A new interactive hashing theorem

Iftach Haitner*, Omer Reingold

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically-hiding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′) but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h-1 (z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et. al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security preserving the reduction is). Finally, our proof implies a more versatile interactive hashing theorem for a more general setting than that of the Naor et. al. protocol. One generalization relates to the selection of hash function h (allowing much more flexibility). More importantly, the theorem applies to the case where the underlying function f is hard-to-invert only on some given (possibly sparse) subset of the output strings. In other words, the theorem is tuned towards hashing of a value y that may be distributed over a sparse subset of the domain (rather than uniform on the entire domain as a random output of a one-way permutation is). Our interest in interactive hashing is in part as a very appealing object (i.e., independent of any particular application). Furthermore, a major motivation for looking into interactive hashing is towards improving and simplifying previous constructions of statistical zero-knowledge and statistical commitments (that employ interactive hashing as a central building block). We make some preliminary progress in this direction as well.

Original languageEnglish
Title of host publicationProceedings - Twenty-Second Annual IEEE Conference on Computational Complexity, CCC 2007
Pages319-332
Number of pages14
DOIs
StatePublished - 2007
Externally publishedYes
Event22nd Annual IEEE Conference on Computational Complexity, CCC 2007 - San Diego, CA, United States
Duration: 13 Jun 200716 Jun 2007

Publication series

NameProceedings of the Annual IEEE Conference on Computational Complexity
ISSN (Print)1093-0159

Conference

Conference22nd Annual IEEE Conference on Computational Complexity, CCC 2007
Country/TerritoryUnited States
CitySan Diego, CA
Period13/06/0716/06/07

Fingerprint

Dive into the research topics of 'A new interactive hashing theorem'. Together they form a unique fingerprint.

Cite this