Inaccessible Entropy

Post on 24-Feb-2016


Slides by Omer Reingold (Weizmann & Microsoft), Salil Vadhan (Harvard University), Iftach Haitner (Microsoft Research) and Hoeteck Wee (Queens College, CUNY). PowerPoint PPT presentation.

transcript

Inaccessible Entropy

Iftach Haitner, Microsoft Research

Omer Reingold, Weizmann & Microsoft

Hoeteck Wee, Queens College, CUNY

Salil Vadhan, Harvard University

outline

– Entropy
– Secrecy & Pseudoentropy
– Unforgeability & Inaccessible Entropy
– Applications

Def: The Shannon entropy of r.v. $X$ is $H(X) = E_{x \leftarrow X}[\log(1/\Pr[X=x])]$

$H(X)$ = "bits of randomness in $X$ (on average)"; $0 \le H(X) \le \log|\mathrm{Supp}(X)|$

Conditional entropy: $H(X|Y) = E_{y \leftarrow Y}[H(X|Y=y)]$

Entropy

[Figure: $H(X) = E_{x \leftarrow X}[\log(1/\Pr[X=x])]$ shown between its two extremes: $H(X) = 0$ when $X$ is concentrated on a single point, and $H(X) = \log|\mathrm{Supp}(X)|$ when $X$ is uniform on $\mathrm{Supp}(X)$.]

Worst-Case Entropy Measures

Min-entropy: $H_\infty(X) = \min_x \log(1/\Pr[X=x])$

Max-entropy: $H_0(X) = \log|\mathrm{Supp}(X)|$

$H_\infty(X) \le H(X) \le H_0(X)$


Perfect Secrecy & Entropy

Def [Sh49]: Encryption scheme (Enc,Dec) has perfect secrecy if $\forall\, m,m' \in \{0,1\}^n$,

$\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are identically distributed for a random key $K$.

Thm [Sh49]: Perfect secrecy $\Rightarrow |K| \ge n$

Perfect Secrecy $\Rightarrow |K| \ge n$

Proof: Perfect secrecy

$\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv (M, \mathrm{Enc}_K(M'))$ for $M, M' \leftarrow \{0,1\}^n$

$\Rightarrow H(M \mid \mathrm{Enc}_K(M)) = n$. Decryptability

$\Rightarrow H(M \mid \mathrm{Enc}_K(M), K) = 0 \Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.

Combining the two lines, $n \le H(K) \le |K|$.

Computational Secrecy

Def [GM82]: Encryption scheme (Enc,Dec) has computational secrecy if $\forall\, m,m' \in \{0,1\}^n$,

$\mathrm{Enc}_K(m)$ and $\mathrm{Enc}_K(m')$ are computationally indistinguishable.

$\Rightarrow$ can have $|K| \ll n$.

Where Shannon's Proof Breaks

Computational secrecy $\Rightarrow (M, \mathrm{Enc}_K(M)) \equiv_c (M, \mathrm{Enc}_K(M'))$ for $M, M' \leftarrow \{0,1\}^n$

$\Rightarrow$ "$H_{\mathrm{pseudo}}(M \mid \mathrm{Enc}_K(M))$" $= n$. Decryptability

$\Rightarrow H(M \mid \mathrm{Enc}_K(M)) \le H(K)$.

Key point: can have $H_{\mathrm{pseudo}}(X) \gg H(X)$, e.g. $X = G(U_k)$ for a PRG $G : \{0,1\}^k \to \{0,1\}^n$.

Pseudoentropy

Def [HILL90]: $X$ has pseudoentropy $\ge k$ iff there exists a random variable $Y$ s.t.
1. $Y \equiv_c X$
2. $H(Y) \ge k$

Pseudoentropy Generator:

[Figure: generator $G$ on seed $S \leftarrow \{0,1\}^n$ outputs $X$, with $X \equiv_c Y$.]

Application of Pseudoentropy

Thm [HILL90]: $\exists$ OWF $\Rightarrow \exists$ PRG. Proof outline:

OWF
→ (hardcore bit [GL89] + hashing) →
$X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
→ (repetitions) →
$X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
→ (hashing) →
PRG


Unforgeability

Crypto is not just about secrecy. Unforgeability: security properties saying that it is hard for an adversary to generate "valid" messages.
– Unforgeability of MACs, digital signatures
– Collision-resistance of hash functions
– Binding of commitment schemes

Cf. decision problems vs. search/sampling problems.

Ex: Collision-resistant Hashing

Shrinking Collision Resistance: Given $f \leftarrow \mathcal{F}$, an efficient $A$ cannot output $x_1 \ne x_2$ such that $f(x_1) = f(x_2)$

$\mathcal{F} = \{ f : \{0,1\}^n \to \{0,1\}^{n-k} \}$

Ex: Collision-resistant Hashing

Shrinking: $H(X \mid F, Y) \ge k$. Collision resistance: from (even a cheating) $G$'s point of view, $X$ is determined by $(F, Y)$, i.e. $X$ has "accessible" entropy 0.

[Figure: $\mathcal{F} = \{f : \{0,1\}^n \to \{0,1\}^{n-k}\}$; generator $G$ picks $X \leftarrow \{0,1\}^n$, is given $F \leftarrow \mathcal{F}$, outputs $Y = F(X)$ and then $X$.]

Ex: Collision-resistant Hashing

Collision resistance: $H(X \mid F, Y, S_1) = \mathrm{neg}(n)$ for every efficient $G^*$.

[Figure: $\mathcal{F} = \{f : \{0,1\}^n \to \{0,1\}^{n-k}\}$; a cheating $G^*$, given $F \leftarrow \mathcal{F}$, uses coins $S_1 \leftarrow \{0,1\}^r$ to output $Y$ and then coins $S_2 \leftarrow \{0,1\}^r$ to output $X \in F^{-1}(Y)$.]

Measuring Accessible Entropy

Goal: a useful entropy measure to capture the possibility that $H_{\mathrm{acc}}(X) \ll H(X)$.

1st attempt: $X$ has accessible entropy at most $k$ if there is a random variable $Y$ s.t.
1. $Y \equiv_c X$
2. $H(Y) \le k$

Not useful! Every $X$ is indistinguishable from some $Y$ of entropy $\mathrm{polylog}(n)$.

Inaccessible Entropy

Idea: A generator $G$ has inaccessible entropy if

$H$($G$'s outputs from an observer's perspective) [real entropy]

$>$

$H$($G^*$'s outputs from $G^*$'s perspective) [accessible entropy]

Def: The real entropy of $G$ is $H(Y_1, \dots, Y_m \mid Z) = \sum_i H(Y_i \mid Z, Y_1, \dots, Y_{i-1})$

[Figure: $G$ with coins $R \leftarrow \{0,1\}^n$ and input $Z$ outputs $Y_1, Y_2, \dots, Y_m$.]

Accessible Entropy

Def: $G$ has accessible entropy at most $k$ if $\forall$ PPT $G^*$,

$\sum_i H(Y_i \mid Z, S_1, S_2, \dots, S_{i-1}) \le k$

Inaccessible entropy = real entropy $-$ accessible entropy. An unbounded $G^*$ can achieve the real entropy.

[Figure: $G^*$ on input $Z$ uses coins $S_1, S_2, \dots, S_m$ to output $Y_1, Y_2, \dots, Y_m$, and finally outputs $R$ s.t. $G(Z, R) = (Y_1, \dots, Y_m)$.]

OWF $\Rightarrow$ Inaccessible Entropy

Given a one-way function $f : \{0,1\}^n \to \{0,1\}^n$, define $G(X) = (f(X)_1, f(X)_2, \dots, f(X)_n, X)$ for $X \leftarrow \{0,1\}^n$, i.e. $Y_i = f(X)_i$ for $i \le n$ and $Y_{m+1} = X$ (here $m = n$).

Claim: Real entropy $= n$; accessible entropy $< n - \log n$.

[cf. Omer's talk: $G(x) = (f(x), x_1, \dots, x_n)$ has next-bit pseudoentropy $n + \log n$ for OWP $f$]

[Figure: $G$ picks $X \leftarrow \{0,1\}^n$ and outputs the bits $f(X)_1, f(X)_2, \dots, f(X)_n$ one at a time, followed by $X$ itself as $Y_{m+1}$.]
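Shannon's bound $H(M \mid \mathrm{Enc}_K(M)) \le H(K)$ from the secrecy section, the inequality $H_\infty \le H \le H_0$, and the real-entropy claim for $G(X) = (f(X)_1, \dots, f(X)_n, X)$ above, checked by brute force on tiny parameters. This is an added Python example, not code from the talk; the repeated-key toy cipher and the 4-bit functions $f$ are constructed for illustration.

```python
# Added example (not from the talk): brute-force entropy measures on tiny
# distributions, checking Shannon's bound H(M|Enc_K(M)) <= H(K) on a
# constructed toy cipher and the real entropy of G(X) = (f(X)_1..f(X)_n, X).
from collections import Counter
from math import log2

def shannon(samples):
    """H(X) = E_x[log(1/Pr[X=x])] over a list of equally likely samples."""
    c, n = Counter(samples), len(samples)
    return sum(-(k / n) * log2(k / n) for k in c.values())

def conditional(pairs):
    """H(X|Y) = E_y[H(X|Y=y)] from a list of equally likely (x, y) samples."""
    by_y = {}
    for x, y in pairs:
        by_y.setdefault(y, []).append(x)
    return sum(len(xs) / len(pairs) * shannon(xs) for xs in by_y.values())

def min_entropy(samples):
    """H_inf(X) = min_x log(1/Pr[X=x])."""
    return -log2(max(Counter(samples).values()) / len(samples))

def max_entropy(samples):
    """H_0(X) = log|Supp(X)|."""
    return log2(len(set(samples)))

def toy_cipher(n_bits, key_bits):
    """Constructed cipher Enc_K(m) = m XOR (K repeated to n bits), with
    M and K uniform; returns (H(M|C), H(K)) so the bound can be checked."""
    pairs, keys = [], []
    for m in range(2 ** n_bits):
        for k in range(2 ** key_bits):
            pad = sum(((k >> (i % key_bits)) & 1) << i for i in range(n_bits))
            pairs.append((m, m ^ pad))
            keys.append(k)
    return conditional(pairs), shannon(keys)

def real_entropy(f, n_bits):
    """Chain-rule sum  sum_i H(Y_i | Y_1..Y_{i-1})  for the generator
    G(X) = (f(X)_1, ..., f(X)_n, X) with X uniform (no input Z here)."""
    outs = [tuple((f(x) >> i) & 1 for i in range(n_bits)) + (x,)
            for x in range(2 ** n_bits)]
    return sum(conditional([(o[i], o[:i]) for o in outs])
               for i in range(n_bits + 1))
```

With a 2-bit key repeated over 4-bit messages, $H(M \mid C)$ equals $H(K) = 2$ rather than the $4$ bits of the message, and the chain-rule sum is $4 = n$ for both a lossy and a bijective 4-bit $f$, since $X$ is part of the output.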

OWF $\Rightarrow$ Inaccessible Entropy

Claim: Accessible entropy $< n - \log n$.

Suppose $G^*$ s.t. $\sum_i H(Y_i \mid S_1, \dots, S_{i-1}) \ge n - \log n$. Then we can invert $f$ on input $Y'$ by sequentially finding $S_1, \dots, S_n$ s.t. $Y_i = Y'_i$ (via sampling). High accessible entropy $\Rightarrow$ success on random $Y = f(X)$ w.p. $1/\mathrm{poly}(n)$.

[Figure: $G^*$ is driven coordinate by coordinate with coins $S_1, \dots, S_n, S_{m+1}$ so that its outputs $Y_1, \dots, Y_n$ match the target $Y' = 0\,1\,0\,\dots$; its final output $R = Y_{m+1}$ is the candidate preimage.]


Commitment Schemes

[Figure, built up over four slides: sender $S$ holds $m \in \{0,1\}^n$. COMMIT STAGE: $S$ and receiver $R$ interact. REVEAL STAGE: $S$ sends $(m, K)$ and $R$ outputs accept/reject.]

Security of Commitments

[Figure: the commit/reveal diagram with $m \in \{0,1\}^n$.]

Hiding (statistical or computational): COMMIT($m$) and COMMIT($m'$) are indistinguishable, even to a cheating $R^*$.

Binding (statistical or computational): even a cheating $S^*$ cannot reveal $(m, K)$, $(m', K')$ with $m \ne m'$.

Statistical Security?

[Figure: the commit/reveal diagram with $m \in \{0,1\}^t$.]

Hiding (statistical / computational), Binding (statistical / computational): statistical hiding and statistical binding at the same time? Impossible!

Statistical Binding

[Figure: the commit/reveal diagram with $m \in \{0,1\}^n$; hiding computational, binding statistical.]

Thm [HILL90,Naor91]: One-way functions $\Rightarrow$ statistically binding commitments

Statistical Hiding

[Figure: the commit/reveal diagram with $m \in \{0,1\}^n$; hiding statistical, binding computational.]

Thm [HNORV07]: One-way functions $\Rightarrow$ statistically hiding commitments

Too complicated!

Our Results I

Much simpler proof that OWF $\Rightarrow$ statistically hiding commitments, via accessible entropy.

Conceptually parallels [HILL90,Naor91] construction of PRGs & Statistically Binding Commitments from OWF.

“Nonuniform” version achieves optimal round complexity, O(n/log n) [HHRS07]

Our Results II

Thm: Assume one-way functions exist. Then: NP has constant-round parallelizable ZK proofs with "black-box simulation" $\Leftrightarrow$ constant-round statistically hiding commitments exist.

($\Leftarrow$ is due to [GK96,G01]; the novelty is $\Rightarrow$.)

Statistically Hiding Commitments & Inaccessible Entropy

[Figure: COMMIT STAGE between $S$ and $R$ with $M \leftarrow \{0,1\}^n$, producing transcript $C$; REVEAL STAGE: $S$ sends $M$ and the key $K$.]

Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$

Statistically Hiding Commitments & Inaccessible Entropy

[Figure: the same protocol with a cheating $S^*$ that uses coins $S_1$ in the commit stage (transcript $C$) and coins $S_2$ in the reveal stage, revealing $M$ and $K$.]

Statistical hiding: $H(M \mid C) = n - \mathrm{neg}(n)$

Comp'l binding: for every PPT $S^*$, $H(M \mid C, S_1) = \mathrm{neg}(n)$

"inaccessible entropy for protocols"

OWF $\Rightarrow$ Statistically Hiding Commitments: Our Proof

OWF
→ (done above) →
$G$ with real entropy $\ge$ accessible entropy $+ \log n$
→ (repetitions) →
$G$ with real min-entropy $\ge$ accessible entropy $+ \mathrm{poly}(n)$
→ ((interactive) hashing [DHRS07] + UOWHFs [NY89,Rom90]) →
"m-phase" commitment
→ (cut & choose & parallel rep) →
statistically hiding commitment

Cf. OWF $\Rightarrow$ Statistically Binding Commitment [HILL90,Nao91]

OWF
→ (hardcore bit [GL89] + hashing) →
$X$ with pseudoentropy $\ge H(X) + 1/\mathrm{poly}(n)$
→ (repetitions) →
$X$ with pseudo-min-entropy $\ge H_0(X) + \mathrm{poly}(n)$
→ (hashing) →
PRG
→ (expand output & translate) →
Statistically binding commitment

Other Applications

Simpler/improved universal one-way hash functions from OWF [HRVW09b]

Inspired simpler/improved pseudorandom generators from OWF [HRV09]

Conclusion

Complexity-based cryptography is possible because of gaps between real & computational entropy.

Secrecy: pseudoentropy $>$ real entropy

Unforgeability: accessible entropy $<$ real entropy

Research Directions

Formally unify inaccessible entropy and pseudoentropy.

Complexity-theoretic applications of inaccessible entropy

Remove “parallelizable” condition from ZK result.

Use inaccessible entropy for new understanding/constructions of MACs and digital signatures.