Collision Resistant Hashing for Paranoids: Dealing with Multiple Collisions



SLIDE 1

Collision Resistant Hashing for Paranoids: Dealing with Multiple Collisions

Eylon Yogev, Ilan Komargodski & Moni Naor

Weizmann Institute of Science

Eurocrypt 2018, Tel Aviv

SLIDE 2

"Ask less of a hash function and it is less likely to disappoint!" (Bellare-Rogaway '97)

What is the "right" notion of hardness of finding collisions in a cryptographic hash function? Depends on the application!

  • Universal One-Way Hash Functions (UOWHF)
  • Multiple Collision Resistant Hashing (MCRH)
  • Collision Resistant Hashing (CRH)

Applications: storing passwords, delegation of computation, signatures, POW/blockchains

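SLIDE 3

Hash Functions

$H$: hash function family. Each $h \in H$ is

  • 1. Easy to compute
  • 2. Compressing: $h\colon \{0,1\}^{2n} \to \{0,1\}^{n}$

Easy to sample $h \leftarrow H$.

CRH game: the adversary is given $h$ and outputs $x, y$. Adv wins if $h(x) = h(y)$.

UOWHF game: the adversary outputs $x$, is then given $h$, and outputs $y$. Adv wins if $h(x) = h(y)$.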

SLIDE 4

Collision Resistant Hash Functions

  • Assumptions yielding CRH: Factoring, DL, LWE…
  • Popular CRH: SHA-2, SHA-3…
  • Black-box separation from one-way permutations [Simon98]
  • Composes nicely: small compression yields any polynomial compression, $h\colon \{0,1\}^{n^c} \to \{0,1\}^{n}$

CRH game: the adversary is given $h$ and outputs $x, y$. Adv wins if $h(x) = h(y)$.

SLIDE 7

Succinct Commitment: Local Opening

Committing to a long string by a short one. Merkle-tree construction:

[Figure: Merkle tree with leaves $x_1, \dots, x_8$ and root $y$]

  • Key application is succinct and local arguments [Kilian92, BarakGoldreich08]:
    • Input $x$ is a PCP proof for a statement
    • Verifier opens a small number of positions
  • Opening is given by the path to the root
  • More applications:
    • Constant-round zero-knowledge arguments
    • Constant-round statistical zero-knowledge
    • Memory delegation
    • Statistically hiding commitments

SLIDE 8

$k$-Multi Collision Resistant Hashing

MCRH game: the adversary is given $h$ and outputs $x_1, \dots, x_k$. Adv wins if $h(x_1) = \dots = h(x_k)$.

  • MCRH but not CRH: let $h$ be a CRH, $x = x_1 \dots x_n$ and $h'(x) = h(x_2 \dots x_n)$. Then $h'$ is a 3-MCRH but not a CRH!
  • MCRH do not compose nicely [Joux04]!
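
The reduction behind the "3-MCRH but not a CRH" claim, written out as an added example that is not part of the original slides. It assumes SHA-256 truncated to 16 bits as a toy stand-in for $h$, so that a collision in $h$ can be found by brute force; all function names are illustrative.

```python
import hashlib
from itertools import combinations, count

OUT_BITS = 16  # toy output length (assumption) so collisions in h are findable

def h(bits: str) -> int:
    """Toy stand-in for a CRH h: SHA-256 truncated to OUT_BITS bits."""
    digest = hashlib.sha256(bits.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - OUT_BITS)

def h_prime(bits: str) -> int:
    """The slide's h'(x) = h(x_2 ... x_n): the first bit is ignored."""
    return h(bits[1:])

def trivial_collision(x: str) -> tuple[str, str]:
    """h' is not a CRH: flipping the ignored first bit always collides."""
    return x, ("1" if x[0] == "0" else "0") + x[1:]

def collision_in_h(three: list[str]) -> tuple[str, str]:
    """Reduction: any 3-collision in h' yields a collision in h.
    Each tail x_2..x_n has only two preimages, so three distinct inputs
    contain two distinct tails, and those tails collide under h."""
    assert len(set(three)) == 3 and len({h_prime(x) for x in three}) == 1
    for a, b in combinations(three, 2):
        if a[1:] != b[1:]:
            return a[1:], b[1:]
    raise AssertionError("unreachable: three inputs cannot share one tail")

def find_h_collision(n: int = 32) -> tuple[str, str]:
    """Birthday search on the toy h; feasible only because OUT_BITS is tiny."""
    seen = {}
    for i in count():
        tail = format(i, f"0{n - 1}b")
        digest = h(tail)
        if digest in seen:
            return seen[digest], tail
        seen[digest] = tail

def demo():
    pair = trivial_collision("0" * 32)          # constructed sample input
    t1, t2 = find_h_collision()
    three = ["0" + t1, "1" + t1, "0" + t2]      # a 3-collision in h'
    return pair, three, collision_in_h(three)
```

Building the 3-collision in `demo` requires first breaking the toy $h$, which is the point: with a real CRH in place of the 16-bit stand-in, no 3-collision in $h'$ can be produced without a collision in $h$.
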
SLIDE 9

The Bipartite Ramsey Problems [KNY17]

The bipartite Ramsey Problem:

  • Given a bipartite $2^n \times 2^n$ graph, given implicitly by a $\mathrm{poly}(n)$ circuit, find a bipartite clique or IS of size $\frac{n}{4} \times \frac{n}{4}$.
  • This problem is in TFNP, but is it hard?

Theorem:

  • $n$-MCRH exists ⇒ bipartite Ramsey is hard.
  • bipartite Ramsey is hard ⇒ $\frac{n}{4}$-MCRH exists.

SLIDE 10

The Four Worlds of Cryptographic Hashing

Worlds have black-box separations. Contains major cryptographic primitives!

  • Nocrypt: ∄ one-way functions (∄ UOWHF)
  • Unihash: UOWHF exist but ∄ Multi-CRH
  • Minihash: ∃ Multi-CRH but ∄ CRH
  • Hashomania: ∃ CRH

SLIDE 11

Our Results

Theorem 1: k-MCRH ⇒ constant-round short commitment with local-opening (and statistically hiding).

  • Works for any k.
  • To commit to $n^c$ bits the output is $\tilde{O}(n)$ bits with $O(c)$ rounds.

Theorem 2: k-MCRH ⇒ 4-round short commitment (no local-opening).

  • Works for any constant k (or for any k with slightly stronger assumption).
  • Suffices for constant-round statistical zero-knowledge arguments.

Theorem 3: k-MCRH does not imply standard CRH (in a black-box manner).

  • Actually, we separate k-MCRH from (k+1)-MCRH.
  • Separate MCRH from one-way permutations [Haitner-Hoch-Reingold-Segev-15].
  • w. local opening in full ver

SLIDE 12

Additional Observations

  • Lemma 1: Multi-Pair Collision Resistance ⇔ CRH.
    Find: $h(x_1) = h(y_1), \dots, h(x_k) = h(y_k)$
  • Lemma 2: MCRH ⇒ UOWHF (efficiently) ⇒ OWF.
  • Lemma 3: Short commitment ⇒ UOWHF (efficiently).
    • Assuming the receiver is public-coin.

SLIDE 13

Theorem 1:

k-MCRH ⇒ constant-round short commitment with local-opening (and statistical hiding).

SLIDE 14

Simple Example

Sender's input: $x$.

  • Receiver → Sender: sample $h \in H$ (3-MCRH family) and send $h$.
  • Sender → Receiver: send $y = h(x)$.

Commitment = $y$.

Not committing! There can be an $x'$ with $h(x') = y$.

Solution: add pair-wise hash function – in new round

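SLIDE 15

Simple Example

Sender's input: $x$.

  • Receiver → Sender: sample $h \in H$ (3-MCRH family) and send $h$.
  • Sender → Receiver: send $y = h(x)$.
  • Receiver → Sender: sample $g \in G$ (pairwise family) and send $g$.
  • Sender → Receiver: send $u = g(x)$.

Commitment = $(y, u)$.

Committing! For $x'$ with $h(x') = y$: $g(x') \ne u$.

Remark: can reduce communication by using an almost pairwise hash function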
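
The two versions of the simple example side by side, as an added sketch that is not part of the original slides. Assumptions: $h$ is a fixed stand-in (SHA-256 with the top input bit dropped, so it has a known 2-collision) rather than a sampled 3-MCRH, $g(x) = Ax + b$ over GF(2) is used as the pairwise independent family, and the 64-bit and 32-bit sizes and all names are illustrative.

```python
import hashlib
import secrets

N_BITS, Z_BITS = 64, 32  # toy sizes (assumed): |x| = 64 bits, g outputs z = 32 bits
TOP = 1 << (N_BITS - 1)

def h(x: int) -> bytes:
    """Stand-in for a 3-MCRH that is not a CRH: SHA-256 of x without its top bit."""
    return hashlib.sha256((x & (TOP - 1)).to_bytes(8, "big")).digest()

def sample_g():
    """Receiver's message: g(x) = A*x + b over GF(2), a pairwise independent
    family (A is a random Z_BITS x N_BITS bit matrix, b a random Z_BITS vector)."""
    return [secrets.randbits(N_BITS) for _ in range(Z_BITS)], secrets.randbits(Z_BITS)

def eval_g(g, x: int) -> int:
    rows, b = g
    ax = 0
    for i, row in enumerate(rows):
        ax |= (bin(row & x).count("1") & 1) << i  # inner product <row, x> mod 2
    return ax ^ b

def run_commit(x: int):
    """Honest sender; y is fixed before g is sampled, as in the slides."""
    y = h(x)           # Sender -> Receiver
    g = sample_g()     # Receiver -> Sender (new round)
    u = eval_g(g, x)   # Sender -> Receiver
    return y, g, u

def opens_without_g(y: bytes, x: int) -> bool:
    return h(x) == y

def opens_with_g(y: bytes, g, u: int, x: int) -> bool:
    return h(x) == y and eval_g(g, x) == u

def demo():
    x = 0x0123456789ABCDEF   # constructed sample input
    x_alt = x ^ TOP          # collides with x under h by construction
    y, g, u = run_commit(x)
    return {
        "y_opens_x": opens_without_g(y, x),
        "y_opens_x_alt": opens_without_g(y, x_alt),        # True: not committing
        "yu_opens_x": opens_with_g(y, g, u, x),
        "yu_opens_x_alt": opens_with_g(y, g, u, x_alt),    # False except w.p. 2^-32
    }
```
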

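SLIDE 16

Simple Example - Proof

  • Receiver → Adversary: sample $h \in H$ (3-MCRH family) and send $h$.
  • Adversary → Receiver: $y$.
  • Receiver → Adversary: sample $g \in G$ (pairwise family) and send $g$.
  • Adversary → Receiver: $u$.

Commitment = $(y, u)$.

Adversary outputs $x_1, x_2$ with $h(x_1) = h(x_2) = y$ and $g(x_1) = g(x_2) = u$.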

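SLIDE 17

Simple Example - Proof

  • Receiver → Adversary: sample $h \in H$ (3-MCRH family) and send $h$.
  • Adversary → Receiver: $y$.
  • Receiver → Adversary: sample $g' \in G$ (pairwise family) and send $g'$.
  • Adversary → Receiver: $u'$, then $x_3, x_4$.

$h(x_1) = h(x_2) = y = h(x_3) = h(x_4)$

$g(x_1) = g(x_2) = u$

$g'(x_3) = g'(x_4) = u'$

Did we find a 3-collision? $\Pr[g'(x_1) = g'(x_2)] = 2^{-z}$ ⇒ $x_1, x_2, x_3, x_4$ form a 3-collision!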

SLIDE 18

Full Construction

Ingredients:

  • 1. $H$ – a k-MCRH family.
  • 2. $G$ – pairwise independent hash family from $2n$ bits to $z$ bits ($z$ will be determined later).

Protocol:

  • 1. R ⇒ S: Samples $h \in H$ and sends $h$.
  • 2. S ⇒ R: Compute a Merkle tree and send the root-hash $y$.
  • 3. R ⇒ S: Sample $g \in G$ and send $g$.
  • 4. S ⇒ R: Send $x' = u_1, \dots, u_N$, where $u_i = \big(g(\pi_v \pi_{N(v)})\big)_{v \in \mathrm{path}_i}$
  • 5. Important: $|x'| < |x|$

[Figure: Merkle tree with leaves $x_1, \dots, x_8$, internal nodes $\pi_1, \dots, \pi_7$ and root $y$; labels $g(x_3 x_4)$, $g(\pi_5 \pi_6)$, $g(\pi_1 \pi_2)$]

Note: this is not a hash-tree of $g$

SLIDE 19

Full Construction

Ingredients:

  • 1. $H$ – a k-MCRH family.
  • 2. $G$ – pairwise independent hash family from $2n$ bits to $z$ bits ($z$ will be determined later).

Protocol:

  • 1. R ⇒ S: Samples $h \in H$ and sends $h$.
  • 2. S ⇒ R: Compute a Merkle tree and send the root-hash $y$.
  • 3. R ⇒ S: Sample $g \in G$ and send $g$.
  • 4. S ⇔ R: Recursively interact to commit on the string $x' = u_1, \dots, u_N$, where $u_i = \big(g(\pi_v \pi_{N(v)})\big)_{v \in \mathrm{path}_i}$

Important: $|x'| < |x|$

[Figure: Merkle tree with leaves $x_1, \dots, x_8$, internal nodes $\pi_1, \dots, \pi_7$ and root $y$; labels $g(x_3 x_4)$, $g(\pi_5 \pi_6)$, $g(\pi_1 \pi_2)$]

Note: this is not a hash-tree of $g$


SLIDE 21

Full Construction

Ingredients:

  • 1. $H$ – a k-MCRH.
  • 2. $G$ – pairwise independent hash family from $2n$ bits to $z$ bits.

Parameters:

  • Input size: $n^c$
  • Set: $z = n^{1-\delta}$
  • Size of $x'$: $n^{c-1} z = n^{c-\delta}$
  • #rounds: $\frac{c}{\delta} = O(1)$

Remark: Use the same $h$ in all recursions

[Figure: Merkle tree with leaves $x_1, \dots, x_8$, internal nodes $\pi_1, \dots, \pi_7$ and root $y$; labels $g(x_3 x_4)$, $g(\pi_5 \pi_6)$, $g(\pi_1 \pi_2)$]

SLIDE 22

Proof

Protocol:

  • 1. R ⇒ S: Samples $h \in H$ and sends $h$.
  • 2. S ⇒ R: Compute a Merkle tree and send the root-hash $y$.
  • 3. R ⇒ S: Sample $g \in G$ and send $g$.
  • 4. S ⇔ R: Recursively interact to commit on the string $x' = u_1, \dots, u_N$, where $u_i = \big(g(\pi_v \pi_{N(v)})\big)_{v \in \mathrm{path}_i}$.

Proof:

  • 1. Let A be an adversary.
  • 2. Run A to get a pair of openings
  • 3. Partially rewind A and re-run with a freshly sampled $g \in G$
  • 4. Repeat until there is a node with k distinct values

Iterations are not independent ⇒ proof uses Azuma's inequality

[Figure: Merkle tree with leaves $x_1, \dots, x_8$, internal nodes $\pi_1, \dots, \pi_7$ and root $y$; labels $g(x_3 x_4)$, $g(\pi_5 \pi_6)$, $g(\pi_1 \pi_2)$]

SLIDE 23

Theorem 2: k-MCRH ⇒ 4-round short commitment (no local-opening).

  • Main tool: a special kind of encoding - list-recoverable codes [GS99, GI02, GUV09].
    • generalize list-decoding codes: each symbol is replaced with a list of symbols.
    • used in crypto context [MT07, DS11, HIOS15]
    • In our proof, the list of symbols is list of values the adversary can open to.
  • Also sufficient for hash-and-sign paradigm:
    • To sign a message $m$:
      • simulate the commitment protocol on $m$.
      • sign the transcript.

SLIDE 24

Concurrent Work

  • 1. Multi-Collision Resistance: A Paradigm for Keyless Hash Functions [Bitansky-Kalai-Paneth]. Main focus is keyless hash function.
    • 1. 3-message zero-knowledge arguments for NP.
    • 2. 3-message succinct arguments of knowledge for NP.
  • 2. Multi Collision Resistant Hash Functions and their Applications [Berman-Degwekar-Rothblum-Vasudevan]
    • 1. A construction of MCRH from hardness of a variant of Entropy Approximation.
    • 2. Constant-round statistically hiding commitment from MCRH.

Thanks!

Can find all three papers on eprint