Upload
paul-chancellor
View
220
Download
0
Tags:
Embed Size (px)
Citation preview
1
Reducing Complexity Assumptions for Statistically-Hiding Commitment
Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo
Ruggero Morselli Ronen Shaltiel
2
Bit-Commitment (BC)
A two-phase protocol between the sender, S,S, and the receiver, RR.
Commit-phase – SS commits to a bit value, b, without revealing its value to RR.
Reveal-phase – SS reveals b to R R and proves that this is the value he had committed to (in the commit-phase).
3
Bit-Commitment cont.
SS RR
Commit-phase
bb
4
Bit-Commitment cont.
Reveal-phase
bb
SS RR
5
Bit-Commitment cont.
Hiding – RR does not learn the value of b during the commit-phase.
Binding – SS cannot prove (in the reveal-phase) that he had committed to a different value than the one he had really committed to.
6
Different Types Of Bit-Commitment.
Computationally-hiding perfectly-binding BC: RR does not get (through the commit-phase) any computational-knowledge about b. SS cannot (whatsoever) “cheat” in the reveal-phase.
Statistically-hiding computationally-binding BC: RR does not get any noticeable information about b. A computationally-bounded SS cannot “cheat” in the reveal-phase.
Perfectly-hiding computationally-binding BC:RR does not get any information about b. …
7
Different Types Of Bit-Commitment (comparison).
In order to In order to breakbreak the the Computationally-hiding perfectly-binding protocol,protocol, RR needs to get needs to get super-polynomialsuper-polynomial powers anytime powers anytime afterafter the commit- the commit-phase..
In order to In order to breakbreak the the Statistically-hiding computationally-binding protocol,protocol, SS needs to get super- needs to get super-polynomial powers polynomial powers before the endbefore the end of of the reveal-the reveal-phase..
8
The importance of stat. – hiding comp. binding BC
Building block in constructions of Statistically Zero-Knowledge arguments. Other cryptographic applications(e.g., Coin-flipping protocols).
9
Previous Implementations
Number theoretic assumptions* (BKK, BCC).
Claw-free permutations* (GK). Collision resistance hash functions
(DPP, HM). One-way permutations* (NOVY).* : Perfectly-hiding.
What are the minimal general hardness assumptions that yield Statistically-hiding computationally-binding BC?
Do one-way functions suffice?
10
Our ResultStatistically-hiding
computationally-binding BC using approximable-size one-way functions.
Approx.-size OWF – a OWF f is an approx.- size if we can efficiently approximate the number of pre-images of any y2 Im(f).
Any regular OWF is an approx.- size one.Regular OWF - a OWF f is regular if there
exists a constant r s.t. the number of pre-images of any y2 Im(f) is r.
11
The NOVY protocol
A BC protocol based on an underlying function f:{0,1}n ! {0,1}n
I. If f is a permutation then the protocol is perfectly-hiding.
II. If f is a permutation and one-way then the protocol is computationally-binding.
Perfectly-hiding computationally-binding
BC based on one-way permutations.
12
One–Way Functions One–way function (OWF):
f:{0,1}n!{0,1}m is a OWF if for any ppt A, PrxÃ{0,1}n[A(f(x)) 2 f-1(f(x))] = neg(n)
One–way function on range:for any ppt A, PryÃImage(f) [A(y)2 f-1(y)] = neg(n)
Any regular-OWF is also one-way on range.
13
(,)-balanced Distribution.
{0,1}n
Bad •|Bad| · 2n.• PryÃD[y2 Bad] ·.
For all zBad : |PryÃD[y = z ] - 1/2n| · /2n.
f:{0,1}n !{0,1}m is (,)-balanced if
f(Un) is (,)-balanced.
D is (,)-balanced
14
{0,1}n{0,1}n
D
Example…
Bad D is (1/4, 1/3)-
balanced
15
-hiding Bit-Commitment-hiding BC: A BC is -hiding if
from RR’s point of view, after the commit-phase, the statistical-difference between the cases when b=0 and b=1 is at most .
A statistically-hiding BC is a neg-hiding BC (negis a negligible function of n).
16
The NOVY protocol (restated)
A generic scheme of BC protocol based on an underlying function f:{0,1}n ! {0,1}m
I. If f is a one-way function on range then the protocol is computationally-binding.
II. If f is (,)-balanced then the protocol is (+)-hiding.
The task: Implementing a balanced one-way function on range using approximable-size OWF.
17
Universal-Hashing
Let H be a family of functions from {0,1}n!{0,1}m. H is a k-universal hash family, if the output of a uniformly chosen h2H over k distinct elements in {0,1}n, are k independent random variables in {0,1}m.
18
Each element in {0,1}m has about the expected number of pre-images w.r.t. h(i.e., |S|¢2-m) in S. Where the estimation gets better as k and |S| get bigger and m gets smaller.
hÃH, where H is k-universal
{0,1}n
S zh-1(z)
Hashing Lemma
{0,1}m
h
19
3n-universality of H - each z2{0,1}m has about the same number of pre-images, w.r.t. h, in Im(f).
r-regularity of f - each z2{0,1}m has about the same number of pre-images, w.r.t. g, in {0,1}n.
g is “rather” balanced..
universal constant
g is (2-n,1/2)-balanced one-way on range function.
m=n-log(r)–log(cn)If m is too
small g is not guaranteed to be one-way.
g(h,x) ≡ h(f(x)),h
{0,1}mh
Balanced One-Way Function On Range From Regular OWF
{0,1}n f
{0,1}l(
n)
Im(f)
m=?
{0,1}m
g(Un) m = n-log(r)
(|{0,1}m| = |Im(f)|)
mmm
Danger!
r-regular OWF
hÃH where H 3n-universal
zh-1(z)g-1(z) zh-1(z)
20
Claim: g is (2-n,1/2)-balanced one-way on range function.
g is (2-n,1/2)-balanced. g is one-way – (by our choice of m) a given
output element in {0,1}m does not have “too-many” (up to polynomially many) pre-images, w.r.t. h2H, in Im(f). We can reduce the hardness of g to the hardness of f.
g is one-way on range- there are about the same number of pre-images per output element. Similar to the regular OWF case.
21
Getting Statiscally–Hiding Computationally-Binding BC
When using g with the NOVY protocol we achieve 1/2-hiding computationally-binding BC.
The amplification into statistically-hiding computationally-binding BC is done through a standard secret-sharing technique.
22
Balanced One-Way Function On Range From Approx.-Size OWF
The following construction was given by [Häastad, Impagliazzo, Levin & Luby].
Let f:{0,1}n!{0,1}m be an approx.-size OWF and let for y2{0,1}m, D(y) ≡ log(|f-1(y)|).
f x f(x)
h
h(x)1…D(f(x))+2 h 0(n-D(f(x)-2)
g(h,x) ≡ f(x),h(x)1...D(f(x)),h,0(n-D(f(x)))
23
From Approx.-Size OWF cont.
Thm [HILL]: g is “almost” 1-1 one-way function.
Hence by plugging g in the construction for regular OWF we get (2-n,1/2)-balanced one-way function on range.
Using secret-sharing we get statiscally–hiding computationally-binding BC.
24
Open Problems
Stat-hiding comp.-binding BC from any OWF?It suffices to give a construction for
semi-honest R.R. Black-Box separation between
Stat-hiding comp.-binding BC and OWF?
Efficient round complexity?