TY - GEN
T1 - A new interactive hashing theorem
AU - Haitner, Iftach
AU - Reingold, Omer
PY - 2007
Y1 - 2007
N2 - Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically-hiding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′) but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h-1 (z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et. al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security preserving the reduction is). Finally, our proof implies a more versatile interactive hashing theorem for a more general setting than that of the Naor et. al. protocol. One generalization relates to the selection of hash function h (allowing much more flexibility). More importantly, the theorem applies to the case where the underlying function f is hard-to-invert only on some given (possibly sparse) subset of the output strings. In other words, the theorem is tuned towards hashing of a value y that may be distributed over a sparse subset of the domain (rather than uniform on the entire domain as a random output of a one-way permutation is). Our interest in interactive hashing is in part as a very appealing object (i.e., independent of any particular application). Furthermore, a major motivation for looking into interactive hashing is towards improving and simplifying previous constructions of statistical zero-knowledge and statistical commitments (that employ interactive hashing as a central building block). We make some preliminary progress in this direction as well.
AB - Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically-hiding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′) but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h-1 (z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et. al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security preserving the reduction is). Finally, our proof implies a more versatile interactive hashing theorem for a more general setting than that of the Naor et. al. protocol. One generalization relates to the selection of hash function h (allowing much more flexibility). More importantly, the theorem applies to the case where the underlying function f is hard-to-invert only on some given (possibly sparse) subset of the output strings. In other words, the theorem is tuned towards hashing of a value y that may be distributed over a sparse subset of the domain (rather than uniform on the entire domain as a random output of a one-way permutation is). Our interest in interactive hashing is in part as a very appealing object (i.e., independent of any particular application). Furthermore, a major motivation for looking into interactive hashing is towards improving and simplifying previous constructions of statistical zero-knowledge and statistical commitments (that employ interactive hashing as a central building block). We make some preliminary progress in this direction as well.
UR - http://www.scopus.com/inward/record.url?scp=34748815778&partnerID=8YFLogxK
U2 - 10.1109/CCC.2007.3
DO - 10.1109/CCC.2007.3
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:34748815778
SN - 0769527809
SN - 9780769527802
T3 - Proceedings of the Annual IEEE Conference on Computational Complexity
SP - 319
EP - 332
BT - Proceedings - Twenty-Second Annual IEEE Conference on Computational Complexity, CCC 2007
T2 - 22nd Annual IEEE Conference on Computational Complexity, CCC 2007
Y2 - 13 June 2007 through 16 June 2007
ER -