-
Hardness-Preserving Reductions via Cuckoo Hashing
Authors:
Itay Berman,
Iftach Haitner,
Ilan Komargodski,
Moni Naor
Abstract:
The focus of this work is hardness-preserving transformations of somewhat limited pseudorandom function families (PRFs) into ones with more versatile characteristics. Consider the problem of domain extension of pseudorandom functions: given a PRF that takes as input elements of some domain $U$, we would like to come up with a PRF over a larger domain. Can we do it with little work and without significantly impacting the security of the system? One approach is to first hash the larger domain into the smaller one and then apply the original PRF. Such a reduction, however, is vulnerable to a "birthday attack": after $\sqrt{|U|}$ queries to the resulting PRF, a collision (i.e., two distinct inputs having the same hash value) is very likely to occur. As a consequence, the resulting PRF is insecure against an attacker making this number of queries. In this work we show how to go beyond the aforementioned birthday attack barrier by replacing the above simple hashing approach with a variant of cuckoo hashing, a hashing paradigm that resolves collisions in a table by using two hash functions and two tables, cleverly assigning each element to one of the two tables. We use this approach to obtain: (i) a domain extension method that requires just two calls to the original PRF, can withstand as many queries as the original domain size, and has a distinguishing probability that is exponentially small in the amount of non-cryptographic work; and (ii) a security-preserving reduction from non-adaptive to adaptive PRFs.
Submitted 4 May, 2021;
originally announced May 2021.
-
Distributional Collision Resistance Beyond One-Way Functions
Authors:
Nir Bitansky,
Iftach Haitner,
Ilan Komargodski,
Eylon Yogev
Abstract:
Distributional collision resistance is a relaxation of collision resistance that only requires that it is hard to sample a collision $(x,y)$ where $x$ is uniformly random and $y$ is uniformly random conditioned on colliding with $x$. The notion lies between one-wayness and collision resistance, but its exact power is still not well-understood. On one hand, distributional collision resistant hash functions cannot be built from one-way functions in a black-box way, which may suggest that they are stronger. On the other hand, so far, they have not yielded any applications beyond one-way functions.
Assuming distributional collision resistant hash functions, we construct a constant-round statistically hiding commitment scheme. Such commitments are not known based on one-way functions and are impossible to obtain from one-way functions in a black-box way. Our construction relies on the reduction from inaccessible entropy generators to statistically hiding commitments by Haitner et al. (STOC '09). In the converse direction, we show that two-message statistically hiding commitments imply distributional collision resistance, thereby establishing a loose equivalence between the two notions.
A corollary of the first result is that constant-round statistically hiding commitments are implied by average-case hardness in the class $SZK$ (which is known to imply distributional collision resistance). This implication seems to be folklore, but to the best of our knowledge has not been proven explicitly. We provide yet another proof of this implication, which is arguably more direct than the one going through distributional collision resistance.
Submitted 3 May, 2021;
originally announced May 2021.
-
Compressing Communication in Distributed Protocols
Authors:
Yael Tauman Kalai,
Ilan Komargodski
Abstract:
We show how to compress communication in selection protocols, where the goal is to agree on a sequence of random bits using only a broadcast channel. More specifically, we present a generic method for converting any selection protocol into another selection protocol where each message is "short" while preserving the same number of rounds, the same output distribution, and the same resilience to error. Assuming that the output of the protocol lies in some universe of size $M$, in our resulting protocol each message consists of only $\mathsf{polylog}(M,n,d)$ many bits, where $n$ is the number of parties and $d$ is the number of rounds. Our transformation works in the presence of either static or adaptive Byzantine faults.
As a corollary, we conclude that for any $\mathsf{poly}(n)$-round collective coin-flipping protocol, leader election protocol, or general selection protocol, messages of length $\mathsf{polylog}(n)$ suffice (in the presence of either static or adaptive Byzantine faults).
Submitted 10 May, 2018; v1 submitted 31 May, 2015;
originally announced June 2015.
-
Communication with Contextual Uncertainty
Authors:
Badih Ghazi,
Ilan Komargodski,
Pravesh Kothari,
Madhu Sudan
Abstract:
We introduce a simple model illustrating the role of context in communication and the challenge posed by uncertainty of knowledge of context. We consider a variant of distributional communication complexity where Alice gets some information $x$ and Bob gets $y$, where $(x,y)$ is drawn from a known distribution, and Bob wishes to compute some function $g(x,y)$ (with high probability over $(x,y)$). In our variant, Alice does not know $g$, but only knows some function $f$ which is an approximation of $g$. Thus, the function being computed forms the context for the communication, and knowing it imperfectly models (mild) uncertainty in this context.
A naive solution would be for Alice and Bob to first agree on some common function $h$ that is close to both $f$ and $g$ and then use a protocol for $h$ to compute $h(x,y)$. We show that any such agreement leads to a large overhead in communication ruling out such a universal solution.
In contrast, we show that if $g$ has a one-way communication protocol with complexity $k$ in the standard setting, then it has a communication protocol with complexity $O(k \cdot (1+I))$ in the uncertain setting, where $I$ denotes the mutual information between $x$ and $y$. In the particular case where the input distribution is a product distribution, the protocol in the uncertain setting only incurs a constant factor blow-up in communication and error.
Furthermore, we show that the dependence on the mutual information $I$ is required. Namely, we construct a class of functions along with a non-product distribution over $(x,y)$ for which the communication complexity is a single bit in the standard setting but at least $\Omega(\sqrt{n})$ bits in the uncertain setting.
Submitted 19 July, 2015; v1 submitted 19 April, 2015;
originally announced April 2015.
-
Secret-Sharing for NP
Authors:
Ilan Komargodski,
Moni Naor,
Eylon Yogev
Abstract:
A computational secret-sharing scheme is a method that enables a dealer that has a secret to distribute this secret among a set of parties such that a "qualified" subset of parties can efficiently reconstruct the secret while any "unqualified" subset of parties cannot efficiently learn anything about the secret. The collection of "qualified" subsets is defined by a Boolean function.
It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in P). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in NP: in order to reconstruct the secret, a set of parties must be "qualified" and provide a witness attesting to this fact.
Recently, Garg et al. (STOC 2013) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement "x in L" for a language L in NP such that anyone holding a witness to the statement can decrypt the message, however, if x is not in L, then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction.
One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for any monotone function in NP assuming witness encryption for NP and one-way functions. As a consequence we get a completeness theorem for secret-sharing: a computational secret-sharing scheme for any single monotone NP-complete function implies a computational secret-sharing scheme for every monotone function in NP.
Submitted 31 May, 2015; v1 submitted 22 March, 2014;
originally announced March 2014.