schemes
COMMIT STAGE
S R
m
R
Commitment Schemes
S
REVEAL STAGE
Commitment Schemes
COMMIT STAGE
accept/reject
S R
m2{0,1}n
REVEAL STAGE(m,K)
Security of Commitments
COMMIT STAGE
accept/reject
S R
m2{0,1}n
REVEAL STAGE(m,K)
Hiding– Statistical– Computational
Binding– Statistical– Computational
COMMIT(m) & COMMIT(m’) indistinguishableeven to cheating R*
COMMIT(m) & COMMIT(m’) indistinguishableeven to cheating R*
Even cheating S*
cannot reveal(m,K), (m’,K’) with mm’
Even cheating S*
cannot reveal(m,K), (m’,K’) with mm’
Statistical Security?
COMMIT STAGE
accept/reject
S R
m2{0,1}t
REVEAL STAGE(m,K)
Hiding– Statistical– Computational
Binding– Statistical– Computational
Impossible!
Statistical Binding
COMMIT STAGE
accept/reject
S R
m2{0,1}n
REVEAL STAGE(m,K)
Hiding– Statistical– Computational
Binding– Statistical– Computational
Thm [HILL90,Naor91]: One-way functions ) Statistically Binding Commitments
Statistical Hiding
COMMIT STAGE
accept/reject
S R
m2{0,1}n
REVEAL STAGE(m,K)
Hiding– Statistical– Computational
Binding– Statistical– Computational
Thm [HNORV07]: One-way functions ) Statistically Hiding Commitments
Too Complicate
d!
Our Results I
Much simpler proof that OWF) Statistically Hiding Commitmentsvia accessible entropy.
Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF.
“Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]
Our Results II
Thm: Assume one-way functions exist. Then:
NP has constant-round parallelizable ZK proofs with “black-box simulation”
m
constant-round statistically hiding commitments exist.
( * due to [GK96,G01], novelty is )
Statistically Hiding Commitments& Inaccessible Entropy
COMMIT STAGES R
MÃ{0,1}n
REVEAL STAGEM
Statistical Hiding:
H(M|C) = n - neg(n)
K
C
Statistically Hiding Commitments& Inaccessible Entropy
COMMIT STAGES* R
REVEAL STAGEM
Statistical Hiding:
H(M|C) = n - neg(n)
Comp’l Binding:
For every PPT S*
H(M|C,S1) = neg(n)
K
Ccoins S1
coins S2
OWF ) Statistically Hiding Commitments: Our Proof
OWF
(A,B) with real min-entropy ¸ accessible entropy+poly(n)
(A,B) with real entropy ¸ accessible entropy+log n
statistically hiding commitment
interactive hashing [NOVY92,HR07]
repetitions
cut & choose
(interactive) hashing [DHRS07]+UOWHFs [NY89,Rom90]
“m-phase” commitment
Cf. OWF ) Statistically Binding Commitment [HILL90,Nao91]
OWF
X with pseudo-min-entropy ¸ H0(X)+poly(n)
X with pseudoentropy ¸ H(X)+1/poly(n)
PRG
hardcore bit [GL89]+hashing
repetitions
hashing
Statistically binding commitment
expand output & translate
OWF ) Statistically Hiding Commitments: Our Proof
OWF
(A,B) with real min-entropy ¸ accessible entropy+poly(n)
(A,B) with real entropy ¸ accessible entropy+log n
statistically hiding commitment
interactive hashing [NOVY92,HR07]
repetitions
cut & choose
(interactive) hashing [DHRS07]+UOWHFs [NY89,Rom90]
“m-phase” commitment
OWF ) Inaccessible Entropy
A BChooselinearly indep.B1,…,Bm à {0,1}m
f : {0,1}n ! {0,1}m OWF
B1
h B1,Yi
XÃ {0,1}n
Y=f(X)
Real Entropy = n
Can show: Accessible Entropy · n-log n
Bm
h Bm,Yi
X
Claim: Accessible Entropy · n-log n
A* B
f : {0,1}n ! {0,1}m OWF.
B1
h B1,Yi
Bm
h Bm,Yi
X
Bt
h Bt,Yi
For simplicity, assume |f-1(y)| = 2k 8 y2 Im(f)
entropy · k
entropy · t = n-k-2log n
Claim: entropy = neg(n)
Claim: Accessible Entropy · n-log n
A* B
f : {0,1}n ! {0,1}m OWF.
B1
h B1,Yi
Bt
h Bt,Yi
For simplicity, assume |f-1(y)| = 2k 8 y2 Im(f).
t=n-k-2log n
Claim: 9 at most oneconsistent Y s.t. A* canproduce a preimage(except w/neg prob,)
Claim: Accessible Entropy · n-log n
A* B
f : {0,1}n ! {0,1}m OWF.
B1
h B1,Yi
Bt
h Bt,Yi
For simplicity, assume |f-1(y)| = 2k 8 y2 Im(f).
t=n-k-2log n
Claim: 9 at most oneconsistent Y s.t. A* canproduce a preimage(except w/neg prob,)
Im(f)poly(n)
Interactive Hashing Thms
[NOVY92,HR07]:A* can “control” at most 1 consistent value
Claim: Accessible Entropy · n-log n
A* B
f : {0,1}n ! {0,1}m OWF.
B1
h B1,Yi
Bm
h Bm,Yi
X
Bt
h Bt,Yi
For simplicity, assume |f-1(y)| = 2k 8 y2 Im(f)
entropy · k
entropy · t = n-k-2log n
entropy = neg(n)
Analysis holdswhenever |f-1(Y)| ¼ 2k
Choice of k contributesentropy · log n
Conclusion
Complexity-based cryptography is possible because of gaps between real & computational entropy.
Secrecypseudoentropy > real entropy
Unforgeabilityaccessible entropy < real entropy
What else can we do with inaccessible entropy?
Research Directions
Remove “parallelizable” condition from ZK result.
Use inaccessible entropy for new understanding/constructions of MACS and digital signatures.
Formally unify statistical hiding & statistical binding.
Top Related