nach oben

Journal of Cryptology

Erschienen in:

01.01.2014

A New Interactive Hashing Theorem

verfasst von: Iftach Haitner, Omer Reingold

Erschienen in: Journal of Cryptology | Ausgabe 1/2014

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan, and Yung (J. Cryptol. 11(2):87–108, 1998), plays an important role in many cryptographic protocols. In particular, interactive hashing is a major component in all known constructions of statistically hiding commitment schemes and of statistical zero-knowledge arguments based on general one-way permutations/functions. Interactive hashing with respect to a one-way function f is a two-party protocol that enables a sender who knows y=f(x) to transfer a random hash z=h(y) to a receiver such that the sender is committed to y: the sender cannot come up with x and x′ such that f(x)≠f(x′), but h(f(x))=h(f(x′))=z. Specifically, if f is a permutation and h is a two-to-one hash function, then the receiver does not learn which of the two preimages {y,y′}=h ⁻¹(z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing, and proves the security of a variant of the Naor et al. protocol, which yields a more versatile interactive hashing theorem. When applying our new proof to (an equivalent variant of) the Naor et al. protocol, we get an alternative proof for this protocol that seems simpler and more intuitive than the original one, and achieves better parameters (in terms of how security preserving the reduction is).

Vorheriger Artikel (Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

Nächster Artikel Security Models and Proof Strategies for Plaintext-Aware Encryption

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

\({\mathcal{H}}\) is a family of collision resistant hash functions if given a random \(h\in{\mathcal{H}}\), it is infeasible to find x ₁≠x ₂ with h(x ₁)=h(x ₂).

[9] is the full version that corresponds to Nguyen et al. [17] and Haitner and Reingold [5]. Reference [17] is independent of this work and [5] is subsequent to both [17] and this work.

I.e., for every x≠x′∈{0,1}ⁿ, the distribution (h(x),h(x′)) induced by uniformly selecting h from the family, is close to being uniform over {0,1}ⁿ⁻¹×{0,1}ⁿ⁻¹.

Assume for example that the one-way permutation equals the identity function on the set T of all strings that start with n/4 zeros (where n is the input length). Now given a hash function h, all that the cheating sender has to do is to find a collision y ₁≠y ₂∈T with h(y ₁)=h(y ₂). Such a collision is likely to exist by the birthday paradox, and for many families of hash functions (e.g., linear mappings) finding such a collision is easy.

Actually, the fact that the combined reduction works, yields the result that the second reduction also works (see Remark 4.6). Still, following [16], we use this distinction to simplify the presentation.

Up to this point we did not use the fact that S ^∗ finds two different outputs of f that are consistent with the protocol rather than a single output (and for that purpose, S ^∗ is not more useful than the honest sender). If the statistical difference between D _Ideal and D _Real would have been small enough, we could deduce that the above (efficient) procedure when applied to the honest sender, inverts f with noticeable probability.

A set of random variables \(\{{\mathcal{S}}_{i}\}\) over \({\mathord{\mathcal{U}}}\) is pairwise independent, if Pr[S _i=u _i∧S _j=u _j]=Pr[S _i=u _i]⋅Pr[S _j=u _j] for any i≠j and \(u_{i},u_{j}\in{\mathord{\mathcal{U}}}\).

Note that \({\overline{h}}'\) can be found in deterministic polynomial time using Gaussian elimination.

That is, \(\Pr_{h \gets{\mathcal{H}}}[h(x_{1})\oplus h(x_{2})=y] = 2^{-\ell}\) for any distinct \(x_{1},x_{2}\in{\mathrm {Consist}}_{{\overline {h}},\overline{z}}\) and any y∈{0,1}^ℓ.

In a linear-preserving reduction, the time-success ratio of an adversary violating the hardness of the relation, is larger than the time-success ratio of an adversary breaking the binding of the interactive hashing protocol, by at most a multiplicative polynomial factor.

[8, Theorem 4.4] also holds with respect to somewhat more general choice of one-way functions. Specifically, [8] consider the case where the number of preimages is not fixed for all outputs, but rather can be efficiently approximated. As in [8], the proof of Theorem A.1 can be easily extended to such functions.

The assumption that f is length-preserving is without lost of generality, see [3, 11].

[1]

G. Brassard, D. Chaum, C. Crépeau, Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988) CrossRefMATH

[2]

L.J. Carter, M.N. Wegman, Universal classes of Hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979) CrossRefMATHMathSciNet

[3]

O. Goldreich, Foundations of Cryptography: Basic Tools (Cambridge University Press, Cambridge, 2001) CrossRef

[4]

O. Goldreich, S. Goldwasser, N. Linial, Fault-tolerant computation in the full information model. SIAM J. Comput. 27, 447–457 (1998) MathSciNet

[5]

I. Haitner, O. Reingold, Statistically hiding commitment from any one-way function, in Proceedings of the 39th Annual ACM Symposium on Theory of Computing (STOC) (2007), pp. 1–10

[6]

I. Haitner, O. Reingold, A new interactive hashing theorem, in Proceedings of the 18th Annual IEEE Conference on Computational Complexity (2007), pp. 319–332

[7]

I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—a tight lower bound on the round complexity of statistically-hiding commitments, in Proceedings of the 48th Annual Symposium on Foundations of Computer Science (FOCS) (2007), pp. 669–679 CrossRef

[8]

I. Haitner, O. Horvitz, J. Katz, C. Koo, R. Morselli, R. Shaltiel, Reducing complexity assumptions for statistically hiding commitment. J. Cryptol. 22(3), 283–310 (2009) CrossRefMATHMathSciNet

[9]

I. Haitner, M. Nguyen, S.J. Ong, O. Reingold, S. Vadhan, Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009). Preliminary versions in FOCS’06 and STOC’07 CrossRefMATHMathSciNet

[10]

I. Haitner, O. Reingold, S. Vadhan, H. Wee, Inaccessible entropy, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC) (2009), pp. 611–620 CrossRef

[11]

I. Haitner, D. Harnik, O. Reingold, On the power of the randomized iterate. SIAM J. Comput. 40(6), 1486–1528 (2011). Preliminary version in Crypto’06 CrossRefMATHMathSciNet

[12]

J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28, 1364–1396 (1999). Preliminary versions in STOC’89 and STOC’90 CrossRefMATHMathSciNet

[13]

T. Koshiba, Y. Seri, Round-efficient one-way permutation based perfectly concealing bit commitment scheme. Technical Report TR06-093, ECCC (2006). http://eccc.hpi-web.de/report/2006/093/

[14]

Y. Lindell, Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003) CrossRefMATHMathSciNet

[15]

M. Naor, M. Yung, Universal one-way Hash functions and their cryptographic applications, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC) (1989), pp. 33–43

[16]

M. Naor, R. Ostrovsky, R. Venkatesan, M. Yung, Perfect zero-knowledge arguments for NP using any one-way permutation. J. Cryptol. 11(2), 87–108 (1998). Preliminary version in CRYPTO’92 CrossRefMATHMathSciNet

[17]

M. Nguyen, S.J. Ong, S. Vadhan, Statistical zero-knowledge arguments for NP from any one-way function, in Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS) (2006), pp. 3–14

[18]

R. Ostrovsky, R. Venkatesan, M. Yung, Secure commitment against all powerful adversary, in 9th Annual Symposium on Theoretical Aspects of Computer Science (1992), pp. 439–448

[19]

R. Ostrovsky, R. Venkatesan, M. Yung, Fair games against an all-powerful adversary. AMS DIMACS Ser. Discrete Math. Theor. Comput. Sci. 13, 155–169 (1993). Preliminary version in SEQUENCES’91 MathSciNet

[20]

R. Ostrovsky, R. Venkatesan, M. Yung, Interactive hashing simplifies zero-knowledge protocol design, in Advances in Cryptology—EUROCRYPT’93 (1993), pp. 267–273

[21]

H. Wee, One-way permutations, interactive hashing and statistically hiding commitments, in Theory of Cryptography, Fourth Theory of Cryptography Conference, TCC 2007 (2007), pp. 419–433

Titel: A New Interactive Hashing Theorem
verfasst von: Iftach Haitner
Omer Reingold
Publikationsdatum: 01.01.2014
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 1/2014
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-012-9139-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2014

(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

Erratum to: A Comparison of Cryptanalytic Tradeoff Algorithms

An Efficient State Recovery Attack on the X-FCSR Family of Stream Ciphers

Security Models and Proof Strategies for Plaintext-Aware Encryption

Concurrent Zero Knowledge, Revisited

A One-Time Stegosystem and Applications to Efficient Covert Communication